andrey                                   Tue, 27 Apr 2010 08:02:08 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=298640

Log:
Fixed possible buffer overflow in mysqlnd_conn__list_fields.

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c
    U   php/php-src/trunk/ext/mysqlnd/mysqlnd.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-04-27 06:24:24 UTC (rev 298639)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-04-27 08:02:08 UTC (rev 298640)
@@ -16,6 +16,7 @@

 - Implemented FR#35638 (Adding udate to imap_fetch_overview results).
   (Charles_Duffy at dell dot com )
+- Fixed possible buffer overflow in mysqlnd_list_fields. (Andrey)

 - Fixed handling of session variable serialization on certain prefix
   characters. Reported by Stefan Esser (Ilia)

Modified: php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c  2010-04-27 06:24:24 UTC 
(rev 298639)
+++ php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c  2010-04-27 08:02:08 UTC 
(rev 298640)
@@ -1074,14 +1074,16 @@

        p = buff;
        if (table && (table_len = strlen(table))) {
-               memcpy(p, table, MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 
4));
-               p += table_len;
+               size_t to_copy = MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4);
+               memcpy(p, table, to_copy);
+               p += to_copy;
                *p++ = '\0';
        }

        if (achtung_wild && (wild_len = strlen(achtung_wild))) {
-               memcpy(p, achtung_wild, MIN(wild_len, 
MYSQLND_MAX_ALLOWED_DB_LEN * 4));
-               p += wild_len;
+               size_t to_copy = MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4);
+               memcpy(p, achtung_wild, to_copy);
+               p += to_copy;
                *p++ = '\0';
        }
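Review bot: The cap `MYSQLND_MAX_ALLOWED_DB_LEN * 4` now bounds both the `memcpy` and the pointer advance, but nothing in the hunk ties it to the size of `buff`, whose declaration is outside the hunk. The two copies plus their terminators can write up to `2 * (MYSQLND_MAX_ALLOWED_DB_LEN * 4) + 2` bytes, so the declaration should be checked against that figure and the requirement stated beside it, e.g. `/* buff must hold table + '\0' + wild + '\0', each capped at MYSQLND_MAX_ALLOWED_DB_LEN * 4 */`. An over-long `table` or `achtung_wild` is also truncated silently, so whatever is built from `buff` (presumably the request sent to the server) names a different table or pattern than the caller passed. Returning an error when `table_len` or `wild_len` exceeds the cap would be safer than using the shortened value. The same applies to the identical hunk for trunk/ext/mysqlnd/mysqlnd.c, and the enclosing function starts and ends outside the hunk.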


Modified: php/php-src/trunk/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/trunk/ext/mysqlnd/mysqlnd.c     2010-04-27 06:24:24 UTC (rev 
298639)
+++ php/php-src/trunk/ext/mysqlnd/mysqlnd.c     2010-04-27 08:02:08 UTC (rev 
298640)
@@ -1074,14 +1074,16 @@

        p = buff;
        if (table && (table_len = strlen(table))) {
-               memcpy(p, table, MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 
4));
-               p += table_len;
+               size_t to_copy = MIN(table_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4);
+               memcpy(p, table, to_copy);
+               p += to_copy;
                *p++ = '\0';
        }

        if (achtung_wild && (wild_len = strlen(achtung_wild))) {
-               memcpy(p, achtung_wild, MIN(wild_len, 
MYSQLND_MAX_ALLOWED_DB_LEN * 4));
-               p += wild_len;
+               size_t to_copy = MIN(wild_len, MYSQLND_MAX_ALLOWED_DB_LEN * 4);
+               memcpy(p, achtung_wild, to_copy);
+               p += to_copy;
                *p++ = '\0';
        }

