andrey Tue, 27 Apr 2010 08:26:24 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=298643
Log:
Fixed buffer overflow in mysqlnd_change_user
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c
U php/php-src/trunk/ext/mysqlnd/mysqlnd.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-04-27 08:23:25 UTC (rev 298642)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-04-27 08:26:24 UTC (rev 298643)
@@ -16,7 +16,8 @@
- Implemented FR#35638 (Adding udate to imap_fetch_overview results).
(Charles_Duffy at dell dot com )
-- Fixed possible buffer overflow in mysqlnd_list_fields. (Andrey)
+- Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user
+ (Andrey)
- Fixed handling of session variable serialization on certain prefix
characters. Reported by Stefan Esser (Ilia)
Modified: php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c 2010-04-27 08:23:25 UTC
(rev 298642)
+++ php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c 2010-04-27 08:26:24 UTC
(rev 298643)
@@ -1782,7 +1782,7 @@
/*
User could be max 16 * 3 (utf8), pass is 20 usually, db is up to 64*3
Stack space is not that expensive, so use a bit more to be protected
against
- stack overrungs.
+ buffer overflows.
*/
size_t user_len;
enum_func_status ret;
@@ -1805,7 +1805,7 @@
}
/* 1. user ASCIIZ */
- user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_DB_LEN);
+ user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);
memcpy(p, user, user_len);
p += user_len;
*p++ = '\0';
@@ -1821,8 +1821,8 @@
/* 3. db ASCIIZ */
if (db[0]) {
- size_t db_len = strlen(db);
- memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
+ size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);
+ memcpy(p, db, db_len);
p += db_len;
}
*p++ = '\0';
Modified: php/php-src/trunk/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/trunk/ext/mysqlnd/mysqlnd.c 2010-04-27 08:23:25 UTC (rev
298642)
+++ php/php-src/trunk/ext/mysqlnd/mysqlnd.c 2010-04-27 08:26:24 UTC (rev
298643)
@@ -1782,7 +1782,7 @@
/*
User could be max 16 * 3 (utf8), pass is 20 usually, db is up to 64*3
Stack space is not that expensive, so use a bit more to be protected
against
- stack overrungs.
+ buffer overflows.
*/
size_t user_len;
enum_func_status ret;
@@ -1805,7 +1805,7 @@
}
/* 1. user ASCIIZ */
- user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_DB_LEN);
+ user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);
memcpy(p, user, user_len);
p += user_len;
*p++ = '\0';
@@ -1821,8 +1821,8 @@
/* 3. db ASCIIZ */
if (db[0]) {
- size_t db_len = strlen(db);
- memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
+ size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);
+ memcpy(p, db, db_len);
p += db_len;
}
*p++ = '\0';
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
