andrey Tue, 27 Apr 2010 08:26:24 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=298643
Log: Fixed buffer overflow in mysqlnd_change_user Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c U php/php-src/trunk/ext/mysqlnd/mysqlnd.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-04-27 08:23:25 UTC (rev 298642)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-04-27 08:26:24 UTC (rev 298643)
@@ -16,7 +16,8 @@
 - Implemented FR#35638 (Adding udate to imap_fetch_overview results). (Charles_Duffy at dell dot com )
-- Fixed possible buffer overflow in mysqlnd_list_fields. (Andrey)
+- Fixed possible buffer overflows in mysqlnd_list_fields, mysqlnd_change_user
+ (Andrey)
 - Fixed handling of session variable serialization on certain prefix characters. Reported by Stefan Esser (Ilia)
Modified: php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c 2010-04-27 08:23:25 UTC (rev 298642)
+++ php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c 2010-04-27 08:26:24 UTC (rev 298643)
@@ -1782,7 +1782,7 @@
 /* User could be max 16 * 3 (utf8), pass is 20 usually, db is up to 64*3 Stack space is not that expensive, so use a bit more to be protected against
- stack overrungs.
+ buffer overflows.
 */
 size_t user_len;
 enum_func_status ret;
@@ -1805,7 +1805,7 @@
 }
 /* 1. user ASCIIZ */
- user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_DB_LEN);
+ user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);
 memcpy(p, user, user_len);
 p += user_len;
 *p++ = '\0';
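Review bot: An over-long `user` is still silently truncated in the `/* 1. user ASCIIZ */` step, so the packet can name a different account than the caller passed, even though `MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN)` now keeps the copy in bounds. The `/* 3. db ASCIIZ */` hunk and both trunk copies treat `db` the same way. Failing the call before the packet is built would be safer, for example `if (strlen(user) > MYSQLND_MAX_ALLOWED_USER_LEN) { /* report a client error and fail */ }`, with the matching check for `db`. The buffer declaration and the two limit macros lie outside the hunks, so it cannot be confirmed from here that the buffer holds user + password + db plus terminators; a compile-time size check beside the declaration would record that assumption.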
@@ -1821,8 +1821,8 @@
 /* 3. db ASCIIZ */
 if (db[0]) {
- size_t db_len = strlen(db);
- memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
+ size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);
+ memcpy(p, db, db_len);
 p += db_len;
 }
 *p++ = '\0';
Modified: php/php-src/trunk/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/trunk/ext/mysqlnd/mysqlnd.c 2010-04-27 08:23:25 UTC (rev 298642)
+++ php/php-src/trunk/ext/mysqlnd/mysqlnd.c 2010-04-27 08:26:24 UTC (rev 298643)
@@ -1782,7 +1782,7 @@
 /* User could be max 16 * 3 (utf8), pass is 20 usually, db is up to 64*3 Stack space is not that expensive, so use a bit more to be protected against
- stack overrungs.
+ buffer overflows.
 */
 size_t user_len;
 enum_func_status ret;
@@ -1805,7 +1805,7 @@
 }
 /* 1. user ASCIIZ */
- user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_DB_LEN);
+ user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);
 memcpy(p, user, user_len);
 p += user_len;
 *p++ = '\0';
@@ -1821,8 +1821,8 @@
 /* 3. db ASCIIZ */
 if (db[0]) {
- size_t db_len = strlen(db);
- memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
+ size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);
+ memcpy(p, db, db_len);
 p += db_len;
 }
 *p++ = '\0';
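Review bot: The `/* 3. db ASCIIZ */` block has no comment explaining why `db_len` is clamped before use, which leaves the pre-fix mistake easy to reintroduce: the old code bounded the `memcpy` but still advanced `p` by the full `strlen(db)`. A line such as `/* clamp once: the same length must bound the copy and advance p */` above `size_t db_len = ...` would cover it, and the same applies to the identical trunk hunk. Separately, `db[0]` and `strlen(user)` are evaluated with no NULL check in the lines shown; if callers may pass NULL that guard is still missing, though it may sit outside these hunks because the enclosing function starts and ends outside them.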