andrey                                   Tue, 27 Apr 2010 08:26:24 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=298643

Log:
Fixed buffer overflow in mysqlnd_change_user

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c
    U   php/php-src/trunk/ext/mysqlnd/mysqlnd.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-04-27 08:23:25 UTC (rev 298642)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-04-27 08:26:24 UTC (rev 298643)
@@ -16,7 +16,8 @@

 - Implemented FR#35638 (Adding udate to imap_fetch_overview results).
   (Charles_Duffy at dell dot com )
-- Fixed possible buffer overflow in mysqlnd_list_fields. (Andrey)
+- Fixed possible buffer overflows in mysqlnd_list_fields,  mysqlnd_change_user
+  (Andrey)

 - Fixed handling of session variable serialization on certain prefix
   characters. Reported by Stefan Esser (Ilia)

Modified: php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c  2010-04-27 08:23:25 UTC 
(rev 298642)
+++ php/php-src/branches/PHP_5_3/ext/mysqlnd/mysqlnd.c  2010-04-27 08:26:24 UTC 
(rev 298643)
@@ -1782,7 +1782,7 @@
        /*
          User could be max 16 * 3 (utf8), pass is 20 usually, db is up to 64*3
          Stack space is not that expensive, so use a bit more to be protected 
against
-         stack overrungs.
+         buffer overflows.
        */
        size_t user_len;
        enum_func_status ret;
@@ -1805,7 +1805,7 @@
        }

        /* 1. user ASCIIZ */
-       user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_DB_LEN);
+       user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);
        memcpy(p, user, user_len);
        p += user_len;
        *p++ = '\0';
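Review bot: An over-long `user` is now silently cut to MYSQLND_MAX_ALLOWED_USER_LEN bytes and the shortened name is what gets written into the packet, so the caller ends up requesting a different account than it named instead of getting an error. The same applies to `db` in the `/* 3. db ASCIIZ */` hunk and to both trunk copies of these hunks. Rejecting the input before anything is copied would be safer, e.g. `if (strlen(user) > MYSQLND_MAX_ALLOWED_USER_LEN)` followed by the function's existing failure return; a byte-count clamp can also split a multi-byte UTF-8 sequence. The start of the function and its error path are outside the hunk, so the exact return form is not shown here.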
@@ -1821,8 +1821,8 @@

        /* 3. db ASCIIZ */
        if (db[0]) {
-               size_t db_len = strlen(db);
-               memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
+               size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);
+               memcpy(p, db, db_len);
                p += db_len;
        }
        *p++ = '\0';
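Review bot: Nothing in this hunk compares `p` with the end of the destination buffer, so the fix holds only if that buffer is sized for the sum of the clamped maxima plus the password bytes and both terminators. The buffer declaration and step 2 are outside the hunk, so this cannot be confirmed from here. Stating the invariant next to the declaration, e.g. `/* must hold MYSQLND_MAX_ALLOWED_USER_LEN + 1 + password bytes + MYSQLND_MAX_ALLOWED_DB_LEN + 1 */`, would let the next reader audit it; the trunk copy of this hunk needs the same comment.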

Modified: php/php-src/trunk/ext/mysqlnd/mysqlnd.c
===================================================================
--- php/php-src/trunk/ext/mysqlnd/mysqlnd.c     2010-04-27 08:23:25 UTC (rev 
298642)
+++ php/php-src/trunk/ext/mysqlnd/mysqlnd.c     2010-04-27 08:26:24 UTC (rev 
298643)
@@ -1782,7 +1782,7 @@
        /*
          User could be max 16 * 3 (utf8), pass is 20 usually, db is up to 64*3
          Stack space is not that expensive, so use a bit more to be protected 
against
-         stack overrungs.
+         buffer overflows.
        */
        size_t user_len;
        enum_func_status ret;
@@ -1805,7 +1805,7 @@
        }

        /* 1. user ASCIIZ */
-       user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_DB_LEN);
+       user_len = MIN(strlen(user), MYSQLND_MAX_ALLOWED_USER_LEN);
        memcpy(p, user, user_len);
        p += user_len;
        *p++ = '\0';
@@ -1821,8 +1821,8 @@

        /* 3. db ASCIIZ */
        if (db[0]) {
-               size_t db_len = strlen(db);
-               memcpy(p, db, MIN(db_len, MYSQLND_MAX_ALLOWED_DB_LEN));
+               size_t db_len = MIN(strlen(db), MYSQLND_MAX_ALLOWED_DB_LEN);
+               memcpy(p, db, db_len);
                p += db_len;
        }
        *p++ = '\0';
