pajoye                                   Wed, 28 Apr 2010 14:10:01 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=298700

Log:
- fix possible Dechunking Filter Buffer Overflow

Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/standard/filters.c
    U   php/php-src/trunk/ext/standard/filters.c

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-04-28 12:29:13 UTC (rev 298699)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-04-28 14:10:01 UTC (rev 298700)
@@ -21,6 +21,8 @@
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)

+- Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser.
+  (Pierre)
 - Fixed a possible arbitrary memory access inside sqlite extension. Reported
   by Mateusz Kocielski. (Ilia)
 - Fixed string format validation inside phar extension. Reported by Stefan

Modified: php/php-src/branches/PHP_5_3/ext/standard/filters.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/filters.c 2010-04-28 12:29:13 UTC 
(rev 298699)
+++ php/php-src/branches/PHP_5_3/ext/standard/filters.c 2010-04-28 14:10:01 UTC 
(rev 298700)
@@ -1914,7 +1914,7 @@

 typedef struct _php_chunked_filter_data {
        php_chunked_filter_state state;
-       int chunk_size;
+       size_t chunk_size;
        int persistent;
 } php_chunked_filter_data;
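Review bot: Making `chunk_size` a `size_t` removes the negative-size case, but the field is also written by the chunk-size parser, which is outside this hunk, and an unbounded accumulation there would now wrap silently instead of going negative. It is worth confirming that the parser rejects a size that no longer fits, for instance by testing `data->chunk_size > (SIZE_MAX >> 4)` before each hex digit is folded in, assuming it shifts by four bits per digit. A short comment on the field would also record why the type matters: `size_t chunk_size; /* unsigned: must never compare as negative against a buffer length */`. The same applies to the identical trunk hunk at `@@ -1914,7 +1914,7 @@`.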

@@ -1991,7 +1991,7 @@
                                        continue;
                                }
                        case CHUNK_BODY:
-                               if (end - p >= data->chunk_size) {
+                               if ((size_t) (end - p) >= data->chunk_size) {
                                        if (p != out) {
                                                memmove(out, p, 
data->chunk_size);
                                        }
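Review bot: The cast in `if ((size_t) (end - p) >= data->chunk_size)` is only sound while `p <= end`; if `p` ever moved past `end`, the difference would wrap to a very large value and the check guarding the `memmove` length would pass. The enclosing loop, which starts and ends outside this hunk, presumably guarantees that, so state it next to the comparison: `/* p <= end here, so the cast cannot wrap */`. Any other arithmetic in this case between `data->chunk_size` and a pointer difference (not shown) now mixes signed and unsigned operands and deserves the same check. The identical trunk hunk at `@@ -1991,7 +1991,7 @@` carries the same point.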

Modified: php/php-src/trunk/ext/standard/filters.c
===================================================================
--- php/php-src/trunk/ext/standard/filters.c    2010-04-28 12:29:13 UTC (rev 
298699)
+++ php/php-src/trunk/ext/standard/filters.c    2010-04-28 14:10:01 UTC (rev 
298700)
@@ -1914,7 +1914,7 @@

 typedef struct _php_chunked_filter_data {
        php_chunked_filter_state state;
-       int chunk_size;
+       size_t chunk_size;
        int persistent;
 } php_chunked_filter_data;

@@ -1991,7 +1991,7 @@
                                        continue;
                                }
                        case CHUNK_BODY:
-                               if (end - p >= data->chunk_size) {
+                               if ((size_t) (end - p) >= data->chunk_size) {
                                        if (p != out) {
                                                memmove(out, p, 
data->chunk_size);
                                        }
