pajoye Wed, 28 Apr 2010 14:10:01 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=298700
Log: - fix possible Dechunking Filter Buffer Overflow Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/standard/filters.c U php/php-src/trunk/ext/standard/filters.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-04-28 12:29:13 UTC (rev 298699)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-04-28 14:10:01 UTC (rev 298700)
@@ -21,6 +21,8 @@
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey)
+- Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser.
+ (Pierre)
 - Fixed a possible arbitrary memory access inside sqlite extension. Reported by Mateusz Kocielski. (Ilia)
 - Fixed string format validation inside phar extension. Reported by Stefan
Modified: php/php-src/branches/PHP_5_3/ext/standard/filters.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/filters.c 2010-04-28 12:29:13 UTC (rev 298699)
+++ php/php-src/branches/PHP_5_3/ext/standard/filters.c 2010-04-28 14:10:01 UTC (rev 298700)
@@ -1914,7 +1914,7 @@
 typedef struct _php_chunked_filter_data {
 php_chunked_filter_state state;
- int chunk_size;
+ size_t chunk_size;
 int persistent;
 } php_chunked_filter_data;
@@ -1991,7 +1991,7 @@
 continue;
 }
 case CHUNK_BODY:
- if (end - p >= data->chunk_size) {
+ if ((size_t) (end - p) >= data->chunk_size) {
 if (p != out) {
 memmove(out, p, data->chunk_size);
 }
Modified: php/php-src/trunk/ext/standard/filters.c
===================================================================
--- php/php-src/trunk/ext/standard/filters.c 2010-04-28 12:29:13 UTC (rev 298699)
+++ php/php-src/trunk/ext/standard/filters.c 2010-04-28 14:10:01 UTC (rev 298700)
@@ -1914,7 +1914,7 @@
 typedef struct _php_chunked_filter_data {
 php_chunked_filter_state state;
- int chunk_size;
+ size_t chunk_size;
 int persistent;
 } php_chunked_filter_data;
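Review bot: The `chunk_size` field in `php_chunked_filter_data` has no comment saying why it must be unsigned, although the fix depends on that type. With the old `int`, a negative value would have passed the `end - p >= data->chunk_size` test and then been converted to a huge length by `memmove`. I would write the field as `size_t chunk_size; /* bytes left in the current chunk; unsigned so a parsed size can never be negative */`. The code that builds the size from the chunk header is outside this hunk; if it has no overflow check the value can presumably still wrap, so rejecting oversized chunk sizes there is worth considering. The same applies to the identical hunk in trunk/ext/standard/filters.c.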
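Review bot: The cast in `if ((size_t) (end - p) >= data->chunk_size) {` is only correct while `end >= p`, because a negative difference would convert to a very large value and pass the test that bounds the `memmove` length. The enclosing loop starts outside this hunk, so that invariant cannot be confirmed from here. If the loop condition does guarantee it, a comment such as `/* loop guarantees p < end, so the difference is non-negative */` on that line would record the assumption. Any code outside the hunk that still mixes `chunk_size` with signed lengths needs the same review now that the field is `size_t`. The same applies to the identical hunk in trunk/ext/standard/filters.c.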
@@ -1991,7 +1991,7 @@
 continue;
 }
 case CHUNK_BODY:
- if (end - p >= data->chunk_size) {
+ if ((size_t) (end - p) >= data->chunk_size) {
 if (p != out) {
 memmove(out, p, data->chunk_size);
 }