[PHP-CVS] com php-src: Fixed bug that would lead to out of bounds memory access: ext/openssl/openssl.c

Tue, 08 Oct 2013 07:01:24 -0700 

Commit:    8e847b5845b85c080295aea60c20869973c09a15
Author:    Tjerk Meesters <datib...@php.net>         Sat, 21 Sep 2013 19:38:09 
+0800
Parents:   8915c3fb4fa40743bdddf23013a63e014d03d02c
Branches:  master

Link:       
http://git.php.net/?p=php-src.git;a=commitdiff;h=8e847b5845b85c080295aea60c20869973c09a15

Log:
Fixed bug that would lead to out of bounds memory access

Changed paths:
  M  ext/openssl/openssl.c


Diff:
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 5460f3a..1c367df 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -4831,26 +4831,36 @@ static int verify_callback(int preverify_ok, 
X509_STORE_CTX *ctx) /* {{{ */
 
 static int php_openssl_match_cn(const char *subjectname, const char *certname)
 {
-       int match = strcmp(subjectname, certname) == 0;
-
-       if (!match) {
-               char *wildcard = strchr(certname, '*');
-               int prefix_len = wildcard - certname;
-
-               /* 1) prefix, if not empty, must match */
-               if (wildcard && (prefix_len == 0 || strncmp(subjectname, 
certname, prefix_len) == 0)) {
-                       const char *suffix = subjectname + strlen(subjectname) 
- strlen(wildcard + 1);
-
-                       /*
-                        * 2) suffix must match
-                        * 3) no period between prefix and suffix
-                       **/
-                       match = strcmp(wildcard + 1, suffix) == 0 &&
-                               memchr(subjectname + prefix_len, '.', suffix - 
subjectname - prefix_len) == NULL;
-               }
+       char *wildcard;
+       int prefix_len, suffix_len, subject_len;
+
+       if (strcmp(subjectname, certname) == 0) {
+               return 1;
        }
 
-       return match;
+       if (!(wildcard = strchr(certname, '*'))) {
+               return 0;
+       }
+
+       // 1) prefix, if not empty, must match subject
+       prefix_len = wildcard - certname;
+       if (prefix_len && strncmp(subjectname, certname, prefix_len) != 0) {
+               return 0;
+       }
+
+       suffix_len = strlen(wildcard + 1);
+       subject_len = strlen(subjectname);
+       if (suffix_len <= subject_len) {
+               const char *suffix = subjectname + subject_len - suffix_len;
+
+               /* 2) suffix must match
+                * 3) no . between prefix and suffix
+                **/
+               return strcmp(wildcard + 1, suffix) == 0 &&
+                       memchr(subjectname + prefix_len, '.', suffix - 
subjectname - prefix_len) == NULL;
+       }
+
+       return 0;
 }
 
 int php_openssl_apply_verification_policy(SSL *ssl, X509 *peer, php_stream 
*stream TSRMLS_DC) /* {{{ */


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to