iliaa Wed Sep 5 12:55:37 2007 UTC Modified files: /php-src/ext/standard dir.c file.c Log: MFB: Fixed possible buffer overflows inside the fnmatch() and glob() functions http://cvs.php.net/viewvc.cgi/php-src/ext/standard/dir.c?r1=1.168&r2=1.169&diff_format=u Index: php-src/ext/standard/dir.c diff -u php-src/ext/standard/dir.c:1.168 php-src/ext/standard/dir.c:1.169 --- php-src/ext/standard/dir.c:1.168 Wed Aug 22 14:58:30 2007 +++ php-src/ext/standard/dir.c Wed Sep 5 12:55:36 2007 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: dir.c,v 1.168 2007/08/22 14:58:30 jani Exp $ */ +/* $Id: dir.c,v 1.169 2007/09/05 12:55:36 iliaa Exp $ */ /* {{{ includes/startup/misc */ @@ -427,6 +427,11 @@ return; } + if (pattern_len >= MAXPATHLEN) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN); + RETURN_FALSE; + } + if ((GLOB_AVAILABLE_FLAGS & flags) != flags) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "At least one of the passed flags is invalid or not supported on this platform"); RETURN_FALSE; http://cvs.php.net/viewvc.cgi/php-src/ext/standard/file.c?r1=1.499&r2=1.500&diff_format=u Index: php-src/ext/standard/file.c diff -u php-src/ext/standard/file.c:1.499 php-src/ext/standard/file.c:1.500 --- php-src/ext/standard/file.c:1.499 Mon Sep 3 11:53:43 2007 +++ php-src/ext/standard/file.c Wed Sep 5 12:55:36 2007 @@ -21,7 +21,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: file.c,v 1.499 2007/09/03 11:53:43 jani Exp $ */ +/* $Id: file.c,v 1.500 2007/09/05 12:55:36 iliaa Exp $ */ /* Synced with php 3.0 revision 1.218 1999-06-16 [ssb] */ 
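Review bot: The warning text in the added glob() guard does not match its condition: `pattern_len >= MAXPATHLEN` rejects a pattern of exactly MAXPATHLEN characters, while the message says the pattern "exceeds the maximum allowed length of %d characters" and prints MAXPATHLEN, so the longest accepted pattern is really MAXPATHLEN - 1. Either pass `MAXPATHLEN - 1` as the format argument or reword the message; the "Filename exceeds ..." warning added to fnmatch() in the file.c hunk has the same mismatch. A short comment above the check, such as `/* pattern plus its terminating NUL must fit in a MAXPATHLEN-sized buffer */`, would record why the bound is `>=`, assuming that is the buffer being protected. The rest of the function lies outside the hunk.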
@@ -2894,6 +2894,11 @@ zend_unicode_to_string_ex(UG(utf8_conv), &filename_utf8, &filename_utf8_len, filename.u, filename_len, &status); pattern.s = pattern_utf8; filename.s = filename_utf8; + filename_len = filename_utf8_len; + } + if (filename_len >= MAXPATHLEN) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN); + RETURN_FALSE; } RETVAL_BOOL( ! fnmatch( pattern.s, filename.s, flags ));
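Review bot: Only the filename is bounded by the new guard before `fnmatch(pattern.s, filename.s, flags)`; the pattern reaches the call with no length limit in the visible lines, although the log describes overflows inside fnmatch() and the glob() hunk in dir.c bounds its pattern. A matching check on the pattern's byte length belongs next to this one, e.g. `if (pattern_len >= MAXPATHLEN) { ... RETURN_FALSE; }`, using whichever variable holds the converted pattern length (its name is not visible here). The early `RETURN_FALSE` also runs after `pattern_utf8` and `filename_utf8` have been filled by the conversion. If those buffers are released after the `fnmatch()` call, which lies outside this hunk, this path skips that cleanup and should free them before returning.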