MFH:- Fixed bug #34306 (wddx_serialize_value() crashes with long array keys)

2024-09-22 10:27:25 +00:00 · 2005-08-31 14:31:44 +00:00 · 2005-08-31 14:31:44 +00:00 · 307ec8ece4
commit 307ec8ece4
parent 9230473cd3
3 changed files with 18 additions and 3 deletions
--- a/1
+++ b/1
@ -14,6 +14,7 @@ PHP                                                                        NEWS
 - Fixed "make test" to work for phpized extensions. (Hartmut, Jani)
 - Fixed failing queries (FALSE returned) with mysqli_query() on 64 bit systems.
  (Andrey)
+- Fixed bug #34306 (wddx_serialize_value() crashes with long array keys). (Jani)
 - Fixed bug #34302 (date('W') do not return leading zeros for week 1 to 9).
  (Derick)
 - Fixed bug #34299 (ReflectionClass::isInstantiable() returns true for abstract
--- a/ext/wddx/tests/bug34306.phpt
+++ b/ext/wddx/tests/bug34306.phpt
@ -0,0 +1,12 @@
+--TEST--
+#34306 (wddx_serialize_value() crashes with long array keys)
+--FILE--
+<?php
+
+$var = array('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa12345678901234567890123456789012345678901234567890ba12345678901234567890123456789012345678901234567890ba12345678901234567890123456789012345678901234567890ba12345678901234567890123456789012345678901234567890b12345678901234567891234567890123123121231211111' => 1);
+$buf = wddx_serialize_value($var, 'name');
+echo "OK\n";
+
+?>
+--EXPECT--
+OK
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@ -422,7 +422,7 @@ static void php_wddx_serialize_number(wddx_packet *packet, zval *var)
 	tmp = *var;
 	zval_copy_ctor(&tmp);
 	convert_to_string(&tmp);
-	sprintf(tmp_buf, WDDX_NUMBER, Z_STRVAL(tmp));
+	snprintf(tmp_buf, Z_STRLEN(tmp), WDDX_NUMBER, Z_STRVAL(tmp));
 	zval_dtor(&tmp);

 	php_wddx_add_chunk(packet, tmp_buf);	
@ -617,15 +617,17 @@ static void php_wddx_serialize_array(wddx_packet *packet, zval *arr)
 */
 void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name_len TSRMLS_DC)
 {
-	char tmp_buf[WDDX_BUF_LEN];
+	char *tmp_buf;
 	char *name_esc;
 	int name_esc_len;
 	HashTable *ht;

 	if (name) {
 		name_esc = php_escape_html_entities(name, name_len, &name_esc_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
-		sprintf(tmp_buf, WDDX_VAR_S, name_esc);
+		tmp_buf = emalloc(name_esc_len + 1);
+		snprintf(tmp_buf, name_esc_len, WDDX_VAR_S, name_esc);
 		php_wddx_add_chunk(packet, tmp_buf);
+		efree(tmp_buf);
 		efree(name_esc);
 	}