clones/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-09-22 10:27:25 +00:00
Code Issues Packages Projects Releases Wiki Activity

MFB: Added checks for negative max length and overflow checks for overly

Browse Source 
long strings.
This commit is contained in:
Ilia Alshanetsky 2006-12-23 18:50:52 +00:00
parent 7b170eea73
commit 4e17200d59
1 changed files with 10 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ext/sysvmsg/sysvmsg.c
View File

@ -295,6 +295,11 @@ PHP_FUNCTION(msg_receive)
return;
}
if (maxsize <= 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "maximum size of the message has to be greater then zero");
return;
}
if (flags != 0) {
if (flags & PHP_MSG_EXCEPT) {
#ifndef MSG_EXCEPT
@ -314,7 +319,7 @@ PHP_FUNCTION(msg_receive)
ZEND_FETCH_RESOURCE(mq, sysvmsg_queue_t *, &queue, -1, "sysvmsg queue", le_sysvmsg);
messagebuffer = (struct php_msgbuf *) emalloc(sizeof(struct php_msgbuf) + maxsize);
messagebuffer = (struct php_msgbuf *) safe_emalloc(maxsize, 1, sizeof(struct php_msgbuf));
result = msgrcv(mq->id, messagebuffer, maxsize, desiredmsgtype, realflags);
@ -389,7 +394,7 @@ PHP_FUNCTION(msg_send)
/* NB: php_msgbuf is 1 char bigger than a long, so there is no need to
* allocate the extra byte. */
messagebuffer = emalloc(sizeof(struct php_msgbuf) + msg_var.len);
messagebuffer = safe_emalloc(msg_var.len, 1, sizeof(struct php_msgbuf));
memcpy(messagebuffer->mtext, msg_var.c, msg_var.len + 1);
message_len = msg_var.len;
smart_str_free(&msg_var);
@ -421,7 +426,7 @@ PHP_FUNCTION(msg_send)
RETURN_FALSE;
}
messagebuffer = emalloc(sizeof(struct php_msgbuf) + message_len);
messagebuffer = safe_emalloc(message_len, 1, sizeof(struct php_msgbuf));
memcpy(messagebuffer->mtext, p, message_len + 1);
if (Z_TYPE_P(message) != IS_STRING) {