mirror of
https://github.com/php/php-src.git
synced 2024-09-21 09:57:23 +00:00
Fix GH-15628: php_stream_memory_get_buffer() not zero-terminated
We're reasonably sure that appending the NUL is not an OOB write, since the memory stream implementation uses `zend_string` APIs instead of fiddling with the buffer. We don't add a regression test because that would require to set up something in the zend_test extension, and regressions are supposed to be caught by external consumers of this API, such as mailparse. Closes GH-15648.
This commit is contained in:
parent
bf9929a26c
commit
93021c635d
4
NEWS
4
NEWS
@ -25,6 +25,10 @@ PHP NEWS
|
||||
. Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
|
||||
Kamil Tekiela)
|
||||
|
||||
- Streams:
|
||||
. Fixed bug GH-15628 (php_stream_memory_get_buffer() not zero-terminated).
|
||||
(cmb)
|
||||
|
||||
29 Aug 2024, PHP 8.2.23
|
||||
|
||||
- Core:
|
||||
|
@ -60,6 +60,7 @@ static ssize_t php_stream_memory_write(php_stream *stream, const char *buf, size
|
||||
if (count) {
|
||||
ZEND_ASSERT(buf != NULL);
|
||||
memcpy(ZSTR_VAL(ms->data) + ms->fpos, (char*) buf, count);
|
||||
ZSTR_VAL(ms->data)[ZSTR_LEN(ms->data)] = '\0';
|
||||
ms->fpos += count;
|
||||
}
|
||||
return count;
|
||||
@ -240,6 +241,7 @@ static int php_stream_memory_set_option(php_stream *stream, int option, int valu
|
||||
size_t old_size = ZSTR_LEN(ms->data);
|
||||
ms->data = zend_string_realloc(ms->data, newsize, 0);
|
||||
memset(ZSTR_VAL(ms->data) + old_size, 0, newsize - old_size);
|
||||
ZSTR_VAL(ms->data)[ZSTR_LEN(ms->data)] = '\0';
|
||||
}
|
||||
return PHP_STREAM_OPTION_RETURN_OK;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user