Fix GH-15628: php_stream_memory_get_buffer() not zero-terminated

We're reasonably sure that appending the NUL is not an OOB write, since
the memory stream implementation uses `zend_string` APIs instead of
fiddling with the buffer.

We don't add a regression test because that would require setting up
something in the zend_test extension, and regressions are supposed
to be caught by external consumers of this API, such as mailparse.

Closes GH-15648.
Christoph M. Becker 2024-08-30 19:13:44 +02:00
parent bf9929a26c
commit 93021c635d
GPG Key ID: D66C9593118BCCB6
2 changed files with 6 additions and 0 deletions

NEWS

@ -25,6 +25,10 @@ PHP NEWS
. Fixed bug GH-15432 (Heap corruption when querying a vector). (cmb,
Kamil Tekiela)
- Streams:
. Fixed bug GH-15628 (php_stream_memory_get_buffer() not zero-terminated).
(cmb)
29 Aug 2024, PHP 8.2.23
- Core:


@ -60,6 +60,7 @@ static ssize_t php_stream_memory_write(php_stream *stream, const char *buf, size
if (count) {
ZEND_ASSERT(buf != NULL);
memcpy(ZSTR_VAL(ms->data) + ms->fpos, (char*) buf, count);
ZSTR_VAL(ms->data)[ZSTR_LEN(ms->data)] = '\0';
ms->fpos += count;
}
return count;
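Review bot: The store `ZSTR_VAL(ms->data)[ZSTR_LEN(ms->data)] = '\0';` after the memcpy is in bounds only if ms->data always has one byte beyond ZSTR_LEN, and nothing in the visible context establishes that; the commit message itself is only "reasonably sure". Please add a one-line comment naming the zend_string allocation invariant this relies on. Since no regression test is added, consider also a `ZEND_ASSERT(ms->fpos + count <= ZSTR_LEN(ms->data));` next to the existing assert, so debug builds catch a memcpy that would run past the string. The terminator index depends on ZSTR_LEN, not on fpos or count, so the store could sit beside the resize rather than being repeated on every non-empty write.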
@ -240,6 +241,7 @@ static int php_stream_memory_set_option(php_stream *stream, int option, int valu
size_t old_size = ZSTR_LEN(ms->data);
ms->data = zend_string_realloc(ms->data, newsize, 0);
memset(ZSTR_VAL(ms->data) + old_size, 0, newsize - old_size);
ZSTR_VAL(ms->data)[ZSTR_LEN(ms->data)] = '\0';
}
return PHP_STREAM_OPTION_RETURN_OK;
}
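Review bot: In this growth branch the memset zero-fills from old_size up to newsize - 1, and the added store then writes index ZSTR_LEN separately. Assuming zend_string_realloc sets the length to newsize, extending the memset length to `newsize - old_size + 1` would cover the terminator in one call and keep the two from drifting apart. The visible context shows only the path where the buffer grows, so please confirm that the shrinking path of this option also leaves a NUL at ZSTR_LEN, or add the same store there.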