authorRemi Collet <remi@php.net>2012-11-28 10:35:04 +0100
committerRemi Collet <remi@php.net>2012-11-28 10:35:04 +0100
commitbc492007da8c8614545a32560c445ab4e02baed0 (patch)
treec07a3e4909ed448727df85c031a3707934b3e4e7
parentf08060a48fadf079e860be73584ac87747dc59d6 (diff)
downloadphp-git-bc492007da8c8614545a32560c445ab4e02baed0.tar.gz
Fixed Bug #63581 Possible buffer overflow
In fpm-log, possible buffer overflow. The length check is done at the beginning of the loop, so it is not done when the overflow occurs on the last iteration (len = 1024 or 1025). (ack from fat). This issue was found by a static code analysis tool, so I can't provide any reproducer.
-rw-r--r--NEWS3
-rw-r--r--sapi/fpm/fpm/fpm_log.c7
2 files changed, 7 insertions, 3 deletions
diff --git a/NEWS b/NEWS
index eb4238ab78..08da27c53e 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ PHP NEWS
. Fixed bug #63590 (Different results in TS and NTS under Windows).
(Anatoliy)
+- FPM:
+ . Fixed bug #63581 Possible null dereference and buffer overflow (Remi)
+
- Imap:
. Fixed Bug #63126 DISABLE_AUTHENTICATOR ignores array (Remi)
diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c
index 69bd31b113..6b014b5005 100644
--- a/sapi/fpm/fpm/fpm_log.c
+++ b/sapi/fpm/fpm/fpm_log.c
@@ -96,7 +96,7 @@ int fpm_log_init_child(struct fpm_worker_pool_s *wp) /* {{{ */
int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
{
char *s, *b;
- char buffer[FPM_LOG_BUFFER];
+ char buffer[FPM_LOG_BUFFER+1];
int token, test;
size_t len, len2;
struct fpm_scoreboard_proc_s proc, *proc_p;
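Review bot: The extra byte in `char buffer[FPM_LOG_BUFFER+1];` is not explained at the declaration, so the invariant that the later bound check depends on is easy to break in a future edit. Presumably the spare byte is for whatever is stored at `buffer[len]` after the format loop when `len == FPM_LOG_BUFFER`, but that code is outside this hunk and should be confirmed. A comment such as `/* +1: room for the byte appended after the loop when len == FPM_LOG_BUFFER */` would record the reason next to the size.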
@@ -146,9 +146,10 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
s = log_format;
while (*s != '\0') {
- if (len > FPM_LOG_BUFFER) {
+ /* Test is we have place for 1 more char. */
+ if (len >= FPM_LOG_BUFFER) {
zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
- len = FPM_LOG_BUFFER - 1;
+ len = FPM_LOG_BUFFER;
break;
}
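Review bot: The new guard `if (len >= FPM_LOG_BUFFER)` only guarantees room for one more byte at the top of each iteration, as its own comment says. Any branch in the loop body that appends more than one byte per pass needs its own bound, and that body is outside this hunk so it cannot be checked here. If such a branch adds a formatted length to `len`, clamp it to the remaining space before advancing `b` and `len`, because snprintf-style functions return the untruncated length. The added comment also has a typo; `/* Test if we have room for 1 more char. */` reads correctly.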