author | libnex <emmanuel.law@gmail.com> | 2016-01-04 12:27:27 +1300 |
---|---|---|
committer | Anatol Belski <ab@php.net> | 2016-01-06 06:33:04 +0100 |
commit | c666a67a9873707a6cd9c83bbd09c3ac1b76e0d2 (patch) | |
tree | 08b5e1602bcf4ddc43201a346df16e8b4ec280ce | |
parent | bf76af30c7c8c5c225cd2ff8af0caedd97354d9e (diff) | |
Patch for Heap Buffer Overflow in EscapeShell
Proposed patch for bug #71270
-rw-r--r-- | ext/standard/exec.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index 8dd0d5dfd7..e330da3c46 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -253,7 +253,7 @@ PHPAPI zend_string *php_escape_shell_cmd(char *str)
 #endif
- cmd = zend_string_alloc(2 * l, 0);
+ cmd = zend_string_safe_alloc(2, l, 0, 0);
 for (x = 0, y = 0; x < l; x++) {
 int mb_len = php_mblen(str + x, (l - x));
@@ -345,7 +345,7 @@ PHPAPI zend_string *php_escape_shell_arg(char *str)
 size_t estimate = (4 * l) + 3;
- cmd = zend_string_alloc(4 * l + 2, 0); /* worst case */
+ cmd = zend_string_safe_alloc(4, l, 2, 0); /* worst case */
 #ifdef PHP_WIN32
 ZSTR_VAL(cmd)[y++] = '"';
 |
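Review bot: The size passed to `zend_string_safe_alloc(2, l, 0, 0)` is now overflow-checked, but the loop directly below still indexes the buffer with `x`, `y` and `l`, whose declarations are outside this hunk. If they are `int` (to be confirmed in the function prologue), `y` can pass INT_MAX for inputs above 1 GiB, because up to `2 * l` bytes are written, so the write index wraps even though the allocation is the right size. The same applies to `ZSTR_VAL(cmd)[y++]` in the php_escape_shell_arg hunk, where the factor is 4. I would declare them as `size_t x, y, l = strlen(str);` or reject over-long input before allocating, and add a regression test for bug #71270, since the diffstat shows only exec.c changing.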
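Review bot: The context line `size_t estimate = (4 * l) + 3;` in php_escape_shell_arg keeps the unchecked multiplication that the allocation two lines below just stopped using. The product is evaluated in the type of `l` before it is widened to `size_t`, so if `l` is a narrower signed type (its declaration is outside the hunk) `estimate` can wrap where `zend_string_safe_alloc(4, l, 2, 0)` would not. How `estimate` is used later is also outside the hunk, so I can't tell how much it matters here. Suggested change: `size_t estimate = (4 * (size_t)l) + 3;`, and the same for any equivalent estimate in php_escape_shell_cmd.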