authorJoe Watkins <krakjoe@php.net>2018-11-13 12:59:50 +0100
committerJoe Watkins <krakjoe@php.net>2018-11-13 13:00:08 +0100
commit8a11c9ee7696bcf7d57014032333eb5eb5f42fab (patch)
tree15b9263d8a7faccf249e7fdcfa3275f4d8655714
parentf76be1a0d682fb11c706a789cce1dfb898041f30 (diff)
parentce4eb8997651e04fa9284ac3a7e1a2fb2da7df9e (diff)
downloadphp-git-8a11c9ee7696bcf7d57014032333eb5eb5f42fab.tar.gz
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2: Validate length on socket_write
-rw-r--r--NEWS3
-rw-r--r--ext/sockets/sockets.c15
-rw-r--r--ext/sockets/tests/socket_send_params.phpt17
-rw-r--r--ext/sockets/tests/socket_sendto_params.phpt17
-rw-r--r--ext/sockets/tests/socket_write_params.phpt1
5 files changed, 53 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 8d2b34aebd..dd324d7bd2 100644
--- a/NEWS
+++ b/NEWS
@@ -29,6 +29,9 @@ PHP NEWS
(Cameron Porter)
. Fixed bug #76348 (WSDL_CACHE_MEMORY causes Segmentation fault). (cmb)
+- Sockets:
+ . Fixed bug #67619 (Validate length on socket_write). (thiagooak)
+
- Standard:
. Fixed bug #77081 (ftruncate() changes seek pointer in c mode). (cmb, Anatol)
diff --git a/ext/sockets/sockets.c b/ext/sockets/sockets.c
index e8e689f83a..a962ba3219 100644
--- a/ext/sockets/sockets.c
+++ b/ext/sockets/sockets.c
@@ -1209,6 +1209,11 @@ PHP_FUNCTION(socket_write)
return;
}
+ if (length < 0) {
+ php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+ RETURN_FALSE;
+ }
+
if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
RETURN_FALSE;
}
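Review bot: The negative-length guard added to socket_write here is pasted unchanged into socket_send and socket_sendto in the next two hunks, and none of the three copies says why a negative value has to be rejected. A one-line comment above each check, such as `/* a negative length must never reach the size_t argument of the write/send call */`, would keep a later refactor from dropping it; the calls themselves are outside these hunks, so that wording should be checked against them. The guard also only bounds the value from below: whether `length`/`len` is clamped to the string's actual length before the call is not visible here and is worth confirming, since an oversized length would read past the buffer. All three function bodies start and end outside their hunks.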
@@ -1751,6 +1756,11 @@ PHP_FUNCTION(socket_send)
return;
}
+ if (len < 0) {
+ php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+ RETURN_FALSE;
+ }
+
if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
RETURN_FALSE;
}
@@ -1913,6 +1923,11 @@ PHP_FUNCTION(socket_sendto)
return;
}
+ if (len < 0) {
+ php_error_docref(NULL, E_WARNING, "Length cannot be negative");
+ RETURN_FALSE;
+ }
+
if ((php_sock = (php_socket *)zend_fetch_resource(Z_RES_P(arg1), le_socket_name, le_socket)) == NULL) {
RETURN_FALSE;
}
diff --git a/ext/sockets/tests/socket_send_params.phpt b/ext/sockets/tests/socket_send_params.phpt
new file mode 100644
index 0000000000..44be133bf9
--- /dev/null
+++ b/ext/sockets/tests/socket_send_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_send - test with incorrect parameters
+--SKIPIF--
+<?php
+ if (!extension_loaded('sockets')) {
+ die('skip sockets extension not available.');
+ }
+?>
+--FILE--
+<?php
+ $rand = rand(1,999);
+ $s_c = socket_create_listen(31330+$rand);
+ $s_w = socket_send($s_c, "foo", -1, MSG_OOB);
+ socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_send(): Length cannot be negative in %s on line %i
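Review bot: The result of `socket_create_listen(31330+$rand)` is never checked, so if the randomly chosen port is already in use (for example by another socket test running in parallel) `$s_c` is false and the output no longer matches `--EXPECTF--`. Bail out explicitly after the call, e.g. `if ($s_c === false) { die('failed to create listening socket'); }`, so a port collision is reported as such instead of as a wrong warning. The new socket_sendto_params.phpt in the next file section has the same pattern.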
diff --git a/ext/sockets/tests/socket_sendto_params.phpt b/ext/sockets/tests/socket_sendto_params.phpt
new file mode 100644
index 0000000000..f232258ec0
--- /dev/null
+++ b/ext/sockets/tests/socket_sendto_params.phpt
@@ -0,0 +1,17 @@
+--TEST--
+ext/sockets - socket_sendto - test with incorrect parameters
+--SKIPIF--
+<?php
+ if (!extension_loaded('sockets')) {
+ die('skip sockets extension not available.');
+ }
+?>
+--FILE--
+<?php
+ $rand = rand(1,999);
+ $s_c = socket_create_listen(31330+$rand);
+ $s_w = socket_sendto($s_c, "foo", -1, MSG_OOB, '127.0.0.1');
+ socket_close($s_c);
+?>
+--EXPECTF--
+Warning: socket_sendto(): Length cannot be negative in %s on line %i
diff --git a/ext/sockets/tests/socket_write_params.phpt b/ext/sockets/tests/socket_write_params.phpt
index 5a1a5a89ff..5c56c64915 100644
--- a/ext/sockets/tests/socket_write_params.phpt
+++ b/ext/sockets/tests/socket_write_params.phpt
@@ -17,6 +17,7 @@ fa@php.net
$s_c = socket_create_listen(31330+$rand);
$s_w = socket_write($s_c);
$s_w = socket_write($s_c, "foo");
+ $s_w = socket_write($s_c, "foo", -1);
socket_close($s_c);
?>
--EXPECTF--
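Review bot: The added `socket_write($s_c, "foo", -1)` call now emits the new "Length cannot be negative" warning, but the expected output does not appear to have been extended to match. The diffstat lists a single inserted line for this file and the hunk ends at `--EXPECTF--`, so the expectation block (outside the hunk) is presumably unchanged and the test would fail on the extra output. Add `Warning: socket_write(): Length cannot be negative in %s on line %i` to the expected output, after the warnings for the two earlier calls.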