List:       php-cvs
Subject:    [PHP-CVS] com php-src: Fixed Bug #63581 Possible buffer overflow: NEWS sapi/fpm/fpm/fpm_
From:       Remi Collet <remi () php ! net>
Date:       2012-11-28 9:35:04
Message-ID: php-mail-b11ce5d7100c85cc6215379b1c7eb16540722010 () git ! php ! net

Commit:    bc492007da8c8614545a32560c445ab4e02baed0
Author:    Remi Collet <remi@php.net>         Wed, 28 Nov 2012 10:35:04 +0100
Parents:   f08060a48fadf079e860be73584ac87747dc59d6
Branches:  PHP-5.3

Link:       http://git.php.net/?p=php-src.git;a=commitdiff;h=bc492007da8c8614545a32560c445ab4e02baed0


Log:
Fixed Bug #63581 Possible buffer overflow

In fpm-log, possible buffer overflow. Check for length is done at
the beginning of the loop, so is not done when overflow occurs
on the last loop (len = 1024 or 1025). (ack from fat).

This issue was found by a static code analysis tool and, so,
I can't provide any reproducer.

Bugs:
https://bugs.php.net/63581

Changed paths:
  M  NEWS
  M  sapi/fpm/fpm/fpm_log.c


Diff:
diff --git a/NEWS b/NEWS
index eb4238a..08da27c 100644
--- a/NEWS
+++ b/NEWS
@@ -21,6 +21,9 @@ PHP                                                                 \
                NEWS
   . Fixed bug #63590 (Different results in TS and NTS under Windows).
     (Anatoliy)
 
+- FPM:
+  . Fixed bug #63581 Possible null dereference and buffer overflow (Remi)
+
 - Imap:
   . Fixed Bug #63126 DISABLE_AUTHENTICATOR ignores array (Remi)
 
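Review bot: The NEWS entry added under "- FPM:" reads "Possible null dereference and buffer overflow", but the commit log and the sapi/fpm/fpm/fpm_log.c hunks in this commit only deal with the buffer overflow. Either drop "null dereference" from the entry or point to the change that carries that part, so the NEWS line matches what this commit fixes.
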
diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c
index 69bd31b..6b014b5 100644
--- a/sapi/fpm/fpm/fpm_log.c
+++ b/sapi/fpm/fpm/fpm_log.c
@@ -96,7 +96,7 @@ int fpm_log_init_child(struct fpm_worker_pool_s *wp)  /* {{{ */
 int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
 {
 	char *s, *b;
-	char buffer[FPM_LOG_BUFFER];
+	char buffer[FPM_LOG_BUFFER+1];
 	int token, test;
 	size_t len, len2;
 	struct fpm_scoreboard_proc_s proc, *proc_p;
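Review bot: The declaration "char buffer[FPM_LOG_BUFFER+1];" gives no reason for the extra byte. The next hunk now lets len reach FPM_LOG_BUFFER, so the two changes only work together; a one-line comment here saying the additional byte is reserved for the write at buffer[len] after the loop (presumably a trailing character, not visible in this diff) would stop a later cleanup from dropping the +1 and reintroducing the overflow.
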
@@ -146,9 +146,10 @@ int fpm_log_write(char *log_format TSRMLS_DC) /* {{{ */
 	s = log_format;
 
 	while (*s != '\0') {
-		if (len > FPM_LOG_BUFFER) {
+		/* Test is we have place for 1 more char. */
+		if (len >= FPM_LOG_BUFFER) {
 			zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been \
                truncated.", FPM_LOG_BUFFER);
-			len = FPM_LOG_BUFFER - 1;
+			len = FPM_LOG_BUFFER;
 			break;
 		}
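
Review bot: The check "if (len >= FPM_LOG_BUFFER)" only guarantees room for one more character, and only at the top of each iteration. The commit message says the overflow shows up with len = 1024 or 1025, which means a single pass through the body can advance len by more than one (len2 is declared alongside len), so every multi-byte append inside the loop needs its own bound against FPM_LOG_BUFFER - len; please confirm that those writes are capped, since they are not part of this diff. Minor: the new comment should read "Test if we have room for 1 more char."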


--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
