Fix various possible integer overflows

author: xXx-caillou-xXx 2018-07-13 14:55:23 +0200
committer: jvoisin 2018-07-13 12:55:23 +0000
commit: 7bd365ebc471409f85e6561f7da4f93d7017bfa4 (patch)
tree: 3a5ef9438a025e53de751a6dd9162cc7ee5df960 /src/sp_var_value.c
parent: b1bf270b41f94ce2df668be611e5b646397a7a52 (diff)
1 files changed, 9 insertions, 7 deletions
diff --git a/src/sp_var_value.c b/src/sp_var_value.c
index e91c3d8..9f656b7 100644
--- a/src/sp_var_value.c
+++ b/src/sp_var_value.c
@@ -131,17 +131,19 @@ static zval *get_object_property(zend_execute_data *ed, zval *object,
    }
  }
  zvalue = get_entry_hashtable(array, property, strlen(property));
+  // TODO do we want to log overflow?
  if (!zvalue) {
-    char *protected_property = emalloc(strlen(property) + 4);
+    len = strlen(property) + 4;
-    len = sprintf(protected_property, PROTECTED_PROP_FMT, 0, 0, property);
+    char *protected_property = emalloc(len);
-    zvalue = get_entry_hashtable(array, protected_property, len);
+    snprintf(protected_property, len, PROTECTED_PROP_FMT, 0, 0, property);
+    zvalue = get_entry_hashtable(array, protected_property, len - 1);
    efree(protected_property);
  }
  if (!zvalue) {
-    char *private_property = emalloc(strlen(class_name) + 3 + strlen(property));
+    len = strlen(class_name) + 3 + strlen(property);
-    len =
+    char *private_property = emalloc(len);
-        sprintf(private_property, PRIVATE_PROP_FMT, 0, class_name, 0, property);
+    snprintf(private_property, len, PRIVATE_PROP_FMT, 0, class_name, 0, property);
-    zvalue = get_entry_hashtable(array, private_property, len);
+    zvalue = get_entry_hashtable(array, private_property, len - 1);
    efree(private_property);
  }
  return zvalue;
author	xXx-caillou-xXx	2018-07-13 14:55:23 +0200
committer	jvoisin	2018-07-13 12:55:23 +0000
commit	7bd365ebc471409f85e6561f7da4f93d7017bfa4 (patch)
tree	3a5ef9438a025e53de751a6dd9162cc7ee5df960 /src/sp_var_value.c
parent	b1bf270b41f94ce2df668be611e5b646397a7a52 (diff)