authorxXx-caillou-xXx2018-07-13 14:55:23 +0200
committerjvoisin2018-07-13 12:55:23 +0000
commit7bd365ebc471409f85e6561f7da4f93d7017bfa4 (patch)
tree3a5ef9438a025e53de751a6dd9162cc7ee5df960 /src
parentb1bf270b41f94ce2df668be611e5b646397a7a52 (diff)
Fix various possible integer overflows
Diffstat (limited to 'src')
-rw-r--r--src/sp_unserialize.c4
-rw-r--r--src/sp_utils.c5
-rw-r--r--src/sp_var_value.c16
3 files changed, 18 insertions, 7 deletions
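--- a/src/sp_unserialize.c
+++ b/src/sp_unserialize.c
@@ -24,6 +24,10 @@ PHP_FUNCTION(sp_serialize) {
 call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params);
 
 size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac);
+if (len < Z_STRLEN_P(return_value)) {
+sp_log_err("overflow_error", "Overflow tentative detected in sp_serialize.");
+sp_terminate();
+}
 zend_string *res = zend_string_alloc(len, 0);
 
 memcpy(ZSTR_VAL(res), Z_STRVAL_P(return_value), Z_STRLEN_P(return_value));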
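Review bot: The new guard on new lines 27–30 reads Z_STRLEN(hmac), but the call_user_function() result on the context line just above it is never checked, so if the callback fails (for instance because the hashing function is unavailable) hmac may never have been set to a string and the length read here is whatever the zval held beforehand; a check such as `if (call_user_function(...) != SUCCESS || Z_TYPE(hmac) != IS_STRING) { sp_log_err(...); sp_terminate(); }` belongs before the addition. The wrap check itself is sound for unsigned size_t, but it only protects the sum; zend_string_alloc() still adds its own header and terminator to len, which I presume is not separately checked, so a len within a few bytes of SIZE_MAX would pass this guard and wrap inside the allocator. Both conditions also assume sp_terminate() does not return; if it can, the code should `return` after it rather than fall through to the allocation. The function sp_serialize begins before this hunk and ends after it.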
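--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -143,6 +143,11 @@ int sp_log_request(const zend_string* folder, const zend_string* text_repr,
 
 static char* zend_string_to_char(const zend_string* zs) {
 // Remove \0 from the middle of a string
+
+if (ZSTR_LEN(zs) + 1 < ZSTR_LEN(zs)) {
+sp_log_err("overflow_error", "Overflow tentative detected in zend_string_to_char.");
+sp_terminate();
+}
 char* copy = emalloc(ZSTR_LEN(zs) + 1);
 
 copy[ZSTR_LEN(zs)] = 0;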
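Review bot: The inserted guard on new lines 147–150 now sits between the comment `// Remove \0 from the middle of a string` and the code that comment describes, so the comment reads as if it explained the overflow check; move the comment down to the emalloc() line, or give the guard its own, e.g. `// ZSTR_LEN(zs) + 1 is the copy size; refuse the wrap before allocating`. Assuming ZSTR_LEN() yields a size_t as elsewhere in the Zend API, `ZSTR_LEN(zs) + 1 < ZSTR_LEN(zs)` is true only when the length equals SIZE_MAX, so `if (ZSTR_LEN(zs) == SIZE_MAX)` states the same condition more directly and makes it plain that the case is effectively unreachable for a live zend_string. The blank line added at new line 146 further separates the comment from the code for no reason. The rest of zend_string_to_char, including the copy that strips the embedded NULs, lies outside this hunk.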
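--- a/src/sp_var_value.c
+++ b/src/sp_var_value.c
@@ -131,17 +131,19 @@ static zval *get_object_property(zend_execute_data *ed, zval *object,
 }
 }
 zvalue = get_entry_hashtable(array, property, strlen(property));
+// TODO do we want to log overflow?
 if (!zvalue) {
-char *protected_property = emalloc(strlen(property) + 4);
-len = sprintf(protected_property, PROTECTED_PROP_FMT, 0, 0, property);
-zvalue = get_entry_hashtable(array, protected_property, len);
+len = strlen(property) + 4;
+char *protected_property = emalloc(len);
+snprintf(protected_property, len, PROTECTED_PROP_FMT, 0, 0, property);
+zvalue = get_entry_hashtable(array, protected_property, len - 1);
 efree(protected_property);
 }
 if (!zvalue) {
-char *private_property = emalloc(strlen(class_name) + 3 + strlen(property));
-len =
-sprintf(private_property, PRIVATE_PROP_FMT, 0, class_name, 0, property);
-zvalue = get_entry_hashtable(array, private_property, len);
+len = strlen(class_name) + 3 + strlen(property);
+char *private_property = emalloc(len);
+snprintf(private_property, len, PRIVATE_PROP_FMT, 0, class_name, 0, property);
+zvalue = get_entry_hashtable(array, private_property, len - 1);
 efree(private_property);
 }
 return zvalue;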
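Review bot: The snprintf() return values on new lines 138 and 145 are discarded while the lookups on 139 and 146 pass `len - 1` as the key length, so the code silently assumes PROTECTED_PROP_FMT and PRIVATE_PROP_FMT expand to exactly len - 1 bytes; if they do not, or are ever changed, the key is truncated and the lookup quietly misses instead of the mismatch being caught. Capturing the result, `int n = snprintf(protected_property, len, PROTECTED_PROP_FMT, 0, 0, property);`, and only calling get_entry_hashtable with `(size_t)n` after checking `n >= 0 && (size_t)n < len` removes that coupling at two lines per site. The declaration of `len` is outside this hunk; it used to receive sprintf()'s int, and if it is still an int the new `len = strlen(property) + 4` narrows a size_t and then feeds it back to emalloc()/snprintf() as a size, which is worth changing to size_t while touching this. The added `// TODO do we want to log overflow?` also leaves the one overflow in this hunk unaddressed although the commit title says it fixes them; since `strlen(property) + 4` cannot realistically wrap, either add the same guard the other two files gained or drop the TODO rather than ship the question. get_object_property starts before this hunk.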