| -rw-r--r-- | src/sp_unserialize.c | 4 | ||||
| -rw-r--r-- | src/sp_utils.c | 5 | ||||
| -rw-r--r-- | src/sp_var_value.c | 16 |
3 files changed, 18 insertions, 7 deletions
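--- a/src/sp_unserialize.c
+++ b/src/sp_unserialize.c
@@ -24,6 +24,10 @@ PHP_FUNCTION(sp_serialize) {
 call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params);
 
 size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac);
+if (len < Z_STRLEN_P(return_value)) {
+sp_log_err("overflow_error", "Overflow tentative detected in sp_serialize.");
+sp_terminate();
+}
 zend_string *res = zend_string_alloc(len, 0);
 
 memcpy(ZSTR_VAL(res), Z_STRVAL_P(return_value), Z_STRLEN_P(return_value));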
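Review bot: The added `len < Z_STRLEN_P(return_value)` test catches a wrap of the sum itself, but not a sum that lands just below SIZE_MAX: zend_string_alloc adds its own header and terminator bytes to `len` before allocating, so the size can presumably still wrap inside the allocator. `zend_string_safe_alloc(1, Z_STRLEN_P(return_value), Z_STRLEN(hmac), 0)` performs the whole computation with overflow checking, at the cost of raising PHP's own fatal error instead of the sp_log_err entry. The log text reads "Overflow tentative"; "Overflow attempt" is probably what is meant, and the same wording appears in the zend_string_to_char hunk in src/sp_utils.c. The body of sp_serialize continues outside the hunk, so whether `hmac` is confirmed to be a string before Z_STRLEN is applied cannot be seen here.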
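--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -143,6 +143,11 @@ int sp_log_request(const zend_string* folder, const zend_string* text_repr,
 
 static char* zend_string_to_char(const zend_string* zs) {
 // Remove \0 from the middle of a string
+
+if (ZSTR_LEN(zs) + 1 < ZSTR_LEN(zs)) {
+sp_log_err("overflow_error", "Overflow tentative detected in zend_string_to_char.");
+sp_terminate();
+}
 char* copy = emalloc(ZSTR_LEN(zs) + 1);
 
 copy[ZSTR_LEN(zs)] = 0;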
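Review bot: `ZSTR_LEN(zs) + 1 < ZSTR_LEN(zs)` is only true when the length equals SIZE_MAX, so the guard reads more clearly as `if (ZSTR_LEN(zs) == SIZE_MAX) {`, or it can be folded into the allocation with `safe_emalloc(1, ZSTR_LEN(zs), 1)`. The new check also separates the existing comment `// Remove \0 from the middle of a string` from the copy it describes; a short comment on the guard, such as `// ZSTR_LEN(zs) + 1 would wrap to 0 and under-allocate`, would keep both readable. The body of zend_string_to_char continues past the end of the hunk.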
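--- a/src/sp_var_value.c
+++ b/src/sp_var_value.c
@@ -131,17 +131,19 @@ static zval *get_object_property(zend_execute_data *ed, zval *object,
 }
 }
 zvalue = get_entry_hashtable(array, property, strlen(property));
+// TODO do we want to log overflow?
 if (!zvalue) {
-char *protected_property = emalloc(strlen(property) + 4);
-len = sprintf(protected_property, PROTECTED_PROP_FMT, 0, 0, property);
-zvalue = get_entry_hashtable(array, protected_property, len);
+len = strlen(property) + 4;
+char *protected_property = emalloc(len);
+snprintf(protected_property, len, PROTECTED_PROP_FMT, 0, 0, property);
+zvalue = get_entry_hashtable(array, protected_property, len - 1);
 efree(protected_property);
 }
 if (!zvalue) {
-char *private_property = emalloc(strlen(class_name) + 3 + strlen(property));
-len =
-sprintf(private_property, PRIVATE_PROP_FMT, 0, class_name, 0, property);
-zvalue = get_entry_hashtable(array, private_property, len);
+len = strlen(class_name) + 3 + strlen(property);
+char *private_property = emalloc(len);
+snprintf(private_property, len, PRIVATE_PROP_FMT, 0, class_name, 0, property);
+zvalue = get_entry_hashtable(array, private_property, len - 1);
 efree(private_property);
 }
 return zvalue;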
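Review bot: Neither `len = strlen(property) + 4;` nor `len = strlen(class_name) + 3 + strlen(property);` is checked for wrap before `emalloc(len)`, although the other two files in this commit terminate on exactly that condition and the added TODO leaves the question open. The declaration of `len` is outside the hunk; it previously received sprintf's return value, so if it is still an `int` the size_t sum is narrowed before it reaches emalloc and snprintf, and declaring it `size_t` would be safer (to be confirmed against the full function). The return value of snprintf is now discarded and the key length is assumed to be `len - 1`; keeping it, e.g. `int n = snprintf(...); if (n < 0 || (size_t)n != len - 1) { ... }`, would catch a format string and size constant that drift apart instead of looking up a truncated key.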
