From 7bd365ebc471409f85e6561f7da4f93d7017bfa4 Mon Sep 17 00:00:00 2001
From: xXx-caillou-xXx
Date: Fri, 13 Jul 2018 14:55:23 +0200
Subject: Fix various possible integer overflows

---
 src/sp_unserialize.c | 4 ++++
 src/sp_utils.c | 5 +++++
 src/sp_var_value.c | 16 +++++++++-------
 3 files changed, 18 insertions(+), 7 deletions(-)

(limited to 'src')

diff --git a/src/sp_unserialize.c b/src/sp_unserialize.c
index db99389..0f27255 100644
--- a/src/sp_unserialize.c
+++ b/src/sp_unserialize.c
@@ -24,6 +24,10 @@ PHP_FUNCTION(sp_serialize) {
 call_user_function(CG(function_table), NULL, &func_name, &hmac, 3, params);
 size_t len = Z_STRLEN_P(return_value) + Z_STRLEN(hmac);
+ if (len < Z_STRLEN_P(return_value)) {
+ sp_log_err("overflow_error", "Overflow tentative detected in sp_serialize.");
+ sp_terminate();
+ }
 zend_string *res = zend_string_alloc(len, 0);
 memcpy(ZSTR_VAL(res), Z_STRVAL_P(return_value), Z_STRLEN_P(return_value));
diff --git a/src/sp_utils.c b/src/sp_utils.c
index a94ab2a..14b7c09 100644
--- a/src/sp_utils.c
+++ b/src/sp_utils.c
@@ -143,6 +143,11 @@ int sp_log_request(const zend_string* folder, const zend_string* text_repr,
 static char* zend_string_to_char(const zend_string* zs) {
 // Remove \0 from the middle of a string
+
+ if (ZSTR_LEN(zs) + 1 < ZSTR_LEN(zs)) {
+ sp_log_err("overflow_error", "Overflow tentative detected in zend_string_to_char.");
+ sp_terminate();
+ }
 char* copy = emalloc(ZSTR_LEN(zs) + 1);
 copy[ZSTR_LEN(zs)] = 0;
diff --git a/src/sp_var_value.c b/src/sp_var_value.c
index e91c3d8..9f656b7 100644
--- a/src/sp_var_value.c
+++ b/src/sp_var_value.c
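Review bot: The new guard in sp_serialize only protects the allocation if sp_terminate() never returns; I cannot tell from this hunk whether it can (a non-fatal or simulation mode would do that), and if it does, execution falls straight through to `zend_string_alloc(len, 0)` and the memcpy with the wrapped `len`. Either add an explicit `return;` after `sp_terminate();`, matching whatever the other guards in this file do, or move the allocation and copies into an `else` branch so the bad length is never used. The message `"Overflow tentative detected in sp_serialize."` is a Gallicism; `"Integer overflow detected in sp_serialize."` reads correctly, and the same wording is used in the zend_string_to_char hunk of sp_utils.c. Since both operands are lengths of strings already in memory, a one-line comment such as `// defensive: two live string lengths cannot realistically wrap size_t` would tell the next reader why the check looks unreachable. PHP_FUNCTION(sp_serialize) continues outside the hunk.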
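Review bot: In zend_string_to_char the inserted block now sits between the `// Remove \0 from the middle of a string` comment and the emalloc/copy code it describes, so the comment reads as if it explained the overflow check. I would put the guard first, directly under the opening brace without the added empty line, and keep the comment immediately above `char* copy = emalloc(ZSTR_LEN(zs) + 1);`. `ZSTR_LEN(zs) + 1 < ZSTR_LEN(zs)` is a correct unsigned-wrap test, but it is only true when the length is exactly SIZE_MAX; a short comment, `// ZSTR_LEN(zs) + 1 below would wrap to 0`, makes the intent explicit. zend_string_to_char continues outside the hunk.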
@@ -131,17 +131,19 @@ static zval *get_object_property(zend_execute_data *ed, zval *object,
 }
 }
 zvalue = get_entry_hashtable(array, property, strlen(property));
+ // TODO do we want to log overflow?
 if (!zvalue) {
- char *protected_property = emalloc(strlen(property) + 4);
- len = sprintf(protected_property, PROTECTED_PROP_FMT, 0, 0, property);
- zvalue = get_entry_hashtable(array, protected_property, len);
+ len = strlen(property) + 4;
+ char *protected_property = emalloc(len);
+ snprintf(protected_property, len, PROTECTED_PROP_FMT, 0, 0, property);
+ zvalue = get_entry_hashtable(array, protected_property, len - 1);
 efree(protected_property);
 }
 if (!zvalue) {
- char *private_property = emalloc(strlen(class_name) + 3 + strlen(property));
- len =
- sprintf(private_property, PRIVATE_PROP_FMT, 0, class_name, 0, property);
- zvalue = get_entry_hashtable(array, private_property, len);
+ len = strlen(class_name) + 3 + strlen(property);
+ char *private_property = emalloc(len);
+ snprintf(private_property, len, PRIVATE_PROP_FMT, 0, class_name, 0, property);
+ zvalue = get_entry_hashtable(array, private_property, len - 1);
 efree(private_property);
 }
 return zvalue;
-- 
cgit v1.3
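Review bot: Replacing the sprintf return value with `len - 1` in both branches of get_object_property (whose body starts and ends outside the hunk) hard-codes the assumption that PROTECTED_PROP_FMT and PRIVATE_PROP_FMT produce exactly `len - 1` bytes, i.e. it couples the lookup length to the `+ 4` and `+ 3` constants and to format strings not visible here; if either format changes, the hash lookup silently uses a wrong length. Keeping the snprintf result and requiring it to equal `len - 1` also answers the `// TODO do we want to log overflow?` comment: a wrapped `len` would make snprintf truncate and return a value at or above `len`, which is the signal to log and terminate on, and performing the lookup only on success means a returning sp_terminate() cannot continue with a partial key. `len` is declared outside the hunk; if it is an int, `len = strlen(property) + 4` now narrows a size_t and the comparison below needs its cast adjusted, so please confirm its type. The private_property branch should get the same treatment.
```c
  if (!zvalue) {
    len = strlen(property) + 4;
    char *protected_property = emalloc(len);
    int written = snprintf(protected_property, len, PROTECTED_PROP_FMT, 0, 0, property);
    if (written < 0 || (size_t)written != len - 1) {
      // Truncation here means len wrapped or the format no longer matches the +4 budget.
      sp_log_err("overflow_error", "Mangled property name length mismatch in get_object_property.");
      sp_terminate();
    } else {
      zvalue = get_entry_hashtable(array, protected_property, (size_t)written);
    }
    efree(protected_property);
  }
  // … unchanged: private_property branch, with the same written/len - 1 check …
```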