Electronics & Programming

develissimo

Open Source electronics development and programming


#1 March 26, 2008 15:07:44

Magnus W.
Registered: 2009-11-02

[PHP-DEV] [PATCH] main/fopen_wrappers.c: expand_filepath() - Potential for un-freed dynamic memory


expand_filepath()'s declaration:

char *expand_filepath(const char *filepath, char *real_path TSRMLS_DC)

It can accept NULL as real_path param. and will dynamically create an expanded
pathname string to return to caller.

It can also accept a MAXPATHLEN-sized array as real_path and is supposed to
copy expanded pathname to this array (as well as return the array).

However, under certain conditions, function always dynamically creates string
(via estrndup()), without checking whether real_path is pre-existing char array.

If these conditions occur when caller expects the copy behavior, the return
value will not be freed (see php_check_specific_open_basedir() in
main/fopen_wrappers.c for several instances).

The following patch (against HEAD, but issue exists in PHP 5.2.5 as well) fixes
this behavior.


--- php-src/main/fopen_wrappers.c 2008-03-26 08:15:31.390625000 -0400
+++ php-src_EDIT/main/fopen_wrappers.c 2008-03-26 08:16:47.156250000 -0400
@@ -676,7 +676,13 @@
* we cannot cannot getcwd() and the requested,
* relatively referenced file is accessible */
copy_len = strlen(filepath) > MAXPATHLEN - 1 ? MAXPATHLEN - 1
: strlen(filepath);
- real_path = estrndup(filepath, copy_len);
+
+ if (real_path) {
+ memcpy(real_path, filepath, copy_len);
+ real_path = '\0';
+ } else {
+ real_path = estrndup(filepath, copy_len);
+ }
close(fdtest);
return real_path;
} else {
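
Review bot: In the new `if (real_path)` branch, `real_path = '\0';` assigns a null pointer constant to the pointer itself instead of terminating the copied string, so the following `return real_path;` returns NULL and the caller's buffer is left without a terminator. It should be `real_path[copy_len] = '\0';`, which stays in bounds for a MAXPATHLEN-sized array because copy_len is capped at MAXPATHLEN - 1. The doubled "cannot cannot" in the context comment could be fixed in the same pass.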




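The ownership contract described in the post, as an added example that is not part of the original message or of PHP's source. `demo_expand`, `caller_would_leak` and `DEMO_MAXPATHLEN` are hypothetical names, and `malloc` stands in for `estrndup()`.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_MAXPATHLEN 64   /* assumption: stand-in for MAXPATHLEN */

/* Hypothetical stand-in for the fallback branch described in the post.
 * honor_buffer == 0 models the reported behaviour: always allocate.
 * honor_buffer == 1 models the intended contract: fill the caller's
 * buffer when one is supplied, allocate only when out is NULL. */
static char *demo_expand(const char *filepath, char *out, int honor_buffer)
{
    size_t copy_len = strlen(filepath);
    if (copy_len > DEMO_MAXPATHLEN - 1)
        copy_len = DEMO_MAXPATHLEN - 1;

    if (out == NULL || !honor_buffer) {
        char *dup = malloc(copy_len + 1);   /* stands in for estrndup() */
        if (dup == NULL)
            return NULL;
        memcpy(dup, filepath, copy_len);
        dup[copy_len] = '\0';
        return dup;                         /* caller now owns this block */
    }
    memcpy(out, filepath, copy_len);
    out[copy_len] = '\0';                   /* terminate buffer, keep pointer */
    return out;
}

/* Models a caller that passes a stack buffer and never frees the result.
 * Returns 1 if that caller would leak (result is a separate heap block). */
static int caller_would_leak(const char *filepath, int honor_buffer)
{
    char buf[DEMO_MAXPATHLEN];
    char *res = demo_expand(filepath, buf, honor_buffer);
    int leaked = (res != NULL && res != buf);
    if (leaked)
        free(res);   /* the demo frees it; the callers in the post do not */
    return leaked;
}

int main(void)
{
    printf("always allocates: leak=%d\n", caller_would_leak("docs/a.txt", 0));
    printf("honors buffer:    leak=%d\n", caller_would_leak("docs/a.txt", 1));
    return 0;
}
```

Comparing the returned pointer with the buffer that was passed in is also a cheap assertion a caller can use to catch this class of contract mismatch during testing.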