diff options
| author | Yasuo Ohgaki <yohgaki@php.net> | 2002-05-20 01:40:22 +0000 |
|---|---|---|
| committer | Yasuo Ohgaki <yohgaki@php.net> | 2002-05-20 01:40:22 +0000 |
| commit | 62b8c290836cbed1e8918153da25d08e48b8a3ab (patch) | |
| tree | 0e0e9eca51f11447b00fa0e9d2e70205ec5918f3 | |
| parent | 935809872a7088aa6d47854288dd7da57fe1ed69 (diff) | |
| download | php-git-62b8c290836cbed1e8918153da25d08e48b8a3ab.tar.gz | |
Fixed possible pg_lo_write() overflow and make it more fail safe.
| -rw-r--r-- | ext/pgsql/pgsql.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index 2ec9304914..f4e41dd738 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -1904,6 +1904,16 @@ PHP_FUNCTION(pg_lo_write) if (argc > 2) { convert_to_long_ex(z_len); + if (Z_LVAL_PP(z_len) > Z_STRLEN_PP(str)) { + php_error(E_WARNING, "%s() cannot write more than buffer size %d. Tried to wtite %d", + get_active_function_name(TSRMLS_C), Z_LVAL_PP(str), Z_LVAL_PP(z_len)); + RETURN_FALSE; + } + if (Z_LVAL_PP(z_len) < 0) { + php_error(E_WARNING, "%s() buffer size must be larger than 0. %d specified for buffer size.", + get_active_function_name(TSRMLS_C), Z_LVAL_PP(str), Z_LVAL_PP(z_len)); + RETURN_FALSE; + } len = Z_LVAL_PP(z_len); } else { @@ -1925,7 +1935,7 @@ PHP_FUNCTION(pg_lo_write) PHP_FUNCTION(pg_lo_read_all) { zval **pgsql_id; - int i, tbytes; + int tbytes; volatile int nbytes; char buf[PGSQL_LO_READ_BUF_SIZE]; pgLofp *pgsql; |