| author | Stanislav Malyshev <stas@php.net> | 2016-09-12 21:09:30 -0700 | 
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-09-12 21:09:30 -0700 | 
| commit | 07c6bdb85d3efe21598ebb8af6fcebceb9d486e9 (patch) | |
| tree | 0fb02e7c08ec0b50791020ac862fc56e1f475135 /ext/mysqlnd/mysqlnd_wireprotocol.c | |
| parent | 2d8ab51576695630a7471ff829cc5ea10becdc0f (diff) | |
| parent | c984661d39cfa4db1dd97fde1f59c77a44991440 (diff) | |
| download | php-git-07c6bdb85d3efe21598ebb8af6fcebceb9d486e9.tar.gz | |
Merge branch 'PHP-7.0.11' into PHP-7.0
* PHP-7.0.11: (22 commits)
  Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields
  I don't think 8cceb012a7aabf3c36ab7c2724a436f976cdd165 is needed
  Fix test
  Add check in fgetcsv in case sizeof(unit) != sizeof(size_t)
  Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
  Fix bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile)
  Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
  Fix bug #73029 - Missing type check when unserializing SplArray
  Fix bug #72860: wddx_deserialize use-after-free
  Fix bug #73007: add locale length check
  Fix bug #72928 - Out of bound when verify signature of zip phar in phar_parse_zipfile
  sync NEWS
  Revert "Merge branch 'PHP-5.6' into PHP-7.0"
  Merge branch 'PHP-5.6' into PHP-7.0
  Merge branch 'PHP-5.6' into PHP-7.0
  Revert "Revert "Merge branch 'PHP-5.6' into PHP-7.0""
  fix version
  sync NEWS
  Fix bug #72957
  set versions
  ...
Diffstat (limited to 'ext/mysqlnd/mysqlnd_wireprotocol.c')
| -rw-r--r-- | ext/mysqlnd/mysqlnd_wireprotocol.c | 7 | 
1 files changed, 6 insertions, 1 deletions
diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c
index 8f80bbaada..5871c3c346 100644
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -1608,6 +1608,7 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
 	zend_uchar * p = row_buffer->ptr;
 	size_t data_size = row_buffer->app;
 	zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
+	const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;
 	DBG_ENTER("php_mysqlnd_rowp_read_text_protocol_aux");
@@ -1619,11 +1620,15 @@ php_mysqlnd_rowp_read_text_protocol_aux(MYSQLND_MEMORY_POOL_CHUNK * row_buffer,
 	for (i = 0, current_field = start_field; current_field < end_field; current_field++, i++) {
 		/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */
-		zend_ulong len = php_mysqlnd_net_field_length(&p);
+		const zend_ulong len = php_mysqlnd_net_field_length(&p);
 		/* NULL or NOT NULL, this is the question! */
 		if (len == MYSQLND_NULL_LENGTH) {
 			ZVAL_NULL(current_field);
+		} else if ((p + len) > packet_end) {
+			php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
+											  " bytes after end of packet", (p + len) - packet_end - 1);
+			DBG_RETURN(FAIL);
 		} else {
 #if defined(MYSQLND_STRING_TO_INT_CONVERSION)
 			struct st_mysqlnd_perm_bind perm_bind =
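Review bot: The new guard `(p + len) > packet_end` in the second hunk forms a pointer from the server-supplied `len` before validating it; `len` is a `zend_ulong` decoded from the packet by `php_mysqlnd_net_field_length()` and nothing visible here bounds it, so a large value can make `p + len` wrap to an address below `packet_end` and slip past the check, and computing a pointer that far outside the buffer is undefined behaviour the compiler is free to assume never happens. Compare the length against the bytes remaining instead: `} else if (p > packet_end || len > (size_t)(packet_end - p)) {`, and report `len - (size_t)(packet_end - p)` in the warning rather than `(p + len) - packet_end - 1`, which also avoids the off-by-one in the reported byte count. The `p > packet_end` half additionally catches the case where the length prefix itself was read past the end of the packet, which the hunk does not appear to check as far as the visible lines show. The loop body and the enclosing function continue outside the hunk.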
