Fixed possible buffer overflow in 64bit systems

author: Moriyoshi Koizumi <moriyoshi@php.net> 2003-02-10 20:11:10 +0000
committer: Moriyoshi Koizumi <moriyoshi@php.net> 2003-02-10 20:11:10 +0000
commit: 9450b1e4b09e93e144fffa4cbc37eec88f727b3d (patch)
tree: c1dd78a3098d6a5f7283f89a39066301803e37b4 /main/SAPI.c
parent: 4fc819b9e8b2bf489fe97dee987250d67a9e809d (diff)
download: php-git-9450b1e4b09e93e144fffa4cbc37eec88f727b3d.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/main/SAPI.c b/main/SAPI.c
index 73ca760120..9657ba3a3f 100644
--- a/main/SAPI.c
+++ b/main/SAPI.c
@@ -619,14 +619,18 @@ SAPI_API int sapi_header_op(sapi_header_op_enum op, void *arg TSRMLS_DC)
 											 	0, &result_len, -1 TSRMLS_CC);
 						if(result_len==ptr_len) {
 							char *lower_temp = estrdup(ptr);	
-							char conv_temp[32];
+							char conv_temp[64];
 							int conv_len;
 
 							php_strtolower(lower_temp,strlen(lower_temp));
 							/* If there is no realm string at all, append one */
 							if(!strstr(lower_temp,"realm")) {
 								efree(result);
-								conv_len = sprintf(conv_temp," realm=\"%ld\"",myuid);		
+								conv_len = snprintf(conv_temp, sizeof(conv_temp), " realm=\"%ld\"",myuid);
+								/* some broken snprintf() impls may return a negative value on failure */
+								if (conv_len < 0) {
+									conv_len = 0;
+								}
 								result = emalloc(ptr_len+conv_len+1);
 								result_len = ptr_len+conv_len;
 								memcpy(result, ptr, ptr_len);
author	Moriyoshi Koizumi <moriyoshi@php.net>	2003-02-10 20:11:10 +0000
committer	Moriyoshi Koizumi <moriyoshi@php.net>	2003-02-10 20:11:10 +0000
commit	9450b1e4b09e93e144fffa4cbc37eec88f727b3d (patch)
tree	c1dd78a3098d6a5f7283f89a39066301803e37b4 /main/SAPI.c
parent	4fc819b9e8b2bf489fe97dee987250d67a9e809d (diff)
download	php-git-9450b1e4b09e93e144fffa4cbc37eec88f727b3d.tar.gz