
Commit 6b6122a

committed
ensure the string for conversion is \0 terminated and integrate
additional path length check
1 parent 95406c8 commit 6b6122a


1 file changed

+19
-4
lines changed


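--- a/Zend/zend_virtual_cwd.c
+++ b/Zend/zend_virtual_cwd.c
@@ -916,6 +916,7 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 char *printname = NULL, *substitutename = NULL;
 size_t substitutename_len;
 int substitutename_off = 0;
+wchar_t tmpsubstname[MAXPATHLEN];
 
 if(++(*ll) > LINK_MAX) {
 free_alloca(tmp, use_heap);
@@ -959,8 +960,15 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 }
 
 substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
-substitutename = php_win32_cp_conv_w_to_any(reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR),
-substitutename_len, &substitutename_len);
+if (substitutename_len > MAXPATHLEN) {
+free_alloca(pbuffer, use_heap_large);
+free_alloca(tmp, use_heap);
+FREE_PATHW()
+return -1;
+}
+memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
+tmpsubstname[substitutename_len] = L'\0';
+substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
 if (!substitutename) {
 free_alloca(pbuffer, use_heap_large);
 free_alloca(tmp, use_heap);
@@ -982,8 +990,15 @@ static int tsrm_realpath_r(char *path, int start, int len, int *ll, time_t *t, i
 
 
 substitutename_len = pbuffer->MountPointReparseBuffer.SubstituteNameLength / sizeof(WCHAR);
-substitutename = php_win32_cp_conv_w_to_any(reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR),
-substitutename_len, &substitutename_len);
+if (substitutename_len > MAXPATHLEN) {
+free_alloca(pbuffer, use_heap_large);
+free_alloca(tmp, use_heap);
+FREE_PATHW()
+return -1;
+}
+memmove(tmpsubstname, reparsetarget + pbuffer->MountPointReparseBuffer.SubstituteNameOffset / sizeof(WCHAR), pbuffer->MountPointReparseBuffer.SubstituteNameLength);
+tmpsubstname[substitutename_len] = L'\0';
+substitutename = php_win32_cp_conv_w_to_any(tmpsubstname, substitutename_len, &substitutename_len);
 if (!substitutename) {
 free_alloca(pbuffer, use_heap_large);
 free_alloca(tmp, use_heap);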
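Review bot: The new guard `if (substitutename_len > MAXPATHLEN)` still lets `substitutename_len == MAXPATHLEN` through, and in that case `tmpsubstname[substitutename_len] = L'\0';` writes one element past the end of the stack array `wchar_t tmpsubstname[MAXPATHLEN]`. Both copies of the block have the same off-by-one (new lines 963-970 and 993-1000), and the length is taken from the reparse buffer, which presumably reflects on-disk link data rather than a trusted value. Changing the comparison to `if (substitutename_len >= MAXPATHLEN) {` in both places reserves room for the terminator; it also keeps the `memmove` in bounds when `SubstituteNameLength` is odd, since the copy is sized by the byte length rather than by `substitutename_len`. tsrm_realpath_r begins and ends outside these hunks, so whether `SubstituteNameOffset` is bounds-checked against the reparse buffer cannot be confirmed from here.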
