Fix potential OOB when checking for trailing spaces

cmb69 · cmb69 · commit ed8b11188b03 · 2025-01-16T00:01:22.000+01:00
If `path_len` is zero, we must not access `path`, let alone try to subtract `-1` from it. Since `path` and `path_len` are supposed to come from a `zend_string`, this is not a security issue. Closes GH-17471.
diff --git a/NEWS b/NEWS
@@ -11,6 +11,7 @@ PHP                                                                        NEWS
     inherited final). (ilutov)
   . Fixed NULL arithmetic during system program execution on Windows. (cmb,
     nielsdos)
+  . Fixed potential OOB when checking for trailing spaces on Windows. (cmb)
 
 - Enchant:
   . Fix crashes in enchant when passing null bytes. (nielsdos)
diff --git a/win32/winutil.c b/win32/winutil.c
@@ -56,7 +56,7 @@ PHP_WINUTIL_API void php_win32_error_msg_free(char *msg)
 
 int php_win32_check_trailing_space(const char * path, const size_t path_len)
 {/*{{{*/
-	if (path_len > MAXPATHLEN - 1) {
+	if (path_len == 0 || path_len > MAXPATHLEN - 1) {
 		return 1;
 	}
 	if (path) {

Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ PHP_WINUTIL_API void php_win32_error_msg_free(char *msg)`
`56`	`56`
`57`	`57`	`int php_win32_check_trailing_space(const char * path, const size_t path_len)`
`58`	`58`	`{/{{{/`
`59`		`- if (path_len > MAXPATHLEN - 1) {`
	`59`	`+ if (path_len == 0 \|\| path_len > MAXPATHLEN - 1) {`
`60`	`60`	`return 1;`
`61`	`61`	`}`
`62`	`62`	`if (path) {`