handle phpmapscript vulnerability in error handling (#6014)

jmckenna · jmckenna · commit 095ad646ab44 · 2020-03-20T16:47:34.000-03:00
diff --git a/mapscript/php/mapscript_error.c b/mapscript/php/mapscript_error.c
@@ -35,8 +35,6 @@
 #include <stdarg.h>
 #include "../../maperror.h"
 
-#define MAX_EXCEPTION_MSG 256
-
 zend_class_entry *mapscript_ce_mapscriptexception;
 
 #if  PHP_VERSION_ID >= 70000
@@ -46,9 +44,10 @@ zval* mapscript_throw_exception(char *format TSRMLS_DC, ...)
 #endif
 {
   va_list args;
-  char message[MAX_EXCEPTION_MSG];
+  char message[MESSAGELENGTH];
   va_start(args, format);
-  vsprintf(message, format, args);
+  //prevent buffer overflow
+  vsnprintf(message, MESSAGELENGTH, format, args);
   va_end(args);
   return zend_throw_exception(mapscript_ce_mapscriptexception, message, 0 TSRMLS_CC);
 }
@@ -60,7 +59,7 @@ zval* mapscript_throw_mapserver_exception(char *format TSRMLS_DC, ...)
 #endif
 {
   va_list args;
-  char message[MAX_EXCEPTION_MSG];
+  char message[MESSAGELENGTH];
   errorObj *ms_error;
 
   ms_error = msGetErrorObj();
@@ -73,17 +72,20 @@ zval* mapscript_throw_mapserver_exception(char *format TSRMLS_DC, ...)
   }
 
   va_start(args, format);
-  vsprintf(message, format, args);
+  //prevent buffer overflow
+  vsnprintf(message, MESSAGELENGTH, format, args);
   va_end(args);
-  return mapscript_throw_exception(message TSRMLS_CC);
+  //prevent format string attack
+  return mapscript_throw_exception("%s", message TSRMLS_CC);
 }
 
 void mapscript_report_php_error(int error_type, char *format TSRMLS_DC, ...)
 {
   va_list args;
-  char message[MAX_EXCEPTION_MSG];
+  char message[MESSAGELENGTH];
   va_start(args, format);
-  vsprintf(message, format, args);
+  //prevent buffer overflow
+  vsnprintf(message, MESSAGELENGTH, format, args); 
   va_end(args);
   php_error_docref(NULL TSRMLS_CC, error_type, "%s,", message);
 }
