
handle phpmapscript vulnerability in error handling (#6014)

jmckenna committed Mar 20, 2020
1 parent a3166a8 commit 69b06cf92f3a66b95bc334c8020781c94ceb53c1
Showing with 11 additions and 9 deletions.
  1. +11 −9 mapscript/php/mapscript_error.c
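--- a/mapscript/php/mapscript_error.c
+++ b/mapscript/php/mapscript_error.c
@@ -35,8 +35,6 @@
 #include <stdarg.h>
 #include "../../maperror.h"
 
-#define MAX_EXCEPTION_MSG 256
-
 zend_class_entry *mapscript_ce_mapscriptexception;
 
 #if PHP_VERSION_ID >= 70000
@@ -46,9 +44,10 @@ zval* mapscript_throw_exception(char *format TSRMLS_DC, ...)
 #endif
 {
 va_list args;
-char message[MAX_EXCEPTION_MSG];
+char message[MESSAGELENGTH];
 va_start(args, format);
-vsprintf(message, format, args);
+//prevent buffer overflow
+vsnprintf(message, MESSAGELENGTH, format, args);
 va_end(args);
 return zend_throw_exception(mapscript_ce_mapscriptexception, message, 0 TSRMLS_CC);
 }
@@ -60,7 +59,7 @@ zval* mapscript_throw_mapserver_exception(char *format TSRMLS_DC, ...)
 #endif
 {
 va_list args;
-char message[MAX_EXCEPTION_MSG];
+char message[MESSAGELENGTH];
 errorObj *ms_error;
 
 ms_error = msGetErrorObj();
@@ -73,17 +72,20 @@ zval* mapscript_throw_mapserver_exception(char *format TSRMLS_DC, ...)
 }
 
 va_start(args, format);
-vsprintf(message, format, args);
+//prevent buffer overflow
+vsnprintf(message, MESSAGELENGTH, format, args);
 va_end(args);
-return mapscript_throw_exception(message TSRMLS_CC);
+//prevent format string attack
+return mapscript_throw_exception("%s", message TSRMLS_CC);
 }
 
 void mapscript_report_php_error(int error_type, char *format TSRMLS_DC, ...)
 {
 va_list args;
-char message[MAX_EXCEPTION_MSG];
+char message[MESSAGELENGTH];
 va_start(args, format);
-vsprintf(message, format, args);
+//prevent buffer overflow
+vsnprintf(message, MESSAGELENGTH, format, args);
 va_end(args);
 php_error_docref(NULL TSRMLS_CC, error_type, "%s,", message);
 }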
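Review bot: The new call `mapscript_throw_exception("%s", message TSRMLS_CC)` in mapscript_throw_mapserver_exception places the TSRM argument after the variadic one, while the signature shown in the hunk header is `(char *format TSRMLS_DC, ...)`. On builds where `TSRMLS_CC` expands to an extra argument (thread-safe PHP before 7, if those are still supported), `message` would land in the TSRM parameter and the TSRM pointer would be read by `%s`; `return mapscript_throw_exception("%s" TSRMLS_CC, message);` keeps the declared order. Separately, the three `vsnprintf(message, MESSAGELENGTH, format, args)` calls would stay tied to the buffer if written with `sizeof(message)`, and their return value is ignored, so an over-long error text is now truncated silently. The body of mapscript_throw_mapserver_exception begins outside the last hunk.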
