If the blacklist file contains a line with a single double-quote, we
called `zend_strndup(pbuf, -1)`, which causes an unnecessary bail out;
instead we just ignore that line.
If the blacklist file contains an empty line, we may have caused an OOB
read; instead we just ignore that line.
cmb69 added a commit to cmb69/php-src that referenced this issue on Jul 18, 2022
Description

In the file `ext/opcache/zend_accelerator_blacklist.c`, the function `zend_accel_blacklist_loadone` has the following code:

When `path_length = strlen(buf) = 1` and `buf[0] = '\"'`, the following code will reduce `path_length` by 2:

Therefore, the call to `zend_strndup` will pass `path_length = -1` as the second argument. Normally, this is dangerous and can lead to a buffer overflow. Luckily, inside `zend_strndup`, the following protection code will cause the program to fail directly:

Still, I think the above case should be explicitly checked and avoided.
PHP Version
github master
Operating System
No response
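As an added example (not php-src code, and not part of this issue or of cmb69's commit), the C program below reconstructs the trimming step the description refers to and pairs it with a hardened variant that ignores the offending lines, which is the behaviour the commit message describes. Everything in it is an assumption made for the demo: the function names, the `LINE_BUF` size, the exact shape of the quote-stripping code (a leading quote is skipped by advancing the pointer, then the trailing-quote test runs without a length check, which is what reduces `path_length` by 2 for a lone quote and reads the byte before the buffer for an empty line), and the rule that lines starting with `;` are comments. The guard byte placed in front of the line buffer keeps the demo's own out-of-bounds read inside a valid array, so the reproduction can be run safely. The sample blacklist is constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not php-src code. It reconstructs the line trimming the issue
 * describes (skip a leading quote, then test for a trailing quote with no length
 * guard) beside a hardened variant that ignores lines which strip to nothing.
 * Names, LINE_BUF and the ';' comment rule are assumptions made for the demo. */
#define LINE_BUF 256
/* storage[0] is a guard byte so the reproduction's read of buf[-1] stays inside
 * this array; the line text starts at storage[1], where fgets() would put it. */
struct line { char storage[LINE_BUF + 1]; };

/* Strip "\n" or "\r\n" in place; returns the remaining length. */
static int strip_eol(char *buf, int n)
{
    if (n > 0 && buf[n - 1] == '\n') buf[--n] = 0;
    if (n > 0 && buf[n - 1] == '\r') buf[--n] = 0;
    return n;
}

/* Reproduction: for a lone `"` the first branch steps pbuf past the quote, so
 * the second test reads pbuf[-1], finds that same quote and decrements again,
 * leaving -1. For an empty line it reads buf[-1], out of bounds in the real
 * loader. Returns what would be passed on as the length argument; converted
 * to size_t, -1 is SIZE_MAX and a `length + 1` allocation size wraps to 0. */
static int unsafe_trim(char *buf, char **out)
{
    char *pbuf = buf;
    int path_length = strip_eol(buf, (int)strlen(buf));
    if (pbuf[0] == '"') { pbuf++; path_length--; }
    if (pbuf[path_length - 1] == '"') {         /* no path_length > 0 guard */
        pbuf[path_length - 1] = 0;
        path_length--;
    }
    *out = pbuf;
    return path_length;
}

/* Hardened: returns 1 with *out/*len set when the line yields a path, 0 when
 * it must be ignored (empty, lone quote, `""`, or a ';' comment). */
static int safe_trim(char *buf, char **out, size_t *len)
{
    char *pbuf = buf;
    int path_length = strip_eol(buf, (int)strlen(buf));
    if (pbuf[0] == '"') { pbuf++; path_length--; }
    if (path_length <= 0) return 0;             /* guard: "" and a lone `"` */
    if (pbuf[path_length - 1] == '"') {
        pbuf[path_length - 1] = 0;
        if (--path_length == 0) return 0;       /* the line was just `""` */
    }
    if (pbuf[0] == ';') return 0;
    *out = pbuf;
    *len = (size_t)path_length;
    return 1;
}

/* Walk an in-memory blacklist line by line, as the loader walks a file with
 * fgets(), collecting accepted entries. Returns their number. */
static int load_blacklist(const char *text, char entries[][LINE_BUF], int max)
{
    struct line l;
    int count = 0;
    const char *p = text;
    while (*p != 0 && count < max) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p + 1) : strlen(p), len;
        char *buf = l.storage + 1, *path;
        if (n > LINE_BUF - 1) n = LINE_BUF - 1; /* truncate over-long lines */
        l.storage[0] = 'G';
        memcpy(buf, p, n);
        buf[n] = 0;
        if (safe_trim(buf, &path, &len)) {
            memcpy(entries[count], path, len);
            entries[count][len] = 0;
            count++;
        }
        p = nl ? nl + 1 : p + strlen(p);
    }
    return count;
}

/* Constructed sample blacklist, not from any real deployment. */
static const char SAMPLE_BLACKLIST[] =
    "/var/www/app/vendor/*\n"
    "\"\n"                          /* lone double quote: the -1 case */
    "\n"                            /* empty line: the out-of-bounds read */
    "\"/var/www/app/cache/*\"\n"    /* quoted path, accepted */
    "; comment\n"
    "/tmp/scratch";                 /* last line without a newline */

int main(void)
{
    struct line l = { "G\"\n" };    /* guard byte, then a lone-quote line */
    char entries[8][LINE_BUF], *out;
    int i, n = unsafe_trim(l.storage + 1, &out);
    printf("lone quote: path_length=%d, length+1 wraps=%d\n", n, (size_t)n + 1 == 0);
    n = load_blacklist(SAMPLE_BLACKLIST, entries, 8);
    printf("hardened loader accepted %d entries\n", n);
    for (i = 0; i < n; i++) printf("  %s\n", entries[i]);
    return 0;
}
```

Compile with `cc -std=c99 -Wall demo.c` and run. The point to take from it: `zend_strndup` takes its length as a `size_t`, so an `int` of -1 arrives as `SIZE_MAX`, and the example models what a `length + 1` allocation size does with that. A length check before the trailing-quote test is the place to stop this, which is what the hardened variant does, rather than relying on whatever guard the allocator applies.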