php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #75686 coding bug
Submitted: 2017-12-14 12:19 UTC Modified: 2017-12-14 15:02 UTC
From: yangx92 at hotmail dot com Assigned:
Status: Not a bug Package: XML Writer
PHP Version: master-Git-2017-12-14 (Git) OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: yangx92 at hotmail dot com
New email:
PHP Version: OS:

 

 [2017-12-14 12:19 UTC] yangx92 at hotmail dot com
Description:
------------
There is a coding bug in _xmlwriter_get_valid_file_path function in ext/xmlwriter/php_xmlwriter.c. 

>>>
        char file_dirname[MAXPATHLEN];
        size_t dir_len;
        if (!VCWD_REALPATH(source, resolved_path) && !expand_filepath(source, resolved_path)) {
            xmlFreeURI(uri);
            return NULL;
        }
        memcpy(file_dirname, source, strlen(source));
>>>
As code showed above, I think there should be a check for strlen(source) and MAXPATHLEN. If strlen(source) >= MAXPATHLEN, there will be a buffer overflow.

Test script:
---------------
None

Expected result:
----------------
None

Actual result:
--------------
None

Patches

patch_php_xmlwriter_c.txt (last revision 2017-12-14 12:19 UTC by yangx92 at hotmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-12-14 15:02 UTC] requinix@php.net
-Status: Open +Status: Not a bug
 [2017-12-14 15:02 UTC] requinix@php.net
Path length is checked during VCWD_REALPATH.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Thu Jan 02 11:01:29 2025 UTC