PHP :: Bug #75686 :: coding bug

Bug #75686	coding bug
Submitted:	2017-12-14 12:19 UTC	Modified:	2017-12-14 15:02 UTC
From:	yangx92 at hotmail dot com	Assigned:
Status:	Not a bug	Package:	XML Writer
PHP Version:	master-Git-2017-12-14 (Git)	OS:	Linux
Private report:	No	CVE-ID:	None

View Developer Edit

Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !

Your email address: MUST BE VALID
Solve the problem: 29 - 19 = ?
Subscribe to this entry?

[2017-12-14 12:19 UTC] yangx92 at hotmail dot com

Description:
------------
There is a coding bug in _xmlwriter_get_valid_file_path function in ext/xmlwriter/php_xmlwriter.c. 

>>>
        char file_dirname[MAXPATHLEN];
        size_t dir_len;
        if (!VCWD_REALPATH(source, resolved_path) && !expand_filepath(source, resolved_path)) {
            xmlFreeURI(uri);
            return NULL;
        }
        memcpy(file_dirname, source, strlen(source));
>>>
As code showed above, I think there should be a check for strlen(source) and MAXPATHLEN. If strlen(source) >= MAXPATHLEN, there will be a buffer overflow.

Test script:
---------------
None

Expected result:
----------------
None

Actual result:
--------------
None

Patches

patch_php_xmlwriter_c.txt (last revision 2017-12-14 12:19 UTC by yangx92 at hotmail dot com)

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2017-12-14 15:02 UTC] requinix@php.net

-Status: Open +Status: Not a bug

[2017-12-14 15:02 UTC] requinix@php.net

Path length is checked during VCWD_REALPATH.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Oct 29 04:00:01 2025 UTC