[2009-11-16 09:54 UTC] pierrick@php.net
Description:
------------
If I do readFrame on a packet that is bigger than 4096 bytes (= STOMP_BUFSIZE) the module segfaults. This is due to invalid handling of this case in stomp_read_buffer and stomp_read_line: the code contains a sizeof() call on a char *hi variable. sizeof will always return the same value (i.e. 8 bytes on 64-bit systems, since the pointer itself uses 8 bytes).

Expected result:
----------------
Program gets the big frame

Actual result:
--------------
Program segfaults

Here is my patch:

--- trunk/stomp.c.sik 2009-11-16 08:04:08.000000000 +0100 +++ trunk/stomp.c 2009-11-16 14:55:00.000000000 +0100 @@ -277,6 +277,7 @@ { int rc = 0; size_t i = 0; + size_t bufsize = STOMP_BUFSIZE + 1; char *buffer = (char *) emalloc(STOMP_BUFSIZE + 1); while (1) { @@ -300,8 +301,9 @@ break; } - if (i >= sizeof(buffer)) { - buffer = (char *) erealloc(buffer, sizeof(buffer) + STOMP_BUFSIZE); + if (i >= bufsize) { + buffer = (char *) erealloc(buffer, bufsize + STOMP_BUFSIZE); + bufsize += STOMP_BUFSIZE; } } @@ -329,6 +331,7 @@ { int rc = 0; size_t i = 0; + size_t bufsize = STOMP_BUFSIZE + 1; char *buffer = (char *) emalloc(STOMP_BUFSIZE + 1); while (1) { @@ -351,8 +354,9 @@ return 0; } - if (i >= sizeof(buffer)) { - buffer = (char *) erealloc(buffer, sizeof(buffer) + STOMP_BUFSIZE); + if (i >= bufsize) { + buffer = (char *) erealloc(buffer, bufsize + STOMP_BUFSIZE); + bufsize += STOMP_BUFSIZE; } }
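Review bot: In the `@@ -277,6 +277,7 @@` hunk (and its mirror at `@@ -329,6 +331,7 @@`), `bufsize` is initialised to `STOMP_BUFSIZE + 1` on one line and the allocation repeats the same expression on the next, so the two can silently drift apart if either is edited later. Allocate from the tracked value instead, e.g. `char *buffer = (char *) emalloc(bufsize);`, so the capacity variable is by construction the size that was actually allocated.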
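Review bot: In the `@@ -300,8 +301,9 @@` hunk the growth check `if (i >= bufsize)` still sits after the `break;` on the end-of-buffer path, so the loop can exit with `i == bufsize` without ever growing; if the code following the loop writes a terminator at `buffer[i]`, that write lands one byte past the allocation (the same off-by-one the report is fixing, just one byte smaller). Safer to grow before the write that needs the space, and to reserve one byte for the terminator: `if (i + 1 >= bufsize) { ... }` placed ahead of the store into `buffer[i]`.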
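Review bot: In the `@@ -351,8 +354,9 @@` hunk (and the matching one in stomp_read_buffer) the buffer now grows by `STOMP_BUFSIZE` for as long as the peer keeps sending, with no upper bound, so a broker that never terminates a frame can make the process allocate without limit; `erealloc` will bail out on allocation failure rather than return NULL, which turns a malformed peer into a fatal error for the whole request. Consider a maximum frame size (returning an error once `bufsize + STOMP_BUFSIZE` would exceed it) so oversized or runaway input is rejected instead of absorbed.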
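The report's root cause is that `sizeof(buffer)` on a `char *` measures the pointer, not the allocation, so the "grow when full" check never fires once more than a pointer-sized number of bytes has been read. The following is an added example, not code from the stomp extension or from the reporter's patch: a stand-alone frame reader that tracks its real capacity in a variable, grows before the write that needs the room, keeps a byte for the terminator, and refuses frames above a size cap. `STOMP_BUFSIZE` is taken from the report; `byte_source`, `read_frame`, `MAX_FRAME_BYTES` and the helper functions are assumptions made up for the example, and the socket read is replaced by a constructed in-memory byte source.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STOMP_BUFSIZE 4096           /* chunk size named in the bug report */
#define MAX_FRAME_BYTES (1u << 20)   /* hypothetical cap, not in the extension */

/* Hypothetical in-memory byte source standing in for the socket read. */
typedef struct {
    const unsigned char *data;
    size_t len;
    size_t pos;
} byte_source;

static int source_getc(byte_source *src)
{
    if (src->pos >= src->len) return -1;      /* EOF */
    return src->data[src->pos++];
}

/* Read bytes up to (not including) the '\0' that ends a STOMP frame into a
 * heap buffer, growing by STOMP_BUFSIZE while tracking the real capacity.
 * Returns a NUL-terminated copy (caller frees) or NULL on EOF, allocation
 * failure, or a frame larger than MAX_FRAME_BYTES. */
char *read_frame(byte_source *src, size_t *out_len)
{
    size_t cap = STOMP_BUFSIZE + 1;   /* the capacity, NOT sizeof(buffer) */
    size_t i = 0;
    char *buffer = malloc(cap);
    if (!buffer) return NULL;

    for (;;) {
        int c = source_getc(src);
        if (c < 0) { free(buffer); return NULL; }   /* truncated frame */
        if (c == 0) break;                            /* end of frame */

        /* Grow BEFORE storing, keeping one byte spare for the terminator
         * written after the loop, so buffer[i] is always in bounds. */
        if (i + 1 >= cap) {
            if (cap + STOMP_BUFSIZE > MAX_FRAME_BYTES) { free(buffer); return NULL; }
            char *tmp = realloc(buffer, cap + STOMP_BUFSIZE);
            if (!tmp) { free(buffer); return NULL; }
            buffer = tmp;
            cap += STOMP_BUFSIZE;
        }
        buffer[i++] = (char) c;
    }
    buffer[i] = '\0';
    if (out_len) *out_len = i;
    return buffer;
}

/* What the original check measured: sizeof on the pointer itself. */
size_t sizeof_pointer_not_buffer(void)
{
    char *buffer = malloc(STOMP_BUFSIZE + 1);
    size_t s = sizeof(buffer);   /* size of a char *, never the allocation */
    free(buffer);
    return s;
}

/* Constructed input: a frame body of n 'A' bytes plus the NUL terminator.
 * Returns the length read_frame reports, or (size_t)-1 if it was rejected. */
size_t roundtrip_frame_len(size_t n)
{
    unsigned char *data = malloc(n + 1);
    if (!data) return (size_t)-1;
    memset(data, 'A', n);
    data[n] = 0;
    byte_source src = { data, n + 1, 0 };
    size_t len = 0;
    char *frame = read_frame(&src, &len);
    size_t result = (size_t)-1;
    if (frame && len == n && strlen(frame) == n) result = len;
    free(frame);
    free(data);
    return result;
}

/* Constructed input: EOF before the terminator must not yield a frame. */
int truncated_frame_is_rejected(void)
{
    unsigned char data[] = { 'C', 'O', 'N', 'N', 'E', 'C', 'T', '\n' };
    byte_source src = { data, sizeof data, 0 };
    return read_frame(&src, NULL) == NULL;
}

int main(void)
{
    printf("sizeof(char *) = %zu, STOMP_BUFSIZE = %d\n",
           sizeof_pointer_not_buffer(), STOMP_BUFSIZE);
    printf("10000-byte frame read as %zu bytes\n", roundtrip_frame_len(10000));
    return 0;
}
```

The frame sizes worth checking are the ones around the chunk boundary (4096 and 4097 bytes), since those are exactly where the original `sizeof` check and the post-`break` ordering go wrong; the cap check turns a peer that never terminates a frame into a clean NULL return rather than unbounded growth.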