Bug #75686: coding bug
Submitted: 2017-12-14 12:19 UTC
Modified: 2017-12-14 15:02 UTC
From: yangx92 at hotmail dot com
Assigned:
Status: Not a bug
Package: XML Writer
PHP Version: master-Git-2017-12-14 (Git)
OS: Linux
Private report: No
CVE-ID: None
 [2017-12-14 12:19 UTC] yangx92 at hotmail dot com
There is a coding bug in the _xmlwriter_get_valid_file_path function in ext/xmlwriter/php_xmlwriter.c.

        char file_dirname[MAXPATHLEN];
        size_t dir_len;
        if (!VCWD_REALPATH(source, resolved_path) && !expand_filepath(source, resolved_path)) {
            return NULL;
        }
        memcpy(file_dirname, source, strlen(source));

As the code above shows, I think there should be a check of strlen(source) against MAXPATHLEN. If strlen(source) >= MAXPATHLEN, there will be a buffer overflow.

patch_php_xmlwriter_c.txt (last revision 2017-12-14 12:19 UTC by yangx92 at hotmail dot com)
 [2017-12-14 15:02 UTC]
-Status: Open +Status: Not a bug
 [2017-12-14 15:02 UTC]
Path length is checked during VCWD_REALPATH.
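
The local bound check the report asks for, written as an added example that is not part of the original report or of PHP's source. The helper name copy_path_checked and the fallback MAXPATHLEN value are assumptions made for this example; it makes the copy safe on its own instead of relying on an earlier call to have rejected over-long paths.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096 /* assumed fallback for this example */
#endif

/*
 * Hypothetical helper: copy `source` into a MAXPATHLEN-sized buffer only if
 * the string and its terminating NUL both fit. Returns the string length on
 * success, or -1 with errno set (EINVAL / ENAMETOOLONG) without touching dst.
 */
static long copy_path_checked(char dst[MAXPATHLEN], const char *source)
{
    const char *nul;
    size_t len;

    if (dst == NULL || source == NULL) {
        errno = EINVAL;
        return -1;
    }

    /* Look for the terminator within the destination size only, so an
     * over-long input is rejected without measuring its full length. */
    nul = memchr(source, '\0', MAXPATHLEN);
    if (nul == NULL) {
        errno = ENAMETOOLONG; /* strlen(source) >= MAXPATHLEN */
        return -1;
    }

    len = (size_t)(nul - source);
    memcpy(dst, source, len + 1); /* len + 1 <= MAXPATHLEN; copies the NUL too */
    return (long)len;
}

int main(void)
{
    char dirname_buf[MAXPATHLEN];
    const char *path = "/tmp/out.xml"; /* constructed sample input */

    if (copy_path_checked(dirname_buf, path) < 0) {
        perror("copy_path_checked");
        return 1;
    }
    printf("copied: %s\n", dirname_buf);
    return 0;
}
```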