Bug #75686 coding bug
Submitted: 2017-12-14 12:19 UTC Modified: 2017-12-14 15:02 UTC
From: yangx92 at hotmail dot com Assigned:
Status: Not a bug Package: XML Writer
PHP Version: master-Git-2017-12-14 (Git) OS: Linux
Private report: No CVE-ID: None
 [2017-12-14 12:19 UTC] yangx92 at hotmail dot com
Description:
------------
There is a coding bug in the _xmlwriter_get_valid_file_path function in ext/xmlwriter/php_xmlwriter.c.

>>>
        char file_dirname[MAXPATHLEN];
        size_t dir_len;
        if (!VCWD_REALPATH(source, resolved_path) && !expand_filepath(source, resolved_path)) {
            xmlFreeURI(uri);
            return NULL;
        }
        memcpy(file_dirname, source, strlen(source));
>>>
As the code above shows, I think there should be a check of strlen(source) against MAXPATHLEN. If strlen(source) >= MAXPATHLEN, there will be a buffer overflow.

Test script:
---------------
None

Expected result:
----------------
None

Actual result:
--------------
None

Patches

patch_php_xmlwriter_c.txt (last revision 2017-12-14 12:19 UTC by yangx92 at hotmail dot com)

 [2017-12-14 15:02 UTC] requinix@php.net
-Status: Open
+Status: Not a bug
 [2017-12-14 15:02 UTC] requinix@php.net
Path length is checked during VCWD_REALPATH.
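
An explicit bound check of the kind the report asks for, written as an added example (it is not code from PHP or from the attached patch). `copy_path_bounded` and `try_length` are hypothetical names and the inputs are constructed; unlike `memcpy(dst, source, strlen(source))`, the copy here also includes the terminating NUL.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/param.h>   /* MAXPATHLEN on Linux and the BSDs */

#ifndef MAXPATHLEN
#define MAXPATHLEN 4096  /* assumed fallback for this example */
#endif

/* Hypothetical helper, not a PHP API: copy a path into a fixed buffer,
 * refusing input that does not fit together with its NUL terminator. */
int copy_path_bounded(char *dst, size_t dst_size, const char *source)
{
    if (dst == NULL || source == NULL || dst_size == 0) {
        errno = EINVAL;
        return -1;
    }
    /* Look for the terminator within the first dst_size bytes only. */
    const char *end = memchr(source, '\0', dst_size);
    if (end == NULL) {               /* strlen(source) >= dst_size */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, source, (size_t)(end - source) + 1);  /* +1 copies the NUL */
    return 0;
}

/* Constructed input: a path of n 'a' characters, copied into a
 * MAXPATHLEN-sized buffer the way file_dirname is sized in the report. */
int try_length(size_t n)
{
    static char source[MAXPATHLEN + 64];
    char file_dirname[MAXPATHLEN];

    if (n >= sizeof(source))
        n = sizeof(source) - 1;
    memset(source, 'a', n);
    source[n] = '\0';
    if (copy_path_bounded(file_dirname, sizeof(file_dirname), source) != 0)
        return -1;
    return strlen(file_dirname) == n ? 0 : -2;
}

int main(void)
{
    printf("%d %d %d\n", try_length(16), try_length(MAXPATHLEN - 1),
           try_length(MAXPATHLEN));
    return 0;
}
```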
 