1 --- a/ext/standard/dns.c 2014-08-13 19:22:50.000000000 +0000
2 +++ b/ext/standard/dns.c 2014-10-12 20:00:54.000000000 +0000
5 #if HAVE_FULL_DNS_FUNCS
7 +#define CHECKCP(n) do { \
8 + if (cp + n > end) { \
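Review bot: The bounds test in `CHECKCP` forms `cp + n` before comparing it with `end`, which is undefined behaviour once the sum passes one-past-the-end of the buffer, and `n` is used unparenthesized, so an expression argument could bind incorrectly. Comparing the remaining length avoids both problems: `if ((size_t)(end - cp) < (size_t)(n)) { \`. The macro also depends on locals named `cp` and `end` and presumably leaves the enclosing function on failure, so a one-line comment above it saying so would help the next reader. The rest of the macro body is outside the visible lines.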
14 -static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
15 +static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
17 u_short type, class, dlen;
23 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
24 + n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
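Review bot: `php_parserr()` now takes `end`, but nothing in the visible lines documents what it must point to. A comment on the function such as `/* end: one past the last byte of the response actually received; no read through cp may reach it */` would pin down the contract that `dn_expand()` and the length checks rely on. Since the parser only compares against it and passes it on as the end-of-message bound, the parameter could be declared `const u_char *end`. The function body continues beyond this hunk.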
36 if (type_to_fetch != T_ANY && type != type_to_fetch) {
40 add_assoc_string(*subarray, "host", name, 1);
44 add_assoc_string(*subarray, "type", "A", 1);
45 snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
46 add_assoc_string(*subarray, "ip", name, 1);
51 add_assoc_string(*subarray, "type", "MX", 1);
53 add_assoc_long(*subarray, "pri", n);
55 if (type == DNS_T_PTR) {
56 add_assoc_string(*subarray, "type", "PTR", 1);
58 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
59 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
65 /* See RFC 1010 for values */
66 add_assoc_string(*subarray, "type", "HINFO", 1);
71 add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
77 add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
86 add_assoc_string(*subarray, "type", "TXT", 1);
88 MAKE_STD_ZVAL(entries);
93 - if ((ll + n) >= dlen) {
96 + if ((l1 + n) >= dlen) {
97 // Invalid chunk length, truncate
98 - n = dlen - (ll + 1);
99 + n = dlen - (l1 + 1);
102 + memcpy(tp + l2 , cp + l1 + 1, n);
103 + add_next_index_stringl(entries, cp + l1 + 1, n, 1);
105 - memcpy(tp + ll , cp + ll + 1, n);
106 - add_next_index_stringl(entries, cp + ll + 1, n, 1);
115 - add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0);
116 + add_assoc_stringl(*subarray, "txt", tp, l2, 0);
117 add_assoc_zval(*subarray, "entries", entries);
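Review bot: `l1` is easy to misread as the `ll` it replaces, and nothing says that `l1` is the read offset into the record data while `l2` counts the bytes copied into `tp`. Clearer names such as `src_off`/`dst_off`, or a comment like `/* l1: offset in RDATA incl. length bytes; l2: bytes written to tp */`, would make the fix self-explanatory. `add_next_index_stringl(entries, cp + l1 + 1, n, 1)` passes a `u_char *` where the neighbouring calls cast with `(char*)cp`, so adding the cast would keep the function consistent. The loop is bounded only by `dlen`, so it is safe only if `dlen` was already validated against `end` earlier in the function, which this excerpt does not show.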
121 add_assoc_string(*subarray, "type", "SOA", 1);
122 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
123 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
128 add_assoc_string(*subarray, "mname", name, 1);
129 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
130 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
135 add_assoc_string(*subarray, "rname", name, 1);
138 add_assoc_long(*subarray, "serial", n);
145 for(i=0; i < 8; i++) {
151 add_assoc_string(*subarray, "type", "A6", 1);
153 n = ((int)cp[0]) & 0xFF;
155 add_assoc_long(*subarray, "masklen", n);
159 for (i = (n + 8) / 16; i < 8; i++) {
163 if (tp > (u_char *)name) {
166 add_assoc_string(*subarray, "ipv6", name, 1);
168 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
169 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
178 add_assoc_string(*subarray, "type", "SRV", 1);
180 add_assoc_long(*subarray, "pri", n);
182 add_assoc_long(*subarray, "weight", n);
184 add_assoc_long(*subarray, "port", n);
185 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
186 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
190 @@ -671,21 +694,35 @@
191 add_assoc_string(*subarray, "target", name, 1);
195 add_assoc_string(*subarray, "type", "NAPTR", 1);
197 add_assoc_long(*subarray, "order", n);
199 add_assoc_long(*subarray, "pref", n);
203 - add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
206 + add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
211 - add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
214 + add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
219 - add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
222 + add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
224 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
226 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
231 while (an-- && cp && cp < end) {
234 - cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
235 + cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
236 if (retval != NULL && store_results) {
237 add_next_index_zval(return_value, retval);
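Review bot: The call sites test only `retval` after `php_parserr()` returns, so if the parser bails out with NULL partway through a record, any `*subarray` it had already started filling would still be appended to the result. That early-exit path is the new bounds check, whose body is outside this excerpt. If it can happen, drop the partial record before the `add_next_index_zval` call, e.g. `if (cp == NULL && retval != NULL) { zval_ptr_dtor(&retval); retval = NULL; }`. The same applies to the `authns` and `addtl` loops that follow. As a smaller point, `while (an-- && cp && cp < end)` lacks the `> 0` that the `ns` and `ar` loops use, and aligning it would make the three loops read the same.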
240 while (ns-- > 0 && cp && cp < end) {
243 - cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
244 + cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
245 if (retval != NULL) {
246 add_next_index_zval(authns, retval);
249 while (ar-- > 0 && cp && cp < end) {
252 - cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
253 + cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
254 if (retval != NULL) {
255 add_next_index_zval(addtl, retval);