2 Fix for wordwrap() buffer overflow, CAN-2002-1396.
4 --- php-4.2.2/ext/standard/string.c.wrap 2002-04-25 15:52:58.000000000 +0100
5 +++ php-4.2.2/ext/standard/string.c 2003-01-22 14:34:47.000000000 +0000
8 const char *text, *breakchar = "\n";
10 - int textlen, breakcharlen = 1, newtextlen;
11 + int textlen, breakcharlen = 1, newtextlen, alloced, chk;
12 long current = 0, laststart = 0, lastspace = 0;
16 for (current = 0; current < textlen; current++) {
17 if (text[current] == breakchar[0]) {
18 laststart = lastspace = current;
20 - else if (text[current] == ' ') {
21 + } else if (text[current] == ' ') {
22 if (current - laststart >= linelength) {
23 newtext[current] = breakchar[0];
28 - else if (current - laststart >= linelength
29 - && laststart != lastspace) {
30 + } else if (current - laststart >= linelength && laststart != lastspace) {
31 newtext[lastspace] = breakchar[0];
32 laststart = lastspace;
36 RETURN_STRINGL(newtext, textlen, 0);
40 /* Multiple character line break or forced cut */
42 - newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
45 - newtextlen = textlen * (breakcharlen + 1) + 1;
46 + chk = (int)(textlen/linelength + 1);
47 + alloced = textlen + chk * breakcharlen + 1;
50 + alloced = textlen * (breakcharlen + 1) + 1;
52 - newtext = emalloc(newtextlen);
53 + newtext = emalloc(alloced);
55 /* now keep track of the actual new text length */
58 laststart = lastspace = 0;
59 for (current = 0; current < textlen; current++) {
61 + alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1;
62 + newtext = erealloc(newtext, alloced);
63 + chk = (int) ((textlen - current)/linelength) + 1;
65 /* when we hit an existing break, copy to new buffer, and
66 * fix up laststart and lastspace */
67 if (text[current] == breakchar[0]
69 newtextlen += current-laststart+breakcharlen;
70 current += breakcharlen - 1;
71 laststart = lastspace = current + 1;
74 /* if it is a space, check if it is at the line boundary,
75 * copy and insert a break, or just keep track of it */
77 memcpy(newtext+newtextlen, breakchar, breakcharlen);
78 newtextlen += breakcharlen;
79 laststart = current + 1;
85 memcpy(newtext+newtextlen, breakchar, breakcharlen);
86 newtextlen += breakcharlen;
87 laststart = lastspace = current;
90 /* if the current word puts us over the linelength, copy
91 * back up until the last space, insert a break, and move
93 memcpy(newtext+newtextlen, breakchar, breakcharlen);
94 newtextlen += breakcharlen;
95 laststart = lastspace = lastspace + 1;
103 newtext[newtextlen] = '\0';
104 + /* free unused memory */
105 + newtext = erealloc(newtext, newtextlen+1);
107 RETURN_STRINGL(newtext, newtextlen, 0);
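Review bot: The replacement size arithmetic is still done in `int` (`textlen`, `breakcharlen`, `alloced` and `chk` are all declared `int`), so `alloced = textlen * (breakcharlen + 1) + 1` and `alloced = textlen + chk * breakcharlen + 1` can overflow for a very long input or break string, leaving `emalloc(alloced)` smaller than what the later `memcpy(newtext+newtextlen, breakchar, breakcharlen)` calls write. The same applies to the in-loop `alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1` that feeds `erealloc`. I would reject oversized inputs before the multiplication, for example `if (textlen > (INT_MAX - 1) / (breakcharlen + 1)) { RETURN_FALSE; }`, and add a short comment on `chk`, which appears to count how many more breaks the current allocation can hold. Only part of the function is visible in this listing (the branches around these assignments and the loop's test on `chk` are missing), so the exact bound should be confirmed against the full function.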