This commit was manufactured by cvs2git to create branch 'RA-branch'.
2 Fix for wordwrap() buffer overflow, CAN-2002-1396.
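--- php-4.2.2/ext/standard/string.c.wrap        2002-04-25 15:52:58.000000000 +0100
+++ php-4.2.2/ext/standard/string.c     2003-01-22 14:34:47.000000000 +0000
@@ -616,7 +616,7 @@
 {
        const char *text, *breakchar = "\n";
        char *newtext;
-       int textlen, breakcharlen = 1, newtextlen;
+       int textlen, breakcharlen = 1, newtextlen, alloced, chk;
        long current = 0, laststart = 0, lastspace = 0;
        long linelength = 75;
        zend_bool docut = 0;
@@ -642,38 +642,40 @@
                for (current = 0; current < textlen; current++) {
                        if (text[current] == breakchar[0]) {
                                laststart = lastspace = current;
-                       }
-                       else if (text[current] == ' ') {
+                       } else if (text[current] == ' ') {
                                if (current - laststart >= linelength) {
                                        newtext[current] = breakchar[0];
                                        laststart = current;
                                }
                                lastspace = current;
-                       }
-                       else if (current - laststart >= linelength
-                                       && laststart != lastspace) {
+                       } else if (current - laststart >= linelength && laststart != lastspace) {
                                newtext[lastspace] = breakchar[0];
                                laststart = lastspace;
                        }
                }
 
                RETURN_STRINGL(newtext, textlen, 0);
-       }
-       else {
+       } else {
                /* Multiple character line break or forced cut */
                if (linelength > 0) {
-                       newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
-               }
-               else {
-                       newtextlen = textlen * (breakcharlen + 1) + 1;
+                       chk = (int)(textlen/linelength + 1);
+                       alloced = textlen + chk * breakcharlen + 1;
+               } else {
+                       chk = textlen;
+                       alloced = textlen * (breakcharlen + 1) + 1;
                }
-               newtext = emalloc(newtextlen);
+               newtext = emalloc(alloced);
 
                /* now keep track of the actual new text length */
                newtextlen = 0;
 
                laststart = lastspace = 0;
                for (current = 0; current < textlen; current++) {
+                       if (chk <= 0) {
+                               alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1;
+                               newtext = erealloc(newtext, alloced);
+                               chk = (int) ((textlen - current)/linelength) + 1;
+                       }
                        /* when we hit an existing break, copy to new buffer, and
                         * fix up laststart and lastspace */
                        if (text[current] == breakchar[0]
@@ -683,6 +685,7 @@
                                newtextlen += current-laststart+breakcharlen;
                                current += breakcharlen - 1;
                                laststart = lastspace = current + 1;
+                               chk--;
                        }
                        /* if it is a space, check if it is at the line boundary,
                         * copy and insert a break, or just keep track of it */
@@ -693,6 +696,7 @@
                                        memcpy(newtext+newtextlen, breakchar, breakcharlen);
                                        newtextlen += breakcharlen;
                                        laststart = current + 1;
+                                       chk--;
                                }
                                lastspace = current;
                        }
@@ -706,6 +710,7 @@
                                memcpy(newtext+newtextlen, breakchar, breakcharlen);
                                newtextlen += breakcharlen;
                                laststart = lastspace = current;
+                               chk--;
                        }
                        /* if the current word puts us over the linelength, copy
                         * back up until the last space, insert a break, and move
@@ -717,6 +722,7 @@
                                memcpy(newtext+newtextlen, breakchar, breakcharlen);
                                newtextlen += breakcharlen;
                                laststart = lastspace = lastspace + 1;
+                               chk--;
                        }
                }
 
@@ -727,6 +733,8 @@
                }
 
                newtext[newtextlen] = '\0';
+               /* free unused memory */
+               newtext = erealloc(newtext, newtextlen+1);
 
                RETURN_STRINGL(newtext, newtextlen, 0);
        }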
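Review bot: The buffer sizes in the multi-character branch are still computed in `int`, so `alloced = textlen * (breakcharlen + 1) + 1`, `alloced = textlen + chk * breakcharlen + 1` and the later `alloced += ...` regrow can wrap for a long enough text or break string and give `emalloc`/`erealloc` a size smaller than what the loop goes on to write. The new `chk` accounting does not cover that case. A bound ahead of the allocation, along the lines of `if (textlen > (INT_MAX - 1) / (breakcharlen + 1)) { RETURN_FALSE; }`, would close it, though whether such lengths are reachable depends on limits set outside this patch. `chk` also deserves a comment at its declaration, for example `/* chk: break insertions still covered by alloced */`, since the regrow step at the top of the loop only reads correctly with that invariant in mind. The function starts and ends outside the hunks shown, so the argument parsing and any width checks are not visible here.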