]>
Commit | Line | Data |
---|---|---|
beb15c69 JB |
1 | |
2 | Fix for wordwrap() buffer overflow, CAN-2002-1396. | |
3 | ||
4 | --- php-4.2.2/ext/standard/string.c.wrap 2002-04-25 15:52:58.000000000 +0100 | |
5 | +++ php-4.2.2/ext/standard/string.c 2003-01-22 14:34:47.000000000 +0000 | |
6 | @@ -616,7 +616,7 @@ | |
7 | { | |
8 | const char *text, *breakchar = "\n"; | |
9 | char *newtext; | |
10 | - int textlen, breakcharlen = 1, newtextlen; | |
11 | + int textlen, breakcharlen = 1, newtextlen, alloced, chk; | |
12 | long current = 0, laststart = 0, lastspace = 0; | |
13 | long linelength = 75; | |
14 | zend_bool docut = 0; | |
15 | @@ -642,38 +642,40 @@ | |
16 | for (current = 0; current < textlen; current++) { | |
17 | if (text[current] == breakchar[0]) { | |
18 | laststart = lastspace = current; | |
19 | - } | |
20 | - else if (text[current] == ' ') { | |
21 | + } else if (text[current] == ' ') { | |
22 | if (current - laststart >= linelength) { | |
23 | newtext[current] = breakchar[0]; | |
24 | laststart = current; | |
25 | } | |
26 | lastspace = current; | |
27 | - } | |
28 | - else if (current - laststart >= linelength | |
29 | - && laststart != lastspace) { | |
30 | + } else if (current - laststart >= linelength && laststart != lastspace) { | |
31 | newtext[lastspace] = breakchar[0]; | |
32 | laststart = lastspace; | |
33 | } | |
34 | } | |
35 | ||
36 | RETURN_STRINGL(newtext, textlen, 0); | |
37 | - } | |
38 | - else { | |
39 | + } else { | |
40 | /* Multiple character line break or forced cut */ | |
41 | if (linelength > 0) { | |
42 | - newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1; | |
43 | - } | |
44 | - else { | |
45 | - newtextlen = textlen * (breakcharlen + 1) + 1; | |
46 | + chk = (int)(textlen/linelength + 1); | |
47 | + alloced = textlen + chk * breakcharlen + 1; | |
48 | + } else { | |
49 | + chk = textlen; | |
50 | + alloced = textlen * (breakcharlen + 1) + 1; | |
51 | } | |
52 | - newtext = emalloc(newtextlen); | |
53 | + newtext = emalloc(alloced); | |
54 | ||
55 | /* now keep track of the actual new text length */ | |
56 | newtextlen = 0; | |
57 | ||
58 | laststart = lastspace = 0; | |
59 | for (current = 0; current < textlen; current++) { | |
60 | + if (chk <= 0) { | |
61 | + alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1; | |
62 | + newtext = erealloc(newtext, alloced); | |
63 | + chk = (int) ((textlen - current)/linelength) + 1; | |
64 | + } | |
65 | /* when we hit an existing break, copy to new buffer, and | |
66 | * fix up laststart and lastspace */ | |
67 | if (text[current] == breakchar[0] | |
68 | @@ -683,6 +685,7 @@ | |
69 | newtextlen += current-laststart+breakcharlen; | |
70 | current += breakcharlen - 1; | |
71 | laststart = lastspace = current + 1; | |
72 | + chk--; | |
73 | } | |
74 | /* if it is a space, check if it is at the line boundary, | |
75 | * copy and insert a break, or just keep track of it */ | |
76 | @@ -693,6 +696,7 @@ | |
77 | memcpy(newtext+newtextlen, breakchar, breakcharlen); | |
78 | newtextlen += breakcharlen; | |
79 | laststart = current + 1; | |
80 | + chk--; | |
81 | } | |
82 | lastspace = current; | |
83 | } | |
84 | @@ -706,6 +710,7 @@ | |
85 | memcpy(newtext+newtextlen, breakchar, breakcharlen); | |
86 | newtextlen += breakcharlen; | |
87 | laststart = lastspace = current; | |
88 | + chk--; | |
89 | } | |
90 | /* if the current word puts us over the linelength, copy | |
91 | * back up until the last space, insert a break, and move | |
92 | @@ -717,6 +722,7 @@ | |
93 | memcpy(newtext+newtextlen, breakchar, breakcharlen); | |
94 | newtextlen += breakcharlen; | |
95 | laststart = lastspace = lastspace + 1; | |
96 | + chk--; | |
97 | } | |
98 | } | |
99 | ||
100 | @@ -727,6 +733,8 @@ | |
101 | } | |
102 | ||
103 | newtext[newtextlen] = '\0'; | |
104 | + /* free unused memory */ | |
105 | + newtext = erealloc(newtext, newtextlen+1); | |
106 | ||
107 | RETURN_STRINGL(newtext, newtextlen, 0); | |
108 | } |