[packages/php.git] / php-wrap.patch


Fix for wordwrap() buffer overflow, CAN-2002-1396.

--- php-4.2.2/ext/standard/string.c.wrap	2002-04-25 15:52:58.000000000 +0100
+++ php-4.2.2/ext/standard/string.c	2003-01-22 14:34:47.000000000 +0000
@@ -616,7 +616,7 @@
 {
 	const char *text, *breakchar = "\n";
 	char *newtext;
-	int textlen, breakcharlen = 1, newtextlen;
+	int textlen, breakcharlen = 1, newtextlen, alloced, chk;
 	long current = 0, laststart = 0, lastspace = 0;
 	long linelength = 75;
 	zend_bool docut = 0;
@@ -642,38 +642,40 @@
 		for (current = 0; current < textlen; current++) {
 			if (text[current] == breakchar[0]) {
 				laststart = lastspace = current;
-			}
-			else if (text[current] == ' ') {
+			} else if (text[current] == ' ') {
 				if (current - laststart >= linelength) {
 					newtext[current] = breakchar[0];
 					laststart = current;
 				}
 				lastspace = current;
-			}
-			else if (current - laststart >= linelength
-					&& laststart != lastspace) {
+			} else if (current - laststart >= linelength && laststart != lastspace) {
 				newtext[lastspace] = breakchar[0];
 				laststart = lastspace;
 			}
 		}
 
 		RETURN_STRINGL(newtext, textlen, 0);
-	}
-	else {
+	} else {
 		/* Multiple character line break or forced cut */
 		if (linelength > 0) {
-			newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
-		}
-		else {
-			newtextlen = textlen * (breakcharlen + 1) + 1;
+			chk = (int)(textlen/linelength + 1);
+			alloced = textlen + chk * breakcharlen + 1;
+		} else {
+			chk = textlen;
+			alloced = textlen * (breakcharlen + 1) + 1;
 		}
-		newtext = emalloc(newtextlen);
+		newtext = emalloc(alloced);
 
 		/* now keep track of the actual new text length */
 		newtextlen = 0;
 
 		laststart = lastspace = 0;
 		for (current = 0; current < textlen; current++) {
+			if (chk <= 0) {
+				alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1;
+				newtext = erealloc(newtext, alloced);
+				chk = (int) ((textlen - current)/linelength) + 1;
+			}
 			/* when we hit an existing break, copy to new buffer, and
 			 * fix up laststart and lastspace */
 			if (text[current] == breakchar[0]
@@ -683,6 +685,7 @@
 				newtextlen += current-laststart+breakcharlen;
 				current += breakcharlen - 1;
 				laststart = lastspace = current + 1;
+				chk--;
 			}
 			/* if it is a space, check if it is at the line boundary,
 			 * copy and insert a break, or just keep track of it */
@@ -693,6 +696,7 @@
 					memcpy(newtext+newtextlen, breakchar, breakcharlen);
 					newtextlen += breakcharlen;
 					laststart = current + 1;
+					chk--;
 				}
 				lastspace = current;
 			}
@@ -706,6 +710,7 @@
 				memcpy(newtext+newtextlen, breakchar, breakcharlen);
 				newtextlen += breakcharlen;
 				laststart = lastspace = current;
+				chk--;
 			}
 			/* if the current word puts us over the linelength, copy
 			 * back up until the last space, insert a break, and move
@@ -717,6 +722,7 @@
 				memcpy(newtext+newtextlen, breakchar, breakcharlen);
 				newtextlen += breakcharlen;
 				laststart = lastspace = lastspace + 1;
+				chk--;
 			}
 		}
 
@@ -727,6 +733,8 @@
 		}
 
 		newtext[newtextlen] = '\0';
+		/* free unused memory */
+		newtext = erealloc(newtext, newtextlen+1);
 
 		RETURN_STRINGL(newtext, newtextlen, 0);
 	}
Commit	Line	Data
beb15c69 JB	1
	2	Fix for wordwrap() buffer overflow, CAN-2002-1396.
	3
	4	--- php-4.2.2/ext/standard/string.c.wrap 2002-04-25 15:52:58.000000000 +0100
	5	+++ php-4.2.2/ext/standard/string.c 2003-01-22 14:34:47.000000000 +0000
	6	@@ -616,7 +616,7 @@
	7	{
	8	const char text, breakchar = "\n";
	9	char *newtext;
	10	- int textlen, breakcharlen = 1, newtextlen;
	11	+ int textlen, breakcharlen = 1, newtextlen, alloced, chk;
	12	long current = 0, laststart = 0, lastspace = 0;
	13	long linelength = 75;
	14	zend_bool docut = 0;
	15	@@ -642,38 +642,40 @@
	16	for (current = 0; current < textlen; current++) {
	17	if (text[current] == breakchar[0]) {
	18	laststart = lastspace = current;
	19	- }
	20	- else if (text[current] == ' ') {
	21	+ } else if (text[current] == ' ') {
	22	if (current - laststart >= linelength) {
	23	newtext[current] = breakchar[0];
	24	laststart = current;
	25	}
	26	lastspace = current;
	27	- }
	28	- else if (current - laststart >= linelength
	29	- && laststart != lastspace) {
	30	+ } else if (current - laststart >= linelength && laststart != lastspace) {
	31	newtext[lastspace] = breakchar[0];
	32	laststart = lastspace;
	33	}
	34	}
	35
	36	RETURN_STRINGL(newtext, textlen, 0);
	37	- }
	38	- else {
	39	+ } else {
	40	/* Multiple character line break or forced cut */
	41	if (linelength > 0) {
	42	- newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
	43	- }
	44	- else {
	45	- newtextlen = textlen * (breakcharlen + 1) + 1;
	46	+ chk = (int)(textlen/linelength + 1);
	47	+ alloced = textlen + chk * breakcharlen + 1;
	48	+ } else {
	49	+ chk = textlen;
	50	+ alloced = textlen * (breakcharlen + 1) + 1;
	51	}
	52	- newtext = emalloc(newtextlen);
	53	+ newtext = emalloc(alloced);
	54
	55	/* now keep track of the actual new text length */
	56	newtextlen = 0;
	57
	58	laststart = lastspace = 0;
	59	for (current = 0; current < textlen; current++) {
	60	+ if (chk <= 0) {
	61	+ alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1;
	62	+ newtext = erealloc(newtext, alloced);
	63	+ chk = (int) ((textlen - current)/linelength) + 1;
	64	+ }
65	/* when we hit an existing break, copy to new buffer, and
66	* fix up laststart and lastspace */
67	if (text[current] == breakchar[0]
68	@@ -683,6 +685,7 @@
69	newtextlen += current-laststart+breakcharlen;
70	current += breakcharlen - 1;
71	laststart = lastspace = current + 1;
72	+ chk--;
73	}
74	/* if it is a space, check if it is at the line boundary,
75	* copy and insert a break, or just keep track of it */
76	@@ -693,6 +696,7 @@
77	memcpy(newtext+newtextlen, breakchar, breakcharlen);
78	newtextlen += breakcharlen;
79	laststart = current + 1;
80	+ chk--;
81	}
82	lastspace = current;
83	}
84	@@ -706,6 +710,7 @@
85	memcpy(newtext+newtextlen, breakchar, breakcharlen);
86	newtextlen += breakcharlen;
87	laststart = lastspace = current;
88	+ chk--;
89	}
90	/* if the current word puts us over the linelength, copy
91	* back up until the last space, insert a break, and move
92	@@ -717,6 +722,7 @@
93	memcpy(newtext+newtextlen, breakchar, breakcharlen);
94	newtextlen += breakcharlen;
95	laststart = lastspace = lastspace + 1;
96	+ chk--;
97	}
98	}
99
100	@@ -727,6 +733,8 @@
101	}
102
103	newtext[newtextlen] = '\0';
104	+ /* free unused memory */
105	+ newtext = erealloc(newtext, newtextlen+1);
106
107	RETURN_STRINGL(newtext, newtextlen, 0);
108	}