Fix #73025: Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c

cmb69 · cmb69 · commit dad793630d59 · 2016-09-06T12:05:58.000+02:00
`command_length` is retrieved via strlen() and later passed to emalloc()
and memcpy(), so the appropriate type is `size_t`.

We don't add a regression test, because that would need to allocate a string
of at least 2 GiB.
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2016, PHP 5.6.27
 
+- Core:
+  . Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of
+    zend_virtual_cwd.c). (cmb)
+
 - Filter:
   . Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and
     FILTER_FLAG_NO_PRIV_RANGE). (julien)
diff --git a/Zend/zend_virtual_cwd.c b/Zend/zend_virtual_cwd.c
@@ -1896,7 +1896,7 @@ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /*
 #else /* Unix */
 CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* {{{ */
 {
-	int command_length;
+	size_t command_length;
 	int dir_length, extra = 0;
 	char *command_line;
 	char *ptr, *dir;

Original file line number	Diff line number	Diff line change
`@@ -1896,7 +1896,7 @@ CWD_API FILE virtual_popen(const char command, const char type TSRMLS_DC) /`
`1896`	`1896`	`#else /* Unix */`
`1897`	`1897`	`CWD_API FILE virtual_popen(const char command, const char type TSRMLS_DC) / {{{ */`
`1898`	`1898`	`{`
`1899`		`- int command_length;`
	`1899`	`+ size_t command_length;`
`1900`	`1900`	`int dir_length, extra = 0;`
`1901`	`1901`	`char *command_line;`
`1902`	`1902`	`char ptr, dir;`