Date: 05/15/00
- Next message: Sascha Schumann: "Re: [PHP-DEV] Session handling bug-let?"
- Previous message: adam <email protected>: "[PHP-DEV] Returning multi-dimensional array"
- Next in thread: Sascha Schumann: "Re: [PHP-DEV] Session handling bug-let?"
- Reply: Sascha Schumann: "Re: [PHP-DEV] Session handling bug-let?"
I've noticed a small bug-let in session handling code, as follows:

in session.c, in PS_SERIALIZER_DECODE_FUNC(php) we have:

    for (p = q = val; (p < endptr) && (q = strchr(p, '|')); p = q) {

where val is obtained via:

    (PS(mod)->read(&PS(mod_data), PS(id), &val, &vallen)

which for mod_files does:

    *vallen = sbuf.st_size;
    *val = emalloc(sbuf.st_size);
    n = read(data->fd, *val, sbuf.st_size);

That means, val is not \0-terminated. That is, it's unsafe to run strchr
on it. The obvious solution would be to emalloc one byte more and
null-terminate the string.
-- Stanislav Malyshev stas <email protected> +972-3-6139665
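
The over-read described in the message above, as an added example that is not part of the original post or of PHP's source. The function names, the constructed arena buffer and the use of malloc in place of emalloc are assumptions made for illustration; the block also shows a length-bounded memchr scan, which goes beyond the fix the message proposes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: 15 bytes of session data followed directly by unrelated
 * bytes, standing in for whatever sits after an unterminated buffer. The
 * literal's own trailing NUL keeps this demonstration well defined. */
static const char arena[] = "user|s:3:\"bob\";" "adjacent|heap";
#define SESSION_LEN 15

/* Same shape as the quoted loop header: only p is compared with endptr,
 * strchr itself has no bound. Returns how many hits lie at or past endptr. */
size_t strchr_hits_past_end(const char *val, size_t vallen) {
    const char *endptr = val + vallen, *p, *q;
    size_t past = 0;
    for (p = val; p < endptr && (q = strchr(p, '|')); p = q + 1)
        if (q >= endptr) past++;
    return past;
}

/* Length-bounded scan: memchr never looks beyond endptr. */
size_t count_delims_bounded(const char *val, size_t vallen) {
    const char *endptr = val + vallen, *p = val, *q;
    size_t n = 0;
    while (p < endptr && (q = memchr(p, '|', (size_t)(endptr - p)))) {
        n++;
        p = q + 1;
    }
    return n;
}

/* The fix proposed in the message: allocate one byte more and terminate. */
char *copy_terminated(const char *src, size_t len) {
    char *val = malloc(len + 1);
    if (!val) return NULL;
    memcpy(val, src, len);
    val[len] = '\0';
    return val;
}

int main(void) {
    char *fixed = copy_terminated(arena, SESSION_LEN);
    if (!fixed) return 1;
    printf("unterminated: %zu hit(s) past end\n", strchr_hits_past_end(arena, SESSION_LEN));
    printf("terminated:   %zu hit(s) past end\n", strchr_hits_past_end(fixed, SESSION_LEN));
    printf("bounded scan: %zu delimiter(s)\n", count_delims_bounded(arena, SESSION_LEN));
    free(fixed);
    return 0;
}
```

Terminating the buffer stops strchr at the end of the data, but a NUL byte inside the session data would also stop it early; the memchr form depends only on the recorded length.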

