Skip to content

Instantly share code, notes, and snippets.

@smalyshev

smalyshev/gist:35b5e5a2aeb1006290a5a0aaf6835f7d Secret

Created December 30, 2018 04:42
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save smalyshev/35b5e5a2aeb1006290a5a0aaf6835f7d to your computer and use it in GitHub Desktop.
Save smalyshev/35b5e5a2aeb1006290a5a0aaf6835f7d to your computer and use it in GitHub Desktop.
Download ZIP
Raw
gistfile1.txt
commit 68144cb1beb88361b9c59ec75b8c0e250a4ac656
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Dec 29 20:39:08 2018 -0800
Fix #77369 - memcpy with negative length via crafted DNS response
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
index 8e102f816f..b5fbcb96f9 100644
--- a/ext/standard/dns.c
+++ b/ext/standard/dns.c
@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t
GETLONG(ttl, cp);
GETSHORT(dlen, cp);
CHECKCP(dlen);
+ if (dlen == 0) {
+ /* No data in the response - nothing to do */
+ return NULL;
+ }
if (type_to_fetch != T_ANY && type != type_to_fetch) {
cp += dlen;
return cp;
@@ -549,6 +553,9 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t
CHECKCP(n);
add_assoc_stringl(subarray, "tag", (char*)cp, n);
cp += n;
+ if ( (size_t) dlen < ((size_t)n) + 2 ) {
+ return NULL;
+ }
n = dlen - n - 2;
CHECKCP(n);
add_assoc_stringl(subarray, "value", (char*)cp, n);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment