Created
December 30, 2018 04:42
-
-
Save smalyshev/35b5e5a2aeb1006290a5a0aaf6835f7d to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 68144cb1beb88361b9c59ec75b8c0e250a4ac656 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Sat Dec 29 20:39:08 2018 -0800 | |
Fix #77369 - memcpy with negative length via crafted DNS response | |
diff --git a/ext/standard/dns.c b/ext/standard/dns.c | |
index 8e102f816f..b5fbcb96f9 100644 | |
--- a/ext/standard/dns.c | |
+++ b/ext/standard/dns.c | |
@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t | |
GETLONG(ttl, cp); | |
GETSHORT(dlen, cp); | |
CHECKCP(dlen); | |
+ if (dlen == 0) { | |
+ /* No data in the response - nothing to do */ | |
+ return NULL; | |
+ } | |
if (type_to_fetch != T_ANY && type != type_to_fetch) { | |
cp += dlen; | |
return cp; | |
@@ -549,6 +553,9 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t | |
CHECKCP(n); | |
add_assoc_stringl(subarray, "tag", (char*)cp, n); | |
cp += n; | |
+ if ( (size_t) dlen < ((size_t)n) + 2 ) { | |
+ return NULL; | |
+ } | |
n = dlen - n - 2; | |
CHECKCP(n); | |
add_assoc_stringl(subarray, "value", (char*)cp, n); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment