Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
commit 68144cb1beb88361b9c59ec75b8c0e250a4ac656
Author: Stanislav Malyshev <stas@php.net>
Date: Sat Dec 29 20:39:08 2018 -0800
Fix #77369 - memcpy with negative length via crafted DNS response
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
index 8e102f816f..b5fbcb96f9 100644
--- a/ext/standard/dns.c
+++ b/ext/standard/dns.c
@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t
GETLONG(ttl, cp);
GETSHORT(dlen, cp);
CHECKCP(dlen);
+ if (dlen == 0) {
+ /* No data in the response - nothing to do */
+ return NULL;
+ }
if (type_to_fetch != T_ANY && type != type_to_fetch) {
cp += dlen;
return cp;
@@ -549,6 +553,9 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t
CHECKCP(n);
add_assoc_stringl(subarray, "tag", (char*)cp, n);
cp += n;
+ if ( (size_t) dlen < ((size_t)n) + 2 ) {
+ return NULL;
+ }
n = dlen - n - 2;
CHECKCP(n);
add_assoc_stringl(subarray, "value", (char*)cp, n);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.