Fix buffer-overflow in open_basedir()

iluuu1994 · iluuu1994 · commit a7f91e37dea9 · 2023-03-26T10:28:27.000+02:00
diff --git a/Zend/tests/gh10469.phpt b/Zend/tests/gh10469.phpt
@@ -10,6 +10,7 @@ $tmpDir = $originalDir . '/gh10469_tmp';
 chdir($tmpDir);
 ini_set('open_basedir', ini_get('open_basedir') . ':./..');
 ini_set('open_basedir', ini_get('open_basedir') . ':./../');
+ini_set('open_basedir', ini_get('open_basedir') . ':/a/');
 
 chdir($originalDir);
 var_dump(ini_get('open_basedir'));
diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
@@ -103,7 +103,7 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)
 		}
 		/* Don't allow paths with a parent dir component (..) to be set at runtime */
 		char *substr_pos = ptr;
-		while (true) {
+		while (*substr_pos) {
 			// Check if we have a .. path component
 			if (substr_pos[0] == '.'
 			 && substr_pos[1] == '.'

Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ PHPAPI ZEND_INI_MH(OnUpdateBaseDir)`
`103`	`103`	`}`
`104`	`104`	`/* Don't allow paths with a parent dir component (..) to be set at runtime */`
`105`	`105`	`char *substr_pos = ptr;`
`106`		`- while (true) {`
	`106`	`+ while (*substr_pos) {`
`107`	`107`	`// Check if we have a .. path component`
`108`	`108`	`if (substr_pos[0] == '.'`
`109`	`109`	`&& substr_pos[1] == '.'`