case '7': case '8': case '9':
case '+': case '-': case '.':
if (state->ptr == tmp) {
- return tmp;
+ goto softfail;
}
/* no break */
case 'A': case 'B': case 'C': case 'D': case 'E': case 'F': case 'G':
default:
if (!(mb = parse_mb(state, PARSE_SCHEME, state->ptr, state->end, tmp, 1))) {
- /* soft fail; parse path next */
- return tmp;
+ goto softfail;
}
state->ptr += mb - 1;
}
} while (++state->ptr != state->end);
+softfail:
+ state->offset = 0;
return state->ptr = tmp;
}
php_http_url_t *php_http_url_parse(const char *str, size_t len, unsigned flags TSRMLS_DC)
{
- size_t maxlen = 3 * len;
+ size_t maxlen = 3 * len + 8 /* null bytes for all components */;
struct parse_state *state = ecalloc(1, sizeof(*state) + maxlen);
state->end = str + len;
--- /dev/null
+--TEST--
+Buffer overflow in HTTP url parsing functions
+--SKIPIF--
+<?php
+include "skipif.inc";
+?>
+--FILE--
+<?php
+
+echo "Test\n";
+try {
+ echo new http\Message(file_get_contents(__DIR__."/data/bug71719.bin"), false);
+} catch (Exception $e) {
+ echo $e;
+}
+?>
+
+===DONE===
+--EXPECTF--
+Test
+%r(exception ')?%rhttp\Exception\BadMessageException%r(' with message '|: )%rhttp\Message::__construct(): Could not parse HTTP protocol version 'HTTP/%s.0'%r'?%r in %sbug71719.php:5
+Stack trace:
+#0 %sbug71719.php(5): http\Message->__construct('\x80\xACTd 5 HTTP/1.1...', false)
+#1 {main}
+===DONE===
projects / m6w6 / ext-http / commitdiff
