From b555fbc66666874e9fb7eda2d89d3bb785cfafc1 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sun, 7 Nov 2021 20:55:09 +0000
Subject: [PATCH] Fix bug #81513 (Future possibility for heap overflow in FPM zlog)

This fixes currently unused code path in zlog that could lead to the heap overflow in the future.
---
 sapi/fpm/fpm/zlog.c | 3 +-
 sapi/fpm/tests/log-bwp-realloc-buffer.phpt | 52 ++++++++++++++++++++++
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 sapi/fpm/tests/log-bwp-realloc-buffer.phpt

diff --git a/sapi/fpm/fpm/zlog.c b/sapi/fpm/fpm/zlog.c
index db2f0db447ee8..4808447f5c924 100644
--- a/sapi/fpm/fpm/zlog.c
+++ b/sapi/fpm/fpm/zlog.c
@@ -414,7 +414,8 @@ static inline ssize_t zlog_stream_unbuffered_write(
 static inline ssize_t zlog_stream_buf_copy_cstr(
 struct zlog_stream *stream, const char *str, size_t str_len) /* {{{ */
 {
- if (stream->buf.size - stream->len <= str_len && !zlog_stream_buf_alloc_ex(stream, str_len)) {
+ if (stream->buf.size - stream->len <= str_len &&
+ !zlog_stream_buf_alloc_ex(stream, str_len + stream->len)) {
 return -1;
 }
diff --git a/sapi/fpm/tests/log-bwp-realloc-buffer.phpt b/sapi/fpm/tests/log-bwp-realloc-buffer.phpt
new file mode 100644
index 0000000000000..3371bf8330c88
--- /dev/null
+++ b/sapi/fpm/tests/log-bwp-realloc-buffer.phpt
@@ -0,0 +1,52 @@
+--TEST--
+FPM: bug81513 - Buffered worker output plain log stream reallocation
+--SKIPIF--
+
+--FILE--
+start();
+$tester->expectLogStartNotices();
+$tester->request()->expectEmptyBody();
+$tester->terminate();
+var_dump($tester->getLastLogLine() === str_repeat('a', 100) . str_repeat('b', 923) . "\n");
+var_dump($tester->getLastLogLine() === str_repeat('b', 1023) . "\n");
+var_dump($tester->getLastLogLine() === str_repeat('b', 554) . "\n");
+$tester->close();
+
+?>
+Done
+--EXPECT--
+bool(true)
+bool(true)
+bool(true)
+Done
+--CLEAN--
+
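Review bot: The new size argument `str_len + stream->len` in `zlog_stream_buf_copy_cstr` is an unchecked `size_t` addition, and the guard before it computes `stream->buf.size - stream->len` without establishing that `len` never exceeds `size`; if either expression wrapped, the check could pass with a buffer smaller than the copy needs. A cheap guard ahead of the condition would be `if (str_len > SIZE_MAX - stream->len) { return -1; }`. The fix also relies on `zlog_stream_buf_alloc_ex` treating its second argument as the total capacity required and providing at least that much on success, which the hunk does not show; a comment such as `/* needed is the total buffer size, not the increment */` above the call would record that contract. The function body, including the copy that consumes the buffer, continues outside the hunk.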