Hi:

The function zend_register_constant expects c->name_len to equal
sizeof(c->name) for any struct _zend_constant named c. In
zend_register_standard_constants, sizeof() is used to compute the length
of the constant name correctly, but ZEND_STRL() is used to allocate the
string. ZEND_STRL() allocates a string without a null-terminator (using
sizeof(str) - 1).

The enclosed patch fixes the four one-byte read overruns by using
ZEND_STRS(), which allocates a string of the correct size.

Note: This could have been fixed by using strlen() or sizeof() - 1 to
compute the size, but it appears something in the engine is operating
under the assumption that constant names are null-terminated; leaving
off the null terminator causes 'undefined constant' errors. I don't know
if this is expected.

Patch is against ZE2, but ZE1 appears to have the same problem.


Index: zend_constants.c
===================================================================
RCS file: /repository/ZendEngine2/zend_constants.c,v
retrieving revision 1.48
diff -u -r1.48 zend_constants.c
--- zend_constants.c    21 May 2003 22:57:51 -0000      1.48
+++ zend_constants.c    31 May 2003 16:13:06 -0000
@@ -114,25 +114,25 @@
                c.flags = CONST_PERSISTENT;
                c.module_number = 0;
 
-               c.name = zend_strndup(ZEND_STRL("TRUE"));
+               c.name = zend_strndup(ZEND_STRS("TRUE"));
                c.name_len = sizeof("TRUE");
                c.value.value.lval = 1;
                c.value.type = IS_BOOL;
                zend_register_constant(&c TSRMLS_CC);
                
-               c.name = zend_strndup(ZEND_STRL("FALSE"));
+               c.name = zend_strndup(ZEND_STRS("FALSE"));
                c.name_len = sizeof("FALSE");
                c.value.value.lval = 0;
                c.value.type = IS_BOOL;
                zend_register_constant(&c TSRMLS_CC);
 
-               c.name = zend_strndup(ZEND_STRL("ZEND_THREAD_SAFE"));
+               c.name = zend_strndup(ZEND_STRS("ZEND_THREAD_SAFE"));
                c.name_len = sizeof("ZEND_THREAD_SAFE");
                c.value.value.lval = ZTS_V;
                c.value.type = IS_BOOL;
                zend_register_constant(&c TSRMLS_CC);
 
-               c.name = zend_strndup(ZEND_STRL("NULL"));
+               c.name = zend_strndup(ZEND_STRS("NULL"));
                c.name_len = sizeof("NULL");
                c.value.type = IS_NULL;
                zend_register_constant(&c TSRMLS_CC);


Thanks,

- Dave
  [EMAIL PROTECTED]
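An added illustration (not part of Dave's mail or the Zend source) of the length mismatch described above: the ZEND_STRL/ZEND_STRS macros are the engine's real definitions, while demo_constant, demo_set_name and demo_overrun_bytes are hypothetical stand-ins for struct _zend_constant and zend_strndup, written so the overrun shows up as a size comparison instead of an out-of-bounds read.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two Zend macros as in the engine headers: each expands to a
 * (pointer, length) pair; ZEND_STRL omits the NUL, ZEND_STRS includes it. */
#define ZEND_STRL(str) (str), (sizeof(str) - 1)
#define ZEND_STRS(str) (str), (sizeof(str))

/* Hypothetical stand-in for struct _zend_constant, with only the fields
 * that matter here; alloc_len records how many bytes name really owns. */
typedef struct {
    char *name;
    size_t name_len;   /* what zend_register_constant expects to read */
    size_t alloc_len;  /* what the allocation actually holds */
} demo_constant;

/* Simplified duplicate: copies exactly `length` bytes (no implicit NUL),
 * modelling the allocation the mail describes, and records its size. */
static bool demo_set_name(demo_constant *c, const char *s, size_t length,
                          size_t name_len) {
    c->name = malloc(length);
    if (!c->name) return false;
    memcpy(c->name, s, length);
    c->alloc_len = length;
    c->name_len = name_len;
    return true;
}

/* Registers "TRUE" the unpatched way (ZEND_STRL) or the patched way
 * (ZEND_STRS) with name_len = sizeof("TRUE"), and returns how many bytes
 * a name_len-sized read would run past the allocation: 1 or 0.
 * Returns -1 if the allocation fails. */
int demo_overrun_bytes(bool use_strs) {
    demo_constant c = {0};
    bool ok = use_strs
        ? demo_set_name(&c, ZEND_STRS("TRUE"), sizeof("TRUE"))
        : demo_set_name(&c, ZEND_STRL("TRUE"), sizeof("TRUE"));
    if (!ok) return -1;
    int overrun = (c.name_len > c.alloc_len) ? (int)(c.name_len - c.alloc_len) : 0;
    free(c.name);
    return overrun;
}

int main(void) {
    printf("ZEND_STRL overrun: %d byte(s)\n", demo_overrun_bytes(false));
    printf("ZEND_STRS overrun: %d byte(s)\n", demo_overrun_bytes(true));
    return 0;
}
```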


-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php