sas             Thu Apr  3 13:19:15 2003 EDT

  Modified files:              
    /php4/main  output.c 
  Log:
  Add some checks and avoid passing invalid data to call_user_function_ex.
  
  Fixes some heap corruption and allocation of negative amounts of memory.
  
  
Index: php4/main/output.c
diff -u php4/main/output.c:1.152 php4/main/output.c:1.153
--- php4/main/output.c:1.152    Wed Apr  2 19:50:17 2003
+++ php4/main/output.c  Thu Apr  3 13:19:15 2003
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: output.c,v 1.152 2003/04/03 00:50:17 moriyoshi Exp $ */
+/* $Id: output.c,v 1.153 2003/04/03 18:19:15 sas Exp $ */
 
 #include "php.h"
 #include "ext/standard/head.h"
@@ -150,7 +150,7 @@
                php_error_docref("ref.outcontrol" TSRMLS_CC, E_ERROR, "Cannot use 
output buffering in output buffering display handlers");
                return FAILURE;
        }
-       if (chunk_size) {
+       if (chunk_size > 0) {
                if (chunk_size==1) {
                        chunk_size = 4096;
                }
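Review bot: The new `chunk_size > 0` test only rejects negative values if `chunk_size` has a signed type in this function, and its declaration is outside the hunk. If the parameter is unsigned, the condition is equivalent to the old `if (chunk_size)`, and a negative value from a caller arrives here as a very large positive size. In that case the only effective guard is the clamp added in the last hunk, which protects that one caller and no other. I would confirm the parameter type and, if it is unsigned, also reject values above a sane maximum here, before the value is used to size the buffer (that code is not visible). The enclosing function starts and ends outside the hunk.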
@@ -498,10 +498,7 @@
                php_error_docref(NULL TSRMLS_CC, E_ERROR, "No method name given: use 
ob_start(array($object,'method')) to specify instance $object and the name of a method 
of class %s to use as output handler", Z_OBJCE_P(output_handler)->name);
                result = FAILURE;
        } else {
-               if (output_handler) {
-                       SEPARATE_ZVAL(&output_handler);
-               }
-               result = php_ob_init_named(initial_size, block_size, 
OB_DEFAULT_HANDLER_NAME, output_handler, chunk_size, erase TSRMLS_CC);
+               result = php_ob_init_named(initial_size, block_size, 
OB_DEFAULT_HANDLER_NAME, NULL, chunk_size, erase TSRMLS_CC);
        }
        return result;
 }
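Review bot: A non-NULL `output_handler` that reaches this final `else` is now discarded without any diagnostic, so a caller that supplied a handler of an unsupported type gets the default handler and whatever `php_ob_init_named` returns. That is safer than handing the value on to the callback machinery, but the silent fallback is easy to misread as a bug later. I would document it at the call, for example `/* output_handler is not a usable callback here: ignore it and install the default handler */`, and consider raising a notice when `output_handler` is non-NULL. The earlier branches of this `if` chain are outside the hunk, so which types actually reach this branch should be confirmed against them.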
@@ -719,6 +716,9 @@
                RETURN_FALSE;
        }
 
+       if (chunk_size < 0)
+               chunk_size = 0;
+       
        if (php_start_ob_buffer(output_handler, chunk_size, erase TSRMLS_CC)==FAILURE) 
{
                RETURN_FALSE;
        }
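Review bot: The added clamp is written without braces and leaves a whitespace-only line after it, while the other conditionals visible in this patch brace even single statements; `if (chunk_size < 0) { chunk_size = 0; }` would match. Only the lower bound is checked here. If `php_start_ob_buffer` takes a narrower or unsigned type than the variable parsed in this function (neither declaration is visible), a very large positive argument could still be truncated or produce an oversized allocation, so an upper limit at this point is worth considering. The enclosing function starts and ends outside the hunk.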


