iliaa Tue Jun 29 21:12:09 2004 EDT
Modified files: (Branch: PHP_4_3)
/php-src/ext/session mod_mm.c
/php-src/ext/wddx wddx.c
/php-src/ext/pcntl pcntl.c
Log:
MFH: Do not use alloca() where it can be abused through user input.
http://cvs.php.net/diff.php/php-src/ext/session/mod_mm.c?r1=1.39.4.3&r2=1.39.4.4&ty=u
Index: php-src/ext/session/mod_mm.c
diff -u php-src/ext/session/mod_mm.c:1.39.4.3 php-src/ext/session/mod_mm.c:1.39.4.4
--- php-src/ext/session/mod_mm.c:1.39.4.3 Tue Dec 31 11:35:20 2002
+++ php-src/ext/session/mod_mm.c Tue Jun 29 21:12:09 2004
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: mod_mm.c,v 1.39.4.3 2002/12/31 16:35:20 sebastian Exp $ */
+/* $Id: mod_mm.c,v 1.39.4.4 2004/06/30 01:12:09 iliaa Exp $ */
#include "php.h"
@@ -264,7 +264,7 @@
return FAILURE;
/* Directory + '/' + File + Module Name + Effective UID + \0 */
- ps_mm_path =
do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
+ ps_mm_path =
emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
memcpy(ps_mm_path, PS(save_path), save_path_len + 1);
if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) {
@@ -277,7 +277,7 @@
ret = ps_mm_initialize(ps_mm_instance, ps_mm_path);
- free_alloca(ps_mm_path);
+ efree(ps_mm_path);
if (ret != SUCCESS) {
free(ps_mm_instance);
http://cvs.php.net/diff.php/php-src/ext/wddx/wddx.c?r1=1.96.2.5&r2=1.96.2.6&ty=u
Index: php-src/ext/wddx/wddx.c
diff -u php-src/ext/wddx/wddx.c:1.96.2.5 php-src/ext/wddx/wddx.c:1.96.2.6
--- php-src/ext/wddx/wddx.c:1.96.2.5 Mon Oct 20 11:42:10 2003
+++ php-src/ext/wddx/wddx.c Tue Jun 29 21:12:09 2004
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: wddx.c,v 1.96.2.5 2003/10/20 15:42:10 moriyoshi Exp $ */
+/* $Id: wddx.c,v 1.96.2.6 2004/06/30 01:12:09 iliaa Exp $ */
#include "php.h"
#include "php_wddx.h"
@@ -1069,7 +1069,7 @@
case ST_DATETIME: {
char *tmp;
- tmp = do_alloca(len + 1);
+ tmp = emalloc(len + 1);
memcpy(tmp, s, len);
tmp[len] = '\0';
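Review bot: The lines `tmp = emalloc(len + 1); memcpy(tmp, s, len); tmp[len] = '\0';` hand-roll a bounded string copy that the same case block already does with `estrndup(s, len)` in the next hunk. Writing `tmp = estrndup(s, len);` keeps the allocation size and the terminator in one place, so the `len + 1` sizing cannot drift from the copy length. The type and range of `len` are not visible here; if it is a signed value derived from the parsed packet, it is worth confirming that it cannot be negative before it reaches the allocator. The `case ST_DATETIME` block continues past this hunk, where `efree(tmp)` releases the buffer.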
@@ -1080,7 +1080,7 @@
Z_STRLEN_P(ent->data) = len;
Z_STRVAL_P(ent->data) = estrndup(s, len);
}
- free_alloca(tmp);
+ efree(tmp);
}
default:
break;
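Review bot: As shown, the `case ST_DATETIME: { ... }` block closes right after `efree(tmp);` and runs straight into `default:` without a `break;`. That is harmless while `default` only breaks, but a case inserted between the two later would inherit the fallthrough. I would add `break;` after `efree(tmp);`, or a `/* fallthrough */` comment if the fallthrough is intended. The start of the case block lies in the previous hunk.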
http://cvs.php.net/diff.php/php-src/ext/pcntl/pcntl.c?r1=1.28.4.4&r2=1.28.4.5&ty=u
Index: php-src/ext/pcntl/pcntl.c
diff -u php-src/ext/pcntl/pcntl.c:1.28.4.4 php-src/ext/pcntl/pcntl.c:1.28.4.5
--- php-src/ext/pcntl/pcntl.c:1.28.4.4 Fri Jan 23 02:02:54 2004
+++ php-src/ext/pcntl/pcntl.c Tue Jun 29 21:12:09 2004
@@ -16,7 +16,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: pcntl.c,v 1.28.4.4 2004/01/23 07:02:54 sniper Exp $ */
+/* $Id: pcntl.c,v 1.28.4.5 2004/06/30 01:12:09 iliaa Exp $ */
#define PCNTL_DEBUG 0
@@ -386,7 +386,7 @@
args_hash = HASH_OF(args);
argc = zend_hash_num_elements(args_hash);
- argv = alloca((argc+2) * sizeof(char *));
+ argv = safe_emalloc((argc + 2), sizeof(char *), 0);
*argv = path;
for ( zend_hash_internal_pointer_reset(args_hash), current_arg =
argv+1;
(argi < argc && (zend_hash_get_current_data(args_hash, (void
**) &element) == SUCCESS));
@@ -397,7 +397,7 @@
}
*(current_arg) = NULL;
} else {
- argv = alloca(2 * sizeof(char *));
+ argv = emalloc(2 * sizeof(char *));
*argv = path;
*(argv+1) = NULL;
}
@@ -407,13 +407,13 @@
envs_hash = HASH_OF(envs);
envc = zend_hash_num_elements(envs_hash);
- envp = alloca((envc+1) * sizeof(char *));
+ envp = safe_emalloc((envc + 1), sizeof(char *), 0);
for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp;
(envi < envc && (zend_hash_get_current_data(envs_hash, (void
**) &element) == SUCCESS));
(envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
switch (return_val = zend_hash_get_current_key_ex(envs_hash,
&key, &key_length, &key_num, 0, NULL)) {
case HASH_KEY_IS_LONG:
- key = alloca(101);
+ key = emalloc(101);
snprintf(key, 100, "%ld", key_num);
key_length = strlen(key);
break;
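Review bot: In the `HASH_KEY_IS_LONG` branch, `key = emalloc(101)` now costs one heap allocation per integer key for a buffer whose size is a compile-time constant, and its release depends on the separate `if (return_val == HASH_KEY_IS_LONG) efree(key);` in the @@ -432 hunk. A single function-scope array, e.g. `char numkey[101];` with `key = numkey;`, would remove both the allocation and the conditional free, and unlike the old `alloca()` call it does not grow with the number of array elements. Any path through the loop body that skips the Cleanup line (the rest of the switch is not visible here) could then no longer leak the key buffer. Separately, `snprintf(key, 100, ...)` passes a bound one smaller than the buffer; `sizeof numkey` would keep the two in sync. The loop body continues beyond this hunk.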
@@ -432,7 +432,7 @@
strlcat(*pair, Z_STRVAL_PP(element), pair_length);
/* Cleanup */
- if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+ if (return_val == HASH_KEY_IS_LONG) efree(key);
}
*(pair) = NULL;
}
@@ -445,10 +445,10 @@
/* Cleanup */
if (envp != NULL) {
for (pair = envp; *pair != NULL; pair++) efree(*pair);
- free_alloca(envp);
+ efree(envp);
}
- free_alloca(argv);
+ efree(argv);
RETURN_FALSE;
}