cellog Tue Feb 12 23:29:18 2008 UTC Modified files: (Branch: PHP_5_2) /php-src/ext/zlib zlib_filter.c /php-src NEWS Log: MFH: fix potential memleak due to destruction of filterparams zval http://cvs.php.net/viewvc.cgi/php-src/ext/zlib/zlib_filter.c?r1=1.6.2.2.2.10&r2=1.6.2.2.2.11&diff_format=u Index: php-src/ext/zlib/zlib_filter.c diff -u php-src/ext/zlib/zlib_filter.c:1.6.2.2.2.10 php-src/ext/zlib/zlib_filter.c:1.6.2.2.2.11 --- php-src/ext/zlib/zlib_filter.c:1.6.2.2.2.10 Sat Jan 12 22:04:02 2008 +++ php-src/ext/zlib/zlib_filter.c Tue Feb 12 23:29:18 2008 @@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: zlib_filter.c,v 1.6.2.2.2.10 2008/01/12 22:04:02 cellog Exp $ */ +/* $Id: zlib_filter.c,v 1.6.2.2.2.11 2008/02/12 23:29:18 cellog Exp $ */ #include "php.h" #include "php_zlib.h" @@ -315,15 +315,17 @@ if ((Z_TYPE_P(filterparams) == IS_ARRAY || Z_TYPE_P(filterparams) == IS_OBJECT) && zend_hash_find(HASH_OF(filterparams), "window", sizeof("window"), (void **) &tmpzval) == SUCCESS) { + zval tmp; + /* log-2 base of history window (9 - 15) */ - SEPARATE_ZVAL(tmpzval); - convert_to_long_ex(tmpzval); - if (Z_LVAL_PP(tmpzval) < -MAX_WBITS || Z_LVAL_PP(tmpzval) > MAX_WBITS + 32) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter give for window size. (%ld)", Z_LVAL_PP(tmpzval)); + tmp = **tmpzval; + zval_copy_ctor(&tmp); + convert_to_long(&tmp); + if (Z_LVAL(tmp) < -MAX_WBITS || Z_LVAL(tmp) > MAX_WBITS + 32) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter give for window size. (%ld)", Z_LVAL(tmp)); } else { - windowBits = Z_LVAL_PP(tmpzval); + windowBits = Z_LVAL(tmp); } - zval_ptr_dtor(tmpzval); } } @@ -347,27 +349,33 @@ case IS_ARRAY: case IS_OBJECT: if (zend_hash_find(HASH_OF(filterparams), "memory", sizeof("memory"), (void**) &tmpzval) == SUCCESS) { + zval tmp; + + tmp = **tmpzval; + zval_copy_ctor(&tmp); + convert_to_long(&tmp); + /* Memory Level (1 - 9) */ - SEPARATE_ZVAL(tmpzval); - convert_to_long_ex(tmpzval); - if (Z_LVAL_PP(tmpzval) < 1 || Z_LVAL_PP(tmpzval) > MAX_MEM_LEVEL) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter give for memory level. (%ld)", Z_LVAL_PP(tmpzval)); + if (Z_LVAL(tmp) < 1 || Z_LVAL(tmp) > MAX_MEM_LEVEL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter give for memory level. (%ld)", Z_LVAL(tmp)); } else { - memLevel = Z_LVAL_PP(tmpzval); + memLevel = Z_LVAL(tmp); } - zval_ptr_dtor(tmpzval); } if (zend_hash_find(HASH_OF(filterparams), "window", sizeof("window"), (void**) &tmpzval) == SUCCESS) { + zval tmp; + + tmp = **tmpzval; + zval_copy_ctor(&tmp); + convert_to_long(&tmp); + /* log-2 base of history window (9 - 15) */ - SEPARATE_ZVAL(tmpzval); - convert_to_long_ex(tmpzval); - if (Z_LVAL_PP(tmpzval) < -MAX_WBITS || Z_LVAL_PP(tmpzval) > MAX_WBITS + 16) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter give for window size. (%ld)", Z_LVAL_PP(tmpzval)); + if (Z_LVAL(tmp) < -MAX_WBITS || Z_LVAL(tmp) > MAX_WBITS + 16) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter give for window size. (%ld)", Z_LVAL(tmp)); } else { - windowBits = Z_LVAL_PP(tmpzval); + windowBits = Z_LVAL(tmp); } - zval_ptr_dtor(tmpzval); } if (zend_hash_find(HASH_OF(filterparams), "level", sizeof("level"), (void**) &tmpzval) == SUCCESS) { @@ -378,17 +386,20 @@ case IS_STRING: case IS_DOUBLE: case IS_LONG: - tmpzval = &filterparams; + { + zval tmp; + + tmp = *filterparams; + zval_copy_ctor(&tmp); + convert_to_long(&tmp); factory_setlevel: - /* Set compression level within reason (-1 == default, 0 == none, 1-9 == least to most compression */ - SEPARATE_ZVAL(tmpzval); - convert_to_long_ex(tmpzval); - if (Z_LVAL_PP(tmpzval) < -1 || Z_LVAL_PP(tmpzval) > 9) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid compression level specified. (%ld)", Z_LVAL_PP(tmpzval)); - } else { - level = Z_LVAL_PP(tmpzval); + /* Set compression level within reason (-1 == default, 0 == none, 1-9 == least to most compression */ + if (Z_LVAL(tmp) < -1 || Z_LVAL(tmp) > 9) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid compression level specified. (%ld)", Z_LVAL(tmp)); + } else { + level = Z_LVAL(tmp); + } } - zval_ptr_dtor(tmpzval); break; default: php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filter parameter, ignored."); http://cvs.php.net/viewvc.cgi/php-src/NEWS?r1=1.2027.2.547.2.1076&r2=1.2027.2.547.2.1077&diff_format=u Index: php-src/NEWS diff -u php-src/NEWS:1.2027.2.547.2.1076 php-src/NEWS:1.2027.2.547.2.1077 --- php-src/NEWS:1.2027.2.547.2.1076 Wed Feb 6 11:10:07 2008 +++ php-src/NEWS Tue Feb 12 23:29:18 2008 @@ -1,6 +1,7 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2008, PHP 5.2.6 +- Fixed potential memleak in stream filter parameter for zlib filter (Greg) - Added Reflection API metadata for the methods of the DOM classes. (Sebastian) - Fixed weired behavior in CGI parameter parsing. (Dmitry, Hannes Magnusson) - Fixed a safe_mode bypass in cURL identified by Maksymilian Arciemowicz.
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php