pajoye Wed, 26 Aug 2009 19:57:01 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=287779
Log: - fix #44683, popen crashes when an invalid mode is passed (works on 2k8/vista/win7) Bug: http://bugs.php.net/44683 (No Feedback) popen with modes such as "e" or "er" cause php.exe to crash Changed paths: U php/php-src/branches/PHP_5_2/TSRM/tsrm_win32.c U php/php-src/branches/PHP_5_3/TSRM/tsrm_win32.c U php/php-src/trunk/TSRM/tsrm_win32.c Modified: php/php-src/branches/PHP_5_2/TSRM/tsrm_win32.c =================================================================== --- php/php-src/branches/PHP_5_2/TSRM/tsrm_win32.c 2009-08-26 19:19:05 UTC (rev 287778) +++ php/php-src/branches/PHP_5_2/TSRM/tsrm_win32.c 2009-08-26 19:57:01 UTC (rev 287779) @@ -179,20 +179,39 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd, char *env) { FILE *stream = NULL; - int fno, str_len = strlen(type), read, mode; + int fno, type_len = strlen(type), read, mode; STARTUPINFO startup; PROCESS_INFORMATION process; SECURITY_ATTRIBUTES security; HANDLE in, out; + process_pair *proc; char *cmd; - process_pair *proc; + int i; + char *ptype = (char *)type; TSRMLS_FETCH(); + if (!type) { + return NULL; + } + + /*The following two checks can be removed once we drop XP support */ + type_len = strlen(type); + if (type_len <1 || type_len > 2) { + return NULL; + } + + for (i=0; i < type_len; i++) { + if (!(*ptype == 'r' || *ptype == 'w' || *ptype == 'b' || *ptype == 't')) { + return NULL; + } + ptype++; + } + security.nLength = sizeof(SECURITY_ATTRIBUTES); security.bInheritHandle = TRUE; security.lpSecurityDescriptor = NULL; - if (!str_len || !CreatePipe(&in, &out, &security, 2048L)) { + if (!type_len || !CreatePipe(&in, &out, &security, 2048L)) { return NULL; } @@ -204,7 +223,7 @@ startup.hStdError = GetStdHandle(STD_ERROR_HANDLE); read = (type[0] == 'r') ? TRUE : FALSE; - mode = ((str_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT; + mode = ((type_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT; if (read) { Modified: php/php-src/branches/PHP_5_3/TSRM/tsrm_win32.c =================================================================== --- php/php-src/branches/PHP_5_3/TSRM/tsrm_win32.c 2009-08-26 19:19:05 UTC (rev 287778) +++ php/php-src/branches/PHP_5_3/TSRM/tsrm_win32.c 2009-08-26 19:57:01 UTC (rev 287779) @@ -305,7 +305,7 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd, char *env) { FILE *stream = NULL; - int fno, str_len = strlen(type), read, mode; + int fno, type_len = strlen(type), read, mode; STARTUPINFO startup; PROCESS_INFORMATION process; SECURITY_ATTRIBUTES security; @@ -313,13 +313,32 @@ DWORD dwCreateFlags = 0; process_pair *proc; char *cmd; + int i; + char *ptype = (char *)type; TSRMLS_FETCH(); + if (!type) { + return NULL; + } + + /*The following two checks can be removed once we drop XP support */ + type_len = strlen(type); + if (type_len <1 || type_len > 2) { + return NULL; + } + + for (i=0; i < type_len; i++) { + if (!(*ptype == 'r' || *ptype == 'w' || *ptype == 'b' || *ptype == 't')) { + return NULL; + } + ptype++; + } + security.nLength = sizeof(SECURITY_ATTRIBUTES); security.bInheritHandle = TRUE; security.lpSecurityDescriptor = NULL; - if (!str_len || !CreatePipe(&in, &out, &security, 2048L)) { + if (!type_len || !CreatePipe(&in, &out, &security, 2048L)) { return NULL; } @@ -331,7 +350,7 @@ startup.hStdError = GetStdHandle(STD_ERROR_HANDLE); read = (type[0] == 'r') ? TRUE : FALSE; - mode = ((str_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT; + mode = ((type_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT; if (read) { in = dupHandle(in, FALSE); Modified: php/php-src/trunk/TSRM/tsrm_win32.c =================================================================== --- php/php-src/trunk/TSRM/tsrm_win32.c 2009-08-26 19:19:05 UTC (rev 287778) +++ php/php-src/trunk/TSRM/tsrm_win32.c 2009-08-26 19:57:01 UTC (rev 287779) @@ -306,7 +306,7 @@ TSRM_API FILE *popen_ex(const char *command, const char *type, const char *cwd, char *env) { FILE *stream = NULL; - int fno, str_len = strlen(type), read, mode; + int fno, type_len = strlen(type), read, mode; STARTUPINFO startup; PROCESS_INFORMATION process; SECURITY_ATTRIBUTES security; @@ -314,13 +314,32 @@ DWORD dwCreateFlags = 0; process_pair *proc; char *cmd; + int i; + char *ptype = (char *)type; TSRMLS_FETCH(); + if (!type) { + return NULL; + } + + /*The following two checks can be removed once we drop XP support */ + type_len = strlen(type); + if (type_len <1 || type_len > 2) { + return NULL; + } + + for (i=0; i < type_len; i++) { + if (!(*ptype == 'r' || *ptype == 'w' || *ptype == 'b' || *ptype == 't')) { + return NULL; + } + ptype++; + } + security.nLength = sizeof(SECURITY_ATTRIBUTES); security.bInheritHandle = TRUE; security.lpSecurityDescriptor = NULL; - if (!str_len || !CreatePipe(&in, &out, &security, 2048L)) { + if (!type_len || !CreatePipe(&in, &out, &security, 2048L)) { return NULL; } @@ -332,7 +351,7 @@ startup.hStdError = GetStdHandle(STD_ERROR_HANDLE); read = (type[0] == 'r') ? TRUE : FALSE; - mode = ((str_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT; + mode = ((type_len == 2) && (type[1] == 'b')) ? O_BINARY : O_TEXT; if (read) {
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php