dmitry Tue, 04 May 2010 08:02:51 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=298945
Log:
Fixed a possible memory corruption in addcslashes().
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/Zend/zend_API.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-05-04 07:33:12 UTC (rev 298944)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-05-04 08:02:51 UTC (rev 298945)
@@ -23,6 +23,8 @@
- Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
(Andrey)
+- Fixed a possible memory corruption in addcslashes(). Reporeted by Stefan
+ Esser (Dmitry)
- Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan
Esser (Ilia)
- Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser.
Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_API.c 2010-05-04 07:33:12 UTC
(rev 298944)
+++ php/php-src/branches/PHP_5_3/Zend/zend_API.c 2010-05-04 08:02:51 UTC
(rev 298945)
@@ -251,22 +251,18 @@
}
/* }}} */
-static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type
TSRMLS_DC) /* {{{ */
+static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */
{
if (Z_OBJ_HANDLER_PP(arg, cast_object)) {
SEPARATE_ZVAL_IF_NOT_REF(arg);
- if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type
TSRMLS_CC) == SUCCESS) {
- *pl = Z_STRLEN_PP(arg);
- *p = Z_STRVAL_PP(arg);
+ if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING
TSRMLS_CC) == SUCCESS) {
return SUCCESS;
}
}
/* Standard PHP objects */
if (Z_OBJ_HT_PP(arg) == &std_object_handlers || !Z_OBJ_HANDLER_PP(arg,
cast_object)) {
SEPARATE_ZVAL_IF_NOT_REF(arg);
- if (zend_std_cast_object_tostring(*arg, *arg, type TSRMLS_CC)
== SUCCESS) {
- *pl = Z_STRLEN_PP(arg);
- *p = Z_STRVAL_PP(arg);
+ if (zend_std_cast_object_tostring(*arg, *arg, IS_STRING
TSRMLS_CC) == SUCCESS) {
return SUCCESS;
}
}
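Review bot: parse_arg_object_to_string() changes its contract here — it no longer hands the string back through `p`/`pl` but converts `*arg` in place to IS_STRING — yet the only documentation is the `/* {{{ */` fold marker, so a caller reading the name alone cannot tell that the argument zval itself is rewritten. Add above the signature: `/* Cast the object in *arg to an IS_STRING zval in place. Returns SUCCESS when *arg was converted, FAILURE otherwise; note that SEPARATE_ZVAL_IF_NOT_REF may already have run on failure. Callers read Z_STRVAL/Z_STRLEN from *arg after the call. */`. Both cast paths pass `*arg` as source and destination, which is presumably what lets the converted string live for as long as the argument zval rather than as a dangling pointer; if that is the reason for the rewrite it belongs in the comment. The function body continues past the end of this hunk (the fallback handled in the next hunk).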
@@ -281,8 +277,6 @@
if (!use_copy) {
ZVAL_ZVAL(*arg, z, 1, 1);
}
- *pl = Z_STRLEN_PP(arg);
- *p = Z_STRVAL_PP(arg);
return SUCCESS;
}
zval_ptr_dtor(&z);
@@ -423,10 +417,6 @@
break;
case IS_OBJECT:
- if
(parse_arg_object_to_string(arg, p, pl, IS_STRING TSRMLS_CC) == SUCCESS) {
- break;
- }
-
case IS_ARRAY:
case IS_RESOURCE:
default:
@@ -680,7 +670,7 @@
int max_num_args = 0;
int post_varargs = 0;
zval **arg;
- int arg_count;
+ int arg_count = (int)(zend_uintptr_t) *(zend_vm_stack_top(TSRMLS_C) -
1);
int quiet = flags & ZEND_PARSE_PARAMS_QUIET;
zend_bool have_varargs = 0;
zval ****varargs = NULL;
@@ -689,14 +679,21 @@
for (spec_walk = type_spec; *spec_walk; spec_walk++) {
c = *spec_walk;
switch (c) {
+ case 's':
+ if (max_num_args < arg_count) {
+ arg = (zval **)
(zend_vm_stack_top(TSRMLS_C) - 1 - (arg_count - max_num_args));
+ if (Z_TYPE_PP(arg) == IS_OBJECT) {
+ parse_arg_object_to_string(arg
TSRMLS_CC);
+ }
+ }
+ /* break missing intentionally */
case 'l': case 'd':
- case 's': case 'b':
+ case 'H': case 'b':
case 'r': case 'a':
case 'o': case 'O':
case 'z': case 'Z':
case 'C': case 'h':
case 'f': case 'A':
- case 'H':
max_num_args++;
break;
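Review bot: The return value of parse_arg_object_to_string() is discarded at the new `case 's':` pre-pass, so a reader cannot tell whether a failed cast is handled; presumably `*arg` then stays IS_OBJECT and is rejected later when the argument is actually parsed (the removed `case IS_OBJECT:` body in the earlier hunk now falls through to the default error path), but nothing here says so. Make the intent explicit with `(void) parse_arg_object_to_string(arg TSRMLS_CC); /* on failure *arg stays an object and is rejected by the per-argument parse below */`. It is also worth a comment that this pre-pass can run the object's string-conversion handler before any other argument is validated — that seems to be the point of doing the conversion up front, so that no pointer into another argument's string is captured before user-level conversion code runs — and that the spec walk is therefore no longer side-effect free. The enclosing function starts and ends outside the hunk.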
@@ -770,8 +767,6 @@
return FAILURE;
}
- arg_count = (int)(zend_uintptr_t) *(zend_vm_stack_top(TSRMLS_C) - 1);
-
if (num_args > arg_count) {
zend_error(E_WARNING, "%s(): could not obtain parameters for
parsing",
get_active_function_name(TSRMLS_C));