dmitry Tue, 11 May 2010 11:59:13 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=299242
Log:
Fixed a possible memory corruption in substr_replace()
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/standard/string.c
U php/php-src/trunk/ext/standard/string.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-05-11 10:57:32 UTC (rev 299241)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-05-11 11:59:13 UTC (rev 299242)
@@ -26,6 +26,8 @@
- Fixed a possible memory corruption because of unexpected call-time pass by
refernce and following memory clobbering through callbacks.
Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in substr_replace(). Reported by Stefan
+ Esser (Dmitry)
- Fixed a possible memory corruption in addcslashes(). Reported by Stefan
Esser (Dmitry)
- Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan
Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-05-11 10:57:32 UTC
(rev 299241)
+++ php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-05-11 11:59:13 UTC
(rev 299242)
@@ -2219,12 +2219,21 @@
}
if (Z_TYPE_PP(str) != IS_ARRAY) {
+ if (Z_ISREF_PP(str)) {
+ SEPARATE_ZVAL(str);
+ }
convert_to_string_ex(str);
}
if (Z_TYPE_PP(repl) != IS_ARRAY) {
+ if (Z_ISREF_PP(repl)) {
+ SEPARATE_ZVAL(repl);
+ }
convert_to_string_ex(repl);
}
if (Z_TYPE_PP(from) != IS_ARRAY) {
+ if (Z_ISREF_PP(from)) {
+ SEPARATE_ZVAL(from);
+ }
convert_to_long_ex(from);
}
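Review bot: The new `Z_ISREF_PP` / `SEPARATE_ZVAL` guards sit only inside the `!= IS_ARRAY` branches for `str`, `repl` and `from`, so nothing visible in this hunk covers the length argument or an array argument that arrives by reference. If the length argument is also converted in place further down, it presumably needs to be separated before that conversion too; the enclosing function starts and ends outside the hunk, so this may already be handled there and should be confirmed. A short comment above the first guard would record the intent, e.g. `/* separate by-reference args so the in-place conversion works on a private copy, not the caller's variable */`. The same points apply to the identical hunk for php/php-src/trunk/ext/standard/string.c.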
Modified: php/php-src/trunk/ext/standard/string.c
===================================================================
--- php/php-src/trunk/ext/standard/string.c 2010-05-11 10:57:32 UTC (rev
299241)
+++ php/php-src/trunk/ext/standard/string.c 2010-05-11 11:59:13 UTC (rev
299242)
@@ -2219,12 +2219,21 @@
}
if (Z_TYPE_PP(str) != IS_ARRAY) {
+ if (Z_ISREF_PP(str)) {
+ SEPARATE_ZVAL(str);
+ }
convert_to_string_ex(str);
}
if (Z_TYPE_PP(repl) != IS_ARRAY) {
+ if (Z_ISREF_PP(repl)) {
+ SEPARATE_ZVAL(repl);
+ }
convert_to_string_ex(repl);
}
if (Z_TYPE_PP(from) != IS_ARRAY) {
+ if (Z_ISREF_PP(from)) {
+ SEPARATE_ZVAL(from);
+ }
convert_to_long_ex(from);
}