dmitry Wed, 12 May 2010 11:10:06 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=299280
Log: Fixed a possible information leak because of interruption of XOR operator Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_operators.c U php/php-src/trunk/Zend/zend_operators.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-05-12 11:04:57 UTC (rev 299279)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-05-12 11:10:06 UTC (rev 299280)
@@ -23,6 +23,8 @@
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey)
+- Fixed a possible information leak because of interruption of XOR operator.
+ Reported by Stefan Esser (Dmitry)
 - Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. Reported by Stefan Esser (Dmitry)
Modified: php/php-src/branches/PHP_5_3/Zend/zend_operators.c
===================================================================
--- php/php-src/branches/PHP_5_3/Zend/zend_operators.c 2010-05-12 11:04:57 UTC (rev 299279)
+++ php/php-src/branches/PHP_5_3/Zend/zend_operators.c 2010-05-12 11:10:06 UTC (rev 299280)
@@ -965,8 +965,10 @@
 ZEND_API int mod_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
 if (Z_LVAL_P(op2) == 0) {
@@ -981,7 +983,7 @@
 return SUCCESS;
 }
- ZVAL_LONG(result, Z_LVAL_P(op1) % Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval % Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
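Review bot: The new `op1_lval` local in mod_function has no comment saying why op1 must be read before op2 is converted, so a later cleanup could fold it back into `Z_LVAL_P(op1) % Z_LVAL_P(op2)` and silently undo the fix. Going by the log message, the second conversion can presumably be interrupted by code that changes op1; a one-line comment above the assignment, such as `/* read op1 now: converting op2 may run code that modifies op1 */`, would record that. The same applies to the identical assignments in boolean_xor_function, the three bitwise functions and both shift functions, in PHP_5_3 and in trunk. Part of mod_function's body lies between its two hunks and is not visible here.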
@@ -989,10 +991,12 @@
 ZEND_API int boolean_xor_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_boolean(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_boolean(op2, op2_copy, result);
- ZVAL_BOOL(result, Z_LVAL_P(op1) ^ Z_LVAL_P(op2));
+ ZVAL_BOOL(result, op1_lval ^ Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1038,6 +1042,7 @@
 ZEND_API int bitwise_or_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 zval *longer, *shorter;
@@ -1066,9 +1071,10 @@
 return SUCCESS;
 }
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) | Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval | Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1076,6 +1082,7 @@
 ZEND_API int bitwise_and_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 zval *longer, *shorter;
@@ -1106,9 +1113,10 @@
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) & Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval & Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1116,6 +1124,7 @@
 ZEND_API int bitwise_xor_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 zval *longer, *shorter;
@@ -1145,9 +1154,10 @@
 }
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) ^ Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval ^ Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
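Review bot: The declare / convert / cache sequence is written out by hand in boolean_xor_function and in each of bitwise_or_function, bitwise_and_function and bitwise_xor_function, so the ordering that makes the fix work is held only by convention. An operator added or edited later with the old shape (convert both operands, then read `Z_LVAL_P(op1)`) would bring the problem back without any compiler or review signal. A small file-local helper or macro that converts op1 and yields its long value in one step would enforce the ordering by construction. The string/string branches of the three bitwise functions lie outside these hunks and are not reviewed here.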
@@ -1155,10 +1165,12 @@
 ZEND_API int shift_left_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) << Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval << Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1166,10 +1178,12 @@
 ZEND_API int shift_right_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) >> Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval >> Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
Modified: php/php-src/trunk/Zend/zend_operators.c
===================================================================
--- php/php-src/trunk/Zend/zend_operators.c 2010-05-12 11:04:57 UTC (rev 299279)
+++ php/php-src/trunk/Zend/zend_operators.c 2010-05-12 11:10:06 UTC (rev 299280)
@@ -965,8 +965,10 @@
 ZEND_API int mod_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
 if (Z_LVAL_P(op2) == 0) {
@@ -981,7 +983,7 @@
 return SUCCESS;
 }
- ZVAL_LONG(result, Z_LVAL_P(op1) % Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval % Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -989,10 +991,12 @@
 ZEND_API int boolean_xor_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_boolean(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_boolean(op2, op2_copy, result);
- ZVAL_BOOL(result, Z_LVAL_P(op1) ^ Z_LVAL_P(op2));
+ ZVAL_BOOL(result, op1_lval ^ Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
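Review bot: In shift_left_function and shift_right_function the shift count `Z_LVAL_P(op2)` still reaches the C `<<` / `>>` operator unchecked. A negative count, or one of at least the bit width of `long`, is undefined behaviour in C, as is left-shifting a negative `op1_lval`, so the result is decided by the compiler and CPU rather than by the engine. A range check before `ZVAL_LONG`, for example `if (Z_LVAL_P(op2) < 0 || Z_LVAL_P(op2) >= (long)(sizeof(long) * CHAR_BIT))` with an engine-defined result for that case, would pin the behaviour, and the left shift itself can be written as `(long)((unsigned long)op1_lval << Z_LVAL_P(op2))`. The trunk copies of both functions carry the same lines.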
@@ -1038,6 +1042,7 @@
 ZEND_API int bitwise_or_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 zval *longer, *shorter;
@@ -1066,9 +1071,10 @@
 return SUCCESS;
 }
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) | Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval | Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1076,6 +1082,7 @@
 ZEND_API int bitwise_and_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 zval *longer, *shorter;
@@ -1106,9 +1113,10 @@
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) & Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval & Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1116,6 +1124,7 @@
 ZEND_API int bitwise_xor_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 if (Z_TYPE_P(op1) == IS_STRING && Z_TYPE_P(op2) == IS_STRING) {
 zval *longer, *shorter;
@@ -1145,9 +1154,10 @@
 }
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) ^ Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval ^ Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1155,10 +1165,12 @@
 ZEND_API int shift_left_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) << Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval << Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */
@@ -1166,10 +1178,12 @@
 ZEND_API int shift_right_function(zval *result, zval *op1, zval *op2 TSRMLS_DC) /* {{{ */
 {
 zval op1_copy, op2_copy;
+ long op1_lval;
 zendi_convert_to_long(op1, op1_copy, result);
+ op1_lval = Z_LVAL_P(op1);
 zendi_convert_to_long(op2, op2_copy, result);
- ZVAL_LONG(result, Z_LVAL_P(op1) >> Z_LVAL_P(op2));
+ ZVAL_LONG(result, op1_lval >> Z_LVAL_P(op2));
 return SUCCESS;
 }
 /* }}} */