pajoye Mon, 10 Jan 2011 00:43:08 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=307316
Log: - some more possible NULL deref Changed paths: U php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c U php/php-src/trunk/TSRM/tsrm_virtual_cwd.c Modified: php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c =================================================================== --- php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c 2011-01-10 00:30:07 UTC (rev 307315) +++ php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c 2011-01-10 00:43:08 UTC (rev 307316) @@ -509,6 +509,9 @@ *length = 1; retval = (char *) malloc(2); + if (retval == NULL) { + return NULL; + } retval[0] = DEFAULT_SLASH; retval[1] = '\0'; return retval; @@ -521,6 +524,9 @@ *length = state->cwd_length+1; retval = (char *) malloc(*length+1); + if (retval == NULL) { + return NULL; + } memcpy(retval, state->cwd, *length); retval[0] = toupper(retval[0]); retval[*length-1] = DEFAULT_SLASH; @@ -648,6 +654,10 @@ realpath_cache_bucket *bucket = malloc(size); unsigned long n; + if (bucket == NULL) { + return; + } + #ifdef PHP_WIN32 bucket->key = realpath_cache_key(path, path_len TSRMLS_CC); #else @@ -866,6 +876,9 @@ } pbuffer = (REPARSE_DATA_BUFFER *)tsrm_do_alloca(MAXIMUM_REPARSE_DATA_BUFFER_SIZE, use_heap_large); + if (pbuffer == NULL) { + return -1; + } if(!DeviceIoControl(hLink, FSCTL_GET_REPARSE_POINT, NULL, 0, pbuffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, &retlength, NULL)) { tsrm_free_alloca(pbuffer, use_heap_large); CloseHandle(hLink); @@ -952,9 +965,9 @@ } if (!isVolume) { - char * tmp = substitutename + substitutename_off; + char * tmp2 = substitutename + substitutename_off; for(bufindex = 0; bufindex < (substitutename_len - substitutename_off); bufindex++) { - *(path + bufindex) = *(tmp + bufindex); + *(path + bufindex) = *(tmp2 + bufindex); } *(path + bufindex) = 0; @@ -1370,6 +1383,10 @@ /* realpath("") returns CWD */ if (!*path) { new_state.cwd = (char*)malloc(1); + if (new_state.cwd == NULL) { + retval = NULL; + goto end; + } new_state.cwd[0] = '\0'; new_state.cwd_length = 0; if (VCWD_GETCWD(cwd, MAXPATHLEN)) { @@ -1379,6 +1396,10 @@ CWD_STATE_COPY(&new_state, &CWDG(cwd)); } else { new_state.cwd = (char*)malloc(1); + if (new_state.cwd == NULL) { + retval = NULL; + goto end; + } new_state.cwd[0] = '\0'; new_state.cwd_length = 0; } @@ -1394,7 +1415,7 @@ } CWD_STATE_FREE(&new_state); - +end: return retval; } /* }}} */ Modified: php/php-src/trunk/TSRM/tsrm_virtual_cwd.c =================================================================== --- php/php-src/trunk/TSRM/tsrm_virtual_cwd.c 2011-01-10 00:30:07 UTC (rev 307315) +++ php/php-src/trunk/TSRM/tsrm_virtual_cwd.c 2011-01-10 00:43:08 UTC (rev 307316) @@ -497,6 +497,9 @@ *length = 1; retval = (char *) malloc(2); + if (retval == NULL) { + return NULL; + } retval[0] = DEFAULT_SLASH; retval[1] = '\0'; return retval; @@ -509,6 +512,9 @@ *length = state->cwd_length+1; retval = (char *) malloc(*length+1); + if (retval == NULL) { + return NULL; + } memcpy(retval, state->cwd, *length); retval[0] = toupper(retval[0]); retval[*length-1] = DEFAULT_SLASH; @@ -636,6 +642,10 @@ realpath_cache_bucket *bucket = malloc(size); unsigned long n; + if (bucket == NULL) { + return; + } + #ifdef PHP_WIN32 bucket->key = realpath_cache_key(path, path_len TSRMLS_CC); #else @@ -854,6 +864,9 @@ } pbuffer = (REPARSE_DATA_BUFFER *)tsrm_do_alloca(MAXIMUM_REPARSE_DATA_BUFFER_SIZE, use_heap_large); + if (pbuffer == NULL) { + return -1; + } if(!DeviceIoControl(hLink, FSCTL_GET_REPARSE_POINT, NULL, 0, pbuffer, MAXIMUM_REPARSE_DATA_BUFFER_SIZE, &retlength, NULL)) { tsrm_free_alloca(pbuffer, use_heap_large); CloseHandle(hLink); @@ -940,9 +953,9 @@ } if (!isVolume) { - char * tmp = substitutename + substitutename_off; + char * tmp2 = substitutename + substitutename_off; for(bufindex = 0; bufindex < (substitutename_len - substitutename_off); bufindex++) { - *(path + bufindex) = *(tmp + bufindex); + *(path + bufindex) = *(tmp2 + bufindex); } *(path + bufindex) = 0; @@ -1357,6 +1370,10 @@ /* realpath("") returns CWD */ if (!*path) { new_state.cwd = (char*)malloc(1); + if (new_state.cwd == NULL) { + retval = NULL; + goto end; + } new_state.cwd[0] = '\0'; new_state.cwd_length = 0; if (VCWD_GETCWD(cwd, MAXPATHLEN)) { @@ -1366,6 +1383,10 @@ CWD_STATE_COPY(&new_state, &CWDG(cwd)); } else { new_state.cwd = (char*)malloc(1); + if (new_state.cwd == NULL) { + retval = NULL; + goto end; + } new_state.cwd[0] = '\0'; new_state.cwd_length = 0; } @@ -1381,7 +1402,7 @@ } CWD_STATE_FREE(&new_state); - +end: return retval; } /* }}} */
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php