pajoye                                   Mon, 10 Jan 2011 00:43:08 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=307316

Log:
- some more possible NULL deref

Changed paths:
    U   php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c
    U   php/php-src/trunk/TSRM/tsrm_virtual_cwd.c

Modified: php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c
===================================================================
--- php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c        2011-01-10 
00:30:07 UTC (rev 307315)
+++ php/php-src/branches/PHP_5_3/TSRM/tsrm_virtual_cwd.c        2011-01-10 
00:43:08 UTC (rev 307316)
@@ -509,6 +509,9 @@

                *length = 1;
                retval = (char *) malloc(2);
+               if (retval == NULL) {
+                       return NULL;
+               }
                retval[0] = DEFAULT_SLASH;
                retval[1] = '\0';
                return retval;
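Review bot: `*length` is written before the new NULL check, so on allocation failure the caller receives NULL together with a non-zero length (1 here, `state->cwd_length+1` in the next hunk at -521). A caller that copies `*length` bytes without first testing the returned pointer would still dereference NULL; whether any caller does so is not visible in this diff. Resetting the out-parameter on the failure path, `*length = 0;` before `return NULL;`, keeps the two outputs consistent. The same applies to the trunk hunks at -497 and -509. The enclosing function starts and ends outside the hunk.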
@@ -521,6 +524,9 @@

                *length = state->cwd_length+1;
                retval = (char *) malloc(*length+1);
+               if (retval == NULL) {
+                       return NULL;
+               }
                memcpy(retval, state->cwd, *length);
                retval[0] = toupper(retval[0]);
                retval[*length-1] = DEFAULT_SLASH;
@@ -648,6 +654,10 @@
                realpath_cache_bucket *bucket = malloc(size);
                unsigned long n;

+               if (bucket == NULL) {
+                       return;
+               }
+
 #ifdef PHP_WIN32
                bucket->key = realpath_cache_key(path, path_len TSRMLS_CC);
 #else
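Review bot: The bare `return;` added after `malloc(size)` silently skips the cache insert, and nothing in the code says that this is intended. A short comment above the check, such as `/* allocation failed: leave the cache unchanged */`, would show that dropping the entry is deliberate best-effort behaviour rather than a forgotten error path. The same applies to the trunk hunk at -636. The enclosing function starts and ends outside the hunk.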
@@ -866,6 +876,9 @@
                        }

                        pbuffer = (REPARSE_DATA_BUFFER 
*)tsrm_do_alloca(MAXIMUM_REPARSE_DATA_BUFFER_SIZE, use_heap_large);
+                       if (pbuffer == NULL) {
+                               return -1;
+                       }
                        if(!DeviceIoControl(hLink, FSCTL_GET_REPARSE_POINT, 
NULL, 0, pbuffer,  MAXIMUM_REPARSE_DATA_BUFFER_SIZE, &retlength, NULL)) {
                                tsrm_free_alloca(pbuffer, use_heap_large);
                                CloseHandle(hLink);
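Review bot: The new `return -1;` on a NULL `pbuffer` leaves `hLink` open, whereas the `DeviceIoControl` failure path directly below releases the buffer and calls `CloseHandle(hLink)` before it bails out. Each allocation failure here would therefore leak one handle, so under memory pressure the process steadily loses handles too. The early exit should close it first: `if (pbuffer == NULL) { CloseHandle(hLink); return -1; }`. The same applies to the trunk hunk at -854. The enclosing function starts and ends outside the hunk.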
@@ -952,9 +965,9 @@
                        }

                        if (!isVolume) {
-                               char * tmp = substitutename + 
substitutename_off;
+                               char * tmp2 = substitutename + 
substitutename_off;
                                for(bufindex = 0; bufindex < 
(substitutename_len - substitutename_off); bufindex++) {
-                                       *(path + bufindex) = *(tmp + bufindex);
+                                       *(path + bufindex) = *(tmp2 + bufindex);
                                }

                                *(path + bufindex) = 0;
@@ -1370,6 +1383,10 @@
        /* realpath("") returns CWD */
        if (!*path) {
                new_state.cwd = (char*)malloc(1);
+               if (new_state.cwd == NULL) {
+                       retval = NULL;
+                       goto end;
+               }
                new_state.cwd[0] = '\0';
                new_state.cwd_length = 0;
                if (VCWD_GETCWD(cwd, MAXPATHLEN)) {
@@ -1379,6 +1396,10 @@
                CWD_STATE_COPY(&new_state, &CWDG(cwd));
        } else {
                new_state.cwd = (char*)malloc(1);
+               if (new_state.cwd == NULL) {
+                       retval = NULL;
+                       goto end;
+               }
                new_state.cwd[0] = '\0';
                new_state.cwd_length = 0;
        }
@@ -1394,7 +1415,7 @@
        }

        CWD_STATE_FREE(&new_state);
-
+end:
        return retval;
 }
 /* }}} */
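Review bot: The `end:` label sits after `CWD_STATE_FREE(&new_state)`, so both new `goto end` jumps skip the free. That is safe only because they fire when `new_state.cwd` is NULL, and the label does not record this. A comment on it, such as `/* jumped to only when new_state.cwd was never allocated */`, would stop a later `goto end` added after a successful allocation from leaking the buffer. The same applies to the trunk hunk at -1381. The function body starts outside the hunk.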

Modified: php/php-src/trunk/TSRM/tsrm_virtual_cwd.c
===================================================================
--- php/php-src/trunk/TSRM/tsrm_virtual_cwd.c   2011-01-10 00:30:07 UTC (rev 
307315)
+++ php/php-src/trunk/TSRM/tsrm_virtual_cwd.c   2011-01-10 00:43:08 UTC (rev 
307316)
@@ -497,6 +497,9 @@

                *length = 1;
                retval = (char *) malloc(2);
+               if (retval == NULL) {
+                       return NULL;
+               }
                retval[0] = DEFAULT_SLASH;
                retval[1] = '\0';
                return retval;
@@ -509,6 +512,9 @@

                *length = state->cwd_length+1;
                retval = (char *) malloc(*length+1);
+               if (retval == NULL) {
+                       return NULL;
+               }
                memcpy(retval, state->cwd, *length);
                retval[0] = toupper(retval[0]);
                retval[*length-1] = DEFAULT_SLASH;
@@ -636,6 +642,10 @@
                realpath_cache_bucket *bucket = malloc(size);
                unsigned long n;

+               if (bucket == NULL) {
+                       return;
+               }
+
 #ifdef PHP_WIN32
                bucket->key = realpath_cache_key(path, path_len TSRMLS_CC);
 #else
@@ -854,6 +864,9 @@
                        }

                        pbuffer = (REPARSE_DATA_BUFFER 
*)tsrm_do_alloca(MAXIMUM_REPARSE_DATA_BUFFER_SIZE, use_heap_large);
+                       if (pbuffer == NULL) {
+                               return -1;
+                       }
                        if(!DeviceIoControl(hLink, FSCTL_GET_REPARSE_POINT, 
NULL, 0, pbuffer,  MAXIMUM_REPARSE_DATA_BUFFER_SIZE, &retlength, NULL)) {
                                tsrm_free_alloca(pbuffer, use_heap_large);
                                CloseHandle(hLink);
@@ -940,9 +953,9 @@
                        }

                        if (!isVolume) {
-                               char * tmp = substitutename + 
substitutename_off;
+                               char * tmp2 = substitutename + 
substitutename_off;
                                for(bufindex = 0; bufindex < 
(substitutename_len - substitutename_off); bufindex++) {
-                                       *(path + bufindex) = *(tmp + bufindex);
+                                       *(path + bufindex) = *(tmp2 + bufindex);
                                }

                                *(path + bufindex) = 0;
@@ -1357,6 +1370,10 @@
        /* realpath("") returns CWD */
        if (!*path) {
                new_state.cwd = (char*)malloc(1);
+               if (new_state.cwd == NULL) {
+                       retval = NULL;
+                       goto end;
+               }
                new_state.cwd[0] = '\0';
                new_state.cwd_length = 0;
                if (VCWD_GETCWD(cwd, MAXPATHLEN)) {
@@ -1366,6 +1383,10 @@
                CWD_STATE_COPY(&new_state, &CWDG(cwd));
        } else {
                new_state.cwd = (char*)malloc(1);
+               if (new_state.cwd == NULL) {
+                       retval = NULL;
+                       goto end;
+               }
                new_state.cwd[0] = '\0';
                new_state.cwd_length = 0;
        }
@@ -1381,7 +1402,7 @@
        }

        CWD_STATE_FREE(&new_state);
-
+end:
        return retval;
 }
 /* }}} */
