dmitry Wed, 12 May 2010 11:04:57 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=299279
Log:
Fixed a possible memory corruption in pack(). Reported by Stefan Esser
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/standard/pack.c
U php/php-src/trunk/ext/standard/pack.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS 2010-05-12 10:38:11 UTC (rev 299278)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-05-12 11:04:57 UTC (rev 299279)
@@ -26,6 +26,8 @@
- Fixed a possible memory corruption because of unexpected call-time pass by
refernce and following memory clobbering through callbacks.
Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in pack(). Reported by Stefan Esser
+ (Dmitry)
- Fixed a possible memory corruption in substr_replace(). Reported by Stefan
Esser (Dmitry)
- Fixed a possible memory corruption in addcslashes(). Reported by Stefan
Modified: php/php-src/branches/PHP_5_3/ext/standard/pack.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/pack.c 2010-05-12 10:38:11 UTC
(rev 299278)
+++ php/php-src/branches/PHP_5_3/ext/standard/pack.c 2010-05-12 11:04:57 UTC
(rev 299279)
@@ -121,6 +121,9 @@
return;
}
+ if (Z_ISREF_PP(argv[0])) {
+ SEPARATE_ZVAL(argv[0]);
+ }
convert_to_string_ex(argv[0]);
format = Z_STRVAL_PP(argv[0]);
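Review bot: The new `Z_ISREF_PP`/`SEPARATE_ZVAL` guard in front of `convert_to_string_ex(argv[0])` has no comment, so nothing at this site says why a by-reference argument must be copied first. The next line caches `Z_STRVAL_PP(argv[0])` in `format`, and the NEWS context refers to memory clobbering through callbacks, so presumably the copy keeps that pointer valid while later arguments are converted. I would add `/* by-ref argument: work on a private copy so code run during a later conversion cannot free or resize the string "format" points into */`. The same comment is missing at the guards in the -179, -312 and -325 hunks and in the four matching trunk hunks. The enclosing function starts and ends outside the hunk.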
@@ -179,6 +182,9 @@
}
if (arg < 0) {
+ if (Z_ISREF_PP(argv[currentarg])) {
+ SEPARATE_ZVAL(argv[currentarg]);
+ }
convert_to_string_ex(argv[currentarg]);
arg = Z_STRLEN_PP(argv[currentarg]);
}
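Review bot: The three-line guard before `convert_to_string_ex(argv[currentarg])` is the same text as at `argv[0]` and in the two later `val = argv[currentarg++]` hunks, and four hand-written copies make it easy to miss a conversion site. A file-local helper such as `#define PACK_SEPARATE_REF(ppzv) do { if (Z_ISREF_PP(ppzv)) { SEPARATE_ZVAL(ppzv); } } while (0)` would keep every site uniform and give the explanation one home. Only string conversions are guarded in the visible hunks. Whether other conversion sites in this function (for example numeric format codes, which are not shown) take by-reference arguments unguarded cannot be told from the diff and is worth confirming. The `if (arg < 0)` block sits inside a larger switch that is outside the hunk.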
@@ -312,6 +318,9 @@
case 'A':
memset(&output[outputpos], (code == 'a') ? '\0'
: ' ', arg);
val = argv[currentarg++];
+ if (Z_ISREF_PP(val)) {
+ SEPARATE_ZVAL(val);
+ }
convert_to_string_ex(val);
memcpy(&output[outputpos], Z_STRVAL_PP(val),
(Z_STRLEN_PP(val) < arg) ?
Z_STRLEN_PP(val) : arg);
@@ -325,6 +334,9 @@
char *v;
val = argv[currentarg++];
+ if (Z_ISREF_PP(val)) {
+ SEPARATE_ZVAL(val);
+ }
convert_to_string_ex(val);
v = Z_STRVAL_PP(val);
outputpos--;
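Review bot: No regression test accompanies the guard added before `convert_to_string_ex(val)` here. The changed paths list only NEWS and the two pack.c copies. This case keeps a raw pointer, `v = Z_STRVAL_PP(val)`, across the rest of its body, so a later refactor that drops the separation would silently bring the corruption back. A test that calls pack() with a by-reference argument for each guarded format code and checks the output and the caller's variable would pin the fix on both branches. The case label and the loop that consumes `v` are outside the hunk.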
Modified: php/php-src/trunk/ext/standard/pack.c
===================================================================
--- php/php-src/trunk/ext/standard/pack.c 2010-05-12 10:38:11 UTC (rev
299278)
+++ php/php-src/trunk/ext/standard/pack.c 2010-05-12 11:04:57 UTC (rev
299279)
@@ -120,6 +120,9 @@
return;
}
+ if (Z_ISREF_PP(argv[0])) {
+ SEPARATE_ZVAL(argv[0]);
+ }
convert_to_string_ex(argv[0]);
format = Z_STRVAL_PP(argv[0]);
@@ -178,6 +181,9 @@
}
if (arg < 0) {
+ if (Z_ISREF_PP(argv[currentarg])) {
+ SEPARATE_ZVAL(argv[currentarg]);
+ }
convert_to_string_ex(argv[currentarg]);
arg = Z_STRLEN_PP(argv[currentarg]);
}
@@ -311,6 +317,9 @@
case 'A':
memset(&output[outputpos], (code == 'a') ? '\0'
: ' ', arg);
val = argv[currentarg++];
+ if (Z_ISREF_PP(val)) {
+ SEPARATE_ZVAL(val);
+ }
convert_to_string_ex(val);
memcpy(&output[outputpos], Z_STRVAL_PP(val),
(Z_STRLEN_PP(val) < arg) ?
Z_STRLEN_PP(val) : arg);
@@ -324,6 +333,9 @@
char *v;
val = argv[currentarg++];
+ if (Z_ISREF_PP(val)) {
+ SEPARATE_ZVAL(val);
+ }
convert_to_string_ex(val);
v = Z_STRVAL_PP(val);
outputpos--;