dmitry Wed, 12 May 2010 11:04:57 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=299279
Log: Fixed a possible memory corruption in pack(). Reported by Stefan Esser Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/standard/pack.c U php/php-src/trunk/ext/standard/pack.c Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-05-12 10:38:11 UTC (rev 299278) +++ php/php-src/branches/PHP_5_3/NEWS 2010-05-12 11:04:57 UTC (rev 299279) @@ -26,6 +26,8 @@ - Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. Reported by Stefan Esser (Dmitry) +- Fixed a possible memory corruption in pack(). Reported by Stefan Esser + (Dmitry) - Fixed a possible memory corruption in substr_replace(). Reported by Stefan Esser (Dmitry) - Fixed a possible memory corruption in addcslashes(). Reported by Stefan Modified: php/php-src/branches/PHP_5_3/ext/standard/pack.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/standard/pack.c 2010-05-12 10:38:11 UTC (rev 299278) +++ php/php-src/branches/PHP_5_3/ext/standard/pack.c 2010-05-12 11:04:57 UTC (rev 299279) @@ -121,6 +121,9 @@ return; } + if (Z_ISREF_PP(argv[0])) { + SEPARATE_ZVAL(argv[0]); + } convert_to_string_ex(argv[0]); format = Z_STRVAL_PP(argv[0]); @@ -179,6 +182,9 @@ } if (arg < 0) { + if (Z_ISREF_PP(argv[currentarg])) { + SEPARATE_ZVAL(argv[currentarg]); + } convert_to_string_ex(argv[currentarg]); arg = Z_STRLEN_PP(argv[currentarg]); } @@ -312,6 +318,9 @@ case 'A': memset(&output[outputpos], (code == 'a') ? '\0' : ' ', arg); val = argv[currentarg++]; + if (Z_ISREF_PP(val)) { + SEPARATE_ZVAL(val); + } convert_to_string_ex(val); memcpy(&output[outputpos], Z_STRVAL_PP(val), (Z_STRLEN_PP(val) < arg) ? Z_STRLEN_PP(val) : arg); @@ -325,6 +334,9 @@ char *v; val = argv[currentarg++]; + if (Z_ISREF_PP(val)) { + SEPARATE_ZVAL(val); + } convert_to_string_ex(val); v = Z_STRVAL_PP(val); outputpos--; Modified: php/php-src/trunk/ext/standard/pack.c =================================================================== --- php/php-src/trunk/ext/standard/pack.c 2010-05-12 10:38:11 UTC (rev 299278) +++ php/php-src/trunk/ext/standard/pack.c 2010-05-12 11:04:57 UTC (rev 299279) @@ -120,6 +120,9 @@ return; } + if (Z_ISREF_PP(argv[0])) { + SEPARATE_ZVAL(argv[0]); + } convert_to_string_ex(argv[0]); format = Z_STRVAL_PP(argv[0]); @@ -178,6 +181,9 @@ } if (arg < 0) { + if (Z_ISREF_PP(argv[currentarg])) { + SEPARATE_ZVAL(argv[currentarg]); + } convert_to_string_ex(argv[currentarg]); arg = Z_STRLEN_PP(argv[currentarg]); } @@ -311,6 +317,9 @@ case 'A': memset(&output[outputpos], (code == 'a') ? '\0' : ' ', arg); val = argv[currentarg++]; + if (Z_ISREF_PP(val)) { + SEPARATE_ZVAL(val); + } convert_to_string_ex(val); memcpy(&output[outputpos], Z_STRVAL_PP(val), (Z_STRLEN_PP(val) < arg) ? Z_STRLEN_PP(val) : arg); @@ -324,6 +333,9 @@ char *v; val = argv[currentarg++]; + if (Z_ISREF_PP(val)) { + SEPARATE_ZVAL(val); + } convert_to_string_ex(val); v = Z_STRVAL_PP(val); outputpos--;
-- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php