[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/ext/standard/string.c trunk/ext/standard/string.c
dmitry Wed, 12 May 2010 11:32:25 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=299281
Log:
Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/standard/string.c
U php/php-src/trunk/ext/standard/string.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS 2010-05-12 11:10:06 UTC (rev 299280)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-05-12 11:32:25 UTC (rev 299281)
@@ -28,6 +28,8 @@
- Fixed a possible memory corruption because of unexpected call-time pass by
refernce and following memory clobbering through callbacks.
Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in parse_str(). Reported by Stefan Esser
+ (Dmitry)
- Fixed a possible memory corruption in pack(). Reported by Stefan Esser
(Dmitry)
- Fixed a possible memory corruption in substr_replace(). Reported by Stefan
Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c
===
--- php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-05-12 11:10:06 UTC
(rev 299280)
+++ php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-05-12 11:32:25 UTC
(rev 299281)
@@ -4146,11 +4146,14 @@
Z_ARRVAL(tmp) = EG(active_symbol_table);
sapi_module.treat_data(PARSE_STRING, res, tmp TSRMLS_CC);
} else {
+ zval ret;
+
+ array_init(ret);
+ sapi_module.treat_data(PARSE_STRING, res, ret TSRMLS_CC);
/* Clear out the array that was passed in. */
zval_dtor(arrayArg);
- array_init(arrayArg);
-
- sapi_module.treat_data(PARSE_STRING, res, arrayArg TSRMLS_CC);
+ arrayArg-type = ret.type;
+ arrayArg-value = ret.value;
}
}
/* }}} */
Modified: php/php-src/trunk/ext/standard/string.c
===
--- php/php-src/trunk/ext/standard/string.c 2010-05-12 11:10:06 UTC (rev
299280)
+++ php/php-src/trunk/ext/standard/string.c 2010-05-12 11:32:25 UTC (rev
299281)
@@ -4146,11 +4146,13 @@
Z_ARRVAL(tmp) = EG(active_symbol_table);
sapi_module.treat_data(PARSE_STRING, res, tmp TSRMLS_CC);
} else {
+ zval ret;
+
+ array_init(ret);
+ sapi_module.treat_data(PARSE_STRING, res, ret TSRMLS_CC);
/* Clear out the array that was passed in. */
zval_dtor(arrayArg);
- array_init(arrayArg);
-
- sapi_module.treat_data(PARSE_STRING, res, arrayArg TSRMLS_CC);
+ ZVAL_COPY_VALUE(arrayArg, ret);
}
}
/* }}} */
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/ext/standard/string.c trunk/ext/standard/string.c
dmitry Tue, 11 May 2010 11:59:13 +
Revision: http://svn.php.net/viewvc?view=revisionrevision=299242
Log:
Fixed a possible memory corruption in substr_replace()
Changed paths:
U php/php-src/branches/PHP_5_3/NEWS
U php/php-src/branches/PHP_5_3/ext/standard/string.c
U php/php-src/trunk/ext/standard/string.c
Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS 2010-05-11 10:57:32 UTC (rev 299241)
+++ php/php-src/branches/PHP_5_3/NEWS 2010-05-11 11:59:13 UTC (rev 299242)
@@ -26,6 +26,8 @@
- Fixed a possible memory corruption because of unexpected call-time pass by
refernce and following memory clobbering through callbacks.
Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in substr_replace(). Reported by Stefan
+ Esser (Dmitry)
- Fixed a possible memory corruption in addcslashes(). Reported by Stefan
Esser (Dmitry)
- Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan
Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c
===
--- php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-05-11 10:57:32 UTC
(rev 299241)
+++ php/php-src/branches/PHP_5_3/ext/standard/string.c 2010-05-11 11:59:13 UTC
(rev 299242)
@@ -2219,12 +2219,21 @@
}
if (Z_TYPE_PP(str) != IS_ARRAY) {
+ if (Z_ISREF_PP(str)) {
+ SEPARATE_ZVAL(str);
+ }
convert_to_string_ex(str);
}
if (Z_TYPE_PP(repl) != IS_ARRAY) {
+ if (Z_ISREF_PP(repl)) {
+ SEPARATE_ZVAL(repl);
+ }
convert_to_string_ex(repl);
}
if (Z_TYPE_PP(from) != IS_ARRAY) {
+ if (Z_ISREF_PP(from)) {
+ SEPARATE_ZVAL(from);
+ }
convert_to_long_ex(from);
}
Modified: php/php-src/trunk/ext/standard/string.c
===
--- php/php-src/trunk/ext/standard/string.c 2010-05-11 10:57:32 UTC (rev
299241)
+++ php/php-src/trunk/ext/standard/string.c 2010-05-11 11:59:13 UTC (rev
299242)
@@ -2219,12 +2219,21 @@
}
if (Z_TYPE_PP(str) != IS_ARRAY) {
+ if (Z_ISREF_PP(str)) {
+ SEPARATE_ZVAL(str);
+ }
convert_to_string_ex(str);
}
if (Z_TYPE_PP(repl) != IS_ARRAY) {
+ if (Z_ISREF_PP(repl)) {
+ SEPARATE_ZVAL(repl);
+ }
convert_to_string_ex(repl);
}
if (Z_TYPE_PP(from) != IS_ARRAY) {
+ if (Z_ISREF_PP(from)) {
+ SEPARATE_ZVAL(from);
+ }
convert_to_long_ex(from);
}
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
