[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS Zend/zend_API.c
dmitry Tue, 04 May 2010 08:02:51 + Revision: http://svn.php.net/viewvc?view=revision&revision=298945 Log: Fixed a possible memory corruption in addcslashes(). Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2010-05-04 07:33:12 UTC (rev 298944) +++ php/php-src/branches/PHP_5_3/NEWS 2010-05-04 08:02:51 UTC (rev 298945) @@ -23,6 +23,8 @@ - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey) +- Fixed a possible memory corruption in addcslashes(). Reporeted by Stefan + Esser (Dmitry) - Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan Esser (Ilia) - Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser. Modified: php/php-src/branches/PHP_5_3/Zend/zend_API.c === --- php/php-src/branches/PHP_5_3/Zend/zend_API.c2010-05-04 07:33:12 UTC (rev 298944) +++ php/php-src/branches/PHP_5_3/Zend/zend_API.c2010-05-04 08:02:51 UTC (rev 298945) @@ -251,22 +251,18 @@ } /* }}} */ -static int parse_arg_object_to_string(zval **arg, char **p, int *pl, int type TSRMLS_DC) /* {{{ */ +static int parse_arg_object_to_string(zval **arg TSRMLS_DC) /* {{{ */ { if (Z_OBJ_HANDLER_PP(arg, cast_object)) { SEPARATE_ZVAL_IF_NOT_REF(arg); - if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, type TSRMLS_CC) == SUCCESS) { - *pl = Z_STRLEN_PP(arg); - *p = Z_STRVAL_PP(arg); + if (Z_OBJ_HANDLER_PP(arg, cast_object)(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { return SUCCESS; } } /* Standard PHP objects */ if (Z_OBJ_HT_PP(arg) == &std_object_handlers || !Z_OBJ_HANDLER_PP(arg, cast_object)) { SEPARATE_ZVAL_IF_NOT_REF(arg); - if (zend_std_cast_object_tostring(*arg, *arg, type TSRMLS_CC) == SUCCESS) { - *pl = Z_STRLEN_PP(arg); - *p = Z_STRVAL_PP(arg); + if (zend_std_cast_object_tostring(*arg, *arg, IS_STRING TSRMLS_CC) == SUCCESS) { return SUCCESS; } } 
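Review bot: With the `p`/`pl` out-parameters removed, parse_arg_object_to_string() reports its result only by rewriting `*arg` in place, and nothing at the signature says so. A header comment would make the contract explicit, for example `/* On SUCCESS *arg has been separated and converted to IS_STRING in place; callers must read Z_STRVAL_PP/Z_STRLEN_PP only after this returns. */`. That ordering matters because the cast handler can run userland code (`__toString`), so any pointer into the argument taken before the call may be stale afterwards. The function body continues past this hunk; its `ZVAL_ZVAL` tail is in the following one.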
@@ -281,8 +277,6 @@ if (!use_copy) { ZVAL_ZVAL(*arg, z, 1, 1); } - *pl = Z_STRLEN_PP(arg); - *p = Z_STRVAL_PP(arg); return SUCCESS; } zval_ptr_dtor(&z); @@ -423,10 +417,6 @@ break; case IS_OBJECT: - if (parse_arg_object_to_string(arg, p, pl, IS_STRING TSRMLS_CC) == SUCCESS) { - break; - } - case IS_ARRAY: case IS_RESOURCE: default: @@ -680,7 +670,7 @@ int max_num_args = 0; int post_varargs = 0; zval **arg; - int arg_count; + int arg_count = (int)(zend_uintptr_t) *(zend_vm_stack_top(TSRMLS_C) - 1); int quiet = flags & ZEND_PARSE_PARAMS_QUIET; zend_bool have_varargs = 0; zval varargs = NULL; @@ -689,14 +679,21 @@ for (spec_walk = type_spec; *spec_walk; spec_walk++) { c = *spec_walk; switch (c) { + case 's': + if (max_num_args < arg_count) { + arg = (zval **) (zend_vm_stack_top(TSRMLS_C) - 1 - (arg_count - max_num_args)); + if (Z_TYPE_PP(arg) == IS_OBJECT) { + parse_arg_object_to_string(arg TSRMLS_CC); + } + } + /* break missing intentionally */ case 'l': case 'd': - case 's': case 'b': + case 'H': case 'b': case 'r': case 'a': case 'o': case 'O': case 'z': case 'Z': case 'C': case 'h': case 'f': case 'A': - case 'H': max_num_args++; break; @@ -770,8 +767,6 @@ return FAILURE; } - arg_count = (int)(zend_uintptr_t) *(zend_vm_stack_top(TSRMLS_C) - 1); - if (num_args > arg_count) {
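Review bot: In the new `case 's':` pre-pass (hunk -689/+679) the stack slot is chosen with `max_num_args` as the argument index, which matches the real position only while no varargs specifier precedes the `s`. The `have_varargs`/`post_varargs` declarations suggest such specs exist, so an `s` after one would convert the wrong argument and leave the real one an object. That object would presumably be rejected, since the IS_OBJECT branch of the `'s'` parser is removed in the -423 hunk. The varargs handling is outside the hunk, so this needs checking against the full function. The result of `parse_arg_object_to_string(arg TSRMLS_CC)` is also discarded and the conversion runs before the `num_args > arg_count` check, so a comment should record both, e.g. `/* convert objects up front, before any argument is parsed; a failed cast is left for the 's' type check to report */`.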
[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS Zend/zend_API.c Zend/zend_language_scanner.c Zend/zend_language_scanner_defs.h ext/standard/tests/general_functions/bug49847.phpt ext/standard/var_un
pajoye Thu, 11 Feb 2010 21:17:13 + Revision: http://svn.php.net/viewvc?view=revision&revision=294900 Log: - those are in 5.3.2 now, merge to 5.3.2 section is coming Changed paths: U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_API.c U php/php-src/branches/PHP_5_3/Zend/zend_language_scanner.c U php/php-src/branches/PHP_5_3/Zend/zend_language_scanner_defs.h U php/php-src/branches/PHP_5_3/ext/standard/tests/general_functions/bug49847.phpt U php/php-src/branches/PHP_5_3/ext/standard/var_unserializer.c Modified: php/php-src/branches/PHP_5_3/NEWS === --- php/php-src/branches/PHP_5_3/NEWS 2010-02-11 21:12:11 UTC (rev 294899) +++ php/php-src/branches/PHP_5_3/NEWS 2010-02-11 21:17:13 UTC (rev 294900) 
@@ -2,84 +2,10 @@ ||| ?? ??? 20??, PHP 5.3.3 - Upgraded bundled PCRE to version 8.01. (Ilia) -- Upgraded bundled sqlite to version 3.6.22. (Ilia) -- Upgraded bundled libmagic to version 5.03. (Mikko) -- Improved LCG entropy. (Rasmus, Samy Kamkar) - -- Added libpng 1.4.0 support. (Pierre) -- Added support for DISABLE_AUTHENTICATOR for imap_open. (Pierre) -- Added missing host validation for HTTP urls inside FILTER_VALIDATE_URL. - (Ilia) -- Added stream_resolve_include_path(). (Mikko) - Added stream filter support to mcrypt extension (ported from mcrypt_filter). (Stas) -- Fixed safe_mode validation inside tempnam() when the directory path does - not end with a /). (Martin Jansen) -- Fixed a possible open_basedir/safe_mode bypass in session extension - identified by Grzegorz Stachowiak. (Ilia) -- Fixed possible crash when a error/warning is raised during php startup. - (Pierre) -- Fixed possible bad behavior of rename on windows when used with symbolic - links or invalid paths. (Pierre) -- Fixed error output to stderr on Windows. (Pierre) - -- Fixed bug #50952 (allow underscore _ in constants parsed in php.ini files). - (Jani) -- Fixed bug #50940 (Custom content-length set incorrectly in Apache SAPIs). - (Brian France, Rasmus) -- Fixed bug #50930 (Wrong date by php_date.c patch with ancient gcc/glibc - versions). (Derick) -- Fixed bug #50907 (X-PHP-Originating-Script adding two new lines in *NIX). - (Ilia) -- Fixed bug #50859 (build fails with openssl 1.0 due to md2 deprecation). - (Ilia, hanno at hboeck dot de) -- Fixed bug #50847 (strip_tags() removes all tags greater then 1023 bytes - long). (Ilia) -- Fixed bug #50829 (php.ini directive pdo_mysql.default_socket is ignored). - (Ilia) -- Fixed bug #50832 (HTTP fopen wrapper does not support passwordless HTTP - authentication). (Jani) -- Fixed bug #50787 (stream_set_write_buffer() has no effect on socket streams). 
- (vnegrier at optilian dot com, Ilia) -- Fixed bug #50761 (system.multiCall crashes in xmlrpc extension). - (hiroaki dot kawai at gmail dot com, Ilia) -- Fixed bug #50756 (CURLOPT_FTP_SKIP_PASV_IP does not exist). (Sriram) -- Fixed bug #50732 (exec() adds single byte twice to $output array). (Ilia) -- Fixed bug #50728 (All PDOExceptions hardcode 'code' property to 0). - (Joey, Ilia) -- Fixed bug #50723 (Bug in garbage collector causes crash). (Dmitry) -- Fixed bug #50690 (putenv does not set ENV when the value is only one char). - (Pierre) -- Fixed bug #50680 (strtotime() does not support eighth ordinal number). (Ilia) -- Fixed bug #50661 (DOMDocument::loadXML does not allow UTF-16). (Rob) -- Fixed bug #50657 (copy() with an empty (zero-byte) HTTP source succeeds but - returns false). (Ilia) -- Fixed bug #50636 (MySQLi_Result sets values before calling constructor). - (Pierrick) -- Fixed bug #50632 (filter_input() does not return default value if the - variable does not exist). (Ilia) -- Fixed bug #50576 (XML_OPTION_SKIP_TAGSTART option has no effect). (Pierrick) -- Fixed bug #50416 (PROCEDURE db.myproc can't return a result set in the given - context). (Andrey) -- Fixed bug #49585 (date_format buffer not long enough for >4 digit years). - (Derick, Adam) -- Fixed bug #49560 (oci8: using LOBs causes slow PHP shutdown). (Oracle Corp.) -- Fixed bug #49463 (setAttributeNS fails setting default namespace). (Rob) -- Fixed bug #48811 (Directives in PATH section do not get applied to - sub-directories). (Patch by: ct at swin dot edu dot au) -- Fixed bug #48590 (SoapClient does not honor max_redirects). (Sriram) -- Fixed bug #48190 (Content-type parameter "boundary" is not case-insensitive - in HTTP uploads). (Ilia) -- Fixed bug #47409 (extract() problem with array containing word "this"). - (Ilia, chrisstocktonaz at gmail dot com) -- Fixed bug #47281 ($php_errormsg is limited in size of characters) - (Oracle Corp.) 
-- Fixed bug #44827 (define() allows :: in constant names). (Ilia) -- Fixed bug #44098 (imap_utf8() returns only capital letters). - (steffen at dislabs dot de, Pierre) - ?