diff options
author | Stanislav Malyshev <stas@php.net> | 2015-03-22 18:30:21 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-03-22 18:30:56 -0700 |
commit | 723ffe2e896f3546b666ba1b1ee677c404a8cf45 (patch) | |
tree | 0e2208d78c0f8dde2c45009b254027dbec3429f5 | |
parent | 0c27a8eb61813f04c92caf578d24bb3b76eb6651 (diff) | |
parent | 968fbc6acf0bc27be17c0209be7f966e89a55943 (diff) | |
download | php-git-723ffe2e896f3546b666ba1b1ee677c404a8cf45.tar.gz |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
Bacport fix bug #68741 - Null pointer dereference
Check that the type is correct
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | ext/pgsql/pgsql.c | 3 | ||||
-rw-r--r-- | ext/standard/incomplete_class.c | 2 |
3 files changed, 7 insertions, 1 deletions
@@ -33,6 +33,9 @@ PHP NEWS - OpenSSL: . Fixed bug #67403 (Add signatureType to openssl_x509_parse). +- Postgres: + . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui) + - SPL: . Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index 2f12fd1829..7af7e8b039 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -6136,6 +6136,9 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const c /* schame.table should be "schame"."table" */ table_copy = estrdup(table); token = php_strtok_r(table_copy, ".", &tmp); + if (token == NULL) { + token = table; + } len = strlen(token); if (_php_pgsql_detect_identifier_escape(token, len) == SUCCESS) { smart_str_appendl(querystr, token, len); diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c index 5d0908e1a3..05619ddbc5 100644 --- a/ext/standard/incomplete_class.c +++ b/ext/standard/incomplete_class.c @@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen) object_properties = Z_OBJPROP_P(object); - if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) { + if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) { retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val)); if (nlen) { |