summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2015-03-22 18:30:21 -0700
committerStanislav Malyshev <stas@php.net>2015-03-22 18:30:56 -0700
commit723ffe2e896f3546b666ba1b1ee677c404a8cf45 (patch)
tree0e2208d78c0f8dde2c45009b254027dbec3429f5
parent0c27a8eb61813f04c92caf578d24bb3b76eb6651 (diff)
parent968fbc6acf0bc27be17c0209be7f966e89a55943 (diff)
downloadphp-git-723ffe2e896f3546b666ba1b1ee677c404a8cf45.tar.gz
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4: Bacport fix bug #68741 - Null pointer dereference Check that the type is correct
Diffstat
-rw-r--r--NEWS3
-rw-r--r--ext/pgsql/pgsql.c3
-rw-r--r--ext/standard/incomplete_class.c2
3 files changed, 7 insertions, 1 deletions
diff --git a/NEWS b/NEWS
index d0cd68f695..ae6c25a8f4 100644
--- a/NEWS
+++ b/NEWS
@@ -33,6 +33,9 @@ PHP NEWS
- OpenSSL:
. Fixed bug #67403 (Add signatureType to openssl_x509_parse).
+- Postgres:
+ . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui)
+
- SPL:
. Fixed bug #69227 (Use after free in zval_scan caused by
spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 2f12fd1829..7af7e8b039 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -6136,6 +6136,9 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const c
/* schame.table should be "schame"."table" */
table_copy = estrdup(table);
token = php_strtok_r(table_copy, ".", &tmp);
+ if (token == NULL) {
+ token = table;
+ }
len = strlen(token);
if (_php_pgsql_detect_identifier_escape(token, len) == SUCCESS) {
smart_str_appendl(querystr, token, len);
diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c
index 5d0908e1a3..05619ddbc5 100644
--- a/ext/standard/incomplete_class.c
+++ b/ext/standard/incomplete_class.c
@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen)
object_properties = Z_OBJPROP_P(object);
- if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) {
+ if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) {
retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
if (nlen) {
View Lorry Controller Status