authorStanislav Malyshev <stas@php.net>2016-10-03 00:09:02 -0700
committerAnatol Belski <ab@php.net>2016-10-13 00:49:25 +0200
commit85998b2a7ec2424a5dd7ccbfdb328e4c2c38fb31 (patch)
tree87c262dcc707e02f10f3254118f0db977b15ff7c
parentd13507d2e6d7c280888cc9c3cab125b347662e90 (diff)
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
(cherry picked from commit 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6) (cherry picked from commit 74b5662536ccdf9b7b02c495f02a27c64e27fff7)
-rw-r--r--Zend/zend_exceptions.c26
-rw-r--r--ext/bcmath/libbcmath/src/init.c5
-rw-r--r--ext/bcmath/libbcmath/src/outofmem.c3
3 files changed, 26 insertions, 8 deletions
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index 144b06f197..89c94eb56f 100644
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -293,10 +293,7 @@ ZEND_METHOD(exception, __construct)
#define CHECK_EXC_TYPE(name, type) \
pvalue = zend_read_property(i_get_exception_base(object), (object), name, sizeof(name) - 1, 1, &value); \
if (Z_TYPE_P(pvalue) != IS_NULL && Z_TYPE_P(pvalue) != type) { \
- zval tmp; \
- ZVAL_STRINGL(&tmp, name, sizeof(name) - 1); \
- Z_OBJ_HANDLER_P(object, unset_property)(object, &tmp, NULL); \
- zval_ptr_dtor(&tmp); \
+ zend_unset_property(i_get_exception_base(object), object, name, sizeof(name)-1); \
}
ZEND_METHOD(exception, __wakeup)
@@ -309,7 +306,12 @@ ZEND_METHOD(exception, __wakeup)
CHECK_EXC_TYPE("file", IS_STRING);
CHECK_EXC_TYPE("line", IS_LONG);
CHECK_EXC_TYPE("trace", IS_ARRAY);
- CHECK_EXC_TYPE("previous", IS_OBJECT);
+ pvalue = zend_read_property(i_get_exception_base(object), object, "previous", sizeof("previous")-1, 1, &value);
+ if (pvalue && Z_TYPE_P(pvalue) != IS_NULL && (Z_TYPE_P(pvalue) != IS_OBJECT ||
+ !instanceof_function(Z_OBJCE_P(pvalue), i_get_exception_base(object)) ||
+ pvalue == object)) {
+ zend_unset_property(i_get_exception_base(object), object, "previous", sizeof("previous")-1);
+ }
}
/* }}} */
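Review bot: The `pvalue == object` test in the new `previous` check compares two zval pointers, so it matches only when the property slot and the `$this` zval share an address; a `previous` that refers to the same object through a different zval would presumably pass. Comparing the underlying objects, `Z_OBJ_P(pvalue) == Z_OBJ_P(object)`, states the intent directly and is safe where it stands, after the `IS_OBJECT` test. Even then only a direct self-reference is rejected at unserialize time; longer cycles are left to the `nApplyCount` guard in `__toString`, which is worth a comment here. The `pvalue &&` guard is also missing from the `CHECK_EXC_TYPE` macro in the previous hunk, so either both need it or neither does.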
@@ -771,10 +773,24 @@ ZEND_METHOD(exception, __toString)
zend_string_release(file);
zval_ptr_dtor(&trace);
+ Z_OBJPROP_P(exception)->u.v.nApplyCount++;
exception = GET_PROPERTY(exception, "previous");
+ if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->u.v.nApplyCount > 0) {
+ exception = NULL;
+ }
}
zval_dtor(&fname);
+ /* Reset apply counts */
+ while (exception && Z_TYPE_P(exception) == IS_OBJECT && (base_ce = i_get_exception_base(exception)) && instanceof_function(Z_OBJCE_P(exception), base_ce)) {
+ if(Z_OBJPROP_P(exception)->u.v.nApplyCount) {
+ Z_OBJPROP_P(exception)->u.v.nApplyCount--;
+ } else {
+ break;
+ }
+ exception = GET_PROPERTY(exception, "previous");
+ }
+
exception = getThis();
base_ce = i_get_exception_base(exception);
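Review bot: The reset loop added after `zval_dtor(&fname)` starts from whatever `exception` holds when the walk ends, which is the tail of the chain, or NULL when the new cycle check fired, so it never reaches the objects whose `nApplyCount` was incremented. `exception = getThis();` is assigned only after the reset loop; placing that assignment before `/* Reset apply counts */` lets the loop rewind from the head of the chain. As written, the counts appear to stay raised after `__toString` returns, which would truncate a second call on the same exception and could confuse other code that consults the apply count on these property tables. The header of the enclosing loop is outside the hunk.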
diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c
index e1aeeddf89..d3a2e580e5 100644
--- a/ext/bcmath/libbcmath/src/init.c
+++ b/ext/bcmath/libbcmath/src/init.c
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
int length, scale, persistent;
{
bc_num temp;
-
+ /* PHP Change: add length check */
+ if ((size_t)length+(size_t)scale > INT_MAX) {
+ zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+ }
/* PHP Change: malloc() -> pemalloc(), removed free_list code */
temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
#if 0
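Review bot: The new length check casts `length` and `scale` to `size_t` before adding them, so a negative operand becomes a very large unsigned value and the sum can wrap back below `INT_MAX`; the bug being fixed is a negative size reaching `memcpy`, and this guard does not reject negative inputs on their own. Test the signs first: `if (length < 0 || scale < 0 || (size_t)length + (size_t)scale > INT_MAX) {`. The call would also be better as `zend_error_noreturn(E_ERROR, ...)`, as outofmem.c does in this same commit, so compilers and analysers do not assume execution continues to `safe_pemalloc`. The function body continues outside the hunk.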
diff --git a/ext/bcmath/libbcmath/src/outofmem.c b/ext/bcmath/libbcmath/src/outofmem.c
index bcbf4cfd1d..05a85b76ea 100644
--- a/ext/bcmath/libbcmath/src/outofmem.c
+++ b/ext/bcmath/libbcmath/src/outofmem.c
@@ -41,6 +41,5 @@
void bc_out_of_memory (void)
{
- (void) fprintf (stderr, "bcmath: out of memory!\n");
- exit (1);
+ zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
}