Merge branch 'master' of git.php.net:php-src

# By Stanislav Malyshev (5) and Remi Collet (1)
# Via Stanislav Malyshev
* 'master' of git.php.net:php-src:
  5.4.32
  fix potentially missing NUL termination
  Fix bug #67730 - Null byte injection possible with imagexxx functions
  Fixed bug #67717 - segfault in dns_get_record
  Fix bug #67716 - Segfault in cdf.c
  5.4.32 RC1

2 files changed, 7 insertions, 0 deletions

diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
index 4f97af846a..a2e7163415 100644
--- a/ext/gd/gd_ctx.c
+++ b/ext/gd/gd_ctx.c
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 				RETURN_FALSE;
 			}
 		} else if (Z_TYPE_P(to_zval) == IS_STRING) {
+			if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+				RETURN_FALSE;
+			}
+
 			stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
 			if (stream == NULL) {
 				RETURN_FALSE;
diff --git a/main/network.c b/main/network.c
index 74855064d7..366e52c90b 100644
--- a/main/network.c
+++ b/main/network.c
@@ -1006,6 +1006,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize)
 		buf = estrdup(errstr);
 	} else {
 		strncpy(buf, errstr, bufsize);
+		buf[bufsize?(bufsize-1):0] = 0;
 	}
 	return buf;
 #else
@@ -1030,6 +1031,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize)
 		buf = estrdup(sysbuf);
 	} else {
 		strncpy(buf, sysbuf, bufsize);
+		buf[bufsize?(bufsize-1):0] = 0;
 	}
 
 	if (free_it) {