authorIlia Alshanetsky <iliaa@php.net>2007-05-29 21:06:04 +0000
committerIlia Alshanetsky <iliaa@php.net>2007-05-29 21:06:04 +0000
commite844eaedbb266ac93a68a481d43cba19602977d0 (patch)
tree10ed82a01454020039022f6897930df4ad62cecb /ext
parent7b5215d83ac9b79e41b8b21f60814ea626670a79 (diff)
MFB
Diffstat (limited to 'ext')
-rw-r--r--ext/filter/tests/PMOPB45.phpt11
-rw-r--r--ext/imap/tests/bug40854.phpt57
-rw-r--r--ext/pgsql/pgsql.c10
-rw-r--r--ext/standard/dl.c6
-rw-r--r--ext/sybase/php_sybase_db.c20
-rw-r--r--ext/tidy/tests/024.phpt22
-rw-r--r--ext/xmlrpc/libxmlrpc/base64.c4
-rw-r--r--ext/xmlrpc/libxmlrpc/base64.h4
8 files changed, 85 insertions, 49 deletions
diff --git a/ext/filter/tests/PMOPB45.phpt b/ext/filter/tests/PMOPB45.phpt
new file mode 100644
index 0000000000..532eb219d3
--- /dev/null
+++ b/ext/filter/tests/PMOPB45.phpt
@@ -0,0 +1,11 @@
+--TEST--
+PMOPB-45-2007:PHP ext/filter Email Validation Vulnerability
+--SKIPIF--
+<?php if (!extension_loaded("filter")) die("skip"); ?>
+--FILE--
+<?php
+ $var = "test@example.com\n";
+ var_dump(filter_var($var, FILTER_VALIDATE_EMAIL));
+?>
+--EXPECT--
+bool(false)
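Review bot: The regression test in `--FILE--` pins only one input shape, an address followed by a single trailing `"\n"`. Validated addresses often end up in mail headers, so it is worth also pinning a CRLF terminator and a line break in the middle of the value, for example `var_dump(filter_var("test@example.com\r\n", FILTER_VALIDATE_EMAIL));` and `var_dump(filter_var("test\n@example.com", FILTER_VALIDATE_EMAIL));`, each with a matching `bool(false)` line under `--EXPECT--`. The validator change itself is not visible in this diff, so the expected results for the extra cases should be confirmed against it.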
diff --git a/ext/imap/tests/bug40854.phpt b/ext/imap/tests/bug40854.phpt
new file mode 100644
index 0000000000..3df81ea29d
--- /dev/null
+++ b/ext/imap/tests/bug40854.phpt
@@ -0,0 +1,57 @@
+--TEST--
+Bug #40854 (imap_mail_compose() creates an invalid terminator for multipart e-mails)
+--SKIPIF--
+<?php
+ if (!extension_loaded("imap")) {
+ die("skip imap extension not available");
+ }
+?>
+--FILE--
+<?php
+$envelope["from"]= "joe@example.com";
+$envelope["to"] = "foo@example.com";
+$envelope["cc"] = "bar@example.com";
+
+$part1["type"] = TYPEMULTIPART;
+$part1["subtype"] = "mixed";
+
+$part2["type"] = TYPEAPPLICATION;
+$part2["encoding"] = ENCBINARY;
+$part2["subtype"] = "octet-stream";
+$part2["description"] = 'a.txt';
+$part2["contents.data"] = '';
+
+$part3["type"] = TYPETEXT;
+$part3["subtype"] = "plain";
+$part3["description"] = "description3";
+$part3["contents.data"] = "contents.data3\n\n\n\t";
+
+$body[1] = $part1;
+$body[2] = $part2;
+$body[3] = $part3;
+
+echo imap_mail_compose($envelope, $body);
+?>
+--EXPECTF--
+From: joe@example.com
+To: foo@example.com
+cc: bar@example.com
+MIME-Version: 1.0
+Content-Type: MULTIPART/mixed; BOUNDARY="%s"
+
+--%s
+Content-Type: APPLICATION/octet-stream
+Content-Transfer-Encoding: BASE64
+Content-Description: a.txt
+
+
+
+--%s
+Content-Type: TEXT/plain; CHARSET=US-ASCII
+Content-Description: description3
+
+contents.data3
+
+
+
+--%s-- \ No newline at end of file
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 9ea09addff..8621626815 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -3280,7 +3280,6 @@ PHP_FUNCTION(pg_copy_to)
char *table_name, *pg_delim = NULL, *pg_null_as = NULL;
int table_name_len, pg_delim_len, pg_null_as_len;
char *query;
- char *query_template = "COPY \"\" TO STDOUT DELIMITERS ':' WITH NULL AS ''";
int id = -1;
PGconn *pgsql;
PGresult *pgsql_result;
@@ -3308,9 +3307,7 @@ PHP_FUNCTION(pg_copy_to)
pg_null_as = safe_estrdup("\\\\N");
}
- query = (char *)emalloc(strlen(query_template) + strlen(table_name) + strlen(pg_null_as) + 1);
- sprintf(query, "COPY \"%s\" TO STDOUT DELIMITERS '%c' WITH NULL AS '%s'",
- table_name, *pg_delim, pg_null_as);
+ spprintf(&query, 0, "COPY \"%s\" TO STDOUT DELIMITERS '%c' WITH NULL AS '%s'", table_name, *pg_delim, pg_null_as);
while ((pgsql_result = PQgetResult(pgsql))) {
PQclear(pgsql_result);
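Review bot: `table_name` and `pg_null_as` are still formatted unescaped into the COPY statement by the new `spprintf` call, so a table name containing `"` or a NULL marker containing `'` ends the quoting early and alters the statement. The move to `spprintf` removes the hand-computed buffer size but does not address this. If either value can originate from script input, escape it before formatting: libpq's `PQescapeStringConn` for the `'%s'` literal, and doubling of embedded `"` for the identifier. The `pg_copy_from` hunk further down builds its statement the same way and needs the same treatment. The release of `query` lies outside the visible lines and should be confirmed to still use `efree`.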
@@ -3418,7 +3415,6 @@ PHP_FUNCTION(pg_copy_from)
int table_name_len, pg_delim_len, pg_null_as_len;
int pg_null_as_free = 0;
char *query;
- char *query_template = "COPY \"\" FROM STDIN DELIMITERS ':' WITH NULL AS ''";
HashPosition pos;
int id = -1;
PGconn *pgsql;
@@ -3441,9 +3437,7 @@ PHP_FUNCTION(pg_copy_from)
ZEND_FETCH_RESOURCE2(pgsql, PGconn *, &pgsql_link, id, "PostgreSQL link", le_link, le_plink);
- query = (char *)emalloc(strlen(query_template) + strlen(table_name) + strlen(pg_null_as) + 1);
- sprintf(query, "COPY \"%s\" FROM STDIN DELIMITERS '%c' WITH NULL AS '%s'",
- table_name, *pg_delim, pg_null_as);
+ spprintf(&query, 0, "COPY \"%s\" FROM STDIN DELIMITERS '%c' WITH NULL AS '%s'", table_name, *pg_delim, pg_null_as);
while ((pgsql_result = PQgetResult(pgsql))) {
PQclear(pgsql_result);
}
diff --git a/ext/standard/dl.c b/ext/standard/dl.c
index 772975a844..f8cc30c8a5 100644
--- a/ext/standard/dl.c
+++ b/ext/standard/dl.c
@@ -115,12 +115,10 @@ void php_dl(zval *file, int type, zval *return_value, int start_now TSRMLS_DC)
if (extension_dir && extension_dir[0]){
int extension_dir_len = strlen(extension_dir);
- libpath = emalloc(extension_dir_len+filename_len+2);
-
if (IS_SLASH(extension_dir[extension_dir_len-1])) {
- sprintf(libpath, "%s%s", extension_dir, filename); /* SAFE */
+ spprintf(libpath, 0, "%s%s", extension_dir, filename); /* SAFE */
} else {
- sprintf(libpath, "%s%c%s", extension_dir, DEFAULT_SLASH, filename); /* SAFE */
+ spprintf(libpath, 0, "%s%c%s", extension_dir, DEFAULT_SLASH, filename); /* SAFE */
}
} else {
libpath = estrndup(filename, filename_len);
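Review bot: Both new `spprintf` calls pass `libpath` itself where the function expects the address of the pointer. With the `emalloc` line removed, nothing in the hunk allocates `libpath` before the call, so the formatter would store its result through whatever value the pointer happens to hold. The `else` branch assigns `libpath = estrndup(...)`, so it is a `char *`, and the calls should read `spprintf(&libpath, 0, "%s%s", extension_dir, filename);` and `spprintf(&libpath, 0, "%s%c%s", extension_dir, DEFAULT_SLASH, filename);`. The `case 5` hunk of `ext/sybase/php_sybase_db.c` has the same omission (`spprintf(hashed_details, 0, ...)`), whereas cases 1 to 4 there pass `&hashed_details`. The body of `php_dl` continues outside the hunk.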
diff --git a/ext/sybase/php_sybase_db.c b/ext/sybase/php_sybase_db.c
index 0a6f15fb71..4f6bbb0e0e 100644
--- a/ext/sybase/php_sybase_db.c
+++ b/ext/sybase/php_sybase_db.c
@@ -327,9 +327,7 @@ static void php_sybase_do_connect(INTERNAL_FUNCTION_PARAMETERS,int persistent)
}
convert_to_string_ex(yyhost);
host = Z_STRVAL_PP(yyhost);
- hashed_details_length = Z_STRLEN_PP(yyhost)+6+5;
- hashed_details = (char *) emalloc(hashed_details_length+1);
- sprintf(hashed_details,"sybase_%s____", Z_STRVAL_PP(yyhost));
+ hashed_details_length = spprintf(&hashed_details, 0, "sybase_%s____", Z_STRVAL_PP(yyhost));
}
break;
case 2: {
@@ -342,9 +340,7 @@ static void php_sybase_do_connect(INTERNAL_FUNCTION_PARAMETERS,int persistent)
convert_to_string_ex(yyuser);
host = Z_STRVAL_PP(yyhost);
user = Z_STRVAL_PP(yyuser);
- hashed_details_length = Z_STRLEN_PP(yyhost)+Z_STRLEN_PP(yyuser)+6+5;
- hashed_details = (char *) emalloc(hashed_details_length+1);
- sprintf(hashed_details,"sybase_%s_%s___",Z_STRVAL_PP(yyhost),Z_STRVAL_PP(yyuser));
+ hashed_details_length = spprintf(&hashed_details, 0, "sybase_%s_%s___", Z_STRVAL_PP(yyhost), Z_STRVAL_PP(yyuser));
}
break;
case 3: {
@@ -359,9 +355,7 @@ static void php_sybase_do_connect(INTERNAL_FUNCTION_PARAMETERS,int persistent)
host = Z_STRVAL_PP(yyhost);
user = Z_STRVAL_PP(yyuser);
passwd = Z_STRVAL_PP(yypasswd);
- hashed_details_length = Z_STRLEN_PP(yyhost)+Z_STRLEN_PP(yyuser)+Z_STRLEN_PP(yypasswd)+6+5;
- hashed_details = (char *) emalloc(hashed_details_length+1);
- sprintf(hashed_details,"sybase_%s_%s_%s__",Z_STRVAL_PP(yyhost),Z_STRVAL_PP(yyuser),Z_STRVAL_PP(yypasswd)); /* SAFE */
+ hashed_details_length = spprintf(&hashed_details, 0, "sybase_%s_%s_%s__", Z_STRVAL_PP(yyhost), Z_STRVAL_PP(yyuser), Z_STRVAL_PP(yypasswd));
}
break;
case 4: {
@@ -378,9 +372,7 @@ static void php_sybase_do_connect(INTERNAL_FUNCTION_PARAMETERS,int persistent)
user = Z_STRVAL_PP(yyuser);
passwd = Z_STRVAL_PP(yypasswd);
charset = Z_STRVAL_PP(yycharset);
- hashed_details_length = Z_STRLEN_PP(yyhost)+Z_STRLEN_PP(yyuser)+Z_STRLEN_PP(yypasswd)+Z_STRLEN_PP(yycharset)+6+5;
- hashed_details = (char *) emalloc(hashed_details_length+1);
- sprintf(hashed_details,"sybase_%s_%s_%s_%s_",Z_STRVAL_PP(yyhost),Z_STRVAL_PP(yyuser),Z_STRVAL_PP(yypasswd),Z_STRVAL_PP(yycharset)); /* SAFE */
+ hashed_details_length = spprintf(&hashed_details, 0, "sybase_%s_%s_%s_%s_", Z_STRVAL_PP(yyhost), Z_STRVAL_PP(yyuser), Z_STRVAL_PP(yypasswd), Z_STRVAL_PP(yycharset));
}
break;
case 5: {
@@ -399,9 +391,7 @@ static void php_sybase_do_connect(INTERNAL_FUNCTION_PARAMETERS,int persistent)
passwd = Z_STRVAL_PP(yypasswd);
charset = Z_STRVAL_PP(yycharset);
appname = Z_STRVAL_PP(yyappname);
- hashed_details_length = Z_STRLEN_PP(yyhost)+Z_STRLEN_PP(yyuser)+Z_STRLEN_PP(yypasswd)+Z_STRLEN_PP(yycharset)+Z_STRLEN_PP(yyappname)+6+5;
- hashed_details = (char *) emalloc(hashed_details_length+1);
- sprintf(hashed_details,"sybase_%s_%s_%s_%s_%s",Z_STRVAL_PP(yyhost),Z_STRVAL_PP(yyuser),Z_STRVAL_PP(yypasswd),Z_STRVAL_PP(yycharset),Z_STRVAL_PP(yyappname)); /* SAFE */
+ hashed_details_length = spprintf(hashed_details, 0, "sybase_%s_%s_%s_%s_%s", Z_STRVAL_PP(yyhost), Z_STRVAL_PP(yyuser), Z_STRVAL_PP(yypasswd), Z_STRVAL_PP(yycharset), Z_STRVAL_PP(yyappname));
}
break;
default:
diff --git a/ext/tidy/tests/024.phpt b/ext/tidy/tests/024.phpt
index 43f04bd943..f69b962aee 100644
--- a/ext/tidy/tests/024.phpt
+++ b/ext/tidy/tests/024.phpt
@@ -27,27 +27,13 @@ $tidy->cleanRepair();
var_dump($tidy->value);
?>
---EXPECT--
-string(117) "<html>
+--EXPECTF--
+string(11%d) "<html>
<head>
<title></title>
</head>
<body>
-<wps:block>
-<wps:var>
-<wps:value></wps:var>
-</wps:block>
-</body>
-</html>"
---UEXPECT--
-unicode(117) "<html>
-<head>
-<title></title>
-</head>
-<body>
-<wps:block>
-<wps:var>
-<wps:value></wps:var>
-</wps:block>
+<wps:block>%w<wps:var>
+<wps:value></wps:var>%w</wps:block>
</body>
</html>"
diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
index 7788d028d7..d020bd6646 100644
--- a/ext/xmlrpc/libxmlrpc/base64.c
+++ b/ext/xmlrpc/libxmlrpc/base64.c
@@ -49,7 +49,7 @@ void buffer_delete(struct buffer_st *b)
b->data = NULL;
}
-void base64_encode(struct buffer_st *b, const char *source, int length)
+void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
{
int i, hiteof = 0;
int offset = 0;
@@ -114,7 +114,7 @@ void base64_encode(struct buffer_st *b, const char *source, int length)
buffer_add(b, '\n');
}
-void base64_decode(struct buffer_st *bfr, const char *source, int length)
+void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
{
int i;
int offset = 0;
diff --git a/ext/xmlrpc/libxmlrpc/base64.h b/ext/xmlrpc/libxmlrpc/base64.h
index 4cf156ad1e..6a0c8ef6fc 100644
--- a/ext/xmlrpc/libxmlrpc/base64.h
+++ b/ext/xmlrpc/libxmlrpc/base64.h
@@ -21,8 +21,8 @@ void buffer_new(struct buffer_st *b);
void buffer_add(struct buffer_st *b, char c);
void buffer_delete(struct buffer_st *b);
-void base64_encode(struct buffer_st *b, const char *source, int length);
-void base64_decode(struct buffer_st *b, const char *source, int length);
+void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length);
+void base64_decode_xmlrpc(struct buffer_st *b, const char *source, int length);
/*
#define DEBUG_MALLOC