diff options
| -rw-r--r-- | ext/bz2/bz2.c | 6 | ||||
| -rw-r--r-- | ext/mcrypt/mcrypt.c | 4 | ||||
| -rw-r--r-- | ext/shmop/shmop.c | 5 | ||||
| -rw-r--r-- | ext/standard/array.c | 20 | ||||
| -rw-r--r-- | ext/standard/browscap.c | 12 | ||||
| -rw-r--r-- | ext/standard/proc_open.c | 3 | ||||
| -rw-r--r-- | ext/sysvshm/sysvshm.c | 5 | ||||
| -rw-r--r-- | ext/wddx/wddx.c | 8 | ||||
| -rw-r--r-- | main/streams/plain_wrapper.c | 10 | ||||
| -rwxr-xr-x | server-tests.php | 2 |
10 files changed, 49 insertions, 26 deletions
diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index 682a152204..0d27995525 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -225,6 +225,10 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper, #else path_copy = path; #endif + + if (php_check_open_basedir(path_copy TSRMLS_CC)) { + return NULL; + } /* try and open it directly first */ bz_file = BZ2_bzopen(path_copy, mode); @@ -236,7 +240,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper, if (bz_file == NULL) { /* that didn't work, so try and get something from the network/wrapper */ - stream = php_stream_open_wrapper(path, mode, options | STREAM_WILL_CAST, opened_path); + stream = php_stream_open_wrapper(path, mode, options | STREAM_WILL_CAST | ENFORCE_SAFE_MODE, opened_path); if (stream) { int fd; diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c index 261690ea5f..55b549accd 100644 --- a/ext/mcrypt/mcrypt.c +++ b/ext/mcrypt/mcrypt.c @@ -1002,8 +1002,8 @@ int php_mcrypt_iv(php_mcrypt_iv_source source, int size, char **iv_str, int *iv_ int fd, n; size_t read_bytes; - if (size <= 0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can not create an IV with size 0 or smaller"); + if (size <= 0 || size >= INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can not create an IV with a size of less then 1 or greater then %d", INT_MAX); return FAILURE; } diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c index ebd5082c8d..8051e2f84b 100644 --- a/ext/shmop/shmop.c +++ b/ext/shmop/shmop.c @@ -181,6 +181,11 @@ PHP_FUNCTION(shmop_open) goto err; } + if (shmop->shmflg & IPC_CREAT && shmop->size < 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Shared memory segment size must be greater then zero."); + goto err; + } + shmop->shmid = shmget(shmop->key, shmop->size, shmop->shmflg); if (shmop->shmid == -1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to attach or create shared memory segment"); diff --git a/ext/standard/array.c b/ext/standard/array.c index c31a439bc8..a55eec02fd 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -1842,13 +1842,13 @@ double_str: add_next_index_double(return_value, low); } } else { - int low, high; + double low, high; long lstep; long_str: - convert_to_long(zlow); - convert_to_long(zhigh); - low = Z_LVAL_P(zlow); - high = Z_LVAL_P(zhigh); + convert_to_double(zlow); + convert_to_double(zhigh); + low = Z_DVAL_P(zlow); + high = Z_DVAL_P(zhigh); lstep = (long) step; if (low > high) { /* Negative steps */ @@ -1857,18 +1857,18 @@ long_str: goto err; } for (; low >= high; low -= lstep) { - add_next_index_long(return_value, low); + add_next_index_long(return_value, (long)low); } - } else if (high > low) { /* Positive steps */ + } else if (high > low) { /* Positive steps */ if (high - low < lstep || lstep <= 0) { err = 1; goto err; } for (; low <= high; low += lstep) { - add_next_index_long(return_value, low); + add_next_index_long(return_value, (long)low); } } else { - add_next_index_long(return_value, low); + add_next_index_long(return_value, (long)low); } } err: @@ -4104,7 +4104,7 @@ PHP_FUNCTION(array_reduce) zend_hash_move_forward_ex(htbl, &pos); } - RETVAL_ZVAL(result, 0, 1); + RETVAL_ZVAL(result, 1, 1); } /* }}} */ diff --git a/ext/standard/browscap.c b/ext/standard/browscap.c index 4e65fb9e0c..7d3a2e22ff 100644 --- a/ext/standard/browscap.c +++ b/ext/standard/browscap.c @@ -55,7 +55,7 @@ static void convert_browscap_pattern(zval *pattern) php_strtolower(Z_STRVAL_P(pattern), Z_STRLEN_P(pattern)); - t = (char *) malloc(Z_STRLEN_P(pattern)*2 + 3); + t = (char *) safe_pemalloc(Z_STRLEN_P(pattern), 2, 3, 1); t[0] = '^'; @@ -100,7 +100,7 @@ static void php_browscap_parser_cb(zval *arg1, zval *arg2, int callback_type, vo zval *new_property; char *new_key; - new_property = (zval *) malloc(sizeof(zval)); + new_property = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(new_property); Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2), Z_STRLEN_P(arg2)); Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2); @@ -118,14 +118,14 @@ static void php_browscap_parser_cb(zval *arg1, zval *arg2, int callback_type, vo HashTable *section_properties; /*printf("'%s' (%d)\n",$1.value.str.val,$1.value.str.len+1);*/ - current_section = (zval *) malloc(sizeof(zval)); + current_section = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(current_section); - processed = (zval *) malloc(sizeof(zval)); + processed = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(processed); - unprocessed = (zval *) malloc(sizeof(zval)); + unprocessed = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(unprocessed); - section_properties = (HashTable *) malloc(sizeof(HashTable)); + section_properties = (HashTable *) pemalloc(sizeof(HashTable), 1); zend_hash_init(section_properties, 0, NULL, (dtor_func_t) browscap_entry_dtor, 1); current_section->value.ht = section_properties; current_section->type = IS_ARRAY; diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c index d7d4839618..afd0ca240b 100644 --- a/ext/standard/proc_open.c +++ b/ext/standard/proc_open.c @@ -777,6 +777,9 @@ PHP_FUNCTION(proc_open) channel.errfd = -1; /* Duplicate the command as processing downwards will modify it*/ command_dup = strdup(command); + if (!command_dup) { + goto exit_fail; + } /* get a number of args */ construct_argc_argv(command_dup, NULL, &command_num_args, NULL); child_argv = (char**) malloc((command_num_args + 1) * sizeof(char*)); diff --git a/ext/sysvshm/sysvshm.c b/ext/sysvshm/sysvshm.c index 81c940fa5d..9c69f462b3 100644 --- a/ext/sysvshm/sysvshm.c +++ b/ext/sysvshm/sysvshm.c @@ -118,6 +118,11 @@ PHP_FUNCTION(shm_attach) RETURN_FALSE; } + if (shm_size < 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Segment size must be greater then zero."); + RETURN_FALSE; + } + shm_list_ptr = (sysvshm_shm *) emalloc(sizeof(sysvshm_shm)); /* get the id from a specified key or create new shared memory */ diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index 1432f02442..0282da2fde 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -984,6 +984,9 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) goto bigint; } l = (long) d; + if (l != d) { + goto bigint; + } case IS_LONG: zend_hash_index_update(target_hash, l, &ent1->data, sizeof(zval *), NULL); break; @@ -1034,10 +1037,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) Z_STRVAL_P(ent->data) = estrndup(decoded, decoded_len); Z_STRLEN_P(ent->data) = decoded_len; } else { - Z_STRVAL_P(ent->data) = erealloc(Z_STRVAL_P(ent->data), - Z_STRLEN_P(ent->data) + decoded_len + 1); - strncpy(Z_STRVAL_P(ent->data)+Z_STRLEN_P(ent->data), decoded, decoded_len); Z_STRLEN_P(ent->data) += decoded_len; + Z_STRVAL_P(ent->data) = erealloc(Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data) + 1); + strlcpy(Z_STRVAL_P(ent->data) + Z_STRLEN_P(ent->data), decoded, Z_STRLEN_P(ent->data) + 1); Z_STRVAL_P(ent->data)[Z_STRLEN_P(ent->data)] = '\0'; } diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c index 11e05a4672..fcedd0d2a4 100644 --- a/main/streams/plain_wrapper.c +++ b/main/streams/plain_wrapper.c @@ -904,12 +904,12 @@ PHPAPI php_stream *_php_stream_fopen(const char *filename, const char *mode, cha *opened_path = realpath; realpath = NULL; } - if (realpath) { - efree(realpath); - } /* fall through */ case PHP_STREAM_PERSISTENT_FAILURE: + if (realpath) { + efree(realpath); + } efree(persistent_id);; return ret; } @@ -948,6 +948,10 @@ PHPAPI php_stream *_php_stream_fopen(const char *filename, const char *mode, cha r = do_fstat(self, 0); if ((r == 0 && !S_ISREG(self->sb.st_mode))) { + if (opened_path) { + efree(*opened_path); + *opened_path = NULL; + } php_stream_close(ret); return NULL; } diff --git a/server-tests.php b/server-tests.php index 00055c24bd..6b341b3d9d 100755 --- a/server-tests.php +++ b/server-tests.php @@ -3,7 +3,7 @@ +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2006 The PHP Group | + | Copyright (c) 1997-2007 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is | |