-rw-r--r-- | Zend/tests/bug70895.phpt | 15 | ||||
-rw-r--r-- | Zend/tests/bug70898.phpt | 22 | ||||
-rw-r--r-- | Zend/zend.c | 4 | ||||
-rw-r--r-- | ext/ldap/ldap.c | 3 |
4 files changed, 42 insertions, 2 deletions
diff --git a/Zend/tests/bug70895.phpt b/Zend/tests/bug70895.phpt
new file mode 100644
index 0000000000..e6df09c9ac
--- /dev/null
+++ b/Zend/tests/bug70895.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #70895 null ptr deref and segfault with crafted calable
+--FILE--
+<?php
+
+array_map("%n", 0);
+array_map("%n %i", 0);
+array_map("%n %i aoeu %f aoeu %p", 0);
+?>
+--EXPECTREGEX--
+Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n' not found or invalid function name in .+
+
+Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n %i' not found or invalid function name in .+
+
+Warning: array_map\(\) expects parameter 1 to be a valid callback, function '%n %i aoeu %f aoeu %p' not found or invalid function name in .+bug70895.php on line \d+
diff --git a/Zend/tests/bug70898.phpt b/Zend/tests/bug70898.phpt
new file mode 100644
index 0000000000..6308ddc742
--- /dev/null
+++ b/Zend/tests/bug70898.phpt
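Review bot: In bug70895.phpt the first two expected warnings end in a bare `in .+`, so the pattern does not pin the file and line the way the third one does and may accept unrelated output between the warnings. Ending each of them with `.+bug70895.php on line \d+` would keep the regression test strict. The `--TEST--` title also misspells "callable" as `calable`, here and in bug70898.phpt.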
@@ -0,0 +1,22 @@ +--TEST-- +Bug #70895 null ptr deref and segfault with crafted calable +--FILE-- +<?php + function m($f,$a){ + return array_map($f,0); + } + + echo implode(m("",m("",m("",m("",m("0000000000000000000000000000000000",(""))))))); +?> +--EXPECTF-- +Warning: array_map() expects parameter 1 to be a valid callback, function '0000000000000000000000000000000000' not found or invalid function name in %sbug70898.php on line %d + +Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in %sbug70898.php on line %d + +Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in %sbug70898.php on line %d + +Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in %sbug70898.php on line %d + +Warning: array_map() expects parameter 1 to be a valid callback, function '' not found or invalid function name in %sbug70898.php on line %d + +Warning: implode(): Argument must be an array in %sbug70898.php on line %d diff --git a/Zend/zend.c b/Zend/zend.c index 27e807067f..ec520b8b0b 100644 --- a/Zend/zend.c +++ b/Zend/zend.c @@ -1316,7 +1316,7 @@ ZEND_API ZEND_COLD void zend_throw_error(zend_class_entry *exception_ce, const c if (EG(current_execute_data) && !CG(in_compilation)) { zend_throw_exception(exception_ce, message, 0); } else { - zend_error(E_ERROR, message); + zend_error(E_ERROR, "%s", message); } efree(message); @@ -1346,7 +1346,7 @@ ZEND_API ZEND_COLD void zend_internal_type_error(zend_bool throw_exception, cons if (throw_exception) { zend_throw_exception(zend_ce_type_error, message, 0); } else { - zend_error(E_WARNING, message); + zend_error(E_WARNING, "%s", message); } efree(message); diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c index e0faf24b16..f4dc087fac 100644 --- a/ext/ldap/ldap.c +++ b/ext/ldap/ldap.c 
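Review bot: The `--TEST--` title in bug70898.phpt still reads `Bug #70895`, so a failure report for this file would point at the wrong bug; it should name 70898 and describe the nested-call case this file covers. The helper `m($f,$a)` never uses `$a`. A short comment saying which part of the input the regression depends on (the nesting, the long all-zero name, or the empty names) would help whoever has to maintain the test later.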
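Review bot: Neither fixed call site in Zend/zend.c gets a comment saying why `"%s"` is required: in zend_throw_error and in zend_internal_type_error (second hunk) `message` is already fully formatted and can carry caller-supplied text such as a callback name, so it must never be the format argument. I would add `/* message is pre-formatted and may contain '%'; pass it as data, never as the format */` above each zend_error call. The new tests appear to exercise only the E_WARNING path (both assert array_map() warnings), so the E_ERROR branch in zend_throw_error has no visible regression test. Building with `-Wformat-security` would flag this class of call if zend_error carries a printf format attribute, which is not visible here. Both function bodies start outside their hunks.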
@@ -345,6 +345,9 @@ PHP_FUNCTION(ldap_connect) RETURN_FALSE; } #endif + if (!port) { + port = LDAP_PORT; + } if (LDAPG(max_links) != -1 && LDAPG(num_links) >= LDAPG(max_links)) { php_error_docref(NULL, E_WARNING, "Too many open links (%pd)", LDAPG(num_links)); |
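Review bot: Nothing visible around the new `if (!port)` default bounds `port` to a valid TCP range, so a negative or oversized value would pass this point unchanged unless ldap_connect rejects it earlier; the function body starts outside the hunk. If no such check exists, add one before the default, e.g. `if (port < 0 || port > 65535) { php_error_docref(NULL, E_WARNING, "invalid port number: %pd", port); RETURN_FALSE; }`, where `%pd` assumes `port` has the same integer type as `num_links`. A comment such as `/* 0 or omitted means the standard LDAP port */` would make it clear that an explicit 0 is accepted on purpose. This behaviour change is unrelated to the format-string fix in Zend/zend.c and comes without a test.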