diff options
Diffstat (limited to 'ext')
| -rw-r--r-- | ext/filter/filter_private.h | 6 | ||||
| -rw-r--r-- | ext/gd/libgd/gd_png.c | 4 | ||||
| -rw-r--r-- | ext/libxml/libxml.c | 2 | ||||
| -rw-r--r-- | ext/libxml/tests/004.phpt | 22 | ||||
| -rw-r--r-- | ext/libxml/tests/bug63389.phpt | 14 | ||||
| -rw-r--r-- | ext/mbstring/mb_gpc.c | 6 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug63447_001.phpt | 20 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug63447_002.phpt | 20 | ||||
| -rw-r--r-- | ext/mbstring/tests/bug63447_003.phpt | 34 | ||||
| -rw-r--r-- | ext/mysqlnd/mysqlnd_wireprotocol.c | 2 | ||||
| -rw-r--r-- | ext/pdo_pgsql/pgsql_statement.c | 14 | ||||
| -rw-r--r-- | ext/pdo_pgsql/tests/bug62593.phpt | 51 |
12 files changed, 177 insertions, 18 deletions
diff --git a/ext/filter/filter_private.h b/ext/filter/filter_private.h index daa688b4ac..6c26d98075 100644 --- a/ext/filter/filter_private.h +++ b/ext/filter/filter_private.h @@ -107,8 +107,10 @@ if (len < 1) { \ RETURN_VALIDATION_FAILED \ } \ - while (p[len-1] == ' ' || p[len-1] == '\t' || p[len-1] == '\r' || p[len-1] == '\v' || p[len-1] == '\n') { \ - len--; \ + if (len > 0) { \ + while (p[len-1] == ' ' || p[len-1] == '\t' || p[len-1] == '\r' || p[len-1] == '\v' || p[len-1] == '\n') { \ + len--; \ + } \ } \ } diff --git a/ext/gd/libgd/gd_png.c b/ext/gd/libgd/gd_png.c index 49f7cb0777..bdbb7ee7d3 100644 --- a/ext/gd/libgd/gd_png.c +++ b/ext/gd/libgd/gd_png.c @@ -127,8 +127,8 @@ gdImagePtr gdImageCreateFromPngCtx (gdIOCtx * infile) png_color_16p trans_gray_rgb; png_color_16p trans_color_rgb; png_bytep trans; - png_bytep image_data = NULL; - png_bytepp row_pointers = NULL; + volatile png_bytep image_data = NULL; + volatile png_bytepp row_pointers = NULL; gdImagePtr im = NULL; int i, j, *open = NULL; volatile int transparent = -1; diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c index a17847868a..788736e756 100644 --- a/ext/libxml/libxml.c +++ b/ext/libxml/libxml.c @@ -699,7 +699,7 @@ static PHP_FUNCTION(libxml_set_streams_context) { zval *arg; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z", &arg) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r", &arg) == FAILURE) { return; } if (LIBXML(stream_context)) { diff --git a/ext/libxml/tests/004.phpt b/ext/libxml/tests/004.phpt index 8bdf593b93..aa87ab7503 100644 --- a/ext/libxml/tests/004.phpt +++ b/ext/libxml/tests/004.phpt @@ -27,26 +27,26 @@ echo "Done\n"; ?> --EXPECTF-- -Warning: stream_context_create(): options should have the form ["wrappername"]["optionname"] = $value in %s004.php on line 10 -NULL +Warning: stream_context_create(): options should have the form ["wrappername"]["optionname"] = $value in %s004.php on line %d -Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18 -bool(true) +Warning: libxml_set_streams_context() expects parameter 1 to be resource, null given in %s004.php on line %d NULL - -Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18 bool(true) -NULL -Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18 -bool(true) +Warning: libxml_set_streams_context() expects parameter 1 to be resource, string given in %s004.php on line %d NULL +bool(true) -Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18 +Warning: libxml_set_streams_context() expects parameter 1 to be resource, integer given in %s004.php on line %d +NULL bool(true) + +Warning: libxml_set_streams_context() expects parameter 1 to be resource, object given in %s004.php on line %d NULL +bool(true) -Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18 +Warning: libxml_set_streams_context() expects parameter 1 to be resource, array given in %s004.php on line %d +NULL bool(true) NULL bool(true) diff --git a/ext/libxml/tests/bug63389.phpt b/ext/libxml/tests/bug63389.phpt new file mode 100644 index 0000000000..e9498aae08 --- /dev/null +++ b/ext/libxml/tests/bug63389.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #63389 (Missing context check on libxml_set_streams_context() causes memleak) +--SKIPIF-- +<?php if (!extension_loaded('libxml')) die('skip'); ?> +--FILE-- +<?php +$fp = fopen("php://input", "r"); +libxml_set_streams_context($fp); +libxml_set_streams_context("a"); +echo "okey"; +?> +--EXPECTF-- +Warning: libxml_set_streams_context() expects parameter 1 to be resource, string given in %sbug63389.php on line %d +okey diff --git a/ext/mbstring/mb_gpc.c b/ext/mbstring/mb_gpc.c index dd60302d03..b35ece31de 100644 --- a/ext/mbstring/mb_gpc.c +++ b/ext/mbstring/mb_gpc.c @@ -262,6 +262,12 @@ enum mbfl_no_encoding _php_mb_encoding_handler_ex(const php_mb_encoding_handler_ n++; var = php_strtok_r(NULL, info->separator, &strtok_buf); } + + if (n > (PG(max_input_vars) * 2)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); + goto out; + } + num = n; /* make sure to process initilized vars only */ /* initialize converter */ diff --git a/ext/mbstring/tests/bug63447_001.phpt b/ext/mbstring/tests/bug63447_001.phpt new file mode 100644 index 0000000000..51302994db --- /dev/null +++ b/ext/mbstring/tests/bug63447_001.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On) +--SKIPIF-- +<?php +extension_loaded('mbstring') or die('skip'); +?> +--INI-- +max_input_nesting_level=10 +max_input_vars=5 +mbstring.encoding_translation=1 +--POST-- +a=1&b=2&c=3&d=4&e=5&f=6 +--FILE-- +<?php +var_dump($_POST); +?> +--EXPECT-- +Warning: Unknown: Input variables exceeded 5. To increase the limit change max_input_vars in php.ini. in Unknown on line 0 +array(0) { +} diff --git a/ext/mbstring/tests/bug63447_002.phpt b/ext/mbstring/tests/bug63447_002.phpt new file mode 100644 index 0000000000..e51089b794 --- /dev/null +++ b/ext/mbstring/tests/bug63447_002.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On) +--SKIPIF-- +<?php +extension_loaded('mbstring') or die('skip'); +?> +--INI-- +max_input_nesting_level=10 +max_input_vars=4 +mbstring.encoding_translation=1 +--POST-- +a=1&b=2&c=3&d=4&e=5 +--FILE-- +<?php +var_dump($_POST); +?> +--EXPECT-- +Warning: Unknown: Input variables exceeded 4. To increase the limit change max_input_vars in php.ini. in Unknown on line 0 +array(0) { +} diff --git a/ext/mbstring/tests/bug63447_003.phpt b/ext/mbstring/tests/bug63447_003.phpt new file mode 100644 index 0000000000..a4a7e14851 --- /dev/null +++ b/ext/mbstring/tests/bug63447_003.phpt @@ -0,0 +1,34 @@ +--TEST-- +Bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On) +--SKIPIF-- +<?php +extension_loaded('mbstring') or die('skip'); +?> +--INI-- +max_input_nesting_level=5 +max_input_vars=100 +mbstring.encoding_translation=1 +--POST-- +a=1&b[][][]=2&c[][][][][][]=7 +--FILE-- +<?php +print_r($_POST); +?> +--EXPECT-- +Array +( + [a] => 1 + [b] => Array + ( + [0] => Array + ( + [0] => Array + ( + [0] => 2 + ) + + ) + + ) + +) diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c index 1318c37a73..ec0ff496f4 100644 --- a/ext/mysqlnd/mysqlnd_wireprotocol.c +++ b/ext/mysqlnd/mysqlnd_wireprotocol.c @@ -982,7 +982,7 @@ php_mysqlnd_rset_field_read(void *_packet, MYSQLND *conn TSRMLS_DC) p += 2; BAIL_IF_NO_MORE_DATA; - meta->decimals = uint2korr(p); + meta->decimals = uint1korr(p); p += 1; BAIL_IF_NO_MORE_DATA; diff --git a/ext/pdo_pgsql/pgsql_statement.c b/ext/pdo_pgsql/pgsql_statement.c index c35ee33c7f..1dc0d58e97 100644 --- a/ext/pdo_pgsql/pgsql_statement.c +++ b/ext/pdo_pgsql/pgsql_statement.c @@ -362,8 +362,20 @@ static int pgsql_stmt_param_hook(pdo_stmt_t *stmt, struct pdo_bound_param_data * } break; } + } else { +#endif + if (param->is_param) { + /* We need to manually convert to a pg native boolean value */ + if (PDO_PARAM_TYPE(param->param_type) == PDO_PARAM_BOOL && + ((param->param_type & PDO_PARAM_INPUT_OUTPUT) != PDO_PARAM_INPUT_OUTPUT)) { + SEPARATE_ZVAL(¶m->parameter); + param->param_type = PDO_PARAM_STR; + ZVAL_STRINGL(param->parameter, Z_BVAL_P(param->parameter) ? "t" : "f", 1, 1); + } + } +#if HAVE_PQPREPARE } -#endif +#endif return 1; } diff --git a/ext/pdo_pgsql/tests/bug62593.phpt b/ext/pdo_pgsql/tests/bug62593.phpt new file mode 100644 index 0000000000..e3ebf46ed5 --- /dev/null +++ b/ext/pdo_pgsql/tests/bug62593.phpt @@ -0,0 +1,51 @@ +--TEST-- +PDO PgSQL Bug #62593 (Emulate prepares behave strangely with PARAM_BOOL) +--SKIPIF-- +<?php +if (!extension_loaded('pdo') || !extension_loaded('pdo_pgsql')) die('skip not loaded'); +require dirname(__FILE__) . '/config.inc'; +require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc'; +PDOTest::skip(); +?> +--FILE-- +<?php +require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc'; +$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt'); +$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true); +$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT); +$errors = array(); + +$value = true; +$query = $db->prepare('SELECT :foo IS FALSE as val_is_false'); +$query->bindValue(':foo', $value, PDO::PARAM_BOOL); +$query->execute(); +$errors[] = $query->errorInfo(); +var_dump($value); + +$query->bindValue(':foo', 0, PDO::PARAM_BOOL); +$query->execute(); +$errors[] = $query->errorInfo(); + +// Verify bindParam maintains reference and only passes when execute is called +$value = true; +$query->bindParam(':foo', $value, PDO::PARAM_BOOL); +$value = false; +$query->execute(); +$errors[] = $query->errorInfo(); +var_dump($value); + +$expect = 'No errors found'; + +foreach ($errors as $error) +{ + if (strpos('Invalid text representation', $error[2]) !== false) + { + $expect = 'Invalid boolean found'; + } +} +echo $expect; +?> +--EXPECTF-- +bool(true) +bool(false) +No errors found |