From 57b997ebf99e0eb9a073e0dafd2ab100bd4a112d Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sun, 21 Feb 2016 23:14:29 -0800
Subject: Fix bug #71637: Multiple Heap Overflow due to integer overflows
---
 ext/xml/xml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ext/xml/xml.c')
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index d6eae46583..bfa1b85b99 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -581,7 +581,7 @@ PHP_XML_API zend_string *xml_utf8_encode(const char *s, size_t len, const XML_Ch
 }
 /* This is the theoretical max (will never get beyond len * 2 as long
 * as we are converting from single-byte characters, though) */
- str = zend_string_alloc(len * 4, 0);
+ str = zend_string_safe_alloc(len, 4, 0, 0);
 ZSTR_LEN(str) = 0;
 while (pos > 0) {
 c = encoder ? encoder((unsigned char)(*s)) : (unsigned short)(*s);
-- cgit v1.2.1
From c67c166f930b2f815a805a3376e9244794e20c31 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 2 Mar 2016 17:50:55 +0300
Subject: Removed zend_fcall_info.symbol_table
---
 ext/xml/xml.c | 1 -
 1 file changed, 1 deletion(-) (limited to 'ext/xml/xml.c')
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 49b72a0acc..e18b4e7eef 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -485,7 +485,6 @@ static void xml_call_handler(xml_parser *parser, zval *handler, zend_function *f
 fci.size = sizeof(fci);
 fci.function_table = EG(function_table);
 ZVAL_COPY_VALUE(&fci.function_name, handler);
- fci.symbol_table = NULL;
 fci.object = Z_OBJ(parser->object);
 fci.retval = retval;
 fci.param_count = argc;
-- cgit v1.2.1
From 1ac152938cfe40e98b7b3c8cf403abb113266cfa Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Thu, 3 Mar 2016 16:46:04 +0100
Subject: Move semicolon into TSRMLS_CACHE_EXTERN/DEFINE Also re bug #71575.
---
 ext/xml/xml.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'ext/xml/xml.c')
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index bfa1b85b99..439d9df082 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
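Review bot: In the xml_utf8_encode hunk of 57b997e, the comment above the allocation still justifies only the `len * 4` bound and says nothing about overflow, so nothing next to the call records why the checked allocator is required, and a later cleanup could fold it back into `zend_string_alloc(len * 4, 0)`. I would extend the comment with a line such as `* len is caller-supplied; zend_string_safe_alloc() checks len * 4 for overflow instead of wrapping to a short buffer`. The function body continues outside the hunk, so how the write loop is bounded against that capacity is not visible here and is worth confirming. The subject mentions multiple overflows, but this view is limited to ext/xml/xml.c, so the other allocation sites cannot be checked from this page.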
@@ -63,7 +63,7 @@ ZEND_DECLARE_MODULE_GLOBALS(xml)
 /* {{{ dynamically loadable module stuff */
 #ifdef COMPILE_DL_XML
 #ifdef ZTS
-ZEND_TSRMLS_CACHE_DEFINE();
+ZEND_TSRMLS_CACHE_DEFINE()
 #endif
 ZEND_GET_MODULE(xml)
 #endif /* COMPILE_DL_XML */
-- cgit v1.2.1
From f0a2e8eb13b3971ec11baa2a6029ed7c4cb0064b Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 27 Apr 2016 13:46:38 +0300
Subject: Removed "zend_fcall_info.function_table". It was assigned in many places, but is never used.
---
 ext/xml/xml.c | 1 -
 1 file changed, 1 deletion(-) (limited to 'ext/xml/xml.c')
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index a3a42655d0..6b93e2fcc3 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -483,7 +483,6 @@ static void xml_call_handler(xml_parser *parser, zval *handler, zend_function *f
 zend_fcall_info fci;
 fci.size = sizeof(fci);
- fci.function_table = EG(function_table);
 ZVAL_COPY_VALUE(&fci.function_name, handler);
 fci.object = Z_OBJ(parser->object);
 fci.retval = retval;
-- cgit v1.2.1
From 4a42fbbbc73aad7427aef5c89974d1833636e082 Mon Sep 17 00:00:00 2001
From: Joe Watkins
Date: Sat, 14 May 2016 08:10:16 +0100
Subject: fix #72206 (xml_parser_create/xml_parser_free leaks mem)
---
 ext/xml/xml.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'ext/xml/xml.c')
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 6b93e2fcc3..9a23044641 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -1569,9 +1569,10 @@ PHP_FUNCTION(xml_parser_free)
 RETURN_FALSE;
 }
- res = Z_RES(parser->index);
- ZVAL_UNDEF(&parser->index);
- zend_list_close(res);
+ if (zend_list_delete(Z_RES(parser->index)) == FAILURE) {
+ RETURN_FALSE;
+ }
+ RETURN_TRUE;
 }
 /* }}} */
-- cgit v1.2.1
From 8c41df548078425bce27cd833516e3a7392fe1c3 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Tue, 14 Jun 2016 21:29:02 +0800
Subject: Unused var
---
 ext/xml/xml.c | 1 -
 1 file changed, 1 deletion(-) (limited to 'ext/xml/xml.c')
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 9a23044641..fe29f2891d 100644
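Review bot: In the xml_parser_free hunk of 4a42fbb, `parser->index` is no longer cleared with `ZVAL_UNDEF` before the reference is dropped, so the parser keeps a zval naming a resource it no longer holds a reference to. If a second `xml_parser_free()` on the same handle can still reach `zend_list_delete(Z_RES(parser->index))`, it would presumably release a reference owned by another holder; whether the fetch earlier in the function rules that out is outside the hunk and should be confirmed, ideally with a regression test that frees the same parser twice. `zend_list_delete()` also appears to report success when the reference count is merely decremented, so a true return no longer implies the parser was destroyed; a comment such as `/* drops only the parser's own reference; the resource is destroyed when the last holder releases it */` would make that ownership explicit.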
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -1554,7 +1554,6 @@ PHP_FUNCTION(xml_parser_free)
 {
 zval *pind;
 xml_parser *parser;
- zend_resource *res;
 if (zend_parse_parameters(ZEND_NUM_ARGS(), "r", &pind) == FAILURE) {
 return;
-- cgit v1.2.1