authorStanislav Malyshev <stas@php.net>2014-08-19 01:33:45 -0700
committerStanislav Malyshev <stas@php.net>2014-08-19 01:33:45 -0700
commit5a7039035ce22a68130af2309ff002a611976c87 (patch)
tree87530c1ed34ffa32c50a444d93c2b17d3f6f130e
parent88c48a4b95376a22a571b82a946431826b0dd61b (diff)
parenteb2360602e256c608ea0c5f6be0ec5ec085999f3 (diff)
downloadphp-git-5a7039035ce22a68130af2309ff002a611976c87.tar.gz
Merge tag 'PHP-5.4.32' into PHP-5.4
5.4.32 * tag 'PHP-5.4.32': 5.4.32 fix potentially missing NUL termination Fix bug #67730 - Null byte injection possible with imagexxx functions Fixed bug #67717 - segfault in dns_get_record Fix bug #67716 - Segfault in cdf.c 5.4.32 RC1 Conflicts: configure.in main/php_version.h
-rw-r--r--ext/gd/gd_ctx.c5
-rw-r--r--main/network.c2
2 files changed, 7 insertions, 0 deletions
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
index bff691fad2..eafbab5896 100644
--- a/ext/gd/gd_ctx.c
+++ b/ext/gd/gd_ctx.c
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
RETURN_FALSE;
}
} else if (Z_TYPE_P(to_zval) == IS_STRING) {
+ if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+ RETURN_FALSE;
+ }
+
stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
if (stream == NULL) {
RETURN_FALSE;
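Review bot: The added `CHECK_ZVAL_NULL_PATH(to_zval)` guard in the IS_STRING branch has no comment saying why it must run before `php_stream_open_wrapper()`. A one-line comment such as `/* the path is passed on as a C string, so an embedded NUL would silently truncate the filename */` would keep a later refactor from moving or dropping it. The warning text hard-codes "2nd parameter", which is only accurate if every caller of `_php_image_output_ctx` takes the filename in that position; the callers are outside the hunk, so this is worth confirming. The diffstat lists only the two C files, so no regression test for bug #67730 is visible in this diff.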
diff --git a/main/network.c b/main/network.c
index 59ce12ef20..5e44b0e6a8 100644
--- a/main/network.c
+++ b/main/network.c
@@ -989,6 +989,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize)
buf = estrdup(errstr);
} else {
strncpy(buf, errstr, bufsize);
+ buf[bufsize?(bufsize-1):0] = 0;
}
return buf;
#else
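Review bot: When `bufsize` is 0, the added terminator `buf[bufsize?(bufsize-1):0] = 0;` still writes `buf[0]`, one byte past a zero-length buffer, even though the preceding `strncpy(buf, errstr, bufsize)` writes nothing in that case. Guarding the store instead, `if (bufsize) { buf[bufsize - 1] = '\0'; }`, terminates every non-empty buffer and leaves an empty one untouched. The same line is added after `strncpy(buf, sysbuf, bufsize)` in the next hunk and needs the same guard. Whether any caller passes a non-NULL `buf` with a zero size cannot be seen here, because the body of `php_socket_strerror` starts and ends outside the hunk.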
@@ -1013,6 +1014,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize)
buf = estrdup(sysbuf);
} else {
strncpy(buf, sysbuf, bufsize);
+ buf[bufsize?(bufsize-1):0] = 0;
}
if (free_it) {