authorStanislav Malyshev <stas@php.net>2011-11-18 07:11:19 +0000
committerStanislav Malyshev <stas@php.net>2011-11-18 07:11:19 +0000
commit77d0643b68f9f9405131e583f549d15240bfa358 (patch)
tree805a2f936502be820c918c18b41d1ec13770b958
parentced34c975ecb60f32ec0b48b78a5b22acc05b52e (diff)
downloadphp-git-77d0643b68f9f9405131e583f549d15240bfa358.tar.gz
fixes for bug #55748
-rw-r--r--NEWS2
-rw-r--r--Zend/zend_builtin_functions.c3
-rw-r--r--ext/com_dotnet/com_typeinfo.c4
-rw-r--r--ext/oci8/oci8.c3
-rw-r--r--ext/standard/syslog.c3
5 files changed, 15 insertions, 0 deletions
diff --git a/NEWS b/NEWS
index 717cb7137d..ef552e452d 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP NEWS
(klightspeed at netspace dot net dot au)
. Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent
directory). (Felipe)
+ . Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup())
+ (CVE-2011-4153). (Stas)
- MS SQL:
. Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index aeacda54e2..e4d6303839 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -706,6 +706,9 @@ repeat:
}
c.flags = case_sensitive; /* non persistent */
c.name = IS_INTERNED(name) ? name : zend_strndup(name, name_len);
+ if(name == NULL) {
+ RETURN_FALSE;
+ }
c.name_len = name_len+1;
c.module_number = PHP_USER_CONSTANT;
if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
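Review bot: The added guard tests `name`, the input string, rather than `c.name`, which receives the zend_strndup() result on the line above. A failed allocation therefore still leaves `c.name` NULL when it reaches zend_register_constant(), and the NULL dereference this commit targets is not closed on this path. The condition should read `if (c.name == NULL) {`. The enclosing function starts before the hunk and continues after it, so confirm that nothing acquired earlier needs releasing before the early RETURN_FALSE.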
diff --git a/ext/com_dotnet/com_typeinfo.c b/ext/com_dotnet/com_typeinfo.c
index e2d5d28af5..2934c05933 100644
--- a/ext/com_dotnet/com_typeinfo.c
+++ b/ext/com_dotnet/com_typeinfo.c
@@ -187,6 +187,10 @@ PHPAPI int php_com_import_typelib(ITypeLib *TL, int mode, int codepage TSRMLS_DC
const_name = php_com_olestring_to_string(bstr_ids, &c.name_len, codepage TSRMLS_CC);
c.name = zend_strndup(const_name, c.name_len);
efree(const_name);
+ if(c.name == NULL) {
+ ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);
+ continue;
+ }
c.name_len++; /* include NUL */
SysFreeString(bstr_ids);
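Review bot: The new `continue` branch skips the `SysFreeString(bstr_ids);` call that follows the check, so on allocation failure the BSTR appears to be leaked on every iteration that takes this path. Either move `SysFreeString(bstr_ids);` above the `if(c.name == NULL)` test (bstr_ids is not used again in the visible lines) or add it inside the branch next to `ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);`. The loop body starts and ends outside the hunk, so check that no later use of bstr_ids depends on the current order.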
diff --git a/ext/oci8/oci8.c b/ext/oci8/oci8.c
index 809ff816ae..2b63a6faf5 100644
--- a/ext/oci8/oci8.c
+++ b/ext/oci8/oci8.c
@@ -2055,6 +2055,9 @@ php_oci_connection *php_oci_do_connect_ex(char *username, int username_len, char
} else {
connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection));
connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len);
+ if(connection->hash_key == NULL) {
+ return NULL;
+ }
connection->is_persistent = 1;
}
} else {
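Review bot: The early `return NULL` leaves the `connection` struct allocated by calloc() two lines above unreleased. That calloc() result is itself dereferenced (`connection->hash_key = ...`) without a NULL check, so the same out-of-memory condition can still crash one line before the new guard. Suggest adding `if (connection == NULL) { return NULL; }` directly after the calloc() and `free(connection);` before the new `return NULL;`. Whether `hashed_details` and any other state held at this point are released on these early returns is not visible in the hunk and should be confirmed, since php_oci_do_connect_ex() extends well beyond it.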
diff --git a/ext/standard/syslog.c b/ext/standard/syslog.c
index 2abef47859..cc49cc5f4a 100644
--- a/ext/standard/syslog.c
+++ b/ext/standard/syslog.c
@@ -146,6 +146,9 @@ PHP_FUNCTION(openlog)
free(BG(syslog_device));
}
BG(syslog_device) = zend_strndup(ident, ident_len);
+ if(BG(syslog_device) == NULL) {
+ RETURN_FALSE;
+ }
openlog(BG(syslog_device), option, facility);
RETURN_TRUE;
}