diff options
| author | Stanislav Malyshev <stas@php.net> | 2014-08-19 01:34:09 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2014-08-19 01:34:09 -0700 |
| commit | b278be894fcd0f2cbaee93e3f657f7f9beeb532f (patch) | |
| tree | 64a396b4b4c1b3abab6f991673e24e320cad54cc | |
| parent | 335d89ec4d35d68d6443c7d51f99451a58c35b46 (diff) | |
| parent | 5a7039035ce22a68130af2309ff002a611976c87 (diff) | |
| download | php-git-b278be894fcd0f2cbaee93e3f657f7f9beeb532f.tar.gz | |
Merge branch 'PHP-5.4' into PHP-5.5
* PHP-5.4:
5.4.32
fix potentially missing NUL termination
Fix bug #67730 - Null byte injection possible with imagexxx functions
Fixed bug #67717 - segfault in dns_get_record
Fix bug #67716 - Segfault in cdf.c
5.4.32 RC1
| -rw-r--r-- | ext/gd/gd_ctx.c | 5 | ||||
| -rw-r--r-- | main/network.c | 2 |
2 files changed, 7 insertions, 0 deletions
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c index 59eff80443..253b6648f3 100644 --- a/ext/gd/gd_ctx.c +++ b/ext/gd/gd_ctx.c @@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, RETURN_FALSE; } } else if (Z_TYPE_P(to_zval) == IS_STRING) { + if (CHECK_ZVAL_NULL_PATH(to_zval)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); + RETURN_FALSE; + } + stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); if (stream == NULL) { RETURN_FALSE; diff --git a/main/network.c b/main/network.c index fc2a94badd..f8336442d0 100644 --- a/main/network.c +++ b/main/network.c @@ -992,6 +992,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize) buf = estrdup(errstr); } else { strncpy(buf, errstr, bufsize); + buf[bufsize?(bufsize-1):0] = 0; } return buf; #else @@ -1016,6 +1017,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize) buf = estrdup(sysbuf); } else { strncpy(buf, sysbuf, bufsize); + buf[bufsize?(bufsize-1):0] = 0; } if (free_it) { |