MFH: Various security fixes

4 files changed, 23 insertions, 9 deletions

diff --git a/NEWS b/NEWS
index cd84e755ff..9945cc3d3c 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2006, Version 4.4.4
+- Fixed memory_limit on 64bit systems. (Stefan E.)
+- Fixed overflow on 64bit systems in str_repeat() and wordwrap(). (Stefan E.)
+- Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are
+  enabled. (Stefan E.)
 - Fixed bug #38377 (session_destroy() gives warning after
   session_regenerate_id()). (Ilia)
 - Fixed bug #38322 (reading past array in sscanf() leads to arbitary code 
diff --git a/ext/curl/curl.c b/ext/curl/curl.c
index 9f44485545..ddf022c2dd 100644
--- a/ext/curl/curl.c
+++ b/ext/curl/curl.c
@@ -924,7 +924,6 @@ PHP_FUNCTION(curl_setopt)
 		case CURLOPT_FTPLISTONLY:
 		case CURLOPT_FTPAPPEND:
 		case CURLOPT_NETRC:
-		case CURLOPT_FOLLOWLOCATION:
 		case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
 		 case CURLOPT_MUTE:
@@ -961,6 +960,16 @@ PHP_FUNCTION(curl_setopt)
 			convert_to_long_ex(zvalue);
 			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
 			break;
+		case CURLOPT_FOLLOWLOCATION:
+			convert_to_long_ex(zvalue);
+			if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+				if (Z_LVAL_PP(zvalue) != 0) {
+					php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set");
+					RETURN_FALSE;
+				}
+			}
+			error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+			break;
 		case CURLOPT_URL:
 		case CURLOPT_PROXY:
 		case CURLOPT_USERPWD:
diff --git a/ext/curl/curlstreams.c b/ext/curl/curlstreams.c
index e2ea652187..3bcbd7f5b1 100644
--- a/ext/curl/curlstreams.c
+++ b/ext/curl/curlstreams.c
@@ -297,7 +297,11 @@ PHPAPI php_stream *php_curl_stream_opener(php_stream_wrapper *wrapper, char *fil
 	curl_easy_setopt(curlstream->curl, CURLOPT_WRITEHEADER, stream);
 
 	/* currently buggy (bug is in curl) */
-	curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+	} else {
+		curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+	}
 	
 	curl_easy_setopt(curlstream->curl, CURLOPT_ERRORBUFFER, curlstream->errstr);
 	curl_easy_setopt(curlstream->curl, CURLOPT_VERBOSE, 0);
diff --git a/ext/standard/string.c b/ext/standard/string.c
index e172194634..9cc6e11a01 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -628,7 +628,8 @@ PHP_FUNCTION(wordwrap)
 {
 	const char *text, *breakchar = "\n";
 	char *newtext;
-	int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+	int textlen, breakcharlen = 1, newtextlen, chk;
+	size_t alloced;
 	long current = 0, laststart = 0, lastspace = 0;
 	long linelength = 75;
 	zend_bool docut = 0;
@@ -3518,7 +3519,7 @@ PHP_FUNCTION(str_repeat)
 	zval		**input_str;		/* Input string */
 	zval		**mult;			/* Multiplier */
 	char		*result;		/* Resulting string */
-	int		result_len;		/* Length of the resulting string */
+	size_t		result_len;		/* Length of the resulting string */
 	
 	if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, &mult) == FAILURE) {
 		WRONG_PARAM_COUNT;
@@ -3543,11 +3544,7 @@ PHP_FUNCTION(str_repeat)
 	
 	/* Initialize the result string */	
 	result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);
-	if (result_len < 1) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
-		RETURN_FALSE;
-	}
-	result = (char *)emalloc(result_len + 1);
+	result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 1);
 	
 	/* Heavy optimization for situations where input string is 1 byte long */
 	if (Z_STRLEN_PP(input_str) == 1) {