summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2012-02-02 17:31:05 +0000
committerStanislav Malyshev <stas@php.net>2012-02-02 17:31:05 +0000
commitdb1700c71cf8b9bba7c0951c075c7520460799e5 (patch)
treeb074e45476d2f2336add80795c447d9b5fd8762e
parent9ad3aa61e378f45a4c48d577b388910e33a456be (diff)
parent29e2f050f579e7fadadf4e3bf6d3701c84b6732b (diff)
downloadphp-git-php-5.4.0RC7.tar.gz
5.4.0rc7php-5.4.0RC7
Diffstat
-rw-r--r--NEWS2
-rw-r--r--ext/mysqlnd/mysqlnd_wireprotocol.c6
-rw-r--r--main/php_variables.c30
3 files changed, 22 insertions, 16 deletions
diff --git a/NEWS b/NEWS
index 488927e05b..1bfd345ab8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,5 +1,7 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+?? Feb 2012, PHP 5.4.0 RC 8
+
02 Feb 2012, PHP 5.4.0 RC 7
- Core:
. Fix bug #60895 (Possible invalid handler usage in windows random
diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c
index 4529a9447f..4d2bb8cac7 100644
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -1177,7 +1177,11 @@ php_mysqlnd_rset_field_read(void * _packet, MYSQLND_CONN_DATA * conn TSRMLS_DC)
BAIL_IF_NO_MORE_DATA;
}
- /* 1 byte filler */
+ /* 1 byte length */
+ if (12 != *p) {
+ DBG_ERR_FMT("Protocol error. Server sent false length. Expected 12 got %d", (int) *p);
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Protocol error. Server sent false length. Expected 12");
+ }
p++;
BAIL_IF_NO_MORE_DATA;
diff --git a/main/php_variables.c b/main/php_variables.c
index 995497c42d..f544b7a60e 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -57,7 +57,7 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
{
char *p = NULL;
char *ip; /* index pointer */
- char *index, *escaped_index = NULL;
+ char *index;
char *var, *var_orig;
int var_len, index_len;
zval *gpc_element, **gpc_element_p;
@@ -174,10 +174,14 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
if (!index) {
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
- zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) {
+ zval_ptr_dtor(&gpc_element);
+ zval_dtor(val);
+ free_alloca(var_orig, use_heap);
+ return;
+ }
} else {
- escaped_index = index;
- if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+ if (zend_symtable_find(symtable1, index, index_len + 1, (void **) &gpc_element_p) == FAILURE
|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
@@ -185,15 +189,13 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
}
MAKE_STD_ZVAL(gpc_element);
array_init(gpc_element);
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
} else {
+ zval_dtor(val);
free_alloca(var_orig, use_heap);
return;
}
}
- if (index != escaped_index) {
- efree(escaped_index);
- }
}
symtable1 = Z_ARRVAL_PP(gpc_element_p);
/* ip pointed to the '[' character, now obtain the key */
@@ -214,9 +216,10 @@ plain_var:
gpc_element->value = val->value;
Z_TYPE_P(gpc_element) = Z_TYPE_P(val);
if (!index) {
- zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) {
+ zval_ptr_dtor(&gpc_element);
+ }
} else {
- escaped_index = index;
/*
* According to rfc2965, more specific paths are listed above the less specific ones.
* If we encounter a duplicate cookie name, we should skip it, since it is not possible
@@ -225,21 +228,18 @@ plain_var:
*/
if (PG(http_globals)[TRACK_VARS_COOKIE] &&
symtable1 == Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_COOKIE]) &&
- zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+ zend_symtable_exists(symtable1, index, index_len + 1)) {
zval_ptr_dtor(&gpc_element);
} else {
if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
}
- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+ zend_symtable_update(symtable1, index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
} else {
zval_ptr_dtor(&gpc_element);
}
}
- if (escaped_index != index) {
- efree(escaped_index);
- }
}
}
free_alloca(var_orig, use_heap);
View Lorry Controller Status