diff options
| author | Ilia Alshanetsky <iliaa@php.net> | 2007-06-17 14:31:12 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2007-06-17 14:31:12 +0000 |
| commit | 32c5a87a148d49450afd869f1a611bdf669e986d (patch) | |
| tree | 8b25bb3ebdbfbe37507d3be74f7e0ed8d0074f3d /Zend/zend_ini.c | |
| parent | e2d606e18b7079f7b7127fb581ccffc2f6104de7 (diff) | |
| download | php-git-32c5a87a148d49450afd869f1a611bdf669e986d.tar.gz | |
Fixed zend_alter_ini_entry() memory_limit interruption vulnerability.
Diffstat (limited to 'Zend/zend_ini.c')
| -rw-r--r-- | Zend/zend_ini.c | 35 |
1 files changed, 21 insertions, 14 deletions
diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c index c559e661e4..9b2a24c03c 100644 --- a/Zend/zend_ini.c +++ b/Zend/zend_ini.c @@ -55,7 +55,9 @@ static int zend_restore_ini_entry_cb(zend_ini_entry *ini_entry, int stage TSRMLS ini_entry->on_modify(ini_entry, ini_entry->orig_value, ini_entry->orig_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC); } zend_end_try(); } - efree(ini_entry->value); + if (ini_entry->value != ini_entry->orig_value) { + efree(ini_entry->value); + } ini_entry->value = ini_entry->orig_value; ini_entry->value_length = ini_entry->orig_value_length; ini_entry->modified = 0; @@ -234,34 +236,39 @@ ZEND_API int zend_alter_ini_entry(char *name, uint name_length, char *new_value, { zend_ini_entry *ini_entry; char *duplicate; + zend_bool modified; TSRMLS_FETCH(); if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) { return FAILURE; } + if (stage == ZEND_INI_STAGE_ACTIVATE && modify_type == ZEND_INI_SYSTEM) { + ini_entry->modifiable = ZEND_INI_SYSTEM; + } + if (!(ini_entry->modifiable & modify_type)) { return FAILURE; } - if (stage == ZEND_INI_STAGE_ACTIVATE && modify_type == ZEND_INI_SYSTEM) { - ini_entry->modifiable = ZEND_INI_SYSTEM; + modified = ini_entry->modified; + + if (!EG(modified_ini_directives)) { + ALLOC_HASHTABLE(EG(modified_ini_directives)); + zend_hash_init(EG(modified_ini_directives), 8, NULL, NULL, 0); + } + if (!modified) { + ini_entry->orig_value = ini_entry->value; + ini_entry->orig_value_length = ini_entry->value_length; + ini_entry->modified = 1; + zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL); } duplicate = estrndup(new_value, new_value_length); - + if (!ini_entry->on_modify || ini_entry->on_modify(ini_entry, duplicate, new_value_length, ini_entry->mh_arg1, ini_entry->mh_arg2, ini_entry->mh_arg3, stage TSRMLS_CC)==SUCCESS) { - if (!ini_entry->modified) { - ini_entry->orig_value = ini_entry->value; - ini_entry->orig_value_length = ini_entry->value_length; - ini_entry->modified = 1; - if (!EG(modified_ini_directives)) { - ALLOC_HASHTABLE(EG(modified_ini_directives)); - zend_hash_init(EG(modified_ini_directives), 8, NULL, NULL, 0); - } - zend_hash_add(EG(modified_ini_directives), name, name_length, &ini_entry, sizeof(zend_ini_entry*), NULL); - } else { /* we already changed the value, free the changed value */ + if (modified && ini_entry->orig_value != ini_entry->value) { /* we already changed the value, free the changed value */ efree(ini_entry->value); } ini_entry->value = duplicate; |