| author | Ilia Alshanetsky <iliaa@php.net> | 2004-06-30 01:12:06 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2004-06-30 01:12:06 +0000 |
| commit | 690ca62dd39fccb050c3fe3e61da531faf483da4 (patch) | |
| tree | 979e6b8cf0464fcea1689dabef6231940212505e /ext/pcntl/pcntl.c | |
| parent | 0850c7a3482df0fd2a639b2279a7c549f5cddc6a (diff) | |
| download | php-git-690ca62dd39fccb050c3fe3e61da531faf483da4.tar.gz | |
Do not use alloca() where it can be abused through user input.
Diffstat (limited to 'ext/pcntl/pcntl.c')
| -rwxr-xr-x | ext/pcntl/pcntl.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index 687c76d65f..8aa9290011 100755
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -434,7 +434,7 @@ PHP_FUNCTION(pcntl_exec)
 args_hash = HASH_OF(args);
 argc = zend_hash_num_elements(args_hash);
- argv = alloca((argc+2) * sizeof(char *));
+ argv = safe_emalloc((argc + 2), sizeof(char *), 0);
 *argv = path;
 for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1;
 (argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
@@ -445,7 +445,7 @@ PHP_FUNCTION(pcntl_exec)
 }
 *(current_arg) = NULL;
 } else {
- argv = alloca(2 * sizeof(char *));
+ argv = emalloc(2 * sizeof(char *));
 *argv = path;
 *(argv+1) = NULL;
 }
@@ -455,13 +455,13 @@ PHP_FUNCTION(pcntl_exec)
 envs_hash = HASH_OF(envs);
 envc = zend_hash_num_elements(envs_hash);
- envp = alloca((envc+1) * sizeof(char *));
+ envp = safe_emalloc((envc + 1), sizeof(char *), 0);
 for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp;
 (envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS));
 (envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
 switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) {
 case HASH_KEY_IS_LONG:
- key = alloca(101);
+ key = emalloc(101);
 snprintf(key, 100, "%ld", key_num);
 key_length = strlen(key);
 break;
@@ -480,7 +480,7 @@ PHP_FUNCTION(pcntl_exec)
 strlcat(*pair, Z_STRVAL_PP(element), pair_length);
 /* Cleanup */
- if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+ if (return_val == HASH_KEY_IS_LONG) efree(key);
 }
 *(pair) = NULL;
 }
@@ -492,10 +492,10 @@ PHP_FUNCTION(pcntl_exec)
 /* Cleanup */
 if (envp != NULL) {
 for (pair = envp; *pair != NULL; pair++) efree(*pair);
- free_alloca(envp);
+ efree(envp);
 }
- free_alloca(argv);
+ efree(argv);
 RETURN_FALSE;
 }
|
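Review bot: In `safe_emalloc((argc + 2), sizeof(char *), 0)` the `+ 2` is evaluated before the overflow-checked multiplication, so the helper never sees that part of the size computation. Passing the extra slots through the offset argument keeps the whole calculation inside the check: `argv = safe_emalloc(argc, sizeof(char *), 2 * sizeof(char *));`. The same applies to `envp` in the @@ -455 hunk, `envp = safe_emalloc(envc, sizeof(char *), sizeof(char *));`. The declarations of `argc` and `envc` are outside the hunk, so whether the addition can wrap for a real array is not visible here; the point is that a count taken from a script-supplied array should not go through unchecked arithmetic on its way to the allocator.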
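Review bot: `key = emalloc(101)` followed by `snprintf(key, 100, ...)` uses two different magic sizes for a buffer that only ever holds one decimal long, and it costs an allocate/free pair for every integer key in the environment array. A small local array avoids the heap round trip and makes the conditional `efree(key)` in the @@ -480 hunk unnecessary: declare `char numkey[32];` with the other locals, then `snprintf(numkey, sizeof(numkey), "%ld", key_num); key = numkey;` (name and size are illustrative). The remaining cases of the switch and the end of the loop body are outside this hunk.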
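Review bot: The cleanup in the @@ -492 hunk frees every `envp` entry but only the `argv` vector itself, and nothing in the code says why. Now that both vectors are heap-owned, that asymmetry is easy to get wrong in a later edit (a double free or a leak), so a short ownership comment above `efree(argv);` would help, for example `/* argv[] entries are borrowed (path and the caller's strings); only the vector is ours */`. The visible lines show `*argv = path;`, but the loop body that fills the other slots is outside the diff, so confirm the wording against it.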
