authorStanislav Malyshev <stas@php.net>2016-11-03 22:53:05 -0700
committerStanislav Malyshev <stas@php.net>2016-11-03 22:53:05 -0700
commit25d04ad8e3e4b415645f982178a274f7a36eeef6 (patch)
tree9a6bf6839715f09d5b609f2e0cac986f143aa038 /ext
parent0bc6592307af27c81ab1717cc589adb2530565ac (diff)
parentd858b4c77fa28ff9b0a597141a58f51803bafc2b (diff)
downloadphp-git-25d04ad8e3e4b415645f982178a274f7a36eeef6.tar.gz
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0: Add length check for bzcompress too - fix for bug #73356 More string length checks & fixes More string length checks & fixes
Diffstat (limited to 'ext')
-rw-r--r--ext/imap/php_imap.c2
-rw-r--r--ext/intl/intl_convert.c2
-rw-r--r--ext/intl/locale/locale_methods.c7
-rw-r--r--ext/intl/msgformat/msgformat_data.c2
-rw-r--r--ext/standard/exec.c2
-rw-r--r--ext/xmlrpc/libxmlrpc/base64.c6
-rw-r--r--ext/xmlrpc/libxmlrpc/simplestring.c3
-rw-r--r--ext/zip/php_zip.c6
8 files changed, 21 insertions, 9 deletions
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index 7b4d31143a..76edc78b22 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -3950,7 +3950,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
#define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
#define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
- bufferHeader = (char *)emalloc(bufferLen + 1);
+ bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
memset(bufferHeader, 0, bufferLen);
if (to && *to) {
strlcat(bufferHeader, "To: ", bufferLen + 1);
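Review bot: The allocation is now `bufferLen + 1` bytes with an overflow check, but the `memset` on the next line still clears only `bufferLen` bytes, so the final byte stays uninitialised until a later `strlcat` writes the terminator. Clearing the whole allocation with `memset(bufferHeader, 0, bufferLen + 1);` keeps the buffer terminated on every path, including one where neither `to` nor any later header is appended. `safe_emalloc` also only catches a wrap in the final `bufferLen + 1`; the arithmetic that builds `bufferLen` is outside this hunk and should be checked for overflow in the same way.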
diff --git a/ext/intl/intl_convert.c b/ext/intl/intl_convert.c
index 2ae43fbb96..5092b7594f 100644
--- a/ext/intl/intl_convert.c
+++ b/ext/intl/intl_convert.c
@@ -53,7 +53,7 @@ void intl_convert_utf8_to_utf16(
UErrorCode* status )
{
UChar* dst_buf = NULL;
- int32_t dst_len = 0;
+ uint32_t dst_len = 0;
/* If *target is NULL determine required destination buffer size (pre-flighting).
* Otherwise, attempt to convert source string; if *target buffer is not large enough
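Review bot: The switch of `dst_len` from `int32_t` to `uint32_t` carries no comment, and every use of the variable lies outside this hunk, so the reason for the change cannot be checked from here. If its address is later passed to an ICU routine that reports the length through an `int32_t *`, the pointer types no longer match and a negative result would be read as a very large length. A short comment at the declaration, for example `/* unsigned: used in size arithmetic for the allocation below */`, plus an explicit range check before the value sizes a buffer, would make the intent reviewable.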
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index e35da2fd05..6a5cd2e3cb 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -268,6 +268,9 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam
int32_t buflen = 512;
UErrorCode status = U_ZERO_ERROR;
+ if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
+ return NULL;
+ }
if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
/* Handle grandfathered languages */
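Review bot: The new length check in get_icu_value_internal returns `NULL` without recording an error, while the two `PHP_FUNCTION` hunks further down use `INTL_CHECK_LOCALE_LEN` for the same condition. If callers treat `NULL` as "value not present" (the rest of the function and its callers are outside this hunk), a rejected over-long locale becomes indistinguishable from a missing tag. `strlen(loc_name)` also runs with no `NULL` test visible here. I would at least add a comment such as `/* over-long locale: rejected before it reaches the fixed-size buffers below; caller sees NULL */` and confirm that any status out-parameter is set before returning.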
@@ -713,6 +716,8 @@ PHP_FUNCTION( locale_get_keywords )
RETURN_FALSE;
}
+ INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
if(loc_name_len == 0) {
loc_name = intl_locale_get_default();
}
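Review bot: `INTL_CHECK_LOCALE_LEN(strlen(loc_name))` runs before the `loc_name_len == 0` branch replaces `loc_name` with `intl_locale_get_default()`, so the default locale that is actually used afterwards is not covered by this check. The same ordering appears in the `locale_parse` hunk below. The length is also recomputed with `strlen` although `loc_name_len` is already in scope on the next line; `INTL_CHECK_LOCALE_LEN(loc_name_len);` would be the stricter test, since it also rejects strings that are long only after an embedded NUL. Moving the check below the default-locale substitution would cover both sources of the string.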
@@ -1116,6 +1121,8 @@ PHP_FUNCTION(locale_parse)
RETURN_FALSE;
}
+ INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
if(loc_name_len == 0) {
loc_name = intl_locale_get_default();
}
diff --git a/ext/intl/msgformat/msgformat_data.c b/ext/intl/msgformat/msgformat_data.c
index b35c7c2281..e2510e16b8 100644
--- a/ext/intl/msgformat/msgformat_data.c
+++ b/ext/intl/msgformat/msgformat_data.c
@@ -83,7 +83,7 @@ msgformat_data* msgformat_data_create( void )
int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
{
if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
- UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
+ UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
uint32_t npattern_len;
npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
efree(*spattern);
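Review bot: The capacity passed to `umsg_autoQuoteApostrophe` on the following line is still the unchecked expression `2*(*spattern_len)+1`, so only the allocation size is protected by `safe_emalloc`. That expression is evaluated in `uint32_t` and can wrap, or exceed what a signed 32-bit capacity parameter can hold, while the 64-bit allocation succeeds, leaving the buffer size and the capacity argument out of step. A bound on the input before allocating closes this, for example `if (*spattern_len > (INT32_MAX - 1) / 2) { *ec = U_BUFFER_OVERFLOW_ERROR; return FAILURE; }`, using whatever failure value the function already returns. The body of msgformat_fix_quotes continues past the end of this hunk.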
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index bf9100b0d2..07ae161938 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -321,7 +321,7 @@ PHPAPI zend_string *php_escape_shell_cmd(char *str)
ZSTR_VAL(cmd)[y++] = str[x];
break;
#else
- /* % is Windows specific for environmental variables, ^%PATH% will
+ /* % is Windows specific for environmental variables, ^%PATH% will
output PATH while ^%PATH^% will not. escapeshellcmd->val will escape all % and !.
*/
case '%':
diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
index fa6cc32b51..5ebdf31f7a 100644
--- a/ext/xmlrpc/libxmlrpc/base64.c
+++ b/ext/xmlrpc/libxmlrpc/base64.c
@@ -15,6 +15,7 @@ static const char rcsid[] = "#(@) $Id$";
/* ENCODE -- Encode binary file into base64. */
#include <stdlib.h>
#include <ctype.h>
+#include <limits.h>
#include "base64.h"
@@ -31,6 +32,9 @@ void buffer_new(struct buffer_st *b)
void buffer_add(struct buffer_st *b, char c)
{
+ if ((INT_MAX - b->length) <= 512) {
+ return;
+ }
*(b->ptr++) = c;
b->offset++;
if (b->offset == b->length) {
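Review bot: The new guard in buffer_add drops the byte silently once `b->length` is within 512 of `INT_MAX`, and because the function returns `void` the caller cannot tell that the encoded output has been truncated. It also fires on every call in that range, not only when the buffer is about to grow, so bytes are discarded even while free space remains. At minimum this needs a comment like `/* cannot grow past INT_MAX: byte is dropped, output is truncated */`. Moving the test inside the `b->offset == b->length` branch, where the growth happens, would limit the loss to the case that actually overflows. The growth code itself is outside this hunk.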
@@ -79,7 +83,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
for (n = 0; n < 3; n++) {
c = *(source++);
offset++;
- if (offset > length) {
+ if (offset > length || offset <= 0) {
hiteof = 1;
break;
}
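Review bot: The added `offset <= 0` test only triggers after `offset++` has wrapped, which is undefined behaviour if `offset` is a signed `int` (its declaration is outside the hunk), so a compiler may remove the check. The byte is also read through `*(source++)` before either condition is evaluated, so the last iteration reads one element past `length`. Testing before the read avoids both problems and needs no wraparound case: `if (offset >= length) { hiteof = 1; break; }` placed ahead of `c = *(source++);`. A negative `length` should be rejected once at function entry.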
diff --git a/ext/xmlrpc/libxmlrpc/simplestring.c b/ext/xmlrpc/libxmlrpc/simplestring.c
index c88754fb9a..98b5c81e42 100644
--- a/ext/xmlrpc/libxmlrpc/simplestring.c
+++ b/ext/xmlrpc/libxmlrpc/simplestring.c
@@ -80,6 +80,7 @@ static const char rcsid[] = "#(@) $Id$";
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "simplestring.h"
#define my_free(thing) if(thing) {free(thing); thing = 0;}
@@ -200,7 +201,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)
simplestring_init_str(target);
}
- if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+ if((INT_MAX - add_len) < target->len || (INT_MAX - add_len - 1) < target->len) {
/* check for overflows, if there's a potential overflow do nothing */
return;
}
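Review bot: Replacing `SIZE_MAX` with `INT_MAX` makes this guard ineffective for large `add_len`: `add_len` is a `size_t`, so `INT_MAX - add_len` is evaluated unsigned and wraps to a huge value whenever `add_len > INT_MAX`, and the comparison then passes. The first half of the condition is also implied by the second. A form that cannot wrap is `if (add_len >= INT_MAX || target->len > (size_t)INT_MAX - add_len - 1) {`, assuming `target->len` is an unsigned size (its declaration is not in this hunk). The rest of simplestring_addn, including the reallocation this guard protects, lies outside the hunk.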
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 779d9d1593..4685fb2486 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1590,7 +1590,7 @@ static ZIPARCHIVE_METHOD(addEmptyDir)
}
if (dirname[dirname_len-1] != '/') {
- s=(char *)emalloc(dirname_len+2);
+ s=(char *)safe_emalloc(dirname_len, 1, 2);
strcpy(s, dirname);
s[dirname_len] = '/';
s[dirname_len+1] = '\0';
@@ -1805,14 +1805,14 @@ static ZIPARCHIVE_METHOD(addFromString)
ze_obj = Z_ZIP_P(self);
if (ze_obj->buffers_cnt) {
- ze_obj->buffers = (char **)erealloc(ze_obj->buffers, sizeof(char *) * (ze_obj->buffers_cnt+1));
+ ze_obj->buffers = (char **)safe_erealloc(ze_obj->buffers, sizeof(char *), (ze_obj->buffers_cnt+1), 0);
pos = ze_obj->buffers_cnt++;
} else {
ze_obj->buffers = (char **)emalloc(sizeof(char *));
ze_obj->buffers_cnt++;
pos = 0;
}
- ze_obj->buffers[pos] = (char *)emalloc(ZSTR_LEN(buffer) + 1);
+ ze_obj->buffers[pos] = (char *)safe_emalloc(ZSTR_LEN(buffer), 1, 1);
memcpy(ze_obj->buffers[pos], ZSTR_VAL(buffer), ZSTR_LEN(buffer) + 1);
zs = zip_source_buffer(intern, ze_obj->buffers[pos], ZSTR_LEN(buffer), 0);
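Review bot: The `safe_erealloc` call passes `sizeof(char *)` as the element count and `ze_obj->buffers_cnt+1` as the element size, the reverse of the `safe_emalloc(n, 1, k)` calls added elsewhere in this commit. The product is the same, but `safe_erealloc(ze_obj->buffers, ze_obj->buffers_cnt + 1, sizeof(char *), 0)` reads as intended. The `+1` is also evaluated before the overflow-checked multiplication, so a wrap in `buffers_cnt` itself would go unnoticed; whether that can happen depends on its type, which is not shown here. The handling of a failed `zip_source_buffer` call is outside the hunk, so I could not check whether the new buffer is released on that path.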