summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ext/bz2/bz2.c2
-rw-r--r--ext/iconv/iconv.c2
-rw-r--r--ext/imap/php_imap.c2
-rw-r--r--ext/intl/breakiterator/breakiterator_iterators.cpp2
-rw-r--r--ext/intl/intl_convert.c2
-rw-r--r--ext/intl/locale/locale_methods.c9
-rw-r--r--ext/intl/msgformat/msgformat_data.c4
-rw-r--r--ext/standard/exec.c10
-rw-r--r--ext/standard/php_smart_str.h3
-rw-r--r--ext/standard/string.c6
-rw-r--r--ext/xmlrpc/libxmlrpc/base64.c22
-rw-r--r--ext/xmlrpc/libxmlrpc/simplestring.c3
-rw-r--r--ext/zip/php_zip.c6
-rw-r--r--ext/zlib/zlib.c2
-rw-r--r--main/php_version.h6
15 files changed, 45 insertions, 36 deletions
diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
index 79ec3ec3fe..2e39f4a892 100644
--- a/ext/bz2/bz2.c
+++ b/ext/bz2/bz2.c
@@ -513,7 +513,7 @@ static PHP_FUNCTION(bzcompress)
dest_len = (unsigned int) (source_len + (0.01 * source_len) + 600);
/* Allocate the destination buffer */
- dest = emalloc(dest_len + 1);
+ dest = safe_emalloc(dest_len, 1, 1);
/* Handle the optional arguments */
if (argc > 1) {
diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
index fc45f41d65..69dd8c1cf7 100644
--- a/ext/iconv/iconv.c
+++ b/ext/iconv/iconv.c
@@ -2491,7 +2491,7 @@ PHP_NAMED_FUNCTION(php_if_iconv)
&out_buffer, &out_len, out_charset, in_charset);
_php_iconv_show_error(err, out_charset, in_charset TSRMLS_CC);
if (err == PHP_ICONV_ERR_SUCCESS && out_buffer != NULL) {
- RETVAL_STRINGL(out_buffer, out_len, 0);
+ RETVAL_STRINGL_CHECK(out_buffer, out_len, 0);
} else {
if (out_buffer != NULL) {
efree(out_buffer);
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
index 564473b738..8e70163bc6 100644
--- a/ext/imap/php_imap.c
+++ b/ext/imap/php_imap.c
@@ -3916,7 +3916,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
#define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
#define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
- bufferHeader = (char *)emalloc(bufferLen + 1);
+ bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
memset(bufferHeader, 0, bufferLen);
if (to && *to) {
strlcat(bufferHeader, "To: ", bufferLen + 1);
diff --git a/ext/intl/breakiterator/breakiterator_iterators.cpp b/ext/intl/breakiterator/breakiterator_iterators.cpp
index 3748991aed..7065ec671a 100644
--- a/ext/intl/breakiterator/breakiterator_iterators.cpp
+++ b/ext/intl/breakiterator/breakiterator_iterators.cpp
@@ -182,7 +182,7 @@ static void _breakiterator_parts_move_forward(zend_object_iterator *iter TSRMLS_
}
assert(next <= slen && next >= cur);
len = next - cur;
- res = static_cast<char*>(emalloc(len + 1));
+ res = static_cast<char*>(safe_emalloc(len, 1, 1));
memcpy(res, &s[cur], len);
res[len] = '\0';
diff --git a/ext/intl/intl_convert.c b/ext/intl/intl_convert.c
index 92cdc4cef4..2dde6ad124 100644
--- a/ext/intl/intl_convert.c
+++ b/ext/intl/intl_convert.c
@@ -49,7 +49,7 @@ void intl_convert_utf8_to_utf16(
UErrorCode* status )
{
UChar* dst_buf = NULL;
- int32_t dst_len = 0;
+ uint32_t dst_len = 0;
/* If *target is NULL determine required destination buffer size (pre-flighting).
* Otherwise, attempt to convert source string; if *target buffer is not large enough
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 862b9f5c87..39d80d524a 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -263,6 +263,9 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
int32_t buflen = 512;
UErrorCode status = U_ZERO_ERROR;
+ if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
+ return NULL;
+ }
if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
/* Handle grandfathered languages */
@@ -395,7 +398,7 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
if(loc_name_len == 0) {
loc_name = intl_locale_get_default(TSRMLS_C);
}
-
+
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
/* Call ICU get */
@@ -702,6 +705,8 @@ PHP_FUNCTION( locale_get_keywords )
RETURN_FALSE;
}
+ INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
if(loc_name_len == 0) {
loc_name = intl_locale_get_default(TSRMLS_C);
}
@@ -1109,6 +1114,8 @@ PHP_FUNCTION(locale_parse)
RETURN_FALSE;
}
+ INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
if(loc_name_len == 0) {
loc_name = intl_locale_get_default(TSRMLS_C);
}
diff --git a/ext/intl/msgformat/msgformat_data.c b/ext/intl/msgformat/msgformat_data.c
index 5d49054473..9e967daf4d 100644
--- a/ext/intl/msgformat/msgformat_data.c
+++ b/ext/intl/msgformat/msgformat_data.c
@@ -80,10 +80,10 @@ msgformat_data* msgformat_data_create( TSRMLS_D )
/* }}} */
#ifdef MSG_FORMAT_QUOTE_APOS
-int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
+int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
{
if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
- UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
+ UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
uint32_t npattern_len;
npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
efree(*spattern);
diff --git a/ext/standard/exec.c b/ext/standard/exec.c
index e0ca9140f7..88a6b4ab79 100644
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@ -133,7 +133,7 @@ PHPAPI int php_exec(int type, char *cmd, zval *array, zval *return_value TSRMLS_
if (type != 3) {
b = buf;
-
+
while (php_stream_get_line(stream, b, EXEC_INPUT_BUF, &bufl)) {
/* no new line found, let's read some more */
if (b[bufl - 1] != '\n' && !php_stream_eof(stream)) {
@@ -330,7 +330,7 @@ PHPAPI char *php_escape_shell_cmd(char *str)
cmd[y++] = str[x];
break;
#else
- /* % is Windows specific for enviromental variables, ^%PATH% will
+ /* % is Windows specific for enviromental variables, ^%PATH% will
output PATH while ^%PATH^% will not. escapeshellcmd will escape all % and !.
*/
case '%':
@@ -492,7 +492,7 @@ PHP_FUNCTION(escapeshellcmd)
return;
}
cmd = php_escape_shell_cmd(command);
- RETVAL_STRING(cmd, 0);
+ RETVAL_STRINGL_CHECK(cmd, strlen(cmd), 0);
} else {
RETVAL_EMPTY_STRING();
}
@@ -517,7 +517,7 @@ PHP_FUNCTION(escapeshellarg)
return;
}
cmd = php_escape_shell_arg(argument);
- RETVAL_STRING(cmd, 0);
+ RETVAL_STRINGL_CHECK(cmd, strlen(cmd), 0);
}
}
/* }}} */
@@ -551,7 +551,7 @@ PHP_FUNCTION(shell_exec)
php_stream_close(stream);
if (total_readbytes > 0) {
- RETVAL_STRINGL(ret, total_readbytes, 0);
+ RETVAL_STRINGL_CHECK(ret, total_readbytes, 0);
}
}
/* }}} */
diff --git a/ext/standard/php_smart_str.h b/ext/standard/php_smart_str.h
index edd9d3a89f..a336660987 100644
--- a/ext/standard/php_smart_str.h
+++ b/ext/standard/php_smart_str.h
@@ -57,7 +57,8 @@
newlen = (n); \
(d)->a = newlen < SMART_STR_START_SIZE \
? SMART_STR_START_SIZE \
- : newlen + SMART_STR_PREALLOC; \
+ : (newlen >= (INT_MAX - SMART_STR_PREALLOC)? newlen \
+ : (newlen + INT_MAX)); \
SMART_STR_DO_REALLOC(d, what); \
} else { \
newlen = (d)->len + (n); \
diff --git a/ext/standard/string.c b/ext/standard/string.c
index abe4eb1aba..cb6a8b4315 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -908,11 +908,7 @@ PHP_FUNCTION(wordwrap)
RETURN_FALSE;
}
- if (linelength < 0) {
- /* For BC */
- linelength = 0;
- }
- if (linelength > INT_MAX) {
+ if (linelength < 0 || linelength > INT_MAX) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length should be between 0 and %d", INT_MAX);
RETURN_FALSE;
}
diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
index d020bd6646..5ebdf31f7a 100644
--- a/ext/xmlrpc/libxmlrpc/base64.c
+++ b/ext/xmlrpc/libxmlrpc/base64.c
@@ -15,6 +15,7 @@ static const char rcsid[] = "#(@) $Id$";
/* ENCODE -- Encode binary file into base64. */
#include <stdlib.h>
#include <ctype.h>
+#include <limits.h>
#include "base64.h"
@@ -31,6 +32,9 @@ void buffer_new(struct buffer_st *b)
void buffer_add(struct buffer_st *b, char c)
{
+ if ((INT_MAX - b->length) <= 512) {
+ return;
+ }
*(b->ptr++) = c;
b->offset++;
if (b->offset == b->length) {
@@ -54,13 +58,13 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
int i, hiteof = 0;
int offset = 0;
int olen;
-
+
olen = 0;
-
+
buffer_new(b);
-
+
/* Fill dtable with character encodings. */
-
+
for (i = 0; i < 26; i++) {
dtable[i] = 'A' + i;
dtable[26 + i] = 'a' + i;
@@ -70,16 +74,16 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
}
dtable[62] = '+';
dtable[63] = '/';
-
+
while (!hiteof) {
unsigned char igroup[3], ogroup[4];
int c, n;
-
+
igroup[0] = igroup[1] = igroup[2] = 0;
for (n = 0; n < 3; n++) {
c = *(source++);
offset++;
- if (offset > length) {
+ if (offset > length || offset <= 0) {
hiteof = 1;
break;
}
@@ -90,11 +94,11 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
ogroup[1] = dtable[((igroup[0] & 3) << 4) | (igroup[1] >> 4)];
ogroup[2] = dtable[((igroup[1] & 0xF) << 2) | (igroup[2] >> 6)];
ogroup[3] = dtable[igroup[2] & 0x3F];
-
+
/* Replace characters in output stream with "=" pad
characters if fewer than three characters were
read from the end of the input stream. */
-
+
if (n < 3) {
ogroup[3] = '=';
if (n < 2) {
diff --git a/ext/xmlrpc/libxmlrpc/simplestring.c b/ext/xmlrpc/libxmlrpc/simplestring.c
index c88754fb9a..98b5c81e42 100644
--- a/ext/xmlrpc/libxmlrpc/simplestring.c
+++ b/ext/xmlrpc/libxmlrpc/simplestring.c
@@ -80,6 +80,7 @@ static const char rcsid[] = "#(@) $Id$";
#include <stdlib.h>
#include <string.h>
+#include <limits.h>
#include "simplestring.h"
#define my_free(thing) if(thing) {free(thing); thing = 0;}
@@ -200,7 +201,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)
simplestring_init_str(target);
}
- if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+ if((INT_MAX - add_len) < target->len || (INT_MAX - add_len - 1) < target->len) {
/* check for overflows, if there's a potential overflow do nothing */
return;
}
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index eeca8ab44d..9f2b3768d3 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1701,7 +1701,7 @@ static ZIPARCHIVE_METHOD(addEmptyDir)
}
if (dirname[dirname_len-1] != '/') {
- s=(char *)emalloc(dirname_len+2);
+ s=(char *)safe_emalloc(dirname_len, 1, 2);
strcpy(s, dirname);
s[dirname_len] = '/';
s[dirname_len+1] = '\0';
@@ -1915,14 +1915,14 @@ static ZIPARCHIVE_METHOD(addFromString)
ze_obj = (ze_zip_object*) zend_object_store_get_object(this TSRMLS_CC);
if (ze_obj->buffers_cnt) {
- ze_obj->buffers = (char **)erealloc(ze_obj->buffers, sizeof(char *) * (ze_obj->buffers_cnt+1));
+ ze_obj->buffers = (char **)safe_erealloc(ze_obj->buffers, sizeof(char *), (ze_obj->buffers_cnt+1), 0);
pos = ze_obj->buffers_cnt++;
} else {
ze_obj->buffers = (char **)emalloc(sizeof(char *));
ze_obj->buffers_cnt++;
pos = 0;
}
- ze_obj->buffers[pos] = (char *)emalloc(buffer_len + 1);
+ ze_obj->buffers[pos] = (char *)safe_emalloc(buffer_len, 1, 1);
memcpy(ze_obj->buffers[pos], buffer, buffer_len + 1);
zs = zip_source_buffer(intern, ze_obj->buffers[pos], buffer_len, 0);
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
index e33b2ccd21..47dc3acf63 100644
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@@ -673,7 +673,7 @@ static PHP_FUNCTION(name) \
if (SUCCESS != php_zlib_encode(in_buf, in_len, &out_buf, &out_len, encoding, level TSRMLS_CC)) { \
RETURN_FALSE; \
} \
- RETURN_STRINGL(out_buf, out_len, 0); \
+ RETVAL_STRINGL_CHECK(out_buf, out_len, 0); \
}
#define PHP_ZLIB_DECODE_FUNC(name, encoding) \
diff --git a/main/php_version.h b/main/php_version.h
index d79d63fb09..8fa4040c5e 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
/* edit configure.in to change version number */
#define PHP_MAJOR_VERSION 5
#define PHP_MINOR_VERSION 6
-#define PHP_RELEASE_VERSION 28
+#define PHP_RELEASE_VERSION 26
#define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.6.28-dev"
-#define PHP_VERSION_ID 50628
+#define PHP_VERSION "5.6.26-dev"
+#define PHP_VERSION_ID 50626