diff options
| -rw-r--r-- | NEWS | 3 | ||||
| -rw-r--r-- | ext/pgsql/pgsql.c | 3 | ||||
| -rw-r--r-- | ext/standard/incomplete_class.c | 2 |
3 files changed, 7 insertions, 1 deletions
@@ -33,6 +33,9 @@ PHP NEWS - OpenSSL: . Fixed bug #67403 (Add signatureType to openssl_x509_parse). +- Postgres: + . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui) + - SPL: . Fixed bug #69227 (Use after free in zval_scan caused by spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index 2f12fd1829..7af7e8b039 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -6136,6 +6136,9 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const c /* schame.table should be "schame"."table" */ table_copy = estrdup(table); token = php_strtok_r(table_copy, ".", &tmp); + if (token == NULL) { + token = table; + } len = strlen(token); if (_php_pgsql_detect_identifier_escape(token, len) == SUCCESS) { smart_str_appendl(querystr, token, len); diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c index 5d0908e1a3..05619ddbc5 100644 --- a/ext/standard/incomplete_class.c +++ b/ext/standard/incomplete_class.c @@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen) object_properties = Z_OBJPROP_P(object); - if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) { + if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) { retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val)); if (nlen) { |