From 77d0643b68f9f9405131e583f549d15240bfa358 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Fri, 18 Nov 2011 07:11:19 +0000
Subject: fixes for bug #55748
---
 NEWS | 2 ++
 Zend/zend_builtin_functions.c | 3 +++
 ext/com_dotnet/com_typeinfo.c | 4 ++++
 ext/oci8/oci8.c | 3 +++
 ext/standard/syslog.c | 3 +++
 5 files changed, 15 insertions(+)
diff --git a/NEWS b/NEWS
index 717cb7137d..ef552e452d 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,8 @@ PHP NEWS
 (klightspeed at netspace dot net dot au)
 . Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory). (Felipe)
+ . Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup())
+ (CVE-2011-4153). (Stas)
 - MS SQL:
 . Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe)
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index aeacda54e2..e4d6303839 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -706,6 +706,9 @@ repeat:
 }
 c.flags = case_sensitive; /* non persistent */
 c.name = IS_INTERNED(name) ? name : zend_strndup(name, name_len);
+ if(name == NULL) {
+ RETURN_FALSE;
+ }
 c.name_len = name_len+1;
 c.module_number = PHP_USER_CONSTANT;
 if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
diff --git a/ext/com_dotnet/com_typeinfo.c b/ext/com_dotnet/com_typeinfo.c
index e2d5d28af5..2934c05933 100644
--- a/ext/com_dotnet/com_typeinfo.c
+++ b/ext/com_dotnet/com_typeinfo.c
@@ -187,6 +187,10 @@ PHPAPI int php_com_import_typelib(ITypeLib *TL, int mode, int codepage TSRMLS_DC
 const_name = php_com_olestring_to_string(bstr_ids, &c.name_len, codepage TSRMLS_CC);
 c.name = zend_strndup(const_name, c.name_len);
 efree(const_name);
+ if(c.name == NULL) {
+ ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);
+ continue;
+ }
 c.name_len++; /* include NUL */
 SysFreeString(bstr_ids);
diff --git a/ext/oci8/oci8.c b/ext/oci8/oci8.c
index 809ff816ae..2b63a6faf5 100644
--- a/ext/oci8/oci8.c
+++ b/ext/oci8/oci8.c
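Review bot: The check added in Zend/zend_builtin_functions.c tests `name`, not the pointer that `zend_strndup()` has just returned, so a failed allocation still leaves `c.name` NULL and execution continues to `zend_register_constant(&c TSRMLS_CC)`. `name` was already passed to `IS_INTERNED()` and `zend_strndup()` on the line above, so testing it afterwards protects nothing. The guard should read `if (c.name == NULL) { RETURN_FALSE; }`. The enclosing function starts and ends outside the hunk, so whether `c.value` needs to be released on this early return cannot be judged from here.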
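Review bot: The new `continue` branch in ext/com_dotnet/com_typeinfo.c skips `SysFreeString(bstr_ids);`, which sits two lines further down in the same hunk, so each failed `zend_strndup()` leaks the BSTR. Add `SysFreeString(bstr_ids);` next to `ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);` inside the failure branch. The loop header is outside the hunk, so it is worth confirming that `continue` still advances the iteration; an index incremented at the bottom of the body would be skipped.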
@@ -2055,6 +2055,9 @@ php_oci_connection *php_oci_do_connect_ex(char *username, int username_len, char
 } else {
 connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection));
 connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len);
+ if(connection->hash_key == NULL) {
+ return NULL;
+ }
 connection->is_persistent = 1;
 }
 } else {
diff --git a/ext/standard/syslog.c b/ext/standard/syslog.c
index 2abef47859..cc49cc5f4a 100644
--- a/ext/standard/syslog.c
+++ b/ext/standard/syslog.c
@@ -146,6 +146,9 @@ PHP_FUNCTION(openlog)
 free(BG(syslog_device));
 }
 BG(syslog_device) = zend_strndup(ident, ident_len);
+ if(BG(syslog_device) == NULL) {
+ RETURN_FALSE;
+ }
 openlog(BG(syslog_device), option, facility);
 RETURN_TRUE;
 }
-- cgit v1.2.1
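Review bot: In ext/oci8/oci8.c the result of `calloc()` is dereferenced on the very next line (`connection->hash_key = ...`) without a NULL check, which is the same allocation-failure dereference this commit sets out to remove. The added `return NULL;` also leaks the `connection` struct that was just allocated. Add `if (connection == NULL) { return NULL; }` directly after the `calloc()` call and `free(connection);` before the new `return NULL;`. The function body extends well beyond the hunk, so any cleanup owed for `hashed_details` or other state acquired earlier should be checked against the function's existing error exits.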
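Review bot: On the new failure path in ext/standard/syslog.c the previous `BG(syslog_device)` buffer has already been released by the `free()` at the top of the hunk, yet the function returns without calling `openlog()` or `closelog()`. If the C library keeps the ident pointer from an earlier `openlog()` call rather than copying the string, later `syslog()` calls would read freed memory. Either call `closelog();` before `RETURN_FALSE;`, or allocate the new copy first and free the old one only once `zend_strndup()` has succeeded. The condition guarding the `free()` is outside the hunk.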