From 336b5f59b6c4ff023f5e79a39eabd284ac7f1e66 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 8 Jun 2014 23:00:38 -0700 Subject: Fixed bug #67399 (putenv with empty variable may lead to crash) --- ext/standard/basic_functions.c | 111 ++++++++++++++++++++--------------------- 1 file changed, 55 insertions(+), 56 deletions(-) (limited to 'ext/standard/basic_functions.c') diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index e525ff2a80..3baa9f43b0 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -4043,92 +4043,91 @@ PHP_FUNCTION(putenv) { char *setting; int setting_len; + char *p, **env; + putenv_entry pe; +#ifdef PHP_WIN32 + char *value = NULL; + int equals = 0; + int error_code; +#endif if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &setting, &setting_len) == FAILURE) { return; } + + if(setting_len == 0 || setting[0] == '=') { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter syntax"); + RETURN_FALSE; + } - if (setting_len) { - char *p, **env; - putenv_entry pe; + pe.putenv_string = estrndup(setting, setting_len); + pe.key = estrndup(setting, setting_len); + if ((p = strchr(pe.key, '='))) { /* nullify the '=' if there is one */ + *p = '\0'; #ifdef PHP_WIN32 - char *value = NULL; - int equals = 0; - int error_code; + equals = 1; #endif + } - pe.putenv_string = estrndup(setting, setting_len); - pe.key = estrndup(setting, setting_len); - if ((p = strchr(pe.key, '='))) { /* nullify the '=' if there is one */ - *p = '\0'; -#ifdef PHP_WIN32 - equals = 1; -#endif - } - - pe.key_len = strlen(pe.key); + pe.key_len = strlen(pe.key); #ifdef PHP_WIN32 - if (equals) { - if (pe.key_len < setting_len - 1) { - value = p + 1; - } else { - /* empty string*/ - value = p; - } + if (equals) { + if (pe.key_len < setting_len - 1) { + value = p + 1; + } else { + /* empty string*/ + value = p; } + } #endif - zend_hash_del(&BG(putenv_ht), pe.key, pe.key_len+1); + zend_hash_del(&BG(putenv_ht), pe.key, pe.key_len+1); - /* find previous value */ - pe.previous_value = NULL; - for (env = environ; env != NULL && *env != NULL; env++) { - if (!strncmp(*env, pe.key, pe.key_len) && (*env)[pe.key_len] == '=') { /* found it */ + /* find previous value */ + pe.previous_value = NULL; + for (env = environ; env != NULL && *env != NULL; env++) { + if (!strncmp(*env, pe.key, pe.key_len) && (*env)[pe.key_len] == '=') { /* found it */ #if defined(PHP_WIN32) - /* must copy previous value because MSVCRT's putenv can free the string without notice */ - pe.previous_value = estrdup(*env); + /* must copy previous value because MSVCRT's putenv can free the string without notice */ + pe.previous_value = estrdup(*env); #else - pe.previous_value = *env; + pe.previous_value = *env; #endif - break; - } + break; } + } #if HAVE_UNSETENV - if (!p) { /* no '=' means we want to unset it */ - unsetenv(pe.putenv_string); - } - if (!p || putenv(pe.putenv_string) == 0) { /* success */ + if (!p) { /* no '=' means we want to unset it */ + unsetenv(pe.putenv_string); + } + if (!p || putenv(pe.putenv_string) == 0) { /* success */ #else # ifndef PHP_WIN32 - if (putenv(pe.putenv_string) == 0) { /* success */ + if (putenv(pe.putenv_string) == 0) { /* success */ # else - error_code = SetEnvironmentVariable(pe.key, value); + error_code = SetEnvironmentVariable(pe.key, value); # if _MSC_VER < 1500 - /* Yet another VC6 bug, unset may return env not found */ - if (error_code != 0 || - (error_code == 0 && GetLastError() == ERROR_ENVVAR_NOT_FOUND)) { + /* Yet another VC6 bug, unset may return env not found */ + if (error_code != 0 || + (error_code == 0 && GetLastError() == ERROR_ENVVAR_NOT_FOUND)) { # else - if (error_code != 0) { /* success */ + if (error_code != 0) { /* success */ # endif # endif #endif - zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len + 1, (void **) &pe, sizeof(putenv_entry), NULL); + zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len + 1, (void **) &pe, sizeof(putenv_entry), NULL); #ifdef HAVE_TZSET - if (!strncmp(pe.key, "TZ", pe.key_len)) { - tzset(); - } -#endif - RETURN_TRUE; - } else { - efree(pe.putenv_string); - efree(pe.key); - RETURN_FALSE; + if (!strncmp(pe.key, "TZ", pe.key_len)) { + tzset(); } +#endif + RETURN_TRUE; + } else { + efree(pe.putenv_string); + efree(pe.key); + RETURN_FALSE; } - - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter syntax"); - RETURN_FALSE; } /* }}} */ #endif -- cgit v1.2.1 From b060880c8747a8234c2334691dfe04a60b705a15 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 8 Jun 2014 23:00:38 -0700 Subject: Fixed bug #67399 (putenv with empty variable may lead to crash) --- ext/standard/basic_functions.c | 111 ++++++++++++++++++++--------------------- 1 file changed, 55 insertions(+), 56 deletions(-) (limited to 'ext/standard/basic_functions.c') diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index de3719e1e9..189281bac6 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -4029,92 +4029,91 @@ PHP_FUNCTION(putenv) { char *setting; int setting_len; + char *p, **env; + putenv_entry pe; +#ifdef PHP_WIN32 + char *value = NULL; + int equals = 0; + int error_code; +#endif if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &setting, &setting_len) == FAILURE) { return; } + + if(setting_len == 0 || setting[0] == '=') { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter syntax"); + RETURN_FALSE; + } - if (setting_len) { - char *p, **env; - putenv_entry pe; + pe.putenv_string = estrndup(setting, setting_len); + pe.key = estrndup(setting, setting_len); + if ((p = strchr(pe.key, '='))) { /* nullify the '=' if there is one */ + *p = '\0'; #ifdef PHP_WIN32 - char *value = NULL; - int equals = 0; - int error_code; + equals = 1; #endif + } - pe.putenv_string = estrndup(setting, setting_len); - pe.key = estrndup(setting, setting_len); - if ((p = strchr(pe.key, '='))) { /* nullify the '=' if there is one */ - *p = '\0'; -#ifdef PHP_WIN32 - equals = 1; -#endif - } - - pe.key_len = strlen(pe.key); + pe.key_len = strlen(pe.key); #ifdef PHP_WIN32 - if (equals) { - if (pe.key_len < setting_len - 1) { - value = p + 1; - } else { - /* empty string*/ - value = p; - } + if (equals) { + if (pe.key_len < setting_len - 1) { + value = p + 1; + } else { + /* empty string*/ + value = p; } + } #endif - zend_hash_del(&BG(putenv_ht), pe.key, pe.key_len+1); + zend_hash_del(&BG(putenv_ht), pe.key, pe.key_len+1); - /* find previous value */ - pe.previous_value = NULL; - for (env = environ; env != NULL && *env != NULL; env++) { - if (!strncmp(*env, pe.key, pe.key_len) && (*env)[pe.key_len] == '=') { /* found it */ + /* find previous value */ + pe.previous_value = NULL; + for (env = environ; env != NULL && *env != NULL; env++) { + if (!strncmp(*env, pe.key, pe.key_len) && (*env)[pe.key_len] == '=') { /* found it */ #if defined(PHP_WIN32) - /* must copy previous value because MSVCRT's putenv can free the string without notice */ - pe.previous_value = estrdup(*env); + /* must copy previous value because MSVCRT's putenv can free the string without notice */ + pe.previous_value = estrdup(*env); #else - pe.previous_value = *env; + pe.previous_value = *env; #endif - break; - } + break; } + } #if HAVE_UNSETENV - if (!p) { /* no '=' means we want to unset it */ - unsetenv(pe.putenv_string); - } - if (!p || putenv(pe.putenv_string) == 0) { /* success */ + if (!p) { /* no '=' means we want to unset it */ + unsetenv(pe.putenv_string); + } + if (!p || putenv(pe.putenv_string) == 0) { /* success */ #else # ifndef PHP_WIN32 - if (putenv(pe.putenv_string) == 0) { /* success */ + if (putenv(pe.putenv_string) == 0) { /* success */ # else - error_code = SetEnvironmentVariable(pe.key, value); + error_code = SetEnvironmentVariable(pe.key, value); # if _MSC_VER < 1500 - /* Yet another VC6 bug, unset may return env not found */ - if (error_code != 0 || - (error_code == 0 && GetLastError() == ERROR_ENVVAR_NOT_FOUND)) { + /* Yet another VC6 bug, unset may return env not found */ + if (error_code != 0 || + (error_code == 0 && GetLastError() == ERROR_ENVVAR_NOT_FOUND)) { # else - if (error_code != 0) { /* success */ + if (error_code != 0) { /* success */ # endif # endif #endif - zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len + 1, (void **) &pe, sizeof(putenv_entry), NULL); + zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len + 1, (void **) &pe, sizeof(putenv_entry), NULL); #ifdef HAVE_TZSET - if (!strncmp(pe.key, "TZ", pe.key_len)) { - tzset(); - } -#endif - RETURN_TRUE; - } else { - efree(pe.putenv_string); - efree(pe.key); - RETURN_FALSE; + if (!strncmp(pe.key, "TZ", pe.key_len)) { + tzset(); } +#endif + RETURN_TRUE; + } else { + efree(pe.putenv_string); + efree(pe.key); + RETURN_FALSE; } - - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter syntax"); - RETURN_FALSE; } /* }}} */ #endif -- cgit v1.2.1 From c38ab260fe3a40cce049c835fb7833de00ab977c Mon Sep 17 00:00:00 2001 From: Ferenc Kovacs Date: Wed, 11 Jun 2014 14:43:09 +0200 Subject: Revert "Add optional second arg to unserialize()" This reverts commit cfd104582220d578ab1b78a5991065d038e1f931. --- ext/standard/basic_functions.c | 1 - 1 file changed, 1 deletion(-) (limited to 'ext/standard/basic_functions.c') diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index 3baa9f43b0..69e20fdd9a 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@ -2648,7 +2648,6 @@ ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_unserialize, 0, 0, 1) ZEND_ARG_INFO(0, variable_representation) - ZEND_ARG_INFO(1, consumed) ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_memory_get_usage, 0, 0, 0) -- cgit v1.2.1