sniper Thu Apr 21 10:47:15 2005 EDT
Modified files: (Branch: PHP_4_3)
/php-src/ext/standard basic_functions.c
/php-src NEWS
Log:
MFH: - Fixed bug #32647 (Using register_shutdown_function() with invalid
callback can crash PHP)
http://cvs.php.net/diff.php/php-src/ext/standard/basic_functions.c?r1=1.543.2.47&r2=1.543.2.48&ty=u
Index: php-src/ext/standard/basic_functions.c
diff -u php-src/ext/standard/basic_functions.c:1.543.2.47
php-src/ext/standard/basic_functions.c:1.543.2.48
--- php-src/ext/standard/basic_functions.c:1.543.2.47 Tue Jan 18 06:01:20 2005
+++ php-src/ext/standard/basic_functions.c Thu Apr 21 10:47:10 2005
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: basic_functions.c,v 1.543.2.47 2005/01/18 11:01:20 sniper Exp $ */
+/* $Id: basic_functions.c,v 1.543.2.48 2005/04/21 14:47:10 sniper Exp $ */
#include "php.h"
#include "php_streams.h"
@@ -2089,17 +2089,21 @@
static int user_shutdown_function_call(php_shutdown_function_entry
*shutdown_function_entry TSRMLS_DC)
{
zval retval;
+ char *function_name = NULL;
- if (call_user_function( EG(function_table), NULL,
-
shutdown_function_entry->arguments[0],
- &retval,
-
shutdown_function_entry->arg_count - 1,
-
shutdown_function_entry->arguments + 1
- TSRMLS_CC ) == SUCCESS
) {
+ if (!zend_is_callable(shutdown_function_entry->arguments[0], 0,
&function_name)) {
+ php_error(E_WARNING, "(Registered shutdown functions) Unable to
call %s() - function does not exist", function_name);
+ } else if (call_user_function(EG(function_table), NULL,
+
shutdown_function_entry->arguments[0],
+ &retval,
+
shutdown_function_entry->arg_count - 1,
+
shutdown_function_entry->arguments + 1
+ TSRMLS_CC ) ==
SUCCESS)
+ {
zval_dtor(&retval);
-
- } else {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call
%s() - function does not exist",
Z_STRVAL_P(shutdown_function_entry->arguments[0]));
+ }
+ if (function_name) {
+ efree(function_name);
}
return 0;
}
@@ -2192,6 +2196,7 @@
PHP_FUNCTION(register_shutdown_function)
{
php_shutdown_function_entry shutdown_function_entry;
+ char *function_name = NULL;
int i;
shutdown_function_entry.arg_count = ZEND_NUM_ARGS();
@@ -2200,26 +2205,31 @@
WRONG_PARAM_COUNT;
}
- shutdown_function_entry.arguments = (pval **) safe_emalloc(sizeof(pval
*), shutdown_function_entry.arg_count, 0);
+ shutdown_function_entry.arguments = (zval **) safe_emalloc(sizeof(zval
*), shutdown_function_entry.arg_count, 0);
if (zend_get_parameters_array(ht, shutdown_function_entry.arg_count,
shutdown_function_entry.arguments) == FAILURE) {
RETURN_FALSE;
}
- /* Prevent entering of anything but arrays/strings */
- if (Z_TYPE_P(shutdown_function_entry.arguments[0]) != IS_ARRAY) {
- convert_to_string(shutdown_function_entry.arguments[0]);
- }
-
- if (!BG(user_shutdown_function_names)) {
- ALLOC_HASHTABLE(BG(user_shutdown_function_names));
- zend_hash_init(BG(user_shutdown_function_names), 0, NULL, (void
(*)(void *)) user_shutdown_function_dtor, 0);
- }
+ /* Prevent entering of anything but valid callback (syntax check only!)
*/
+ if (!zend_is_callable(shutdown_function_entry.arguments[0], 1,
&function_name)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid shutdown
callback '%s' passed", function_name);
+ efree(shutdown_function_entry.arguments);
+ RETVAL_FALSE;
+ } else {
+ if (!BG(user_shutdown_function_names)) {
+ ALLOC_HASHTABLE(BG(user_shutdown_function_names));
+ zend_hash_init(BG(user_shutdown_function_names), 0,
NULL, (void (*)(void *)) user_shutdown_function_dtor, 0);
+ }
- for (i = 0; i < shutdown_function_entry.arg_count; i++) {
- shutdown_function_entry.arguments[i]->refcount++;
+ for (i = 0; i < shutdown_function_entry.arg_count; i++) {
+ shutdown_function_entry.arguments[i]->refcount++;
+ }
+ zend_hash_next_index_insert(BG(user_shutdown_function_names),
&shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
+ }
+ if (function_name) {
+ efree(function_name);
}
- zend_hash_next_index_insert(BG(user_shutdown_function_names),
&shutdown_function_entry, sizeof(php_shutdown_function_entry), NULL);
}
/* }}} */
http://cvs.php.net/diff.php/php-src/NEWS?r1=1.1247.2.882&r2=1.1247.2.883&ty=u
Index: php-src/NEWS
diff -u php-src/NEWS:1.1247.2.882 php-src/NEWS:1.1247.2.883
--- php-src/NEWS:1.1247.2.882 Wed Apr 20 16:51:45 2005
+++ php-src/NEWS Thu Apr 21 10:47:13 2005
@@ -11,6 +11,8 @@
(Derick)
- Fixed bug #32682 (ext/mssql: Error on module shutdown when called from
activescript). (Frank)
+- Fixed bug #32647 (Using register_shutdown_function() with invalid callback
+ can crash PHP). (Jani)
- Fixed bug #32591 (ext/mysql: Unsatisfied symbol: ntohs with HP-UX). (Jani)
- Fixed bug #32589 (Possible crash inside imap_mail_compose, with charsets).
(Ilia)
--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
