derick          Wed Mar 15 12:20:49 2006 UTC

  Modified files:              
    /php-src/ext/standard       string.c 
  Log:
  - Fixed two memory issues:
    - In the first one we were calculating tmp_len wrongly, which made the
        u_strFromUTF32() function try to convert too many code points.
    - The second issue was a bit more subtle, as the "what" string wasn't
        duplicated but was still modified. This string is passed as data to the
        function, and the engine tries to free this kind of data when the
        function ends. Because we were re-allocating the data, the original
        memory location was already freed, resulting in a double free error
        when the engine tried to free the argument as it was passed to the
        function.
  
  
http://cvs.php.net/viewcvs.cgi/php-src/ext/standard/string.c?r1=1.528&r2=1.529&diff_format=u
Index: php-src/ext/standard/string.c
diff -u php-src/ext/standard/string.c:1.528 php-src/ext/standard/string.c:1.529
--- php-src/ext/standard/string.c:1.528 Tue Mar 14 15:14:59 2006
+++ php-src/ext/standard/string.c       Wed Mar 15 12:20:49 2006
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
  */
 
-/* $Id: string.c,v 1.528 2006/03/14 15:14:59 tony2001 Exp $ */
+/* $Id: string.c,v 1.529 2006/03/15 12:20:49 derick Exp $ */
 
 /* Synced with php 3.0 revision 1.193 1999-06-16 [ssb] */
 
@@ -632,8 +632,8 @@
        for ( idx = 0, end = input+len ; input < end ; input++ ) {
                c = input[0];
                if ( (input+3 < end) && input[1] == '.' && input[2] == '.' && 
input[3] >= c ) {
-                       tmp_len += (input[3] - c + 1);
-                       tmp = (UChar32 *)erealloc(tmp, tmp_len*sizeof(UChar32));
+                       tmp_len += (input[3] - c + 1 - 4);
+                       tmp = (UChar32 *)erealloc(tmp, 
(tmp_len+1)*sizeof(UChar32));
                        for ( ; c <= input[3] ; c++ ) {
                                if ( U_IS_UNICODE_CHAR(c) ) tmp[idx++] = c;
                        }
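Review bot: `tmp_len` can still end up larger than the number of slots actually written, because the inner loop stores a code point only when `U_IS_UNICODE_CHAR(c)` holds while `tmp_len` grows by the full width of the range. For a range that crosses surrogates or noncharacters, `idx` finishes below `tmp_len`, and if the later `u_strFromUTF32()` call (outside this hunk) takes `tmp_len` as its source length it would read uninitialised `erealloc()` memory, the same kind of over-read this commit sets out to fix. Passing `idx` as the source length, or setting `tmp_len = idx;` once the outer loop finishes, would close that gap. The `- 4` and the `+1` also deserve a comment such as `/* "a..z" consumes 4 input units; keep one spare slot */`, since neither is explained in the code. The outer loop body continues outside the hunk.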
@@ -700,6 +700,7 @@
        int32_t start = 0, end = len;
 
        if ( what ) {
+               what = eustrndup(what, what_len);
                php_expand_u_trim_range(&what, &what_len TSRMLS_CC);
        }
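Review bot: The new `eustrndup()` call inside `if ( what )` has no comment saying why the argument is copied, and the reason is only recorded in the commit log. I would add `/* php_expand_u_trim_range() reallocates *what; work on a private copy so the engine-owned argument is not freed twice */` above it. Reassigning the parameter also hides that `what` now names memory this function owns, so a separate local for the copy would make the ownership easier to follow. The enclosing function starts and ends outside the hunk.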
 
@@ -738,6 +739,10 @@
        } else {
                --end;
        }
+       if ( what )
+       {
+               efree( what );
+       }
 
        if ( start < len ) {
                if ( return_value ) {
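Review bot: The `efree( what )` added here runs only on the path that falls through to this point, so any return between the `eustrndup()` in the `@@ -700` hunk and this line would leave the copy allocated. That code is outside the hunk, so it is worth confirming that no early exit exists there. On style, the new block puts its opening brace on its own line while the neighbouring `if ( what ) {` and `if ( start < len ) {` keep it on the same line; `if ( what ) {` would match the surrounding code.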
