iliaa Thu, 19 Nov 2009 14:04:34 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=290995
Log: Fixed bug #50207 (segmentation fault when concatenating very large strings on 64bit linux). Bug: http://bugs.php.net/50207 (Verified) segmentation fault when concatenating very large strings on 64bit linux Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/Zend/zend_operators.c U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/Zend/zend_operators.c Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2009-11-19 14:00:05 UTC (rev 290994) +++ php/php-src/branches/PHP_5_2/NEWS 2009-11-19 14:04:34 UTC (rev 290995) @@ -6,6 +6,8 @@ - Changed "post_max_size" php.ini directive to allow unlimited post size by setting it to 0. (Rasmus) +- Fixed bug #50207 (segmentation fault when concatenating very large strings + on 64bit linux). (Ilia) - Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani) - Fixed bug #50174 (Incorrectly matched docComment). (Felipe) Modified: php/php-src/branches/PHP_5_2/Zend/zend_operators.c =================================================================== --- php/php-src/branches/PHP_5_2/Zend/zend_operators.c 2009-11-19 14:00:05 UTC (rev 290994) +++ php/php-src/branches/PHP_5_2/Zend/zend_operators.c 2009-11-19 14:04:34 UTC (rev 290995) @@ -1202,6 +1202,12 @@ } if (result==op1) { /* special case, perform operations on result */ uint res_len = op1->value.str.len + op2->value.str.len; + + if (Z_STRLEN_P(result) < 0) { + efree(Z_STRVAL_P(result)); + ZVAL_EMPTY_STRING(result); + zend_error(E_ERROR, "String size overflow"); + } result->value.str.val = erealloc(result->value.str.val, res_len+1); Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2009-11-19 14:00:05 UTC (rev 290994) +++ php/php-src/branches/PHP_5_3/NEWS 2009-11-19 14:04:34 UTC (rev 290995) 
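Review bot: The new guard `if (Z_STRLEN_P(result) < 0)` in the PHP_5_2 Zend/zend_operators.c hunk tests the length `result` already holds, not the sum just computed into `res_len`, so the concatenation that first exceeds the signed length range is not rejected here. It would only be caught on a later call, after a negative length has presumably been stored; the length assignment is outside the hunk, and the field looks signed given the `< 0` test. Checking the operands before the `erealloc` stops the overflow at its source, for example `if (Z_STRLEN_P(op2) > INT_MAX - Z_STRLEN_P(op1)) {` with the same cleanup and `zend_error` body. The matching hunk in PHP_5_3/Zend/zend_operators.c has the same gap. In both hunks only the `result==op1` path is guarded in the visible lines, and the rest of the function lies outside the hunk, so it should be confirmed whether the other path needs the same check.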
@@ -23,8 +23,11 @@ - Fixed memory leak in extension loading when an error occurs on Windows. (Pierre) + - Fixed bug #50212 (crash by ldap_get_option() with LDAP_OPT_NETWORK_TIMEOUT). (Ilia, shigeru_kitazaki at cybozu dot co dot jp) +- Fixed bug #50207 (segmentation fault when concatenating very large strings on + 64bit linux). (Ilia) - Fixed bug #50185 (ldap_get_entries() return false instead of an empty array when there is no error). (Jani) - Fixed bug #50140 (With default compilation option, php symbols are Modified: php/php-src/branches/PHP_5_3/Zend/zend_operators.c =================================================================== --- php/php-src/branches/PHP_5_3/Zend/zend_operators.c 2009-11-19 14:00:05 UTC (rev 290994) +++ php/php-src/branches/PHP_5_3/Zend/zend_operators.c 2009-11-19 14:04:34 UTC (rev 290995) @@ -1227,6 +1227,12 @@ if (result==op1) { /* special case, perform operations on result */ uint res_len = Z_STRLEN_P(op1) + Z_STRLEN_P(op2); + if (Z_STRLEN_P(result) < 0) { + efree(Z_STRVAL_P(result)); + ZVAL_EMPTY_STRING(result); + zend_error(E_ERROR, "String size overflow"); + } + Z_STRVAL_P(result) = erealloc(Z_STRVAL_P(result), res_len+1); memcpy(Z_STRVAL_P(result)+Z_STRLEN_P(result), Z_STRVAL_P(op2), Z_STRLEN_P(op2));