stas Fri, 18 Nov 2011 07:11:19 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=319442
Log: fixes for bug #55748 Bug: https://bugs.php.net/55748 (error getting bug information) Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/Zend/zend_builtin_functions.c U php/php-src/branches/PHP_5_4/ext/com_dotnet/com_typeinfo.c U php/php-src/branches/PHP_5_4/ext/oci8/oci8.c U php/php-src/branches/PHP_5_4/ext/standard/syslog.c U php/php-src/trunk/Zend/zend_builtin_functions.c U php/php-src/trunk/ext/com_dotnet/com_typeinfo.c U php/php-src/trunk/ext/oci8/oci8.c U php/php-src/trunk/ext/standard/syslog.c Modified: php/php-src/branches/PHP_5_4/NEWS =================================================================== --- php/php-src/branches/PHP_5_4/NEWS 2011-11-18 07:07:42 UTC (rev 319441) +++ php/php-src/branches/PHP_5_4/NEWS 2011-11-18 07:11:19 UTC (rev 319442) @@ -10,6 +10,8 @@ (klightspeed at netspace dot net dot au) . Fixed bug #52624 (tempnam() by-pass open_basedir with nonexistent directory). (Felipe) + . Fixed bug #55748 (multiple NULL Pointer Dereference with zend_strndup()) + (CVE-2011-4153). (Stas) - MS SQL: . Fixed bug #60267 (Compile failure with freetds 0.91). (Felipe) Modified: php/php-src/branches/PHP_5_4/Zend/zend_builtin_functions.c =================================================================== --- php/php-src/branches/PHP_5_4/Zend/zend_builtin_functions.c 2011-11-18 07:07:42 UTC (rev 319441) +++ php/php-src/branches/PHP_5_4/Zend/zend_builtin_functions.c 2011-11-18 07:11:19 UTC (rev 319442) 
@@ -706,6 +706,9 @@
 }
 c.flags = case_sensitive; /* non persistent */
 c.name = IS_INTERNED(name) ? name : zend_strndup(name, name_len);
+ if(name == NULL) {
+ RETURN_FALSE;
+ }
 c.name_len = name_len+1;
 c.module_number = PHP_USER_CONSTANT;
 if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
Modified: php/php-src/branches/PHP_5_4/ext/com_dotnet/com_typeinfo.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/com_dotnet/com_typeinfo.c 2011-11-18 07:07:42 UTC (rev 319441)
+++ php/php-src/branches/PHP_5_4/ext/com_dotnet/com_typeinfo.c 2011-11-18 07:11:19 UTC (rev 319442)
@@ -187,6 +187,10 @@
 const_name = php_com_olestring_to_string(bstr_ids, &c.name_len, codepage TSRMLS_CC);
 c.name = zend_strndup(const_name, c.name_len);
 efree(const_name);
+ if(c.name == NULL) {
+ ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);
+ continue;
+ }
 c.name_len++; /* include NUL */
 SysFreeString(bstr_ids);
Modified: php/php-src/branches/PHP_5_4/ext/oci8/oci8.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/oci8/oci8.c 2011-11-18 07:07:42 UTC (rev 319441)
+++ php/php-src/branches/PHP_5_4/ext/oci8/oci8.c 2011-11-18 07:11:19 UTC (rev 319442)
@@ -2055,6 +2055,9 @@
 } else {
 connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection));
 connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len);
+ if(connection->hash_key == NULL) {
+ return NULL;
+ }
 connection->is_persistent = 1;
 }
 } else {
Modified: php/php-src/branches/PHP_5_4/ext/standard/syslog.c
===================================================================
--- php/php-src/branches/PHP_5_4/ext/standard/syslog.c 2011-11-18 07:07:42 UTC (rev 319441)
+++ php/php-src/branches/PHP_5_4/ext/standard/syslog.c 2011-11-18 07:11:19 UTC (rev 319442)
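Review bot: In the Zend/zend_builtin_functions.c hunk the added guard tests `name`, the caller's input string, instead of `c.name`, the value `zend_strndup()` just returned, so a failed duplication still leaves `c.name` NULL when `zend_register_constant()` is reached. The check should read `if (c.name == NULL) { RETURN_FALSE; }`. The identical hunk for trunk/Zend/zend_builtin_functions.c has the same mistake. The enclosing function starts and ends outside the hunk, so whether anything stored in `c` earlier needs releasing on this early return cannot be judged from here.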
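Review bot: In the ext/com_dotnet/com_typeinfo.c hunk the new failure branch runs `continue` before the `SysFreeString(bstr_ids);` that follows it, so on an allocation failure the BSTR appears to leak for that iteration. Adding `SysFreeString(bstr_ids);` ahead of `ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);` in the branch, or moving the check below the existing free, keeps the cleanup symmetrical. The loop header and the rest of its body are outside the hunk, so confirm nothing else releases `bstr_ids`. The trunk copy of this hunk needs the same change.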
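Review bot: In the ext/oci8/oci8.c hunk the new `return NULL;` drops the `connection` block that `calloc()` allocated two lines earlier, and the `calloc()` result itself is still dereferenced without a check, which is the same NULL-dereference class this commit is closing. I would add `if (connection == NULL) { return NULL; }` after the `calloc()` and `free(connection);` before the new `return NULL;`. The function begins and ends outside the hunk, so other state built up before this point (for example `hashed_details`) may also need releasing on these early returns. The trunk hunk for ext/oci8/oci8.c is identical.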
@@ -146,6 +146,9 @@
 free(BG(syslog_device));
 }
 BG(syslog_device) = zend_strndup(ident, ident_len);
+ if(BG(syslog_device) == NULL) {
+ RETURN_FALSE;
+ }
 openlog(BG(syslog_device), option, facility);
 RETURN_TRUE;
 }
Modified: php/php-src/trunk/Zend/zend_builtin_functions.c
===================================================================
--- php/php-src/trunk/Zend/zend_builtin_functions.c 2011-11-18 07:07:42 UTC (rev 319441)
+++ php/php-src/trunk/Zend/zend_builtin_functions.c 2011-11-18 07:11:19 UTC (rev 319442)
@@ -706,6 +706,9 @@
 }
 c.flags = case_sensitive; /* non persistent */
 c.name = IS_INTERNED(name) ? name : zend_strndup(name, name_len);
+ if(name == NULL) {
+ RETURN_FALSE;
+ }
 c.name_len = name_len+1;
 c.module_number = PHP_USER_CONSTANT;
 if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
Modified: php/php-src/trunk/ext/com_dotnet/com_typeinfo.c
===================================================================
--- php/php-src/trunk/ext/com_dotnet/com_typeinfo.c 2011-11-18 07:07:42 UTC (rev 319441)
+++ php/php-src/trunk/ext/com_dotnet/com_typeinfo.c 2011-11-18 07:11:19 UTC (rev 319442)
@@ -187,6 +187,10 @@
 const_name = php_com_olestring_to_string(bstr_ids, &c.name_len, codepage TSRMLS_CC);
 c.name = zend_strndup(const_name, c.name_len);
 efree(const_name);
+ if(c.name == NULL) {
+ ITypeInfo_ReleaseVarDesc(TypeInfo, pVarDesc);
+ continue;
+ }
 c.name_len++; /* include NUL */
 SysFreeString(bstr_ids);
Modified: php/php-src/trunk/ext/oci8/oci8.c
===================================================================
--- php/php-src/trunk/ext/oci8/oci8.c 2011-11-18 07:07:42 UTC (rev 319441)
+++ php/php-src/trunk/ext/oci8/oci8.c 2011-11-18 07:11:19 UTC (rev 319442)
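Review bot: In the ext/standard/syslog.c hunk the failure path returns without calling `openlog()` again, although the previous `BG(syslog_device)` buffer may already have been released by the `free()` in the context above. On C libraries where `openlog()` keeps the ident pointer rather than copying it, later `syslog()` calls would then read freed memory. Calling `closelog();` before `RETURN_FALSE;` would drop the stale ident. The condition guarding the `free()` is outside the hunk, and the trunk hunk for ext/standard/syslog.c is the same.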
@@ -2055,6 +2055,9 @@
 } else {
 connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection));
 connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len);
+ if(connection->hash_key == NULL) {
+ return NULL;
+ }
 connection->is_persistent = 1;
 }
 } else {
Modified: php/php-src/trunk/ext/standard/syslog.c
===================================================================
--- php/php-src/trunk/ext/standard/syslog.c 2011-11-18 07:07:42 UTC (rev 319441)
+++ php/php-src/trunk/ext/standard/syslog.c 2011-11-18 07:11:19 UTC (rev 319442)
@@ -146,6 +146,9 @@
 free(BG(syslog_device));
 }
 BG(syslog_device) = zend_strndup(ident, ident_len);
+ if(BG(syslog_device) == NULL) {
+ RETURN_FALSE;
+ }
 openlog(BG(syslog_device), option, facility);
 RETURN_TRUE;
 }
