iliaa                                    Sun, 02 May 2010 19:34:21 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=298881

Log:
- Fixed a possible stack exhaustion inside fnmatch(). Reported by Stefan Esser

Changed paths:
    U   php/php-src/branches/PHP_5_2/NEWS
    U   php/php-src/branches/PHP_5_2/ext/standard/file.c
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/standard/file.c
    U   php/php-src/trunk/ext/standard/file.c

Modified: php/php-src/branches/PHP_5_2/NEWS
===================================================================
--- php/php-src/branches/PHP_5_2/NEWS   2010-05-02 18:47:27 UTC (rev 298880)
+++ php/php-src/branches/PHP_5_2/NEWS   2010-05-02 19:34:21 UTC (rev 298881)
@@ -8,6 +8,8 @@

 - Updated timezone database to version 2010.5. (Derick)

+- Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan
+  Esser (Ilia)
 - Reset error state in PDO::beginTransaction() reset error state. (Ilia)
 - Fixed a NULL pointer dereference when processing invalid XML-RPC
   requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert)

Modified: php/php-src/branches/PHP_5_2/ext/standard/file.c
===================================================================
--- php/php-src/branches/PHP_5_2/ext/standard/file.c    2010-05-02 18:47:27 UTC 
(rev 298880)
+++ php/php-src/branches/PHP_5_2/ext/standard/file.c    2010-05-02 19:34:21 UTC 
(rev 298881)
@@ -2551,6 +2551,10 @@
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds 
the maximum allowed length of %d characters", MAXPATHLEN);
                RETURN_FALSE;
        }
+       if (pattern_len >= MAXPATHLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds 
the maximum allowed length of %d characters", MAXPATHLEN);
+               RETURN_FALSE;
+       }

        RETURN_BOOL( ! fnmatch( pattern, filename, flags ));
 }
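Review bot: The new `pattern_len >= MAXPATHLEN` guard carries no comment explaining why a glob pattern is capped at a path-length constant, so it reads as arbitrary and is easy to relax later. Going by the log it exists to bound the work done inside the C library's fnmatch(), so I would put `/* cap the pattern length: fnmatch() can exhaust the stack on very long patterns */` above the check. MAXPATHLEN differs between platforms, so the accepted pattern length differs too, and callers with longer patterns now get FALSE plus a warning, which the fnmatch() documentation should state. The changed-paths list contains no test file; a regression test that passes an over-long pattern and expects the warning would pin the fix. The same applies to the identical hunks in the PHP_5_3 and trunk sections, and the enclosing function starts outside the hunk.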

Modified: php/php-src/branches/PHP_5_3/NEWS
===================================================================
--- php/php-src/branches/PHP_5_3/NEWS   2010-05-02 18:47:27 UTC (rev 298880)
+++ php/php-src/branches/PHP_5_3/NEWS   2010-05-02 19:34:21 UTC (rev 298881)
@@ -23,6 +23,8 @@
 - Fixed very rare memory leak in mysqlnd, when binding thousands of columns.
   (Andrey)

+- Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan
+  Esser (Ilia)
 - Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser.
   (Pierre)
 - Fixed a possible arbitrary memory access inside sqlite extension. Reported

Modified: php/php-src/branches/PHP_5_3/ext/standard/file.c
===================================================================
--- php/php-src/branches/PHP_5_3/ext/standard/file.c    2010-05-02 18:47:27 UTC 
(rev 298880)
+++ php/php-src/branches/PHP_5_3/ext/standard/file.c    2010-05-02 19:34:21 UTC 
(rev 298881)
@@ -136,27 +136,13 @@

 /* {{{ ZTS-stuff / Globals / Prototypes */

-/* sharing globals is *evil* */
-static int le_stream_context = FAILURE;

-PHPAPI int php_le_stream_context(void)
-{
-       return le_stream_context;
-}
 /* }}} */

 /* {{{ Module-Stuff
 */
-static ZEND_RSRC_DTOR_FUNC(file_context_dtor)
-{
-       php_stream_context *context = (php_stream_context*)rsrc->ptr;
-       if (context->options) {
-               zval_ptr_dtor(&context->options);
-               context->options = NULL;
-       }
-       php_stream_context_free(context);
-}

+
 static void file_globals_ctor(php_file_globals *file_globals_p TSRMLS_DC)
 {
        FG(pclose_ret) = 0;
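Review bot: The removal of `le_stream_context`, `php_le_stream_context()` and `file_context_dtor` here is not mentioned in the log, which describes only the fnmatch() fix, and it appears only in the PHP_5_3 section. `php_le_stream_context()` is declared PHPAPI, so unless it is defined elsewhere on this branch (not visible on this page) code calling it would no longer link. With the `zend_register_list_destructors_ex(file_context_dtor, ...)` call also dropped in the next hunk, the "stream-context" resource type would no longer be registered from this file. If the move is intended it belongs in its own commit with its own log entry; otherwise these two hunks look like an unrelated local change that should be backed out of the security fix. file_globals_ctor continues outside the hunk.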
@@ -176,7 +162,6 @@

 PHP_MINIT_FUNCTION(file)
 {
-       le_stream_context = 
zend_register_list_destructors_ex(file_context_dtor, NULL, "stream-context", 
module_number);

 #ifdef ZTS
        ts_allocate_id(&file_globals_id, sizeof(php_file_globals), 
(ts_allocate_ctor) file_globals_ctor, (ts_allocate_dtor) file_globals_dtor);
@@ -2521,6 +2506,10 @@
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds 
the maximum allowed length of %d characters", MAXPATHLEN);
                RETURN_FALSE;
        }
+       if (pattern_len >= MAXPATHLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds 
the maximum allowed length of %d characters", MAXPATHLEN);
+               RETURN_FALSE;
+       }

        RETURN_BOOL( ! fnmatch( pattern, filename, flags ));
 }

Modified: php/php-src/trunk/ext/standard/file.c
===================================================================
--- php/php-src/trunk/ext/standard/file.c       2010-05-02 18:47:27 UTC (rev 
298880)
+++ php/php-src/trunk/ext/standard/file.c       2010-05-02 19:34:21 UTC (rev 
298881)
@@ -2469,6 +2469,10 @@
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds 
the maximum allowed length of %d characters", MAXPATHLEN);
                RETURN_FALSE;
        }
+       if (pattern_len >= MAXPATHLEN) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds 
the maximum allowed length of %d characters", MAXPATHLEN);
+               RETURN_FALSE;
+       }

        RETURN_BOOL( ! fnmatch( pattern, filename, flags ));
 }
