iliaa Sun, 02 May 2010 19:34:21 +0000 Revision: http://svn.php.net/viewvc?view=revision&revision=298881
Log: - Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan Esser Changed paths: U php/php-src/branches/PHP_5_2/NEWS U php/php-src/branches/PHP_5_2/ext/standard/file.c U php/php-src/branches/PHP_5_3/NEWS U php/php-src/branches/PHP_5_3/ext/standard/file.c U php/php-src/trunk/ext/standard/file.c Modified: php/php-src/branches/PHP_5_2/NEWS =================================================================== --- php/php-src/branches/PHP_5_2/NEWS 2010-05-02 18:47:27 UTC (rev 298880) +++ php/php-src/branches/PHP_5_2/NEWS 2010-05-02 19:34:21 UTC (rev 298881) @@ -8,6 +8,8 @@ - Updated timezone database to version 2010.5. (Derick) +- Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan + Esser (Ilia) - Reset error state in PDO::beginTransaction() reset error state. (Ilia) - Fixed a NULL pointer dereference when processing invalid XML-RPC requests (Fixes CVE-2010-0397, bug #51288). (Raphael Geissert) Modified: php/php-src/branches/PHP_5_2/ext/standard/file.c =================================================================== --- php/php-src/branches/PHP_5_2/ext/standard/file.c 2010-05-02 18:47:27 UTC (rev 298880) +++ php/php-src/branches/PHP_5_2/ext/standard/file.c 2010-05-02 19:34:21 UTC (rev 298881) @@ -2551,6 +2551,10 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN); RETURN_FALSE; } + if (pattern_len >= MAXPATHLEN) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN); + RETURN_FALSE; + } RETURN_BOOL( ! fnmatch( pattern, filename, flags )); } Modified: php/php-src/branches/PHP_5_3/NEWS =================================================================== --- php/php-src/branches/PHP_5_3/NEWS 2010-05-02 18:47:27 UTC (rev 298880) +++ php/php-src/branches/PHP_5_3/NEWS 2010-05-02 19:34:21 UTC (rev 298881) 
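Review bot: The new `pattern_len >= MAXPATHLEN` guard ahead of the `fnmatch()` call has no comment saying why a pattern is capped at a path-length constant, so a later cleanup could mistake it for a redundant path check and remove it; a line such as `/* cap the pattern: over-long patterns can exhaust the stack inside the system fnmatch() */` would record the intent. MAXPATHLEN differs between platforms, so the permitted pattern length presumably varies too, and nothing visible here shows that every supported C library stays within its stack at that length. The changed paths list no test file in any of the three branches; a regression test that passes an over-long pattern and expects the warning and a `false` return would keep the guard from being lost. The same applies to the identical hunks at -2521,6 +2506,10 (PHP_5_3) and -2469,6 +2469,10 (trunk); the enclosing function starts outside each hunk.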
@@ -23,6 +23,8 @@ - Fixed very rare memory leak in mysqlnd, when binding thousands of columns. (Andrey) +- Fixed a possible stack exaustion inside fnmatch(). Reporeted by Stefan + Esser (Ilia) - Fixed a possible dechunking filter buffer overflow. Reported by Stefan Esser. (Pierre) - Fixed a possible arbitrary memory access inside sqlite extension. Reported Modified: php/php-src/branches/PHP_5_3/ext/standard/file.c =================================================================== --- php/php-src/branches/PHP_5_3/ext/standard/file.c 2010-05-02 18:47:27 UTC (rev 298880) +++ php/php-src/branches/PHP_5_3/ext/standard/file.c 2010-05-02 19:34:21 UTC (rev 298881) @@ -136,27 +136,13 @@ /* {{{ ZTS-stuff / Globals / Prototypes */ -/* sharing globals is *evil* */ -static int le_stream_context = FAILURE; -PHPAPI int php_le_stream_context(void) -{ - return le_stream_context; -} /* }}} */ /* {{{ Module-Stuff */ -static ZEND_RSRC_DTOR_FUNC(file_context_dtor) -{ - php_stream_context *context = (php_stream_context*)rsrc->ptr; - if (context->options) { - zval_ptr_dtor(&context->options); - context->options = NULL; - } - php_stream_context_free(context); -} + static void file_globals_ctor(php_file_globals *file_globals_p TSRMLS_DC) { FG(pclose_ret) = 0; @@ -176,7 +162,6 @@ PHP_MINIT_FUNCTION(file) { - le_stream_context = zend_register_list_destructors_ex(file_context_dtor, NULL, "stream-context", module_number); #ifdef ZTS ts_allocate_id(&file_globals_id, sizeof(php_file_globals), (ts_allocate_ctor) file_globals_ctor, (ts_allocate_dtor) file_globals_dtor); 
@@ -2521,6 +2506,10 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN); RETURN_FALSE; } + if (pattern_len >= MAXPATHLEN) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN); + RETURN_FALSE; + } RETURN_BOOL( ! fnmatch( pattern, filename, flags )); } Modified: php/php-src/trunk/ext/standard/file.c =================================================================== --- php/php-src/trunk/ext/standard/file.c 2010-05-02 18:47:27 UTC (rev 298880) +++ php/php-src/trunk/ext/standard/file.c 2010-05-02 19:34:21 UTC (rev 298881) @@ -2469,6 +2469,10 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename exceeds the maximum allowed length of %d characters", MAXPATHLEN); RETURN_FALSE; } + if (pattern_len >= MAXPATHLEN) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN); + RETURN_FALSE; + } RETURN_BOOL( ! fnmatch( pattern, filename, flags )); }