head 1.10;
access;
symbols
OPENPKG_2_STABLE_MP:1.10
OPENPKG_E1_MP_HEAD:1.8
OPENPKG_E1_MP:1.8
OPENPKG_E1_MP_2_STABLE:1.6
OPENPKG_E1_FP:1.6
OPENPKG_2_STABLE_20061018:1.6
OPENPKG_2_STABLE:1.6.0.2
OPENPKG_2_STABLE_BP:1.6
OPENPKG_2_5_RELEASE:1.5
OPENPKG_2_5_SOLID:1.5.0.4
OPENPKG_2_5_SOLID_BP:1.5
OPENPKG_2_4_RELEASE:1.5
OPENPKG_2_4_SOLID:1.5.0.2
OPENPKG_2_4_SOLID_BP:1.5
OPENPKG_CW_FP:1.4
OPENPKG_2_3_RELEASE:1.4
OPENPKG_2_3_SOLID:1.4.0.2
OPENPKG_2_3_SOLID_BP:1.4
OPENPKG_2_2_RELEASE:1.3
OPENPKG_2_2_SOLID:1.3.0.2
OPENPKG_2_2_SOLID_BP:1.3
OPENPKG_2_1_RELEASE:1.2
OPENPKG_2_1_SOLID:1.2.0.4
OPENPKG_2_1_SOLID_BP:1.2
OPENPKG_2_0_RELEASE:1.2
OPENPKG_2_0_SOLID:1.2.0.2
OPENPKG_2_0_SOLID_BP:1.2
OPENPKG_1_3_RELEASE:1.1.2.1
OPENPKG_1_3_SOLID:1.1.2.1.0.2
OPENPKG_1_3_SOLID_BP:1.1.2.1
OPENPKG_1_STABLE:1.1.0.2
OPENPKG_1_STABLE_MP:1.1;
locks; strict;
comment @# @;
1.10
date 2007.02.08.21.03.08; author rse; state dead;
branches;
next 1.9;
commitid 70FdmFiv9eKxnJ5s;
1.9
date 2007.02.08.19.53.50; author rse; state Exp;
branches;
next 1.8;
commitid DhkSiUlctY6MZI5s;
1.8
date 2006.11.08.08.38.05; author rse; state Exp;
branches;
next 1.7;
commitid Zju28e19v2IidQTr;
1.7
date 2006.11.03.07.55.26; author rse; state Exp;
branches;
next 1.6;
commitid A59b33EWP9aD8cTr;
1.6
date 2006.05.28.12.28.22; author rse; state dead;
branches
1.6.2.1;
next 1.5;
commitid a5EGPEGCniw8LMyr;
1.5
date 2005.04.01.06.20.27; author rse; state Exp;
branches
1.5.2.1
1.5.4.1;
next 1.4;
1.4
date 2005.02.06.13.50.04; author rse; state Exp;
branches
1.4.2.1;
next 1.3;
1.3
date 2004.07.25.09.49.12; author rse; state Exp;
branches
1.3.2.1;
next 1.2;
1.2
date 2003.08.28.09.24.33; author mlelstv; state dead;
branches
1.2.2.1
1.2.4.1;
next 1.1;
1.1
date 2003.07.22.14.43.14; author rse; state Exp;
branches
1.1.2.1;
next ;
1.6.2.1
date 2006.11.03.08.01.49; author rse; state Exp;
branches;
next 1.6.2.2;
commitid K801jCzPHlmOacTr;
1.6.2.2
date 2006.11.03.22.41.46; author rse; state Exp;
branches;
next 1.6.2.3;
commitid XQm4qun8iFCH2hTr;
1.6.2.3
date 2006.12.22.19.13.17; author thl; state Exp;
branches;
next 1.6.2.4;
commitid 2LefOfqsS8nsjyZr;
1.6.2.4
date 2007.02.11.15.02.14; author rse; state dead;
branches;
next ;
commitid ICDdrDtxousKh56s;
1.5.2.1
date 2005.12.03.17.52.21; author rse; state Exp;
branches;
next ;
commitid wlGj5wHy4Rp2dccr;
1.5.4.1
date 2005.12.03.17.49.07; author rse; state Exp;
branches;
next ;
commitid Fx0wrPYKqpwVbccr;
1.4.2.1
date 2005.12.03.18.16.14; author rse; state Exp;
branches;
next ;
commitid 3wcIB6rCvlUclccr;
1.3.2.1
date 2004.12.16.16.58.20; author rse; state Exp;
branches;
next 1.3.2.2;
1.3.2.2
date 2004.12.16.20.26.59; author rse; state Exp;
branches;
next ;
1.2.2.1
date 2004.07.22.14.29.37; author thl; state Exp;
branches;
next ;
1.2.4.1
date 2004.07.27.10.12.09; author rse; state Exp;
branches;
next 1.2.4.2;
1.2.4.2
date 2004.12.16.17.02.17; author rse; state Exp;
branches;
next 1.2.4.3;
1.2.4.3
date 2004.12.16.20.31.27; author rse; state Exp;
branches;
next ;
1.1.2.1
date 2003.07.24.20.43.50; author rse; state Exp;
branches;
next ;
desc
@@
1.10
log
@remove obsolete patch
@
text
@Allow building against cURL 7.16.0 and higher
(http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.12&r2=1.62.2.14.2.13&view=patch)
Index: ext/curl/interface.c
--- ext/curl/interface.c.orig 2006-10-11 01:12:59 +0200
+++ ext/curl/interface.c 2006-11-08 09:26:28 +0100
@@@@ -369,7 +369,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FTPAPPEND);
REGISTER_CURL_CONSTANT(CURLOPT_NETRC);
REGISTER_CURL_CONSTANT(CURLOPT_FOLLOWLOCATION);
+#if CURLOPT_FTPASCII != 0
REGISTER_CURL_CONSTANT(CURLOPT_FTPASCII);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_PUT);
#if CURLOPT_MUTE != 0
REGISTER_CURL_CONSTANT(CURLOPT_MUTE);
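Review bot: The added `#if CURLOPT_FTPASCII != 0` guard, like the matching guards for `CURLOPT_PASSWDFUNCTION` and `CURLOPT_PASSWDDATA` in the next two hunks, only works while libcurl exposes these names as preprocessor macros, because an identifier the preprocessor does not know evaluates to 0 inside `#if`. If a libcurl header ever provides one of them as an enum member instead, the registration is dropped without any diagnostic. A comment above the first guard would make the assumption explicit, for example `/* deprecated options: libcurl defines these as macros or not at all; an unknown name reads as 0 in #if */`. The same patch text appears again later on the page and the remark applies there too.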
@@@@ -409,7 +411,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FILETIME);
REGISTER_CURL_CONSTANT(CURLOPT_WRITEFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_READFUNCTION);
+#if CURLOPT_PASSWDFUNCTION != 0
REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_HEADERFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_MAXREDIRS);
REGISTER_CURL_CONSTANT(CURLOPT_MAXCONNECTS);
@@@@ -1157,12 +1161,13 @@@@
dupch->handlers->write_header->fp = ch->handlers->write_header->fp;
dupch->handlers->read->fp = ch->handlers->read->fp;
dupch->handlers->read->fd = ch->handlers->read->fd;
-
+#if CURLOPT_PASSWDDATA != 0
if (ch->handlers->passwd) {
zval_add_ref(&ch->handlers->passwd);
dupch->handlers->passwd = ch->handlers->passwd;
curl_easy_setopt(ch->cp, CURLOPT_PASSWDDATA, (void *) dupch);
}
+#endif
if (ch->handlers->write->func_name) {
zval_add_ref(&ch->handlers->write->func_name);
dupch->handlers->write->func_name = ch->handlers->write->func_name;
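Review bot: Inside the new `#if CURLOPT_PASSWDDATA != 0` block, `curl_easy_setopt(ch->cp, CURLOPT_PASSWDDATA, (void *) dupch);` sets the option on the source handle `ch->cp` while passing the duplicate as data, which looks unintended in code that is populating `dupch`. The line is unchanged context, so the commit does not introduce it, but since the block is being touched it is worth confirming whether the duplicate's own handle was meant. When the guard is false, `dupch->handlers->passwd` keeps whatever value it had before this point; its initialisation is outside the hunk, so check that it starts as NULL. The enclosing function begins and ends outside the hunk.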
@
1.9
log
@remove already applied patch
@
text
@@
1.8
log
@fix building against our latest cURL 7.16
@
text
@a0 17
Security Fix (CVE-2006-4625)
Index: Zend/zend_ini.c
--- Zend/zend_ini.c.orig 2006-09-06 10:54:44 +0200
+++ Zend/zend_ini.c 2006-11-03 08:46:12 +0100
@@@@ -235,7 +235,8 @@@@
char *duplicate;
TSRMLS_FETCH();
- if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
+ if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER)==0)) {
return FAILURE;
}
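Review bot: The new runtime condition carries no comment saying why a restore is refused, and the reason is not obvious from the expression alone. A line such as `/* at runtime, only entries flagged ZEND_INI_USER may be restored by the script */` above the `if` would record the intent. The dereference of `ini_entry` in the second operand is safe only because `||` short-circuits after a failed `zend_hash_find`, which deserves a word in the same comment. The function body starts and ends outside the hunk.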
-----------------------------------------------------------------------------
@
1.7
log
@modifying package: apache-1.3.37 20061016 -> 20061103
@
text
@d15 5
d21 38
@
1.6
log
@upgrade embedded PHP from 4.4.2 to 5.1.4
@
text
@d1 8
a8 6
Index: ext/pdf/pdf.c
--- ext/pdf/pdf.c.orig 2004-09-13 19:12:13 +0200
+++ ext/pdf/pdf.c 2005-04-01 07:52:31 +0200
@@@@ -240,6 +240,16 @@@@
ZEND_GET_MODULE(pdf)
#endif
d10 5
a14 30
+ZEND_BEGIN_MODULE_GLOBALS(pdf)
+FILE *fp;
+ZEND_END_MODULE_GLOBALS(pdf)
+ZEND_DECLARE_MODULE_GLOBALS(pdf)
+#ifdef ZTS
+#define PDF_G(v) TSRMG(pdf_globals_id, zend_pdf_globals *, v)
+#else
+#define PDF_G(v) (pdf_globals.v)
+#endif
+
/* {{{ _free_pdf_doc
*/
static void _free_pdf_doc(zend_rsrc_list_entry *rsrc TSRMLS_DC)
@@@@ -305,6 +315,15 @@@@
}
/* }}} */
+/* {{{ pdf_flushwrite_fp
+ */
+static size_t pdf_flushwrite_fp(PDF *p, void *data, size_t size)
+{
+ FILE *fp = PDF_G(fp);
+ return fwrite(data, size, 1, fp);
+}
+/* }}} */
+
/* {{{ pdf_flushwrite
*/
static size_t pdf_flushwrite(PDF *p, void *data, size_t size)
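Review bot: `pdf_flushwrite_fp` returns `fwrite(data, size, 1, fp)`, which is the number of items written (0 or 1), not a byte count. If the write callback is expected to report bytes written, as the `size_t` return type and the `size` parameter suggest, the arguments should be swapped: `return fwrite(data, 1, size, fp);`. The function also uses `PDF_G(fp)` without a NULL check, while the globals initialiser added by this patch sets it to NULL, so a short comment should state that the callback is only installed after `PDF_G(fp)` has been assigned.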
@@@@ -339,8 +358,13 @@@@
a15 24
/* {{{ PHP_MINIT_FUNCTION
*/
+static void php_pdf_init_globals (zend_pdf_globals *g)
+{
+ g->fp = NULL;
+}
PHP_MINIT_FUNCTION(pdf)
{
+ ZEND_INIT_MODULE_GLOBALS(pdf, php_pdf_init_globals, NULL);
if ((PDF_get_majorversion() != PDFLIB_MAJORVERSION) ||
(PDF_get_minorversion() != PDFLIB_MINORVERSION)) {
php_error(E_ERROR,"PDFlib error: Version mismatch in wrapper code");
@@@@ -469,9 +493,8 @@@@
pdf = PDF_new2(custom_errorhandler, pdf_emalloc, pdf_realloc, pdf_efree, NULL);
if(fp) {
- if (PDF_open_fp(pdf, fp) < 0) {
- RETURN_FALSE;
- }
+ PDF_G(fp) = fp;
+ PDF_begin_document_callback(pdf, pdf_flushwrite_fp, "");
} else {
PDF_open_mem(pdf, pdf_flushwrite);
}
@
1.6.2.1
log
@re-add apache.patch.php file. Seems like it was lost sometime ago
@
text
@d1 6
a6 8
Security Fix (CVE-2006-4625)
Index: Zend/zend_ini.c
--- Zend/zend_ini.c.orig 2006-01-05 00:53:04 +0100
+++ Zend/zend_ini.c 2006-10-17 08:24:12 +0200
@@@@ -256,8 +256,8 @@@@
zend_ini_entry *ini_entry;
TSRMLS_FETCH();
d8 30
a37 5
- if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE) {
- return FAILURE;
+ if (zend_hash_find(EG(ini_directives), name, name_length, (void **) &ini_entry)==FAILURE ||
+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER) == 0)) { return FAILURE;
}
d39 7
a45 11
zend_restore_ini_entry_cb(ini_entry, stage TSRMLS_CC);
-----------------------------------------------------------------------------
Security Fix (CVE-2006-4812)
Index: Zend/zend_alloc.c
--- Zend/zend_alloc.c.orig 2006-08-10 19:16:24 +0200
+++ Zend/zend_alloc.c 2006-10-17 08:25:42 +0200
@@@@ -328,15 +328,14 @@@@
ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
d47 6
a52 34
void *p;
- int final_size = size*nmemb;
HANDLE_BLOCK_INTERRUPTIONS();
- p = _emalloc(final_size ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
+ p = _safe_emalloc(nmemb, size, 0 ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_ORIG_RELAY_CC);
if (!p) {
HANDLE_UNBLOCK_INTERRUPTIONS();
return (void *) p;
}
- memset(p, 0, final_size);
+ memset(p, 0, size * nmemb);
HANDLE_UNBLOCK_INTERRUPTIONS();
return p;
}
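Review bot: The replacement `memset(p, 0, size * nmemb);` repeats the multiplication without any overflow check, so it is only correct if `_safe_emalloc(nmemb, size, 0 ...)` never hands back a too-small block when `nmemb * size` overflows. That behaviour is defined outside this hunk; if it holds, record it directly above the `memset` with a comment such as `/* _safe_emalloc() has already rejected an overflowing nmemb * size */`. If it instead returns NULL on overflow, the existing `if (!p)` branch covers it and the comment should say that.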
-----------------------------------------------------------------------------
Security Fix (CVE-2006-5178)
Index: main/php_open_temporary_file.c
--- main/php_open_temporary_file.c.orig 2006-05-24 01:22:26 +0200
+++ main/php_open_temporary_file.c 2006-10-17 08:26:02 +0200
@@@@ -206,6 +206,7 @@@@
PHPAPI int php_open_temporary_fd(const char *dir, const char *pfx, char **opened_path_p TSRMLS_DC)
{
int fd;
+ const char *temp_dir;
if (!pfx) {
pfx = "tmp.";
@@@@ -214,11 +215,22 @@@@
*opened_path_p = NULL;
}
d54 8
a61 17
+ if (!dir || *dir == '\0') {
+def_tmp:
+ temp_dir = php_get_temporary_directory();
+
+ if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
+ return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
+ } else {
+ return -1;
+ }
+ }
+
/* Try the directory given as parameter. */
fd = php_do_open_temporary_file(dir, pfx, opened_path_p TSRMLS_CC);
if (fd == -1) {
/* Use default temporary directory. */
- fd = php_do_open_temporary_file(php_get_temporary_directory(), pfx, opened_path_p TSRMLS_CC);
+ goto def_tmp;
a62 2
return fd;
}
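Review bot: `goto def_tmp` jumps backwards into the body of the `if (!dir || *dir == '\0')` block, which is legal C but makes the fallback path hard to follow and easy to break when that block is edited. Moving the default-directory logic into a small static helper and calling it from both places keeps the `php_check_open_basedir` test in one spot without the label. The helper name below is only a suggestion, and part of `php_open_temporary_fd` lies outside the hunk.

```c
/* Open a temporary file in the default directory, subject to open_basedir. */
static int php_open_default_temporary_fd(const char *pfx, char **opened_path_p TSRMLS_DC)
{
	const char *temp_dir = php_get_temporary_directory();

	if (temp_dir && *temp_dir != '\0' && !php_check_open_basedir(temp_dir TSRMLS_CC)) {
		return php_do_open_temporary_file(temp_dir, pfx, opened_path_p TSRMLS_CC);
	}
	return -1;
}

/* … unchanged: php_open_temporary_fd signature, pfx and opened_path_p defaults … */
	if (!dir || *dir == '\0') {
		return php_open_default_temporary_fd(pfx, opened_path_p TSRMLS_CC);
	}
/* … unchanged: try the directory given as parameter … */
	if (fd == -1) {
		fd = php_open_default_temporary_fd(pfx, opened_path_p TSRMLS_CC);
	}
```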
@
1.6.2.2
log
@MFC: recent fixes and upgrade to security fixed new upstream PHP version
@
text
@d4 4
a7 4
--- Zend/zend_ini.c.orig 2006-09-06 10:54:44 +0200
+++ Zend/zend_ini.c 2006-11-03 08:46:12 +0100
@@@@ -235,7 +235,8 @@@@
char *duplicate;
d11 1
d13 1
a13 2
+ (stage == ZEND_INI_STAGE_RUNTIME && (ini_entry->modifiable & ZEND_INI_USER)==0)) {
return FAILURE;
d16 67
@
1.6.2.3
log
@MFC: make up leeway for 2_STABLE by virtue of build-time results
@
text
@a14 5
-----------------------------------------------------------------------------
Allow building against cURL 7.16.0 and higher
(http://cvs.php.net/viewcvs.cgi/php-src/ext/curl/interface.c?r1=1.62.2.14.2.12&r2=1.62.2.14.2.13&view=patch)
a15 38
Index: ext/curl/interface.c
--- ext/curl/interface.c.orig 2006-10-11 01:12:59 +0200
+++ ext/curl/interface.c 2006-11-08 09:26:28 +0100
@@@@ -369,7 +369,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FTPAPPEND);
REGISTER_CURL_CONSTANT(CURLOPT_NETRC);
REGISTER_CURL_CONSTANT(CURLOPT_FOLLOWLOCATION);
+#if CURLOPT_FTPASCII != 0
REGISTER_CURL_CONSTANT(CURLOPT_FTPASCII);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_PUT);
#if CURLOPT_MUTE != 0
REGISTER_CURL_CONSTANT(CURLOPT_MUTE);
@@@@ -409,7 +411,9 @@@@
REGISTER_CURL_CONSTANT(CURLOPT_FILETIME);
REGISTER_CURL_CONSTANT(CURLOPT_WRITEFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_READFUNCTION);
+#if CURLOPT_PASSWDFUNCTION != 0
REGISTER_CURL_CONSTANT(CURLOPT_PASSWDFUNCTION);
+#endif
REGISTER_CURL_CONSTANT(CURLOPT_HEADERFUNCTION);
REGISTER_CURL_CONSTANT(CURLOPT_MAXREDIRS);
REGISTER_CURL_CONSTANT(CURLOPT_MAXCONNECTS);
@@@@ -1157,12 +1161,13 @@@@
dupch->handlers->write_header->fp = ch->handlers->write_header->fp;
dupch->handlers->read->fp = ch->handlers->read->fp;
dupch->handlers->read->fd = ch->handlers->read->fd;
-
+#if CURLOPT_PASSWDDATA != 0
if (ch->handlers->passwd) {
zval_add_ref(&ch->handlers->passwd);
dupch->handlers->passwd = ch->handlers->passwd;
curl_easy_setopt(ch->cp, CURLOPT_PASSWDDATA, (void *) dupch);
}
+#endif
if (ch->handlers->write->func_name) {
zval_add_ref(&ch->handlers->write->func_name);
dupch->handlers->write->func_name = ch->handlers->write->func_name;
@
1.6.2.4
log
@MFC: security fixed version with PHP 5.2.1
@
text
@@
1.5
log
@modifying package: apache-1.3.33 20050330 -> 20050401
@
text
@@
1.5.2.1
log
@Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391)
@
text
@a62 266
-----------------------------------------------------------------------------
Security Fix (CAN-2005-3054)
Index: main/fopen_wrappers.c
--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100
+++ main/fopen_wrappers.c 2005-10-04 21:52:15 +0200
@@@@ -120,8 +120,8 @@@@
/* Handler for basedirs that end with a / */
resolved_basedir_len = strlen(resolved_basedir);
if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
- if (resolved_basedir[resolved_basedir_len - 1] == '/') {
- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
+ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
+ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
resolved_basedir[++resolved_basedir_len] = '\0';
}
}
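Review bot: The corrected branch writes to `resolved_basedir[resolved_basedir_len]` and then to the byte after it, so it needs two bytes of room beyond the current string, and nothing in the hunk checks that the buffer has them. The buffer's declaration is outside the hunk; if it is a fixed-size array, a guard is needed before the append, along the lines of `if (resolved_basedir_len + 1 >= sizeof(resolved_basedir)) return -1;`, adjusted to the real declaration and the function's error convention. The `[... - 1]` indexing on both `basedir` and `resolved_basedir` also assumes neither string is empty. The same hunk appears again later on the page.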
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3353)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
+++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
@@@@ -3014,6 +3014,12 @@@@
}
}
/*
+ * Ignore IFD2 if it purportedly exists
+ */
+ if (section_index == SECTION_THUMBNAIL) {
+ return TRUE;
+ }
+ /*
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3388)
Index: ext/standard/info.c
--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
+++ ext/standard/info.c 2005-12-03 17:42:11 +0100
@@@@ -133,10 +133,21 @@@@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+ zval *tmp3;
+ MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("
");
}
+ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
+ php_ob_get_buffer(tmp3 TSRMLS_CC);
+ php_end_ob_buffer(0, 0 TSRMLS_CC);
+
+ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+ PUTS(elem_esc);
+ efree(elem_esc);
+ zval_ptr_dtor(&tmp3);
+
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
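Review bot: The results of `php_start_ob_buffer` and `php_ob_get_buffer` are not checked before `Z_STRVAL_P(tmp3)` is handed to `php_info_html_esc`, which calls `strlen` on it; if the buffer could not be started or fetched, `tmp3` may not hold a string at that point. Wrapping the escape step in `if (php_ob_get_buffer(tmp3 TSRMLS_CC) == SUCCESS)` (assuming it follows the SUCCESS/FAILURE convention) and always reaching `zval_ptr_dtor(&tmp3)` would close that gap. The escaping is also unconditional, so output is entity-escaped even when `sapi_module.phpinfo_as_text` is set; if text mode should stay unescaped it needs the same `!sapi_module.phpinfo_as_text` test used for the surrounding `PUTS` calls. The enclosing function extends beyond the hunk, and the same hunk recurs later on the page.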
@@@@ -196,7 +207,7 @@@@
PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
{
int new_len;
- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
+ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3389)
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
+++ ext/standard/string.c 2005-12-03 17:43:25 +0100
@@@@ -3179,7 +3179,6 @@@@
zval *sarg;
char *res = NULL;
int argCount;
- int old_rg;
argCount = ARG_COUNT(ht);
if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@@@ -3192,19 +3191,18 @@@@
res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
}
- old_rg = PG(register_globals);
if (argCount == 1) {
- PG(register_globals) = 1;
- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;
+ Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
} else {
- PG(register_globals) = 0;
/* Clear out the array that was passed in. */
zval_dtor(*arrayArg);
array_init(*arrayArg);
sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
}
- PG(register_globals) = old_rg;
}
/* }}} */
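Review bot: `zval tmp;` is passed to `sapi_module.treat_data` with only its array pointer assigned, so the type tag and the remaining fields hold indeterminate values. If the callee inspects the type of its destination argument, which is not visible here, it reads uninitialised memory. Setting the tag before the call, `Z_TYPE(tmp) = IS_ARRAY;`, removes the doubt. The hunk also does not show what happens when `EG(active_symbol_table)` is NULL. The function starts outside the hunk, and the same hunk is repeated later on the page.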
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3390)
Index: ext/standard/array.c
--- ext/standard/array.c.orig 2005-06-21 14:11:19 +0200
+++ ext/standard/array.c 2005-12-03 17:54:00 +0100
@@@@ -1252,6 +1252,10 @@@@
/* break omitted intentionally */
case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
smart_str_appendl(&final_name, var_name, var_name_len);
break;
Index: ext/standard/basic_functions.c
--- ext/standard/basic_functions.c.orig 2005-05-16 10:55:31 +0200
+++ ext/standard/basic_functions.c 2005-12-03 17:54:00 +0100
@@@@ -3038,11 +3038,25 @@@@
prefix = va_arg(args, char *);
prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
zend_hash_del(&EG(symbol_table), new_key, new_key_len);
ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
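Review bot: The two branches that build `new_key` appear to use different length conventions. In the string-key branch `new_key_len` is `prefix_len + hash_key->nKeyLength` and the key is copied with `memcpy` with no terminator added, which suggests `nKeyLength` already counts the trailing NUL; the numeric branch takes `new_key_len` from `spprintf`, which presumably returns the length without it. If so, `zend_hash_del` and `ZEND_SET_SYMBOL_WITH_LENGTH` receive a length one short for numeric keys, and `new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h) + 1;` would align them; confirm against the hash API before changing. `%ld` should also be checked against the declared type of `hash_key->h`.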
Index: main/php_variables.c
--- main/php_variables.c.orig 2005-05-17 20:42:35 +0200
+++ main/php_variables.c 2005-12-03 17:54:00 +0100
@@@@ -73,6 +73,10 @@@@
symtable1 = Z_ARRVAL_P(track_vars_array);
} else if (PG(register_globals)) {
symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
}
if (!symtable1) {
/* Nothing to do */
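Review bot: The second comparison, `!strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)`, compares eight characters against the seven-character literal `"GLOBALS"`, so it can only succeed when `var` is exactly `GLOBALS` and merely duplicates the first test; a name that begins with `GLOBALS[` is not rejected. The literal should carry the bracket: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. This early `return` also skips the `zval_dtor(val)` that the equivalent rejection in the next hunk performs, so check whether `val` is owned at this point. The function continues outside the hunk, and the same hunk appears again later on the page.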
@@@@ -99,6 +103,13 @@@@
zval_dtor(val);
return;
}
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p=var; *p; p++) {
switch(*p) {
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3391)
Index: ext/curl/curl.c
--- ext/curl/curl.c.orig 2005-06-02 23:05:06 +0200
+++ ext/curl/curl.c 2005-12-03 17:57:09 +0100
@@@@ -66,7 +66,7 @@@@
#define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
- if (PG(open_basedir) && *PG(open_basedir) && \
+ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
{ \
php_url *tmp_url; \
@@@@ -76,7 +76,7 @@@@
RETURN_FALSE; \
} \
\
- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
) { \
php_url_free(tmp_url); \
@@@@ -992,10 +992,15 @@@@
postval = Z_STRVAL_PP(current);
if (*postval == '@@') {
+ ++postval;
+ /* safe_mode / open_basedir check */
+ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+ RETURN_FALSE;
+ }
error = curl_formadd(&first, &last,
CURLFORM_COPYNAME, string_key,
CURLFORM_NAMELENGTH, (long)string_key_len - 1,
- CURLFORM_FILE, ++postval,
+ CURLFORM_FILE, postval,
CURLFORM_END);
}
else {
Index: ext/gd/gd.c
--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
+++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
@@@@ -1644,7 +1644,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
Index: ext/gd/gd_ctx.c
--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
+++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
@@@@ -73,7 +73,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
@
1.5.4.1
log
@Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391)
@
text
@a62 266
-----------------------------------------------------------------------------
Security Fix (CAN-2005-3054)
Index: main/fopen_wrappers.c
--- main/fopen_wrappers.c.orig 2005-02-03 00:44:07 +0100
+++ main/fopen_wrappers.c 2005-10-04 21:52:15 +0200
@@@@ -120,8 +120,8 @@@@
/* Handler for basedirs that end with a / */
resolved_basedir_len = strlen(resolved_basedir);
if (basedir[strlen(basedir) - 1] == PHP_DIR_SEPARATOR) {
- if (resolved_basedir[resolved_basedir_len - 1] == '/') {
- resolved_basedir[resolved_basedir_len - 1] = PHP_DIR_SEPARATOR;
+ if (resolved_basedir[resolved_basedir_len - 1] != PHP_DIR_SEPARATOR) {
+ resolved_basedir[resolved_basedir_len] = PHP_DIR_SEPARATOR;
resolved_basedir[++resolved_basedir_len] = '\0';
}
}
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3353)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
+++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
@@@@ -3014,6 +3014,12 @@@@
}
}
/*
+ * Ignore IFD2 if it purportedly exists
+ */
+ if (section_index == SECTION_THUMBNAIL) {
+ return TRUE;
+ }
+ /*
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3388)
Index: ext/standard/info.c
--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
+++ ext/standard/info.c 2005-12-03 17:42:11 +0100
@@@@ -133,10 +133,21 @@@@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+ zval *tmp3;
+ MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
+ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
+ php_ob_get_buffer(tmp3 TSRMLS_CC);
+ php_end_ob_buffer(0, 0 TSRMLS_CC);
+
+ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+ PUTS(elem_esc);
+ efree(elem_esc);
+ zval_ptr_dtor(&tmp3);
+
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
@@@@ -196,7 +207,7 @@@@
PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
{
int new_len;
- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
+ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3389)
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
+++ ext/standard/string.c 2005-12-03 17:43:25 +0100
@@@@ -3179,7 +3179,6 @@@@
zval *sarg;
char *res = NULL;
int argCount;
- int old_rg;
argCount = ARG_COUNT(ht);
if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@@@ -3192,19 +3191,18 @@@@
res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
}
- old_rg = PG(register_globals);
if (argCount == 1) {
- PG(register_globals) = 1;
- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;
+ Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
} else {
- PG(register_globals) = 0;
/* Clear out the array that was passed in. */
zval_dtor(*arrayArg);
array_init(*arrayArg);
sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
}
- PG(register_globals) = old_rg;
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3390)
Index: ext/standard/array.c
--- ext/standard/array.c.orig 2005-06-21 14:11:19 +0200
+++ ext/standard/array.c 2005-12-03 17:54:00 +0100
@@@@ -1252,6 +1252,10 @@@@
/* break omitted intentionally */
case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
smart_str_appendl(&final_name, var_name, var_name_len);
break;
Index: ext/standard/basic_functions.c
--- ext/standard/basic_functions.c.orig 2005-05-16 10:55:31 +0200
+++ ext/standard/basic_functions.c 2005-12-03 17:54:00 +0100
@@@@ -3038,11 +3038,25 @@@@
prefix = va_arg(args, char *);
prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
zend_hash_del(&EG(symbol_table), new_key, new_key_len);
ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
Index: main/php_variables.c
--- main/php_variables.c.orig 2005-05-17 20:42:35 +0200
+++ main/php_variables.c 2005-12-03 17:54:00 +0100
@@@@ -73,6 +73,10 @@@@
symtable1 = Z_ARRVAL_P(track_vars_array);
} else if (PG(register_globals)) {
symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
}
if (!symtable1) {
/* Nothing to do */
@@@@ -99,6 +103,13 @@@@
zval_dtor(val);
return;
}
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p=var; *p; p++) {
switch(*p) {
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3391)
Index: ext/curl/curl.c
--- ext/curl/curl.c.orig 2005-06-02 23:05:06 +0200
+++ ext/curl/curl.c 2005-12-03 17:57:09 +0100
@@@@ -66,7 +66,7 @@@@
#define CAAZ(s, v) add_assoc_zval_ex(return_value, s, sizeof(s), (zval *) v);
#define PHP_CURL_CHECK_OPEN_BASEDIR(str, len) \
- if (PG(open_basedir) && *PG(open_basedir) && \
+ if (((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) && \
strncasecmp(str, "file://", sizeof("file://") - 1) == 0) \
{ \
php_url *tmp_url; \
@@@@ -76,7 +76,7 @@@@
RETURN_FALSE; \
} \
\
- if (php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
+ if (tmp_url->query || php_check_open_basedir(tmp_url->path TSRMLS_CC) || \
(PG(safe_mode) && !php_checkuid(tmp_url->path, "rb+", CHECKUID_CHECK_MODE_PARAM)) \
) { \
php_url_free(tmp_url); \
@@@@ -992,10 +992,15 @@@@
postval = Z_STRVAL_PP(current);
if (*postval == '@@') {
+ ++postval;
+ /* safe_mode / open_basedir check */
+ if (php_check_open_basedir(postval TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(postval, "rb+", CHECKUID_CHECK_MODE_PARAM))) {
+ RETURN_FALSE;
+ }
error = curl_formadd(&first, &last,
CURLFORM_COPYNAME, string_key,
CURLFORM_NAMELENGTH, (long)string_key_len - 1,
- CURLFORM_FILE, ++postval,
+ CURLFORM_FILE, postval,
CURLFORM_END);
}
else {
Index: ext/gd/gd.c
--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
+++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
@@@@ -1644,7 +1644,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
Index: ext/gd/gd_ctx.c
--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
+++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
@@@@ -73,7 +73,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
@
1.4
log
@port to ia64-freebsd5.3 and ix86-solaris10
@
text
@d2 2
a3 2
--- ext/pdf/pdf.c.orig 2004-02-28 23:58:56 +0100
+++ ext/pdf/pdf.c 2004-07-25 11:35:57 +0200
a62 21
Index: Zend/zend_strtod.c
--- Zend/zend_strtod.c.orig 2004-12-14 09:35:26 +0100
+++ Zend/zend_strtod.c 2005-02-06 14:15:09 +0100
@@@@ -95,7 +95,7 @@@@
static char *rcsid = "$OpenBSD: strtod.c,v 1.19 2004/02/03 16:52:11 drahn Exp $";
#endif /* LIBC_SCCS and not lint */
-#if defined(__m68k__) || defined(__sparc__) || defined(__i386__) || \
+#if defined(__m68k__) || defined(__sparc__) || defined(__i386__) || defined(__ia64__) || \
defined(__mips__) || defined(__ns32k__) || defined(__alpha__) || \
defined(__powerpc__) || defined(__ppc__) || defined(__m88k__) || \
defined(__hppa__) || defined(__x86_64__) || (defined(__arm__) && \
@@@@ -127,7 +127,7 @@@@
#define IEEE_LITTLE_ENDIAN
#endif
-#if defined(__sparc__) || defined(__ppc__)
+#if defined(__sparc__) || defined(__ppc__) || defined(__sun__)
#define u_int32_t uint32_t
#endif
@
1.4.2.1
log
@Security Fixes (CVE-2005-3353, CVE-2005-3388, CVE-2005-3389, CVE-2005-3390, CVE-2005-3391)
@
text
@a83 228
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3353)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2005-03-22 23:07:03 +0100
+++ ext/exif/exif.c 2005-12-03 17:41:40 +0100
@@@@ -3014,6 +3014,12 @@@@
}
}
/*
+ * Ignore IFD2 if it purportedly exists
+ */
+ if (section_index == SECTION_THUMBNAIL) {
+ return TRUE;
+ }
+ /*
* Hack to make it process IDF1 I hope
* There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
*/
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3388)
Index: ext/standard/info.c
--- ext/standard/info.c.orig 2005-06-07 15:37:33 +0200
+++ ext/standard/info.c 2005-12-03 17:42:11 +0100
@@@@ -133,10 +133,21 @@@@
PUTS(" => ");
}
if (Z_TYPE_PP(tmp) == IS_ARRAY) {
+ zval *tmp3;
+ MAKE_STD_ZVAL(tmp3);
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
+ php_start_ob_buffer(NULL, 4096, 1 TSRMLS_CC);
zend_print_zval_r(*tmp, 0);
+ php_ob_get_buffer(tmp3 TSRMLS_CC);
+ php_end_ob_buffer(0, 0 TSRMLS_CC);
+
+ elem_esc = php_info_html_esc(Z_STRVAL_P(tmp3) TSRMLS_CC);
+ PUTS(elem_esc);
+ efree(elem_esc);
+ zval_ptr_dtor(&tmp3);
+
if (!sapi_module.phpinfo_as_text) {
PUTS("");
}
@@@@ -196,7 +207,7 @@@@
PHPAPI char *php_info_html_esc(char *string TSRMLS_DC)
{
int new_len;
- return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_NOQUOTES, NULL TSRMLS_CC);
+ return php_escape_html_entities(string, strlen(string), &new_len, 0, ENT_QUOTES, NULL TSRMLS_CC);
}
/* }}} */
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3389)
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2005-06-02 10:50:52 +0200
+++ ext/standard/string.c 2005-12-03 17:43:25 +0100
@@@@ -3179,7 +3179,6 @@@@
zval *sarg;
char *res = NULL;
int argCount;
- int old_rg;
argCount = ARG_COUNT(ht);
if (argCount < 1 || argCount > 2 || zend_get_parameters_ex(argCount, &arg, &arrayArg) == FAILURE) {
@@@@ -3192,19 +3191,18 @@@@
res = estrndup(Z_STRVAL_P(sarg), Z_STRLEN_P(sarg));
}
- old_rg = PG(register_globals);
if (argCount == 1) {
- PG(register_globals) = 1;
- sapi_module.treat_data(PARSE_STRING, res, NULL TSRMLS_CC);
+ zval tmp;
+ Z_ARRVAL(tmp) = EG(active_symbol_table);
+
+ sapi_module.treat_data(PARSE_STRING, res, &tmp TSRMLS_CC);
} else {
- PG(register_globals) = 0;
/* Clear out the array that was passed in. */
zval_dtor(*arrayArg);
array_init(*arrayArg);
sapi_module.treat_data(PARSE_STRING, res, *arrayArg TSRMLS_CC);
}
- PG(register_globals) = old_rg;
}
/* }}} */
Index: ext/standard/array.c
--- ext/standard/array.c.orig 2004-12-02 17:36:41 +0100
+++ ext/standard/array.c 2005-12-03 18:12:00 +0100
@@@@ -1243,6 +1243,10 @@@@
/* break omitted intentionally */
case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+ if (var_exists && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
smart_str_appendl(&final_name, var_name, var_name_len);
break;
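Review bot: The GLOBALS test uses `strcmp()` although the key length is already at hand as `var_name_len` on the next line, so the comparison stops at the first NUL instead of covering the whole key. Using the length-checked form that this patch applies in main/main.c keeps the checks consistent: `if (var_exists && var_name_len == sizeof("GLOBALS") - 1 && !memcmp(var_name, "GLOBALS", sizeof("GLOBALS") - 1)) {`, assuming `var_name_len` excludes the terminator as its use in `smart_str_appendl()` suggests. The guard sits only under `case EXTR_OVERWRITE:`; the other cases of the switch are outside the hunk, so confirm none of them can yield the unprefixed name GLOBALS.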
Index: ext/standard/basic_functions.c
--- ext/standard/basic_functions.c.orig 2004-11-16 00:26:40 +0100
+++ ext/standard/basic_functions.c 2005-12-03 18:12:00 +0100
@@@@ -3002,11 +3002,25 @@@@
prefix = va_arg(args, char *);
prefix_len = va_arg(args, uint);
- new_key_len = prefix_len + hash_key->nKeyLength;
- new_key = (char *) emalloc(new_key_len);
+ if (!prefix_len) {
+ if (!hash_key->nKeyLength) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+ return 0;
+ } else if (!strcmp(hash_key->arKey, "GLOBALS")) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+ return 0;
+ }
+ }
- memcpy(new_key, prefix, prefix_len);
- memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ if (hash_key->nKeyLength) {
+ new_key_len = prefix_len + hash_key->nKeyLength;
+ new_key = (char *) emalloc(new_key_len);
+
+ memcpy(new_key, prefix, prefix_len);
+ memcpy(new_key+prefix_len, hash_key->arKey, hash_key->nKeyLength);
+ } else {
+ new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+ }
zend_hash_del(&EG(symbol_table), new_key, new_key_len);
ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
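Review bot: The two branches compute `new_key_len` on different bases: the string-key branch copies `hash_key->nKeyLength` bytes, which presumably includes the terminating NUL since nothing else terminates `new_key`, while `spprintf()` in the numeric branch returns the length without it. If `zend_hash_del()` and `ZEND_SET_SYMBOL_WITH_LENGTH` expect the terminator to be counted, the numeric branch registers a key one byte short; `new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h) + 1;` would align them. `%s` also assumes `prefix` is NUL-terminated even though `prefix_len` is passed separately, and both rejections apply only when `prefix_len` is zero. The function body starts and ends outside the hunk.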
Index: main/main.c
--- main/main.c.orig 2004-10-01 16:27:13 +0200
+++ main/main.c 2005-12-03 18:12:01 +0100
@@@@ -1339,6 +1339,7 @@@@
ulong num_key;
HashPosition pos;
int key_type;
+ int globals_check = (PG(register_globals) && (dest == (&EG(symbol_table))));
zend_hash_internal_pointer_reset_ex(src, &pos);
while (zend_hash_get_current_data_ex(src, (void **)&src_entry, &pos) == SUCCESS) {
@@@@ -1349,7 +1350,12 @@@@
|| Z_TYPE_PP(dest_entry) != IS_ARRAY) {
(*src_entry)->refcount++;
if (key_type == HASH_KEY_IS_STRING) {
- zend_hash_update(dest, string_key, strlen(string_key)+1, src_entry, sizeof(zval *), NULL);
+ /* if register_globals is on and working with main symbol table, prevent overwriting of GLOBALS */
+ if (!globals_check || string_key_len != sizeof("GLOBALS") || memcmp(string_key, "GLOBALS", sizeof("GLOBALS") - 1)) {
+ zend_hash_update(dest, string_key, string_key_len, src_entry, sizeof(zval *), NULL);
+ } else {
+ (*src_entry)->refcount--;
+ }
} else {
zend_hash_index_update(dest, num_key, src_entry, sizeof(zval *), NULL);
}
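Review bot: `(*src_entry)->refcount++` at the top of this block is undone by `(*src_entry)->refcount--` in the new else branch, a pattern that is easy to break the next time a rejection path is added. Taking the reference only where the entry is actually stored reads more safely: move the increment next to `zend_hash_update()` and `zend_hash_index_update()` and drop the else branch. `string_key_len` is obtained outside the hunk; the test `string_key_len != sizeof("GLOBALS")` assumes it counts the terminating NUL.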
Index: main/php_variables.c
--- main/php_variables.c.orig 2004-10-18 17:08:46 +0200
+++ main/php_variables.c 2005-12-03 18:12:00 +0100
@@@@ -73,6 +73,10 @@@@
symtable1 = Z_ARRVAL_P(track_vars_array);
} else if (PG(register_globals)) {
symtable1 = EG(active_symbol_table);
+ /* GLOBALS hijack attempt, reject parameter */
+ if (!strncmp("GLOBALS", var, sizeof("GLOBALS")) || !strncmp("GLOBALS", var, sizeof("GLOBALS[")-1)) {
+ return;
+ }
}
if (!symtable1) {
/* Nothing to do */
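Review bot: The second `strncmp()` in the added condition compares against the literal `"GLOBALS"` with a length of `sizeof("GLOBALS[")-1`, which is 8 bytes and therefore the same test as the first call with `sizeof("GLOBALS")`; it can only match a name that is exactly GLOBALS, never one that begins with `GLOBALS[`. If rejecting array-style names is the intent, the literal has to carry the bracket: `!strncmp("GLOBALS[", var, sizeof("GLOBALS[")-1)`. This early `return` also leaves `val` untouched, while the check added in the next hunk of this file calls `zval_dtor(val)` before returning; ownership of `val` is not visible here, so confirm the two paths are meant to differ.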
@@@@ -99,6 +103,13 @@@@
zval_dtor(val);
return;
}
+
+ /* GLOBALS hijack attempt, reject parameter */
+ if (symtable1 == EG(active_symbol_table) && !strcmp("GLOBALS", var)) {
+ zval_dtor(val);
+ return;
+ }
+
/* ensure that we don't have spaces or dots in the variable name (not binary safe) */
for (p=var; *p; p++) {
switch(*p) {
-----------------------------------------------------------------------------
Security Fix (CVE-2005-3391)
Index: ext/gd/gd.c
--- ext/gd/gd.c.orig 2005-05-06 18:51:54 +0200
+++ ext/gd/gd.c 2005-12-03 17:57:09 +0100
@@@@ -1644,7 +1644,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
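Review bot: Passing `"rb+"` as the open mode may change what `php_checkuid()` checks: the main/safe_mode.c hunk further down this page shows a mode string beginning with `r` setting `mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS`, which appears to override the `CHECKUID_CHECK_FILE_AND_DIR` argument given here. If this path is used to create a new output file, the safe-mode check would then refuse targets that do not exist yet; passing `NULL` for the mode, as the ext/standard/link.c hunk does, keeps the requested check. A safe-mode refusal is also reported as "Invalid filename", which hides the real reason from the operator. The identical line in ext/gd/gd_ctx.c has the same issue.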
Index: ext/gd/gd_ctx.c
--- ext/gd/gd_ctx.c.orig 2004-01-28 17:27:42 +0100
+++ ext/gd/gd_ctx.c 2005-12-03 17:57:09 +0100
@@@@ -73,7 +73,7 @@@@
}
if ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))) {
- if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC)) {
+ if (!fn || fn == empty_string || php_check_open_basedir(fn TSRMLS_CC) || (PG(safe_mode) && !php_checkuid(fn, "rb+", CHECKUID_CHECK_FILE_AND_DIR))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid filename '%s'", fn);
RETURN_FALSE;
}
@
1.3
log
@fix building against PDFLib 6.0.0p1 which no longer has a PDF_open_fp() function
@
text
@d63 21
@
1.3.2.1
log
@Security Fixes (OpenPKG-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065)
@
text
@a62 417
-----------------------------------------------------------------------------
Security Fixes (OpenPKG-2004.053-php):
o CAN-2004-1018:
shmop_write() out of bounds memory write access.
(ext/shmop/shmop.c)
o CAN-2004-1018:
integer overflow/underflow in pack() and unpack() functions.
(main/php.h, ext/standard/pack.c)
o CAN-2004-1019:
possible information disclosure, double free and negative reference
index array underflow in deserialization code.
(ext/standard/var_unserializer.re, ext/standard/var_unserializer.c)
o CAN-2004-1020:
addslashes() not escaping \0 correctly.
(ext/standard/string.c)
o CAN-2004-1063:
safe_mode execution directory bypass.
(ext/standard/link.c)
o CAN-2004-1064:
arbitrary file access through path truncation.
(main/safe_mode.c)
o CAN-2004-1065:
exif_read_data() overflow on long sectionname.
(ext/exif/exif.c)
o XXX-XXXX-XXXX:
magic_quotes_gpc could lead to one level directory traversal with
file uploads.
(main/rfc1867.c)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2003-12-17 10:08:37 +0100
+++ ext/exif/exif.c 2004-12-16 17:36:48 +0100
@@@@ -2712,7 +2712,7 @@@@
// JPEG does not use absolute pointers instead its pointers are relative to the start
// of the TIFF header in APP1 section.
*/
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM)) {
+ if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (value_ptr < dir_entry) {
/* we can read this if offset_val > 0 */
/* some files have their values in other parts of the file */
@@@@ -3750,7 +3750,7 @@@@
}
}
for (i=0; i shmop->size) {
+ if (offset < 0 || offset > shmop->size) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "offset out of range");
RETURN_FALSE;
}
Index: ext/standard/string.c
--- ext/standard/string.c.orig 2004-07-11 23:24:47 +0200
+++ ext/standard/string.c 2004-12-16 17:36:48 +0100
@@@@ -2443,7 +2443,13 @@@@
p = str;
if (!type) {
while (p < e) {
- if (php_esc_list[(int)(unsigned char)*p]) {
+ int c = php_esc_list[(int)(unsigned char)*p];
+ if (c == 2) {
+ *ps++ = '\\';
+ *ps++ = '0';
+ p++;
+ continue;
+ } else if (c) {
*ps++ = '\\';
}
*ps++ = *p++;
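Review bot: The branch on `c == 2` relies on `php_esc_list` holding the value 2 for the NUL byte, which is defined outside the hunk and not named anywhere in it. A comment at the test, `/* 2 marks NUL: emit backslash + '0' instead of a raw NUL byte */`, or a named constant would make the special case reviewable. The two-byte write assumes the output buffer was sized for two bytes per input byte; that allocation is outside the hunk and should be confirmed.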
Index: ext/standard/pack.c
--- ext/standard/pack.c.orig 2004-02-25 13:36:24 +0100
+++ ext/standard/pack.c 2004-12-16 17:36:48 +0100
@@@@ -63,6 +63,13 @@@@
#include
#endif
+#define INC_OUTPUTPOS(a,b) \
+ if ((a) < 0 || ((INT_MAX - outputpos)/(b)) < (a)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow in format string", code); \
+ RETURN_FALSE; \
+ } \
+ outputpos += (a)*(b);
+
/* Whether machine is little endian */
char machine_little_endian;
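Review bot: `INC_OUTPUTPOS` expands to an `if` block followed by a separate statement, so it is only correct where it happens to be used as a full statement inside braces; under an unbraced `if` or `else` the `outputpos += (a)*(b);` part would run unconditionally. Wrap the body in `do { ... } while (0)` and end each use with a semicolon. The macro also depends silently on `outputpos` and `code` from the caller's scope, and when `(b)` is a `sizeof` expression the division is carried out in an unsigned type, which deserves a one-line comment. The same macro appears again in the later copy of this patch on the page.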
@@@@ -246,7 +253,7 @@@@
switch ((int) code) {
case 'h':
case 'H':
- outputpos += (arg + 1) / 2; /* 4 bit per arg */
+ INC_OUTPUTPOS((arg + 1) / 2,1) /* 4 bit per arg */
break;
case 'a':
@@@@ -254,34 +261,34 @@@@
case 'c':
case 'C':
case 'x':
- outputpos += arg; /* 8 bit per arg */
+ INC_OUTPUTPOS(arg,1) /* 8 bit per arg */
break;
case 's':
case 'S':
case 'n':
case 'v':
- outputpos += arg * 2; /* 16 bit per arg */
+ INC_OUTPUTPOS(arg,2) /* 16 bit per arg */
break;
case 'i':
case 'I':
- outputpos += arg * sizeof(int);
+ INC_OUTPUTPOS(arg,sizeof(int))
break;
case 'l':
case 'L':
case 'N':
case 'V':
- outputpos += arg * 4; /* 32 bit per arg */
+ INC_OUTPUTPOS(arg,4) /* 32 bit per arg */
break;
case 'f':
- outputpos += arg * sizeof(float);
+ INC_OUTPUTPOS(arg,sizeof(float))
break;
case 'd':
- outputpos += arg * sizeof(double);
+ INC_OUTPUTPOS(arg,sizeof(double))
break;
case 'X':
@@@@ -650,6 +657,11 @@@@
sprintf(n, "%.*s", namelen, name);
}
+ if (size != 0 && size != -1 && INT_MAX - size + 1 < inputpos) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
+ inputpos = 0;
+ }
+
if ((inputpos + size) <= inputlen) {
switch ((int) type) {
case 'a':
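Review bot: The new guard reports an overflow but then sets `inputpos = 0` and carries on, so a malformed format keeps being processed from the start of the input instead of the call failing; returning failure after the warning would be the conservative choice. The guard expression is itself signed arithmetic: `INT_MAX - size + 1` overflows if `size` can be below -1, which the hunk does not rule out. The follow-up hunk at `inputpos += size;` tests `inputpos < 0` only after the addition, that is after any signed overflow has already happened; checking `size > INT_MAX - inputpos` before adding avoids relying on wraparound. The enclosing function starts and ends outside these hunks.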
@@@@ -820,6 +832,10 @@@@
}
inputpos += size;
+ if (inputpos < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
+ inputpos = 0;
+ }
} else if (arg < 0) {
/* Reached end of input for '*' repeater */
break;
Index: ext/standard/var_unserializer.re
--- ext/standard/var_unserializer.re.orig 2004-03-27 02:17:06 +0100
+++ ext/standard/var_unserializer.re 2004-12-16 17:36:48 +0100
@@@@ -62,7 +62,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -139,7 +139,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -161,9 +161,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
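Review bot: Both added lookups test the return value for truthiness, `if (zend_hash_index_find(...))` and `if (zend_hash_find(...))`, yet this file returns `!SUCCESS` to signal failure, which implies SUCCESS is zero; as written the branch is taken when the key was not found and `old_data` has not been assigned. Compare explicitly, e.g. `if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data) == SUCCESS) {`. `old_data` is declared `zval *` but passed as `(void **)&old_data`; if the find functions store a pointer to the table slot, the declaration should be `zval **`, so confirm against the hash API. The same lines recur in the ext/standard/var_unserializer.c hunk and in the later copy of this patch.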
@@@@ -311,6 +317,8 @@@@
} else {
str = estrndup(YYCURSOR, len);
}
+
+ if (*rval == *rval_ref) return 0;
YYCURSOR += len + 2;
*p = YYCURSOR;
Index: ext/standard/var_unserializer.c
--- ext/standard/var_unserializer.c.orig 2004-09-21 00:32:00 +0200
+++ ext/standard/var_unserializer.c 2004-12-16 17:36:48 +0100
@@@@ -63,7 +63,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -134,7 +134,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -156,9 +156,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
@@@@ -566,6 +572,8 @@@@
str = estrndup(YYCURSOR, len);
}
+ if (*rval == *rval_ref) return 0;
+
YYCURSOR += len + 2;
*p = YYCURSOR;
Index: ext/standard/link.c
--- ext/standard/link.c.orig 2002-12-31 17:35:31 +0100
+++ ext/standard/link.c 2004-12-16 17:36:48 +0100
@@@@ -65,6 +65,14 @@@@
}
convert_to_string_ex(filename);
+ if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(filename), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+ RETURN_FALSE;
+ }
+
+ if (php_check_open_basedir(Z_STRVAL_PP(filename) TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
ret = readlink(Z_STRVAL_PP(filename), buff, MAXPATHLEN-1);
if (ret == -1) {
Index: main/php.h
--- main/php.h.orig 2003-09-25 01:22:32 +0200
+++ main/php.h 2004-12-16 17:36:48 +0100
@@@@ -226,6 +226,14 @@@@
#define LONG_MIN (- LONG_MAX - 1)
#endif
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif
+
+#ifndef INT_MIN
+#define INT_MIN (- INT_MAX - 1)
+#endif
+
#define PHP_GCC_VERSION ZEND_GCC_VERSION
#define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC
#define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
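Review bot: The fallback `#define INT_MAX 2147483647` hard-codes a 32-bit `int`; on a platform where the macro is missing and `int` has another width, the overflow guards this patch adds to ext/standard/pack.c would test against the wrong bound. Including `<limits.h>` is the portable source for both macros. If the fallback has to stay, a comment stating that it assumes a 32-bit `int` is the minimum.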
Index: main/safe_mode.c
--- main/safe_mode.c.orig 2003-03-17 14:50:23 +0100
+++ main/safe_mode.c 2004-12-16 17:36:48 +0100
@@@@ -54,13 +54,16 @@@@
php_stream_wrapper *wrapper = NULL;
TSRMLS_FETCH();
- strlcpy(filenamecopy, filename, MAXPATHLEN);
- filename=(char *)&filenamecopy;
-
if (!filename) {
return 0; /* path must be provided */
}
+ if (strlcpy(filenamecopy, filename, MAXPATHLEN)>=MAXPATHLEN) {
+ return 0;
+ }
+ filename=(char *)&filenamecopy;
+
+
if (fopen_mode) {
if (fopen_mode[0] == 'r') {
mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;
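Review bot: The reason for the new `strlcpy()` test is not stated in the code: it rejects a path that does not fit in `filenamecopy`, so the checks that follow never run on a truncated prefix of the name the caller will open. A comment such as `/* refuse over-long paths rather than checking a truncated copy */` above the test would keep it from being simplified away later. Assuming `filenamecopy` is a char array, `filename=(char *)&filenamecopy;` takes the address of the array and casts it; plain `filename = filenamecopy;` says the same without a cast.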
Index: main/rfc1867.c
--- main/rfc1867.c.orig 2004-09-13 18:00:50 +0200
+++ main/rfc1867.c 2004-12-16 17:36:48 +0100
@@@@ -126,6 +126,7 @@@@
#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
#define UPLOAD_ERROR_C 3 /* Partially uploaded */
#define UPLOAD_ERROR_D 4 /* No file uploaded */
+#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
void php_rfc1867_register_constants(TSRMLS_D)
{
@@@@ -134,6 +135,7 @@@@
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
}
static void normalize_protected_variable(char *varname TSRMLS_DC)
@@@@ -956,12 +958,14 @@@@
}
}
+ total_bytes = cancel_upload = 0;
+
if (!skip_upload) {
/* Handle file */
fp = php_open_temporary_file(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
if (!fp) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
- skip_upload = 1;
+ cancel_upload = UPLOAD_ERROR_E;
}
}
if (skip_upload) {
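Review bot: After this change a failed `php_open_temporary_file()` no longer sets `skip_upload`, so control continues past `if (skip_upload)` with `fp == NULL` and `cancel_upload = UPLOAD_ERROR_E`. A later hunk guards `fclose(fp)`, but the read/write loop between the two hunks is not shown; confirm it never writes through `fp` once `cancel_upload` is set. A short comment at the assignment, `/* fp stays NULL from here on; the upload is reported as failed, not skipped */`, would record the intent.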
@@@@ -970,9 +974,6 @@@@
continue;
}
- total_bytes = 0;
- cancel_upload = 0;
-
if(strlen(filename) == 0) {
#ifdef DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "No file uploaded");
@@@@ -999,10 +1000,12 @@@@
}
}
}
- fclose(fp);
+ if (fp) {
+ fclose(fp);
+ }
#ifdef DEBUG_FILE_UPLOAD
- if(strlen(filename) > 0 && total_bytes == 0) {
+ if(strlen(filename) > 0 && total_bytes == 0 && !cancel_upload) {
sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
cancel_upload = 5;
}
@@@@ -1010,7 +1013,9 @@@@
if (cancel_upload) {
if (temp_filename) {
- unlink(temp_filename);
+ if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
+ unlink(temp_filename);
+ }
efree(temp_filename);
}
temp_filename="";
@@@@ -1076,6 +1081,14 @@@@
s = tmp;
}
#endif
+ if (PG(magic_quotes_gpc)) {
+ s = s ? s : filename;
+ tmp = strrchr(s, '\'');
+ s = tmp > s ? tmp : s;
+ tmp = strrchr(s, '"');
+ s = tmp > s ? tmp : s;
+ }
+
if (s && s > filename) {
safe_php_register_variable(lbuf, s+1, NULL, 0 TSRMLS_CC);
} else {
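Review bot: `tmp > s` is evaluated even when `strrchr()` returns NULL, and an ordering comparison between a null pointer and a pointer into `filename` is undefined in C even though it usually behaves as intended. Test for NULL first, `s = (tmp && tmp > s) ? tmp : s;`, for both the `'\''` and the `'"'` lookup. A one-line comment explaining why quote characters are treated like path separators when `magic_quotes_gpc` is on, presumably because of the backslashes it inserts, would make the block understandable without the advisory text.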
@
1.3.2.2
log
@Shit happens: one hunk too much, others missing plus a whole file not patched
@
text
@d87 1
a87 1
(ext/standard/link.c, TSRM/tsrm_virtual_cwd.c)
d245 1
a245 1
+++ ext/standard/var_unserializer.re 2004-12-16 21:06:33 +0100
d280 3
a282 13
@@@@ -398,7 +404,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -406,7 +411,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d284 2
d287 1
a288 10
@@@@ -414,8 +418,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
d291 1
a291 1
+++ ext/standard/var_unserializer.c 2004-12-16 21:07:00 +0100
d326 2
a327 13
@@@@ -435,7 +441,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -443,7 +448,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d330 3
a333 7
@@@@ -451,8 +455,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
a334 2
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
a479 103
Index: TSRM/tsrm_virtual_cwd.c
--- TSRM/tsrm_virtual_cwd.c.orig 2003-07-28 20:35:34 +0200
+++ TSRM/tsrm_virtual_cwd.c 2004-12-16 21:13:42 +0100
@@@@ -301,15 +301,22 @@@@
if (path_length == 0)
return (0);
+ if (path_length >= MAXPATHLEN)
+ return (1);
#if !defined(TSRM_WIN32) && !defined(NETWARE)
/* cwd_length can be 0 when getcwd() fails.
* This can happen under solaris when a dir does not have read permissions
* but *does* have execute permissions */
if (IS_ABSOLUTE_PATH(path, path_length) || (state->cwd_length < 1)) {
- if (use_realpath && realpath(path, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (use_realpath) {
+ if (realpath(path, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ return 1; */
+ }
}
} else { /* Concat current directory with relative path and then run realpath() on it */
char *tmp;
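Review bot: When `realpath()` fails, the new `else` branch holds only a commented-out `return 1;`, so the function goes on with the unresolved `path` exactly as before the change. Either enable the failure return or replace the dead code with a comment stating why an unresolvable path is still accepted, for example `/* realpath() failure tolerated: target may not exist yet */` if that is the reason. The same pattern is repeated in the next hunk for the relative-path case, where the `strlen(tmp) >= MAXPATHLEN` test runs only after `tmp` has already been filled. The function starts and ends outside these hunks.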
@@@@ -325,9 +332,19 @@@@
memcpy(ptr, path, path_length);
ptr += path_length;
*ptr = '\0';
- if (use_realpath && realpath(tmp, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (strlen(tmp) >= MAXPATHLEN) {
+ free(tmp);
+ return 1;
+ }
+ if (use_realpath) {
+ if (realpath(tmp, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ free(tmp);
+ return 1; */
+ }
}
free(tmp);
}
@@@@ -818,13 +835,24 @@@@
CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC)
{
int command_length;
+ int dir_length, extra = 0;
char *command_line;
- char *ptr;
+ char *ptr, *dir;
FILE *retval;
command_length = strlen(command);
- ptr = command_line = (char *) malloc(command_length + sizeof("cd ; ") + CWDG(cwd).cwd_length+1);
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+ while (dir_length > 0) {
+ if (*dir == '\'') extra+=3;
+ dir++;
+ dir_length--;
+ }
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+
+ ptr = command_line = (char *) malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1);
if (!command_line) {
return NULL;
}
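Review bot: `extra` is counted at three bytes per single quote in the working directory but is not part of the `malloc()` size on the new line, while the next hunk writes four bytes for each such quote. A directory name containing quotes therefore needs more room than is allocated; add it to the size, `malloc(command_length + sizeof("cd '' ; ") + dir_length + extra + 1 + 1)`. The sum is computed in `int`, so an overflow check on the total before allocating would also be prudent. The function body continues outside the hunk.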
@@@@ -834,8 +862,21 @@@@
if (CWDG(cwd).cwd_length == 0) {
*ptr++ = DEFAULT_SLASH;
} else {
- memcpy(ptr, CWDG(cwd).cwd, CWDG(cwd).cwd_length);
- ptr += CWDG(cwd).cwd_length;
+ *ptr++ = '\'';
+ while (dir_length > 0) {
+ switch (*dir) {
+ case '\'':
+ *ptr++ = '\'';
+ *ptr++ = '\\';
+ *ptr++ = '\'';
+ /* fall-through */
+ default:
+ *ptr++ = *dir;
+ }
+ dir++;
+ dir_length--;
+ }
+ *ptr++ = '\'';
}
*ptr++ = ' ';
@
1.2
log
@upgrade php 4.3.2 -> 4.3.3 ; vendor rolled in equivalent patches
@
text
@d1 6
a6 7
--- php-4.3.2/ext/oci8/config.m4.dist 2003-07-01 09:55:33.000000000 +0200
+++ php-4.3.2/ext/oci8/config.m4 2003-07-01 0:56:01.000000000 +0200
@@@@ -100,7 +100,6 @@@@
PHP_ADD_LIBRARY(clntsh, 1, OCI8_SHARED_LIBADD)
PHP_ADD_LIBPATH($OCI8_DIR/lib, OCI8_SHARED_LIBADD)
AC_DEFINE(HAVE_OCI8_ATTR_STATEMENT,1,[ ])
- AC_DEFINE(HAVE_OCI8_SHARED_MODE,1,[ ])
d8 16
a23 7
dnl These functions are only available in version >= 9.2
PHP_CHECK_LIBRARY(clntsh, OCIEnvNlsCreate,
--- php-4.3.2/configure.dist 2003-07-01 13:52:41.000000000 +0200
+++ php-4.3.2/configure 2003-07-01 13:53:15.000000000 +0200
@@@@ -51349,10 +51349,6 @@@@
#define HAVE_OCI8_ATTR_STATEMENT 1
EOF
d25 13
a37 4
- cat >> confdefs.h <<\EOF
-#define HAVE_OCI8_SHARED_MODE 1
-EOF
-
d39 24
a62 2
save_old_LDFLAGS=$LDFLAGS
@
1.2.4.1
log
@MFC: latest fixes from CURRENT for PHP and Expat
@
text
@d1 7
a7 6
Index: ext/pdf/pdf.c
--- ext/pdf/pdf.c.orig 2004-02-28 23:58:56 +0100
+++ ext/pdf/pdf.c 2004-07-25 11:35:57 +0200
@@@@ -240,6 +240,16 @@@@
ZEND_GET_MODULE(pdf)
#endif
d9 7
a15 16
+ZEND_BEGIN_MODULE_GLOBALS(pdf)
+FILE *fp;
+ZEND_END_MODULE_GLOBALS(pdf)
+ZEND_DECLARE_MODULE_GLOBALS(pdf)
+#ifdef ZTS
+#define PDF_G(v) TSRMG(pdf_globals_id, zend_pdf_globals *, v)
+#else
+#define PDF_G(v) (pdf_globals.v)
+#endif
+
/* {{{ _free_pdf_doc
*/
static void _free_pdf_doc(zend_rsrc_list_entry *rsrc TSRMLS_DC)
@@@@ -305,6 +315,15 @@@@
}
/* }}} */
d17 4
a20 13
+/* {{{ pdf_flushwrite_fp
+ */
+static size_t pdf_flushwrite_fp(PDF *p, void *data, size_t size)
+{
+ FILE *fp = PDF_G(fp);
+ return fwrite(data, size, 1, fp);
+}
+/* }}} */
+
/* {{{ pdf_flushwrite
*/
static size_t pdf_flushwrite(PDF *p, void *data, size_t size)
@@@@ -339,8 +358,13 @@@@
d22 2
a23 24
/* {{{ PHP_MINIT_FUNCTION
*/
+static void php_pdf_init_globals (zend_pdf_globals *g)
+{
+ g->fp = NULL;
+}
PHP_MINIT_FUNCTION(pdf)
{
+ ZEND_INIT_MODULE_GLOBALS(pdf, php_pdf_init_globals, NULL);
if ((PDF_get_majorversion() != PDFLIB_MAJORVERSION) ||
(PDF_get_minorversion() != PDFLIB_MINORVERSION)) {
php_error(E_ERROR,"PDFlib error: Version mismatch in wrapper code");
@@@@ -469,9 +493,8 @@@@
pdf = PDF_new2(custom_errorhandler, pdf_emalloc, pdf_realloc, pdf_efree, NULL);
if(fp) {
- if (PDF_open_fp(pdf, fp) < 0) {
- RETURN_FALSE;
- }
+ PDF_G(fp) = fp;
+ PDF_begin_document_callback(pdf, pdf_flushwrite_fp, "");
} else {
PDF_open_mem(pdf, pdf_flushwrite);
}
@
1.2.4.2
log
@Security Fixes (OpenPKG-2004.053-php; CAN-2004-1018, CAN-2004-1018, CAN-2004-1019, CAN-2004-1020, CAN-2004-1063, CAN-2004-1064, CAN-2004-1065)
@
text
@a62 400
-----------------------------------------------------------------------------
Security Fixes (OpenPKG-2004.053-php):
o CAN-2004-1018:
shmop_write() out of bounds memory write access.
(ext/shmop/shmop.c)
o CAN-2004-1018:
integer overflow/underflow in pack() and unpack() functions.
(main/php.h, ext/standard/pack.c)
o CAN-2004-1019:
possible information disclosure, double free and negative reference
index array underflow in deserialization code.
(ext/standard/var_unserializer.re, ext/standard/var_unserializer.c)
o CAN-2004-1020:
addslashes() not escaping \0 correctly.
(ext/standard/string.c)
**** NOT NECESSARY IN PHP 4.3.8!! ****
o CAN-2004-1063:
safe_mode execution directory bypass.
(ext/standard/link.c)
o CAN-2004-1064:
arbitrary file access through path truncation.
(main/safe_mode.c)
o CAN-2004-1065:
exif_read_data() overflow on long sectionname.
(ext/exif/exif.c)
o XXX-XXXX-XXXX:
magic_quotes_gpc could lead to one level directory traversal with
file uploads.
(main/rfc1867.c)
Index: ext/exif/exif.c
--- ext/exif/exif.c.orig 2003-12-17 10:08:37 +0100
+++ ext/exif/exif.c 2004-12-16 17:20:05 +0100
@@@@ -2712,7 +2712,7 @@@@
// JPEG does not use absolute pointers instead its pointers are relative to the start
// of the TIFF header in APP1 section.
*/
- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM)) {
+ if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
if (value_ptr < dir_entry) {
/* we can read this if offset_val > 0 */
/* some files have their values in other parts of the file */
@@@@ -3750,7 +3750,7 @@@@
}
}
for (i=0; i shmop->size) {
+ if (offset < 0 || offset > shmop->size) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "offset out of range");
RETURN_FALSE;
}
Index: ext/standard/link.c
--- ext/standard/link.c.orig 2002-12-31 17:35:31 +0100
+++ ext/standard/link.c 2004-12-16 17:20:05 +0100
@@@@ -65,6 +65,14 @@@@
}
convert_to_string_ex(filename);
+ if (PG(safe_mode) && !php_checkuid(Z_STRVAL_PP(filename), NULL, CHECKUID_CHECK_FILE_AND_DIR)) {
+ RETURN_FALSE;
+ }
+
+ if (php_check_open_basedir(Z_STRVAL_PP(filename) TSRMLS_CC)) {
+ RETURN_FALSE;
+ }
+
ret = readlink(Z_STRVAL_PP(filename), buff, MAXPATHLEN-1);
if (ret == -1) {
Index: ext/standard/pack.c
--- ext/standard/pack.c.orig 2004-02-25 13:36:24 +0100
+++ ext/standard/pack.c 2004-12-16 17:20:05 +0100
@@@@ -63,6 +63,13 @@@@
#include
#endif
+#define INC_OUTPUTPOS(a,b) \
+ if ((a) < 0 || ((INT_MAX - outputpos)/(b)) < (a)) { \
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow in format string", code); \
+ RETURN_FALSE; \
+ } \
+ outputpos += (a)*(b);
+
/* Whether machine is little endian */
char machine_little_endian;
@@@@ -246,7 +253,7 @@@@
switch ((int) code) {
case 'h':
case 'H':
- outputpos += (arg + 1) / 2; /* 4 bit per arg */
+ INC_OUTPUTPOS((arg + 1) / 2,1) /* 4 bit per arg */
break;
case 'a':
@@@@ -254,34 +261,34 @@@@
case 'c':
case 'C':
case 'x':
- outputpos += arg; /* 8 bit per arg */
+ INC_OUTPUTPOS(arg,1) /* 8 bit per arg */
break;
case 's':
case 'S':
case 'n':
case 'v':
- outputpos += arg * 2; /* 16 bit per arg */
+ INC_OUTPUTPOS(arg,2) /* 16 bit per arg */
break;
case 'i':
case 'I':
- outputpos += arg * sizeof(int);
+ INC_OUTPUTPOS(arg,sizeof(int))
break;
case 'l':
case 'L':
case 'N':
case 'V':
- outputpos += arg * 4; /* 32 bit per arg */
+ INC_OUTPUTPOS(arg,4) /* 32 bit per arg */
break;
case 'f':
- outputpos += arg * sizeof(float);
+ INC_OUTPUTPOS(arg,sizeof(float))
break;
case 'd':
- outputpos += arg * sizeof(double);
+ INC_OUTPUTPOS(arg,sizeof(double))
break;
case 'X':
@@@@ -650,6 +657,11 @@@@
sprintf(n, "%.*s", namelen, name);
}
+ if (size != 0 && size != -1 && INT_MAX - size + 1 < inputpos) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: integer overflow", type);
+ inputpos = 0;
+ }
+
if ((inputpos + size) <= inputlen) {
switch ((int) type) {
case 'a':
@@@@ -820,6 +832,10 @@@@
}
inputpos += size;
+ if (inputpos < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Type %c: outside of string", type);
+ inputpos = 0;
+ }
} else if (arg < 0) {
/* Reached end of input for '*' repeater */
break;
Index: ext/standard/var_unserializer.re
--- ext/standard/var_unserializer.re.orig 2004-03-27 02:17:06 +0100
+++ ext/standard/var_unserializer.re 2004-12-16 17:20:05 +0100
@@@@ -62,7 +62,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -139,7 +139,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -161,9 +161,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
@@@@ -311,6 +317,8 @@@@
} else {
str = estrndup(YYCURSOR, len);
}
+
+ if (*rval == *rval_ref) return 0;
YYCURSOR += len + 2;
*p = YYCURSOR;
Index: ext/standard/var_unserializer.c
--- ext/standard/var_unserializer.c.orig 2004-07-13 16:53:12 +0200
+++ ext/standard/var_unserializer.c 2004-12-16 17:20:05 +0100
@@@@ -63,7 +63,7 @@@@
if (!var_hash) return !SUCCESS;
- if (id >= var_hash->used_slots) return !SUCCESS;
+ if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
*store = &var_hash->data[id];
@@@@ -134,7 +134,7 @@@@
static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, int elements)
{
while (elements-- > 0) {
- zval *key, *data;
+ zval *key, *data, *old_data;
ALLOC_INIT_ZVAL(key);
@@@@ -156,9 +156,15 @@@@
switch (Z_TYPE_P(key)) {
case IS_LONG:
+ if (zend_hash_index_find(ht, Z_LVAL_P(key), (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_index_update(ht, Z_LVAL_P(key), &data, sizeof(data), NULL);
break;
case IS_STRING:
+ if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)) {
+ var_replace(var_hash, old_data, rval);
+ }
zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof(data), NULL);
break;
@@@@ -566,6 +572,8 @@@@
str = estrndup(YYCURSOR, len);
}
+ if (*rval == *rval_ref) return 0;
+
YYCURSOR += len + 2;
*p = YYCURSOR;
Index: main/php.h
--- main/php.h.orig 2003-09-25 01:22:32 +0200
+++ main/php.h 2004-12-16 17:20:05 +0100
@@@@ -226,6 +226,14 @@@@
#define LONG_MIN (- LONG_MAX - 1)
#endif
+#ifndef INT_MAX
+#define INT_MAX 2147483647
+#endif
+
+#ifndef INT_MIN
+#define INT_MIN (- INT_MAX - 1)
+#endif
+
#define PHP_GCC_VERSION ZEND_GCC_VERSION
#define PHP_ATTRIBUTE_MALLOC ZEND_ATTRIBUTE_MALLOC
#define PHP_ATTRIBUTE_FORMAT ZEND_ATTRIBUTE_FORMAT
Index: main/safe_mode.c
--- main/safe_mode.c.orig 2003-03-17 14:50:23 +0100
+++ main/safe_mode.c 2004-12-16 17:20:05 +0100
@@@@ -54,13 +54,16 @@@@
php_stream_wrapper *wrapper = NULL;
TSRMLS_FETCH();
- strlcpy(filenamecopy, filename, MAXPATHLEN);
- filename=(char *)&filenamecopy;
-
if (!filename) {
return 0; /* path must be provided */
}
+ if (strlcpy(filenamecopy, filename, MAXPATHLEN)>=MAXPATHLEN) {
+ return 0;
+ }
+ filename=(char *)&filenamecopy;
+
+
if (fopen_mode) {
if (fopen_mode[0] == 'r') {
mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;
Index: main/rfc1867.c
--- main/rfc1867.c.orig 2004-07-13 15:15:31 +0200
+++ main/rfc1867.c 2004-12-16 17:20:05 +0100
@@@@ -126,6 +126,7 @@@@
#define UPLOAD_ERROR_B 2 /* Uploaded file exceeded MAX_FILE_SIZE */
#define UPLOAD_ERROR_C 3 /* Partially uploaded */
#define UPLOAD_ERROR_D 4 /* No file uploaded */
+#define UPLOAD_ERROR_E 6 /* Missing /tmp or similar directory */
void php_rfc1867_register_constants(TSRMLS_D)
{
@@@@ -134,6 +135,7 @@@@
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_FORM_SIZE", UPLOAD_ERROR_B, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_PARTIAL", UPLOAD_ERROR_C, CONST_CS | CONST_PERSISTENT);
REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_FILE", UPLOAD_ERROR_D, CONST_CS | CONST_PERSISTENT);
+ REGISTER_MAIN_LONG_CONSTANT("UPLOAD_ERR_NO_TMP_DIR", UPLOAD_ERROR_E, CONST_CS | CONST_PERSISTENT);
}
static void normalize_protected_variable(char *varname TSRMLS_DC)
@@@@ -924,12 +926,14 @@@@
SAFE_RETURN;
}
+ total_bytes = cancel_upload = 0;
+
if (!skip_upload) {
/* Handle file */
fp = php_open_temporary_file(PG(upload_tmp_dir), "php", &temp_filename TSRMLS_CC);
if (!fp) {
sapi_module.sapi_error(E_WARNING, "File upload error - unable to create a temporary file");
- skip_upload = 1;
+ cancel_upload = UPLOAD_ERROR_E;
}
}
if (skip_upload) {
@@@@ -938,9 +942,6 @@@@
continue;
}
- total_bytes = 0;
- cancel_upload = 0;
-
if(strlen(filename) == 0) {
#ifdef DEBUG_FILE_UPLOAD
sapi_module.sapi_error(E_NOTICE, "No file uploaded");
@@@@ -967,10 +968,12 @@@@
}
}
}
- fclose(fp);
+ if (fp) {
+ fclose(fp);
+ }
#ifdef DEBUG_FILE_UPLOAD
- if(strlen(filename) > 0 && total_bytes == 0) {
+ if(strlen(filename) > 0 && total_bytes == 0 && !cancel_upload) {
sapi_module.sapi_error(E_WARNING, "Uploaded file size 0 - file [%s=%s] not saved", param, filename);
cancel_upload = 5;
}
@@@@ -978,7 +981,9 @@@@
if (cancel_upload) {
if (temp_filename) {
- unlink(temp_filename);
+ if (cancel_upload != UPLOAD_ERROR_E) { /* file creation failed */
+ unlink(temp_filename);
+ }
efree(temp_filename);
}
temp_filename="";
@@@@ -1048,6 +1053,14 @@@@
s = tmp;
}
#endif
+ if (PG(magic_quotes_gpc)) {
+ s = s ? s : filename;
+ tmp = strrchr(s, '\'');
+ s = tmp > s ? tmp : s;
+ tmp = strrchr(s, '"');
+ s = tmp > s ? tmp : s;
+ }
+
if (s && s > filename) {
safe_php_register_variable(lbuf, s+1, NULL, 0 TSRMLS_CC);
} else {
@
1.2.4.3
log
@Shit happens: one hunk too much, others missing plus a whole file not patched
@
text
@d88 1
a88 1
(ext/standard/link.c, TSRM/tsrm_virtual_cwd.c)
d246 1
a246 1
+++ ext/standard/var_unserializer.re 2004-12-16 21:09:57 +0100
d281 3
a283 13
@@@@ -398,7 +404,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -406,7 +411,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d285 2
d288 1
a289 10
@@@@ -414,8 +418,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
d292 1
a292 1
+++ ext/standard/var_unserializer.c 2004-12-16 21:10:16 +0100
d327 2
a328 13
@@@@ -435,7 +441,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
}
}
}
@@@@ -443,7 +448,6 @@@@
#ifdef ZEND_ENGINE_2
ce = *(zend_class_entry **)ce; /* Bad hack, TBF! */
#endif
- efree(class_name);
d331 3
a334 7
@@@@ -451,8 +455,8 @@@@
if (incomplete_class) {
php_store_class_name(*rval, class_name, len2 TSRMLS_CC);
- efree(class_name);
}
+ efree(class_name);
a335 2
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
a462 103
Index: TSRM/tsrm_virtual_cwd.c
--- TSRM/tsrm_virtual_cwd.c.orig 2003-07-28 20:35:34 +0200
+++ TSRM/tsrm_virtual_cwd.c 2004-12-16 21:15:08 +0100
@@@@ -301,15 +301,22 @@@@
if (path_length == 0)
return (0);
+ if (path_length >= MAXPATHLEN)
+ return (1);
#if !defined(TSRM_WIN32) && !defined(NETWARE)
/* cwd_length can be 0 when getcwd() fails.
* This can happen under solaris when a dir does not have read permissions
* but *does* have execute permissions */
if (IS_ABSOLUTE_PATH(path, path_length) || (state->cwd_length < 1)) {
- if (use_realpath && realpath(path, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (use_realpath) {
+ if (realpath(path, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ return 1; */
+ }
}
} else { /* Concat current directory with relative path and then run realpath() on it */
char *tmp;
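Review bot: The new `else` branch after `realpath(path, resolved_path)` contains only the commented-out `return 1;`, so a path that cannot be resolved still continues with the unresolved string, as it did before the change. If that fallback is intended, say so in place of the dead code, e.g. `/* realpath() failed: keep the unresolved path; callers must not assume it is canonical */`; if not, the failure should be returned. The hunk at -325 has the same empty branch for `realpath(tmp, resolved_path)`. The function body starts and ends outside the hunk.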
@@@@ -325,9 +332,19 @@@@
memcpy(ptr, path, path_length);
ptr += path_length;
*ptr = '\0';
- if (use_realpath && realpath(tmp, resolved_path)) {
- path = resolved_path;
- path_length = strlen(path);
+ if (strlen(tmp) >= MAXPATHLEN) {
+ free(tmp);
+ return 1;
+ }
+ if (use_realpath) {
+ if (realpath(tmp, resolved_path)) {
+ path = resolved_path;
+ path_length = strlen(path);
+ } else {
+ /* disable for now
+ free(tmp);
+ return 1; */
+ }
}
free(tmp);
}
@@@@ -818,13 +835,24 @@@@
CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC)
{
int command_length;
+ int dir_length, extra = 0;
char *command_line;
- char *ptr;
+ char *ptr, *dir;
FILE *retval;
command_length = strlen(command);
- ptr = command_line = (char *) malloc(command_length + sizeof("cd ; ") + CWDG(cwd).cwd_length+1);
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+ while (dir_length > 0) {
+ if (*dir == '\'') extra+=3;
+ dir++;
+ dir_length--;
+ }
+ dir_length = CWDG(cwd).cwd_length;
+ dir = CWDG(cwd).cwd;
+
+ ptr = command_line = (char *) malloc(command_length + sizeof("cd '' ; ") + dir_length +1+1);
if (!command_line) {
return NULL;
}
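Review bot: `extra` is counted (three bytes per single quote in the working directory) but never added to the `malloc()` size, while the escaping loop in the following hunk writes four bytes for every quote. As written, a working directory containing `'` makes the copy run past the end of `command_line`. The size should include the count: `malloc(command_length + sizeof("cd '' ; ") + dir_length + extra + 1 + 1)`. The lengths are `int`, so a range check on the sum before allocating would be a further safeguard. The rest of `virtual_popen` is outside the hunk.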
@@@@ -834,8 +862,21 @@@@
if (CWDG(cwd).cwd_length == 0) {
*ptr++ = DEFAULT_SLASH;
} else {
- memcpy(ptr, CWDG(cwd).cwd, CWDG(cwd).cwd_length);
- ptr += CWDG(cwd).cwd_length;
+ *ptr++ = '\'';
+ while (dir_length > 0) {
+ switch (*dir) {
+ case '\'':
+ *ptr++ = '\'';
+ *ptr++ = '\\';
+ *ptr++ = '\'';
+ /* fall-through */
+ default:
+ *ptr++ = *dir;
+ }
+ dir++;
+ dir_length--;
+ }
+ *ptr++ = '\'';
}
*ptr++ = ' ';
@
1.2.2.1
log
@SA-2004.034-php; CAN-2004-0594, CAN-2004-0595
@
text
@d1 19
a19 347
OpenPKG-SA-2004.034-php; CAN-2004-0594, CAN-2004-0595
Index: php-4.3.4/Zend/zend_alloc.c
===================================================================
--- php-4.3.4.orig/Zend/zend_alloc.c 2004-07-14 12:48:39.063013753 +0200
+++ php-4.3.4/Zend/zend_alloc.c 2004-07-14 12:48:53.975006655 +0200
@@@@ -67,7 +67,7 @@@@
#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { AG(allocated_memory) += rs;\
if (AG(memory_limit) AG(allocated_memory) - rs) { \
+ if (EG(in_execution) && AG(memory_limit)+1048576 > AG(allocated_memory) - rs) { \
AG(memory_limit) = AG(allocated_memory) + 1048576; \
if (file) { \
zend_error(E_ERROR,"Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes)", php_mem_limit, file, lineno, s); \
Index: php-4.3.4/Zend/zend_hash.c
===================================================================
--- php-4.3.4.orig/Zend/zend_hash.c 2004-07-14 13:14:45.475609161 +0200
+++ php-4.3.4/Zend/zend_hash.c 2004-07-14 13:14:55.865900116 +0200
@@@@ -174,6 +174,7 @@@@
ZEND_API int zend_hash_init(HashTable *ht, uint nSize, hash_func_t pHashFunction, dtor_func_t pDestructor, int persistent)
{
uint i = 3;
+ Bucket **tmp;
SET_INCONSISTENT(HT_OK);
@@@@ -183,14 +184,6 @@@@
ht->nTableSize = 1 << i;
ht->nTableMask = ht->nTableSize - 1;
-
- /* Uses ecalloc() so that Bucket* == NULL */
- ht->arBuckets = (Bucket **) pecalloc(ht->nTableSize, sizeof(Bucket *), persistent);
-
- if (!ht->arBuckets) {
- return FAILURE;
- }
-
ht->pDestructor = pDestructor;
ht->pListHead = NULL;
ht->pListTail = NULL;
@@@@ -200,6 +193,16 @@@@
ht->persistent = persistent;
ht->nApplyCount = 0;
ht->bApplyProtection = 1;
+ ht->arBuckets = NULL;
+
+ /* Uses ecalloc() so that Bucket* == NULL */
+ tmp = (Bucket **) pecalloc(ht->nTableSize, sizeof(Bucket *), persistent);
+
+ if (!tmp) {
+ return FAILURE;
+ }
+ ht->arBuckets = tmp;
+
return SUCCESS;
}
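Review bot: Nothing in the new code says why `ht->arBuckets` is first set to NULL and only assigned from `tmp` after `pecalloc()` returns, and the comment carried along still names `ecalloc()`. Presumably the point is that the table never holds a half-initialised bucket array if the allocation does not return normally; a comment such as `/* publish the bucket array only after the allocation returned, so ht is always consistent */` would record that. The same allocate-into-a-local pattern appears without explanation in the zend_variables.c, session.c, w32api.c, main.c and rfc1867.c hunks of this patch.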
Index: php-4.3.4/Zend/zend_variables.c
===================================================================
--- php-4.3.4.orig/Zend/zend_variables.c 2004-07-14 13:14:45.481608752 +0200
+++ php-4.3.4/Zend/zend_variables.c 2004-07-14 13:14:55.865900116 +0200
@@@@ -114,27 +114,31 @@@@
case IS_CONSTANT_ARRAY: {
zval *tmp;
HashTable *original_ht = zvalue->value.ht;
+ HashTable *tmp_ht = NULL;
TSRMLS_FETCH();
if (zvalue->value.ht == &EG(symbol_table)) {
return SUCCESS; /* do nothing */
}
- ALLOC_HASHTABLE_REL(zvalue->value.ht);
- zend_hash_init(zvalue->value.ht, 0, NULL, ZVAL_PTR_DTOR, 0);
- zend_hash_copy(zvalue->value.ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ ALLOC_HASHTABLE_REL(tmp_ht);
+ zend_hash_init(tmp_ht, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_hash_copy(tmp_ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zvalue->value.ht = tmp_ht;
}
break;
case IS_OBJECT: {
zval *tmp;
HashTable *original_ht = zvalue->value.obj.properties;
+ HashTable *tmp_ht = NULL;
TSRMLS_FETCH();
if (zvalue->value.obj.properties == &EG(symbol_table)) {
return SUCCESS; /* do nothing */
}
- ALLOC_HASHTABLE_REL(zvalue->value.obj.properties);
- zend_hash_init(zvalue->value.obj.properties, 0, NULL, ZVAL_PTR_DTOR, 0);
- zend_hash_copy(zvalue->value.obj.properties, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ ALLOC_HASHTABLE_REL(tmp_ht);
+ zend_hash_init(tmp_ht, 0, NULL, ZVAL_PTR_DTOR, 0);
+ zend_hash_copy(tmp_ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+ zvalue->value.obj.properties = tmp_ht;
}
break;
}
Index: php-4.3.4/ext/mssql/php_mssql.c
===================================================================
--- php-4.3.4.orig/ext/mssql/php_mssql.c 2004-07-14 13:14:45.428612368 +0200
+++ php-4.3.4/ext/mssql/php_mssql.c 2004-07-14 13:14:55.868899911 +0200
@@@@ -343,6 +343,7 @@@@
PHP_RSHUTDOWN_FUNCTION(mssql)
{
STR_FREE(MS_SQL_G(appname));
+ MS_SQL_G(appname) = NULL;
if (MS_SQL_G(server_message)) {
STR_FREE(MS_SQL_G(server_message));
}
Index: php-4.3.4/ext/session/session.c
===================================================================
--- php-4.3.4.orig/ext/session/session.c 2004-07-14 13:14:45.433612027 +0200
+++ php-4.3.4/ext/session/session.c 2004-07-14 13:14:55.869899843 +0200
@@@@ -499,13 +499,16 @@@@
static void php_session_track_init(TSRMLS_D)
{
+ zval *session_vars = NULL;
+
/* Unconditionally destroy existing arrays -- possible dirty data */
zend_hash_del(&EG(symbol_table), "HTTP_SESSION_VARS",
sizeof("HTTP_SESSION_VARS"));
zend_hash_del(&EG(symbol_table), "_SESSION", sizeof("_SESSION"));
- MAKE_STD_ZVAL(PS(http_session_vars));
- array_init(PS(http_session_vars));
+ MAKE_STD_ZVAL(session_vars);
+ array_init(session_vars);
+ PS(http_session_vars) = session_vars;
ZEND_SET_GLOBAL_VAR_WITH_LENGTH("HTTP_SESSION_VARS", sizeof("HTTP_SESSION_VARS"), PS(http_session_vars), 2, 1);
ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1);
Index: php-4.3.4/ext/sybase/php_sybase_db.c
===================================================================
--- php-4.3.4.orig/ext/sybase/php_sybase_db.c 2004-07-14 13:14:45.456610458 +0200
+++ php-4.3.4/ext/sybase/php_sybase_db.c 2004-07-14 13:14:55.871899707 +0200
@@@@ -297,7 +297,9 @@@@
PHP_RSHUTDOWN_FUNCTION(sybase)
{
efree(php_sybase_module.appname);
+ php_sybase_module.appname = NULL;
STR_FREE(php_sybase_module.server_message);
+ php_sybase_module.server_message = NULL;
return SUCCESS;
}
Index: php-4.3.4/ext/sybase_ct/php_sybase_ct.c
===================================================================
--- php-4.3.4.orig/ext/sybase_ct/php_sybase_ct.c 2004-07-14 13:14:45.470609502 +0200
+++ php-4.3.4/ext/sybase_ct/php_sybase_ct.c 2004-07-14 13:14:55.874899502 +0200
@@@@ -407,11 +407,13 @@@@
PHP_RSHUTDOWN_FUNCTION(sybase)
{
efree(SybCtG(appname));
+ SybCtG(appname) = NULL;
if (SybCtG(callback_name)) {
zval_ptr_dtor(&SybCtG(callback_name));
SybCtG(callback_name)= NULL;
}
STR_FREE(SybCtG(server_message));
+ SybCtG(server_message) = NULL;
return SUCCESS;
}
Index: php-4.3.4/ext/w32api/w32api.c
===================================================================
--- php-4.3.4.orig/ext/w32api/w32api.c 2004-07-14 13:14:45.450610867 +0200
+++ php-4.3.4/ext/w32api/w32api.c 2004-07-14 13:14:55.876899366 +0200
@@@@ -290,20 +290,26 @@@@
*/
PHP_RINIT_FUNCTION(w32api)
{
+ HashTable *tmp;
+ WG(funcs) = WG(libraries) = WG(callbacks) = WG(types) = NULL;
+
/* Allocate Request Specific HT's here
*/
- ALLOC_HASHTABLE(WG(funcs));
- zend_hash_init(WG(funcs), 1, NULL, php_w32api_hash_func_dtor, 1);
-
- ALLOC_HASHTABLE(WG(libraries));
- zend_hash_init(WG(libraries), 1, NULL, php_w32api_hash_lib_dtor, 1);
-
- ALLOC_HASHTABLE(WG(callbacks));
- zend_hash_init(WG(callbacks), 1, NULL, php_w32api_hash_callback_dtor, 1);
-
- ALLOC_HASHTABLE(WG(types));
- zend_hash_init(WG(types), 1, NULL, php_w32api_hash_type_dtor, 1);
-
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_func_dtor, 1);
+ WG(funcs) = tmp;
+
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_lib_dtor, 1);
+ WG(libraries) = tmp;
+
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_callback_dtor, 1);
+ WG(callbacks) = tmp;
+
+ ALLOC_HASHTABLE(tmp);
+ zend_hash_init(tmp, 1, NULL, php_w32api_hash_type_dtor, 1);
+ WG(types) = tmp;
return SUCCESS;
@@@@ -330,6 +336,7 @@@@
zend_hash_destroy(WG(types));
FREE_HASHTABLE(WG(types));
+ WG(funcs) = WG(libraries) = WG(callbacks) = WG(types) = NULL;
return SUCCESS;
}
Index: php-4.3.4/main/main.c
===================================================================
--- php-4.3.4.orig/main/main.c 2004-07-14 13:14:45.491608069 +0200
+++ php-4.3.4/main/main.c 2004-07-14 13:14:55.878899229 +0200
@@@@ -1367,6 +1367,7 @@@@
int _gpc_flags[5] = {0, 0, 0, 0, 0};
zend_bool have_variables_order;
zval *dummy_track_vars_array = NULL;
+ zval *env_vars = NULL;
zend_bool initialized_dummy_track_vars_array=0;
int i;
char *variables_order;
@@@@ -1399,9 +1400,10 @@@@
} else {
variables_order = PG(gpc_order);
have_variables_order=0;
- ALLOC_ZVAL(PG(http_globals)[TRACK_VARS_ENV]);
- array_init(PG(http_globals)[TRACK_VARS_ENV]);
- INIT_PZVAL(PG(http_globals)[TRACK_VARS_ENV]);
+ ALLOC_ZVAL(env_vars);
+ array_init(env_vars);
+ INIT_PZVAL(env_vars);
+ PG(http_globals)[TRACK_VARS_ENV] = env_vars;
php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC);
if (PG(register_globals)) {
php_autoglobal_merge(&EG(symbol_table), Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]) TSRMLS_CC);
@@@@ -1444,9 +1446,10 @@@@
case 'E':
if (!_gpc_flags[3]) {
if (have_variables_order) {
- ALLOC_ZVAL(PG(http_globals)[TRACK_VARS_ENV]);
- array_init(PG(http_globals)[TRACK_VARS_ENV]);
- INIT_PZVAL(PG(http_globals)[TRACK_VARS_ENV]);
+ ALLOC_ZVAL(env_vars);
+ array_init(env_vars);
+ INIT_PZVAL(env_vars);
+ PG(http_globals)[TRACK_VARS_ENV] = env_vars;
php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC);
if (PG(register_globals)) {
php_autoglobal_merge(&EG(symbol_table), Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV]) TSRMLS_CC);
Index: php-4.3.4/main/rfc1867.c
===================================================================
--- php-4.3.4.orig/main/rfc1867.c 2004-07-14 13:14:45.485608479 +0200
+++ php-4.3.4/main/rfc1867.c 2004-07-14 13:16:53.079904285 +0200
@@@@ -693,7 +693,7 @@@@
char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL;
char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL;
int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0, max_file_size=0, skip_upload=0;
- zval *http_post_files=NULL;
+ zval *http_post_files=NULL; HashTable *uploaded_files=NULL;
zend_bool magic_quotes_gpc;
multipart_buffer *mbuff;
zval *array_ptr = (zval *) arg;
@@@@ -743,8 +743,9 @@@@
/* Initialize $_FILES[] */
zend_hash_init(&PG(rfc1867_protected_variables), 5, NULL, NULL, 0);
- ALLOC_HASHTABLE(SG(rfc1867_uploaded_files));
- zend_hash_init(SG(rfc1867_uploaded_files), 5, NULL, (dtor_func_t) free_estring, 0);
+ ALLOC_HASHTABLE(uploaded_files);
+ zend_hash_init(uploaded_files, 5, NULL, (dtor_func_t) free_estring, 0);
+ SG(rfc1867_uploaded_files) = uploaded_files;
ALLOC_ZVAL(http_post_files);
array_init(http_post_files);
Patches within this file... More or less security related
---------------------------------------------------------
Fixed: Alloca replaced by emalloc() where the size is user supplied
Zend/zend_constants.c
ext/msession/msession.c
ext/pcntl/pcntl.c
ext/session/mod_mm.c
ext/wddx/wddx.c
Fixed: Off-By-One in memory allocation for IMAP addresses
ext/imap/php_imap.c
Fixed: Correctly disable CLIENT_LOCAL_FILE option when open_basedir set
ext/mysql/php_mysql.c
Fixed: Added missing safe_mode check
ext/standard/ftok.c
ext/standard/iptc.c
Fixed: Made strip_slashes binary safe to work around an IE bug (feature?)
ext/standard/string.c
before strip_slashes($input, ""); would believe <\0whatever>
is a valid tag (because it would search in "" for "<\0"
and of course our friend internet explorer accepts <\0whatever>
as
Index: php-4.3.4/Zend/zend_constants.c
===================================================================
--- php-4.3.4.orig/Zend/zend_constants.c 2004-07-14 13:16:57.582597240 +0200
+++ php-4.3.4/Zend/zend_constants.c 2004-07-14 13:20:37.300623859 +0200
@@@@ -220,8 +220,7 @@@@
int retval = 1;
if (zend_hash_find(EG(zend_constants), name, name_len+1, (void **) &c) == FAILURE) {
- lookup_name = do_alloca(name_len+1);
- memcpy(lookup_name, name, name_len+1);
+ lookup_name = estrndup(name, name_len);
zend_str_tolower(lookup_name, name_len);
if (zend_hash_find(EG(zend_constants), lookup_name, name_len+1, (void **) &c)==SUCCESS) {
@@@@ -231,7 +230,7 @@@@
} else {
retval=0;
}
- free_alloca(lookup_name);
+ efree(lookup_name);
}
if (retval) {
@@@@ -252,9 +251,7 @@@@
printf("Registering constant for module %d\n", c->module_number);
#endif
- lowercase_name = do_alloca(c->name_len);
a20 251
- memcpy(lowercase_name, c->name, c->name_len);
+ lowercase_name = estrndup(c->name, c->name_len);
if (!(c->flags & CONST_CS)) {
zend_str_tolower(lowercase_name, c->name_len);
@@@@ -268,7 +265,7 @@@@
zend_error(E_NOTICE,"Constant %s already defined", lowercase_name);
ret = FAILURE;
}
- free_alloca(lowercase_name);
+ efree(lowercase_name);
return ret;
}
Index: php-4.3.4/ext/imap/php_imap.c
===================================================================
--- php-4.3.4.orig/ext/imap/php_imap.c 2004-07-14 13:16:57.532600650 +0200
+++ php-4.3.4/ext/imap/php_imap.c 2004-07-14 13:16:59.114492780 +0200
@@@@ -3674,7 +3674,7 @@@@
addresstmp = addresslist;
if ((len = _php_imap_address_size(addresstmp))) {
- tmpstr = (char *) malloc (len);
+ tmpstr = (char *) malloc(len + 1);
tmpstr[0] = '\0';
rfc822_write_address(tmpstr, addresstmp);
*fulladdress = tmpstr;
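Review bot: `tmpstr[0] = '\0';` writes through the result of `malloc(len + 1)` without checking it for NULL. A guard is needed before the write, e.g. `if (!tmpstr) { /* report allocation failure */ }`; what to return depends on the enclosing function, which is outside the hunk. `rfc822_write_address()` is also given no size, so the fix relies on `_php_imap_address_size()` covering everything that call writes, which cannot be confirmed from here.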
Index: php-4.3.4/ext/msession/msession.c
===================================================================
--- php-4.3.4.orig/ext/msession/msession.c 2004-07-14 13:16:57.577597581 +0200
+++ php-4.3.4/ext/msession/msession.c 2004-07-14 13:16:59.116492644 +0200
@@@@ -1266,7 +1266,7 @@@@
{
int port;
int len = strlen(save_path)+1;
- char * path = alloca(len);
+ char * path = emalloc(len);
char * szport;
strcpy(path, save_path);
@@@@ -1285,7 +1285,13 @@@@
ELOG( "ps_open_msession");
PS_SET_MOD_DATA((void *)1); /* session.c needs a non-zero here! */
- return PHPMsessionConnect(path, port) ? SUCCESS : FAILURE;
+ if (PHPMsessionConnect(path, port)) {
+ efree(path);
+ return SUCCESS;
+ } else {
+ efree(path);
+ return FAILURE;
+ }
}
PS_CLOSE_FUNC(msession)
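Review bot: `efree(path)` is duplicated in both arms of the new `if`/`else`. Storing the result in a local declared with the other variables keeps a single release point: `ret = PHPMsessionConnect(path, port) ? SUCCESS : FAILURE; efree(path); return ret;`. Any other return between the `emalloc(len)` in the hunk at -1266 and this point would also need the `efree`, and that code is not visible here.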
Index: php-4.3.4/ext/mysql/php_mysql.c
===================================================================
--- php-4.3.4.orig/ext/mysql/php_mysql.c 2004-07-14 13:16:57.544599832 +0200
+++ php-4.3.4/ext/mysql/php_mysql.c 2004-07-14 13:16:59.118492507 +0200
@@@@ -259,6 +259,9 @@@@
*/
static void php_mysql_set_default_link(int id TSRMLS_DC)
{
+ if (MySG(default_link) != -1) {
+ zend_list_delete(MySG(default_link));
+ }
MySG(default_link) = id;
zend_list_addref(id);
}
@@@@ -591,7 +594,7 @@@@
break;
}
/* disable local infile option for open_basedir */
- if (PG(open_basedir) && strlen(PG(open_basedir))) {
+ if (PG(open_basedir) && strlen(PG(open_basedir)) && (client_flags & CLIENT_LOCAL_FILES)) {
client_flags ^= CLIENT_LOCAL_FILES;
}
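Review bot: `client_flags ^= CLIENT_LOCAL_FILES;` toggles the bit, which is why the added `(client_flags & CLIENT_LOCAL_FILES)` test is needed to keep it from switching the option on when it was off. Clearing the bit directly is idempotent and needs no extra condition: `client_flags &= ~CLIENT_LOCAL_FILES;` under the original `open_basedir` test. The enclosing function is outside the hunk.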
Index: php-4.3.4/ext/pcntl/pcntl.c
===================================================================
--- php-4.3.4.orig/ext/pcntl/pcntl.c 2004-07-14 13:16:57.550599422 +0200
+++ php-4.3.4/ext/pcntl/pcntl.c 2004-07-14 13:16:59.119492439 +0200
@@@@ -386,7 +386,7 @@@@
args_hash = HASH_OF(args);
argc = zend_hash_num_elements(args_hash);
- argv = alloca((argc+2) * sizeof(char *));
+ argv = safe_emalloc((argc + 2), sizeof(char *), 0);
*argv = path;
for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1;
(argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
@@@@ -397,7 +397,7 @@@@
}
*(current_arg) = NULL;
} else {
- argv = alloca(2 * sizeof(char *));
+ argv = emalloc(2 * sizeof(char *));
*argv = path;
*(argv+1) = NULL;
}
@@@@ -407,13 +407,13 @@@@
envs_hash = HASH_OF(envs);
envc = zend_hash_num_elements(envs_hash);
- envp = alloca((envc+1) * sizeof(char *));
+ envp = safe_emalloc((envc + 1), sizeof(char *), 0);
for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp;
(envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS));
(envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) {
case HASH_KEY_IS_LONG:
- key = alloca(101);
+ key = emalloc(101);
snprintf(key, 100, "%ld", key_num);
key_length = strlen(key);
break;
@@@@ -432,7 +432,7 @@@@
strlcat(*pair, Z_STRVAL_PP(element), pair_length);
/* Cleanup */
- if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+ if (return_val == HASH_KEY_IS_LONG) efree(key);
}
*(pair) = NULL;
}
@@@@ -445,10 +445,10 @@@@
/* Cleanup */
if (envp != NULL) {
for (pair = envp; *pair != NULL; pair++) efree(*pair);
- free_alloca(envp);
+ efree(envp);
}
- free_alloca(argv);
+ efree(argv);
RETURN_FALSE;
}
Index: php-4.3.4/ext/session/mod_mm.c
===================================================================
--- php-4.3.4.orig/ext/session/mod_mm.c 2004-07-14 13:16:57.555599082 +0200
+++ php-4.3.4/ext/session/mod_mm.c 2004-07-14 13:16:59.120492371 +0200
@@@@ -16,7 +16,7 @@@@
+----------------------------------------------------------------------+
*/
-/* $Id: mod_mm.c,v 1.39.4.3 2002/12/31 16:35:20 sebastian Exp $ */
+/* $Id: mod_mm.c,v 1.39.4.4 2004/06/30 01:12:09 iliaa Exp $ */
#include "php.h"
@@@@ -264,7 +264,7 @@@@
return FAILURE;
/* Directory + '/' + File + Module Name + Effective UID + \0 */
- ps_mm_path = do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
+ ps_mm_path = emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
memcpy(ps_mm_path, PS(save_path), save_path_len + 1);
if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) {
@@@@ -277,7 +277,7 @@@@
ret = ps_mm_initialize(ps_mm_instance, ps_mm_path);
- free_alloca(ps_mm_path);
+ efree(ps_mm_path);
if (ret != SUCCESS) {
free(ps_mm_instance);
Index: php-4.3.4/ext/standard/ftok.c
===================================================================
--- php-4.3.4.orig/ext/standard/ftok.c 2004-07-14 13:16:57.560598741 +0200
+++ php-4.3.4/ext/standard/ftok.c 2004-07-14 13:16:59.120492371 +0200
@@@@ -16,7 +16,7 @@@@
+----------------------------------------------------------------------+
*/
-/* $Id: ftok.c,v 1.9.2.1 2002/12/31 16:35:28 sebastian Exp $ */
+/* $Id: ftok.c,v 1.9.2.2 2004/06/24 00:48:56 iliaa Exp $ */
#include "php.h"
@@@@ -52,6 +52,10 @@@@
RETURN_LONG(-1);
}
+ if ((PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(pathname), NULL, CHECKUID_CHECK_FILE_AND_DIR))) || php_check_open_basedir(Z_STRVAL_PP(pathname) TSRMLS_CC)) {
+ RETURN_LONG(-1);
+ }
+
k = ftok(Z_STRVAL_PP(pathname),Z_STRVAL_PP(proj)[0]);
RETURN_LONG(k);
Index: php-4.3.4/ext/standard/iptc.c
===================================================================
--- php-4.3.4.orig/ext/standard/iptc.c 2004-07-14 13:16:57.565598400 +0200
+++ php-4.3.4/ext/standard/iptc.c 2004-07-14 13:16:59.121492303 +0200
@@@@ -208,6 +208,10 @@@@
break;
}
+ if (PG(safe_mode) && (!php_checkuid(Z_STRVAL_PP(jpeg_file), NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ RETURN_FALSE;
+ }
+
if (php_check_open_basedir(Z_STRVAL_PP(jpeg_file) TSRMLS_CC)) {
RETURN_FALSE;
}
@@@@ -347,7 +351,7 @@@@
inx += 2;
}
- sprintf(key, "%d#%03d", (unsigned int) dataset, (unsigned int) recnum);
+ snprintf(key, sizeof(key), "%d#%03d", (unsigned int) dataset, (unsigned int) recnum);
if ((len > length) || (inx + len) > length)
break;
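Review bot: `sizeof(key)` bounds the write only if `key` is an array declared in this function; if it is a pointer, the limit becomes the pointer size. The declaration is outside the hunk, so this should be confirmed. The format also prints the `(unsigned int)` arguments with `%d`; `"%u#%03u"` would match the casts.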
Index: php-4.3.4/ext/standard/string.c
===================================================================
--- php-4.3.4.orig/ext/standard/string.c 2004-07-14 13:16:57.572597922 +0200
+++ php-4.3.4/ext/standard/string.c 2004-07-14 13:16:59.125492030 +0200
@@@@ -3349,6 +3349,8 @@@@
while (i < len) {
switch (c) {
+ case '\0':
+ break;
case '<':
if (isspace(*(p + 1))) {
goto reg_char;
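Review bot: The added `case '\0': break;` has no comment, and without the description earlier in this patch file the reason for treating NUL bytes specially in this loop is not obvious. A one-line comment, e.g. `/* skip embedded NUL bytes so "<\0tag" cannot get past the tag matching below */`, would keep the intent with the code. The `break` leaves only the `switch`; whether the pointer and counter are advanced afterwards is decided outside the hunk.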
Index: php-4.3.4/ext/wddx/wddx.c
===================================================================
--- php-4.3.4.orig/ext/wddx/wddx.c 2004-07-14 13:16:57.538600241 +0200
+++ php-4.3.4/ext/wddx/wddx.c 2004-07-14 13:16:59.126491962 +0200
@@@@ -16,7 +16,7 @@@@
+----------------------------------------------------------------------+
*/
-/* $Id: wddx.c,v 1.96.2.5 2003/10/20 15:42:10 moriyoshi Exp $ */
+/* $Id: wddx.c,v 1.96.2.6 2004/06/30 01:12:09 iliaa Exp $ */
#include "php.h"
#include "php_wddx.h"
@@@@ -1069,7 +1069,7 @@@@
case ST_DATETIME: {
char *tmp;
- tmp = do_alloca(len + 1);
+ tmp = emalloc(len + 1);
memcpy(tmp, s, len);
tmp[len] = '\0';
d22 2
a23 10
@@@@ -1080,7 +1080,7 @@@@
Z_STRLEN_P(ent->data) = len;
Z_STRVAL_P(ent->data) = estrndup(s, len);
}
- free_alloca(tmp);
+ efree(tmp);
}
default:
break;
@
1.1
log
@use canonical patch filenames only
@
text
@@
1.1.2.1
log
@mass Merge-From-CURRENT (MFC) in preparation for OpenPKG 1.3 [class BASE only]
@
text
@@