Commit: 544940c48a6b39226d4af6a9033a53b2086de709
Author: Stanislav Malyshev <stas@php.net> Tue, 24 May 2016 16:35:12 -0700
Parents: fe6af26e2ddda928851d7ebddcd418e8dbd6baba 9a826a3bd99315b7c4d4673acd3084c99eb04253
Branches: PHP-5.6 PHP-5.6.22

Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=544940c48a6b39226d4af6a9033a53b2086de709

Log:
Merge branch 'PHP-5.5' into PHP-5.6.22

* PHP-5.5:
   Fix memory leak in imagescale()
   Update NEWS
   Better fix for bug #72135
   Fixed bug #72227: imagescale out-of-bounds read
   Fix bug #72241: get_icu_value_internal out-of-bounds read
   Fix bug #72135 - don't create strings with lengths outside int range
   Add check for string overflow to all string add operations
   Fix bug #72114 - int/size_t confusion in fread
   Updated NEWS
   Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()

Conflicts:
  Zend/zend_operators.c
  ext/phar/dirstream.c
  ext/phar/tests/bug71331.phpt

Bugs:
https://bugs.php.net/72135
https://bugs.php.net/72227
https://bugs.php.net/72241
https://bugs.php.net/72114
https://bugs.php.net/71331

Changed paths:
   MM Zend/zend_operators.c
   MM ext/gd/libgd/gd_interpolation.c
   MM ext/standard/file.c
   MM ext/standard/html.c


Diff:
diff --cc Zend/zend_operators.c
index b8a8b5f,2f1394f..450153f
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@@ -1397,8 -1252,18 +1397,14 @@@ ZEND_API int shift_right_function(zval
   ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
   {
    int length = Z_STRLEN_P(op1) + 1;
- char *buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+ char *buf;
+
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
+
  - if (IS_INTERNED(Z_STRVAL_P(op1))) {
  - buf = (char *) emalloc(length + 1);
  - memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
  - } else {
  - buf = (char *) erealloc(Z_STRVAL_P(op1), length + 1);
  - }
++ buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
  +
    buf[length - 1] = (char) Z_LVAL_P(op2);
    buf[length] = 0;
    ZVAL_STRINGL(result, buf, length, 0);
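Review bot: In add_char_to_string the `length < 0` test runs only after `Z_STRLEN_P(op1) + 1` has been evaluated into a signed `int`, so the guard relies on the overflow wrapping to a negative value. Signed overflow is undefined in C, and an optimizing compiler is allowed to drop a check that can only be true after it. Compare the operand against INT_MAX before the addition, or compute the sum in a wider unsigned type and range-check it, so the guard does not depend on the overflow having already happened.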
@@@ -1410,8 -1275,17 +1416,14 @@@
   ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
   {
    int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
- char *buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+ char *buf;
+
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
  - if (IS_INTERNED(Z_STRVAL_P(op1))) {
  - buf = (char *) emalloc(length+1);
  - memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
  - } else {
  - buf = (char *) erealloc(Z_STRVAL_P(op1), length+1);
  - }
++
++ buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
  +
    memcpy(buf + Z_STRLEN_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
    buf[length] = 0;
    ZVAL_STRINGL(result, buf, length, 0);
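Review bot: In add_string_to_string the `length < 0` guard lets `length == INT_MAX` through, and the following `str_erealloc(Z_STRVAL_P(op1), length + 1)` then overflows in the `length + 1` argument. Reject the sum when it reaches INT_MAX rather than only when it has gone negative, for example by testing `Z_STRLEN_P(op2) >= INT_MAX - Z_STRLEN_P(op1)` before adding. The same boundary applies to add_char_to_string above, and a short comment stating the maximum string length each function accepts would document the intent.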

Posted to php-cvs (php.net) on May 25, '16 at 12:21a
