mirror of
https://github.com/php/php-src.git
synced 2025-08-16 14:08:47 +02:00
Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: More string length checks & fixes
This commit is contained in:
Stanislav Malyshev
commit
6e12e49b5b
7 changed files with 20 additions and 8 deletions
|
|
@ -3950,7 +3950,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
|
||||||
#define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
|
#define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
|
||||||
#define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
|
#define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
|
||||||
|
|
||||||
bufferHeader = (char *)emalloc(bufferLen + 1);
|
bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
|
||||||
memset(bufferHeader, 0, bufferLen);
|
memset(bufferHeader, 0, bufferLen);
|
||||||
if (to && *to) {
|
if (to && *to) {
|
||||||
strlcat(bufferHeader, "To: ", bufferLen + 1);
|
strlcat(bufferHeader, "To: ", bufferLen + 1);
|
||||||
|
|
|
||||||
|
|
@ -53,7 +53,7 @@ void intl_convert_utf8_to_utf16(
|
||||||
UErrorCode* status )
|
UErrorCode* status )
|
||||||
{
|
{
|
||||||
UChar* dst_buf = NULL;
|
UChar* dst_buf = NULL;
|
||||||
int32_t dst_len = 0;
|
uint32_t dst_len = 0;
|
||||||
|
|
||||||
/* If *target is NULL determine required destination buffer size (pre-flighting).
|
/* If *target is NULL determine required destination buffer size (pre-flighting).
|
||||||
* Otherwise, attempt to convert source string; if *target buffer is not large enough
|
* Otherwise, attempt to convert source string; if *target buffer is not large enough
|
||||||
|
|
|
||||||
|
|
@ -268,6 +268,9 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam
|
||||||
int32_t buflen = 512;
|
int32_t buflen = 512;
|
||||||
UErrorCode status = U_ZERO_ERROR;
|
UErrorCode status = U_ZERO_ERROR;
|
||||||
|
|
||||||
|
if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
|
||||||
|
return NULL;
|
||||||
|
}
|
||||||
|
|
||||||
if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
|
if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
|
||||||
/* Handle grandfathered languages */
|
/* Handle grandfathered languages */
|
||||||
|
|
@ -713,6 +716,8 @@ PHP_FUNCTION( locale_get_keywords )
|
||||||
RETURN_FALSE;
|
RETURN_FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
|
||||||
|
|
||||||
if(loc_name_len == 0) {
|
if(loc_name_len == 0) {
|
||||||
loc_name = intl_locale_get_default();
|
loc_name = intl_locale_get_default();
|
||||||
}
|
}
|
||||||
|
|
@ -1120,6 +1125,8 @@ PHP_FUNCTION(locale_parse)
|
||||||
RETURN_FALSE;
|
RETURN_FALSE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
|
||||||
|
|
||||||
if(loc_name_len == 0) {
|
if(loc_name_len == 0) {
|
||||||
loc_name = intl_locale_get_default();
|
loc_name = intl_locale_get_default();
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -83,7 +83,7 @@ msgformat_data* msgformat_data_create( void )
|
||||||
int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
|
int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
|
||||||
{
|
{
|
||||||
if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
|
if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
|
||||||
UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
|
UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
|
||||||
uint32_t npattern_len;
|
uint32_t npattern_len;
|
||||||
npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
|
npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
|
||||||
efree(*spattern);
|
efree(*spattern);
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,7 @@ static const char rcsid[] = "#(@) $Id$";
|
||||||
/* ENCODE -- Encode binary file into base64. */
|
/* ENCODE -- Encode binary file into base64. */
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <ctype.h>
|
#include <ctype.h>
|
||||||
|
#include <limits.h>
|
||||||
|
|
||||||
#include "base64.h"
|
#include "base64.h"
|
||||||
|
|
||||||
|
|
@ -31,6 +32,9 @@ void buffer_new(struct buffer_st *b)
|
||||||
|
|
||||||
void buffer_add(struct buffer_st *b, char c)
|
void buffer_add(struct buffer_st *b, char c)
|
||||||
{
|
{
|
||||||
|
if ((INT_MAX - b->length) <= 512) {
|
||||||
|
return;
|
||||||
|
}
|
||||||
*(b->ptr++) = c;
|
*(b->ptr++) = c;
|
||||||
b->offset++;
|
b->offset++;
|
||||||
if (b->offset == b->length) {
|
if (b->offset == b->length) {
|
||||||
|
|
@ -79,7 +83,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
|
||||||
for (n = 0; n < 3; n++) {
|
for (n = 0; n < 3; n++) {
|
||||||
c = *(source++);
|
c = *(source++);
|
||||||
offset++;
|
offset++;
|
||||||
if (offset > length) {
|
if (offset > length || offset <= 0) {
|
||||||
hiteof = 1;
|
hiteof = 1;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -80,6 +80,7 @@ static const char rcsid[] = "#(@) $Id$";
|
||||||
|
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
#include <limits.h>
|
||||||
#include "simplestring.h"
|
#include "simplestring.h"
|
||||||
|
|
||||||
#define my_free(thing) if(thing) {free(thing); thing = 0;}
|
#define my_free(thing) if(thing) {free(thing); thing = 0;}
|
||||||
|
|
@ -200,7 +201,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)
|
||||||
simplestring_init_str(target);
|
simplestring_init_str(target);
|
||||||
}
|
}
|
||||||
|
|
||||||
if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
|
if((INT_MAX - add_len) < target->len || (INT_MAX - add_len - 1) < target->len) {
|
||||||
/* check for overflows, if there's a potential overflow do nothing */
|
/* check for overflows, if there's a potential overflow do nothing */
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
|
||||||
|
|
@ -1590,7 +1590,7 @@ static ZIPARCHIVE_METHOD(addEmptyDir)
|
||||||
}
|
}
|
||||||
|
|
||||||
if (dirname[dirname_len-1] != '/') {
|
if (dirname[dirname_len-1] != '/') {
|
||||||
s=(char *)emalloc(dirname_len+2);
|
s=(char *)safe_emalloc(dirname_len, 1, 2);
|
||||||
strcpy(s, dirname);
|
strcpy(s, dirname);
|
||||||
s[dirname_len] = '/';
|
s[dirname_len] = '/';
|
||||||
s[dirname_len+1] = '\0';
|
s[dirname_len+1] = '\0';
|
||||||
|
|
@ -1805,14 +1805,14 @@ static ZIPARCHIVE_METHOD(addFromString)
|
||||||
|
|
||||||
ze_obj = Z_ZIP_P(self);
|
ze_obj = Z_ZIP_P(self);
|
||||||
if (ze_obj->buffers_cnt) {
|
if (ze_obj->buffers_cnt) {
|
||||||
ze_obj->buffers = (char **)erealloc(ze_obj->buffers, sizeof(char *) * (ze_obj->buffers_cnt+1));
|
ze_obj->buffers = (char **)safe_erealloc(ze_obj->buffers, sizeof(char *), (ze_obj->buffers_cnt+1), 0);
|
||||||
pos = ze_obj->buffers_cnt++;
|
pos = ze_obj->buffers_cnt++;
|
||||||
} else {
|
} else {
|
||||||
ze_obj->buffers = (char **)emalloc(sizeof(char *));
|
ze_obj->buffers = (char **)emalloc(sizeof(char *));
|
||||||
ze_obj->buffers_cnt++;
|
ze_obj->buffers_cnt++;
|
||||||
pos = 0;
|
pos = 0;
|
||||||
}
|
}
|
||||||
ze_obj->buffers[pos] = (char *)emalloc(ZSTR_LEN(buffer) + 1);
|
ze_obj->buffers[pos] = (char *)safe_emalloc(ZSTR_LEN(buffer), 1, 1);
|
||||||
memcpy(ze_obj->buffers[pos], ZSTR_VAL(buffer), ZSTR_LEN(buffer) + 1);
|
memcpy(ze_obj->buffers[pos], ZSTR_VAL(buffer), ZSTR_LEN(buffer) + 1);
|
||||||
|
|
||||||
zs = zip_source_buffer(intern, ze_obj->buffers[pos], ZSTR_LEN(buffer), 0);
|
zs = zip_source_buffer(intern, ze_obj->buffers[pos], ZSTR_LEN(buffer), 0);
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue