- Prevent memory corruption

2025-08-20 01:14:28 +02:00 · 2007-01-27 21:23:02 +00:00 · 2007-01-27 21:23:02 +00:00 · d5bbd84d76
commit d5bbd84d76
parent c26e5edbeb
2 changed files with 18 additions and 16 deletions
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@ -259,11 +259,12 @@ static int phar_get_entry_data(phar_entry_data **ret, char *fname, int fname_len
 		return FAILURE;
 	}
 	*ret = NULL;
-	*error = (char *) emalloc(200 + fname_len);
+	if (error) {
-	**error = '\0';
+		*error = NULL;
 	}
 	if (for_write && PHAR_G(readonly)) {
 		if (error) {
-			sprintf(*error, "phar error: file \"%s\" cannot opened for writing, disabled by ini setting", fname);
+			spprintf(error, 0, "phar error: file \"%s\" cannot opened for writing, disabled by ini setting", fname);
 		}
 		return FAILURE;
 	}
@ -271,13 +272,13 @@ static int phar_get_entry_data(phar_entry_data **ret, char *fname, int fname_len
 		if ((entry = phar_get_entry_info(phar, path, path_len TSRMLS_CC)) != NULL) {
 			if (entry->is_modified && !for_write) {
 				if (error) {
-					sprintf(*error, "phar error: file \"%s\" cannot opened for reading, writable file pointers are open", fname);
+					spprintf(error, 0, "phar error: file \"%s\" cannot opened for reading, writable file pointers are open", fname);
 				}
 				return FAILURE;
 			}
 			if (entry->fp_refcount && for_write) {
 				if (error) {
-					sprintf(*error, "phar error: file \"%s\" cannot opened for writing, readable file pointers are open", fname);
+					spprintf(error, 0, "phar error: file \"%s\" cannot opened for writing, readable file pointers are open", fname);
 				}
 				return FAILURE;
 			}
@ -294,7 +295,6 @@ static int phar_get_entry_data(phar_entry_data **ret, char *fname, int fname_len
 			if (entry->fp) {
 				/* make a copy */
 				if (for_trunc) {
 					php_stream_truncate_set_size(entry->fp, 0);
 					entry->is_modified = 1;
 					phar->is_modified = 1;
 					/* reset file size */
@ -1299,10 +1299,10 @@ static php_stream * phar_wrapper_open_url(php_stream_wrapper *wrapper, char *pat
 	internal_file = estrdup(resource->path + 1);
 	if (mode[0] == 'w' || (mode[0] == 'r' && mode[1] == '+')) {
 		if (NULL == (idata = phar_get_or_create_entry_data(resource->host, strlen(resource->host), internal_file, strlen(internal_file), mode, &error TSRMLS_CC))) {
-			if (error[0]) {
+			if (error) {
 				php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, error);
 				efree(error);
 			}
 			efree(error);
 			php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "phar error: file \"%s\" could not be created in phar \"%s\"", internal_file, resource->host);
 			efree(internal_file);
 			php_url_free(resource);
@ -1326,17 +1326,15 @@ static php_stream * phar_wrapper_open_url(php_stream_wrapper *wrapper, char *pat
 		return fpf;
 	} else {
 		if ((FAILURE == phar_get_entry_data(&idata, resource->host, strlen(resource->host), internal_file, strlen(internal_file), "r", &error TSRMLS_CC)) || !idata) {
-			if (error[0]) {
+			if (error) {
 				php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, error);
 				efree(error);
 			}
 			efree(error);
 			php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "phar error: \"%s\" is not a file in phar \"%s\"", internal_file, resource->host);
 			efree(internal_file);
 			php_url_free(resource);
 			return NULL;
 		}
 		/* alloced in get_entry_data */
 		efree(error);
 	}
 	php_url_free(resource);
@ -2467,10 +2465,10 @@ static int phar_wrapper_unlink(php_stream_wrapper *wrapper, char *url, int optio
 	internal_file = estrdup(resource->path + 1);
 	if (FAILURE == phar_get_entry_data(&idata, resource->host, strlen(resource->host), internal_file, strlen(internal_file), "r", &error TSRMLS_CC)) {
 		/* constraints of fp refcount were not met */
-		if (error[0]) {
+		if (error) {
 			php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, error);
 			efree(error);
 		}
 		efree(error);
 		efree(internal_file);
 		php_url_free(resource);
 		return FAILURE;
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@ -493,8 +493,12 @@ PHP_METHOD(Phar, offsetSet)
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Entry %s could not be written to", fname);
 	}
 	if (!(data = phar_get_or_create_entry_data(phar_obj->arc.archive->fname, phar_obj->arc.archive->fname_len, fname, fname_len, "w+b", &error TSRMLS_CC))) {
-		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Entry %s does not exist and cannot be created: %s", fname, error);
+		if (error) {
-		efree(error);
+			zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Entry %s does not exist and cannot be created: %s", fname, error);
 			efree(error);
 		} else {
 			zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "Entry %s does not exist and cannot be created", fname);
 		}
 	} else {
 		efree(error);
 		if (Z_TYPE_P(contents) == IS_STRING) {