MFH

diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
index b1e54d5e34564eebc195f1c6d031285e7ee52d74..3a24111baa6d4ce26cac15290918ec7a2112ea5d 100644 (file)
--- a/ext/standard/var_unserializer.c
+++ b/ext/standard/var_unserializer.c
@@ -83,7 +83,7 @@ static int var_access(php_unserialize_data_t *var_hashx, int id, zval ***store)
 
        if (!var_hash) return !SUCCESS;
 
-       if (id >= var_hash->used_slots) return !SUCCESS;
+       if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
 
        *store = &var_hash->data[id];
 

diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
index 10eb47bed1aa4f4efce248d1bedc6d55a674fa01..1cf6ef5b5cf52c5307ba372026dfdaeebaf511d2 100644 (file)
--- a/ext/standard/var_unserializer.re
+++ b/ext/standard/var_unserializer.re
@@ -81,7 +81,7 @@ static int var_access(php_unserialize_data_t *var_hashx, int id, zval ***store)
 
        if (!var_hash) return !SUCCESS;
 
-       if (id >= var_hash->used_slots) return !SUCCESS;
+       if (id < 0 || id >= var_hash->used_slots) return !SUCCESS;
 
        *store = &var_hash->data[id];
 

diff --git a/main/safe_mode.c b/main/safe_mode.c
index 69bf5d35391801362b4d44e310ee9348556cd927..574c5d1b715c378a5678e980244648cbf2582d98 100644 (file)
--- a/main/safe_mode.c
+++ b/main/safe_mode.c
@@ -54,13 +54,15 @@ PHPAPI int php_checkuid_ex(const char *filename, char *fopen_mode, int mode, int
        php_stream_wrapper *wrapper = NULL;
        TSRMLS_FETCH();
 
-       strlcpy(filenamecopy, filename, MAXPATHLEN);
-       filename=(char *)&filenamecopy;
-
        if (!filename) {
                return 0; /* path must be provided */
        }
 
+       if (strlcpy(filenamecopy, filename, MAXPATHLEN)>=MAXPATHLEN) {
+               return 0;
+       }
+       filename=(char *)&filenamecopy;
+
        if (fopen_mode) {
                if (fopen_mode[0] == 'r') {
                        mode = CHECKUID_DISALLOW_FILE_NOT_EXISTS;