Fixed a possible memory corruption in pack(). Reported by Stefan Esser
authorDmitry Stogov <dmitry@php.net>
Wed, 12 May 2010 11:04:57 +0000 (11:04 +0000)
committerDmitry Stogov <dmitry@php.net>
Wed, 12 May 2010 11:04:57 +0000 (11:04 +0000)
NEWS
ext/standard/pack.c

diff --git a/NEWS b/NEWS
index 8d59a25d9bba4023bab665802a08de0c68b93056..933880840a6bd11d2ca5387874260ae83fe973f8 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,8 @@ PHP                                                                        NEWS
 - Fixed a possible memory corruption because of unexpected call-time pass by
   refernce and following memory clobbering through callbacks.
   Reported by Stefan Esser (Dmitry)
+- Fixed a possible memory corruption in pack(). Reported by Stefan Esser
+  (Dmitry)
 - Fixed a possible memory corruption in substr_replace(). Reported by Stefan    
   Esser (Dmitry)
 - Fixed a possible memory corruption in addcslashes(). Reported by Stefan    
index 32714795b3540ad5979ee30481c93142329070ef..f00549aa177603b33dbe7438c346561478dd007d 100644 (file)
@@ -121,6 +121,9 @@ PHP_FUNCTION(pack)
                return;
        }
 
+       if (Z_ISREF_PP(argv[0])) {
+               SEPARATE_ZVAL(argv[0]);
+       }
        convert_to_string_ex(argv[0]);
 
        format = Z_STRVAL_PP(argv[0]);
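Review bot: The new guard before `convert_to_string_ex(argv[0])` carries no comment, so a reader cannot tell why a reference argument must be detached at this point. The line after it caches `format = Z_STRVAL_PP(argv[0])`, and that pointer is presumably still in use while later arguments are converted, which (judging by the neighbouring NEWS entry about callbacks) may run user code; I would add `/* detach from the caller's variable: later conversions may run user code and format must stay valid */`. The identical three-line guard recurs in the hunks at +182, +318 and +334, so a file-local helper such as `#define PACK_SEPARATE_REF(ppzv) do { if (Z_ISREF_PP(ppzv)) { SEPARATE_ZVAL(ppzv); } } while (0)` would keep the four sites from drifting apart. PHP_FUNCTION(pack) starts and ends outside this hunk.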
@@ -179,6 +182,9 @@ PHP_FUNCTION(pack)
                                }
 
                                if (arg < 0) {
+                                       if (Z_ISREF_PP(argv[currentarg])) {
+                                               SEPARATE_ZVAL(argv[currentarg]);
+                                       }
                                        convert_to_string_ex(argv[currentarg]);
                                        arg = Z_STRLEN_PP(argv[currentarg]);
                                }
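Review bot: The guard sits inside `if (arg < 0)`, so at this point only arguments whose length is taken from the argument itself (`arg = Z_STRLEN_PP(argv[currentarg])`) are detached. Arguments with an explicit count appear to be converted for the first time at the sites patched in the hunks at +318 and +334. That split is safe only while the length stored in `arg` here and the bytes copied later come from the same string, which deserves a comment above the guard: `/* length is measured now and the bytes are copied later, so the string must not be shared with the caller */`. The enclosing block starts outside the hunk.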
@@ -312,6 +318,9 @@ PHP_FUNCTION(pack)
                        case 'A': 
                                memset(&output[outputpos], (code == 'a') ? '\0' : ' ', arg);
                                val = argv[currentarg++];
+                               if (Z_ISREF_PP(val)) {
+                                       SEPARATE_ZVAL(val);
+                               }
                                convert_to_string_ex(val);
                                memcpy(&output[outputpos], Z_STRVAL_PP(val),
                                           (Z_STRLEN_PP(val) < arg) ? Z_STRLEN_PP(val) : arg);
@@ -325,6 +334,9 @@ PHP_FUNCTION(pack)
                                char *v;
 
                                val = argv[currentarg++];
+                               if (Z_ISREF_PP(val)) {
+                                       SEPARATE_ZVAL(val);
+                               }
                                convert_to_string_ex(val);
                                v = Z_STRVAL_PP(val);
                                outputpos--;
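Review bot: Nothing in the commit exercises the new guards: the file list shows only NEWS and ext/standard/pack.c, so a later refactor of this branch could drop `SEPARATE_ZVAL(val)` unnoticed. A .phpt regression test that passes pack() a by-reference argument and checks that the caller's variable keeps its type and value after the call would pin the behaviour for this site and the one at +318. The block this hunk belongs to continues outside the hunk.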