Allocation safety checks

diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index 2f3f3219a7b0946f032195deca6a23fa0d573599..08a99485627b0201e068733eee7d64480192ff0c 100644 (file)
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@@ -2102,7 +2102,7 @@ static void php_pgsql_fetch_hash(INTERNAL_FUNCTION_PARAMETERS, long result_type,
                                        Bucket *p;
        
                                        fci.param_count = 0;
-                                       fci.params = emalloc(sizeof(zval*) * ht->nNumOfElements);
+                                       fci.params = safe_emalloc(sizeof(zval*), ht->nNumOfElements, 0);
                                        p = ht->pListHead;
                                        while (p != NULL) {
                                                fci.params[fci.param_count++] = (zval**)p->pData;

diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 0f0b281c25de32bcb42e0165a68806a2e0d1a232..5b6acdcae30324ea0b5feb0bfb8a9192869eba70 100644 (file)
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -974,7 +974,7 @@ static xmlNodePtr to_xml_double(encodeTypePtr type, zval *data, int style, xmlNo
                convert_to_double(&tmp);
        }
        
-       str = (char *) emalloc(MAX_LENGTH_OF_DOUBLE + EG(precision) + 1);
+       str = (char *) safe_emalloc(EG(precision), 1, MAX_LENGTH_OF_DOUBLE + 1);
        php_gcvt(Z_DVAL(tmp), EG(precision), '.', 'E', str);
        xmlNodeSetContentLen(ret, BAD_CAST(str), strlen(str));
        efree(str);

diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index ff8548a821615819b16e804abb3d8e74bfb31955..e07360a498f38e048a075455b43e7cc88a7492b7 100755 (executable)
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -1367,7 +1367,7 @@ static int spl_filesystem_file_read(spl_filesystem_object *intern, int silent TS
        }
 
        if (intern->u.file.max_line_len > 0) {
-               buf = emalloc((intern->u.file.max_line_len + 1) * sizeof(char));
+               buf = safe_emalloc((intern->u.file.max_line_len + 1), sizeof(char), 0);
                if (php_stream_get_line(intern->u.file.stream, buf, intern->u.file.max_line_len, &line_len) == NULL) {
                        efree(buf);
                        buf = NULL;

diff --git a/ext/standard/math.c b/ext/standard/math.c
index 79a16938680a25597dd94850d73374d82bedae97..0ee6f4ff99a770b076c7ba29906c144450907627 100644 (file)
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -976,7 +976,7 @@ PHPAPI char *_php_math_number_format(double d, int dec, char dec_point, char tho
        dec = MAX(0, dec);
        PHP_ROUND_WITH_FUZZ(d, dec);
 
-       tmplen = spprintf(&tmpbuf, 0, "%.*f", dec, d);
+       tmplen = spprintf(&tmpbuf, 0, "%.*F", dec, d);
 
        if (tmpbuf == NULL || !isdigit((int)tmpbuf[0])) {
                return tmpbuf;

diff --git a/main/main.c b/main/main.c
index e56d70940e92be2e1530f736f382745562c810b3..8e6cd90fe85767bb0228ffcbe803a8ded4f5789d 100644 (file)
--- a/main/main.c
+++ b/main/main.c
@@ -100,8 +100,13 @@ PHPAPI int core_globals_id;
  */
 static PHP_INI_MH(OnSetPrecision)
 {
-       EG(precision) = atoi(new_value);
-       return SUCCESS;
+       int i = atoi(new_value);
+       if (i >= 0) {
+               EG(precision) = i;
+               return SUCCESS;
+       } else {
+               return FAILURE;
+       }
 }
 /* }}} */