]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | combined (merge: fe6af26 9a826a3)
Merge branch 'PHP-5.5' into PHP-5.6.22
authorStanislav Malyshev <stas@php.net>
Tue, 24 May 2016 23:35:12 +0000 (16:35 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 24 May 2016 23:56:36 +0000 (16:56 -0700)
* PHP-5.5:
  Fix memory leak in imagescale()
  Update NEWS
  Better fix for bug #72135
  Fixed bug #72227: imagescale out-of-bounds read
  Fix bug #72241: get_icu_value_internal out-of-bounds read
  Fix bug #72135 - don't create strings with lengths outside int range
  Add check for string overflow to all string add operations
  Fix bug #72114 - int/size_t confusion in fread
  Updated NEWS
  Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()

Conflicts:
Zend/zend_operators.c
ext/phar/dirstream.c
ext/phar/tests/bug71331.phpt

1  2 
Zend/zend_operators.c patch | diff1 | diff2 | blob | history
ext/gd/libgd/gd_interpolation.c patch | diff1 | diff2 | blob | history
ext/standard/file.c patch | diff1 | diff2 | blob | history
ext/standard/html.c patch | diff1 | diff2 | blob | history

diff --cc Zend/zend_operators.c
index b8a8b5f2345d3c30fa89fb51c52d3c1ebf0374e0,2f1394f78ddac4eb3216216093ee7612aac31e30..450153ffecdacca2b97bfb99ed8e36bf9c329bbb
--- 1/Zend/zend_operators.c
--- 2/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@@ -1397,8 -1252,18 +1397,14 @@@ ZEND_API int shift_right_function(zval 
  ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
  {
        int length = Z_STRLEN_P(op1) + 1;
-       char *buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+       char *buf;
+       if (UNEXPECTED(length < 0)) {
+               zend_error(E_ERROR, "String size overflow");
+       }
 -      if (IS_INTERNED(Z_STRVAL_P(op1))) {
 -              buf = (char *) emalloc(length + 1);
 -              memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
 -      } else {
 -              buf = (char *) erealloc(Z_STRVAL_P(op1), length + 1);
 -      }
++      buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
 +
        buf[length - 1] = (char) Z_LVAL_P(op2);
        buf[length] = 0;
        ZVAL_STRINGL(result, buf, length, 0);
@@@ -1410,8 -1275,17 +1416,14 @@@
  ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
  {
        int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
-       char *buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+       char *buf;
+       if (UNEXPECTED(length < 0)) {
+               zend_error(E_ERROR, "String size overflow");
+       }
 -      if (IS_INTERNED(Z_STRVAL_P(op1))) {
 -              buf = (char *) emalloc(length+1);
 -              memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
 -      } else {
 -              buf = (char *) erealloc(Z_STRVAL_P(op1), length+1);
 -      }
++
++      buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
 +
        memcpy(buf + Z_STRLEN_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
        buf[length] = 0;
        ZVAL_STRINGL(result, buf, length, 0);
diff --cc ext/gd/libgd/gd_interpolation.c
Simple merge
diff --cc ext/standard/file.c
Simple merge
diff --cc ext/standard/html.c
Simple merge
Unnamed repository; edit this file 'description' to name the repository.