Fix various instances of memcpy null ub
authorNikita Popov <nikita.ppv@gmail.com>
Wed, 19 Jun 2019 14:53:42 +0000 (16:53 +0200)
committerNikita Popov <nikita.ppv@gmail.com>
Wed, 19 Jun 2019 15:27:09 +0000 (17:27 +0200)
ext/intl/converter/converter.c
ext/soap/php_sdl.c
ext/spl/spl_directory.c
ext/tidy/tidy.c

index 992a1bade7351524aa0a290a29539271205e4250..7b4109749e1666de37d76df0773b781252bee67f 100644 (file)
@@ -231,8 +231,16 @@ static void php_converter_to_u_callback(const void *context,
        zval zargs[4];
 
        ZVAL_LONG(&zargs[0], reason);
-       ZVAL_STRINGL(&zargs[1], args->source, args->sourceLimit - args->source);
-       ZVAL_STRINGL(&zargs[2], codeUnits, length);
+       if (args->source) {
+               ZVAL_STRINGL(&zargs[1], args->source, args->sourceLimit - args->source);
+       } else {
+               ZVAL_EMPTY_STRING(&zargs[1]);
+       }
+       if (codeUnits) {
+               ZVAL_STRINGL(&zargs[2], codeUnits, length);
+       } else {
+               ZVAL_EMPTY_STRING(&zargs[2]);
+       }
        ZVAL_LONG(&zargs[3], *pErrorCode);
 
        objval->to_cb.param_count    = 4;
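Review bot: The two new NULL guards in php_converter_to_u_callback have no comment explaining why an empty string is substituted, and the reason is not obvious from the code: the string constructor copies from the pointer, and passing NULL to memcpy() is undefined even for a length of 0. A one-line comment above the first guard, such as `/* source/codeUnits may be NULL with a zero length; copying from NULL is UB */`, would stop a later cleanup from folding the branches back into the unconditional calls. The guards test only the pointer, so a NULL `codeUnits` with a non-zero `length` would silently become an empty string; if that combination cannot occur, `ZEND_ASSERT(codeUnits || length == 0);` would state the assumption. The function body starts and ends outside the hunk.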
index d9fea6d3b20ca7e246cc8e5c2f9613c9b7ac19ba..de4bf5c328625cc0b156847efb90fb825ba82912 100644 (file)
@@ -116,7 +116,9 @@ encodePtr get_encoder(sdlPtr sdl, const char *ns, const char *type)
        int len = ns_len + type_len + 1;
 
        nscat = emalloc(len + 1);
-       memcpy(nscat, ns, ns_len);
+       if (ns) {
+               memcpy(nscat, ns, ns_len);
+       }
        nscat[ns_len] = ':';
        memcpy(nscat+ns_len+1, type, type_len);
        nscat[len] = '\0';
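Review bot: The new `if (ns)` guard in get_encoder skips the copy, but the next lines still write the ':' and the type at offsets derived from `ns_len`, so the key is only well formed if `ns_len` is 0 whenever `ns` is NULL. `ns_len` is computed above the hunk, so this cannot be confirmed here; testing the length instead, `if (ns_len) {`, would tie the skip to the value that sizes the buffer rather than to the pointer. The second memcpy() from `type` has no equivalent guard, which presumably relies on `type` never being NULL. Separately, `len` is an `int` sum of two string lengths that feeds `emalloc(len + 1)`; if these strings can come from an untrusted service description, doing the size arithmetic in `size_t` with an overflow check would be safer.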
index 676f107c3515dff4c880cf2f33ff7ddde10fe592..1fdaacb588e3764df78e5024051deaa0086e5983 100644 (file)
@@ -619,7 +619,7 @@ static HashTable *spl_filesystem_object_get_debug_info(zval *object, int *is_tem
 
        pnstr = spl_gen_private_prop_name(spl_ce_SplFileInfo, "pathName", sizeof("pathName")-1);
        path = spl_filesystem_object_get_pathname(intern, &path_len);
-       ZVAL_STRINGL(&tmp, path, path_len);
+       ZVAL_STRINGL(&tmp, path ? path : "", path_len);
        zend_symtable_update(rv, pnstr, &tmp);
        zend_string_release_ex(pnstr, 0);
 
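Review bot: In the changed ZVAL_STRINGL call, substituting `""` for a NULL `path` is safe only when `path_len` is 0; with a non-zero length the copy would read past the one-byte literal. Whether spl_filesystem_object_get_pathname() always sets the length to 0 when it returns NULL is not visible in this hunk. Clamping the length as well, `ZVAL_STRINGL(&tmp, path ? path : "", path ? path_len : 0);`, removes that dependency, as would the explicit `if (path) … else ZVAL_EMPTY_STRING(&tmp);` form that the getPath hunk in the same file uses with RETURN_EMPTY_STRING(). The enclosing function starts and ends outside the hunk.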
@@ -891,7 +891,11 @@ SPL_METHOD(SplFileInfo, getPath)
        }
 
        path = spl_filesystem_object_get_path(intern, &path_len);
-       RETURN_STRINGL(path, path_len);
+       if (path) {
+               RETURN_STRINGL(path, path_len);
+       } else {
+               RETURN_EMPTY_STRING();
+       }
 }
 /* }}} */
 
index ee7defeac4a5c3edf0cda6b2c0050c4d1c149a7a..295ca8d8f000c3c3c9a2251a8a346de47087f08c 100644 (file)
@@ -783,7 +783,11 @@ static int tidy_doc_cast_handler(zval *in, zval *out, int type)
                        obj = Z_TIDY_P(in);
                        tidyBufInit(&output);
                        tidySaveBuffer (obj->ptdoc->doc, &output);
-                       ZVAL_STRINGL(out, (char *) output.bp, output.size ? output.size-1 : 0);
+                       if (output.size) {
+                               ZVAL_STRINGL(out, (char *) output.bp, output.size-1);
+                       } else {
+                               ZVAL_EMPTY_STRING(out);
+                       }
                        tidyBufFree(&output);
                        break;