Fixed possible crash and/or memory corruption in import_request_variables()
authorIlia Alshanetsky <iliaa@php.net>
Thu, 29 Sep 2005 16:30:15 +0000 (16:30 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Thu, 29 Sep 2005 16:30:15 +0000 (16:30 +0000)
Fixed potential GLOBALS overwrite via import_request_variables().

ext/standard/basic_functions.c

index 28a9cf51a000a53b01959c72c995778518fdf794..738cd7c20358b0cd1ad91bac4080bf35b7805ec2 100644 (file)
@@ -3238,11 +3238,25 @@ static int copy_request_variable(void *pDest, int num_args, va_list args, zend_h
        prefix = va_arg(args, char *);
        prefix_len = va_arg(args, uint);
 
-       new_key_len = prefix_len + hash_key->nKeyLength;
-       new_key = (char *) emalloc(new_key_len);
+       if (!prefix_len) {
+               if (!hash_key->nKeyLength) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+                       return 0;
+               } else if (!strcmp(hash_key->u.string, "GLOBALS")) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+                       return 0; 
+               }
+       }
+
+       if (hash_key->nKeyLength) {
+               new_key_len = prefix_len + hash_key->nKeyLength;
+               new_key = (char *) emalloc(new_key_len);
 
-       memcpy(new_key, prefix, prefix_len);
-       memcpy(new_key+prefix_len, hash_key->u.string, hash_key->nKeyLength);
+               memcpy(new_key, prefix, prefix_len);
+               memcpy(new_key+prefix_len, hash_key->u.string, hash_key->nKeyLength);
+       } else {
+               new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+       }
 
        zend_delete_global_variable(new_key, new_key_len-1 TSRMLS_CC);
        ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);
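Review bot: In the new numeric-key branch, `new_key_len` is the return value of `spprintf()`, which excludes the terminating NUL, whereas the string-key branch builds it from `hash_key->nKeyLength`, which appears to include the terminator (the next line passes `new_key_len-1` as the name length). The two context lines after the branch therefore see a length that is one short for numeric keys: `zend_delete_global_variable()` would likely target a name missing its last digit, and `ZEND_SET_SYMBOL_WITH_LENGTH` would register the value under a key that normal variable lookup does not match. Making the lengths agree, e.g. `new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h) + 1;`, keeps both calls consistent across branches. A short comment on the `emalloc` line noting that the `+1` for the NUL comes from `nKeyLength` would also make this convention visible; `copy_request_variable` begins and ends outside this hunk, so the release of `new_key` could not be checked here.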