Fixed overflow on 64bit systems in str_repeat() and wordwrap().

Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are
enabled.

# Patches by Stefan E.

diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index dc1efe802119e66e6ae3b2b4442c8a3707d53783..888a822e66d2d15630c0dc3df57925464121c731 100644 (file)
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1168,7 +1168,6 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
                case CURLOPT_FTPLISTONLY:
                case CURLOPT_FTPAPPEND:
                case CURLOPT_NETRC:
-               case CURLOPT_FOLLOWLOCATION:
                case CURLOPT_PUT:
 #if CURLOPT_MUTE != 0
                 case CURLOPT_MUTE:
@@ -1219,6 +1218,16 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
                        convert_to_long_ex(zvalue);
                        error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
                        break;
+               case CURLOPT_FOLLOWLOCATION:
+                       convert_to_long_ex(zvalue);
+                       if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+                               if (Z_LVAL_PP(zvalue) != 0) {
+                                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "CURLOPT_FOLLOWLOCATION cannot be activated when in safe_mode or an open_basedir is set");
+                                       RETURN_FALSE;
+                               }
+                       }
+                       error = curl_easy_setopt(ch->cp, option, Z_LVAL_PP(zvalue));
+                       break;
                case CURLOPT_URL:
                case CURLOPT_PROXY:
                case CURLOPT_USERPWD:

diff --git a/ext/curl/streams.c b/ext/curl/streams.c
index f4600c00a7c7955c2e1bb8fa6fb1607a0b35e2d4..a1758787da5a948c30e395295fd7e1f9248bcf62 100644 (file)
--- a/ext/curl/streams.c
+++ b/ext/curl/streams.c
@@ -349,11 +349,19 @@ php_stream *php_curl_stream_opener(php_stream_wrapper *wrapper, char *filename,
                                }
                        }
                        if (mr > 1) {
-                               curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1L);
+                               if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+                                       curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+                               } else {
+                                       curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+                               }
                                curl_easy_setopt(curlstream->curl, CURLOPT_MAXREDIRS, mr);
                        }
                } else {
-                       curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1L);
+                       if ((PG(open_basedir) && *PG(open_basedir)) || PG(safe_mode)) {
+                               curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 1);
+                       } else {
+                               curl_easy_setopt(curlstream->curl, CURLOPT_FOLLOWLOCATION, 0);
+                       }
                        curl_easy_setopt(curlstream->curl, CURLOPT_MAXREDIRS, 20L);
                }
        }

diff --git a/ext/standard/string.c b/ext/standard/string.c
index 06a4c88eb2a4a2dee2cbd682e5b0e0421c80d28b..733b6ca5ccddf7ca8d154a6712a7e1912411bdde 100644 (file)
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -634,7 +634,8 @@ PHP_FUNCTION(wordwrap)
 {
        const char *text, *breakchar = "\n";
        char *newtext;
-       int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+       int textlen, breakcharlen = 1, newtextlen, chk;
+       size_t alloced;
        long current = 0, laststart = 0, lastspace = 0;
        long linelength = 75;
        zend_bool docut = 0;
@@ -4265,7 +4266,7 @@ PHP_FUNCTION(str_repeat)
        zval            **input_str;            /* Input string */
        zval            **mult;                 /* Multiplier */
        char            *result;                /* Resulting string */
-       int             result_len;             /* Length of the resulting string */
+       size_t          result_len;             /* Length of the resulting string */
        
        if (ZEND_NUM_ARGS() != 2 || zend_get_parameters_ex(2, &input_str, &mult) == FAILURE) {
                WRONG_PARAM_COUNT;
@@ -4290,11 +4291,7 @@ PHP_FUNCTION(str_repeat)
        
        /* Initialize the result string */      
        result_len = Z_STRLEN_PP(input_str) * Z_LVAL_PP(mult);
-       if (result_len < 1 || result_len > 2147483647) {
-               php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may not create strings longer than 2147483647 bytes");
-               RETURN_FALSE;
-       }
-       result = (char *)emalloc(result_len + 1);
+       result = (char *)safe_emalloc(Z_STRLEN_PP(input_str), Z_LVAL_PP(mult), 1);
        
        /* Heavy optimization for situations where input string is 1 byte long */
        if (Z_STRLEN_PP(input_str) == 1) {