MFB: Fixed 2 memory corruptions in zip extension identified by
authorIlia Alshanetsky <iliaa@php.net>
Sun, 1 Mar 2009 17:35:25 +0000 (17:35 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Sun, 1 Mar 2009 17:35:25 +0000 (17:35 +0000)
oo_properties.phpt test

NEWS
ext/zip/php_zip.c

diff --git a/NEWS b/NEWS
index d66b7d710b5aff1d364084ddf58a85b75d70a83f..eeb3fddd7979f03d39ef4c965a9fa7c5a4c4511d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2009, PHP 5.2.10
+- Fixed memory corruptions while reading properties of zip files. (Ilia)
 
 26 Feb 2009, PHP 5.2.9
 - Changed __call() to be invoked on private/protected method access, similar to
index 5dfa5427547e2ef0cb2169fdcaf78914687cac44..632d0afe9a94236321398e0bbc1c8e8abcc39860 100644 (file)
@@ -806,6 +806,7 @@ static int php_zip_property_reader(ze_zip_object *obj, zip_prop_handler *hnd, zv
                        } else {
                                if (hnd->read_const_char_from_obj_func) {
                                        retchar = hnd->read_const_char_from_obj_func(obj TSRMLS_CC);
+                                       len = strlen(retchar);
                                }
                        }
                }
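Review bot: The added `len = strlen(retchar);` dereferences `retchar` with no NULL check, while the `IS_STRING` case in the next hunk still tests `if (retchar)`, which suggests the callback may return NULL. `strlen(NULL)` is undefined behaviour and would typically crash before the empty-string fallback is reached. Guarding the call keeps that fallback reachable: `len = retchar ? strlen(retchar) : 0;`. If `len` is an `int` (its declaration is outside the hunk), the `size_t` result is also narrowed silently, so an explicit cast or range check would be worth adding. The body of php_zip_property_reader starts and ends outside the hunk.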
@@ -818,7 +819,7 @@ static int php_zip_property_reader(ze_zip_object *obj, zip_prop_handler *hnd, zv
        switch (hnd->type) {
                case IS_STRING:
                        if (retchar) {
-                               ZVAL_STRING(*retval, (char *) retchar, 1);
+                               ZVAL_STRINGL(*retval, (char *) retchar, len, 1);
                        } else {
                                ZVAL_EMPTY_STRING(*retval);
                        }
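Review bot: `ZVAL_STRINGL(*retval, (char *) retchar, len, 1)` copies exactly `len` bytes, so this line is only as safe as the value of `len` on every path that leaves `retchar` non-NULL. The only assignment visible on this page is the `strlen` added in the previous hunk; the other branch that sets `retchar` is outside the visible lines. It is worth confirming that branch always writes `len`, and initializing `len` to 0 at its declaration so a missed path yields an empty copy rather than an over-read. A one-line comment here such as `/* len is set by whichever reader produced retchar */` would record that dependency.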
@@ -941,10 +942,11 @@ static int php_zip_has_property(zval *object, zval *member, int type TSRMLS_DC)
 
        if (ret == SUCCESS) {
                zval *tmp;
+               ALLOC_INIT_ZVAL(tmp);
 
                if (type == 2) {
                        retval = 1;
-               } else if (php_zip_property_reader(obj, hnd, &tmp, 1 TSRMLS_CC) == SUCCESS) {
+               } else if (php_zip_property_reader(obj, hnd, &tmp, 0 TSRMLS_CC) == SUCCESS) {
                        Z_SET_REFCOUNT_P(tmp, 1);
                        Z_UNSET_ISREF_P(tmp);
                        if (type == 1) {
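Review bot: Ownership of `tmp` now spans two hunks and nothing in the code explains it. It is allocated up front with `ALLOC_INIT_ZVAL(tmp)`, filled by the reader called with `0` as its fourth argument (presumably "do not allocate"; the parameter name is not visible here), and released once after the `if` chain in the following hunk. A short comment above the allocation would guard against a later edit reintroducing a double allocation or a free of an uninitialised pointer, e.g. `/* tmp is owned here: the reader fills it in place (4th arg 0); freed once after the if chain */`. The `type == 2` branch never touches `tmp`, so it pays for an allocation and a free it does not need. The body of php_zip_has_property starts outside the hunk.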
@@ -952,8 +954,9 @@ static int php_zip_has_property(zval *object, zval *member, int type TSRMLS_DC)
                        } else if (type == 0) {
                                retval = (Z_TYPE_P(tmp) != IS_NULL);
                        }
-                       zval_ptr_dtor(&tmp);
                }
+
+               zval_ptr_dtor(&tmp);
        } else {
                std_hnd = zend_get_std_object_handlers();
                retval = std_hnd->has_property(object, member, type TSRMLS_CC);