Simplify code and eliminate strcat() usage

diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c
index 5862a42e03271e7f256d073feaaafc62aa7c3d8f..ae145267f23299079ee2ee51e57dc3c9adcfc130 100644 (file)
--- a/ext/standard/proc_open.c
+++ b/ext/standard/proc_open.c
@@ -248,7 +248,7 @@ static void proc_open_rsrc_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 /* {{{ php_make_safe_mode_command */
 static int php_make_safe_mode_command(char *cmd, char **safecmd, int is_persistent TSRMLS_DC)
 {
-       int lcmd, larg0, ldir, len, overflow_limit;
+       int lcmd, larg0;
        char *space, *sep, *arg0;
 
        if (!PG(safe_mode)) {
@@ -257,42 +257,27 @@ static int php_make_safe_mode_command(char *cmd, char **safecmd, int is_persiste
        }
 
        lcmd = strlen(cmd);
-       ldir = strlen(PG(safe_mode_exec_dir));
-       len = lcmd + ldir + 2;
-       overflow_limit = len;
 
-       arg0 = emalloc(len);
-       
-       strcpy(arg0, cmd);
-       
-       space = strchr(arg0, ' ');
+       arg0 = estrndup(cmd, lcmd);
+
+       space = memchr(arg0, ' ', lcmd);
        if (space) {
                *space = '\0';
+               larg0 = space - arg0;
+       } else {
+               larg0 = lcmd;
        }
-       larg0 = strlen(arg0);
 
-       if (strstr(arg0, "..")) {
+       if (php_memnstr(arg0, "..", sizeof("..")-1, arg0 + larg0)) {
                php_error_docref(NULL TSRMLS_CC, E_WARNING, "No '..' components allowed in path");
                efree(arg0);
                return FAILURE;
        }
 
-       *safecmd = emalloc(len);
-       strcpy(*safecmd, PG(safe_mode_exec_dir));
-       overflow_limit -= ldir;
-       
-       sep = strrchr(arg0, PHP_DIR_SEPARATOR);
-       if (sep) {
-               strcat(*safecmd, sep);
-               overflow_limit -= strlen(sep);
-       } else {
-               strcat(*safecmd, "/");
-               strcat(*safecmd, arg0);
-               overflow_limit -= larg0 + 1;
-       }
-       if (space) {
-               strncat(*safecmd, cmd + larg0, overflow_limit);
-       }
+       sep = zend_memrchr(arg0, PHP_DIR_SEPARATOR, larg0);
+
+       spprintf(safecmd, 0, "%s%c%s%s", PG(safe_mode_exec_dir), (sep ? *sep : '/'), (sep ? "" : arg0), (space ? cmd + larg0 : ""));
+
        efree(arg0);
        arg0 = php_escape_shell_cmd(*safecmd);
        efree(*safecmd);

diff --git a/main/php_logos.c b/main/php_logos.c
index c544d7fdf35241493301403804a4f3af5c20d909..e85b04839e037d45442cb98dcc4d21e62a731ef0 100644 (file)
--- a/main/php_logos.c
+++ b/main/php_logos.c
@@ -78,13 +78,12 @@ int php_info_logos(const char *logo_string TSRMLS_DC)
        if(FAILURE==zend_hash_find(&phpinfo_logo_hash, (char *) logo_string, strlen(logo_string), (void **)&logo_image))
                return 0;
 
-       len=strlen(CONTENT_TYPE_HEADER)+logo_image->mimelen;
-       content_header=malloc(len+1);
-       if(!content_header) return 0;
-       strcpy(content_header, CONTENT_TYPE_HEADER);
-       strcat(content_header, logo_image->mimetype);
-       sapi_add_header(content_header, len, 1);
-       free(content_header);
+       len = sizeof(CONTENT_TYPE_HEADER) - 1 + logo_image->mimelen;
+       content_header = emalloc(len + 1);
+       memcpy(content_header, CONTENT_TYPE_HEADER, sizeof(CONTENT_TYPE_HEADER) - 1);
+       memcpy(content_header + sizeof(CONTENT_TYPE_HEADER) - 1 , logo_image->mimetype, logo_image->mimelen);
+       content_header[len] = '\0';
+       sapi_add_header(content_header, len, 0);
 
        PHPWRITE(logo_image->data, logo_image->size);
        return 1;