Merge branch 'PHP-5.6'
authorStanislav Malyshev <stas@php.net>
Tue, 20 Jan 2015 18:41:59 +0000 (10:41 -0800)
committerStanislav Malyshev <stas@php.net>
Tue, 20 Jan 2015 18:41:59 +0000 (10:41 -0800)
* PHP-5.6:
  5.4.38 next
  Updated NEWS
  Updated NEWS
  Fix bug #68711 Remove useless checks. 'num' is unsigned and cannot be <0.
  Fix bug #68799: Free called on uninitialized pointer
  Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())

Conflicts:
ext/exif/exif.c
ext/standard/var_unserializer.c
ext/standard/var_unserializer.re

ext/exif/exif.c

diff --cc ext/exif/exif.c
index d889db06fd6ce57f154b40f8983a777abcc41bf9,5504545b9be3379c5244b371d825eb64659eb5f5..0e25a05cf26757f9634961b1d178d3ae7cd7ade0
@@@ -2692,19 -2689,19 +2692,19 @@@ static int exif_process_user_comment(im
  
  /* {{{ exif_process_unicode
   * Process unicode field in IFD. */
 -static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 +static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount)
  {
 -      xp_field->tag = tag;    
 +      xp_field->tag = tag;
+       xp_field->value = NULL;
        /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
        if (zend_multibyte_encoding_converter(
 -                      (unsigned char**)&xp_field->value, 
 -                      &xp_field->size, 
 +                      (unsigned char**)&xp_field->value,
 +                      &xp_field->size,
                        (unsigned char*)szValuePtr,
                        ByteCount,
 -                      zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 -                      zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
 -                      TSRMLS_CC) == (size_t)-1) {
 +                      zend_multibyte_fetch_encoding(ImageInfo->encode_unicode),
 +                      zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le)
 +                      ) == (size_t)-1) {
                xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
        }
        return xp_field->size;
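Review bot: `xp_field->size` is still not initialised before the converter call, so the added `xp_field->value = NULL;` makes only the pointer half of the pair well-defined. The XXX comment above the call already concedes that the fallback runs only when the converter returns exactly `(size_t)-1`; on any other failure return, and assuming the converter does not write `size` in that case (not visible here), the function would return a stale `size` alongside a NULL `value`. Adding `xp_field->size = 0;` next to the NULL assignment keeps the two fields consistent for whatever later frees or copies the field. Separately, `ByteCount` is a signed `int` passed as a length, so it is worth confirming that the caller rejects negative values before they are converted to a very large size. The function's closing brace lies outside the hunk.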