MFH: Fixed bug #34645 (ctype corrupts memory when validating large numbers).

diff --git a/NEWS b/NEWS
index 1026216968d592a24751648f8972229581de38de..fbb4bcd689a57ace5c06107e4ead580509259619 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,7 @@ PHP 4                                                                      NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2005, Version 4.4.1
 - Added "new_link" parameter to mssql_connect(). Bug #34369. (Frank)
+- Fixed bug #34645 (ctype corrupts memory when validating large numbers). (Ilia)
 - Fixed bug #34565 (mb_send_mail does not fetch mail.force_extra_parameters).
   (Marco, Ilia)
 - Fixed bug #34456 (Possible crash inside pspell extension). (Nuno)

diff --git a/ext/ctype/ctype.c b/ext/ctype/ctype.c
index 5f5f83f7543797d3f29ed92e37cf06c1c4604883..4766cb557bff70bfce399ce7fba672cbb0ac9fe8 100644 (file)
--- a/ext/ctype/ctype.c
+++ b/ext/ctype/ctype.c
@@ -92,34 +92,39 @@ PHP_MINFO_FUNCTION(ctype)
 /* {{{ ctype
  */
 #define CTYPE(iswhat) \
-       zval *c; \
+       zval *c, tmp; \
        if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z", &c) == FAILURE) \
                return; \
-       switch (Z_TYPE_P(c)) { \
-       case IS_LONG: \
+       if (Z_TYPE_P(c) == IS_LONG) { \
                if (Z_LVAL_P(c) <= 255 && Z_LVAL_P(c) >= 0) { \
                        RETURN_BOOL(iswhat(Z_LVAL_P(c))); \
                } else if (Z_LVAL_P(c) >= -128 && Z_LVAL_P(c) < 0) { \
                        RETURN_BOOL(iswhat(Z_LVAL_P(c) + 256)); \
                } \
-               SEPARATE_ZVAL(&c);      \
-               convert_to_string(c);   \
-       case IS_STRING: \
-               { \
-                       char *p; \
-                       int n, len; \
-                       p=Z_STRVAL_P(c); \
-                       len = Z_STRLEN_P(c); \
-                       for(n=0;n<len;n++) { \
-                               if(!iswhat((int)*(unsigned char *)(p++))) RETURN_FALSE; \
+               tmp = *c; \
+               zval_copy_ctor(&tmp); \
+               convert_to_string(&tmp); \
+       } else { \
+               tmp = *c; \
+       } \
+       if (Z_TYPE(tmp) == IS_STRING) { \
+               char *p = Z_STRVAL(tmp), *e = Z_STRVAL(tmp) + Z_STRLEN(tmp); \
+               if (e == p) {   \
+                       if (Z_TYPE_P(c) == IS_LONG) zval_dtor(&tmp); \
+                       RETURN_FALSE;   \
+               }       \
+               while (p < e) { \
+                       if(!iswhat((int)*(unsigned char *)(p++))) { \
+                               if (Z_TYPE_P(c) == IS_LONG) zval_dtor(&tmp); \
+                               RETURN_FALSE; \
                        } \
-                       RETURN_TRUE; \
                } \
-       default: \
-               break; \
+               if (Z_TYPE_P(c) == IS_LONG) zval_dtor(&tmp); \
+               RETURN_TRUE; \
+       } else { \
+               RETURN_FALSE; \
        } \
-       RETURN_FALSE; 
- 
+
 /* }}} */
 
 /* {{{ proto bool ctype_alnum(mixed c)

diff --git a/ext/ctype/tests/bug34645.phpt b/ext/ctype/tests/bug34645.phpt
new file mode 100644 (file)
index 0000000..412c8c9
--- /dev/null
+++ b/ext/ctype/tests/bug34645.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #34645 (ctype corrupts memory when validating large numbers)
+--FILE--
+<?php
+$id = 394829384;
+var_dump(ctype_digit($id));
+var_dump($id);
+?>
+--EXPECT--
+bool(true)
+int(394829384)