MFH: Do not use alloca() where it can be abused through user input.
authorIlia Alshanetsky <iliaa@php.net>
Wed, 30 Jun 2004 01:12:09 +0000 (01:12 +0000)
committerIlia Alshanetsky <iliaa@php.net>
Wed, 30 Jun 2004 01:12:09 +0000 (01:12 +0000)
ext/pcntl/pcntl.c
ext/session/mod_mm.c
ext/wddx/wddx.c

index 070c9f2bae57d1cc7a40418081d12ce85d89a390..959383c2fa2aeeff2e0c1920a6d3bd1673e71943 100755 (executable)
@@ -386,7 +386,7 @@ PHP_FUNCTION(pcntl_exec)
                args_hash = HASH_OF(args);
                argc = zend_hash_num_elements(args_hash);
                
-               argv = alloca((argc+2) * sizeof(char *));
+               argv = safe_emalloc((argc + 2), sizeof(char *), 0);
                *argv = path;
                for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1; 
                        (argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
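Review bot: The `argc + 2` sum on the new `safe_emalloc` line is computed before the call, so the overflow check inside `safe_emalloc` only guards the multiplication and never sees the addition. Passing the extra slots through the offset argument keeps the whole size computation under that check: `argv = safe_emalloc(argc, sizeof(char *), 2 * sizeof(char *));`. The same applies to `envp = safe_emalloc((envc + 1), sizeof(char *), 0);` in the third hunk, which could be `safe_emalloc(envc, sizeof(char *), sizeof(char *))`. The declarations of `argc` and `envc` are outside these hunks, so whether the sum can actually wrap depends on their type. The body of pcntl_exec continues past the hunk.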
@@ -397,7 +397,7 @@ PHP_FUNCTION(pcntl_exec)
                }
                *(current_arg) = NULL;
        } else {
-               argv = alloca(2 * sizeof(char *));
+               argv = emalloc(2 * sizeof(char *));
                *argv = path;
                *(argv+1) = NULL;
        }
@@ -407,13 +407,13 @@ PHP_FUNCTION(pcntl_exec)
                envs_hash = HASH_OF(envs);
                envc = zend_hash_num_elements(envs_hash);
                
-               envp = alloca((envc+1) * sizeof(char *));
+               envp = safe_emalloc((envc + 1), sizeof(char *), 0);
                for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp; 
                        (envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS));
                        (envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
                        switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) {
                                case HASH_KEY_IS_LONG:
-                                       key = alloca(101);
+                                       key = emalloc(101);
                                        snprintf(key, 100, "%ld", key_num);
                                        key_length = strlen(key);
                                        break;
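Review bot: The `HASH_KEY_IS_LONG` branch now makes a 101-byte heap allocation for every numeric key and formats with a hard-coded `100`, so the buffer size and the `snprintf` limit are two separate magic numbers. The size is constant and not influenced by input, so a fixed local array would avoid both alloca and the heap: `char num_key[32];` declared with the other locals, then `snprintf(num_key, sizeof(num_key), "%ld", key_num); key = num_key;`. That would presumably also make the conditional `efree(key)` in the next hunk unnecessary. The declarations and the rest of the loop body are outside this hunk, so this should be checked against the full function.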
@@ -432,7 +432,7 @@ PHP_FUNCTION(pcntl_exec)
                        strlcat(*pair, Z_STRVAL_PP(element), pair_length);
                        
                        /* Cleanup */
-                       if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+                       if (return_val == HASH_KEY_IS_LONG) efree(key);
                }
                *(pair) = NULL;
        }
@@ -445,10 +445,10 @@ PHP_FUNCTION(pcntl_exec)
        /* Cleanup */
        if (envp != NULL) {
                for (pair = envp; *pair != NULL; pair++) efree(*pair);
-               free_alloca(envp);
+               efree(envp);
        }
 
-       free_alloca(argv);
+       efree(argv);
        
        RETURN_FALSE;
 }
index df18659278fcfcaaf87c87f7d35dd448d9f66a12..2045451b8c7b659791885372afab10764e97b04d 100644 (file)
@@ -264,7 +264,7 @@ PHP_MINIT_FUNCTION(ps_mm)
                return FAILURE;
                
     /* Directory + '/' + File + Module Name + Effective UID + \0 */    
-       ps_mm_path = do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
+       ps_mm_path = emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
        
        memcpy(ps_mm_path, PS(save_path), save_path_len + 1);
        if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) {
@@ -277,7 +277,7 @@ PHP_MINIT_FUNCTION(ps_mm)
        
        ret = ps_mm_initialize(ps_mm_instance, ps_mm_path);
                
-       free_alloca(ps_mm_path);
+       efree(ps_mm_path);
    
        if (ret != SUCCESS) {
                free(ps_mm_instance);
index b68b02dd8d2bb2fd0f02552220d4b4873d6e2f81..3a16dc95d094eed3cd5b24931f4145cf43039069 100644 (file)
@@ -1069,7 +1069,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
                        case ST_DATETIME: {
                                char *tmp;
 
-                               tmp = do_alloca(len + 1);
+                               tmp = emalloc(len + 1);
                                memcpy(tmp, s, len);
                                tmp[len] = '\0';
 
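Review bot: The three lines that build `tmp` (`emalloc(len + 1)`, `memcpy`, the terminator write) duplicate what `estrndup` does, and the same function already calls `estrndup(s, len)` in the next hunk. `tmp = estrndup(s, len);` would replace them and keep the length arithmetic in one place. `len` is an `int` supplied by the XML parser callback, so `len + 1` is evaluated in signed arithmetic; whether it can be very large or negative depends on the parser and is not visible here. The matching `efree(tmp)` is in the following hunk.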
@@ -1080,7 +1080,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
                                        Z_STRLEN_P(ent->data) = len;
                                        Z_STRVAL_P(ent->data) = estrndup(s, len);
                                }
-                               free_alloca(tmp);
+                               efree(tmp);
                        }
                        default:
                                break;