From: Ilia Alshanetsky Date: Tue, 26 Dec 2006 17:40:20 +0000 (+0000) Subject: MFB: safety checks X-Git-Tag: RELEASE_1_0_0RC1~491 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2dbfe66e4a275a97c86729250e9cc26bb01243c1;p=php MFB: safety checks
---
diff --git a/Zend/zend_ini.c b/Zend/zend_ini.c
index 3ef92be5f1..c432b36a09 100644
--- a/Zend/zend_ini.c
+++ b/Zend/zend_ini.c
@@ -530,6 +530,28 @@ ZEND_API ZEND_INI_MH(OnUpdateLong)
 *p = zend_atoi(new_value, new_value_length);
 return SUCCESS;
 }
+ZEND_API ZEND_INI_MH(OnUpdateLongGEZero)
+{
+ long *p, tmp;
+#ifndef ZTS
+ char *base = (char *) mh_arg2;
+#else
+ char *base;
+
+ base = (char *) ts_resource(*((int *) mh_arg2));
+#endif
+
+ tmp = zend_atoi(new_value, new_value_length);
+ if (tmp < 0) {
+ return FAILURE;
+ }
+
+ p = (long *) (base+(size_t) mh_arg1);
+ *p = tmp;
+
+ return SUCCESS;
+}
+
 ZEND_API ZEND_INI_MH(OnUpdateReal)
diff --git a/Zend/zend_ini.h b/Zend/zend_ini.h
index 8dcb0b0907..62592a58f0 100644
--- a/Zend/zend_ini.h
+++ b/Zend/zend_ini.h
@@ -175,6 +175,7 @@ END_EXTERN_C()
 BEGIN_EXTERN_C()
 ZEND_API ZEND_INI_MH(OnUpdateBool);
 ZEND_API ZEND_INI_MH(OnUpdateLong);
+ZEND_API ZEND_INI_MH(OnUpdateLongGEZero);
 ZEND_API ZEND_INI_MH(OnUpdateReal);
 ZEND_API ZEND_INI_MH(OnUpdateString);
 ZEND_API ZEND_INI_MH(OnUpdateStringUnempty);
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index c2a107e4a5..908f3bedb7 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
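Review bot: OnUpdateLongGEZero in the Zend/zend_ini.c hunk has no comment explaining how it differs from OnUpdateLong or why it returns FAILURE before touching the target; add above the definition `/* OnUpdateLong variant that rejects negative values; on FAILURE the target long is left untouched. */`. The guard is only against explicit negatives: zend_atoi is presumably not a strict parser, so a value that does not parse as a number would yield 0 and be accepted just as OnUpdateLong accepts it — worth stating in the comment so callers do not read "GEZero" as full validation. The ZTS/non-ZTS computation of `base` duplicates what the sibling handlers do, but that is consistent with the file's existing style.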
@@ -3569,7 +3569,7 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
 #endif
 if (!ImageInfo->Thumbnail.data) {
- ImageInfo->Thumbnail.data = emalloc(ImageInfo->Thumbnail.size);
+ ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0);
 php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET);
 fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
 if (fgot < ImageInfo->Thumbnail.size) {
@@ -3602,7 +3602,7 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
 #endif
 if (!ImageInfo->Thumbnail.data && ImageInfo->Thumbnail.offset && ImageInfo->Thumbnail.size && ImageInfo->read_thumbnail) {
- ImageInfo->Thumbnail.data = emalloc(ImageInfo->Thumbnail.size);
+ ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0);
 php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET);
 fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
 if (fgot < ImageInfo->Thumbnail.size) {
diff --git a/ext/interbase/ibase_query.c b/ext/interbase/ibase_query.c
index 801c60d20a..205cc7fcd1 100644
--- a/ext/interbase/ibase_query.c
+++ b/ext/interbase/ibase_query.c
@@ -1146,7 +1146,7 @@ PHP_FUNCTION(ibase_query)
 break;
 }
 } else if (bind_n > 0) {
- bind_args = (zval ***) emalloc(sizeof(zval **) * ZEND_NUM_ARGS());
+ bind_args = (zval ***) safe_emalloc(sizeof(zval **), ZEND_NUM_ARGS(), 0);
 if (FAILURE == zend_get_parameters_array_ex(ZEND_NUM_ARGS(), bind_args)) {
 break;
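Review bot: `safe_emalloc(ImageInfo->Thumbnail.size, 1, 0)` in both exif.c hunks (3569 and 3602) has no product that can overflow, so it adds essentially nothing over the emalloc it replaces; the quantity that needs bounding is Thumbnail.size itself, which appears to come from the parsed IFD and is not checked against the remaining file length before the allocation — only the short-read test after the read catches an oversized value, and what that branch does continues past the hunk. Separately, the return value of `php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET);` on the line after each allocation is ignored; if the seek fails, the read proceeds from the stream's current position and the `fgot < ImageInfo->Thumbnail.size` test cannot distinguish that from a truncated thumbnail, so its result should be checked and a failure routed to the same error path as a short read. The enclosing exif_process_IFD_in_TIFF begins and ends outside both hunks.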
diff --git a/ext/json/json.c b/ext/json/json.c
index 8aee1335f3..0bed13bd0a 100644
--- a/ext/json/json.c
+++ b/ext/json/json.c
@@ -242,7 +242,7 @@ static void json_escape_string(smart_str *buf, zstr s, int len, zend_uchar type)
 if (type == IS_UNICODE) {
 utf16 = (unsigned short *) s.u;
 } else {
- utf16 = (unsigned short *) emalloc(len * sizeof(unsigned short));
+ utf16 = (unsigned short *) safe_emalloc(len, sizeof(unsigned short), 0);
 len = utf8_to_utf16(utf16, s.s, len);
 if (len <= 0)
@@ -443,7 +443,7 @@ PHP_FUNCTION(json_decode)
 utf16 = str.u;
 utf16_len = str_len;
 } else {
- utf16 = (unsigned short *) emalloc((str_len+1) * sizeof(unsigned short));
+ utf16 = (unsigned short *) safe_emalloc((str_len+1), sizeof(unsigned short), 0);
 utf16_len = utf8_to_utf16(utf16, str.s, str_len);
 if (utf16_len <= 0)
diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
index 3c10e1b778..7de7429028 100644
--- a/ext/pdo_dblib/dblib_driver.c
+++ b/ext/pdo_dblib/dblib_driver.c
@@ -144,7 +144,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, int unquote
 char *q;
 int l = 1;
- *quoted = q = emalloc(2 * unquotedlen + 3);
+ *quoted = q = safe_emalloc(2, unquotedlen, 3);
 *q++ = '\'';
 while (unquotedlen--) {
diff --git a/ext/pdo_dblib/dblib_stmt.c b/ext/pdo_dblib/dblib_stmt.c
index d4e77fae86..a8f01a5c10 100644
--- a/ext/pdo_dblib/dblib_stmt.c
+++ b/ext/pdo_dblib/dblib_stmt.c
@@ -131,7 +131,7 @@ static int pdo_dblib_stmt_execute(pdo_stmt_t *stmt TSRMLS_DC)
 arows = 100;
 size = S->ncols * sizeof(pdo_dblib_colval);
- S->rows = emalloc(arows * size);
+ S->rows = safe_emalloc(arows, size, 0);
 /* let's fetch all the data */
 do {
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
index e6204533dc..31ec83cebb 100644
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
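Review bot: In the json_decode hunk the `+1` in `safe_emalloc((str_len+1), sizeof(unsigned short), 0)` is still evaluated in the caller's signed int arithmetic before safe_emalloc sees it, so the overflow check does not cover that addition; safe_emalloc's third argument exists for exactly this, `utf16 = (unsigned short *) safe_emalloc(str_len, sizeof(unsigned short), sizeof(unsigned short));`, and the redundant parentheses around the first argument disappear with it. The spl_directory.c hunk further down has the same shape, `safe_emalloc((intern->u.file.max_line_len + 1), sizeof(char), 0)`, where `safe_emalloc(intern->u.file.max_line_len, 1, 1)` would express it (`sizeof(char)` is 1 by definition). Whether str_len or max_line_len can actually sit at the type's maximum is not visible here, so this is about making the check complete rather than a reachable bug. json_decode and spl_filesystem_file_read both continue beyond their hunks.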
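Review bot: `S->rows = safe_emalloc(arows, size, 0);` in the dblib_stmt.c hunk checks only the arows*size product, while `size = S->ncols * sizeof(pdo_dblib_colval);` on the context line just above is still an unchecked multiply, so the guard covers half of the computation. ncols presumably comes from the server's result description and will be small in practice, but the checked call can absorb the column multiply while keeping `size` for later use: `S->rows = safe_emalloc(S->ncols, arows * sizeof(pdo_dblib_colval), 0);` leaves only a constant-by-constant product outside the check. pdo_dblib_stmt_execute continues past the hunk, so how `size` and `arows` are used by the fetch loop is not visible.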
@@ -2098,7 +2098,7 @@ static void php_pgsql_fetch_hash(INTERNAL_FUNCTION_PARAMETERS, long result_type,
 Bucket *p;
 fci.param_count = 0;
- fci.params = emalloc(sizeof(zval*) * ht->nNumOfElements);
+ fci.params = safe_emalloc(sizeof(zval*), ht->nNumOfElements, 0);
 p = ht->pListHead;
 while (p != NULL) {
 fci.params[fci.param_count++] = (zval**)p->pData;
diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
index 338239ff00..cfa95e9464 100644
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@@ -941,7 +941,7 @@ static xmlNodePtr to_xml_double(encodeTypePtr type, zval *data, int style, xmlNo
 convert_to_double(&tmp);
 }
- str = (char *) emalloc(MAX_LENGTH_OF_DOUBLE + EG(precision) + 1);
+ str = (char *) safe_emalloc(EG(precision), 1, MAX_LENGTH_OF_DOUBLE + 1);
 php_gcvt(Z_DVAL(tmp), EG(precision), '.', 'E', str);
 xmlNodeSetContentLen(ret, BAD_CAST(str), strlen(str));
 efree(str);
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
index 05a51e8579..ec76169ba0 100755
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@@ -1363,7 +1363,7 @@ static int spl_filesystem_file_read(spl_filesystem_object *intern, int silent TS
 }
 if (intern->u.file.max_line_len > 0) {
- buf = emalloc((intern->u.file.max_line_len + 1) * sizeof(char));
+ buf = safe_emalloc((intern->u.file.max_line_len + 1), sizeof(char), 0);
 if (php_stream_get_line(intern->u.file.stream, ZSTR(buf), intern->u.file.max_line_len, &line_len) == NULL) {
 efree(buf);
 buf = NULL;
diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
index 52245cc23b..b68d3c985a 100644
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@@ -71,7 +71,7 @@ PHPAPI int php_uuencode(char *src, int src_len, char **dest)
 char *p, *s, *e, *ee;
 /* encoded length is ~ 38% greater then the original */
- p = *dest = emalloc((ceil(src_len * 1.38) + 45 + 1));
+ p = *dest = safe_emalloc(ceil(src_len * 1.38), 1, 46);
 s = src;
 e = src + src_len;
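Review bot: `str = (char *) safe_emalloc(EG(precision), 1, MAX_LENGTH_OF_DOUBLE + 1);` in the php_encoding.c hunk is only safe because a negative precision can no longer reach it — that is enforced by the OnSetPrecision change in main/main.c in this same commit, and by OnUpdateLongGEZero for the matching `PG(serialize_precision)` allocation in the ext/standard/var.c hunk — but nothing at either call site says so, and a negative value converted to size_t here would request an enormous allocation. Add a comment on both allocation lines, e.g. `/* precision is >= 0 (the INI handler rejects negative values), so the size_t conversion is safe */`. This assumes EG(precision) and PG(serialize_precision) are only ever written through their INI handlers, which is worth confirming. to_xml_double and php_var_serialize_intern both continue beyond their hunks.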
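Review bot: `safe_emalloc(ceil(src_len * 1.38), 1, 46)` in the uuencode.c hunk passes a double where safe_emalloc takes size_t; the implicit conversion is fine for a non-negative value but is undefined behaviour for a negative one, so if a negative src_len can reach php_uuencode it should be rejected before this line rather than left to the allocator (whether a caller can pass one is not visible here). The literal 46 also folds away the `45 + 1` the removed line spelled out; `p = *dest = safe_emalloc((size_t) ceil(src_len * 1.38), 1, 45 + 1);` keeps both the conversion and the intent explicit. The php_uudecode hunk below has the same shape with `safe_emalloc(ceil(src_len * 0.75), 1, 1)`. Both functions continue past their hunks.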
@@ -128,7 +128,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest)
 int len, total_len=0;
 char *s, *e, *p, *ee;
- p = *dest = emalloc(ceil(src_len * 0.75) + 1);
+ p = *dest = safe_emalloc(ceil(src_len * 0.75), 1, 1);
 s = src;
 e = src + src_len;
diff --git a/ext/standard/var.c b/ext/standard/var.c
index 8aa7330ddf..2fa0ee20e7 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -944,7 +944,7 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var
 char *s;
 smart_str_appendl(buf, "d:", 2);
- s = (char *) emalloc(MAX_LENGTH_OF_DOUBLE + PG(serialize_precision) + 1);
+ s = (char *) safe_emalloc(PG(serialize_precision), 1, MAX_LENGTH_OF_DOUBLE + 1);
 php_gcvt(Z_DVAL_P(struc), PG(serialize_precision), '.', 'E', s);
 smart_str_appends(buf, s);
 smart_str_appendc(buf, ';');
diff --git a/main/main.c b/main/main.c
index a72054de41..95b6424f0f 100644
--- a/main/main.c
+++ b/main/main.c
@@ -100,8 +100,13 @@ PHPAPI int core_globals_id;
 */
 static PHP_INI_MH(OnSetPrecision)
 {
- EG(precision) = atoi(new_value);
- return SUCCESS;
+ int i = atoi(new_value);
+ if (i >= 0) {
+ EG(precision) = i;
+ return SUCCESS;
+ } else {
+ return FAILURE;
+}
 }
 /* }}} */
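Review bot: The closing brace of the else branch in the main.c OnSetPrecision hunk (`+}`) sits at column 0, so it reads as the end of the function until the real `}` on the following context line, and the `else` after a `return SUCCESS;` is unnecessary; a guard clause removes both problems. Separately, `atoi(new_value)` accepts a non-numeric string as 0 (which the new check then accepts), while the OnUpdateLongGEZero handler added in Zend/zend_ini.c uses zend_atoi for the same kind of check — using one parser for both would keep the two precision settings consistent (which handler the `precision` INI entry itself is registered with is not in this diff).
```c
static PHP_INI_MH(OnSetPrecision)
{
	int i = atoi(new_value);

	if (i < 0) {
		return FAILURE;
	}
	EG(precision) = i;
	return SUCCESS;
}
```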
@@ -377,7 +382,7 @@ PHP_INI_BEGIN()
 STD_PHP_INI_BOOLEAN("y2k_compliance", "1", PHP_INI_ALL, OnUpdateBool, y2k_compliance, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("unserialize_callback_func", NULL, PHP_INI_ALL, OnUpdateString, unserialize_callback_func, php_core_globals, core_globals)
- STD_PHP_INI_ENTRY("serialize_precision", "100", PHP_INI_ALL, OnUpdateLong, serialize_precision, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("serialize_precision", "100", PHP_INI_ALL, OnUpdateLongGEZero, serialize_precision, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("arg_separator.output", "&", PHP_INI_ALL, OnUpdateStringUnempty, arg_separator.output, php_core_globals, core_globals)
 STD_PHP_INI_ENTRY("arg_separator.input", "&", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, arg_separator.input, php_core_globals, core_globals)