From: Marcus Boerger Date: Mon, 24 Jul 2006 17:58:32 +0000 (+0000) Subject: - Better fix for #34505 and related, drop zend_unmangle_property_name_ex() X-Git-Tag: php-5.2.0RC1~5 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=519ed8e13be3a239318ed6d224e15b2fff090398;p=php - Better fix for #34505 and related, drop zend_unmangle_property_name_ex() --- diff --git a/Zend/zend.c b/Zend/zend.c index 37fb54030b..9100e2fc88 100644 --- a/Zend/zend.c +++ b/Zend/zend.c @@ -131,7 +131,7 @@ static void print_hash(zend_write_func_t write_func, HashTable *ht, int indent, if (is_object) { char *prop_name, *class_name; - zend_unmangle_property_name_ex(string_key, str_len, &class_name, &prop_name); + zend_unmangle_property_name(string_key, str_len-1, &class_name, &prop_name); ZEND_PUTS_EX(prop_name); if (class_name) { if (class_name[0]=='*') { diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c index 6807067cc6..89366b0c6d 100644 --- a/Zend/zend_builtin_functions.c +++ b/Zend/zend_builtin_functions.c @@ -723,7 +723,7 @@ static void add_class_vars(zend_class_entry *ce, HashTable *properties, zval *re zend_hash_get_current_key_ex(properties, &key, &key_len, &num_index, 0, &pos); zend_hash_move_forward_ex(properties, &pos); - zend_unmangle_property_name_ex(key, key_len, &class_name, &prop_name); + zend_unmangle_property_name(key, key_len-1, &class_name, &prop_name); if (class_name) { if (class_name[0] != '*' && strcmp(class_name, ce->name)) { /* filter privates from base classes */ 
@@ -820,7 +820,7 @@ ZEND_FUNCTION(get_object_vars) (*value)->refcount++; add_assoc_zval_ex(return_value, key, key_len, *value); } else if (instanceof) { - zend_unmangle_property_name_ex(key, key_len, &class_name, &prop_name); + zend_unmangle_property_name(key, key_len-1, &class_name, &prop_name); if (!memcmp(class_name, "*", 2) || (Z_OBJCE_P(EG(This)) == Z_OBJCE_PP(obj) && !strcmp(Z_OBJCE_P(EG(This))->name, class_name))) { /* Not separating references */ (*value)->refcount++; @@ -969,7 +969,7 @@ ZEND_FUNCTION(property_exists) if (property_info->flags & ZEND_ACC_PUBLIC) { RETURN_TRUE; } - zend_unmangle_property_name_ex(property_info->name, property_info->name_length, &class_name, &prop_name); + zend_unmangle_property_name(property_info->name, property_info->name_length, &class_name, &prop_name); if (!strncmp(class_name, "*", 1)) { if (instanceof_function(EG(scope), ce TSRMLS_CC)) { RETURN_TRUE; diff --git a/Zend/zend_compile.c b/Zend/zend_compile.c index ede2946c80..e92bda6460 100644 --- a/Zend/zend_compile.c +++ b/Zend/zend_compile.c @@ -2116,7 +2116,7 @@ static zend_bool do_inherit_property_access_check(HashTable *target_ht, zend_pro if (zend_hash_find(&ce->default_static_members, child_info->name, child_info->name_length+1, (void**)&new_prop) == SUCCESS) { if (Z_TYPE_PP(new_prop) != IS_NULL && Z_TYPE_PP(prop) != IS_NULL) { char *prop_name, *tmp; - zend_unmangle_property_name_ex(child_info->name, child_info->name_length, &tmp, &prop_name); + zend_unmangle_property_name(child_info->name, child_info->name_length, &tmp, &prop_name); zend_error(E_COMPILE_ERROR, "Cannot change initial value of property static protected %s::$%s in class %s", parent_ce->name, prop_name, ce->name); 
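Review bot: In the get_object_vars hunk the result of `zend_unmangle_property_name()` is discarded and `class_name` goes straight into `memcmp(class_name, "*", 2)`, yet the new implementation sets `*class_name = NULL` on both FAILURE paths (key too short, or no NUL ending the class part), so a malformed mangled key would reach `memcmp` with a null pointer. The call belongs in the condition, e.g. `if (zend_unmangle_property_name(key, key_len-1, &class_name, &prop_name) == SUCCESS && class_name && (/* existing visibility test */)) {`. The property_exists hunk has the same shape with `strncmp(class_name, "*", 1)`, and `zend_check_property_access()` in Zend/zend_object_handlers.c also ignores the return value and looks up `prop_name` regardless. How a malformed key could enter an object's property table is not visible on this page, so reachability needs confirming; the enclosing functions extend beyond these hunks.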
@@ -2901,29 +2901,38 @@ ZEND_API void zend_mangle_property_name(char **dest, int *dest_length, char *src } -ZEND_API void zend_unmangle_property_name_ex(char *mangled_property, int mangled_property_len, char **class_name, char **prop_name) +static int zend_strnlen(const char* s, int maxlen) { - *prop_name = *class_name = NULL; - - if (mangled_property_len < 2) { /* do not try to unmangle empty strings */ - *prop_name = mangled_property; - return; - } - - zend_unmangle_property_name(mangled_property, class_name, prop_name); + int len = 0; + while (*s++ && maxlen--) len++; + return len; } -ZEND_API void zend_unmangle_property_name(char *mangled_property, char **class_name, char **prop_name) +ZEND_API int zend_unmangle_property_name(char *mangled_property, int len, char **class_name, char **prop_name) { - *prop_name = *class_name = NULL; + int class_name_len; + + *class_name = NULL; if (mangled_property[0]!=0) { *prop_name = mangled_property; - return; + return SUCCESS; + } + if (len < 3) { + zend_error(E_NOTICE, "Illegal member variable name"); + *prop_name = mangled_property; + return FAILURE; } + class_name_len = zend_strnlen(mangled_property+1, --len - 1) + 1; + if (class_name_len >= len || mangled_property[class_name_len]!=0) { + zend_error(E_NOTICE, "Corrupt member variable name"); + *prop_name = mangled_property; + return FAILURE; + } *class_name = mangled_property+1; - *prop_name = (*class_name)+strlen(*class_name)+1; + *prop_name = (*class_name)+class_name_len; + return SUCCESS; } void zend_do_declare_property(znode *var_name, znode *value, zend_uint access_type TSRMLS_DC) diff --git a/Zend/zend_compile.h b/Zend/zend_compile.h index ee1c0ada8b..3525198d91 100644 --- a/Zend/zend_compile.h +++ b/Zend/zend_compile.h 
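Review bot: `zend_strnlen()` evaluates `*s++` before `maxlen--`, so it always reads the byte at the bound before noticing the bound is used up, and with a negative `maxlen` the bound is never applied at all. In `zend_unmangle_property_name()` the `len < 3` guard keeps `maxlen` positive and the extra byte is still inside the key (provided `len` is the real length), so the present caller is fine, but the helper does not hold its own contract. Testing the bound first fixes both: `while (maxlen-- > 0 && *s++) len++;`. A comment on `zend_unmangle_property_name()` would also help: `len` excludes the terminating NUL (call sites pass `key_len-1` for hash keys and `name_length` for property info), and FAILURE leaves `*class_name` NULL with `*prop_name` pointing at the raw mangled buffer.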
@@ -528,8 +528,7 @@ ZEND_API void destroy_zend_class(zend_class_entry **pce); void zend_class_add_ref(zend_class_entry **ce); ZEND_API void zend_mangle_property_name(char **dest, int *dest_length, char *src1, int src1_length, char *src2, int src2_length, int internal); -ZEND_API void zend_unmangle_property_name(char *mangled_property, char **prop_name, char **class_name); -ZEND_API void zend_unmangle_property_name_ex(char *mangled_property, int mangled_property_len, char **prop_name, char **class_name); +ZEND_API int zend_unmangle_property_name(char *mangled_property, int mangled_property_len, char **prop_name, char **class_name); #define ZEND_FUNCTION_DTOR (void (*)(void *)) zend_function_dtor #define ZEND_CLASS_DTOR (void (*)(void *)) destroy_zend_class diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index 6b4e00edb3..fe6328e157 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -245,13 +245,13 @@ ZEND_API struct _zend_property_info *zend_get_property_info(zend_class_entry *ce } -ZEND_API int zend_check_property_access(zend_object *zobj, char *prop_info_name TSRMLS_DC) +ZEND_API int zend_check_property_access(zend_object *zobj, char *prop_info_name, int prop_info_name_len TSRMLS_DC) { zend_property_info *property_info; char *class_name, *prop_name; zval member; - zend_unmangle_property_name(prop_info_name, &class_name, &prop_name); + zend_unmangle_property_name(prop_info_name, prop_info_name_len, &class_name, &prop_name); ZVAL_STRING(&member, prop_name, 0); property_info = zend_get_property_info(zobj->ce, &member, 1 TSRMLS_CC); if (!property_info) { diff --git a/Zend/zend_object_handlers.h b/Zend/zend_object_handlers.h index 32e4c0d1c9..1d196e2e3c 100644 --- a/Zend/zend_object_handlers.h +++ b/Zend/zend_object_handlers.h 
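Review bot: The new prototype in Zend/zend_compile.h names its last two parameters `char **prop_name, char **class_name`, while the definition in Zend/zend_compile.c takes `char **class_name, char **prop_name` and every call site in this commit passes `&class_name, &prop_name`. The types are identical so it compiles, but anyone coding against the header would pass the out-pointers in the wrong order and then compare a property name where a class name is expected in visibility checks. Suggested line: `ZEND_API int zend_unmangle_property_name(char *mangled_property, int mangled_property_len, char **class_name, char **prop_name);`, ideally with a comment that the length excludes the trailing NUL and that the function returns SUCCESS or FAILURE.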
@@ -153,7 +153,7 @@ ZEND_API int zend_check_private(union _zend_function *fbc, zend_class_entry *ce, ZEND_API int zend_check_protected(zend_class_entry *ce, zend_class_entry *scope); -ZEND_API int zend_check_property_access(zend_object *zobj, char *prop_info_name TSRMLS_DC); +ZEND_API int zend_check_property_access(zend_object *zobj, char *prop_info_name, int prop_info_name_len TSRMLS_DC); ZEND_API void zend_std_call_user_call(INTERNAL_FUNCTION_PARAMETERS); END_EXTERN_C() diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h index ddb862e44f..3cf632c49e 100644 --- a/Zend/zend_vm_def.h +++ b/Zend/zend_vm_def.h @@ -3155,7 +3155,7 @@ ZEND_VM_HANDLER(77, ZEND_FE_RESET, CONST|TMP|VAR|CV, ANY) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, str_key TSRMLS_CC) == SUCCESS) { + zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { break; } zend_hash_move_forward(fe_ht); @@ -3214,9 +3214,9 @@ ZEND_VM_HANDLER(78, ZEND_FE_FETCH, VAR, ANY) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); zend_hash_move_forward(fe_ht); - } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, str_key TSRMLS_CC) != SUCCESS); + } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS); if (use_key) { - zend_unmangle_property_name_ex(str_key, str_key_len, &class_name, &prop_name); + zend_unmangle_property_name(str_key, str_key_len-1, &class_name, &prop_name); str_key_len = strlen(prop_name); str_key = estrndup(prop_name, str_key_len); str_key_len++; diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h index 104f01d69c..c42937d0f9 100644 --- a/Zend/zend_vm_execute.h +++ b/Zend/zend_vm_execute.h 
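Review bot: In the ZEND_FE_RESET hunk the condition excludes only `HASH_KEY_NON_EXISTANT` before calling `zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC)`, so an integer key would take this path too. `zend_hash_get_current_key_ex()` reports such keys through `int_key`, and whether `str_key` and `str_key_len` hold anything defined in that case depends on declarations outside the hunk. If they are not initialised, both the pointer and the new `str_key_len-1` argument are indeterminate when they reach the unmangle code. Assuming integer-keyed entries should still be iterated, a guard such as `(key_type == HASH_KEY_IS_LONG || zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS)` limits the string handling to string keys. The ZEND_FE_FETCH hunk that follows has the same loop condition, and Zend/zend_vm_execute.h would need regenerating.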
@@ -2195,7 +2195,7 @@ static int ZEND_FE_RESET_SPEC_CONST_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, str_key TSRMLS_CC) == SUCCESS) { + zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { break; } zend_hash_move_forward(fe_ht); @@ -4705,7 +4705,7 @@ static int ZEND_FE_RESET_SPEC_TMP_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, str_key TSRMLS_CC) == SUCCESS) { + zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { break; } zend_hash_move_forward(fe_ht); @@ -7797,7 +7797,7 @@ static int ZEND_FE_RESET_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, str_key TSRMLS_CC) == SUCCESS) { + zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { break; } zend_hash_move_forward(fe_ht); @@ -7856,9 +7856,9 @@ static int ZEND_FE_FETCH_SPEC_VAR_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); zend_hash_move_forward(fe_ht); - } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, str_key TSRMLS_CC) != SUCCESS); + } while (key_type == HASH_KEY_NON_EXISTANT || zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) != SUCCESS); if (use_key) { - zend_unmangle_property_name_ex(str_key, str_key_len, &class_name, &prop_name); + zend_unmangle_property_name(str_key, str_key_len-1, &class_name, &prop_name); str_key_len = strlen(prop_name); str_key = estrndup(prop_name, str_key_len); str_key_len++; 
@@ -20249,7 +20249,7 @@ static int ZEND_FE_RESET_SPEC_CV_HANDLER(ZEND_OPCODE_HANDLER_ARGS) key_type = zend_hash_get_current_key_ex(fe_ht, &str_key, &str_key_len, &int_key, 0, NULL); if (key_type != HASH_KEY_NON_EXISTANT && - zend_check_property_access(zobj, str_key TSRMLS_CC) == SUCCESS) { + zend_check_property_access(zobj, str_key, str_key_len-1 TSRMLS_CC) == SUCCESS) { break; } zend_hash_move_forward(fe_ht);