From: Ilia Alshanetsky Date: Mon, 28 May 2007 23:00:25 +0000 (+0000) Subject: MFB X-Git-Tag: RELEASE_1_4~31 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=66526cee92c9e285c0a73e35d5ba09e17e810e9a;p=php MFB --- diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c index 682a152204..0d27995525 100644 --- a/ext/bz2/bz2.c +++ b/ext/bz2/bz2.c @@ -225,6 +225,10 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper, #else path_copy = path; #endif + + if (php_check_open_basedir(path_copy TSRMLS_CC)) { + return NULL; + } /* try and open it directly first */ bz_file = BZ2_bzopen(path_copy, mode); @@ -236,7 +240,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper, if (bz_file == NULL) { /* that didn't work, so try and get something from the network/wrapper */ - stream = php_stream_open_wrapper(path, mode, options | STREAM_WILL_CAST, opened_path); + stream = php_stream_open_wrapper(path, mode, options | STREAM_WILL_CAST | ENFORCE_SAFE_MODE, opened_path); if (stream) { int fd; diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c index 261690ea5f..55b549accd 100644 --- a/ext/mcrypt/mcrypt.c +++ b/ext/mcrypt/mcrypt.c @@ -1002,8 +1002,8 @@ int php_mcrypt_iv(php_mcrypt_iv_source source, int size, char **iv_str, int *iv_ int fd, n; size_t read_bytes; - if (size <= 0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can not create an IV with size 0 or smaller"); + if (size <= 0 || size >= INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can not create an IV with a size of less then 1 or greater then %d", INT_MAX); return FAILURE; } diff --git a/ext/shmop/shmop.c b/ext/shmop/shmop.c index ebd5082c8d..8051e2f84b 100644 --- a/ext/shmop/shmop.c +++ b/ext/shmop/shmop.c 
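Review bot: In ext/bz2/bz2.c (hunk at -225), the new early `return NULL` after `php_check_open_basedir(path_copy TSRMLS_CC)` releases nothing that `path_copy` may own. The visible `#else path_copy = path;` suggests that the other preprocessor branch, which starts above the hunk, builds `path_copy` separately; if that branch allocates, every denied open leaks it and the rejection path should free it before returning. The check is also a path-based test made before `BZ2_bzopen(path_copy, mode)` opens the same name again, so a comment should state that the restriction holds only while the path cannot change between the two calls.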
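Review bot: `ENFORCE_SAFE_MODE` in ext/bz2/bz2.c (hunk at -236) covers only the wrapper fallback, which runs when `bz_file == NULL`; the direct `BZ2_bzopen(path_copy, mode)` in the previous hunk is guarded by the open_basedir check alone. Unless a safe-mode check sits above the visible lines, a local path that bzopen can open never reaches the flag added here. If that is the case, pair the open_basedir test with the same safe-mode check the wrapper applies, or add a comment stating why the direct open does not need it.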
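Review bot: The upper bound added to php_mcrypt_iv (ext/mcrypt/mcrypt.c) rejects exactly one value: `size` is an `int`, so `size >= INT_MAX` is true only for `size == INT_MAX`, and the warning's "greater then %d" with `INT_MAX` names a limit no `int` can exceed. If the intent is to keep a later `size + 1` from overflowing (not visible in this hunk), say so in a comment and report the real limit, e.g. `"Cannot create an IV with a size of less than 1 or greater than %d", INT_MAX - 1`. The same "then" for "than" slip appears in the new warnings in ext/shmop/shmop.c and ext/sysvshm/sysvshm.c. The hunk shows no include for `INT_MAX`; confirm `<limits.h>` is reachable in this file.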
@@ -181,6 +181,11 @@ PHP_FUNCTION(shmop_open) goto err; } + if (shmop->shmflg & IPC_CREAT && shmop->size < 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Shared memory segment size must be greater then zero."); + goto err; + } + shmop->shmid = shmget(shmop->key, shmop->size, shmop->shmflg); if (shmop->shmid == -1) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to attach or create shared memory segment"); diff --git a/ext/standard/array.c b/ext/standard/array.c index c31a439bc8..a55eec02fd 100644 --- a/ext/standard/array.c +++ b/ext/standard/array.c @@ -1842,13 +1842,13 @@ double_str: add_next_index_double(return_value, low); } } else { - int low, high; + double low, high; long lstep; long_str: - convert_to_long(zlow); - convert_to_long(zhigh); - low = Z_LVAL_P(zlow); - high = Z_LVAL_P(zhigh); + convert_to_double(zlow); + convert_to_double(zhigh); + low = Z_DVAL_P(zlow); + high = Z_DVAL_P(zhigh); lstep = (long) step; if (low > high) { /* Negative steps */ @@ -1857,18 +1857,18 @@ long_str: goto err; } for (; low >= high; low -= lstep) { - add_next_index_long(return_value, low); + add_next_index_long(return_value, (long)low); } - } else if (high > low) { /* Positive steps */ + } else if (high > low) { /* Positive steps */ if (high - low < lstep || lstep <= 0) { err = 1; goto err; } for (; low <= high; low += lstep) { - add_next_index_long(return_value, low); + add_next_index_long(return_value, (long)low); } } else { - add_next_index_long(return_value, low); + add_next_index_long(return_value, (long)low); } } err: @@ -4104,7 +4104,7 @@ PHP_FUNCTION(array_reduce) zend_hash_move_forward_ex(htbl, &pos); } - RETVAL_ZVAL(result, 0, 1); + RETVAL_ZVAL(result, 1, 1); } /* }}} */ diff --git a/ext/standard/browscap.c b/ext/standard/browscap.c index 4e65fb9e0c..7d3a2e22ff 100644 --- a/ext/standard/browscap.c +++ b/ext/standard/browscap.c 
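Review bot: The new condition in shmop_open, `shmop->shmflg & IPC_CREAT && shmop->size < 1`, relies on `&` binding tighter than `&&`. It parses as intended, but it reads ambiguously and draws a parentheses warning from common compilers. Write it as `if ((shmop->shmflg & IPC_CREAT) && shmop->size < 1) {`. The size check applies only when creating; if passing an unchecked size to `shmget` on attach-only opens is intentional, a one-line comment saying so would help the next reader.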
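Review bot: Switching `low` and `high` to `double` in the long_str path of ext/standard/array.c (the hunk at -1842 and the loop hunk at -1857) makes both loops depend on floating-point stepping. Once the magnitude of `low` passes 2^53, `low -= lstep` and `low += lstep` can leave `low` unchanged for small steps, so the loop never reaches `high` and keeps appending elements. In addition, `(long)low` is undefined when the value is outside the range of `long`, and `lstep = (long) step` has the same problem for a large `step`. Reject endpoints and steps that do not fit in `long` before the loops, and iterate over a precomputed element count instead of the accumulated double, e.g. `n = (unsigned long)((high - low) / lstep);` followed by `for (i = 0; i <= n; i++) add_next_index_long(return_value, (long)(low + (double)i * lstep));`. The enclosing function starts and ends outside both hunks.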
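Review bot: The one-character change in array_reduce, `RETVAL_ZVAL(result, 1, 1)`, carries no comment saying why the copy is required, so a later reader may treat it as a needless duplication and revert it. Presumably `result` can still be referenced elsewhere when the loop ends (for instance the caller's initial value), so taking its contents without copying would disturb that other holder; this is inferred, since the macro and the code that fills `result` are outside the hunk. Add a line such as `/* result may be shared with the caller; copy it, then drop our reference */` above the call.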
@@ -55,7 +55,7 @@ static void convert_browscap_pattern(zval *pattern) php_strtolower(Z_STRVAL_P(pattern), Z_STRLEN_P(pattern)); - t = (char *) malloc(Z_STRLEN_P(pattern)*2 + 3); + t = (char *) safe_pemalloc(Z_STRLEN_P(pattern), 2, 3, 1); t[0] = '^'; @@ -100,7 +100,7 @@ static void php_browscap_parser_cb(zval *arg1, zval *arg2, int callback_type, vo zval *new_property; char *new_key; - new_property = (zval *) malloc(sizeof(zval)); + new_property = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(new_property); Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2), Z_STRLEN_P(arg2)); Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2); @@ -118,14 +118,14 @@ static void php_browscap_parser_cb(zval *arg1, zval *arg2, int callback_type, vo HashTable *section_properties; /*printf("'%s' (%d)\n",$1.value.str.val,$1.value.str.len+1);*/ - current_section = (zval *) malloc(sizeof(zval)); + current_section = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(current_section); - processed = (zval *) malloc(sizeof(zval)); + processed = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(processed); - unprocessed = (zval *) malloc(sizeof(zval)); + unprocessed = (zval *) pemalloc(sizeof(zval), 1); INIT_PZVAL(unprocessed); - section_properties = (HashTable *) malloc(sizeof(HashTable)); + section_properties = (HashTable *) pemalloc(sizeof(HashTable), 1); zend_hash_init(section_properties, 0, NULL, (dtor_func_t) browscap_entry_dtor, 1); current_section->value.ht = section_properties; current_section->type = IS_ARRAY; diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c index d7d4839618..afd0ca240b 100644 --- a/ext/standard/proc_open.c +++ b/ext/standard/proc_open.c 
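Review bot: None of the persistent allocations introduced in ext/standard/browscap.c (hunks at -55, -100 and -118) is checked before use: `t[0] = '^'` and each `INIT_PZVAL(...)` write through the returned pointer straight away. Whether `pemalloc(..., 1)` and `safe_pemalloc(..., 1)` can return NULL in this tree is not visible here; if they can, as the `malloc` they replace could, each call needs a check, and if they abort on failure a comment saying so would settle the question. The release side matters too: `browscap_entry_dtor` and whatever frees `t` are outside the hunks and should use the matching `pefree(..., 1)`. Also confirm how the string from `zend_strndup` in the -100 hunk is freed, since that call was left unchanged.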
@@ -777,6 +777,9 @@ PHP_FUNCTION(proc_open) channel.errfd = -1; /* Duplicate the command as processing downwards will modify it*/ command_dup = strdup(command); + if (!command_dup) { + goto exit_fail; + } /* get a number of args */ construct_argc_argv(command_dup, NULL, &command_num_args, NULL); child_argv = (char**) malloc((command_num_args + 1) * sizeof(char*)); diff --git a/ext/sysvshm/sysvshm.c b/ext/sysvshm/sysvshm.c index 81c940fa5d..9c69f462b3 100644 --- a/ext/sysvshm/sysvshm.c +++ b/ext/sysvshm/sysvshm.c @@ -118,6 +118,11 @@ PHP_FUNCTION(shm_attach) RETURN_FALSE; } + if (shm_size < 1) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Segment size must be greater then zero."); + RETURN_FALSE; + } + shm_list_ptr = (sysvshm_shm *) emalloc(sizeof(sysvshm_shm)); /* get the id from a specified key or create new shared memory */ diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index 1432f02442..0282da2fde 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -984,6 +984,9 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) goto bigint; } l = (long) d; + if (l != d) { + goto bigint; + } case IS_LONG: zend_hash_index_update(target_hash, l, &ent1->data, sizeof(zval *), NULL); break; @@ -1034,10 +1037,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) Z_STRVAL_P(ent->data) = estrndup(decoded, decoded_len); Z_STRLEN_P(ent->data) = decoded_len; } else { - Z_STRVAL_P(ent->data) = erealloc(Z_STRVAL_P(ent->data), - Z_STRLEN_P(ent->data) + decoded_len + 1); - strncpy(Z_STRVAL_P(ent->data)+Z_STRLEN_P(ent->data), decoded, decoded_len); Z_STRLEN_P(ent->data) += decoded_len; + Z_STRVAL_P(ent->data) = erealloc(Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data) + 1); + strlcpy(Z_STRVAL_P(ent->data) + Z_STRLEN_P(ent->data), decoded, Z_STRLEN_P(ent->data) + 1); Z_STRVAL_P(ent->data)[Z_STRLEN_P(ent->data)] = '\0'; } diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c index 11e05a4672..fcedd0d2a4 100644 
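Review bot: The new NULL check in proc_open covers `command_dup`, but the `malloc((command_num_args + 1) * sizeof(char*))` for `child_argv` two lines later has no check in the visible lines. Add `if (!child_argv) { free(command_dup); goto exit_fail; }` after it, unless `exit_fail` already frees `command_dup`; that label is outside the hunk. It is also worth confirming that `exit_fail` tolerates being reached this early, before the rest of the setup below has run.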
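Review bot: The round-trip test in php_wddx_pop_element (hunk at -984), `if (l != d)`, runs after `l = (long) d`, and that conversion is undefined when `d` is outside the range of `long`, so the check alone cannot be relied on to catch out-of-range keys. The `goto bigint` just above suggests that a range guard precedes the cast, but its condition is outside the hunk; confirm it excludes every `d` that does not fit, NaN included. The case also runs on into `case IS_LONG:` without a marker; add `/* fall through */` after the new check so the intent is explicit.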
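Review bot: The rewritten append in php_wddx_process_data (hunk at -1034) copies to the wrong offset: `Z_STRLEN_P(ent->data)` is increased by `decoded_len` before it is used as the destination offset, so `strlcpy` starts writing at the last byte of the reallocated buffer. Its size argument, `Z_STRLEN_P(ent->data) + 1`, also describes the whole buffer instead of the space left after that offset. Any non-empty `decoded` is therefore written past the end of the allocation, and the bytes between the old and the new length are left uninitialised. Keep the old length for the offset and copy exactly `decoded_len` bytes; the sum of the two lengths should also be checked for overflow before reallocating, since both come from parsed input. The function body continues outside the hunk.

```c
} else {
	int old_len = Z_STRLEN_P(ent->data);

	/* grow to old + new + NUL, then append at the old end */
	Z_STRVAL_P(ent->data) = erealloc(Z_STRVAL_P(ent->data), old_len + decoded_len + 1);
	memcpy(Z_STRVAL_P(ent->data) + old_len, decoded, decoded_len);
	Z_STRLEN_P(ent->data) = old_len + decoded_len;
	/* … unchanged: NUL terminator store … */
}
```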
--- a/main/streams/plain_wrapper.c +++ b/main/streams/plain_wrapper.c @@ -904,12 +904,12 @@ PHPAPI php_stream *_php_stream_fopen(const char *filename, const char *mode, cha *opened_path = realpath; realpath = NULL; } - if (realpath) { - efree(realpath); - } /* fall through */ case PHP_STREAM_PERSISTENT_FAILURE: + if (realpath) { + efree(realpath); + } efree(persistent_id);; return ret; } @@ -948,6 +948,10 @@ PHPAPI php_stream *_php_stream_fopen(const char *filename, const char *mode, cha r = do_fstat(self, 0); if ((r == 0 && !S_ISREG(self->sb.st_mode))) { + if (opened_path) { + efree(*opened_path); + *opened_path = NULL; + } php_stream_close(ret); return NULL; } diff --git a/server-tests.php b/server-tests.php index 00055c24bd..6b341b3d9d 100755 --- a/server-tests.php +++ b/server-tests.php @@ -3,7 +3,7 @@ +----------------------------------------------------------------------+ | PHP Version 5 | +----------------------------------------------------------------------+ - | Copyright (c) 1997-2006 The PHP Group | + | Copyright (c) 1997-2007 The PHP Group | +----------------------------------------------------------------------+ | This source file is subject to version 3.01 of the PHP license, | | that is bundled with this package in the file LICENSE, and is |
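Review bot: The new cleanup in _php_stream_fopen (hunk at -948) frees `*opened_path` whenever `opened_path` is non-NULL, which assumes this function has already stored an allocated string there on every route to the `!S_ISREG` rejection. The assignment is not in this hunk, so that cannot be confirmed from here; if any route leaves `*opened_path` unset or NULL, the `efree` acts on a pointer this function does not own. Guarding with `if (opened_path && *opened_path) {` costs nothing and makes the ownership explicit.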