From: Christopher Jones
Date: Fri, 18 Nov 2011 09:59:35 +0000 (+0000)
Subject: Sync to 5.3 and check additional cases for #55748
X-Git-Tag: php-5.5.0alpha1~869
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=984c34aa0bed37e32ce1f35ef81e9f9788070cf7;p=php
Sync to 5.3 and check additional cases for #55748
---
diff --git a/ext/oci8/oci8.c b/ext/oci8/oci8.c
index 2b63a6faf5..e47dbc7d8f 100644
--- a/ext/oci8/oci8.c
+++ b/ext/oci8/oci8.c
@@ -2054,8 +2054,12 @@ php_oci_connection *php_oci_do_connect_ex(char *username, int username_len, char
 connection->is_persistent = 0;
 } else {
 connection = (php_oci_connection *) calloc(1, sizeof(php_oci_connection));
+ if (connection == NULL) {
+ return NULL;
+ }
 connection->hash_key = zend_strndup(hashed_details.c, hashed_details.len);
- if(connection->hash_key == NULL) {
+ if (connection->hash_key == NULL) {
+ free(connection);
 return NULL;
 }
 connection->is_persistent = 1;
@@ -2707,12 +2711,20 @@ static php_oci_spool *php_oci_create_spool(char *username, int username_len, cha
 ub4 poolmode = OCI_DEFAULT; /* Mode to be passed to OCISessionPoolCreate */
 OCIAuthInfo *spoolAuth = NULL;
- /*Allocate sessionpool out of persistent memory */
+ /* Allocate sessionpool out of persistent memory */
 session_pool = (php_oci_spool *) calloc(1, sizeof(php_oci_spool));
+ if (session_pool == NULL) {
+ iserror = 1;
+ goto exit_create_spool;
+ }
 /* Populate key if passed */
 if (hash_key_len) {
 session_pool->spool_hash_key = zend_strndup(hash_key, hash_key_len);
+ if (session_pool->spool_hash_key == NULL) {
+ iserror = 1;
+ goto exit_create_spool;
+ }
 }
 /* Create the session pool's env */
diff --git a/ext/oci8/package.xml b/ext/oci8/package.xml
index bcad81b197..e699ad2efa 100644
--- a/ext/oci8/package.xml
+++ b/ext/oci8/package.xml
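Review bot: Both new failure exits in the persistent branch of php_oci_do_connect_ex (the `return NULL` after the calloc() check and the one after `free(connection)`) leave the function directly, so nothing else the function may hold at that point is released and the caller receives NULL with no diagnostic. `hashed_details` is still being read on the line between the two checks; if it owns a heap buffer here (its setup is outside the hunk), these paths leak it on every allocation failure. Consider routing both exits through whatever cleanup the function's other failure paths use, and document the intent at each, e.g. `/* calloc() failed: nothing allocated for this connection yet */` and `/* hash_key copy failed: release the half-built connection */`. The function body starts and ends outside the hunk, so the cleanup convention has to be checked there.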
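Review bot: The new `goto exit_create_spool` taken when `session_pool == NULL` is only safe if the code at that label tolerates a NULL pool; the label is outside the hunk, so this cannot be confirmed from here. If the cleanup closes or dereferences `session_pool` whenever `iserror` is set, the out-of-memory path becomes the same kind of NULL dereference this commit is fixing, so the teardown should be guarded along the lines of `if (iserror && session_pool) { ... }`. The second exit (failed `zend_strndup`) reaches the label with a pool whose remaining fields are still zero from calloc(), so the teardown also has to cope with a pool that has no environment or pool handle yet. A short comment at both gotos, such as `/* pool is NULL or only partly built here; exit_create_spool must handle that */`, would make the contract explicit.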
@@ -47,6 +47,7 @@ http://pear.php.net/dtd/package-2.0.xsd"> PHP Fixed bug #59985 (show normal warning text for OCI_NO_DATA) + Fixed OCI8 part of bug #55748 (CVE-2011-4153: multiple NULL Pointer Dereference with zend_strndup) Increased maximum Oracle error message buffer length for new Oracle 11.2.0.3 size Improve internal initalization failure error messages