From: Ilia Alshanetsky <iliaa@php.net>
Date: Thu, 29 Sep 2005 16:30:15 +0000 (+0000)
Subject: Fixed possible crash and/or memory corruption in import_request_variables()
X-Git-Tag: RELEASE_0_9_0~71
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=a36e2bd05a541188a519476501f7d56af3817ee1;p=php

Fixed possible crash and/or memory corruption in import_request_variables()
Fixed potential GLOBALS overwrite via import_request_variables().
---

diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
index 28a9cf51a0..738cd7c203 100644
--- a/ext/standard/basic_functions.c
+++ b/ext/standard/basic_functions.c
@@ -3238,11 +3238,25 @@ static int copy_request_variable(void *pDest, int num_args, va_list args, zend_h
 	prefix = va_arg(args, char *);
 	prefix_len = va_arg(args, uint);
 
-	new_key_len = prefix_len + hash_key->nKeyLength;
-	new_key = (char *) emalloc(new_key_len);
+	if (!prefix_len) {
+		if (!hash_key->nKeyLength) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Numeric key detected - possible security hazard.");
+			return 0;
+		} else if (!strcmp(hash_key->u.string, "GLOBALS")) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Attempted GLOBALS variable overwrite.");
+			return 0; 
+		}
+	}
+
+	if (hash_key->nKeyLength) {
+		new_key_len = prefix_len + hash_key->nKeyLength;
+		new_key = (char *) emalloc(new_key_len);
 
-	memcpy(new_key, prefix, prefix_len);
-	memcpy(new_key+prefix_len, hash_key->u.string, hash_key->nKeyLength);
+		memcpy(new_key, prefix, prefix_len);
+		memcpy(new_key+prefix_len, hash_key->u.string, hash_key->nKeyLength);
+	} else {
+		new_key_len = spprintf(&new_key, 0, "%s%ld", prefix, hash_key->h);
+	}
 
 	zend_delete_global_variable(new_key, new_key_len-1 TSRMLS_CC);
 	ZEND_SET_SYMBOL_WITH_LENGTH(&EG(symbol_table), new_key, new_key_len, *var, (*var)->refcount+1, 0);