From: Antony Dovgal <tony2001@php.net>
Date: Mon, 23 Jan 2006 22:42:12 +0000 (+0000)
Subject: MFH: fix #36113 (Reading records of unsupported type causes segfault)
X-Git-Tag: php-5.1.3RC1~214
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d0e1a4fdca3fdddac07a559149877eb154fb3070;p=php

MFH: fix #36113 (Reading records of unsupported type causes segfault)
---

diff --git a/NEWS b/NEWS
index 7efb32aaac..41083f8c36 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,8 @@ PHP                                                                        NEWS
   on error. (Pierre)
 - Fixed bug #36134 (DirectoryIterator constructor failed to detect empty 
   directory names). (Ilia)
+- Fixed bug #36113 (Reading records of unsupported type causes segfault). 
+  (Tony)
 - Fixed bug #36096 (oci_result() returns garbage after oci_fetch() failed). 
   (Tony)
 - Fixed bug #36071 (Engine Crash related with 'clone'). (Dmitry)
diff --git a/ext/dbase/dbf_head.c b/ext/dbase/dbf_head.c
index 9ec1f40d6c..f45a99cfdd 100644
--- a/ext/dbase/dbf_head.c
+++ b/ext/dbase/dbf_head.c
@@ -24,7 +24,7 @@ dbhead_t *get_dbf_head(int fd)
 	dbfield_t *dbf, *cur_f, *tdbf;
 	int ret, nfields, offset, gf_retval;
 
-	if ((dbh = (dbhead_t *)malloc(sizeof(dbhead_t))) == NULL)
+	if ((dbh = (dbhead_t *)calloc(1, sizeof(dbhead_t))) == NULL)
 		return NULL;
 	if (lseek(fd, 0, 0) < 0)
 		return NULL;
@@ -44,7 +44,7 @@ dbhead_t *get_dbf_head(int fd)
 
 	/* malloc enough memory for the maximum number of fields:
 	   32 * 1024 = 32K dBase5 (for Win) seems to allow that many */
-	tdbf = (dbfield_t *)malloc(sizeof(dbfield_t)*1024);
+	tdbf = (dbfield_t *)calloc(1, sizeof(dbfield_t)*1024);
 	
 	offset = 1;
 	nfields = 0;
@@ -157,7 +157,8 @@ int get_dbf_field(dbhead_t *dbh, dbfield_t *dbf)
 	}
 
 	if ((dbf->db_format = get_dbf_f_fmt(dbf)) == NULL) {
-		return 1;
+		/* something went wrong, most likely this fieldtype is not supported */
+		return -1;
 	}
 
 	return 0;
@@ -235,6 +236,8 @@ char *get_dbf_f_fmt(dbfield_t *dbf)
 	   case 'M':
 		strcpy(format, "%s");
 		break;
+	   default:
+		return NULL;
 	}
 	return (char *)strdup(format);
 }
@@ -256,7 +259,7 @@ dbhead_t *dbf_open(char *dp, int o_flags TSRMLS_DC)
 		}
 	}
 
-	if ((dbh = get_dbf_head(fd)) ==	 0) {
+	if ((dbh = get_dbf_head(fd)) ==	NULL) {
 		fprintf(stderr, "Unable to get header\n");
 		return NULL;
 	}