From: Ilia Alshanetsky
Date: Wed, 30 Jun 2004 01:12:09 +0000 (+0000)
Subject: MFH: Do not use alloca() where it can be abused through user input.
X-Git-Tag: php-4.3.9RC1~67
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=d5edc8497b3a5038e653399265a12b7f101f9180;p=php

MFH: Do not use alloca() where it can be abused through user input.
---

diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
index 070c9f2bae..959383c2fa 100755
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@@ -386,7 +386,7 @@ PHP_FUNCTION(pcntl_exec)
 args_hash = HASH_OF(args);
 argc = zend_hash_num_elements(args_hash);
- argv = alloca((argc+2) * sizeof(char *));
+ argv = safe_emalloc((argc + 2), sizeof(char *), 0);
 *argv = path;
 for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1;
 (argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
@@ -397,7 +397,7 @@ PHP_FUNCTION(pcntl_exec)
 }
 *(current_arg) = NULL;
 } else {
- argv = alloca(2 * sizeof(char *));
+ argv = emalloc(2 * sizeof(char *));
 *argv = path;
 *(argv+1) = NULL;
 }
@@ -407,13 +407,13 @@ PHP_FUNCTION(pcntl_exec)
 envs_hash = HASH_OF(envs);
 envc = zend_hash_num_elements(envs_hash);
- envp = alloca((envc+1) * sizeof(char *));
+ envp = safe_emalloc((envc + 1), sizeof(char *), 0);
 for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp;
 (envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS));
 (envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
 switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) {
 case HASH_KEY_IS_LONG:
- key = alloca(101);
+ key = emalloc(101);
 snprintf(key, 100, "%ld", key_num);
 key_length = strlen(key);
 break;
@@ -432,7 +432,7 @@ PHP_FUNCTION(pcntl_exec)
 strlcat(*pair, Z_STRVAL_PP(element), pair_length);
 /* Cleanup */
- if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+ if (return_val == HASH_KEY_IS_LONG) efree(key);
 }
 *(pair) = NULL;
 }
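Review bot: In the `@@ -407,13` hunk, `key = emalloc(101)` now costs a heap allocation, plus the matching `efree(key)` in the `@@ -432,7` hunk, for every integer key in the environment array, although the size is a constant that never depends on input. A fixed local buffer removes both the per-iteration allocation and the need to consult `return_val` for cleanup: declare `char num_key[32];` with the other locals, use `snprintf(num_key, sizeof(num_key), "%ld", key_num); key = num_key;`, and drop the conditional `efree(key)`. The existing `snprintf(key, 100, ...)` bound also differs from the 101 bytes allocated; that is harmless, but tying the bound to `sizeof` keeps the two from drifting. The function body starts and ends outside these hunks, so whether `key` is read after the loop cannot be confirmed from here.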
@@ -445,10 +445,10 @@ PHP_FUNCTION(pcntl_exec)
 /* Cleanup */
 if (envp != NULL) {
 for (pair = envp; *pair != NULL; pair++) efree(*pair);
- free_alloca(envp);
+ efree(envp);
 }
- free_alloca(argv);
+ efree(argv);
 RETURN_FALSE;
 }
diff --git a/ext/session/mod_mm.c b/ext/session/mod_mm.c
index df18659278..2045451b8c 100644
--- a/ext/session/mod_mm.c
+++ b/ext/session/mod_mm.c
@@ -264,7 +264,7 @@ PHP_MINIT_FUNCTION(ps_mm)
 return FAILURE;
 /* Directory + '/' + File + Module Name + Effective UID + \0 */
- ps_mm_path = do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
+ ps_mm_path = emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
 memcpy(ps_mm_path, PS(save_path), save_path_len + 1);
 if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) {
@@ -277,7 +277,7 @@ PHP_MINIT_FUNCTION(ps_mm)
 ret = ps_mm_initialize(ps_mm_instance, ps_mm_path);
- free_alloca(ps_mm_path);
+ efree(ps_mm_path);
 if (ret != SUCCESS) {
 free(ps_mm_instance);
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index b68b02dd8d..3a16dc95d0 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -1069,7 +1069,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 case ST_DATETIME: {
 char *tmp;
- tmp = do_alloca(len + 1);
+ tmp = emalloc(len + 1);
 memcpy(tmp, s, len);
 tmp[len] = '\0';
@@ -1080,7 +1080,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 Z_STRLEN_P(ent->data) = len;
 Z_STRVAL_P(ent->data) = estrndup(s, len);
 }
- free_alloca(tmp);
+ efree(tmp);
 }
 default: break;
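Review bot: `efree(envp)` and `efree(argv)` in the `@@ -445,10` cleanup are real frees, whereas `free_alloca()` is typically a no-op, so both pointers must now be valid heap pointers on every path that reaches this block. The `if (envp != NULL)` guard only protects the no-environment case if `envp` is initialised at its declaration, which lies outside the hunk; that is worth confirming, e.g. `char **envp = NULL;`. Any return between the allocations and this block would now leak `argv`, `envp` and the per-pair strings, and the hunk cannot show whether such a path exists. A short comment above the block, such as `/* reached only when exec failed; argv and envp are heap-allocated and owned here */`, would record the ownership rule.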
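Review bot: `tmp = emalloc(len + 1)` in the `@@ -1069,7` hunk of ext/wddx/wddx.c takes its size from the signed `int len` callback argument with no range check, while the pcntl hunks in this commit route their computed sizes through `safe_emalloc()`. The XML parser is presumably never going to pass a negative or INT_MAX length, but the data is document-controlled and the following `memcpy(tmp, s, len)` trusts the same value, so the consistent form is cheap: `tmp = safe_emalloc(len, 1, 1);`. The mod_mm hunk (`@@ -264,7`) likewise sums several lengths by hand before `emalloc()`; there the inputs look like configuration rather than request data, so a comment stating that would be enough. The enclosing `case ST_DATETIME` block continues outside the hunk.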