From 27ef344f2b70aee6778d39478e2e78f5edabe4e7 Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Wed, 12 May 2010 11:04:57 +0000 Subject: [PATCH] Fixed a possible memory corruption in pack(). Reported by Stefan Esser --- NEWS | 2 ++ ext/standard/pack.c | 12 ++++++++++++ 2 files changed, 14 insertions(+) diff --git a/NEWS b/NEWS index 8d59a25d9b..933880840a 100644 --- a/NEWS +++ b/NEWS @@ -26,6 +26,8 @@ PHP NEWS - Fixed a possible memory corruption because of unexpected call-time pass by refernce and following memory clobbering through callbacks. Reported by Stefan Esser (Dmitry) +- Fixed a possible memory corruption in pack(). Reported by Stefan Esser + (Dmitry) - Fixed a possible memory corruption in substr_replace(). Reported by Stefan Esser (Dmitry) - Fixed a possible memory corruption in addcslashes(). Reported by Stefan diff --git a/ext/standard/pack.c b/ext/standard/pack.c index 32714795b3..f00549aa17 100644 --- a/ext/standard/pack.c +++ b/ext/standard/pack.c @@ -121,6 +121,9 @@ PHP_FUNCTION(pack) return; } + if (Z_ISREF_PP(argv[0])) { + SEPARATE_ZVAL(argv[0]); + } convert_to_string_ex(argv[0]); format = Z_STRVAL_PP(argv[0]); @@ -179,6 +182,9 @@ PHP_FUNCTION(pack) } if (arg < 0) { + if (Z_ISREF_PP(argv[currentarg])) { + SEPARATE_ZVAL(argv[currentarg]); + } convert_to_string_ex(argv[currentarg]); arg = Z_STRLEN_PP(argv[currentarg]); } @@ -312,6 +318,9 @@ PHP_FUNCTION(pack) case 'A': memset(&output[outputpos], (code == 'a') ? '\0' : ' ', arg); val = argv[currentarg++]; + if (Z_ISREF_PP(val)) { + SEPARATE_ZVAL(val); + } convert_to_string_ex(val); memcpy(&output[outputpos], Z_STRVAL_PP(val), (Z_STRLEN_PP(val) < arg) ? Z_STRLEN_PP(val) : arg); @@ -325,6 +334,9 @@ PHP_FUNCTION(pack) char *v; val = argv[currentarg++]; + if (Z_ISREF_PP(val)) { + SEPARATE_ZVAL(val); + } convert_to_string_ex(val); v = Z_STRVAL_PP(val); outputpos--; -- 2.40.0
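Review bot: The guard added before `convert_to_string_ex(argv[0])` has no comment explaining why a by-reference argument must be detached first, and the same three lines are pasted again in the other three pack.c hunks (the `arg < 0` branch, the `'A'` case and the block declaring `char *v`). As I read the macros, `convert_to_string_ex` separates only non-references, so without the guard the conversion runs in place on the caller's variable; a comment such as `/* by-ref argument: convert a private copy, never the caller's variable */` would record that. A file-local helper, e.g. `#define PACK_SEPARATE_IF_REF(pp) do { if (Z_ISREF_PP(pp)) { SEPARATE_ZVAL(pp); } } while (0)` (the name is only a suggestion), would keep the four sites identical and make a missed site easier to spot. PHP_FUNCTION(pack) starts and ends outside all four hunks, so whether the numeric format codes handled elsewhere in it convert a referenced argument in place cannot be seen here and should be checked. The commit touches only NEWS and pack.c, so no regression test accompanies the fix.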