From 7e2fcf986ee00e22e939d080a068795b25ce5db8 Mon Sep 17 00:00:00 2001
From: Sascha Schumann
Date: Thu, 3 Apr 2003 18:19:15 +0000
Subject: [PATCH] Add some checks and avoid passing invalid data to call_user_function_ex. Fixes some heap corruption and allocation of negative amounts of memory.
---
 main/output.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/main/output.c b/main/output.c
index adfbc11d11..c11e326bf2 100644
--- a/main/output.c
+++ b/main/output.c
@@ -150,7 +150,7 @@ PHPAPI int php_start_ob_buffer(zval *output_handler, uint chunk_size, zend_bool
 php_error_docref("ref.outcontrol" TSRMLS_CC, E_ERROR, "Cannot use output buffering in output buffering display handlers");
 return FAILURE;
 }
- if (chunk_size) {
+ if (chunk_size > 0) {
 if (chunk_size==1) {
 chunk_size = 4096;
 }
@@ -498,10 +498,7 @@ static int php_ob_init(uint initial_size, uint block_size, zval *output_handler,
 php_error_docref(NULL TSRMLS_CC, E_ERROR, "No method name given: use ob_start(array($object,'method')) to specify instance $object and the name of a method of class %s to use as output handler", Z_OBJCE_P(output_handler)->name);
 result = FAILURE;
 } else {
- if (output_handler) {
- SEPARATE_ZVAL(&output_handler);
- }
- result = php_ob_init_named(initial_size, block_size, OB_DEFAULT_HANDLER_NAME, output_handler, chunk_size, erase TSRMLS_CC);
+ result = php_ob_init_named(initial_size, block_size, OB_DEFAULT_HANDLER_NAME, NULL, chunk_size, erase TSRMLS_CC);
 }
 return result;
 }
@@ -719,6 +716,9 @@ PHP_FUNCTION(ob_start)
 RETURN_FALSE;
 }
 
+ if (chunk_size < 0)
+ chunk_size = 0;
+
 if (php_start_ob_buffer(output_handler, chunk_size, erase TSRMLS_CC)==FAILURE) {
 RETURN_FALSE;
 }
-- 
2.50.1
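Review bot: The new test `if (chunk_size > 0)` in php_start_ob_buffer behaves exactly like the old `if (chunk_size)`, because the parameter is declared `uint chunk_size` in the signature shown in the hunk header. A negative value supplied by a caller has already wrapped to a large positive one before this line runs, so the comparison cannot reject it. The only effective guard in this commit is the clamp added in ob_start, which leaves any other caller of this PHPAPI function responsible for its own range check. I would either enforce an explicit upper bound here or state the contract, e.g. `/* chunk_size is unsigned: callers must reject negative or oversized values before the call */`. The function body continues outside the hunk.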
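Review bot: Passing a literal `NULL` in the final `else` of php_ob_init drops whatever handler reaches this branch without any diagnostic, and the code does not say why. The earlier branches start outside the hunk, so I am assuming this branch is reached both for a NULL handler and for a handler of an unsupported type. In the second case the script would silently get the default handler instead of an error. I would add a comment such as `/* no usable callback in this branch: do not forward output_handler */` and consider raising a warning when `output_handler` is non-NULL, so a bad ob_start() argument is visible to the caller.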
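Review bot: The clamp added in ob_start rejects only negative values; the result is then narrowed to the `uint chunk_size` parameter of php_start_ob_buffer (signature in the first hunk header). The declaration of `chunk_size` is outside the hunk, but if it is a `long`, a value above `UINT_MAX` would still wrap to an unrelated size at the call on LP64 platforms. I would check both ends before the call, for example `if (chunk_size < 0 || chunk_size > UINT_MAX) {` followed by the clamp or a `RETURN_FALSE;`. The body should also be braced, as the surrounding `if` statements in this function are.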