From ae31c3c66ad376473ca2aa9fb5a01af723106d0b Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky <iliaa@php.net>
Date: Sun, 1 Mar 2009 17:35:25 +0000
Subject: [PATCH] MFB: Fixed 2 memory corruptions in zip extension idenfied by
 oo_properties.phpt test

---
 NEWS              | 1 +
 ext/zip/php_zip.c | 9 ++++++---
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index d66b7d710b..eeb3fddd79 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2009, PHP 5.2.10
+- Fixed memory corruptions while reading properties of zip files. (Ilia)
 
 26 Feb 2009, PHP 5.2.9
 - Changed __call() to be invoked on private/protected method access, similar to
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 5dfa542754..632d0afe9a 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -806,6 +806,7 @@ static int php_zip_property_reader(ze_zip_object *obj, zip_prop_handler *hnd, zv
 			} else {
 				if (hnd->read_const_char_from_obj_func) {
 					retchar = hnd->read_const_char_from_obj_func(obj TSRMLS_CC);
+					len = strlen(retchar);
 				}
 			}
 		}
@@ -818,7 +819,7 @@ static int php_zip_property_reader(ze_zip_object *obj, zip_prop_handler *hnd, zv
 	switch (hnd->type) {
 		case IS_STRING:
 			if (retchar) {
-				ZVAL_STRING(*retval, (char *) retchar, 1);
+				ZVAL_STRINGL(*retval, (char *) retchar, len, 1);
 			} else {
 				ZVAL_EMPTY_STRING(*retval);
 			}
@@ -941,10 +942,11 @@ static int php_zip_has_property(zval *object, zval *member, int type TSRMLS_DC)
 
 	if (ret == SUCCESS) {
 		zval *tmp;
+		ALLOC_INIT_ZVAL(tmp);
 
 		if (type == 2) {
 			retval = 1;
-		} else if (php_zip_property_reader(obj, hnd, &tmp, 1 TSRMLS_CC) == SUCCESS) {
+		} else if (php_zip_property_reader(obj, hnd, &tmp, 0 TSRMLS_CC) == SUCCESS) {
 			Z_SET_REFCOUNT_P(tmp, 1);
 			Z_UNSET_ISREF_P(tmp);
 			if (type == 1) {
@@ -952,8 +954,9 @@ static int php_zip_has_property(zval *object, zval *member, int type TSRMLS_DC)
 			} else if (type == 0) {
 				retval = (Z_TYPE_P(tmp) != IS_NULL);
 			}
-			zval_ptr_dtor(&tmp);
 		}
+
+		zval_ptr_dtor(&tmp);
 	} else {
 		std_hnd = zend_get_std_object_handlers();
 		retval = std_hnd->has_property(object, member, type TSRMLS_CC);
-- 
2.50.1