php/sme8/php-5.3.3-CVE-2011-1148.patch


https://bugzilla.redhat.com/show_bug.cgi?id=688958

http://svn.php.net/viewvc?view=revision&revision=310194

--- php-5.3.3/ext/standard/string.c.cve1148
+++ php-5.3.3/ext/standard/string.c
@@ -2352,20 +2352,35 @@ PHP_FUNCTION(substr_replace)
 
                zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
                while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
-                       convert_to_string_ex(tmp_str);
+                       zval *orig_str;
+                       zval dummy;
+                       if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+                               dummy = **tmp_str;
+                               orig_str = &dummy;
+                               zval_copy_ctor(orig_str);
+                               convert_to_string(orig_str);
+                       } else {
+                               orig_str = *tmp_str;
+                       }
 
                        if (Z_TYPE_PP(from) == IS_ARRAY) {
                                if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
-                                       convert_to_long_ex(tmp_from);
+                                       if(Z_TYPE_PP(tmp_from) != IS_LONG) {
+                                               zval dummy = **tmp_from;
+                                               zval_copy_ctor(&dummy);
+                                               convert_to_long(&dummy);
+                                               f = Z_LVAL(dummy);
+                                       } else {
+                                               f = Z_LVAL_PP(tmp_from);
+                                       }
 
-                                       f = Z_LVAL_PP(tmp_from);
                                        if (f < 0) {
-                                               f = Z_STRLEN_PP(tmp_str) + f;
+                                               f = Z_STRLEN_P(orig_str) + f;
                                                if (f < 0) {
                                                        f = 0;
                                                }
-                                       } else if (f > Z_STRLEN_PP(tmp_str)) {
-                                               f = Z_STRLEN_PP(tmp_str);
+                                       } else if (f > Z_STRLEN_P(orig_str)) {
+                                               f = Z_STRLEN_P(orig_str);
                                        }
                                        zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
                                } else {
@@ -2374,72 +2389,94 @@ PHP_FUNCTION(substr_replace)
                        } else {
                                f = Z_LVAL_PP(from);
                                if (f < 0) {
-                                       f = Z_STRLEN_PP(tmp_str) + f;
+                                       f = Z_STRLEN_P(orig_str) + f;
                                        if (f < 0) {
                                                f = 0;
                                        }
-                               } else if (f > Z_STRLEN_PP(tmp_str)) {
-                                       f = Z_STRLEN_PP(tmp_str);
+                               } else if (f > Z_STRLEN_P(orig_str)) {
+                                       f = Z_STRLEN_P(orig_str);
                                }
                        }
 
                        if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
                                if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
-                                       convert_to_long_ex(tmp_len);
+                                       if(Z_TYPE_PP(tmp_len) != IS_LONG) {
+                                               zval dummy = **tmp_len;
+                                               zval_copy_ctor(&dummy);
+                                               convert_to_long(&dummy);
+                                               l = Z_LVAL(dummy);
+                                       } else {
+                                               l = Z_LVAL_PP(tmp_len);
+                                       }
 
                                        l = Z_LVAL_PP(tmp_len);
                                        zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
                                } else {
-                                       l = Z_STRLEN_PP(tmp_str);
+                                       l = Z_STRLEN_P(orig_str);
                                }
                        } else if (argc > 3) { 
                                l = Z_LVAL_PP(len);
                        } else {
-                               l = Z_STRLEN_PP(tmp_str);
+                               l = Z_STRLEN_P(orig_str);
                        }
 
                        if (l < 0) {
-                               l = (Z_STRLEN_PP(tmp_str) - f) + l;
+                               l = (Z_STRLEN_P(orig_str) - f) + l;
                                if (l < 0) {
                                        l = 0;
                                }
                        }
 
-                       if ((f + l) > Z_STRLEN_PP(tmp_str)) {
-                               l = Z_STRLEN_PP(tmp_str) - f;
+                       if ((f + l) > Z_STRLEN_P(orig_str)) {
+                               l = Z_STRLEN_P(orig_str) - f;
                        }
 
-                       result_len = Z_STRLEN_PP(tmp_str) - l;
+                       result_len = Z_STRLEN_P(orig_str) - l;
 
                        if (Z_TYPE_PP(repl) == IS_ARRAY) {
                                if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
-                                       convert_to_string_ex(tmp_repl);
-                                       result_len += Z_STRLEN_PP(tmp_repl);
+                                       zval *repl_str;
+                                       zval zrepl;
+                                       if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+                                               zrepl = **tmp_repl;
+                                               repl_str = &zrepl;
+                                               zval_copy_ctor(repl_str);
+                                               convert_to_string(repl_str);
+                                       } else {
+                                               repl_str = *tmp_repl;
+                                       }
+
+                                       result_len += Z_STRLEN_P(repl_str);
                                        zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);        
                                        result = emalloc(result_len + 1);
 
-                                       memcpy(result, Z_STRVAL_PP(tmp_str), f);
-                                       memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
-                                       memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+                                       memcpy(result, Z_STRVAL_P(orig_str), f);
+                                       memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
+                                       memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+                                       if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+                                               zval_dtor(repl_str);
+                                       }
                                } else {
                                        result = emalloc(result_len + 1);
        
-                                       memcpy(result, Z_STRVAL_PP(tmp_str), f);
-                                       memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+                                       memcpy(result, Z_STRVAL_P(orig_str), f);
+                                       memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
                                }
                        } else {
                                result_len += Z_STRLEN_PP(repl);
 
                                result = emalloc(result_len + 1);
 
-                               memcpy(result, Z_STRVAL_PP(tmp_str), f);
+                               memcpy(result, Z_STRVAL_P(orig_str), f);
                                memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
-                               memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+                               memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
                        }
 
                        result[result_len] = '\0';
                        add_next_index_stringl(return_value, result, result_len, 0);
-
+                       if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+                               zval_dtor(orig_str);
+                       }
                        zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
                } /*while*/
        } /* if */
1	slords	1.1.2.1
2			https://bugzilla.redhat.com/show_bug.cgi?id=688958
3
4			http://svn.php.net/viewvc?view=revision&revision=310194
5
6			--- php-5.3.3/ext/standard/string.c.cve1148
7			+++ php-5.3.3/ext/standard/string.c
8			@@ -2352,20 +2352,35 @@ PHP_FUNCTION(substr_replace)
9
10			zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
11			while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
12			- convert_to_string_ex(tmp_str);
13			+ zval *orig_str;
14			+ zval dummy;
15			+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
16			+ dummy = **tmp_str;
17			+ orig_str = &dummy;
18			+ zval_copy_ctor(orig_str);
19			+ convert_to_string(orig_str);
20			+ } else {
21			+ orig_str = *tmp_str;
22			+ }
23
24			if (Z_TYPE_PP(from) == IS_ARRAY) {
25			if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
26			- convert_to_long_ex(tmp_from);
27			+ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
28			+ zval dummy = **tmp_from;
29			+ zval_copy_ctor(&dummy);
30			+ convert_to_long(&dummy);
31			+ f = Z_LVAL(dummy);
32			+ } else {
33			+ f = Z_LVAL_PP(tmp_from);
34			+ }
35
36			- f = Z_LVAL_PP(tmp_from);
37			if (f < 0) {
38			- f = Z_STRLEN_PP(tmp_str) + f;
39			+ f = Z_STRLEN_P(orig_str) + f;
40			if (f < 0) {
41			f = 0;
42			}
43			- } else if (f > Z_STRLEN_PP(tmp_str)) {
44			- f = Z_STRLEN_PP(tmp_str);
45			+ } else if (f > Z_STRLEN_P(orig_str)) {
46			+ f = Z_STRLEN_P(orig_str);
47			}
48			zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
49			} else {
50			@@ -2374,72 +2389,94 @@ PHP_FUNCTION(substr_replace)
51			} else {
52			f = Z_LVAL_PP(from);
53			if (f < 0) {
54			- f = Z_STRLEN_PP(tmp_str) + f;
55			+ f = Z_STRLEN_P(orig_str) + f;
56			if (f < 0) {
57			f = 0;
58			}
59			- } else if (f > Z_STRLEN_PP(tmp_str)) {
60			- f = Z_STRLEN_PP(tmp_str);
61			+ } else if (f > Z_STRLEN_P(orig_str)) {
62			+ f = Z_STRLEN_P(orig_str);
63			}
64			}
65
66			if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
67			if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
68			- convert_to_long_ex(tmp_len);
69			+ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
70			+ zval dummy = **tmp_len;
71			+ zval_copy_ctor(&dummy);
72			+ convert_to_long(&dummy);
73			+ l = Z_LVAL(dummy);
74			+ } else {
75			+ l = Z_LVAL_PP(tmp_len);
76			+ }
77
78			l = Z_LVAL_PP(tmp_len);
79			zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
80			} else {
81			- l = Z_STRLEN_PP(tmp_str);
82			+ l = Z_STRLEN_P(orig_str);
83			}
84			} else if (argc > 3) {
85			l = Z_LVAL_PP(len);
86			} else {
87			- l = Z_STRLEN_PP(tmp_str);
88			+ l = Z_STRLEN_P(orig_str);
89			}
90
91			if (l < 0) {
92			- l = (Z_STRLEN_PP(tmp_str) - f) + l;
93			+ l = (Z_STRLEN_P(orig_str) - f) + l;
94			if (l < 0) {
95			l = 0;
96			}
97			}
98
99			- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
100			- l = Z_STRLEN_PP(tmp_str) - f;
101			+ if ((f + l) > Z_STRLEN_P(orig_str)) {
102			+ l = Z_STRLEN_P(orig_str) - f;
103			}
104
105			- result_len = Z_STRLEN_PP(tmp_str) - l;
106			+ result_len = Z_STRLEN_P(orig_str) - l;
107
108			if (Z_TYPE_PP(repl) == IS_ARRAY) {
109			if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
110			- convert_to_string_ex(tmp_repl);
111			- result_len += Z_STRLEN_PP(tmp_repl);
112			+ zval *repl_str;
113			+ zval zrepl;
114			+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
115			+ zrepl = **tmp_repl;
116			+ repl_str = &zrepl;
117			+ zval_copy_ctor(repl_str);
118			+ convert_to_string(repl_str);
119			+ } else {
120			+ repl_str = *tmp_repl;
121			+ }
122			+
123			+ result_len += Z_STRLEN_P(repl_str);
124			zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
125			result = emalloc(result_len + 1);
126
127			- memcpy(result, Z_STRVAL_PP(tmp_str), f);
128			- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
129			- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
130			+ memcpy(result, Z_STRVAL_P(orig_str), f);
131			+ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
132			+ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
133			+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
134			+ zval_dtor(repl_str);
135			+ }
136			} else {
137			result = emalloc(result_len + 1);
138
139			- memcpy(result, Z_STRVAL_PP(tmp_str), f);
140			- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
141			+ memcpy(result, Z_STRVAL_P(orig_str), f);
142			+ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
143			}
144			} else {
145			result_len += Z_STRLEN_PP(repl);
146
147			result = emalloc(result_len + 1);
148
149			- memcpy(result, Z_STRVAL_PP(tmp_str), f);
150			+ memcpy(result, Z_STRVAL_P(orig_str), f);
151			memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
152			- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
153			+ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
154			}
155
156			result[result_len] = '\0';
157			add_next_index_stringl(return_value, result, result_len, 0);
158			-
159			+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
160			+ zval_dtor(orig_str);
161			+ }
162			zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
163			} /while/
164			} /* if */