https://bugzilla.redhat.com/show_bug.cgi?id=688958 |
http://svn.php.net/viewvc?view=revision&revision=310194 |
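--- a/php-5.3.3/ext/standard/string.c.cve1148
+++ b/php-5.3.3/ext/standard/string.c
@@ -2352,20 +2352,35 @@ PHP_FUNCTION(substr_replace)
 
 zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
 while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
- convert_to_string_ex(tmp_str);
+ zval *orig_str;
+ zval dummy;
+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+ dummy = **tmp_str;
+ orig_str = &dummy;
+ zval_copy_ctor(orig_str);
+ convert_to_string(orig_str);
+ } else {
+ orig_str = *tmp_str;
+ }
 
 if (Z_TYPE_PP(from) == IS_ARRAY) {
 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
- convert_to_long_ex(tmp_from);
+ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
+ zval dummy = **tmp_from;
+ zval_copy_ctor(&dummy);
+ convert_to_long(&dummy);
+ f = Z_LVAL(dummy);
+ } else {
+ f = Z_LVAL_PP(tmp_from);
+ }
 
- f = Z_LVAL_PP(tmp_from);
 if (f < 0) {
- f = Z_STRLEN_PP(tmp_str) + f;
+ f = Z_STRLEN_P(orig_str) + f;
 if (f < 0) {
 f = 0;
 }
- } else if (f > Z_STRLEN_PP(tmp_str)) {
- f = Z_STRLEN_PP(tmp_str);
+ } else if (f > Z_STRLEN_P(orig_str)) {
+ f = Z_STRLEN_P(orig_str);
 }
 zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
 } else {
@@ -2374,72 +2389,94 @@ PHP_FUNCTION(substr_replace)
 } else {
 f = Z_LVAL_PP(from);
 if (f < 0) {
- f = Z_STRLEN_PP(tmp_str) + f;
+ f = Z_STRLEN_P(orig_str) + f;
 if (f < 0) {
 f = 0;
 }
- } else if (f > Z_STRLEN_PP(tmp_str)) {
- f = Z_STRLEN_PP(tmp_str);
+ } else if (f > Z_STRLEN_P(orig_str)) {
+ f = Z_STRLEN_P(orig_str);
 }
 }
 
 if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
- convert_to_long_ex(tmp_len);
+ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
+ zval dummy = **tmp_len;
+ zval_copy_ctor(&dummy);
+ convert_to_long(&dummy);
+ l = Z_LVAL(dummy);
+ } else {
+ l = Z_LVAL_PP(tmp_len);
+ }
 
 l = Z_LVAL_PP(tmp_len);
 zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
 } else {
- l = Z_STRLEN_PP(tmp_str);
+ l = Z_STRLEN_P(orig_str);
 }
 } else if (argc > 3) {
 l = Z_LVAL_PP(len);
 } else {
- l = Z_STRLEN_PP(tmp_str);
+ l = Z_STRLEN_P(orig_str);
 }
 
 if (l < 0) {
- l = (Z_STRLEN_PP(tmp_str) - f) + l;
+ l = (Z_STRLEN_P(orig_str) - f) + l;
 if (l < 0) {
 l = 0;
 }
 }
 
- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
- l = Z_STRLEN_PP(tmp_str) - f;
+ if ((f + l) > Z_STRLEN_P(orig_str)) {
+ l = Z_STRLEN_P(orig_str) - f;
 }
 
- result_len = Z_STRLEN_PP(tmp_str) - l;
+ result_len = Z_STRLEN_P(orig_str) - l;
 
 if (Z_TYPE_PP(repl) == IS_ARRAY) {
 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
- convert_to_string_ex(tmp_repl);
- result_len += Z_STRLEN_PP(tmp_repl);
+ zval *repl_str;
+ zval zrepl;
+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+ zrepl = **tmp_repl;
+ repl_str = &zrepl;
+ zval_copy_ctor(repl_str);
+ convert_to_string(repl_str);
+ } else {
+ repl_str = *tmp_repl;
+ }
+
+ result_len += Z_STRLEN_P(repl_str);
 zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
 result = emalloc(result_len + 1);
 
- memcpy(result, Z_STRVAL_PP(tmp_str), f);
- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+ memcpy(result, Z_STRVAL_P(orig_str), f);
+ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
+ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+ zval_dtor(repl_str);
+ }
 } else {
 result = emalloc(result_len + 1);
 
- memcpy(result, Z_STRVAL_PP(tmp_str), f);
- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+ memcpy(result, Z_STRVAL_P(orig_str), f);
+ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
 }
 } else {
 result_len += Z_STRLEN_PP(repl);
 
 result = emalloc(result_len + 1);
 
- memcpy(result, Z_STRVAL_PP(tmp_str), f);
+ memcpy(result, Z_STRVAL_P(orig_str), f);
 memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
 }
 
 result[result_len] = '\0';
 add_next_index_stringl(return_value, result, result_len, 0);
-
+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+ zval_dtor(orig_str);
+ }
 zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
 } /*while*/
 } /* if */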
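Review bot: In the second hunk's `len` array branch, the unchanged line `l = Z_LVAL_PP(tmp_len);` still follows the new `if(Z_TYPE_PP(tmp_len) != IS_LONG) { ... } else { ... }` block, so the value taken from the converted copy is immediately overwritten by a raw read of the long field of an element that may not be IS_LONG. The first hunk deletes the equivalent `f = Z_LVAL_PP(tmp_from);` line, so this one looks like an oversight and should be removed as well. As it stands, a non-integer length element yields whatever the zval's value union happens to hold, and only the later clamps against `Z_STRLEN_P(orig_str)` constrain it before `result_len` and the `memcpy` sizes are computed. The loop body and the declarations of `f` and `l` start outside the hunks, so their types cannot be confirmed from this patch.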