
Contents of /rpms/php/sme8/php-5.3.3-CVE-2011-1148.patch



Revision 1.1.2.1 - (show annotations) (download)
Thu Nov 3 22:49:53 2011 UTC (13 years ago) by slords
Branch: redhat-upstream
CVS Tags: php-5_3_3-1_el5_7_3, php-5_3_3-13_el5_9_1, php-5_3_3-1_el5_7_6, php-5_3_3-13_el6
Changes since 1.1: +164 -0 lines
Upstream renamed

1
2 https://bugzilla.redhat.com/show_bug.cgi?id=688958
3
4 http://svn.php.net/viewvc?view=revision&revision=310194
5
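--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2352,20 +2352,35 @@ PHP_FUNCTION(substr_replace)
 
  zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
  while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
- convert_to_string_ex(tmp_str);
+ zval *orig_str;
+ zval dummy;
+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+ dummy = **tmp_str;
+ orig_str = &dummy;
+ zval_copy_ctor(orig_str);
+ convert_to_string(orig_str);
+ } else {
+ orig_str = *tmp_str;
+ }
 
  if (Z_TYPE_PP(from) == IS_ARRAY) {
  if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
- convert_to_long_ex(tmp_from);
+ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
+ zval dummy = **tmp_from;
+ zval_copy_ctor(&dummy);
+ convert_to_long(&dummy);
+ f = Z_LVAL(dummy);
+ } else {
+ f = Z_LVAL_PP(tmp_from);
+ }
 
- f = Z_LVAL_PP(tmp_from);
  if (f < 0) {
- f = Z_STRLEN_PP(tmp_str) + f;
+ f = Z_STRLEN_P(orig_str) + f;
  if (f < 0) {
  f = 0;
  }
- } else if (f > Z_STRLEN_PP(tmp_str)) {
- f = Z_STRLEN_PP(tmp_str);
+ } else if (f > Z_STRLEN_P(orig_str)) {
+ f = Z_STRLEN_P(orig_str);
  }
  zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
  } else {
@@ -2374,72 +2389,94 @@ PHP_FUNCTION(substr_replace)
  } else {
  f = Z_LVAL_PP(from);
  if (f < 0) {
- f = Z_STRLEN_PP(tmp_str) + f;
+ f = Z_STRLEN_P(orig_str) + f;
  if (f < 0) {
  f = 0;
  }
- } else if (f > Z_STRLEN_PP(tmp_str)) {
- f = Z_STRLEN_PP(tmp_str);
+ } else if (f > Z_STRLEN_P(orig_str)) {
+ f = Z_STRLEN_P(orig_str);
  }
  }
 
  if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
  if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
- convert_to_long_ex(tmp_len);
+ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
+ zval dummy = **tmp_len;
+ zval_copy_ctor(&dummy);
+ convert_to_long(&dummy);
+ l = Z_LVAL(dummy);
+ } else {
+ l = Z_LVAL_PP(tmp_len);
+ }
 
  l = Z_LVAL_PP(tmp_len);
  zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
  } else {
- l = Z_STRLEN_PP(tmp_str);
+ l = Z_STRLEN_P(orig_str);
  }
  } else if (argc > 3) {
  l = Z_LVAL_PP(len);
  } else {
- l = Z_STRLEN_PP(tmp_str);
+ l = Z_STRLEN_P(orig_str);
  }
 
  if (l < 0) {
- l = (Z_STRLEN_PP(tmp_str) - f) + l;
+ l = (Z_STRLEN_P(orig_str) - f) + l;
  if (l < 0) {
  l = 0;
  }
  }
 
- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
- l = Z_STRLEN_PP(tmp_str) - f;
+ if ((f + l) > Z_STRLEN_P(orig_str)) {
+ l = Z_STRLEN_P(orig_str) - f;
  }
 
- result_len = Z_STRLEN_PP(tmp_str) - l;
+ result_len = Z_STRLEN_P(orig_str) - l;
 
  if (Z_TYPE_PP(repl) == IS_ARRAY) {
  if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
- convert_to_string_ex(tmp_repl);
- result_len += Z_STRLEN_PP(tmp_repl);
+ zval *repl_str;
+ zval zrepl;
+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+ zrepl = **tmp_repl;
+ repl_str = &zrepl;
+ zval_copy_ctor(repl_str);
+ convert_to_string(repl_str);
+ } else {
+ repl_str = *tmp_repl;
+ }
+
+ result_len += Z_STRLEN_P(repl_str);
  zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
  result = emalloc(result_len + 1);
 
- memcpy(result, Z_STRVAL_PP(tmp_str), f);
- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+ memcpy(result, Z_STRVAL_P(orig_str), f);
+ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
+ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+ zval_dtor(repl_str);
+ }
  } else {
  result = emalloc(result_len + 1);
 
- memcpy(result, Z_STRVAL_PP(tmp_str), f);
- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+ memcpy(result, Z_STRVAL_P(orig_str), f);
+ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
  }
  } else {
  result_len += Z_STRLEN_PP(repl);
 
  result = emalloc(result_len + 1);
 
- memcpy(result, Z_STRVAL_PP(tmp_str), f);
+ memcpy(result, Z_STRVAL_P(orig_str), f);
  memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
  }
 
  result[result_len] = '\0';
  add_next_index_stringl(return_value, result, result_len, 0);
-
+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+ zval_dtor(orig_str);
+ }
  zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
  } /*while*/
  } /* if */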
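Review bot: In the `len`-array branch of the second hunk, the unchanged context line `l = Z_LVAL_PP(tmp_len);` still follows the new `if`/`else`, so the value taken from the converted copy (`l = Z_LVAL(dummy);`) is immediately overwritten with the long field of the original, unconverted element. For an element that is not `IS_LONG`, that reads a zval member that does not hold an integer, so the length reaching the later clamps against `Z_STRLEN_P(orig_str)` and the `memcpy` calls is arbitrary. The first hunk removes the corresponding `f = Z_LVAL_PP(tmp_from);` line in the `from` branch, and this line should be removed the same way. As a smaller style point, the inner `zval dummy` declarations in the `from` and `len` branches shadow the outer `dummy` that `orig_str` may point to; distinct names such as `from_copy` and `len_copy` would make it obvious the string copy is untouched. `PHP_FUNCTION(substr_replace)` starts and ends outside the hunks.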
