https://bugzilla.redhat.com/show_bug.cgi?id=690905 http://svn.php.net/viewvc/?view=revision&revision=308734 --- php-5.3.3/ext/standard/ftp_fopen_wrapper.c.cve1469 +++ php-5.3.3/ext/standard/ftp_fopen_wrapper.c @@ -72,6 +72,12 @@ #define FTPS_ENCRYPT_DATA 1 #define GET_FTP_RESULT(stream) get_ftp_result((stream), tmp_line, sizeof(tmp_line) TSRMLS_CC) +typedef struct _php_ftp_dirstream_data { + php_stream *datastream; + php_stream *controlstream; + php_stream *dirstream; +} php_ftp_dirstream_data; + /* {{{ get_ftp_result */ static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC) @@ -97,12 +103,12 @@ static int php_stream_ftp_stream_stat(ph */ static int php_stream_ftp_stream_close(php_stream_wrapper *wrapper, php_stream *stream TSRMLS_DC) { - php_stream *controlstream = (php_stream *)stream->wrapperdata; + php_stream *controlstream = stream->wrapperthis; if (controlstream) { php_stream_write_string(controlstream, "QUIT\r\n"); php_stream_close(controlstream); - stream->wrapperdata = NULL; + stream->wrapperthis = NULL; } return 0; } @@ -187,7 +193,7 @@ static php_stream *php_ftp_fopen_connect || php_stream_xport_crypto_enable(stream, 1 TSRMLS_CC) < 0) { php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Unable to activate SSL mode"); php_stream_close(stream); - stream = NULL; + stream->wrapperthis = NULL; goto connect_errexit; } @@ -564,7 +570,7 @@ php_stream * php_stream_url_wrap_ftp(php } /* remember control stream */ - datastream->wrapperdata = (zval *)stream; + datastream->wrapperthis = stream; php_url_free(resource); return datastream; @@ -588,11 +594,13 @@ errexit: static size_t php_ftp_dirstream_read(php_stream *stream, char *buf, size_t count TSRMLS_DC) { php_stream_dirent *ent = (php_stream_dirent *)buf; - php_stream *innerstream = (php_stream *)stream->abstract; + php_stream *innerstream; size_t tmp_len; char *basename; size_t basename_len; + innerstream = ((php_ftp_dirstream_data *)stream->abstract)->datastream; + if (count != sizeof(php_stream_dirent)) { return 0; } @@ -636,13 +644,18 @@ static size_t php_ftp_dirstream_read(php */ static int php_ftp_dirstream_close(php_stream *stream, int close_handle TSRMLS_DC) { - php_stream *innerstream = (php_stream *)stream->abstract; + php_ftp_dirstream_data *data = stream->abstract; - if (innerstream->wrapperdata) { - php_stream_close((php_stream *)innerstream->wrapperdata); - innerstream->wrapperdata = NULL; - } - php_stream_close((php_stream *)stream->abstract); + /* close control connection */ + if (data->controlstream) { + php_stream_close(data->controlstream); + data->controlstream = NULL; + } + /* close data connection */ + php_stream_close(data->datastream); + data->datastream = NULL; + + efree(data); stream->abstract = NULL; return 0; @@ -668,6 +681,7 @@ static php_stream_ops php_ftp_dirstream_ php_stream * php_stream_ftp_opendir(php_stream_wrapper *wrapper, char *path, char *mode, int options, char **opened_path, php_stream_context *context STREAMS_DC TSRMLS_DC) { php_stream *stream, *reuseid, *datastream = NULL; + php_ftp_dirstream_data *dirsdata; php_url *resource = NULL; int result = 0, use_ssl, use_ssl_on_data = 0; char *hoststart = NULL, tmp_line[512]; @@ -727,11 +741,14 @@ php_stream * php_stream_ftp_opendir(php_ goto opendir_errexit; } - /* remember control stream */ - datastream->wrapperdata = (zval *)stream; - php_url_free(resource); - return php_stream_alloc(&php_ftp_dirstream_ops, datastream, 0, mode); + + dirsdata = emalloc(sizeof *dirsdata); + dirsdata->datastream = datastream; + dirsdata->controlstream = stream; + dirsdata->dirstream = php_stream_alloc(&php_ftp_dirstream_ops, dirsdata, 0, mode); + + return dirsdata->dirstream; opendir_errexit: if (resource) {