mirror of
https://github.com/php/php-src.git
synced 2024-09-22 02:17:32 +00:00
Merge branch 'PHP-7.1'
* PHP-7.1: Add length check for bzcompress too - fix for bug #73356 More string length checks & fixes More string length checks & fixes
This commit is contained in:
commit
dab757f322
@ -3950,7 +3950,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
|
||||
#define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
|
||||
#define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
|
||||
|
||||
bufferHeader = (char *)emalloc(bufferLen + 1);
|
||||
bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
|
||||
memset(bufferHeader, 0, bufferLen);
|
||||
if (to && *to) {
|
||||
strlcat(bufferHeader, "To: ", bufferLen + 1);
|
||||
|
@ -53,7 +53,7 @@ void intl_convert_utf8_to_utf16(
|
||||
UErrorCode* status )
|
||||
{
|
||||
UChar* dst_buf = NULL;
|
||||
int32_t dst_len = 0;
|
||||
uint32_t dst_len = 0;
|
||||
|
||||
/* If *target is NULL determine required destination buffer size (pre-flighting).
|
||||
* Otherwise, attempt to convert source string; if *target buffer is not large enough
|
||||
|
@ -268,6 +268,9 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam
|
||||
int32_t buflen = 512;
|
||||
UErrorCode status = U_ZERO_ERROR;
|
||||
|
||||
if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
|
||||
/* Handle grandfathered languages */
|
||||
@ -713,6 +716,8 @@ PHP_FUNCTION( locale_get_keywords )
|
||||
RETURN_FALSE;
|
||||
}
|
||||
|
||||
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
|
||||
|
||||
if(loc_name_len == 0) {
|
||||
loc_name = intl_locale_get_default();
|
||||
}
|
||||
@ -1116,6 +1121,8 @@ PHP_FUNCTION(locale_parse)
|
||||
RETURN_FALSE;
|
||||
}
|
||||
|
||||
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
|
||||
|
||||
if(loc_name_len == 0) {
|
||||
loc_name = intl_locale_get_default();
|
||||
}
|
||||
|
@ -83,7 +83,7 @@ msgformat_data* msgformat_data_create( void )
|
||||
int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
|
||||
{
|
||||
if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
|
||||
UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
|
||||
UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
|
||||
uint32_t npattern_len;
|
||||
npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
|
||||
efree(*spattern);
|
||||
|
@ -325,7 +325,7 @@ PHPAPI zend_string *php_escape_shell_cmd(char *str)
|
||||
ZSTR_VAL(cmd)[y++] = str[x];
|
||||
break;
|
||||
#else
|
||||
/* % is Windows specific for environmental variables, ^%PATH% will
|
||||
/* % is Windows specific for environmental variables, ^%PATH% will
|
||||
output PATH while ^%PATH^% will not. escapeshellcmd->val will escape all % and !.
|
||||
*/
|
||||
case '%':
|
||||
|
@ -32,6 +32,9 @@ void buffer_new(struct buffer_st *b)
|
||||
|
||||
void buffer_add(struct buffer_st *b, char c)
|
||||
{
|
||||
if ((INT_MAX - b->length) <= 512) {
|
||||
return;
|
||||
}
|
||||
*(b->ptr++) = c;
|
||||
b->offset++;
|
||||
if (b->offset == b->length) {
|
||||
@ -80,7 +83,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
|
||||
for (n = 0; n < 3; n++) {
|
||||
c = *(source++);
|
||||
offset++;
|
||||
if (offset > length) {
|
||||
if (offset > length || offset <= 0) {
|
||||
hiteof = 1;
|
||||
break;
|
||||
}
|
||||
|
@ -81,6 +81,7 @@ static const char rcsid[] = "#(@) $Id$";
|
||||
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <limits.h>
|
||||
#include "simplestring.h"
|
||||
|
||||
#define my_free(thing) if(thing) {efree(thing); thing = 0;}
|
||||
@ -201,7 +202,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)
|
||||
simplestring_init_str(target);
|
||||
}
|
||||
|
||||
if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
|
||||
if((INT_MAX - add_len) < target->len || (INT_MAX - add_len - 1) < target->len) {
|
||||
/* check for overflows, if there's a potential overflow do nothing */
|
||||
return;
|
||||
}
|
||||
|
@ -1590,7 +1590,7 @@ static ZIPARCHIVE_METHOD(addEmptyDir)
|
||||
}
|
||||
|
||||
if (dirname[dirname_len-1] != '/') {
|
||||
s=(char *)emalloc(dirname_len+2);
|
||||
s=(char *)safe_emalloc(dirname_len, 1, 2);
|
||||
strcpy(s, dirname);
|
||||
s[dirname_len] = '/';
|
||||
s[dirname_len+1] = '\0';
|
||||
@ -1805,14 +1805,14 @@ static ZIPARCHIVE_METHOD(addFromString)
|
||||
|
||||
ze_obj = Z_ZIP_P(self);
|
||||
if (ze_obj->buffers_cnt) {
|
||||
ze_obj->buffers = (char **)erealloc(ze_obj->buffers, sizeof(char *) * (ze_obj->buffers_cnt+1));
|
||||
ze_obj->buffers = (char **)safe_erealloc(ze_obj->buffers, sizeof(char *), (ze_obj->buffers_cnt+1), 0);
|
||||
pos = ze_obj->buffers_cnt++;
|
||||
} else {
|
||||
ze_obj->buffers = (char **)emalloc(sizeof(char *));
|
||||
ze_obj->buffers_cnt++;
|
||||
pos = 0;
|
||||
}
|
||||
ze_obj->buffers[pos] = (char *)emalloc(ZSTR_LEN(buffer) + 1);
|
||||
ze_obj->buffers[pos] = (char *)safe_emalloc(ZSTR_LEN(buffer), 1, 1);
|
||||
memcpy(ze_obj->buffers[pos], ZSTR_VAL(buffer), ZSTR_LEN(buffer) + 1);
|
||||
|
||||
zs = zip_source_buffer(intern, ze_obj->buffers[pos], ZSTR_LEN(buffer), 0);
|
||||
|
Loading…
Reference in New Issue
Block a user