Skip to content

Instantly share code, notes, and snippets.

/73190.diff Secret

Created Oct 3, 2016
Embed
What would you like to do?
Patch for 73190
commit 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Oct 3 00:09:02 2016 -0700
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index fda4d21..e656575 100644
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -229,13 +229,9 @@ ZEND_METHOD(exception, __construct)
/* {{{ proto Exception::__wakeup()
Exception unserialize checks */
#define CHECK_EXC_TYPE(name, type) \
- value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \
+ value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \
if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \
- zval *tmp; \
- MAKE_STD_ZVAL(tmp); \
- ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \
- Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \
- zval_ptr_dtor(&tmp); \
+ zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \
}
ZEND_METHOD(exception, __wakeup)
@@ -248,7 +244,12 @@ ZEND_METHOD(exception, __wakeup)
CHECK_EXC_TYPE("file", IS_STRING);
CHECK_EXC_TYPE("line", IS_LONG);
CHECK_EXC_TYPE("trace", IS_ARRAY);
- CHECK_EXC_TYPE("previous", IS_OBJECT);
+ value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+ if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT ||
+ !instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) ||
+ value == object)) {
+ zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC);
+ }
}
/* }}} */
@@ -727,7 +728,11 @@ ZEND_METHOD(exception, __toString)
zval_dtor(&file);
zval_dtor(&line);
- exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC);
+ Z_OBJPROP_P(exception)->nApplyCount++;
+ exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+ if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) {
+ exception = NULL;
+ }
if (trace) {
zval_ptr_dtor(&trace);
@@ -736,6 +741,17 @@ ZEND_METHOD(exception, __toString)
}
zval_dtor(&fname);
+ /* Reset apply counts */
+ exception = getThis();
+ while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) {
+ if(Z_OBJPROP_P(exception)->nApplyCount) {
+ Z_OBJPROP_P(exception)->nApplyCount--;
+ } else {
+ break;
+ }
+ exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+ }
+
/* We store the result in the private property string so we can access
* the result in uncaught exception handlers without memleaks. */
zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC);
diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c
index 986ad1d..c51133b 100644
--- a/ext/bcmath/libbcmath/src/init.c
+++ b/ext/bcmath/libbcmath/src/init.c
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
int length, scale, persistent;
{
bc_num temp;
-
+ /* PHP Change: add length check */
+ if ((size_t)length+(size_t)scale > INT_MAX) {
+ zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+ }
/* PHP Change: malloc() -> pemalloc(), removed free_list code */
temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
#if 0
diff --git a/ext/bcmath/libbcmath/src/outofmem.c b/ext/bcmath/libbcmath/src/outofmem.c
index 799a32d..05fa484 100644
--- a/ext/bcmath/libbcmath/src/outofmem.c
+++ b/ext/bcmath/libbcmath/src/outofmem.c
@@ -41,6 +41,5 @@
void bc_out_of_memory (void)
{
- (void) fprintf (stderr, "bcmath: out of memory!\n");
- exit (1);
+ zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
}
diff --git a/main/php_version.h b/main/php_version.h
index 1868cf0..8fa4040 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
/* edit configure.in to change version number */
#define PHP_MAJOR_VERSION 5
#define PHP_MINOR_VERSION 6
-#define PHP_RELEASE_VERSION 27
+#define PHP_RELEASE_VERSION 26
#define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.6.27-dev"
-#define PHP_VERSION_ID 50627
+#define PHP_VERSION "5.6.26-dev"
+#define PHP_VERSION_ID 50626
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment