-
-
Save anonymous/8d81ffd7128a2b805b6007ce415cd496 to your computer and use it in GitHub Desktop.
Patch for 73190
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
commit 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Mon Oct 3 00:09:02 2016 -0700 | |
Fix bug #73190: memcpy negative parameter _bc_new_num_ex | |
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c | |
index fda4d21..e656575 100644 | |
--- a/Zend/zend_exceptions.c | |
+++ b/Zend/zend_exceptions.c | |
@@ -229,13 +229,9 @@ ZEND_METHOD(exception, __construct) | |
/* {{{ proto Exception::__wakeup() | |
Exception unserialize checks */ | |
#define CHECK_EXC_TYPE(name, type) \ | |
- value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \ | |
+ value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \ | |
if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \ | |
- zval *tmp; \ | |
- MAKE_STD_ZVAL(tmp); \ | |
- ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \ | |
- Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \ | |
- zval_ptr_dtor(&tmp); \ | |
+ zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \ | |
} | |
ZEND_METHOD(exception, __wakeup) | |
@@ -248,7 +244,12 @@ ZEND_METHOD(exception, __wakeup) | |
CHECK_EXC_TYPE("file", IS_STRING); | |
CHECK_EXC_TYPE("line", IS_LONG); | |
CHECK_EXC_TYPE("trace", IS_ARRAY); | |
- CHECK_EXC_TYPE("previous", IS_OBJECT); | |
+ value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC); | |
+ if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT || | |
+ !instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) || | |
+ value == object)) { | |
+ zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC); | |
+ } | |
} | |
/* }}} */ | |
@@ -727,7 +728,11 @@ ZEND_METHOD(exception, __toString) | |
zval_dtor(&file); | |
zval_dtor(&line); | |
- exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC); | |
+ Z_OBJPROP_P(exception)->nApplyCount++; | |
+ exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC); | |
+ if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) { | |
+ exception = NULL; | |
+ } | |
if (trace) { | |
zval_ptr_dtor(&trace); | |
@@ -736,6 +741,17 @@ ZEND_METHOD(exception, __toString) | |
} | |
zval_dtor(&fname); | |
+ /* Reset apply counts */ | |
+ exception = getThis(); | |
+ while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) { | |
+ if(Z_OBJPROP_P(exception)->nApplyCount) { | |
+ Z_OBJPROP_P(exception)->nApplyCount--; | |
+ } else { | |
+ break; | |
+ } | |
+ exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC); | |
+ } | |
+ | |
/* We store the result in the private property string so we can access | |
* the result in uncaught exception handlers without memleaks. */ | |
zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC); | |
diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c | |
index 986ad1d..c51133b 100644 | |
--- a/ext/bcmath/libbcmath/src/init.c | |
+++ b/ext/bcmath/libbcmath/src/init.c | |
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent) | |
int length, scale, persistent; | |
{ | |
bc_num temp; | |
- | |
+ /* PHP Change: add length check */ | |
+ if ((size_t)length+(size_t)scale > INT_MAX) { | |
+ zend_error(E_ERROR, "Result too long, max is %d", INT_MAX); | |
+ } | |
/* PHP Change: malloc() -> pemalloc(), removed free_list code */ | |
temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent); | |
#if 0 | |
diff --git a/ext/bcmath/libbcmath/src/outofmem.c b/ext/bcmath/libbcmath/src/outofmem.c | |
index 799a32d..05fa484 100644 | |
--- a/ext/bcmath/libbcmath/src/outofmem.c | |
+++ b/ext/bcmath/libbcmath/src/outofmem.c | |
@@ -41,6 +41,5 @@ | |
void bc_out_of_memory (void) | |
{ | |
- (void) fprintf (stderr, "bcmath: out of memory!\n"); | |
- exit (1); | |
+ zend_error_noreturn(E_ERROR, "bcmath: out of memory!"); | |
} | |
diff --git a/main/php_version.h b/main/php_version.h | |
index 1868cf0..8fa4040 100644 | |
--- a/main/php_version.h | |
+++ b/main/php_version.h | |
@@ -2,7 +2,7 @@ | |
/* edit configure.in to change version number */ | |
#define PHP_MAJOR_VERSION 5 | |
#define PHP_MINOR_VERSION 6 | |
-#define PHP_RELEASE_VERSION 27 | |
+#define PHP_RELEASE_VERSION 26 | |
#define PHP_EXTRA_VERSION "-dev" | |
-#define PHP_VERSION "5.6.27-dev" | |
-#define PHP_VERSION_ID 50627 | |
+#define PHP_VERSION "5.6.26-dev" | |
+#define PHP_VERSION_ID 50626 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment