File php-5.1.2-CVE-2007-1376.patch of Package php

--- ext/shmop/shmop.c
+++ ext/shmop/shmop.c
@@ -78,6 +78,16 @@
 ZEND_GET_MODULE(shmop)
 #endif
 
+#define PHP_SHMOP_GET_RES \
+	shmop = zend_list_find(shmid, &type);	\
+	if (!shmop) {	\
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);	\
+		RETURN_FALSE;	\
+	} else if (type != shm_type) {	\
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "not a shmop resource");	\
+		RETURN_FALSE;	\
+	}	\
+
 /* {{{ rsclean
  */
 static void rsclean(zend_rsrc_list_entry *rsrc TSRMLS_DC)
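Review bot: `PHP_SHMOP_GET_RES` expands to bare statements that use the caller's locals (`shmop`, `shmid`, `type`) and can return from the calling function, yet nothing at the definition says so. A comment above the `#define` should state that those locals must be in scope, that the macro returns FALSE from the caller on failure, and that the `type != shm_type` branch is what stops a resource of another type from being treated as a shmop segment. The body would also be safer wrapped in `do { ... } while (0)`, with each use written as `PHP_SHMOP_GET_RES;`. The final `}` line should drop its trailing backslash so the macro does not depend on the blank line that follows it. The five later hunks that invoke the macro are affected in the same way.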
@@ -168,6 +178,11 @@
 			RETURN_FALSE;
 	}
 
+ 	if (shmop->shmflg & IPC_CREAT && shmop->size < 1) {
+  		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Shared memory segment size must be greater then zero.");
+  		goto err;
+  	}
+
 	shmop->shmid = shmget(shmop->key, shmop->size, shmop->shmflg);
 	if (shmop->shmid == -1) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "unable to attach or create shared memory segment");
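Review bot: The new guard `shmop->shmflg & IPC_CREAT && shmop->size < 1` is correct only because `&` binds tighter than `&&`; writing it as `if ((shmop->shmflg & IPC_CREAT) && shmop->size < 1) {` makes the intent explicit. The warning text has a typo: "greater then zero" should read "greater than zero". The added lines are indented with a mix of spaces and tabs, unlike the tab-only context lines around them. The `err` label that the guard jumps to is outside the hunk, so confirm that it releases whatever was allocated for `shmop` before this point.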
@@ -210,13 +225,8 @@
 		WRONG_PARAM_COUNT;
 	}
 
-	shmop = zend_list_find(shmid, &type);
+	PHP_SHMOP_GET_RES
 
-	if (!shmop) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
-		RETURN_FALSE;
-	}
-	
 	if (start < 0 || start > shmop->size) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "start is out of range");
 		RETURN_FALSE;
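Review bot: With the resource type now verified, the range checks after `PHP_SHMOP_GET_RES` are the remaining barrier between script-supplied integers and the mapped segment, and the one visible here, `start < 0 || start > shmop->size`, accepts `start == shmop->size`. That is only safe if the count check that follows (outside this hunk) rejects any read past the end without computing a sum that can overflow, for example `count < 0 || count > shmop->size - start`. The same applies to the offset check in the write hunk, which is also outside the visible lines. A short comment at each check stating the invariant it enforces would make this auditable.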
@@ -255,12 +265,7 @@
 		WRONG_PARAM_COUNT;
 	}
 
-	shmop = zend_list_find(shmid, &type);
-
-	if (!shmop) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
-		RETURN_FALSE;
-	}
+	PHP_SHMOP_GET_RES
 
 	zend_list_delete(shmid);
 }
@@ -278,12 +283,7 @@
 		WRONG_PARAM_COUNT;
 	}
 
-	shmop = zend_list_find(shmid, &type);
-
-	if (!shmop) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
-		RETURN_FALSE;
-	}
+	PHP_SHMOP_GET_RES
 
 	RETURN_LONG(shmop->size);
 }
@@ -304,12 +304,7 @@
 		WRONG_PARAM_COUNT;
 	}
 
-	shmop = zend_list_find(shmid, &type);
-
-	if (!shmop) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
-		RETURN_FALSE;
-	}
+	PHP_SHMOP_GET_RES
 
 	if ((shmop->shmatflg & SHM_RDONLY) == SHM_RDONLY) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "trying to write to a read only segment");
@@ -340,12 +335,7 @@
 		WRONG_PARAM_COUNT;
 	}
 
-	shmop = zend_list_find(shmid, &type);
-
-	if (!shmop) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "no shared memory segment with an id of [%lu]", shmid);
-		RETURN_FALSE;
-	}
+	PHP_SHMOP_GET_RES
 
 	if (shmctl(shmop->shmid, IPC_RMID, NULL)) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "can't mark segment for deletion (are you the owner?)");