File php-5.3.5-CVE-2011-4153.patch of Package php5
http://svn.php.net/viewvc?view=revision&revision=319442
http://svn.php.net/viewvc?view=revision&revision=319453
#-0-
Zend/zend_builtin_functions.c
#-1-
ext/soap/php_sdl.c
#-2-
ext/standard/syslog.c
#-3-
ext/standard/browscap.c
#-4-
N/A
#-5-
N/A
#-6-
ext/session/mod_files.c
ext/standard/file.c
Index: Zend/zend_builtin_functions.c
===================================================================
--- Zend/zend_builtin_functions.c.orig
+++ Zend/zend_builtin_functions.c
@@ -683,6 +683,9 @@ repeat:
}
c.flags = case_sensitive; /* non persistent */
c.name = zend_strndup(name, name_len);
+ if(c.name == NULL) {
+ RETURN_FALSE;
+ }
c.name_len = name_len+1;
c.module_number = PHP_USER_CONSTANT;
if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
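Review bot: The added `RETURN_FALSE;` leaves the function without releasing anything already stored in `c`. The code above the hunk is not visible, but if `c.value` has been filled and copied by this point, that copy is leaked on the new path and would need something like `zval_dtor(&c.value);` before the return. The failure is also silent, so a caller sees the same `false` as for any other refusal to define the constant; a short comment on the branch, e.g. `/* allocation failed: constant is not registered */`, would record the intent. The function body starts and ends outside the hunk.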
Index: ext/standard/syslog.c
===================================================================
--- ext/standard/syslog.c.orig
+++ ext/standard/syslog.c
@@ -234,6 +234,9 @@ PHP_FUNCTION(openlog)
free(BG(syslog_device));
}
BG(syslog_device) = zend_strndup(ident, ident_len);
+ if(BG(syslog_device) == NULL) {
+ RETURN_FALSE;
+ }
openlog(BG(syslog_device), option, facility);
RETURN_TRUE;
}
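Review bot: The early `RETURN_FALSE;` leaves the C library's syslog state untouched even though the previous `BG(syslog_device)` buffer was freed just above it. On platforms where openlog() keeps the ident pointer instead of copying it, a later syslog() call would read the freed string if an earlier openlog() had registered that buffer. Allocating the new copy before freeing the old one, or calling `closelog();` before `RETURN_FALSE;`, avoids leaving a stale ident behind on the failure path. The `if` that guards the `free()` starts above the hunk.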
Index: ext/soap/php_sdl.c
===================================================================
--- ext/soap/php_sdl.c.orig
+++ ext/soap/php_sdl.c
@@ -147,6 +147,10 @@ encodePtr get_encoder(sdlPtr sdl, const
memcpy(new_enc, enc, sizeof(encode));
if (sdl->is_persistent) {
new_enc->details.ns = zend_strndup(ns, ns_len);
+ if (new_enc->details.ns == NULL) {
+ efree(nscat);
+ return NULL;
+ }
new_enc->details.type_str = strdup(new_enc->details.type_str);
} else {
new_enc->details.ns = estrndup(ns, ns_len);
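Review bot: The `strdup()` on the line right after the new check is still unchecked, so `new_enc->details.type_str` can become NULL in the persistent branch under the same low-memory condition this check handles. It needs the same guard, `if (new_enc->details.type_str == NULL)` followed by cleanup and `return NULL;`. The new error path frees only `nscat`; `new_enc`, which was filled by the `memcpy` just above, appears to stay allocated and should be released with the deallocator that matches its allocation above the hunk. Callers of get_encoder() are not visible here and would have to handle the new NULL return. The function starts and ends outside the hunk.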
Index: ext/standard/file.c
===================================================================
--- ext/standard/file.c.orig
+++ ext/standard/file.c
@@ -2625,7 +2625,12 @@ PHP_FUNCTION(fnmatch)
Returns directory path used for temporary files */
PHP_FUNCTION(sys_get_temp_dir)
{
- RETURN_STRING((char *)php_get_temporary_directory(), 1);
+ char *tmp_dir;
+ tmp_dir = (char *)php_get_temporary_directory();
+ if (tmp_dir == NULL) {
+ return;
+ }
+ RETURN_STRING(tmp_dir, 1);
}
/* }}} */
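Review bot: The NULL branch uses a bare `return;`, so sys_get_temp_dir() gives the script a null value with no diagnostic, while the proto comment still promises a directory path. The other user-facing fixes in this patch use `RETURN_FALSE;`, so either do the same here or extend the proto comment to `Returns directory path used for temporary files, or NULL if it cannot be determined`. The declaration and assignment could also be a single line, `char *tmp_dir = (char *)php_get_temporary_directory();`.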
Index: ext/session/mod_files.c
===================================================================
--- ext/session/mod_files.c.orig
+++ ext/session/mod_files.c
@@ -273,6 +273,9 @@ PS_OPEN_FUNC(files)
if (*save_path == '\0') {
/* if save path is an empty string, determine the temporary dir */
save_path = php_get_temporary_directory();
+ if (save_path == NULL) {
+ return FAILURE;
+ }
if (PG(safe_mode) && (!php_checkuid(save_path, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
return FAILURE;
Index: ext/standard/browscap.c
===================================================================
--- ext/standard/browscap.c.orig
+++ ext/standard/browscap.c
@@ -147,9 +147,17 @@ static void php_browscap_parser_cb(zval
Z_STRLEN_P(new_property) = 0;
} else { /* Other than true/false setting */
Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2), Z_STRLEN_P(arg2));
+ if (Z_STRVAL_P(new_property) == NULL) {
+ zend_error(E_CORE_ERROR, "Out of memory");
+ return;
+ }
Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2);
}
new_key = zend_strndup(Z_STRVAL_P(arg1), Z_STRLEN_P(arg1));
+ if (new_key == NULL) {
+ zend_error(E_CORE_ERROR, "Out of memory");
+ return;
+ }
zend_str_tolower(new_key, Z_STRLEN_P(arg1));
zend_hash_update(Z_ARRVAL_P(current_section), new_key, Z_STRLEN_P(arg1) + 1, &new_property, sizeof(zval *), NULL);
free(new_key);
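Review bot: Both new branches call `zend_error(E_CORE_ERROR, "Out of memory");` and then `return;`, but nothing says whether that `return` is expected to be reachable. If E_CORE_ERROR always aborts at this point, a comment such as `/* not reached: E_CORE_ERROR is fatal */` would make that explicit. If it can return, the `new_key` branch leaves `new_property` allocated, along with its string copy in the else case, and both would need releasing first. This handling also differs from the other files in the patch, which fail quietly through a return value. php_browscap_parser_cb starts and ends outside the hunk.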