[packages/php.git] / php-5.2.17-CVE-2011-1148.patch

--- PHP_5_3/ext/standard/string.c	2011/04/13 03:32:19	310193
+++ PHP_5_3/ext/standard/string.c	2011/04/13 06:32:41	310194
@@ -2352,20 +2352,35 @@
 
 		zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
 		while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
-			convert_to_string_ex(tmp_str);
+			zval *orig_str;
+			zval dummy;
+			if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+				dummy = **tmp_str;
+				orig_str = &dummy;
+				zval_copy_ctor(orig_str);
+				convert_to_string(orig_str);
+			} else {
+				orig_str = *tmp_str;
+			}
 
 			if (Z_TYPE_PP(from) == IS_ARRAY) {
 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
-					convert_to_long_ex(tmp_from);
+					if(Z_TYPE_PP(tmp_from) != IS_LONG) {
+						zval dummy = **tmp_from;
+						zval_copy_ctor(&dummy);
+						convert_to_long(&dummy);
+						f = Z_LVAL(dummy);
+					} else {
+						f = Z_LVAL_PP(tmp_from);
+					}
 
-					f = Z_LVAL_PP(tmp_from);
 					if (f < 0) {
-						f = Z_STRLEN_PP(tmp_str) + f;
+						f = Z_STRLEN_P(orig_str) + f;
 						if (f < 0) {
 							f = 0;
 						}
-					} else if (f > Z_STRLEN_PP(tmp_str)) {
-						f = Z_STRLEN_PP(tmp_str);
+					} else if (f > Z_STRLEN_P(orig_str)) {
+						f = Z_STRLEN_P(orig_str);
 					}
 					zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
 				} else {
@@ -2374,72 +2389,94 @@
 			} else {
 				f = Z_LVAL_PP(from);
 				if (f < 0) {
-					f = Z_STRLEN_PP(tmp_str) + f;
+					f = Z_STRLEN_P(orig_str) + f;
 					if (f < 0) {
 						f = 0;
 					}
-				} else if (f > Z_STRLEN_PP(tmp_str)) {
-					f = Z_STRLEN_PP(tmp_str);
+				} else if (f > Z_STRLEN_P(orig_str)) {
+					f = Z_STRLEN_P(orig_str);
 				}
 			}
 
 			if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
-					convert_to_long_ex(tmp_len);
+					if(Z_TYPE_PP(tmp_len) != IS_LONG) {
+						zval dummy = **tmp_len;
+						zval_copy_ctor(&dummy);
+						convert_to_long(&dummy);
+						l = Z_LVAL(dummy);
+					} else {
+						l = Z_LVAL_PP(tmp_len);
+					}
 
 					l = Z_LVAL_PP(tmp_len);
 					zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
 				} else {
-					l = Z_STRLEN_PP(tmp_str);
+					l = Z_STRLEN_P(orig_str);
 				}
 			} else if (argc > 3) { 
 				l = Z_LVAL_PP(len);
 			} else {
-				l = Z_STRLEN_PP(tmp_str);
+				l = Z_STRLEN_P(orig_str);
 			}
 
 			if (l < 0) {
-				l = (Z_STRLEN_PP(tmp_str) - f) + l;
+				l = (Z_STRLEN_P(orig_str) - f) + l;
 				if (l < 0) {
 					l = 0;
 				}
 			}
 
-			if ((f + l) > Z_STRLEN_PP(tmp_str)) {
-				l = Z_STRLEN_PP(tmp_str) - f;
+			if ((f + l) > Z_STRLEN_P(orig_str)) {
+				l = Z_STRLEN_P(orig_str) - f;
 			}
 
-			result_len = Z_STRLEN_PP(tmp_str) - l;
+			result_len = Z_STRLEN_P(orig_str) - l;
 
 			if (Z_TYPE_PP(repl) == IS_ARRAY) {
 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
-					convert_to_string_ex(tmp_repl);
-					result_len += Z_STRLEN_PP(tmp_repl);
+					zval *repl_str;
+					zval zrepl;
+					if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+						zrepl = **tmp_repl;
+						repl_str = &zrepl;
+						zval_copy_ctor(repl_str);
+						convert_to_string(repl_str);
+					} else {
+						repl_str = *tmp_repl;
+					}
+
+					result_len += Z_STRLEN_P(repl_str);
 					zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);	
 					result = emalloc(result_len + 1);
 
-					memcpy(result, Z_STRVAL_PP(tmp_str), f);
-					memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
-					memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+					memcpy(result, Z_STRVAL_P(orig_str), f);
+					memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
+					memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+					if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+						zval_dtor(repl_str);
+					}
 				} else {
 					result = emalloc(result_len + 1);
 	
-					memcpy(result, Z_STRVAL_PP(tmp_str), f);
-					memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+					memcpy(result, Z_STRVAL_P(orig_str), f);
+					memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
 				}
 			} else {
 				result_len += Z_STRLEN_PP(repl);
 
 				result = emalloc(result_len + 1);
 
-				memcpy(result, Z_STRVAL_PP(tmp_str), f);
+				memcpy(result, Z_STRVAL_P(orig_str), f);
 				memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
-				memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
+				memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
 			}
 
 			result[result_len] = '\0';
 			add_next_index_stringl(return_value, result, result_len, 0);
-
+			if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+				zval_dtor(orig_str);
+			}
 			zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
 		} /*while*/
 	} /* if */
Commit	Line	Data
fb98beff ER	1	--- PHP_5_3/ext/standard/string.c 2011/04/13 03:32:19 310193
	2	+++ PHP_5_3/ext/standard/string.c 2011/04/13 06:32:41 310194
	3	@@ -2352,20 +2352,35 @@
	4
	5	zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
	6	while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
	7	- convert_to_string_ex(tmp_str);
	8	+ zval *orig_str;
	9	+ zval dummy;
	10	+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
	11	+ dummy = **tmp_str;
	12	+ orig_str = &dummy;
	13	+ zval_copy_ctor(orig_str);
	14	+ convert_to_string(orig_str);
	15	+ } else {
	16	+ orig_str = *tmp_str;
	17	+ }
	18
	19	if (Z_TYPE_PP(from) == IS_ARRAY) {
	20	if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
	21	- convert_to_long_ex(tmp_from);
	22	+ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
	23	+ zval dummy = **tmp_from;
	24	+ zval_copy_ctor(&dummy);
	25	+ convert_to_long(&dummy);
	26	+ f = Z_LVAL(dummy);
	27	+ } else {
	28	+ f = Z_LVAL_PP(tmp_from);
	29	+ }
	30
	31	- f = Z_LVAL_PP(tmp_from);
	32	if (f < 0) {
	33	- f = Z_STRLEN_PP(tmp_str) + f;
	34	+ f = Z_STRLEN_P(orig_str) + f;
	35	if (f < 0) {
	36	f = 0;
	37	}
	38	- } else if (f > Z_STRLEN_PP(tmp_str)) {
	39	- f = Z_STRLEN_PP(tmp_str);
	40	+ } else if (f > Z_STRLEN_P(orig_str)) {
	41	+ f = Z_STRLEN_P(orig_str);
	42	}
	43	zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
	44	} else {
	45	@@ -2374,72 +2389,94 @@
	46	} else {
	47	f = Z_LVAL_PP(from);
	48	if (f < 0) {
	49	- f = Z_STRLEN_PP(tmp_str) + f;
	50	+ f = Z_STRLEN_P(orig_str) + f;
	51	if (f < 0) {
	52	f = 0;
	53	}
	54	- } else if (f > Z_STRLEN_PP(tmp_str)) {
	55	- f = Z_STRLEN_PP(tmp_str);
	56	+ } else if (f > Z_STRLEN_P(orig_str)) {
	57	+ f = Z_STRLEN_P(orig_str);
	58	}
	59	}
	60
	61	if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
	62	if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
	63	- convert_to_long_ex(tmp_len);
	64	+ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
65	+ zval dummy = **tmp_len;
66	+ zval_copy_ctor(&dummy);
67	+ convert_to_long(&dummy);
68	+ l = Z_LVAL(dummy);
69	+ } else {
70	+ l = Z_LVAL_PP(tmp_len);
71	+ }
72
73	l = Z_LVAL_PP(tmp_len);
74	zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
75	} else {
76	- l = Z_STRLEN_PP(tmp_str);
77	+ l = Z_STRLEN_P(orig_str);
78	}
79	} else if (argc > 3) {
80	l = Z_LVAL_PP(len);
81	} else {
82	- l = Z_STRLEN_PP(tmp_str);
83	+ l = Z_STRLEN_P(orig_str);
84	}
85
86	if (l < 0) {
87	- l = (Z_STRLEN_PP(tmp_str) - f) + l;
88	+ l = (Z_STRLEN_P(orig_str) - f) + l;
89	if (l < 0) {
90	l = 0;
91	}
92	}
93
94	- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
95	- l = Z_STRLEN_PP(tmp_str) - f;
96	+ if ((f + l) > Z_STRLEN_P(orig_str)) {
97	+ l = Z_STRLEN_P(orig_str) - f;
98	}
99
100	- result_len = Z_STRLEN_PP(tmp_str) - l;
101	+ result_len = Z_STRLEN_P(orig_str) - l;
102
103	if (Z_TYPE_PP(repl) == IS_ARRAY) {
104	if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
105	- convert_to_string_ex(tmp_repl);
106	- result_len += Z_STRLEN_PP(tmp_repl);
107	+ zval *repl_str;
108	+ zval zrepl;
109	+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
110	+ zrepl = **tmp_repl;
111	+ repl_str = &zrepl;
112	+ zval_copy_ctor(repl_str);
113	+ convert_to_string(repl_str);
114	+ } else {
115	+ repl_str = *tmp_repl;
116	+ }
117	+
118	+ result_len += Z_STRLEN_P(repl_str);
119	zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
120	result = emalloc(result_len + 1);
121
122	- memcpy(result, Z_STRVAL_PP(tmp_str), f);
123	- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
124	- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
125	+ memcpy(result, Z_STRVAL_P(orig_str), f);
126	+ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
127	+ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
128	+ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
129	+ zval_dtor(repl_str);
130	+ }
131	} else {
132	result = emalloc(result_len + 1);
133
134	- memcpy(result, Z_STRVAL_PP(tmp_str), f);
135	- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
136	+ memcpy(result, Z_STRVAL_P(orig_str), f);
137	+ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
138	}
139	} else {
140	result_len += Z_STRLEN_PP(repl);
141
142	result = emalloc(result_len + 1);
143
144	- memcpy(result, Z_STRVAL_PP(tmp_str), f);
145	+ memcpy(result, Z_STRVAL_P(orig_str), f);
146	memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
147	- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
148	+ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
149	}
150
151	result[result_len] = '\0';
152	add_next_index_stringl(return_value, result, result_len, 0);
153	-
154	+ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
155	+ zval_dtor(orig_str);
156	+ }
157	zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
158	} /while/
159	} /* if */