php-5.2.17-CVE-2011-1148.patch

   1 --- PHP_5_3/ext/standard/string.c       2011/04/13 03:32:19     310193
   2 +++ PHP_5_3/ext/standard/string.c       2011/04/13 06:32:41     310194
   3 @@ -2352,20 +2352,35 @@
   4
   5                 zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
   6                 while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
   7 -                       convert_to_string_ex(tmp_str);
   8 +                       zval *orig_str;
   9 +                       zval dummy;
  10 +                       if(Z_TYPE_PP(tmp_str) != IS_STRING) {
  11 +                               dummy = **tmp_str;
  12 +                               orig_str = &dummy;
  13 +                               zval_copy_ctor(orig_str);
  14 +                               convert_to_string(orig_str);
  15 +                       } else {
  16 +                               orig_str = *tmp_str;
  17 +                       }
  18
  19                         if (Z_TYPE_PP(from) == IS_ARRAY) {
  20                                 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
  21 -                                       convert_to_long_ex(tmp_from);
  22 +                                       if(Z_TYPE_PP(tmp_from) != IS_LONG) {
  23 +                                               zval dummy = **tmp_from;
  24 +                                               zval_copy_ctor(&dummy);
  25 +                                               convert_to_long(&dummy);
  26 +                                               f = Z_LVAL(dummy);
  27 +                                       } else {
  28 +                                               f = Z_LVAL_PP(tmp_from);
  29 +                                       }
  30
  31 -                                       f = Z_LVAL_PP(tmp_from);
  32                                         if (f < 0) {
  33 -                                               f = Z_STRLEN_PP(tmp_str) + f;
  34 +                                               f = Z_STRLEN_P(orig_str) + f;
  35                                                 if (f < 0) {
  36                                                         f = 0;
  37                                                 }
  38 -                                       } else if (f > Z_STRLEN_PP(tmp_str)) {
  39 -                                               f = Z_STRLEN_PP(tmp_str);
  40 +                                       } else if (f > Z_STRLEN_P(orig_str)) {
  41 +                                               f = Z_STRLEN_P(orig_str);
  42                                         }
  43                                         zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
  44                                 } else {
  45 @@ -2374,72 +2389,94 @@
  46                         } else {
  47                                 f = Z_LVAL_PP(from);
  48                                 if (f < 0) {
  49 -                                       f = Z_STRLEN_PP(tmp_str) + f;
  50 +                                       f = Z_STRLEN_P(orig_str) + f;
  51                                         if (f < 0) {
  52                                                 f = 0;
  53                                         }
  54 -                               } else if (f > Z_STRLEN_PP(tmp_str)) {
  55 -                                       f = Z_STRLEN_PP(tmp_str);
  56 +                               } else if (f > Z_STRLEN_P(orig_str)) {
  57 +                                       f = Z_STRLEN_P(orig_str);
  58                                 }
  59                         }
  60
  61                         if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
  62                                 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
  63 -                                       convert_to_long_ex(tmp_len);
  64 +                                       if(Z_TYPE_PP(tmp_len) != IS_LONG) {
  65 +                                               zval dummy = **tmp_len;
  66 +                                               zval_copy_ctor(&dummy);
  67 +                                               convert_to_long(&dummy);
  68 +                                               l = Z_LVAL(dummy);
  69 +                                       } else {
  70 +                                               l = Z_LVAL_PP(tmp_len);
  71 +                                       }
  72
  73                                         l = Z_LVAL_PP(tmp_len);
  74                                         zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
  75                                 } else {
  76 -                                       l = Z_STRLEN_PP(tmp_str);
  77 +                                       l = Z_STRLEN_P(orig_str);
  78                                 }
  79                         } else if (argc > 3) {
  80                                 l = Z_LVAL_PP(len);
  81                         } else {
  82 -                               l = Z_STRLEN_PP(tmp_str);
  83 +                               l = Z_STRLEN_P(orig_str);
  84                         }
  85
  86                         if (l < 0) {
  87 -                               l = (Z_STRLEN_PP(tmp_str) - f) + l;
  88 +                               l = (Z_STRLEN_P(orig_str) - f) + l;
  89                                 if (l < 0) {
  90                                         l = 0;
  91                                 }
  92                         }
  93
  94 -                       if ((f + l) > Z_STRLEN_PP(tmp_str)) {
  95 -                               l = Z_STRLEN_PP(tmp_str) - f;
  96 +                       if ((f + l) > Z_STRLEN_P(orig_str)) {
  97 +                               l = Z_STRLEN_P(orig_str) - f;
  98                         }
  99
 100 -                       result_len = Z_STRLEN_PP(tmp_str) - l;
 101 +                       result_len = Z_STRLEN_P(orig_str) - l;
 102
 103                         if (Z_TYPE_PP(repl) == IS_ARRAY) {
 104                                 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
 105 -                                       convert_to_string_ex(tmp_repl);
 106 -                                       result_len += Z_STRLEN_PP(tmp_repl);
 107 +                                       zval *repl_str;
 108 +                                       zval zrepl;
 109 +                                       if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
 110 +                                               zrepl = **tmp_repl;
 111 +                                               repl_str = &zrepl;
 112 +                                               zval_copy_ctor(repl_str);
 113 +                                               convert_to_string(repl_str);
 114 +                                       } else {
 115 +                                               repl_str = *tmp_repl;
 116 +                                       }
 117 +
 118 +                                       result_len += Z_STRLEN_P(repl_str);
 119                                         zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
 120                                         result = emalloc(result_len + 1);
 121
 122 -                                       memcpy(result, Z_STRVAL_PP(tmp_str), f);
 123 -                                       memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
 124 -                                       memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
 125 +                                       memcpy(result, Z_STRVAL_P(orig_str), f);
 126 +                                       memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
 127 +                                       memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
 128 +                                       if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
 129 +                                               zval_dtor(repl_str);
 130 +                                       }
 131                                 } else {
 132                                         result = emalloc(result_len + 1);
 133
 134 -                                       memcpy(result, Z_STRVAL_PP(tmp_str), f);
 135 -                                       memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
 136 +                                       memcpy(result, Z_STRVAL_P(orig_str), f);
 137 +                                       memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
 138                                 }
 139                         } else {
 140                                 result_len += Z_STRLEN_PP(repl);
 141
 142                                 result = emalloc(result_len + 1);
 143
 144 -                               memcpy(result, Z_STRVAL_PP(tmp_str), f);
 145 +                               memcpy(result, Z_STRVAL_P(orig_str), f);
 146                                 memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
 147 -                               memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
 148 +                               memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
 149                         }
 150
 151                         result[result_len] = '\0';
 152                         add_next_index_stringl(return_value, result, result_len, 0);
 153 -
 154 +                       if(Z_TYPE_PP(tmp_str) != IS_STRING) {
 155 +                               zval_dtor(orig_str);
 156 +                       }
 157                         zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
 158                 } /*while*/
 159         } /* if */