iliaa Thu Aug 10 17:16:24 2006 UTC
Modified files: (Branch: PHP_5_1)
/ZendEngine2 zend_alloc.c
Log:
Various security fixes backported from 5.2
# part 1
http://cvs.php.net/viewvc.cgi/ZendEngine2/zend_alloc.c?r1=1.144.2.3&r2=1.144.2.4&diff_format=u
Index: ZendEngine2/zend_alloc.c
diff -u ZendEngine2/zend_alloc.c:1.144.2.3 ZendEngine2/zend_alloc.c:1.144.2.4
--- ZendEngine2/zend_alloc.c:1.144.2.3 Wed Jan 4 23:53:03 2006
+++ ZendEngine2/zend_alloc.c Thu Aug 10 17:16:24 2006
@@ -17,7 +17,7 @@
+----------------------------------------------------------------------+
*/
-/* $Id: zend_alloc.c,v 1.144.2.3 2006/01/04 23:53:03 andi Exp $ */
+/* $Id: zend_alloc.c,v 1.144.2.4 2006/08/10 17:16:24 iliaa Exp $ */
#include "zend.h"
#include "zend_alloc.h"
@@ -72,7 +72,15 @@
#define CHECK_MEMORY_LIMIT(s, rs) _CHECK_MEMORY_LIMIT(s, rs, NULL, 0)
# endif
-#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { AG(allocated_memory) += rs;\
+#define _CHECK_MEMORY_LIMIT(s, rs, file, lineno) { if ((ssize_t)(rs) >
(ssize_t)(INT_MAX - AG(allocated_memory))) { \
+ if
(file) { \
+
fprintf(stderr, "Integer overflow in memory_limit check detected at %s:%d\n",
file, lineno); \
+ } else
{ \
+
fprintf(stderr, "Integer overflow in memory_limit check detected\n"); \
+ } \
+
exit(1); \
+ } \
+
AG(allocated_memory) += rs;\
if
(AG(memory_limit)<AG(allocated_memory)) {\
int
php_mem_limit = AG(memory_limit); \
AG(allocated_memory) -= rs; \
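Review bot: The new overflow branch in `_CHECK_MEMORY_LIMIT` ends in `exit(1)`, which terminates the whole hosting process from inside the allocator, while the limit-exceeded branch directly below it (`AG(allocated_memory) -= rs;` and the `php_mem_limit` path) undoes the accounting and reports through the engine instead. For an embedded SAPI that turns a single rejected request into loss of the worker rather than a fatal error for one script, and it also bypasses any shutdown handlers that normally run. Mirroring the existing branch — restore nothing (the accounting has not been touched yet), then report via the engine's fatal-error path, e.g. `zend_error(E_ERROR, "Integer overflow in memory_limit check detected")` — would keep the two failure modes consistent. The bound `INT_MAX - AG(allocated_memory)` also assumes `AG(allocated_memory)` is an `int`-range, non-negative counter; if its type is wider than `int` the ceiling is artificially low — worth confirming against the declaration, which is outside this hunk.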
@@ -127,7 +135,7 @@
#endif
#define DECLARE_CACHE_VARS() \
- unsigned int real_size; \
+ size_t real_size; \
unsigned int cache_index
#define REAL_SIZE(size) ((size+7) & ~0x7)
@@ -142,12 +150,16 @@
ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
{
- zend_mem_header *p;
+ zend_mem_header *p = NULL;
DECLARE_CACHE_VARS();
TSRMLS_FETCH();
CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
+ if (size > INT_MAX || SIZE < size) {
+ goto emalloc_error;
+ }
+
#if !ZEND_DISABLE_MEMORY_CACHE
if ((CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX]
> 0)) {
p = AG(cache)[CACHE_INDEX][--AG(cache_count)[CACHE_INDEX]];
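Review bot: The oversize request (`size > INT_MAX || SIZE < size`) jumps to `emalloc_error:` with `p` still NULL and is therefore reported as an allocation failure; the matching erealloc path on this page prints "Unable to allocate %ld bytes", so an invalid-length request from a script becomes indistinguishable in logs from genuine memory exhaustion. A dedicated diagnostic before the jump, e.g. `fprintf(stderr, "FATAL: emalloc(): invalid size %ld\n", (long) size);`, would make the rejected-input case visible to whoever triages the log. Note that `size > INT_MAX` already makes `SIZE < size` unreachable here, since `REAL_SIZE` only adds 7 — harmless, but the second clause is only meaningful if the first is ever relaxed. The label itself is added in the following hunk (`emalloc_error:` before `HANDLE_BLOCK_INTERRUPTIONS()`), and `_emalloc`'s body, including the `if (!p)` handler, continues outside this hunk.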
@@ -184,6 +196,8 @@
}
#endif
+emalloc_error:
+
HANDLE_BLOCK_INTERRUPTIONS();
if (!p) {
@@ -357,6 +371,13 @@
CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
HANDLE_BLOCK_INTERRUPTIONS();
+
+ if (size > INT_MAX || SIZE < size) {
+ REMOVE_POINTER_FROM_LIST(p);
+ p = NULL;
+ goto erealloc_error;
+ }
+
#if MEMORY_LIMIT
CHECK_MEMORY_LIMIT(size - p->size, SIZE - REAL_SIZE(p->size));
if (AG(allocated_memory) > AG(allocated_memory_peak)) {
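Review bot: In the new oversize branch of `_erealloc`, `REMOVE_POINTER_FROM_LIST(p)` is executed and then `p` is overwritten with NULL even though the original block has been neither freed nor reallocated, so for the `allow_failure` case the caller gets NULL back and the old block stays alive but, as far as I can tell from the hunk, untracked by the allocation list — presumably meaning the request-end sweep no longer releases it, and `AG(allocated_memory)` still counts it. Since nothing has been done to the block at that point, it seems safer to leave it linked and only set `p = NULL; goto erealloc_error;`, so that a rejected resize behaves like a failed `realloc()` (original pointer still valid and owned). The real `ZEND_DO_REALLOC` failure path below has the same shape, but there the unlink precedes the call that may move the block; here it precedes nothing. The `erealloc_error:` label is added in the next hunk, and the `if (!p)` handler that decides between bailout and returning NULL runs past the end of the hunk.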
@@ -365,6 +386,7 @@
#endif
REMOVE_POINTER_FROM_LIST(p);
p = (zend_mem_header *) ZEND_DO_REALLOC(p,
sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
+erealloc_error:
if (!p) {
if (!allow_failure) {
fprintf(stderr,"FATAL: erealloc(): Unable to allocate
%ld bytes\n", (long) size);