Logoj0ke.net Open Build Service > Projects > internetx:php5 > php-5.2.17 > php-5.2.14-CVE-2012-0830.patch
Sign Up | Log In

File php-5.2.14-CVE-2012-0830.patch of Package php-5.2.17 (Revision 19)

Currently displaying revision 19, show latest

x
 
1
http://svn.php.net/viewvc?view=revision&revision=323007
2
http://svn.php.net/viewvc?view=revision&revision=323013
3
--- a/main/php_variables.c
4
+++ b/main/php_variables.c
5
@@ -182,7 +182,12 @@ PHPAPI void php_register_variable_ex(cha
6
            if (!index) {
7
                MAKE_STD_ZVAL(gpc_element);
8
                array_init(gpc_element);
9
-               zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
10
+               if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) {
11
+                   zval_ptr_dtor(&gpc_element);
12
+                   zval_dtor(val);
13
+                   efree(var_orig);
14
+                   return;
15
+               }
16
            } else {
17
                if (PG(magic_quotes_gpc)) {
18
                    escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
19
@@ -198,6 +203,13 @@ PHPAPI void php_register_variable_ex(cha
20
                        MAKE_STD_ZVAL(gpc_element);
21
                        array_init(gpc_element);
22
                        zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
23
+                   } else {
24
+                       if (index != escaped_index) {
25
+                           efree(escaped_index);
26
+                       }
27
+                       zval_dtor(val);
28
+                       efree(var_orig);
29
+                       return;
30
                    }
31
                }
32
                if (index != escaped_index) {
33
@@ -223,7 +235,9 @@ plain_var:
34
        gpc_element->value = val->value;
35
        Z_TYPE_P(gpc_element) = Z_TYPE_P(val);
36
        if (!index) {
37
-           zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
38
+           if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) {
39
+               zval_ptr_dtor(&gpc_element);
40
+           }
41
        } else {
42
            if (PG(magic_quotes_gpc)) { 
43
                escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
44