MFB: safety checks

20 years ago · 2dbfe66e4a
13 changed files with 44 additions and 16 deletions
--- a/Zend/zend_ini.c
+++ b/Zend/zend_ini.c
@ -530,6 +530,28 @@ ZEND_API ZEND_INI_MH(OnUpdateLong)
 	*p = zend_atoi(new_value, new_value_length);
 	return SUCCESS;
 }
 ZEND_API ZEND_INI_MH(OnUpdateLongGEZero)
 {
 	long *p, tmp;
 #ifndef ZTS
 	char *base = (char *) mh_arg2;
 #else
 	char *base;
 	base = (char *) ts_resource(*((int *) mh_arg2));
 #endif
 	tmp = zend_atoi(new_value, new_value_length);
 	if (tmp < 0) {
 		return FAILURE;
 	}
 	p = (long *) (base+(size_t) mh_arg1);
 	*p = tmp;
 	return SUCCESS;
 }
 ZEND_API ZEND_INI_MH(OnUpdateReal)
--- a/Zend/zend_ini.h
+++ b/Zend/zend_ini.h
@ -175,6 +175,7 @@ END_EXTERN_C()
 BEGIN_EXTERN_C()
 ZEND_API ZEND_INI_MH(OnUpdateBool);
 ZEND_API ZEND_INI_MH(OnUpdateLong);
 ZEND_API ZEND_INI_MH(OnUpdateLongGEZero);
 ZEND_API ZEND_INI_MH(OnUpdateReal);
 ZEND_API ZEND_INI_MH(OnUpdateString);
 ZEND_API ZEND_INI_MH(OnUpdateStringUnempty);
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@ -3569,7 +3569,7 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 								exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
 #endif
 								if (!ImageInfo->Thumbnail.data) {
 									ImageInfo->Thumbnail.data = emalloc(ImageInfo->Thumbnail.size);
 									ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0);
 									php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET);
 									fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
 									if (fgot < ImageInfo->Thumbnail.size) {
@ -3602,7 +3602,7 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 					exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "%s THUMBNAIL @0x%04X + 0x%04X", ImageInfo->Thumbnail.data ? "Ignore" : "Read", ImageInfo->Thumbnail.offset, ImageInfo->Thumbnail.size);
 #endif
 					if (!ImageInfo->Thumbnail.data && ImageInfo->Thumbnail.offset && ImageInfo->Thumbnail.size && ImageInfo->read_thumbnail) {
 						ImageInfo->Thumbnail.data = emalloc(ImageInfo->Thumbnail.size);
 						ImageInfo->Thumbnail.data = safe_emalloc(ImageInfo->Thumbnail.size, 1, 0);
 						php_stream_seek(ImageInfo->infile, ImageInfo->Thumbnail.offset, SEEK_SET);
 						fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
 						if (fgot < ImageInfo->Thumbnail.size) {
--- a/ext/interbase/ibase_query.c
+++ b/ext/interbase/ibase_query.c
@ -1146,7 +1146,7 @@ PHP_FUNCTION(ibase_query)
 				break;
 			}
 		} else if (bind_n > 0) {
 			bind_args = (zval ***) emalloc(sizeof(zval **) * ZEND_NUM_ARGS());
 			bind_args = (zval ***) safe_emalloc(sizeof(zval **), ZEND_NUM_ARGS(), 0);
 			if (FAILURE == zend_get_parameters_array_ex(ZEND_NUM_ARGS(), bind_args)) {
 				break;
--- a/ext/json/json.c
+++ b/ext/json/json.c
@ -242,7 +242,7 @@ static void json_escape_string(smart_str *buf, zstr s, int len, zend_uchar type)
 	if (type == IS_UNICODE) {
 		utf16 = (unsigned short *) s.u;
 	} else {	
 		utf16 = (unsigned short *) emalloc(len * sizeof(unsigned short));
 		utf16 = (unsigned short *) safe_emalloc(len, sizeof(unsigned short), 0);
 		len = utf8_to_utf16(utf16, s.s, len);
 		if (len <= 0)
@ -443,7 +443,7 @@ PHP_FUNCTION(json_decode)
 		utf16 = str.u;
 		utf16_len = str_len;
 	} else {
 		utf16 = (unsigned short *) emalloc((str_len+1) * sizeof(unsigned short));
 		utf16 = (unsigned short *) safe_emalloc((str_len+1), sizeof(unsigned short), 0);
 		utf16_len = utf8_to_utf16(utf16, str.s, str_len);
 		if (utf16_len <= 0)
--- a/ext/pdo_dblib/dblib_driver.c
+++ b/ext/pdo_dblib/dblib_driver.c
@ -144,7 +144,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, int unquote
 	char *q;
 	int l = 1;
 	*quoted = q = emalloc(2 * unquotedlen + 3);
 	*quoted = q = safe_emalloc(2, unquotedlen, 3);
 	*q++ = '\'';
 	while (unquotedlen--) {
--- a/ext/pdo_dblib/dblib_stmt.c
+++ b/ext/pdo_dblib/dblib_stmt.c
@ -131,7 +131,7 @@ static int pdo_dblib_stmt_execute(pdo_stmt_t *stmt TSRMLS_DC)
 	arows = 100;
 	size = S->ncols * sizeof(pdo_dblib_colval);
 	S->rows = emalloc(arows * size);
 	S->rows = safe_emalloc(arows, size, 0);
 	/* let's fetch all the data */
 	do {
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@ -2098,7 +2098,7 @@ static void php_pgsql_fetch_hash(INTERNAL_FUNCTION_PARAMETERS, long result_type,
 					Bucket *p;
 					fci.param_count = 0;
 					fci.params = emalloc(sizeof(zval*) * ht->nNumOfElements);
 					fci.params = safe_emalloc(sizeof(zval*), ht->nNumOfElements, 0);
 					p = ht->pListHead;
 					while (p != NULL) {
 						fci.params[fci.param_count++] = (zval**)p->pData;
--- a/ext/soap/php_encoding.c
+++ b/ext/soap/php_encoding.c
@ -941,7 +941,7 @@ static xmlNodePtr to_xml_double(encodeTypePtr type, zval *data, int style, xmlNo
 		convert_to_double(&tmp);
 	}
 	str = (char *) emalloc(MAX_LENGTH_OF_DOUBLE + EG(precision) + 1);
 	str = (char *) safe_emalloc(EG(precision), 1, MAX_LENGTH_OF_DOUBLE + 1);
 	php_gcvt(Z_DVAL(tmp), EG(precision), '.', 'E', str);
 	xmlNodeSetContentLen(ret, BAD_CAST(str), strlen(str));
 	efree(str);
--- a/ext/spl/spl_directory.c
+++ b/ext/spl/spl_directory.c
@ -1363,7 +1363,7 @@ static int spl_filesystem_file_read(spl_filesystem_object *intern, int silent TS
 	}
 	if (intern->u.file.max_line_len > 0) {
 		buf = emalloc((intern->u.file.max_line_len + 1) * sizeof(char));
 		buf = safe_emalloc((intern->u.file.max_line_len + 1), sizeof(char), 0);
 		if (php_stream_get_line(intern->u.file.stream, ZSTR(buf), intern->u.file.max_line_len, &line_len) == NULL) {
 			efree(buf);
 			buf = NULL;
--- a/ext/standard/uuencode.c
+++ b/ext/standard/uuencode.c
@ -71,7 +71,7 @@ PHPAPI int php_uuencode(char *src, int src_len, char **dest)
 	char *p, *s, *e, *ee;
 	/* encoded length is ~ 38% greater then the original */
 	p = *dest = emalloc((ceil(src_len * 1.38) + 45 + 1));
 	p = *dest = safe_emalloc(ceil(src_len * 1.38), 1, 46);
 	s = src;
 	e = src + src_len;
@ -128,7 +128,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest)
 	int len, total_len=0;
 	char *s, *e, *p, *ee;
 	p = *dest = emalloc(ceil(src_len * 0.75) + 1);
 	p = *dest = safe_emalloc(ceil(src_len * 0.75), 1, 1);
 	s = src;
 	e = src + src_len;
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@ -944,7 +944,7 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var
 				char *s;
 				smart_str_appendl(buf, "d:", 2);
 				s = (char *) emalloc(MAX_LENGTH_OF_DOUBLE + PG(serialize_precision) + 1);
 				s = (char *) safe_emalloc(PG(serialize_precision), 1, MAX_LENGTH_OF_DOUBLE + 1);
 				php_gcvt(Z_DVAL_P(struc), PG(serialize_precision), '.', 'E', s);
 				smart_str_appends(buf, s);
 				smart_str_appendc(buf, ';');
--- a/main/main.c
+++ b/main/main.c
@ -100,8 +100,13 @@ PHPAPI int core_globals_id;
 */
 static PHP_INI_MH(OnSetPrecision)
 {
 	EG(precision) = atoi(new_value);
 	return SUCCESS;
 	int i = atoi(new_value);
 	if (i >= 0) {
 		EG(precision) = i;
 		return SUCCESS;
 	} else {
 		return FAILURE;
 }
 }
 /* }}} */
@ -377,7 +382,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("y2k_compliance",		"1",		PHP_INI_ALL,		OnUpdateBool,			y2k_compliance,			php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("unserialize_callback_func",	NULL,	PHP_INI_ALL,		OnUpdateString,			unserialize_callback_func,	php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("serialize_precision",	"100",	PHP_INI_ALL,		OnUpdateLong,			serialize_precision,	php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("serialize_precision",	"100",	PHP_INI_ALL,		OnUpdateLongGEZero,			serialize_precision,	php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("arg_separator.output",	"&",		PHP_INI_ALL,		OnUpdateStringUnempty,	arg_separator.output,	php_core_globals,	core_globals)
 	STD_PHP_INI_ENTRY("arg_separator.input",	"&",		PHP_INI_SYSTEM|PHP_INI_PERDIR,	OnUpdateStringUnempty,	arg_separator.input,	php_core_globals,	core_globals)