fix bug #37061 (curl_exec() doesn't zero-terminate binary strings) - we get the data length from cURL, so it's binary safe.

fix leak appearing when re-using curl handle
20 years ago · 65fcbcbdc0
3 changed files with 12 additions and 12 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Apr 2006, PHP 5.1.3
+- Fixed bug #37061 (curl_exec() doesn't zero-terminate binary strings). (Tony)
 - Fixed bug #37060 (Type of retval of Countable::count() is not checked). 
  (Johannes)
 - FIxed bug #37059 (oci_bind_by_name() doesn't support RAW and LONG RAW 
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@ -1208,6 +1208,8 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu

 			if (Z_LVAL_PP(zvalue)) {
 				ch->handlers->write->type = PHP_CURL_BINARY;
+			} else {
+				ch->handlers->write->type = PHP_CURL_ASCII;
 			}
 			break;
 		case CURLOPT_WRITEFUNCTION:
@ -1462,7 +1464,7 @@ PHP_FUNCTION(curl_setopt_array)
 void _php_curl_cleanup_handle(php_curl *ch)
 {
 	if (ch->handlers->write->buf.len > 0) {
-		memset(&ch->handlers->write->buf, 0, sizeof(smart_str));
+		smart_str_free(&ch->handlers->write->buf);
 	}
 	if (ch->header.str_len) {
 		efree(ch->header.str);
@ -1497,7 +1499,6 @@ PHP_FUNCTION(curl_exec)
 		if (ch->handlers->write->buf.len > 0) {
 			smart_str_free(&ch->handlers->write->buf);
 		}
-
 		RETURN_FALSE;
 	}

@ -1505,10 +1506,8 @@ PHP_FUNCTION(curl_exec)

 	if (ch->handlers->write->method == PHP_CURL_RETURN && ch->handlers->write->buf.len > 0) {
 		--ch->uses;
-		if (ch->handlers->write->type != PHP_CURL_BINARY)  {
-			smart_str_0(&ch->handlers->write->buf);
-		}
-		RETURN_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 0);
+		smart_str_0(&ch->handlers->write->buf);
+		RETURN_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 1);
 	}
 	--ch->uses;
 	RETURN_TRUE;
@ -1739,6 +1738,9 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 	zend_llist_clean(&ch->to_free.slist);
 	zend_llist_clean(&ch->to_free.post);

+	if (ch->handlers->write->buf.len > 0) {
+		smart_str_free(&ch->handlers->write->buf);
+	}
 	if (ch->handlers->write->func_name) {
 		zval_ptr_dtor(&ch->handlers->write->func_name);
 	}
@ -1754,7 +1756,7 @@ static void _php_curl_close(zend_rsrc_list_entry *rsrc TSRMLS_DC)
 	if (ch->header.str_len > 0) {
 		efree(ch->header.str);
 	}
-
+	
 	efree(ch->handlers->write);
 	efree(ch->handlers->write_header);
 	efree(ch->handlers->read);
--- a/ext/curl/multi.c
+++ b/ext/curl/multi.c
@ -195,11 +195,8 @@ PHP_FUNCTION(curl_multi_getcontent)
 	ZEND_FETCH_RESOURCE(ch, php_curl *, &z_ch, -1, le_curl_name, le_curl);

 	if (ch->handlers->write->method == PHP_CURL_RETURN && ch->handlers->write->buf.len > 0) {
-		if (ch->handlers->write->type != PHP_CURL_BINARY) {
-			smart_str_0(&ch->handlers->write->buf);
-		}
-		
-		RETURN_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 0);
+		smart_str_0(&ch->handlers->write->buf);
+		RETURN_STRINGL(ch->handlers->write->buf.c, ch->handlers->write->buf.len, 1);
 	}
 }