From 8fc52d77d6f66c438c98d536e2309b5fd13f90de Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 31 May 2015 22:47:52 -0700 Subject: [PATCH] Fix #69719 - more checks for nulls in paths --- ext/dom/document.c | 22 +++++++++++++++++----- ext/gd/gd.c | 14 +++++++------- 2 files changed, 24 insertions(+), 12 deletions(-) Index: php5-5.3.3.1/ext/dom/document.c =================================================================== --- php5-5.3.3.1.orig/ext/dom/document.c 2015-07-27 15:33:53.000000000 +0200 +++ php5-5.3.3.1/ext/dom/document.c 2015-07-27 15:33:53.000000000 +0200 @@ -1753,7 +1753,7 @@ char *file; long options = 0; - if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { + if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { return; } @@ -1995,6 +1995,10 @@ switch (type) { case DOM_LOAD_FILE: + if (CHECK_NULL_PATH(source, source_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); + RETURN_FALSE; + } valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (!valid_file) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); @@ -2084,6 +2088,10 @@ switch (type) { case DOM_LOAD_FILE: + if (CHECK_NULL_PATH(source, source_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); + RETURN_FALSE; + } valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (!valid_file) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); @@ -2173,6 +2181,10 @@ } if (mode == DOM_LOAD_FILE) { + if (CHECK_NULL_PATH(source, source_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source"); + RETURN_FALSE; + } ctxt = htmlCreateFileParserCtxt(source, NULL); } else { source_len = xmlStrlen(source); @@ -2257,7 +2269,7 @@ char *file; const char *encoding; - if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { + if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { return; } Index: php5-5.3.3.1/ext/gd/gd.c =================================================================== --- php5-5.3.3.1.orig/ext/gd/gd.c 2015-07-27 15:33:53.000000000 +0200 +++ php5-5.3.3.1/ext/gd/gd.c 2015-07-27 15:33:53.000000000 +0200 @@ -1761,7 +1761,7 @@ long cx, cy, w, h, ST, E, col, style; gdImagePtr im; int e, st; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) { return; } @@ -2004,7 +2004,7 @@ if ( handle == 0 ) { goto clean; } - pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow"); + pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow"); if ( pPrintWindow ) { pPrintWindow(window, memDC, (UINT) client_area); @@ -3933,7 +3933,7 @@ if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) { continue; } - + if (strcmp("linespacing", key) == 0) { convert_to_double_ex(item); strex.flags |= gdFTEX_LINESPACE; @@ -4020,7 +4020,7 @@ struct stat st; #endif - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { return; } @@ -4360,11 +4360,11 @@ if (argc != 3 && argc != 6) { ZEND_WRONG_PARAM_COUNT(); } - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) { return; } - + if (argc == 6) { space = sp; add_width = wd;