Subject: check the return values of the malloc, calloc, and realloc
  library functions
Origin: upstream commits r313782, r313826, r313827, r313828, r313830,
  r313831, r313832, r313833, r313835, r313903
Bug-upstream: http://svn.php.net/viewvc?view=revision&revision=313903

r313782 | pajoye | 2011-07-27 07:23:06 -0700 (Wed, 27 Jul 2011) | 1 line
- Fix #55295, check if malloc failed
r313826 | pajoye | 2011-07-28 03:31:34 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (curl part) check if malloc succeeded
r313827 | pajoye | 2011-07-28 03:34:16 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (com_dotnet part) check if malloc succeeded
r313828 | pajoye | 2011-07-28 03:37:04 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (pdo_odbc part) check if malloc succeeded
r313830 | pajoye | 2011-07-28 03:39:19 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (interbase part) check if malloc succeeded
r313831 | pajoye | 2011-07-28 03:42:45 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (readline part) check if malloc succeeded
r313832 | pajoye | 2011-07-28 03:52:45 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (url scanner part) check if malloc succeeded
r313833 | pajoye | 2011-07-28 03:57:31 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (sybase part) check if malloc succeeded
r313835 | pajoye | 2011-07-28 04:01:04 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (mssql part) check if malloc succeeded
r313903 | pajoye | 2011-07-28 14:16:51 -0700 (Thu, 28 Jul 2011) | 1 line
- Fix #55301 (sybase part, take #2) check if malloc succeeded

CVE-2011-3182

---
 TSRM/tsrm_win32.c              |    4 ++++
 ext/com_dotnet/com_dotnet.c    |    3 +++
 ext/curl/interface.c           |    3 +++
 ext/interbase/interbase.c      |    7 +++++--
 ext/mssql/php_mssql.c          |    7 +++++++
 ext/pdo_odbc/pdo_odbc.c        |    3 +++
 ext/readline/readline.c        |    8 +++++++-
 ext/standard/url_scanner_ex.c  |    7 +++++--
 ext/standard/url_scanner_ex.re |    8 ++++++--
 ext/sybase_ct/php_sybase_ct.c  |    4 ++++
 10 files changed, 47 insertions(+), 7 deletions(-)

--- a/TSRM/tsrm_win32.c
+++ b/TSRM/tsrm_win32.c
@@ -532,6 +532,10 @@ TSRM_API FILE *popen_ex(const char *comm
 	}
 
 	cmd = (char*)malloc(strlen(command)+strlen(TWG(comspec))+sizeof(" /c ")+2);
+	if (!cmd) {
+		return NULL;
+	}
+
 	sprintf(cmd, "%s /c \"%s\"", TWG(comspec), command);
 	if (asuser) {
 		res = CreateProcessAsUser(token_user, NULL, cmd, &security, &security, security.bInheritHandle, dwCreateFlags, env, cwd, &startup, &process);
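Review bot: The new `return NULL` leaves popen_ex without releasing anything acquired before the allocation. The start of the function is outside this hunk, but the `token_user` handle passed to CreateProcessAsUser just below suggests handles may already be open by then; if so, this branch should close them before returning. The buffer size is also computed by hand to fit the `sprintf` format exactly, which deserves a comment such as `/* sizeof(" /c ") covers the separator and the NUL, +2 covers the two quotes */` so a later change to the format string does not silently overflow `cmd`.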
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -803,6 +803,9 @@ PHP_MINIT_FUNCTION(curl)
 		int i, c = CRYPTO_num_locks();
 
 		php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T));
+		if (!php_curl_openssl_tsl) {
+			return FAILURE;
+		}
 
 		for (i = 0; i < c; ++i) {
 			php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
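Review bot: Only the array allocation is checked; each slot is then filled by `tsrm_mutex_alloc()` in the loop directly below with no check. If that call can fail (its contract is not visible here), a NULL entry would still end up in `php_curl_openssl_tsl`, and a per-slot check that releases the slots already created and returns FAILURE would close the gap. The MINIT body starts and continues outside the hunk, so whether earlier registrations need undoing on this early return cannot be judged from these lines.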
--- a/ext/com_dotnet/com_dotnet.c
+++ b/ext/com_dotnet/com_dotnet.c
@@ -129,6 +129,9 @@ static HRESULT dotnet_init(char **p_wher
 	char *where = "";
 
 	stuff = malloc(sizeof(*stuff));
+	if (!stuff) {
+		return S_FALSE;
+	}
 	memset(stuff, 0, sizeof(*stuff));
 
 	where = "CoCreateInstance";
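Review bot: `S_FALSE` is a success HRESULT, so a caller that tests the result with `FAILED()` or `SUCCEEDED()` will treat the failed allocation as a successful init and carry on without the runtime state. The branch should return a failure code instead, `return E_OUTOFMEMORY;`. The callers of dotnet_init are outside this hunk, so how the result is tested is an assumption to confirm against them.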
--- a/ext/pdo_odbc/pdo_odbc.c
+++ b/ext/pdo_odbc/pdo_odbc.c
@@ -98,6 +98,9 @@ PHP_MINIT_FUNCTION(pdo_odbc)
 		char *instance = INI_STR("pdo_odbc.db2_instance_name");
 		if (instance) {
 			char *env = malloc(sizeof("DB2INSTANCE=") + strlen(instance));
+			if (!env) {
+				return FAILURE;
+			}
 			strcpy(env, "DB2INSTANCE=");
 			strcat(env, instance);
 			putenv(env);
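Review bot: Nothing on these lines explains that `env` is deliberately never freed. On POSIX, `putenv()` keeps the pointer it is given as part of the environment, so the buffer has to outlive this block. A comment such as `/* putenv() keeps this pointer; env must not be freed */` above the call would stop a later leak cleanup from turning this into a use-after-free. The return value of `putenv(env)` is also ignored, so a failure to set DB2INSTANCE goes unnoticed.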
--- a/ext/interbase/interbase.c
+++ b/ext/interbase/interbase.c
@@ -998,9 +998,12 @@ static void _php_ibase_connect(INTERNAL_
 			ZEND_REGISTER_RESOURCE(return_value, ib_link, le_link);
 		} else {
 			zend_rsrc_list_entry new_le;
-			
+
 			ib_link = (ibase_db_link *) malloc(sizeof(ibase_db_link));
-	
+			if (!ib_link) {
+				RETURN_FALSE;
+			}
+
 			/* hash it up */
 			Z_TYPE(new_le) = le_plink;
 			new_le.ptr = ib_link;
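Review bot: The new branch leaves through `RETURN_FALSE` with no cleanup, whereas the equivalent checks added to ext/mssql/php_mssql.c and ext/sybase_ct/php_sybase_ct.c in this same patch release what the function already holds before returning. _php_ibase_connect starts outside this hunk, so whether a database handle is already attached when the persistent-link struct is allocated cannot be confirmed from here. If one is, it should be detached in this branch; otherwise the connection stays open with nothing referencing it.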
--- a/ext/readline/readline.c
+++ b/ext/readline/readline.c
@@ -465,6 +465,9 @@ static char **_readline_completion_cb(co
 				matches = rl_completion_matches(text,_readline_command_generator);
 			} else {
 				matches = malloc(sizeof(char *) * 2);
+				if (!matches) {
+					return NULL;
+				}
 				matches[0] = strdup("");
 				matches[1] = '\0';
 			}
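Review bot: The check covers `matches` but not the `strdup("")` stored in `matches[0]` on the next line, so an allocation failure there still hands readline an array whose first entry is NULL. Add `if (!matches[0]) { free(matches); return NULL; }` after the strdup. `matches[1] = '\0';` assigns a character constant to a `char *`; it works only because the constant is zero, and `matches[1] = NULL;` says what is meant. _readline_completion_cb continues outside the hunk, so whether the early `return NULL` skips cleanup of values built earlier in the callback should be checked.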
@@ -505,7 +508,10 @@ PHP_FUNCTION(readline_completion_functio
 	zval_copy_ctor(_readline_completion);
 
 	rl_attempted_completion_function = _readline_completion_cb;
-
+	if (rl_attempted_completion_function == NULL) {
+		efree(name);
+		RETURN_FALSE;
+	}
 	RETURN_TRUE;
 }
 
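Review bot: The added test can never be true: `rl_attempted_completion_function` has just been assigned the address of `_readline_completion_cb`, and a function's address is never NULL, so the `efree(name); RETURN_FALSE;` branch is dead code. If it were reachable, the `efree(name)` would have to be checked against the earlier part of the function, which is outside this hunk, because releasing `name` a second time would be a double free. I would drop the branch and keep the plain assignment followed by `RETURN_TRUE;`.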
--- a/ext/standard/url_scanner_ex.re
+++ b/ext/standard/url_scanner_ex.re
@@ -55,9 +55,13 @@ static PHP_INI_MH(OnUpdateTags)
 	
 	if (ctx->tags)
 		zend_hash_destroy(ctx->tags);
-	else
+	else {
 		ctx->tags = malloc(sizeof(HashTable));
-	
+		if (!ctx->tags) {
+			return FAILURE;
+		}
+	}
+
 	zend_hash_init(ctx->tags, 0, NULL, NULL, 1);
 	
 	for (key = php_strtok_r(tmp, ",", &lasts);
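Review bot: The early `return FAILURE` exits OnUpdateTags before `tmp`, which is handed to `php_strtok_r` just below, is consumed or released. Its assignment is outside this hunk, but if `tmp` is a heap copy made earlier in the handler, this path leaks it on every failed update and the branch should free it first (`efree(tmp);` if it came from the e* allocator). The same applies to the matching hunk in the regenerated ext/standard/url_scanner_ex.c.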
--- a/ext/standard/url_scanner_ex.c
+++ b/ext/standard/url_scanner_ex.c
@@ -56,9 +56,12 @@ static PHP_INI_MH(OnUpdateTags)
 	
 	if (ctx->tags)
 		zend_hash_destroy(ctx->tags);
-	else
+	else {
 		ctx->tags = malloc(sizeof(HashTable));
-	
+		if (!ctx->tags) {
+			return FAILURE;
+		}
+	}
 	zend_hash_init(ctx->tags, 0, NULL, NULL, 1);
 	
 	for (key = php_strtok_r(tmp, ",", &lasts);
--- a/ext/sybase_ct/php_sybase_ct.c
+++ b/ext/sybase_ct/php_sybase_ct.c
@@ -777,6 +777,10 @@ static void php_sybase_do_connect(INTERN
 			}
 
 			sybase_ptr = (sybase_link *) malloc(sizeof(sybase_link));
+			if (!sybase_ptr) {
+				efree(hashed_details);
+				RETURN_FALSE;
+			}
 			if (!php_sybase_do_connect_internal(sybase_ptr, host, user, passwd, charset, appname TSRMLS_CC)) {
 				free(sybase_ptr);
 				efree(hashed_details);
--- a/ext/mssql/php_mssql.c
+++ b/ext/mssql/php_mssql.c
@@ -717,6 +717,13 @@ static void php_mssql_do_connect(INTERNA
 
 			/* hash it up */
 			mssql_ptr = (mssql_link *) malloc(sizeof(mssql_link));
+			if (!mssql_ptr) {
+				efree(hashed_details);
+				dbfreelogin(mssql.login);
+				dbclose(mssql.link);
+				RETURN_FALSE;
+			}
+
 			memcpy(mssql_ptr, &mssql, sizeof(mssql_link));
 			Z_TYPE(new_le) = le_plink;
 			new_le.ptr = mssql_ptr;
