File: CVE-2011-4153-2.patch

package info (click to toggle)
php5 5.3.3.1-7%2Bsqueeze29
  • links: PTS, VCS
  • area: main
  • in suites: squeeze-lts
  • size: 123,520 kB
  • ctags: 55,742
  • sloc: ansic: 633,963; php: 19,620; sh: 11,344; xml: 5,816; cpp: 2,400; yacc: 1,745; exp: 1,514; makefile: 1,019; pascal: 623; awk: 537; sql: 22
file content (61 lines) | stat: -rw-r--r-- 2,079 bytes parent folder | download | duplicates (3) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
 
--- a/ext/soap/php_sdl.c
+++ b/ext/soap/php_sdl.c
@@ -147,6 +147,10 @@ encodePtr get_encoder(sdlPtr sdl, const
 			memcpy(new_enc, enc, sizeof(encode));
 			if (sdl->is_persistent) {
 				new_enc->details.ns = zend_strndup(ns, ns_len);
+				if (new_enc->details.ns == NULL) {
+					efree(nscat);
+					return NULL;
+				}
 				new_enc->details.type_str = strdup(new_enc->details.type_str);
 			} else {
 				new_enc->details.ns = estrndup(ns, ns_len);
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -2608,7 +2608,12 @@ PHP_FUNCTION(fnmatch)
    Returns directory path used for temporary files */
 PHP_FUNCTION(sys_get_temp_dir)
 {
-	RETURN_STRING((char *)php_get_temporary_directory(), 1);
+	char *tmp_dir;
+	tmp_dir = (char *)php_get_temporary_directory();
+	if (tmp_dir == NULL) {
+		return;
+	}
+	RETURN_STRING(tmp_dir, 1);
 }
 /* }}} */
 
--- a/ext/session/mod_files.c
+++ b/ext/session/mod_files.c
@@ -273,6 +273,9 @@ PS_OPEN_FUNC(files)
 	if (*save_path == '\0') {
 		/* if save path is an empty string, determine the temporary dir */
 		save_path = php_get_temporary_directory();
+		if (save_path == NULL) {
+			return FAILURE;
+		}
 
 		if (PG(safe_mode) && (!php_checkuid(save_path, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
 			return FAILURE;
--- a/ext/standard/browscap.c
+++ b/ext/standard/browscap.c
@@ -147,9 +147,17 @@ static void php_browscap_parser_cb(zval
 					Z_STRLEN_P(new_property) = 0;
 				} else { /* Other than true/false setting */
 					Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2), Z_STRLEN_P(arg2));
+					if (Z_STRVAL_P(new_property) == NULL) {
+						zend_error(E_CORE_ERROR, "Out of memory");
+						return;
+					}
 					Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2);
 				}
 				new_key = zend_strndup(Z_STRVAL_P(arg1), Z_STRLEN_P(arg1));
+				if (new_key == NULL) {
+					zend_error(E_CORE_ERROR, "Out of memory");
+					return;
+				}
 				zend_str_tolower(new_key, Z_STRLEN_P(arg1));
 				zend_hash_update(Z_ARRVAL_P(current_section), new_key, Z_STRLEN_P(arg1) + 1, &new_property, sizeof(zval *), NULL);
 				free(new_key);