From 8fc52d77d6f66c438c98d536e2309b5fd13f90de Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 31 May 2015 22:47:52 -0700
Subject: [PATCH] Fix #69719 - more checks for nulls in paths
---
ext/dom/document.c | 22 +++++++++++++++++-----
ext/gd/gd.c | 14 +++++++-------
2 files changed, 24 insertions(+), 12 deletions(-)
diff --git a/ext/dom/document.c b/ext/dom/document.c
index c2c4365..1bf4c54 100644
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@@ -1700,7 +1700,7 @@ PHP_FUNCTION(dom_document_save)
char *file;
long options = 0;
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
return;
}
@@ -1930,7 +1930,7 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
int is_valid;
char resolved_path[MAXPATHLEN + 1];
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) {
return;
}
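Review bot: The switch from `p` to `s` in this parse call reads like a loosening of the path check unless the reader also finds the `CHECK_NULL_PATH` added further down under `DOM_LOAD_FILE`, and nothing at the call site says so. A one-line comment above the call would keep a later cleanup from reverting the specifier or dropping the deferred check, e.g. `/* "s" on purpose: source is only a path in DOM_LOAD_FILE mode, where it is NUL-checked below */`. The same comment fits the parse calls in `_dom_document_relaxNG_validate` and `dom_load_html`. That `source` carries non-path content in the other mode is inferred from the `type`/`mode` switch, since the rest of the function lies outside this hunk.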
@@ -1943,6 +1943,10 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type
switch (type) {
case DOM_LOAD_FILE:
+ if (CHECK_NULL_PATH(source, source_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
+ RETURN_FALSE;
+ }
valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
if (!valid_file) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
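Review bot: The new NUL-byte rejection emits exactly the same warning, `Invalid Schema file source`, as the `_dom_get_valid_file_path` failure just below it, so a log reader cannot tell a path carrying an embedded NUL from one that simply failed to resolve. An embedded NUL in a path is worth surfacing separately for triage, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source: path contains a null byte");`. The same applies to the `Invalid RelaxNG file source` check added in `_dom_document_relaxNG_validate`. The switch statement continues outside this hunk.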
@@ -2026,7 +2030,7 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
int is_valid;
char resolved_path[MAXPATHLEN + 1];
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
return;
}
@@ -2039,6 +2043,10 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ
switch (type) {
case DOM_LOAD_FILE:
+ if (CHECK_NULL_PATH(source, source_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
+ RETURN_FALSE;
+ }
valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
if (!valid_file) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
@@ -2119,7 +2127,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
id = getThis();
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
return;
}
@@ -2129,6 +2137,10 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
}
if (mode == DOM_LOAD_FILE) {
+ if (CHECK_NULL_PATH(source, source_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source");
+ RETURN_FALSE;
+ }
ctxt = htmlCreateFileParserCtxt(source, NULL);
} else {
source_len = xmlStrlen(source);
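Review bot: With the specifier now `s`, a string passed in the non-file mode may contain NUL bytes, and the `else` branch then overwrites `source_len` with `xmlStrlen(source)`, which stops at the first NUL; anything after that byte appears to be dropped without a warning. The caller's view of the markup and the parser's view can then differ, which matters when the string was validated before being parsed. At minimum document it above that line, e.g. `/* xmlStrlen() stops at the first NUL, so input after an embedded NUL is not parsed */`, or emit a warning when the two lengths differ. How `source_len` is used afterwards is outside this hunk.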
@@ -2217,7 +2229,7 @@ PHP_FUNCTION(dom_document_save_html_file)
char *file;
const char *encoding;
- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
return;
}
diff --git a/ext/gd/gd.c b/ext/gd/gd.c
index 0642d45..283520c 100644
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@@ -1750,7 +1750,7 @@ PHP_FUNCTION(imagefilledarc)
long cx, cy, w, h, ST, E, col, style;
gdImagePtr im;
int e, st;
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) {
return;
}
@@ -1991,7 +1991,7 @@ PHP_FUNCTION(imagegrabwindow)
if ( handle == 0 ) {
goto clean;
}
- pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
+ pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
if ( pPrintWindow ) {
pPrintWindow(window, memDC, (UINT) client_area);
@@ -3860,7 +3860,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int
if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) {
continue;
}
-
+
if (strcmp("linespacing", key) == 0) {
convert_to_double_ex(item);
strex.flags |= gdFTEX_LINESPACE;
@@ -3939,7 +3939,7 @@ PHP_FUNCTION(imagepsloadfont)
struct stat st;
#endif
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
return;
}
@@ -4279,11 +4279,11 @@ PHP_FUNCTION(imagepsbbox)
if (argc != 3 && argc != 6) {
ZEND_WRONG_PARAM_COUNT();
}
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) {
return;
}
-
+
if (argc == 6) {
space = sp;
add_width = wd;
@@ -4459,7 +4459,7 @@ static void _php_image_convert(INTERNAL_FUNCTION_PARAMETERS, int image_type )
int x, y;
float x_ratio, y_ratio;
long ignore_warning;
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pplll", &f_org, &f_org_len, &f_dest, &f_dest_len, &height, &width, &threshold) == FAILURE) {
return;
}
--
2.1.4