From 5dc319589770ef5471f8e86951118794a0368f93 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Tue, 9 Aug 2011 12:16:58 +0000
Subject: [PATCH] Avoiding strcpy, strcat, sprintf usage to make static analyzer happy
---
ext/ereg/regex.patch | 58 ++++++++++++++++++++++++++++---
ext/ereg/regex/regerror.c | 11 +++---
ext/ereg/regex/regerror.ih | 2 +-
ext/standard/crypt.c | 4 +--
ext/standard/http_fopen_wrapper.c | 4 +--
ext/standard/proc_open.c | 4 +--
ext/standard/user_filters.c | 2 +-
ext/xml/xml.c | 4 +--
main/fopen_wrappers.c | 5 +--
main/streams/filter.c | 2 +-
10 files changed, 74 insertions(+), 22 deletions(-)
diff --git a/ext/ereg/regex.patch b/ext/ereg/regex.patch
index d10a9b9a463..c1e1d7d483c 100644
--- a/ext/ereg/regex.patch
+++ b/ext/ereg/regex.patch
@@ -1,12 +1,62 @@ +Only in regex: regcomp.lo +Only in regex: regcomp.o diff -u regex.orig/regerror.c regex/regerror.c ---- regex.orig/regerror.c 2011-08-09 17:31:11.000000000 +0800 -+++ regex/regerror.c 2011-08-09 17:29:53.000000000 +0800 -@@ -82,7 +82,7 @@ +--- regex.orig/regerror.c 2011-08-09 19:49:30.000000000 +0800 ++++ regex/regerror.c 2011-08-09 19:46:15.000000000 +0800 +@@ -74,7 +74,7 @@ + char convbuf[50]; + + if (errcode == REG_ATOI) +- s = regatoi(preg, convbuf); ++ s = regatoi(preg, convbuf, sizeof(convbuf)); + else { + for (r = rerrs; r->code >= 0; r++) + if (r->code == target) +@@ -82,9 +82,9 @@ if (errcode®_ITOA) { if (r->code >= 0) - (void) strcpy(convbuf, r->name); + (void) strncpy(convbuf, r->name, 50); else - sprintf(convbuf, "REG_0x%x", target); +- sprintf(convbuf, "REG_0x%x", target); ++ snprintf(convbuf, sizeof(convbuf), "REG_0x%x", target); assert(strlen(convbuf) < sizeof(convbuf)); + s = convbuf; + } else +@@ -106,12 +106,13 @@ + + /* + - regatoi - internal routine to implement REG_ATOI +- == static char *regatoi(const regex_t *preg, char *localbuf); ++ == static char *regatoi(const regex_t *preg, char *localbuf, int bufsize); + */ + static char * +-regatoi(preg, localbuf) ++regatoi(preg, localbuf, bufsize) + const regex_t *preg; + char *localbuf; ++int bufsize; + { + register const struct rerr *r; + +@@ -121,6 +122,6 @@ + if (r->code < 0) + return("0"); + +- sprintf(localbuf, "%d", r->code); ++ snprintf(localbuf, bufsize, "%d", r->code); + return(localbuf); + } +diff -u regex.orig/regerror.ih regex/regerror.ih +--- regex.orig/regerror.ih 2011-08-09 19:49:00.000000000 +0800 ++++ regex/regerror.ih 2011-08-09 19:41:07.000000000 +0800 +@@ -4,7 +4,7 @@ + #endif + + /* === regerror.c === */ +-static char *regatoi(const regex_t *preg, char *localbuf); ++static char *regatoi(const regex_t *preg, char *localbuf, int bufsize); + + #ifdef __cplusplus + } 
diff --git a/ext/ereg/regex/regerror.c b/ext/ereg/regex/regerror.c index f8c3ca3538f..05737a462ce 100644 --- a/ext/ereg/regex/regerror.c +++ b/ext/ereg/regex/regerror.c @@ -74,7 +74,7 @@ size_t errbuf_size) char convbuf[50]; if (errcode == REG_ATOI) - s = regatoi(preg, convbuf); + s = regatoi(preg, convbuf, sizeof(convbuf)); else { for (r = rerrs; r->code >= 0; r++) if (r->code == target) @@ -84,7 +84,7 @@ size_t errbuf_size) if (r->code >= 0) (void) strncpy(convbuf, r->name, 50); else - sprintf(convbuf, "REG_0x%x", target); + snprintf(convbuf, sizeof(convbuf), "REG_0x%x", target); assert(strlen(convbuf) < sizeof(convbuf)); s = convbuf; } else @@ -106,12 +106,13 @@ size_t errbuf_size) /* - regatoi - internal routine to implement REG_ATOI - == static char *regatoi(const regex_t *preg, char *localbuf); + == static char *regatoi(const regex_t *preg, char *localbuf, int bufsize); */ static char * -regatoi(preg, localbuf) +regatoi(preg, localbuf, bufsize) const regex_t *preg; char *localbuf; +int bufsize; { register const struct rerr *r; @@ -121,6 +122,6 @@ char *localbuf; if (r->code < 0) return("0"); - sprintf(localbuf, "%d", r->code); + snprintf(localbuf, bufsize, "%d", r->code); return(localbuf); } diff --git a/ext/ereg/regex/regerror.ih b/ext/ereg/regex/regerror.ih index 2cb668c24f0..5ff158e57db 100644 --- a/ext/ereg/regex/regerror.ih +++ b/ext/ereg/regex/regerror.ih @@ -4,7 +4,7 @@ extern "C" { #endif /* === regerror.c === */ -static char *regatoi(const regex_t *preg, char *localbuf); +static char *regatoi(const regex_t *preg, char *localbuf, int bufsize); #ifdef __cplusplus } diff --git a/ext/standard/crypt.c b/ext/standard/crypt.c index 865a25beb19..3bac50f9e47 100644 --- a/ext/standard/crypt.c +++ b/ext/standard/crypt.c 
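Review bot: The new `bufsize` parameter of regatoi() is declared `int`, both in the K&R definition in regerror.c and in the regerror.ih prototype, although the only visible caller passes `sizeof(convbuf)` and snprintf() takes a `size_t`. Declaring it `size_t bufsize;` (and `static char *regatoi(const regex_t *preg, char *localbuf, size_t bufsize);` in regerror.ih) removes the unsigned-to-signed-to-unsigned round trip and means a negative value can never become a huge bound. The header comment above regatoi() could also state that `localbuf` must provide at least `bufsize` bytes, since that contract is now part of the signature.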
@@ -170,10 +170,10 @@ PHP_FUNCTION(crypt) /* The automatic salt generation covers standard DES, md5-crypt and Blowfish (simple) */ if (!*salt) { #if PHP_MD5_CRYPT - strcpy(salt, "$1$"); + strncpy(salt, "$1$", PHP_MAX_SALT_LEN); php_to64(&salt[3], PHP_CRYPT_RAND, 4); php_to64(&salt[7], PHP_CRYPT_RAND, 4); - strcpy(&salt[11], "$"); + strncpy(&salt[11], "$", PHP_MAX_SALT_LEN - 11); #elif PHP_STD_DES_CRYPT php_to64(&salt[0], PHP_CRYPT_RAND, 2); salt[2] = '\0'; diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c index 7a918d9c836..4567efc1f21 100644 --- a/ext/standard/http_fopen_wrapper.c +++ b/ext/standard/http_fopen_wrapper.c @@ -330,7 +330,7 @@ finish: scratch_len = strlen(path) + 29 + Z_STRLEN_PP(tmpzval); scratch = emalloc(scratch_len); strlcpy(scratch, Z_STRVAL_PP(tmpzval), Z_STRLEN_PP(tmpzval) + 1); - strcat(scratch, " "); + strncat(scratch, " ", 1); } } } @@ -344,7 +344,7 @@ finish: if (!scratch) { scratch_len = strlen(path) + 29 + protocol_version_len; scratch = emalloc(scratch_len); - strcpy(scratch, "GET "); + strncpy(scratch, "GET ", scratch_len); } /* Should we send the entire path in the request line, default to no. */ diff --git a/ext/standard/proc_open.c b/ext/standard/proc_open.c index 9544cc03da6..6b7f6ba548b 100644 --- a/ext/standard/proc_open.c +++ b/ext/standard/proc_open.c @@ -155,8 +155,8 @@ static php_process_env_t _php_array_to_envp(zval *environment, int is_persistent l = string_length + el_len + 1; memcpy(p, string_key, string_length); - strcat(p, "="); - strcat(p, data); + strncat(p, "=", 1); + strncat(p, data, el_len); #ifndef PHP_WIN32 *ep = p; diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c index 752c52af834..9afc4f1568a 100644 --- a/ext/standard/user_filters.c +++ b/ext/standard/user_filters.c 
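Review bot: `strncat(scratch, " ", 1)` in the first http_fopen_wrapper.c hunk limits how many bytes are taken from the source, not how much room is left in `scratch`, so it writes exactly what `strcat` wrote and adds no overflow protection. The same holds for `strncat(p, "=", 1)` and `strncat(p, data, el_len)` in proc_open.c, and for `strncat(wildcard, ".*", 2)` / `strncat(wildname, ".*", 2)` in user_filters.c and main/streams/filter.c; in each case the analyzer warning is silenced while the safety still depends on the allocation arithmetic in the surrounding context. Where the destination size is in scope, a call bounded by it expresses the intended check, e.g. `strlcat(scratch, " ", scratch_len);`, which also matches the `strlcpy` on the line above. The enclosing functions start and end outside these hunks, so the sizes of `p`, `wildcard` and `wildname` cannot be confirmed from here.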
@@ -311,7 +311,7 @@ static php_stream_filter *user_filter_factory_create(const char *filtername, period = wildcard + (period - filtername); while (period) { *period = '\0'; - strcat(wildcard, ".*"); + strncat(wildcard, ".*", 2); if (SUCCESS == zend_hash_find(BG(user_filter_map), wildcard, strlen(wildcard) + 1, (void**)&fdat)) { period = NULL; } else { diff --git a/ext/xml/xml.c b/ext/xml/xml.c index 6788c86bc34..78237c0bb3d 100644 --- a/ext/xml/xml.c +++ b/ext/xml/xml.c @@ -950,7 +950,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) if (zend_hash_find(Z_ARRVAL_PP(parser->ctag),"value",sizeof("value"),(void **) &myval) == SUCCESS) { int newlen = Z_STRLEN_PP(myval) + decoded_len; Z_STRVAL_PP(myval) = erealloc(Z_STRVAL_PP(myval),newlen+1); - strcpy(Z_STRVAL_PP(myval) + Z_STRLEN_PP(myval),decoded_value); + strncpy(Z_STRVAL_PP(myval) + Z_STRLEN_PP(myval), decoded_value, decoded_len + 1); Z_STRLEN_PP(myval) += decoded_len; efree(decoded_value); } else { @@ -970,7 +970,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) if (zend_hash_find(Z_ARRVAL_PP(curtag),"value",sizeof("value"),(void **) &myval) == SUCCESS) { int newlen = Z_STRLEN_PP(myval) + decoded_len; Z_STRVAL_PP(myval) = erealloc(Z_STRVAL_PP(myval),newlen+1); - strcpy(Z_STRVAL_PP(myval) + Z_STRLEN_PP(myval),decoded_value); + strncpy(Z_STRVAL_PP(myval) + Z_STRLEN_PP(myval), decoded_value, decoded_len + 1); Z_STRLEN_PP(myval) += decoded_len; efree(decoded_value); return; diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c index f00127bc065..f4d122bbbb4 100644 --- a/main/fopen_wrappers.c +++ b/main/fopen_wrappers.c 
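Review bot: In both _xml_characterDataHandler hunks, `strncpy(..., decoded_value, decoded_len + 1)` takes its bound from the source length rather than from the destination, so it checks nothing that `strcpy` did not; the write is still only safe because of the `erealloc(..., newlen+1)` on the context line above. Since the length is already known, `memcpy(Z_STRVAL_PP(myval) + Z_STRLEN_PP(myval), decoded_value, decoded_len + 1);` states the intent directly and keeps the copied bytes consistent with `Z_STRLEN_PP(myval) += decoded_len`, whereas strncpy stops at the first NUL and zero-fills the rest. The function body begins and ends outside the hunks, so whether `decoded_value` can carry an embedded NUL is not visible here.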
@@ -410,7 +410,8 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle TSRMLS_DC) #endif if (PG(doc_root) && path_info && (length = strlen(PG(doc_root))) && IS_ABSOLUTE_PATH(PG(doc_root), length)) { - filename = emalloc(length + strlen(path_info) + 2); + int path_len = strlen(path_info); + filename = emalloc(length + path_len + 2); if (filename) { memcpy(filename, PG(doc_root), length); if (!IS_SLASH(filename[length - 1])) { /* length is never 0 */ @@ -419,7 +420,7 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle TSRMLS_DC) if (IS_SLASH(path_info[0])) { length--; } - strcpy(filename + length, path_info); + strncpy(filename + length, path_info, path_len + 1); } } else { filename = SG(request_info).path_translated; diff --git a/main/streams/filter.c b/main/streams/filter.c index 623c66f96da..99293259e73 100644 --- a/main/streams/filter.c +++ b/main/streams/filter.c @@ -270,7 +270,7 @@ PHPAPI php_stream_filter *php_stream_filter_create(const char *filtername, zval period = wildname + (period - filtername); while (period && !filter) { *period = '\0'; - strcat(wildname, ".*"); + strncat(wildname, ".*", 2); if (SUCCESS == zend_hash_find(filter_hash, wildname, strlen(wildname) + 1, (void**)&factory)) { filter = factory->create_filter(filtername, filterparams, persistent TSRMLS_CC); }
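Review bot: `int path_len = strlen(path_info);` in php_fopen_primary_script narrows a `size_t` to `int`, and that value then sizes both `emalloc(length + path_len + 2)` and the `strncpy(filename + length, path_info, path_len + 1)` bound. `path_info` looks request-derived (its origin is outside the hunk), so I would keep the length unsigned with `size_t path_len = strlen(path_info);` so that allocation size and copy length cannot go negative or disagree. As with the xml.c hunks, the strncpy bound comes from the source string, so `memcpy(filename + length, path_info, path_len + 1);` would say the same thing more plainly.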