Do not use alloca() where it can be abused through user input.

2024-11-23 18:04:36 +08:00 · 2004-06-30 01:12:06 +00:00 · 2004-06-30 01:12:06 +00:00 · 690ca62dd3
commit 690ca62dd3
parent 0850c7a348
3 changed files with 11 additions and 11 deletions
--- a/ext/pcntl/pcntl.c
+++ b/ext/pcntl/pcntl.c
@ -434,7 +434,7 @@ PHP_FUNCTION(pcntl_exec)
 		args_hash = HASH_OF(args);
 		argc = zend_hash_num_elements(args_hash);
 		
-		argv = alloca((argc+2) * sizeof(char *));
+		argv = safe_emalloc((argc + 2), sizeof(char *), 0);
 		*argv = path;
 		for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1; 
 			(argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
@ -445,7 +445,7 @@ PHP_FUNCTION(pcntl_exec)
 		}
 		*(current_arg) = NULL;
 	} else {
-		argv = alloca(2 * sizeof(char *));
+		argv = emalloc(2 * sizeof(char *));
 		*argv = path;
 		*(argv+1) = NULL;
 	}
@ -455,13 +455,13 @@ PHP_FUNCTION(pcntl_exec)
 		envs_hash = HASH_OF(envs);
 		envc = zend_hash_num_elements(envs_hash);
 		
-		envp = alloca((envc+1) * sizeof(char *));
+		envp = safe_emalloc((envc + 1), sizeof(char *), 0);
 		for ( zend_hash_internal_pointer_reset(envs_hash), pair = envp; 
 			(envi < envc && (zend_hash_get_current_data(envs_hash, (void **) &element) == SUCCESS));
 			(envi++, pair++, zend_hash_move_forward(envs_hash)) ) {
 			switch (return_val = zend_hash_get_current_key_ex(envs_hash, &key, &key_length, &key_num, 0, NULL)) {
 				case HASH_KEY_IS_LONG:
-					key = alloca(101);
+					key = emalloc(101);
 					snprintf(key, 100, "%ld", key_num);
 					key_length = strlen(key);
 					break;
@ -480,7 +480,7 @@ PHP_FUNCTION(pcntl_exec)
 			strlcat(*pair, Z_STRVAL_PP(element), pair_length);
 			
 			/* Cleanup */
-			if (return_val == HASH_KEY_IS_LONG) free_alloca(key);
+			if (return_val == HASH_KEY_IS_LONG) efree(key);
 		}
 		*(pair) = NULL;
 	}
@ -492,10 +492,10 @@ PHP_FUNCTION(pcntl_exec)
 	/* Cleanup */
 	if (envp != NULL) {
 		for (pair = envp; *pair != NULL; pair++) efree(*pair);
-		free_alloca(envp);
+		efree(envp);
 	}

-	free_alloca(argv);
+	efree(argv);
 	
 	RETURN_FALSE;
 }
--- a/ext/session/mod_mm.c
+++ b/ext/session/mod_mm.c
@ -264,7 +264,7 @@ PHP_MINIT_FUNCTION(ps_mm)
 		return FAILURE;
 		
    /* Directory + '/' + File + Module Name + Effective UID + \0 */	
-	ps_mm_path = do_alloca(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
+	ps_mm_path = emalloc(save_path_len+1+sizeof(PS_MM_FILE)+mod_name_len+strlen(euid)+1);
 	
 	memcpy(ps_mm_path, PS(save_path), save_path_len + 1);
 	if (save_path_len > 0 && ps_mm_path[save_path_len - 1] != DEFAULT_SLASH) {
@ -277,7 +277,7 @@ PHP_MINIT_FUNCTION(ps_mm)
 	
 	ret = ps_mm_initialize(ps_mm_instance, ps_mm_path);
 		
-	free_alloca(ps_mm_path);
+	efree(ps_mm_path);
   
 	if (ret != SUCCESS) {
 		free(ps_mm_instance);
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@ -1062,7 +1062,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 			case ST_DATETIME: {
 				char *tmp;

-				tmp = do_alloca(len + 1);
+				tmp = emalloc(len + 1);
 				memcpy(tmp, s, len);
 				tmp[len] = '\0';

@ -1073,7 +1073,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 					Z_STRLEN_P(ent->data) = len;
 					Z_STRVAL_P(ent->data) = estrndup(s, len);
 				}
-				free_alloca(tmp);
+				efree(tmp);
 			}
 				break;