From fb83c76deec58f1fab17c350f04c9f042e5977d1 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 22 Mar 2015 18:17:47 -0700 Subject: [PATCH 1/2] Check that the type is correct --- ext/standard/incomplete_class.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c index 1816ac4605b..30c82e67e67 100644 --- a/ext/standard/incomplete_class.c +++ b/ext/standard/incomplete_class.c @@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen) object_properties = Z_OBJPROP_P(object); - if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) { + if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) { retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val)); if (nlen) { From 968fbc6acf0bc27be17c0209be7f966e89a55943 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 22 Mar 2015 18:20:59 -0700 Subject: [PATCH 2/2] Bacport fix bug #68741 - Null pointer dereference --- NEWS | 3 +++ ext/pgsql/pgsql.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/NEWS b/NEWS index 715227eb386..365615418dd 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,9 @@ PHP NEWS . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (Dmitry) +- Postgres: + . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui) + 19 Mar 2015 PHP 5.4.39 - Core: diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index 16ce7bfb7f9..eb557777583 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -6117,6 +6117,9 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const c /* schame.table should be "schame"."table" */ table_copy = estrdup(table); token = php_strtok_r(table_copy, ".", &tmp); + if (token == NULL) { + token = table; + } len = strlen(token); if (_php_pgsql_detect_identifier_escape(token, len) == SUCCESS) { smart_str_appendl(querystr, token, len);