On 21/01/15 07:28, Joshua Rogers wrote:
> ---
>  ext/mbstring/mbstring.c         | 8 ++++----
>  ext/reflection/php_reflection.c | 1 +
>  main/main.c                     | 1 +
>  3 files changed, 6 insertions(+), 4 deletions(-)
>
> diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
> index 7f2209f..504a5e6 100644
> --- a/ext/mbstring/mbstring.c
> +++ b/ext/mbstring/mbstring.c
> @@ -3891,7 +3891,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, 
> const char *str, size_t
>       int state = 0;
>       int crlf_state = -1;
>       char *token = NULL;
> -     size_t token_pos;
> +     size_t token_pos = 0;
>       zend_string *fld_name, *fld_val;
>  
>       ps = str;
> @@ -3917,7 +3917,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, 
> const char *str, size_t
>                               }
>  
>                               if (state == 0 || state == 1) {
> -                                     if(token) {
> +                                     if(token && token_pos > 0) {
>                                               fld_name = 
> zend_string_init(token, token_pos, 0);
>                                       }
>                                       state = 2;
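Review bot: When `token_pos` is 0, the new guard `if(token && token_pos > 0)` skips the assignment to `fld_name` while `state = 2` still runs, so `fld_name` keeps whatever it held before; the declaration `zend_string *fld_name, *fld_val;` has no initializer in the visible lines. The same applies to `fld_val` in the `case 3` hunk and in the hunk after `out:`, where `fld_name != NULL && fld_val != NULL` is then tested. Most of `_php_mbstr_parse_mail_headers` lies outside these hunks, so if the pointers are not reset to NULL elsewhere I would initialise them at the declaration, `zend_string *fld_name = NULL, *fld_val = NULL;`. A comment on the guard should also say that an empty token is deliberately dropped rather than stored as an empty string. The description's overflow claim deserves a sentence of explanation in the commit message, since `token_pos > 0` only excludes the zero-length case and the bound on `token` is not visible here.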
> @@ -3983,7 +3983,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, 
> const char *str, size_t
>  
>                                       case 3:
>                                               if (crlf_state == -1) {
> -                                                     if(token) {
> +                                                     if(token && token_pos > 
> 0) {
>                                                               fld_val = 
> zend_string_init(token, token_pos, 0);
>                                                       }
>  
> @@ -4032,7 +4032,7 @@ out:
>               state = 3;
>       }
>       if (state == 3) {
> -             if(token) {
> +             if(token && token_pos > 0) {
>                       fld_val = zend_string_init(token, token_pos, 0);
>               }
>               if (fld_name != NULL && fld_val != NULL) {
> diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
> index 3f5c7a9..1f5085c 100644
> --- a/ext/reflection/php_reflection.c
> +++ b/ext/reflection/php_reflection.c
> @@ -3978,6 +3978,7 @@ static int _adddynproperty(zval *ptr, int num_args, 
> va_list args, zend_hash_key
>       if (zend_get_property_info(ce, hash_key->key, 1) == NULL) {
>               zend_property_info property_info;
>  
> +             property_info.doc_comment = NULL;
>               property_info.flags = ZEND_ACC_IMPLICIT_PUBLIC;
>               property_info.name = hash_key->key;
>               property_info.ce = ce;
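Review bot: `property_info` is still a stack struct filled member by member, so any `zend_property_info` member not assigned in this block stays indeterminate, which is the same class of defect this line fixes for `doc_comment`. Zero-initialising at the declaration, `zend_property_info property_info = {0};`, would also cover members added to the struct later. The `zuv` hunk in main/main.c has the same shape: `import_use_extension_length` was a missed member, and the declaration of `zuv` is outside that hunk, so whether it is zeroed cannot be confirmed from here. `_adddynproperty` continues past the end of this hunk.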
> diff --git a/main/main.c b/main/main.c
> index 3aef805..50d0161 100644
> --- a/main/main.c
> +++ b/main/main.c
> @@ -2255,6 +2255,7 @@ int php_module_startup(sapi_module_struct *sf, 
> zend_module_entry *additional_mod
>  
>       zuv.html_errors = 1;
>       zuv.import_use_extension = ".php";
> +     zuv.import_use_extension_length = 
> (uint)strlen(zuv.import_use_extension);
>       php_startup_auto_globals();
>       zend_set_utility_values(&zuv);
>       php_startup_sapi_content_types();
This also fixes a potential buffer overflow (see the "&& token_pos > 0"
additions).


Thanks,

-- 
-- Joshua Rogers <https://internot.info/>

Attachment: signature.asc
Description: OpenPGP digital signature
