Newsgroups: php.internals
Date: Sat, 31 May 2003 12:59:48 -0400
To: PHP Developers List <internals@lists.php.net>
Message-ID: <20030531165948.GA20195@codewhore.org>
Sender: David Brown
Subject: [PATCH] Fix off-by-one in zend_register_standard_constants
From: dave@codewhore.org (David Brown)

Hi:

The function zend_register_constant expects c->name_len to equal sizeof(c->name) for any struct _zend_constant named c. In zend_register_standard_constants, sizeof() is used to compute the length of the constant name correctly, but ZEND_STRL() is used to allocate the string. ZEND_STRL() allocates a string without a null terminator (using sizeof(str) - 1). The enclosed patch fixes the four one-byte read overruns by using ZEND_STRS(), which allocates a string of the correct size.

Note: This could have been fixed by using strlen() or sizeof() - 1 to compute the size, but it appears something in the engine is operating under the assumption that constant names are null-terminated; leaving off the null terminator causes 'undefined constant' errors. I don't know if this is expected.

Patch is against ZE2, but ZE1 appears to have the same problem.

Index: zend_constants.c
===================================================================
RCS file: /repository/ZendEngine2/zend_constants.c,v
retrieving revision 1.48
diff -u -r1.48 zend_constants.c
--- zend_constants.c	21 May 2003 22:57:51 -0000	1.48
+++ zend_constants.c	31 May 2003 16:13:06 -0000
@@ -114,25 +114,25 @@ c.flags = CONST_PERSISTENT; c.module_number = 0; - c.name = zend_strndup(ZEND_STRL("TRUE")); + c.name = zend_strndup(ZEND_STRS("TRUE")); c.name_len = sizeof("TRUE"); c.value.value.lval = 1; c.value.type = IS_BOOL; zend_register_constant(&c TSRMLS_CC); - c.name = zend_strndup(ZEND_STRL("FALSE")); + c.name = zend_strndup(ZEND_STRS("FALSE")); c.name_len = sizeof("FALSE"); c.value.value.lval = 0; c.value.type = IS_BOOL; zend_register_constant(&c TSRMLS_CC); - c.name = zend_strndup(ZEND_STRL("ZEND_THREAD_SAFE")); + c.name = zend_strndup(ZEND_STRS("ZEND_THREAD_SAFE")); c.name_len = sizeof("ZEND_THREAD_SAFE"); c.value.value.lval = ZTS_V; c.value.type = IS_BOOL; zend_register_constant(&c TSRMLS_CC); - c.name = zend_strndup(ZEND_STRL("NULL")); + c.name = zend_strndup(ZEND_STRS("NULL")); c.name_len = sizeof("NULL"); c.value.type = IS_NULL; zend_register_constant(&c TSRMLS_CC); Thanks, - Dave dave@codewhore.org
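Review bot: each of the four registrations in this hunk still spells the constant name twice, once in `c.name = zend_strndup(ZEND_STRS("TRUE"));` and once in `c.name_len = sizeof("TRUE");`, so the fix only holds while both literals stay identical; a small helper or macro that takes the literal once and sets both `c.name` and `c.name_len` from it would stop the allocation and the recorded length from drifting apart again. The mail also says the engine relies on `name_len` including the terminator without knowing why, and that ZE1 has the same problem, which this patch does not touch; a one-line comment at the registration site stating that `name_len` is `sizeof()`, terminator included, would record the assumption the fix depends on.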
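As an added illustration (not code from the mail or from the Zend Engine), the C program below models the two macros the mail contrasts and the invariant it states; it assumes a hypothetical demo_strndup stand-in for zend_strndup that records the length it was given, so a registration check can flag a name_len that does not match the size the name was duplicated with.

```c
#include <stdlib.h>
#include <string.h>

/* The two Zend macros the mail contrasts: ZEND_STRL passes the length
 * without the terminating NUL, ZEND_STRS passes sizeof(), which includes it. */
#define ZEND_STRL(str) (str), (sizeof(str) - 1)
#define ZEND_STRS(str) (str), (sizeof(str))

/* Hypothetical stand-in for struct _zend_constant: only the fields the patch
 * touches, plus dup_len, a bookkeeping field added for this example. */
typedef struct {
    char *name;
    unsigned int name_len; /* length the engine is told */
    unsigned int dup_len;  /* length actually passed to the strndup call */
} demo_constant;

/* Stand-in for zend_strndup: copies length bytes, appends a NUL and records
 * length so the registration check can compare it with name_len. */
static char *demo_strndup(const char *s, unsigned int length, unsigned int *dup_len)
{
    char *p = malloc(length + 1);
    if (!p) return NULL;
    memcpy(p, s, length);
    p[length] = '\0';
    *dup_len = length;
    return p;
}

/* The invariant stated in the mail: name_len must equal the size the name was
 * duplicated with, and the terminator must lie inside those name_len bytes. */
static int demo_register_constant(const demo_constant *c)
{
    return c->name_len == c->dup_len && c->name[c->name_len - 1] == '\0';
}

/* Registers "TRUE" as the hunk's '-' line (use_strs = 0, ZEND_STRL) or its
 * '+' line (use_strs = 1, ZEND_STRS) does. Returns 1 if the invariant holds,
 * 0 on mismatch, -1 on allocation failure. */
int demo_register_true(int use_strs)
{
    demo_constant c;
    c.name = use_strs ? demo_strndup(ZEND_STRS("TRUE"), &c.dup_len)
                      : demo_strndup(ZEND_STRL("TRUE"), &c.dup_len);
    c.name_len = sizeof("TRUE"); /* unchanged by the patch */
    if (!c.name) return -1;
    int ok = demo_register_constant(&c);
    free(c.name);
    return ok;
}
```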