Hi:
The function zend_register_constant expects c->name_len to equal
sizeof(c->name) for any struct _zend_constant named c. In
zend_register_standard_constants, sizeof() is used to compute the length
of the constant name correctly, but ZEND_STRL() is used to allocate the
string. ZEND_STRL() allocates a string without a null-terminator (using
sizeof(str) - 1).
The enclosed patch fixes the four one-byte read overruns by using
ZEND_STRS(), which allocates a string of the correct size.
Note: This could have been fixed by using strlen() or sizeof() - 1 to
compute the size, but it appears something in the engine is operating
under the assumption that constant names are null-terminated; leaving
off the null terminator causes 'undefined constant' errors. I don't know
if this is expected.
Patch is against ZE2, but ZE1 appears to have the same problem.
Index: zend_constants.c
RCS file: /repository/ZendEngine2/zend_constants.c,v
retrieving revision 1.48
diff -u -r1.48 zend_constants.c
--- zend_constants.c 21 May 2003 22:57:51 -0000 1.48
+++ zend_constants.c 31 May 2003 16:13:06 -0000
@@ -114,25 +114,25 @@
c.flags = CONST_PERSISTENT;
c.module_number = 0;
-
c.name = zend_strndup(ZEND_STRL("TRUE"));
-
c.name = zend_strndup(ZEND_STRS("TRUE")); c.name_len = sizeof("TRUE"); c.value.value.lval = 1; c.value.type = IS_BOOL; zend_register_constant(&c TSRMLS_CC);
-
c.name = zend_strndup(ZEND_STRL("FALSE"));
-
c.name = zend_strndup(ZEND_STRS("FALSE")); c.name_len = sizeof("FALSE"); c.value.value.lval = 0; c.value.type = IS_BOOL; zend_register_constant(&c TSRMLS_CC);
-
c.name = zend_strndup(ZEND_STRL("ZEND_THREAD_SAFE"));
-
c.name = zend_strndup(ZEND_STRS("ZEND_THREAD_SAFE")); c.name_len = sizeof("ZEND_THREAD_SAFE"); c.value.value.lval = ZTS_V; c.value.type = IS_BOOL; zend_register_constant(&c TSRMLS_CC);
-
c.name = zend_strndup(ZEND_STRL("NULL"));
-
c.name = zend_strndup(ZEND_STRS("NULL")); c.name_len = sizeof("NULL"); c.value.type = IS_NULL; zend_register_constant(&c TSRMLS_CC);
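Review bot: the invariant the fix depends on (c.name_len equal to sizeof(literal) with the terminator counted, and the allocation at least that long) is now encoded twice at each of the four sites, once as ZEND_STRS() inside the zend_strndup() call and once as a separate sizeof() in the name_len assignment, with nothing in the hunk tying the two together; a later edit that changes one without the other silently reintroduces the one-byte overrun. Consider deriving both from a single literal, e.g. collapsing `c.name = zend_strndup(ZEND_STRS("TRUE")); c.name_len = sizeof("TRUE");` into one helper macro (a name such as REGISTER_CONST_NAME(c, "TRUE") is only a suggestion), and adding a comment above the block stating that name_len counts the terminator, since the cover text says the engine silently assumes it. The cover text also notes that ZE1 appears to have the same problem, but the diff touches only the ZendEngine2 file.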
Thanks,
- Dave
dave@codewhore.org
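As an added illustration of the mismatch Dave describes (this is not part of the patch or the thread, and not the engine's code), the C model below reproduces the two ZEND_STRL()/ZEND_STRS() macro definitions, copies a constant name with each, records name_len the way the registration sites do (a separate sizeof()), and checks the resulting invariant without ever reading outside the buffer. `dup_exact` is a constructed duplicator that copies exactly the requested byte count, standing in for the "string without a null-terminator" the message describes; it is not zend_strndup(). `model_constant`, `register_model`, `overrun_bytes` and `name_is_well_formed` are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The two Zend macros the message contrasts: ZEND_STRL() yields the
 * literal's length without its NUL terminator, ZEND_STRS() includes it. */
#define ZEND_STRL(str) (str), (sizeof(str) - 1)
#define ZEND_STRS(str) (str), (sizeof(str))

/* Constructed model of the fields the patch touches. alloc_len is
 * bookkeeping added for the check; it is not a field of _zend_constant. */
struct model_constant {
    char  *name;
    size_t name_len;   /* the engine expects this to equal sizeof(literal) */
    size_t alloc_len;  /* bytes actually allocated for name */
};

/* Constructed duplicator: copies exactly `length` bytes and reports the
 * allocation size. It models the message's description of the ZEND_STRL()
 * case (no terminator copied); it is not the engine's zend_strndup(). */
static char *dup_exact(const char *s, size_t length, size_t *alloc_len)
{
    char *p = malloc(length);
    if (p == NULL) {
        return NULL;
    }
    memcpy(p, s, length);
    *alloc_len = length;
    return p;
}

/* Mirrors one of the four registration sites: the (str, copy_len) pair
 * comes from ZEND_STRL()/ZEND_STRS(), name_len from a separate sizeof(). */
static int register_model(struct model_constant *c, const char *s,
                          size_t copy_len, size_t name_len)
{
    c->name = dup_exact(s, copy_len, &c->alloc_len);
    c->name_len = name_len;
    return c->name != NULL;
}

/* Bytes the engine would read past the allocation when it consumes
 * name_len bytes of name; 0 means the length and the allocation agree. */
static size_t overrun_bytes(const struct model_constant *c)
{
    return c->name_len > c->alloc_len ? c->name_len - c->alloc_len : 0;
}

/* Full invariant: every byte in name[0 .. name_len-1] lies inside the
 * allocation and the last one is the terminator. The bounds test comes
 * first, so this is safe to call on the buggy case as well. */
static int name_is_well_formed(const struct model_constant *c)
{
    if (c->name == NULL || c->name_len == 0 || overrun_bytes(c) != 0) {
        return 0;
    }
    return c->name[c->name_len - 1] == '\0';
}

/* Before the patch: ZEND_STRL() for the copy, sizeof() for name_len.
 * name_len is 5 but only 4 bytes were copied, so one byte is read past
 * the allocation. */
static size_t overrun_before_fix(void)
{
    struct model_constant c = {0};
    register_model(&c, ZEND_STRL("TRUE"), sizeof("TRUE"));
    size_t n = overrun_bytes(&c);
    free(c.name);
    return n;
}

/* After the patch: ZEND_STRS() for the copy, sizeof() for name_len.
 * The copied bytes include the terminator and match name_len exactly. */
static int well_formed_after_fix(void)
{
    struct model_constant c = {0};
    register_model(&c, ZEND_STRS("TRUE"), sizeof("TRUE"));
    int ok = name_is_well_formed(&c);
    free(c.name);
    return ok;
}

int main(void)
{
    printf("ZEND_STRL copy: %zu byte(s) read past the allocation\n",
           overrun_before_fix());
    printf("ZEND_STRS copy: well formed = %d\n", well_formed_after_fix());
    return 0;
}
```

The check deliberately compares name_len against the recorded allocation size rather than probing name[name_len - 1] directly, because in the buggy case that probe is itself the out-of-bounds read; the same pattern (track what was allocated, compare before dereferencing) is what a debug assertion at the registration sites would need.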
At 18:59 31.05.2003, David Brown wrote:
> [...]
> The enclosed patch fixes the four one-byte read overruns by using
> ZEND_STRS(), which allocates a string of the correct size.
> [...]
Thanks & applied.
marcus