~ubuntu-branches/ubuntu/gutsy/php5/gutsy


Viewing changes to main/output.c

  • Committer: Bazaar Package Importer
  • Author(s): Martin Pitt, CVE-2007-0905, CVE-2007-0906, CVE-2007-0909, CVE-2007-0910
  • Date: 2007-02-20 17:54:46 UTC
  • mfrom: (1.1.6 upstream)
  • Revision ID: james.westby@ubuntu.com-20070220175446-nudqyuv0dfowel3r
Tags: 5.2.1-0ubuntu1
* New upstream security/bugfix release:
  - safe_mode & open_basedir bypasses inside the session extension
    [CVE-2007-0905]
  - multiple buffer overflows in various extensions and functions
    [CVE-2007-0906]
  - underflow in the internal sapi_header_op() function [CVE-2007-0907]
  - information disclosure in the wddx extension [CVE-2007-0908]
  - string format vulnerability in *print() functions on 64 bit systems
    [CVE-2007-0909]
  - possible clobbering of super-globals in several code paths
    [CVE-2007-0910]
* Adapted patches to new upstream release:
  - 006-debian_quirks.patch
  - 034-apache2_umask_fix.patch
  - 044-strtod_arm_fix.patch
* Drop 109-libdb4.4.patch: Obsolete, upstream now checks for db 4.5 and 4.4.
* Drop 114-zend_alloc.c_m68k_alignment.patch and
  115-zend_alloc.c_memleak.patch: Applied upstream.
* Add debian/patches/000upstream-str_ireplace_offbyone.patch:
  - Fix off-by-one in str_ireplace(), a regression introduced in 5.2.1.
  - Patch taken from upstream CVS:
    http://cvs.php.net/viewvc.cgi/php-src/ext/standard/string.c?r1=1.630&r2=1.631
  - CVE-2007-0911
* debian/control: Set Ubuntu maintainer.

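--- a/main/output.c
+++ b/main/output.c
@@ -2,7 +2,7 @@
    +----------------------------------------------------------------------+
    | PHP Version 5                                                        |
    +----------------------------------------------------------------------+
-   | Copyright (c) 1997-2006 The PHP Group                                |
+   | Copyright (c) 1997-2007 The PHP Group                                |
    +----------------------------------------------------------------------+
    | This source file is subject to version 3.01 of the PHP license,      |
    | that is bundled with this package in the file LICENSE, and is        |
@@ -18,7 +18,7 @@
    +----------------------------------------------------------------------+
 */
 
-/* $Id: output.c,v 1.167.2.3 2006/03/27 08:26:10 tony2001 Exp $ */
+/* $Id: output.c,v 1.167.2.3.2.2 2007/01/29 11:21:31 dmitry Exp $ */
 
 #include "php.h"
 #include "ext/standard/head.h"
@@ -416,9 +416,23 @@
  */
 static int php_ob_init_named(uint initial_size, uint block_size, char *handler_name, zval *output_handler, uint chunk_size, zend_bool erase TSRMLS_DC)
 {
+        php_ob_buffer tmp_buf;
+
         if (output_handler && !zend_is_callable(output_handler, 0, NULL)) {
                 return FAILURE;
         }
+        
+        tmp_buf.block_size = block_size;
+        tmp_buf.size = initial_size;
+        tmp_buf.buffer = (char *) emalloc(initial_size+1);
+        tmp_buf.text_length = 0;
+        tmp_buf.output_handler = output_handler;
+        tmp_buf.chunk_size = chunk_size;
+        tmp_buf.status = 0;
+        tmp_buf.internal_output_handler = NULL;
+        tmp_buf.handler_name = estrdup(handler_name&&handler_name[0]?handler_name:OB_DEFAULT_HANDLER_NAME);
+        tmp_buf.erase = erase;
+
         if (OG(ob_nesting_level)>0) {
 #if HAVE_ZLIB && !defined(COMPILE_DL_ZLIB)
                 if (!strncmp(handler_name, "ob_gzhandler", sizeof("ob_gzhandler")) && php_ob_gzhandler_check(TSRMLS_C)) {
@@ -431,16 +445,7 @@
                 zend_stack_push(&OG(ob_buffers), &OG(active_ob_buffer), sizeof(php_ob_buffer));
         }
         OG(ob_nesting_level)++;
-        OG(active_ob_buffer).block_size = block_size;
-        OG(active_ob_buffer).size = initial_size;
-        OG(active_ob_buffer).buffer = (char *) emalloc(initial_size+1);
-        OG(active_ob_buffer).text_length = 0;
-        OG(active_ob_buffer).output_handler = output_handler;
-        OG(active_ob_buffer).chunk_size = chunk_size;
-        OG(active_ob_buffer).status = 0;
-        OG(active_ob_buffer).internal_output_handler = NULL;
-        OG(active_ob_buffer).handler_name = estrdup(handler_name&&handler_name[0]?handler_name:OB_DEFAULT_HANDLER_NAME);
-        OG(active_ob_buffer).erase = erase;
+        OG(active_ob_buffer) = tmp_buf;
         OG(php_body_write) = php_b_body_write;
         return SUCCESS;
 }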
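Review bot: An early return after new line 433 would leave `tmp_buf.buffer` and `tmp_buf.handler_name` unreleased, because both are now allocated before the `ob_gzhandler` check at new line 438 rather than after the stack push. The body of that `if` (new lines 439-444) is not shown on this page; if it returns `FAILURE`, either move the `#if HAVE_ZLIB` check above the `tmp_buf` setup or release first with `efree(tmp_buf.buffer); efree(tmp_buf.handler_name);`. The same `strncmp` reads `handler_name` unguarded while new line 433 allows for it being NULL or empty, so the two lines should agree on whether NULL is a valid argument. A one-line comment above the `tmp_buf` setup stating why the buffer is built locally before `OG(active_ob_buffer)` is touched (presumably so a failed allocation cannot leave the active buffer half-initialised) would keep a later cleanup from folding the assignments back.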