Skip to content

Commit 23ef0a1

Browse files
ptomuliknikic
ptomulik
authored and
nikic
committed
Fix some memory bugs in ldap.c
1 parent 3d5de7d commit 23ef0a1

File tree

1 file changed

+38
-8
lines changed

1 file changed

+38
-8
lines changed

ext/ldap/ldap.c

Lines changed: 38 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -283,7 +283,8 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
283283
int control_iscritical = 0, rc = LDAP_SUCCESS;
284284
char** ldap_attrs = NULL;
285285
LDAPSortKey** sort_keys = NULL;
286-
zend_string *tmpstring = NULL;
286+
zend_string *tmpstring = NULL, **tmpstrings1 = NULL, **tmpstrings2 = NULL;
287+
size_t num_tmpstrings1 = 0, num_tmpstrings2 = 0;
287288

288289
if ((val = zend_hash_str_find(Z_ARRVAL_P(array), "oid", sizeof("oid") - 1)) == NULL) {
289290
php_error_docref(NULL, E_WARNING, "Control must have an oid key");
@@ -397,7 +398,6 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
397398
if (ber_flatten2(vrber, control_value, 0) == -1) {
398399
rc = -1;
399400
}
400-
ber_free(vrber, 1);
401401
}
402402
}
403403
}
@@ -419,6 +419,8 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
419419

420420
num_attribs = zend_hash_num_elements(Z_ARRVAL_P(tmp));
421421
ldap_attrs = safe_emalloc((num_attribs+1), sizeof(char *), 0);
422+
tmpstrings1 = safe_emalloc(num_attribs, sizeof(zend_string*), 0);
423+
num_tmpstrings1 = 0;
422424

423425
for (i = 0; i<num_attribs; i++) {
424426
if ((attr = zend_hash_index_find(Z_ARRVAL_P(tmp), i)) == NULL) {
@@ -427,12 +429,13 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
427429
goto failure;
428430
}
429431

430-
tmpstring = zval_get_string(attr);
432+
tmpstrings1[num_tmpstrings1] = zval_get_string(attr);
431433
if (EG(exception)) {
432434
rc = -1;
433435
goto failure;
434436
}
435-
ldap_attrs[i] = ZSTR_VAL(tmpstring);
437+
ldap_attrs[i] = ZSTR_VAL(tmpstrings1[num_tmpstrings1]);
438+
++num_tmpstrings1;
436439
}
437440
ldap_attrs[num_attribs] = NULL;
438441

@@ -457,6 +460,10 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
457460

458461
num_keys = zend_hash_num_elements(Z_ARRVAL_P(val));
459462
sort_keys = safe_emalloc((num_keys+1), sizeof(LDAPSortKey*), 0);
463+
tmpstrings1 = safe_emalloc(num_keys, sizeof(zend_string*), 0);
464+
tmpstrings2 = safe_emalloc(num_keys, sizeof(zend_string*), 0);
465+
num_tmpstrings1 = 0;
466+
num_tmpstrings2 = 0;
460467

461468
for (i = 0; i<num_keys; i++) {
462469
if ((sortkey = zend_hash_index_find(Z_ARRVAL_P(val), i)) == NULL) {
@@ -471,20 +478,22 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
471478
goto failure;
472479
}
473480
sort_keys[i] = emalloc(sizeof(LDAPSortKey));
474-
tmpstring = zval_get_string(tmp);
481+
tmpstrings1[num_tmpstrings1] = zval_get_string(tmp);
475482
if (EG(exception)) {
476483
rc = -1;
477484
goto failure;
478485
}
479-
sort_keys[i]->attributeType = ZSTR_VAL(tmpstring);
486+
sort_keys[i]->attributeType = ZSTR_VAL(tmpstrings1[num_tmpstrings1]);
487+
++num_tmpstrings1;
480488

481489
if ((tmp = zend_hash_str_find(Z_ARRVAL_P(sortkey), "oid", sizeof("oid") - 1)) != NULL) {
482-
tmpstring = zval_get_string(tmp);
490+
tmpstrings2[num_tmpstrings2] = zval_get_string(tmp);
483491
if (EG(exception)) {
484492
rc = -1;
485493
goto failure;
486494
}
487-
sort_keys[i]->orderingRule = ZSTR_VAL(tmpstring);
495+
sort_keys[i]->orderingRule = ZSTR_VAL(tmpstrings2[num_tmpstrings2]);
496+
++num_tmpstrings2;
488497
} else {
489498
sort_keys[i]->orderingRule = NULL;
490499
}
@@ -591,6 +600,20 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
591600
if (tmpstring != NULL) {
592601
zend_string_release(tmpstring);
593602
}
603+
if (tmpstrings1 != NULL) {
604+
int i;
605+
for (i = 0; i < num_tmpstrings1; ++i) {
606+
zend_string_release(tmpstrings1[i]);
607+
}
608+
efree(tmpstrings1);
609+
}
610+
if (tmpstrings2 != NULL) {
611+
int i;
612+
for (i = 0; i < num_tmpstrings2; ++i) {
613+
zend_string_release(tmpstrings2[i]);
614+
}
615+
efree(tmpstrings2);
616+
}
594617
if (control_value != NULL) {
595618
ber_memfree(control_value);
596619
control_value = NULL;
@@ -3438,6 +3461,7 @@ PHP_FUNCTION(ldap_parse_result)
34383461
/* Reverse -> fall through */
34393462
switch (myargcount) {
34403463
case 7:
3464+
zval_ptr_dtor(serverctrls);
34413465
_php_ldap_controls_to_array(ld->link, lserverctrls, serverctrls, 0);
34423466
case 6:
34433467
zval_ptr_dtor(referrals);
@@ -4327,6 +4351,11 @@ PHP_FUNCTION(ldap_exop_passwd)
43274351
lnewpw.bv_len > 0 ? &lnewpw : NULL,
43284352
requestctrls,
43294353
NULL, &msgid);
4354+
4355+
if (requestctrls != NULL) {
4356+
efree(requestctrls);
4357+
}
4358+
43304359
if (rc != LDAP_SUCCESS ) {
43314360
php_error_docref(NULL, E_WARNING, "Passwd modify extended operation failed: %s (%d)", ldap_err2string(rc), rc);
43324361
RETURN_FALSE;
@@ -4366,6 +4395,7 @@ PHP_FUNCTION(ldap_exop_passwd)
43664395
}
43674396

43684397
if (myargcount > 4) {
4398+
zval_ptr_dtor(serverctrls);
43694399
_php_ldap_controls_to_array(ld->link, lserverctrls, serverctrls, 0);
43704400
}
43714401

0 commit comments

Comments
 (0)