Merge branch 'PHP-5.4' into PHP-5.5

smalyshev · smalyshev · commit 723ffe2e896f · 2015-03-22T18:30:56.000-07:00
* PHP-5.4:
  Bacport fix bug #68741 - Null pointer dereference
  Check that the type is correct
diff --git a/NEWS b/NEWS
@@ -33,6 +33,9 @@ PHP                                                                        NEWS
 - OpenSSL:
    . Fixed bug #67403 (Add signatureType to openssl_x509_parse).
 
+- Postgres:
+  . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui)
+
 - SPL:
    . Fixed bug #69227 (Use after free in zval_scan caused by
      spl_object_storage_get_gc). (adam dot scarr at 99designs dot com)
diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
@@ -6136,6 +6136,9 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const c
 	/* schame.table should be "schame"."table" */
 	table_copy = estrdup(table);
 	token = php_strtok_r(table_copy, ".", &tmp);
+	if (token == NULL) {
+		token = table;
+	}
 	len = strlen(token);
 	if (_php_pgsql_detect_identifier_escape(token, len) == SUCCESS) {
 		smart_str_appendl(querystr, token, len);
diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c
@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen)
 
 	object_properties = Z_OBJPROP_P(object);
 
-	if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) {
+	if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) {
 		retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
 
 		if (nlen) {
