Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4

cjbj · cjbj · commit b4b4372c8816 · 2013-09-26T09:57:30.000-07:00
# By Adam Harvey # Via Adam Harvey * 'PHP-5.4' of https://git.php.net/repository/php-src: Copy dba_*() keys before converting to string.
diff --git a/NEWS b/NEWS
@@ -10,6 +10,10 @@ PHP                                                                        NEWS
   . Fixed bug #64157 (DateTime::createFromFormat() reports confusing error
     message). (Boro Sitnikovski)
 
+- DBA extension:
+  . Fixed bug #65708 (dba functions cast $key param to string in-place,
+    bypassing copy on write). (Adam)
+
 - Filter:
   . Add RFC 6598 IPs to reserved addresses. (Sebastian Nohn)
   . Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
diff --git a/ext/dba/dba.c b/ext/dba/dba.c
@@ -226,12 +226,17 @@ static size_t php_dba_make_key(zval *key, char **key_str, char **key_free TSRMLS
 		*key_free = *key_str;
 		return len;
 	} else {
-		*key_free = NULL;
+		zval tmp = *key;
+		int len;
 
-		convert_to_string(key);
-		*key_str = Z_STRVAL_P(key);
+		zval_copy_ctor(&tmp);
+		convert_to_string(&tmp);
 
-		return Z_STRLEN_P(key);
+		*key_free = *key_str = estrndup(Z_STRVAL(tmp), Z_STRLEN(tmp));
+		len = Z_STRLEN(tmp);
+
+		zval_dtor(&tmp);
+		return len;
 	}
 }
 /* }}} */
@@ -297,6 +302,14 @@ static size_t php_dba_make_key(zval *key, char **key_str, char **key_free TSRMLS
 		RETURN_FALSE; \
 	}
 
+/* the same check, but with a call to DBA_ID_DONE before returning */
+#define DBA_WRITE_CHECK_WITH_ID \
+	if(info->mode != DBA_WRITER && info->mode != DBA_TRUNC && info->mode != DBA_CREAT) { \
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "You cannot perform a modification to a database without proper access"); \
+		DBA_ID_DONE; \
+		RETURN_FALSE; \
+	}
+
 /* }}} */
 
 /* {{{ globals */
@@ -557,7 +570,7 @@ static void php_dba_update(INTERNAL_FUNCTION_PARAMETERS, int mode)
 
 	DBA_FETCH_RESOURCE(info, &id);
 
-	DBA_WRITE_CHECK;
+	DBA_WRITE_CHECK_WITH_ID;
 
 	if (info->hnd->update(info, key_str, key_len, val, val_len, mode TSRMLS_CC) == SUCCESS) {
 		DBA_ID_DONE;
@@ -1110,7 +1123,7 @@ PHP_FUNCTION(dba_delete)
 {
 	DBA_ID_GET2;
 	
-	DBA_WRITE_CHECK;
+	DBA_WRITE_CHECK_WITH_ID;
 	
 	if(info->hnd->delete(info, key_str, key_len TSRMLS_CC) == SUCCESS)
 	{
diff --git a/ext/dba/tests/bug65708.phpt b/ext/dba/tests/bug65708.phpt
@@ -0,0 +1,38 @@
+--TEST--
+Bug #65708 (dba functions cast $key param to string in-place, bypassing copy on write)
+--SKIPIF--
+<?php 
+	require_once(dirname(__FILE__) .'/skipif.inc');
+?>
+--FILE--
+<?php
+
+error_reporting(E_ALL);
+
+require_once(dirname(__FILE__) .'/test.inc');
+
+$db = dba_popen($db_filename, 'c');
+
+$key = 1;
+$copy = $key;
+
+echo gettype($key)."\n";
+echo gettype($copy)."\n";
+
+dba_exists($key, $db);
+
+echo gettype($key)."\n";
+echo gettype($copy)."\n";
+
+dba_close($db);
+
+?>
+--CLEAN--
+<?php 
+	require(dirname(__FILE__) .'/clean.inc'); 
+?>
+--EXPECT--
+integer
+integer
+integer
+integer
