
Commit bee2cf0

committed
Merge branch 'PHP-7.4'
* PHP-7.4: Fix some memory bugs in ldap.c
2 parents d59709d + 2235286 commit bee2cf0


1 file changed

+36
-8
lines changed


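--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -280,7 +280,8 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
 int control_iscritical = 0, rc = LDAP_SUCCESS;
 char** ldap_attrs = NULL;
 LDAPSortKey** sort_keys = NULL;
-zend_string *tmpstring = NULL;
+zend_string *tmpstring = NULL, **tmpstrings1 = NULL, **tmpstrings2 = NULL;
+size_t num_tmpstrings1 = 0, num_tmpstrings2 = 0;
 
 if ((val = zend_hash_str_find(Z_ARRVAL_P(array), "oid", sizeof("oid") - 1)) == NULL) {
 php_error_docref(NULL, E_WARNING, "Control must have an oid key");
@@ -394,7 +395,6 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
 if (ber_flatten2(vrber, control_value, 0) == -1) {
 rc = -1;
 }
-ber_free(vrber, 1);
 }
 }
 }
@@ -416,6 +416,8 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
 
 num_attribs = zend_hash_num_elements(Z_ARRVAL_P(tmp));
 ldap_attrs = safe_emalloc((num_attribs+1), sizeof(char *), 0);
+tmpstrings1 = safe_emalloc(num_attribs, sizeof(zend_string*), 0);
+num_tmpstrings1 = 0;
 
 for (i = 0; i<num_attribs; i++) {
 if ((attr = zend_hash_index_find(Z_ARRVAL_P(tmp), i)) == NULL) {
@@ -424,12 +426,13 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
 goto failure;
 }
 
-tmpstring = zval_get_string(attr);
+tmpstrings1[num_tmpstrings1] = zval_get_string(attr);
 if (EG(exception)) {
 rc = -1;
 goto failure;
 }
-ldap_attrs[i] = ZSTR_VAL(tmpstring);
+ldap_attrs[i] = ZSTR_VAL(tmpstrings1[num_tmpstrings1]);
+++num_tmpstrings1;
 }
 ldap_attrs[num_attribs] = NULL;
 
@@ -454,6 +457,10 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
 
 num_keys = zend_hash_num_elements(Z_ARRVAL_P(val));
 sort_keys = safe_emalloc((num_keys+1), sizeof(LDAPSortKey*), 0);
+tmpstrings1 = safe_emalloc(num_keys, sizeof(zend_string*), 0);
+tmpstrings2 = safe_emalloc(num_keys, sizeof(zend_string*), 0);
+num_tmpstrings1 = 0;
+num_tmpstrings2 = 0;
 
 for (i = 0; i<num_keys; i++) {
 if ((sortkey = zend_hash_index_find(Z_ARRVAL_P(val), i)) == NULL) {
@@ -468,20 +475,22 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
 goto failure;
 }
 sort_keys[i] = emalloc(sizeof(LDAPSortKey));
-tmpstring = zval_get_string(tmp);
+tmpstrings1[num_tmpstrings1] = zval_get_string(tmp);
 if (EG(exception)) {
 rc = -1;
 goto failure;
 }
-sort_keys[i]->attributeType = ZSTR_VAL(tmpstring);
+sort_keys[i]->attributeType = ZSTR_VAL(tmpstrings1[num_tmpstrings1]);
+++num_tmpstrings1;
 
 if ((tmp = zend_hash_str_find(Z_ARRVAL_P(sortkey), "oid", sizeof("oid") - 1)) != NULL) {
-tmpstring = zval_get_string(tmp);
+tmpstrings2[num_tmpstrings2] = zval_get_string(tmp);
 if (EG(exception)) {
 rc = -1;
 goto failure;
 }
-sort_keys[i]->orderingRule = ZSTR_VAL(tmpstring);
+sort_keys[i]->orderingRule = ZSTR_VAL(tmpstrings2[num_tmpstrings2]);
+++num_tmpstrings2;
 } else {
 sort_keys[i]->orderingRule = NULL;
 }
@@ -588,6 +597,20 @@ static int _php_ldap_control_from_array(LDAP *ld, LDAPControl** ctrl, zval* arra
 if (tmpstring != NULL) {
 zend_string_release(tmpstring);
 }
+if (tmpstrings1 != NULL) {
+int i;
+for (i = 0; i < num_tmpstrings1; ++i) {
+zend_string_release(tmpstrings1[i]);
+}
+efree(tmpstrings1);
+}
+if (tmpstrings2 != NULL) {
+int i;
+for (i = 0; i < num_tmpstrings2; ++i) {
+zend_string_release(tmpstrings2[i]);
+}
+efree(tmpstrings2);
+}
 if (control_value != NULL) {
 ber_memfree(control_value);
 control_value = NULL;
@@ -4207,6 +4230,11 @@ PHP_FUNCTION(ldap_exop_passwd)
 lnewpw.bv_len > 0 ? &lnewpw : NULL,
 requestctrls,
 NULL, &msgid);
+
+if (requestctrls != NULL) {
+efree(requestctrls);
+}
+
 if (rc != LDAP_SUCCESS ) {
 php_error_docref(NULL, E_WARNING, "Passwd modify extended operation failed: %s (%d)", ldap_err2string(rc), rc);
 RETURN_FALSE;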
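Review bot: In the last hunk (`ldap_exop_passwd`), `efree(requestctrls)` releases only the pointer array; nothing visible here frees the control objects the array holds, and the pointer is left dangling after the free. The allocation is outside the hunk, so this needs confirming, but if the entries are created by the LDAP library each one presumably needs `ldap_control_free()` before the array goes, followed by `requestctrls = NULL;` so that no later cleanup path can free it a second time. Separately, the new cleanup loops in `_php_ldap_control_from_array` declare `int i;` and compare it against the `size_t` counters `num_tmpstrings1`/`num_tmpstrings2`, and the inner declaration appears to shadow the `i` the function already uses for its loops; a distinctly named `size_t` index avoids the signed/unsigned comparison. Both functions start and end outside the hunks shown.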
