head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.32 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.30 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.28 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.26 pkgsrc-2011Q2-base:1.2 pkgsrc-2009Q4:1.2.0.24 pkgsrc-2009Q4-base:1.2 pkgsrc-2008Q4:1.2.0.22 pkgsrc-2008Q4-base:1.2 pkgsrc-2008Q3:1.2.0.20 pkgsrc-2008Q3-base:1.2 cube-native-xorg:1.2.0.18 cube-native-xorg-base:1.2 pkgsrc-2008Q2:1.2.0.16 pkgsrc-2008Q2-base:1.2 pkgsrc-2008Q1:1.2.0.14 pkgsrc-2008Q1-base:1.2 pkgsrc-2007Q4:1.2.0.12 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.10 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.8 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.2.0.6 pkgsrc-2007Q1-base:1.2 pkgsrc-2006Q4:1.2.0.4 pkgsrc-2006Q4-base:1.2 pkgsrc-2006Q3:1.2.0.2 pkgsrc-2006Q3-base:1.2 pkgsrc-2006Q2:1.1.0.2; locks; strict; comment @# @; 1.2 date 2006.08.19.16.44.15; author taca; state dead; branches; next 1.1; 1.1 date 2006.08.10.05.57.09; author taca; state Exp; branches 1.1.2.1; next ; 1.1.2.1 date 2006.08.10.05.57.09; author ghen; state dead; branches; next 1.1.2.2; 1.1.2.2 date 2006.08.10.07.19.25; author ghen; state Exp; branches; next ; desc @@ 1.2 log @Update php5 package to 5.1.5: 17 Aug 2006, PHP 5.1.5 - Fixed memory_limit on 64bit systems. (Stefan E.) - Fixed overflow on 64bit systems in str_repeat() and wordwrap(). (Stefan E.) - Disabled CURLOPT_FOLLOWLOCATION in curl when open_basedir or safe_mode are enabled. (Stefan E., Ilia) - Fixed bug #38322 (reading past array in sscanf() leads to arbitrary code execution). (Tony) - Fixed bug #38125 (undefined reference to spl_dual_it_free_storage). (Marcus) - Fixed bug #38112 (corrupted gif segfaults) (Pierre) - Fixed bug #37587 (var without attribute causes segfault). (Marcus) - Fixed bug #37576 (FastCGI env (cgi vars) table overflow). (Piotr) - Fixed bug #37496 (FastCGI output buffer overrun). (Piotr, Dmitry) - Fixed bug #37487 (oci_fetch_array() array-type should always default to OCI_BOTH). 
(Tony) - Fixed bug #37416 (iterator_to_array() hides exceptions thrown in rewind() method). (Tony) - Fixed bug #37392 (Unnecessary call to OCITransRollback() at the end of request). (Tony) - Fixed bug #37341 ($_SERVER in included file is shortened to two entries, if $_ENV gets used). (Dmitry) - Fixed bug #37313 (sigemptyset() used without including ). (jdolecek) - Fixed bug #37346 (invalid colormap format) (Pierre) - Fixed bug #37360 (invalid gif size) (Pierre) - Fixed bug #37306 (max_execution_time = max_input_time). (Dmitry) - Fixed Bug #37278 (SOAP not respecting uri in __soapCall). (Dmitry) - Fixed bug #37265 (Added missing safe_mode & open_basedir checks to imap_body()). (Ilia) - Fixed bug #37256 (php-fastcgi dosen't handle connection abort). (Dmitry) @ text @$NetBSD: patch-aw,v 1.1 2006/08/10 05:57:09 taca Exp $ # Fix for Secunia Advisory SA21403
--- ext/standard/scanf.c.orig 2006-01-01 21:50:15.000000000 +0900
+++ ext/standard/scanf.c
@@@@ -732,7 +732,7 @@@@ PHPAPI int php_sscanf_internal( char *st
 if (*end == '$') {
 format = end+1;
 ch = format++;
- objIndex = varStart + value;
+ objIndex = varStart + value - 1;
 }
 }
@@@@ -762,7 +762,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 switch (*ch) {
 case 'n':
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 zend_uint refcount;
 current = args[objIndex++];
@@@@ -888,7 +890,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 }
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 zend_uint refcount;
 current = args[objIndex++];
@@@@ -932,7 +936,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 goto done;
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 zval_dtor( *current );
 ZVAL_STRINGL( *current, string, end-string, 1);
@@@@ -1089,7 +1095,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 value = (int) (*fn)(buf, NULL, base);
 if ((flags & SCAN_UNSIGNED) && (value < 0)) {
 sprintf(buf, "%u", value); /* INTL: ISO digit */
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 /* change passed value type to string */
 current = args[objIndex++];
 convert_to_string( *current );
@@@@ -1098,7 +1106,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 add_index_string(*return_value, objIndex++, buf, 1);
 }
 } else {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_long( *current );
 Z_LVAL(**current) = value;
@@@@ -1206,7 +1216,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 double dvalue;
 *end = '\0';
 dvalue = zend_strtod(buf, NULL);
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_double( *current );
 Z_DVAL_PP( current ) = dvalue;
@ 1.1 log @Add security fix for Secunia Advisory SA21403 from PHP's CVS repository. Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @ 1.1.2.1 log @file patch-aw was added on branch pkgsrc-2006Q2 on 2006-08-10 05:57:09 +0000 @ text @d1 81 @ 1.1.2.2 log @Pullup ticket 1786 - requested by taca security fix for php5 Revisions pulled up: - pkgsrc/lang/php5/Makefile 1.39 - pkgsrc/lang/php5/distinfo 1.26 - pkgsrc/lang/php5/patches/patch-aw 1.1 Module Name: pkgsrc Committed By: taca Date: Thu Aug 10 05:57:09 UTC 2006 Modified Files: pkgsrc/lang/php5: Makefile distinfo Added Files: pkgsrc/lang/php5/patches: patch-aw Log Message: Add security fix for Secunia Advisory SA21403 from PHP's CVS repository. Bump PKGREVISION.
@ text @a0 81 $NetBSD: patch-aw,v 1.1.2.1 2006/08/10 07:19:25 ghen Exp $ # Fix for Secunia Advisory SA21403
--- ext/standard/scanf.c.orig 2006-01-01 21:50:15.000000000 +0900
+++ ext/standard/scanf.c
@@@@ -732,7 +732,7 @@@@ PHPAPI int php_sscanf_internal( char *st
 if (*end == '$') {
 format = end+1;
 ch = format++;
- objIndex = varStart + value;
+ objIndex = varStart + value - 1;
 }
 }
@@@@ -762,7 +762,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 switch (*ch) {
 case 'n':
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 zend_uint refcount;
 current = args[objIndex++];
@@@@ -888,7 +890,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 }
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 zend_uint refcount;
 current = args[objIndex++];
@@@@ -932,7 +936,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 goto done;
 }
 if (!(flags & SCAN_SUPPRESS)) {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 zval_dtor( *current );
 ZVAL_STRINGL( *current, string, end-string, 1);
@@@@ -1089,7 +1095,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 value = (int) (*fn)(buf, NULL, base);
 if ((flags & SCAN_UNSIGNED) && (value < 0)) {
 sprintf(buf, "%u", value); /* INTL: ISO digit */
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 /* change passed value type to string */
 current = args[objIndex++];
 convert_to_string( *current );
@@@@ -1098,7 +1106,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 add_index_string(*return_value, objIndex++, buf, 1);
 }
 } else {
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_long( *current );
 Z_LVAL(**current) = value;
@@@@ -1206,7 +1216,9 @@@@ PHPAPI int php_sscanf_internal( char *st
 double dvalue;
 *end = '\0';
 dvalue = zend_strtod(buf, NULL);
- if (numVars) {
+ if (numVars && objIndex >= argCount) {
+ break;
+ } else if (numVars) {
 current = args[objIndex++];
 convert_to_double( *current );
 Z_DVAL_PP( current ) = dvalue;
@
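Review bot: The guard added ahead of `current = args[objIndex++]` in this hunk, and repeated in the same form in the hunks at -762, -888, -932, -1089 and -1098, tests only the upper bound of `objIndex`. The first hunk now computes `objIndex = varStart + value - 1`, so a position of 0 in a `%n$` specifier would give `varStart - 1`, which passes `objIndex >= argCount` and indexes `args` below what is presumably the first output variable. Unless the format validation, which is not visible in this patch, already rejects position 0, the condition should read `if (numVars && (objIndex < varStart || objIndex >= argCount)) {`. The `break` also drops the conversion with no diagnostic, so a short comment such as `/* position beyond the supplied variables: skip the assignment */` would record that the silent skip is deliberate. php_sscanf_internal starts and ends outside every hunk, so the construct each `break` leaves cannot be confirmed from this page.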