| author | Ilia Alshanetsky <iliaa@php.net> | 2003-07-31 19:46:03 +0000 |
|---|---|---|
| committer | Ilia Alshanetsky <iliaa@php.net> | 2003-07-31 19:46:03 +0000 |
| commit | ecbcd7f59f166ee54ed1357b19501cf2e616a723 (patch) | |
| tree | cf1a438228678d587aadc97e66ee2281a9d7f1de | |
| parent | 88cbc175ea64437229776332d23b311a4b26401e (diff) | |
| download | php-git-ecbcd7f59f166ee54ed1357b19501cf2e616a723.tar.gz | |
Fixed bug #22154 (Possible crash when memory_limit is reached and
output buffering in addition to session.use_trans_sid is used).
| -rw-r--r-- | main/output.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/main/output.c b/main/output.c
index 67d81d212d..7563743850 100644
--- a/main/output.c
+++ b/main/output.c
@@ -379,15 +379,20 @@ PHPAPI void php_ob_set_internal_handler(php_output_handler_func_t internal_outpu
 /* {{{ php_ob_allocate */
-static inline void php_ob_allocate(TSRMLS_D)
+static inline void php_ob_allocate(uint text_length TSRMLS_DC)
 {
- if (OG(active_ob_buffer).size<OG(active_ob_buffer).text_length) {
- while (OG(active_ob_buffer).size <= OG(active_ob_buffer).text_length) {
- OG(active_ob_buffer).size+=OG(active_ob_buffer).block_size;
+ uint new_len = OG(active_ob_buffer).text_length + text_length;
+
+ if (OG(active_ob_buffer).size < new_len) {
+ uint buf_size = OG(active_ob_buffer).size;
+ while (buf_size <= new_len) {
+ buf_size += OG(active_ob_buffer).block_size;
 }
-
- OG(active_ob_buffer).buffer = (char *) erealloc(OG(active_ob_buffer).buffer, OG(active_ob_buffer).size+1);
+
+ OG(active_ob_buffer).buffer = (char *) erealloc(OG(active_ob_buffer).buffer, buf_size+1);
+ OG(active_ob_buffer).size = buf_size;
 }
+ OG(active_ob_buffer).text_length = new_len;
 }
 /* }}} */
@@ -589,9 +594,8 @@ static inline void php_ob_append(const char *text, uint text_length TSRMLS_DC)
 int original_ob_text_length;
 original_ob_text_length=OG(active_ob_buffer).text_length;
- OG(active_ob_buffer).text_length = OG(active_ob_buffer).text_length + text_length;
- php_ob_allocate(TSRMLS_C);
+ php_ob_allocate(text_length TSRMLS_CC);
 target = OG(active_ob_buffer).buffer+original_ob_text_length;
 memcpy(target, text, text_length);
 target[text_length]=0;
@@ -616,8 +620,7 @@ static inline void php_ob_prepend(const char *text, uint text_length)
 char *p, *start;
 TSRMLS_FETCH();
- OG(active_ob_buffer).text_length += text_length;
- php_ob_allocate(TSRMLS_C);
+ php_ob_allocate(text_length TSRMLS_CC);
 /* php_ob_allocate() may change OG(ob_buffer), so we can't initialize p&start earlier */
 p = OG(ob_buffer)+OG(ob_text_length); |
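Review bot: The unsigned sum `OG(active_ob_buffer).text_length + text_length` in the new php_ob_allocate can wrap, and nothing in the hunk checks for it. After a wrap `new_len` compares below `size`, no reallocation happens, and the `memcpy(target, text, text_length)` visible in the php_ob_append hunk would write past the end of the buffer; `buf_size += block_size` and `buf_size+1` can wrap the same way near `UINT_MAX`. A guard ahead of the addition, for example `if (text_length > UINT_MAX - OG(active_ob_buffer).text_length) { /* fail as an allocation error would */ }`, would close this, with the failure path left to the maintainers since the function returns void. The function also deserves a comment such as `/* commit size and text_length only after erealloc() returns, so a failed allocation leaves the buffer state consistent */`, because that ordering appears to be the actual fix for the crash named in the commit message.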
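Review bot: In php_ob_append, `original_ob_text_length` is declared `int` but holds a length that the new php_ob_allocate treats as `uint`, and after this change it is the only record of where the appended bytes belong, because the callee now advances `text_length` itself. Declaring it `uint original_ob_text_length;` keeps the offset in `OG(active_ob_buffer).buffer+original_ob_text_length` unsigned for large buffers. A short comment on the capture, `/* read before php_ob_allocate(), which advances text_length */`, would document the ordering dependency this commit introduces. The body of php_ob_append starts and ends outside the hunk.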
