
Commit 0e180dc

committed
fix type conversions
We were (incorrectly) using the convert_to_*() functions; instead, just call zval_get_*(). This fixes various heap corruption issues when parsing complex data structures.
1 parent b0408ba commit 0e180dc

2 files changed

+44
-42
lines changed


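--- a/ChangeLog
+++ b/ChangeLog
@@ -6,6 +6,7 @@ Version 0.1.1 (2016-10-03)
 * Add vips_error_buffer(), remove docref messages
 * return 0/-1 everywhere for error
 * vips_image_get() returns ["out" => value] | -1
+* fix type conversions
 
 Version 0.1.0 (2016-09-20)
 --------------------------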

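--- a/vips.c
+++ b/vips.c
@@ -171,7 +171,6 @@ expand_constant(VipsImage *match_image, zval *constant)
 ones[i] = 1.0;
 
 if ((ele = zend_hash_index_find(Z_ARRVAL_P(constant), i)) != NULL) {
-convert_to_double_ex(ele);
 offsets[i] = zval_get_double(ele);
 }
 }
@@ -183,8 +182,6 @@ expand_constant(VipsImage *match_image, zval *constant)
 result = x;
 }
 else {
-convert_to_double_ex(constant);
-
 if (vips_linear1(result, &x, 1.0, zval_get_double(constant), NULL)) {
 return NULL;
 }
@@ -274,7 +271,6 @@ matrix_from_zval(zval *array)
 zval *ele;
 
 ele = zend_hash_index_find(Z_ARRVAL_P(row), x);
-convert_to_double_ex(ele);
 *VIPS_MATRIX(mat, x, y) = zval_get_double(ele);
 }
 }
@@ -317,15 +313,17 @@ vips_php_zval_to_gval(VipsImage *match_image, zval *zvalue, GValue *gvalue)
 GType fundamental = G_TYPE_FUNDAMENTAL(type);
 
 VipsImage *image;
+zend_string *zstr;
 int enum_value;
 
 switch (fundamental) {
 case G_TYPE_STRING:
 /* These are GStrings, vips refstrings are handled by boxed, see
 * below.
 */
-convert_to_string_ex(zvalue);
-g_value_set_string(gvalue, Z_STRVAL_P(zvalue));
+zstr = zval_get_string(zvalue);
+g_value_set_string(gvalue, ZSTR_VAL(zstr));
+zend_string_release(zstr);
 break;
 
 case G_TYPE_OBJECT:
@@ -346,55 +344,57 @@ vips_php_zval_to_gval(VipsImage *match_image, zval *zvalue, GValue *gvalue)
 break;
 
 case G_TYPE_INT:
-convert_to_long_ex(zvalue);
-g_value_set_int(gvalue, Z_LVAL_P(zvalue));
+g_value_set_int(gvalue, zval_get_long(zvalue));
 break;
 
 case G_TYPE_UINT64:
-convert_to_long_ex(zvalue);
-g_value_set_uint64(gvalue, Z_LVAL_P(zvalue));
+g_value_set_uint64(gvalue, zval_get_long(zvalue));
 break;
 
 case G_TYPE_BOOLEAN:
-convert_to_boolean(zvalue);
-g_value_set_boolean(gvalue, Z_LVAL_P(zvalue));
+g_value_set_boolean(gvalue, zval_get_long(zvalue));
 break;
 
 case G_TYPE_ENUM:
 if (Z_TYPE_P(zvalue) == IS_LONG) {
 enum_value = Z_LVAL_P(zvalue);
 }
+else if (Z_TYPE_P(zvalue) == IS_DOUBLE) {
+enum_value = Z_DVAL_P(zvalue);
+}
 else {
-convert_to_string_ex(zvalue);
-if ((enum_value = vips_enum_from_nick("enum",
-type, Z_STRVAL_P(zvalue))) < 0 ) {
+zstr = zval_get_string(zvalue);
+enum_value = vips_enum_from_nick("enum", type, ZSTR_VAL(zstr));
+if (enum_value < 0) {
+zend_string_release(zstr);
 return -1;
 }
+zend_string_release(zstr);
 }
 g_value_set_enum(gvalue, enum_value);
 break;
 
 case G_TYPE_FLAGS:
-convert_to_long_ex(zvalue);
-g_value_set_flags(gvalue, Z_LVAL_P(zvalue));
+g_value_set_flags(gvalue, zval_get_long(zvalue));
 break;
 
 case G_TYPE_DOUBLE:
-convert_to_double_ex(zvalue);
-g_value_set_double(gvalue, Z_DVAL_P(zvalue));
+g_value_set_double(gvalue, zval_get_double(zvalue));
 break;
 
 case G_TYPE_BOXED:
 if (type == VIPS_TYPE_REF_STRING) {
-convert_to_string_ex(zvalue);
-vips_value_set_ref_string(gvalue, Z_STRVAL_P(zvalue));
+zstr = zval_get_string(zvalue);
+vips_value_set_ref_string(gvalue, ZSTR_VAL(zstr));
+zend_string_release(zstr);
 }
 else if (type == VIPS_TYPE_BLOB) {
 void *buf;
 
-convert_to_string_ex(zvalue);
-buf = g_malloc(Z_STRLEN_P(zvalue));
-memcpy(buf, Z_STRVAL_P(zvalue), Z_STRLEN_P(zvalue));
+zstr = zval_get_string(zvalue);
+buf = g_malloc(ZSTR_LEN(zstr));
+memcpy(buf, ZSTR_VAL(zstr), ZSTR_LEN(zstr));
+zend_string_release(zstr);
 
 vips_value_set_blob(gvalue,
 vips_php_blob_free, buf, Z_STRLEN_P(zvalue));
@@ -418,15 +418,13 @@ vips_php_zval_to_gval(VipsImage *match_image, zval *zvalue, GValue *gvalue)
 for (i = 0; i < n; i++) {
 zval *ele;
 
-if ((ele = zend_hash_index_find(Z_ARRVAL_P(zvalue),
-i)) != NULL) {
-convert_to_long_ex(ele);
+ele = zend_hash_index_find(Z_ARRVAL_P(zvalue), i);
+if (ele) {
 arr[i] = zval_get_long(ele);
 }
 }
 }
 else {
-convert_to_long_ex(zvalue);
 arr[0] = zval_get_long(zvalue);
 }
 }
@@ -449,15 +447,13 @@ vips_php_zval_to_gval(VipsImage *match_image, zval *zvalue, GValue *gvalue)
 for (i = 0; i < n; i++) {
 zval *ele;
 
-if ((ele = zend_hash_index_find(Z_ARRVAL_P(zvalue),
-i)) != NULL) {
-convert_to_double_ex(ele);
+ele = zend_hash_index_find(Z_ARRVAL_P(zvalue), i);
+if (ele) {
 arr[i] = zval_get_double(ele);
 }
 }
 }
 else {
-convert_to_double_ex(zvalue);
 arr[0] = zval_get_double(zvalue);
 }
 }
@@ -481,20 +477,24 @@ vips_php_zval_to_gval(VipsImage *match_image, zval *zvalue, GValue *gvalue)
 for (i = 0; i < n; i++) {
 zval *ele;
 
-if ((ele = zend_hash_index_find(Z_ARRVAL_P(zvalue),
-i)) != NULL &&
-(image = (VipsImage *)
-zend_fetch_resource(Z_RES_P(ele),
-"GObject", le_gobject)) != NULL) {
+ele = zend_hash_index_find(Z_ARRVAL_P(zvalue), i);
+if (ele) {
+image = (VipsImage *)
+zend_fetch_resource(
+Z_RES_P(ele), "GObject", le_gobject);
+}
+if (ele &&
+image) {
 arr[i] = image;
 g_object_ref(image);
 }
 }
 }
 else {
-if( (image = (VipsImage *)
-zend_fetch_resource(Z_RES_P(zvalue),
-"GObject", le_gobject)) != NULL) {
+image = (VipsImage *)
+zend_fetch_resource(
+Z_RES_P(zvalue), "GObject", le_gobject);
+if (image) {
 arr[0] = image;
 g_object_ref(image);
 }
@@ -1160,8 +1160,9 @@ PHP_FUNCTION(vips_image_new_from_array)
 zval *ele;
 
 ele = zend_hash_index_find(Z_ARRVAL_P(array), x);
-convert_to_double_ex(ele);
-*VIPS_MATRIX(mat, x, 0) = zval_get_double(ele);
+if (ele) {
+*VIPS_MATRIX(mat, x, 0) = zval_get_double(ele);
+}
 }
 }
 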
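Review bot: In the VIPS_TYPE_BLOB branch of the hunk at old lines 346-400, the blob length passed to vips_value_set_blob() is still `Z_STRLEN_P(zvalue)` even though zvalue is no longer converted in place and `zstr` has already been released, so for a non-string zvalue the length handed to vips need not match the bytes copied into buf. Move the release below the call and take the length from the zend_string instead: `vips_value_set_blob(gvalue, vips_php_blob_free, buf, ZSTR_LEN(zstr));` followed by `zend_string_release(zstr);`. The matrix_from_zval hunk (old lines 276-278) still passes `ele` straight to zval_get_double() without the NULL check that the vips_image_new_from_array hunk adds, and the image-array hunk (old lines 481-500) reads `Z_RES_P(ele)` and `Z_RES_P(zvalue)` guarded only by a NULL check, not by `Z_TYPE_P(ele) == IS_RESOURCE`, so a non-resource array element is interpreted as a resource pointer. vips_php_zval_to_gval begins and ends outside these hunks.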
