diff options
| author | Stanislav Malyshev <stas@php.net> | 2015-09-01 00:28:39 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2015-09-01 00:28:39 -0700 |
| commit | 6935058a986034c41d893fa36104b1f68777fd39 (patch) | |
| tree | 5a1b55324a372874eb8ee89337777961950d25af | |
| parent | fc8eff897bd7fe3fed7f6867d2d6a86117a5278d (diff) | |
| parent | c8f07ad4771620252bf542e09938633bfb837363 (diff) | |
| download | php-git-6935058a986034c41d893fa36104b1f68777fd39.tar.gz | |
Merge branch 'PHP-5.4.45' into PHP-5.5.29
* PHP-5.4.45:
add test
Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
Fix bug #70172 - Use After Free Vulnerability in unserialize()
Fix bug #70388 - SOAP serialize_function_call() type confusion
Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
Improve fix for #70385
Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
Conflicts:
ext/pcre/php_pcre.c
ext/standard/var_unserializer.c
| -rw-r--r-- | ext/exif/exif.c | 212 | ||||
| -rw-r--r-- | ext/pcre/php_pcre.c | 148 | ||||
| -rw-r--r-- | ext/pcre/tests/bug70345.phpt | 24 | ||||
| -rw-r--r-- | ext/soap/soap.c | 96 | ||||
| -rw-r--r-- | ext/soap/tests/bug70388.phpt | 17 | ||||
| -rw-r--r-- | ext/spl/spl_dllist.c | 1 | ||||
| -rw-r--r-- | ext/spl/spl_observer.c | 2 | ||||
| -rw-r--r-- | ext/spl/tests/bug70155.phpt | 50 | ||||
| -rw-r--r-- | ext/spl/tests/bug70365.phpt | 50 | ||||
| -rw-r--r-- | ext/spl/tests/bug70366.phpt | 54 | ||||
| -rw-r--r-- | ext/standard/tests/serialize/bug70172.phpt | 52 | ||||
| -rw-r--r-- | ext/standard/var.c | 23 | ||||
| -rw-r--r-- | ext/standard/var_unserializer.c | 76 | ||||
| -rw-r--r-- | ext/standard/var_unserializer.re | 12 | ||||
| -rw-r--r-- | ext/zip/php_zip.c | 4 | ||||
| -rw-r--r-- | ext/zip/tests/bug70350.phpt | 33 |
16 files changed, 587 insertions, 267 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 77f4630d93..ff29fdd0fa 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -74,7 +74,7 @@ #include "php_ini.h" #include "ext/standard/php_string.h" #include "ext/standard/php_image.h" -#include "ext/standard/info.h" +#include "ext/standard/info.h" /* needed for ssize_t definition */ #include <sys/types.h> @@ -161,7 +161,7 @@ ZEND_BEGIN_MODULE_GLOBALS(exif) char * encode_jis; char * decode_jis_be; char * decode_jis_le; -ZEND_END_MODULE_GLOBALS(exif) +ZEND_END_MODULE_GLOBALS(exif) ZEND_DECLARE_MODULE_GLOBALS(exif) @@ -170,7 +170,7 @@ ZEND_DECLARE_MODULE_GLOBALS(exif) #else #define EXIF_G(v) (exif_globals.v) #endif - + /* {{{ PHP_INI */ @@ -213,7 +213,7 @@ PHP_INI_BEGIN() STD_PHP_INI_ENTRY("exif.decode_jis_intel", "JIS", PHP_INI_ALL, OnUpdateDecode, decode_jis_le, zend_exif_globals, exif_globals) PHP_INI_END() /* }}} */ - + /* {{{ PHP_GINIT_FUNCTION */ static PHP_GINIT_FUNCTION(exif) @@ -233,9 +233,9 @@ PHP_MINIT_FUNCTION(exif) { REGISTER_INI_ENTRIES(); if (zend_hash_exists(&module_registry, "mbstring", sizeof("mbstring"))) { - REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT); } else { - REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT); } return SUCCESS; } @@ -265,7 +265,7 @@ zend_module_entry exif_module_entry = { exif_module_deps, "exif", exif_functions, - PHP_MINIT(exif), + PHP_MINIT(exif), PHP_MSHUTDOWN(exif), NULL, NULL, PHP_MINFO(exif), @@ -278,7 +278,7 @@ zend_module_entry exif_module_entry = { NULL, NULL, STANDARD_MODULE_PROPERTIES_EX -#else +#else STANDARD_MODULE_PROPERTIES #endif }; @@ -667,73 +667,73 @@ static tag_info_array tag_table_IFD = { { 0x0213, "YCbCrPositioning"}, { 0x0214, "ReferenceBlackWhite"}, { 0x02BC, "ExtensibleMetadataPlatform"}, /* XAP: Extensible Authoring Publishing, obsoleted by XMP: Extensible Metadata Platform */ - { 0x0301, "Gamma"}, - { 0x0302, "ICCProfileDescriptor"}, - { 0x0303, "SRGBRenderingIntent"}, - { 0x0320, "ImageTitle"}, - { 0x5001, "ResolutionXUnit"}, - { 0x5002, "ResolutionYUnit"}, - { 0x5003, "ResolutionXLengthUnit"}, - { 0x5004, "ResolutionYLengthUnit"}, - { 0x5005, "PrintFlags"}, - { 0x5006, "PrintFlagsVersion"}, - { 0x5007, "PrintFlagsCrop"}, - { 0x5008, "PrintFlagsBleedWidth"}, - { 0x5009, "PrintFlagsBleedWidthScale"}, - { 0x500A, "HalftoneLPI"}, - { 0x500B, "HalftoneLPIUnit"}, - { 0x500C, "HalftoneDegree"}, - { 0x500D, "HalftoneShape"}, - { 0x500E, "HalftoneMisc"}, - { 0x500F, "HalftoneScreen"}, - { 0x5010, "JPEGQuality"}, - { 0x5011, "GridSize"}, - { 0x5012, "ThumbnailFormat"}, - { 0x5013, "ThumbnailWidth"}, - { 0x5014, "ThumbnailHeight"}, - { 0x5015, "ThumbnailColorDepth"}, - { 0x5016, "ThumbnailPlanes"}, - { 0x5017, "ThumbnailRawBytes"}, - { 0x5018, "ThumbnailSize"}, - { 0x5019, "ThumbnailCompressedSize"}, - { 0x501A, "ColorTransferFunction"}, - { 0x501B, "ThumbnailData"}, - { 0x5020, "ThumbnailImageWidth"}, - { 0x5021, "ThumbnailImageHeight"}, - { 0x5022, "ThumbnailBitsPerSample"}, - { 0x5023, "ThumbnailCompression"}, - { 0x5024, "ThumbnailPhotometricInterp"}, - { 0x5025, "ThumbnailImageDescription"}, - { 0x5026, "ThumbnailEquipMake"}, - { 0x5027, "ThumbnailEquipModel"}, - { 0x5028, "ThumbnailStripOffsets"}, - { 0x5029, "ThumbnailOrientation"}, - { 0x502A, "ThumbnailSamplesPerPixel"}, - { 0x502B, "ThumbnailRowsPerStrip"}, - { 0x502C, "ThumbnailStripBytesCount"}, - { 0x502D, "ThumbnailResolutionX"}, - { 0x502E, "ThumbnailResolutionY"}, - { 0x502F, "ThumbnailPlanarConfig"}, - { 0x5030, "ThumbnailResolutionUnit"}, - { 0x5031, "ThumbnailTransferFunction"}, - { 0x5032, "ThumbnailSoftwareUsed"}, - { 0x5033, "ThumbnailDateTime"}, - { 0x5034, "ThumbnailArtist"}, - { 0x5035, "ThumbnailWhitePoint"}, - { 0x5036, "ThumbnailPrimaryChromaticities"}, - { 0x5037, "ThumbnailYCbCrCoefficients"}, - { 0x5038, "ThumbnailYCbCrSubsampling"}, - { 0x5039, "ThumbnailYCbCrPositioning"}, - { 0x503A, "ThumbnailRefBlackWhite"}, - { 0x503B, "ThumbnailCopyRight"}, - { 0x5090, "LuminanceTable"}, - { 0x5091, "ChrominanceTable"}, - { 0x5100, "FrameDelay"}, - { 0x5101, "LoopCount"}, - { 0x5110, "PixelUnit"}, - { 0x5111, "PixelPerUnitX"}, - { 0x5112, "PixelPerUnitY"}, - { 0x5113, "PaletteHistogram"}, + { 0x0301, "Gamma"}, + { 0x0302, "ICCProfileDescriptor"}, + { 0x0303, "SRGBRenderingIntent"}, + { 0x0320, "ImageTitle"}, + { 0x5001, "ResolutionXUnit"}, + { 0x5002, "ResolutionYUnit"}, + { 0x5003, "ResolutionXLengthUnit"}, + { 0x5004, "ResolutionYLengthUnit"}, + { 0x5005, "PrintFlags"}, + { 0x5006, "PrintFlagsVersion"}, + { 0x5007, "PrintFlagsCrop"}, + { 0x5008, "PrintFlagsBleedWidth"}, + { 0x5009, "PrintFlagsBleedWidthScale"}, + { 0x500A, "HalftoneLPI"}, + { 0x500B, "HalftoneLPIUnit"}, + { 0x500C, "HalftoneDegree"}, + { 0x500D, "HalftoneShape"}, + { 0x500E, "HalftoneMisc"}, + { 0x500F, "HalftoneScreen"}, + { 0x5010, "JPEGQuality"}, + { 0x5011, "GridSize"}, + { 0x5012, "ThumbnailFormat"}, + { 0x5013, "ThumbnailWidth"}, + { 0x5014, "ThumbnailHeight"}, + { 0x5015, "ThumbnailColorDepth"}, + { 0x5016, "ThumbnailPlanes"}, + { 0x5017, "ThumbnailRawBytes"}, + { 0x5018, "ThumbnailSize"}, + { 0x5019, "ThumbnailCompressedSize"}, + { 0x501A, "ColorTransferFunction"}, + { 0x501B, "ThumbnailData"}, + { 0x5020, "ThumbnailImageWidth"}, + { 0x5021, "ThumbnailImageHeight"}, + { 0x5022, "ThumbnailBitsPerSample"}, + { 0x5023, "ThumbnailCompression"}, + { 0x5024, "ThumbnailPhotometricInterp"}, + { 0x5025, "ThumbnailImageDescription"}, + { 0x5026, "ThumbnailEquipMake"}, + { 0x5027, "ThumbnailEquipModel"}, + { 0x5028, "ThumbnailStripOffsets"}, + { 0x5029, "ThumbnailOrientation"}, + { 0x502A, "ThumbnailSamplesPerPixel"}, + { 0x502B, "ThumbnailRowsPerStrip"}, + { 0x502C, "ThumbnailStripBytesCount"}, + { 0x502D, "ThumbnailResolutionX"}, + { 0x502E, "ThumbnailResolutionY"}, + { 0x502F, "ThumbnailPlanarConfig"}, + { 0x5030, "ThumbnailResolutionUnit"}, + { 0x5031, "ThumbnailTransferFunction"}, + { 0x5032, "ThumbnailSoftwareUsed"}, + { 0x5033, "ThumbnailDateTime"}, + { 0x5034, "ThumbnailArtist"}, + { 0x5035, "ThumbnailWhitePoint"}, + { 0x5036, "ThumbnailPrimaryChromaticities"}, + { 0x5037, "ThumbnailYCbCrCoefficients"}, + { 0x5038, "ThumbnailYCbCrSubsampling"}, + { 0x5039, "ThumbnailYCbCrPositioning"}, + { 0x503A, "ThumbnailRefBlackWhite"}, + { 0x503B, "ThumbnailCopyRight"}, + { 0x5090, "LuminanceTable"}, + { 0x5091, "ChrominanceTable"}, + { 0x5100, "FrameDelay"}, + { 0x5101, "LoopCount"}, + { 0x5110, "PixelUnit"}, + { 0x5111, "PixelPerUnitX"}, + { 0x5112, "PixelPerUnitY"}, + { 0x5113, "PaletteHistogram"}, { 0x1000, "RelatedImageFileFormat"}, { 0x800D, "ImageID"}, { 0x80E3, "Matteing"}, /* obsoleted by ExtraSamples */ @@ -939,7 +939,7 @@ static tag_info_array tag_table_VND_NIKON = { { 0x000b, "Converter"}, TAG_TABLE_END }; - + static tag_info_array tag_table_VND_NIKON_990 = { { 0x0001, "Version"}, { 0x0002, "ISOSetting"}, @@ -958,7 +958,7 @@ static tag_info_array tag_table_VND_NIKON_990 = { { 0x0010, "DataDump"}, TAG_TABLE_END }; - + static tag_info_array tag_table_VND_OLYMPUS = { { 0x0200, "SpecialMode"}, { 0x0201, "JPEGQuality"}, @@ -1224,7 +1224,7 @@ char * exif_dump_data(int *dump_free, int format, int components, int length, in if (components > 0) { dump = erealloc(dump, len + 2 + 1); snprintf(dump + len, 2 + 1, ", "); - len += 2; + len += 2; components--; } else{ break; @@ -1574,7 +1574,7 @@ typedef struct { static void exif_error_docref(const char *docref EXIFERR_DC, const image_info_type *ImageInfo, int type, const char *format, ...) { va_list args; - + va_start(args, format); #ifdef EXIF_DEBUG { @@ -2627,7 +2627,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP *pszEncoding = estrdup((const char*)szValuePtr); szValuePtr = szValuePtr+8; ByteCount -= 8; - /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) + /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16) * since we have no encoding support for the BOM yet we skip that. */ if (!memcmp(szValuePtr, "\xFE\xFF", 2)) { @@ -2645,8 +2645,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP } /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( - (unsigned char**)pszInfoPtr, - &len, + (unsigned char**)pszInfoPtr, + &len, (unsigned char*)szValuePtr, ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), @@ -2666,8 +2666,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP ByteCount -= 8; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( - (unsigned char**)pszInfoPtr, - &len, + (unsigned char**)pszInfoPtr, + &len, (unsigned char*)szValuePtr, ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC), @@ -2701,12 +2701,12 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP * Process unicode field in IFD. */ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) { - xp_field->tag = tag; + xp_field->tag = tag; xp_field->value = NULL; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( - (unsigned char**)&xp_field->value, - &xp_field->size, + (unsigned char**)&xp_field->value, + &xp_field->size, (unsigned char*)szValuePtr, ByteCount, zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), @@ -2731,7 +2731,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu if (i==sizeof(maker_note_array)/sizeof(maker_note_type)) return FALSE; maker_note = maker_note_array+i; - + /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s,%s)", maker_note->make?maker_note->make:"", maker_note->model?maker_note->model:"");*/ if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make))) continue; @@ -2852,9 +2852,9 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - /* + /* dir_entry is ImageInfo->file.list[sn].data+2+i*12 - offset_base is ImageInfo->file.list[sn].data-dir_offset + offset_base is ImageInfo->file.list[sn].data-dir_offset dir_entry - offset_base is dir_offset+2+i*12 */ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) { @@ -2925,18 +2925,18 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha case TAG_COMP_IMAGE_WIDTH: ImageInfo->Thumbnail.width = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_IMAGEHEIGHT: case TAG_COMP_IMAGE_HEIGHT: ImageInfo->Thumbnail.height = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_STRIP_OFFSETS: case TAG_JPEG_INTERCHANGE_FORMAT: /* accept both formats */ ImageInfo->Thumbnail.offset = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_STRIP_BYTE_COUNTS: if (ImageInfo->FileType == IMAGE_FILETYPE_TIFF_II || ImageInfo->FileType == IMAGE_FILETYPE_TIFF_MM) { ImageInfo->Thumbnail.filetype = ImageInfo->FileType; @@ -2946,7 +2946,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha } ImageInfo->Thumbnail.size = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC); break; - + case TAG_JPEG_INTERCHANGE_FORMAT_LEN: if (ImageInfo->Thumbnail.filetype == IMAGE_FILETYPE_UNKNOWN) { ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_JPEG; @@ -2964,16 +2964,16 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha if (length<byte_count-1) { /* When there are any characters after the first NUL */ ImageInfo->CopyrightPhotographer = estrdup(value_ptr); - ImageInfo->CopyrightEditor = estrdup(value_ptr+length+1); + ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1); spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1); /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */ /* but we are not supposed to change this */ /* keep in mind that image_info does not store editor value */ } else { - ImageInfo->Copyright = estrdup(value_ptr); + ImageInfo->Copyright = estrndup(value_ptr, byte_count); } } - break; + break; case TAG_USERCOMMENT: ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count TSRMLS_CC); @@ -3061,10 +3061,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha break; case TAG_MAKE: - ImageInfo->make = estrdup(value_ptr); + ImageInfo->make = estrndup(value_ptr, byte_count); break; case TAG_MODEL: - ImageInfo->model = estrdup(value_ptr); + ImageInfo->model = estrndup(value_ptr, byte_count); break; case TAG_MAKER_NOTE: @@ -3414,7 +3414,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC) if ((itemlen - 2) < 6) { return FALSE; } - + exif_process_SOFn(Data, marker, &sof_info); ImageInfo->Width = sof_info.width; ImageInfo->Height = sof_info.height; @@ -3459,21 +3459,21 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC) } for (;;) { pos += length; - if (pos>=ImageInfo->Thumbnail.size) + if (pos>=ImageInfo->Thumbnail.size) return FALSE; c = data[pos++]; - if (pos>=ImageInfo->Thumbnail.size) + if (pos>=ImageInfo->Thumbnail.size) return FALSE; if (c != 0xFF) { return FALSE; } n = 8; while ((c = data[pos++]) == 0xFF && n--) { - if (pos+3>=ImageInfo->Thumbnail.size) + if (pos+3>=ImageInfo->Thumbnail.size) return FALSE; /* +3 = pos++ of next check when reaching marker + 2 bytes for length */ } - if (c == 0xFF) + if (c == 0xFF) return FALSE; marker = c; length = php_jpg_get16(data+pos); @@ -3787,7 +3787,7 @@ static int exif_scan_FILE_header(image_info_type *ImageInfo TSRMLS_DC) exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "File has TIFF/II format"); #endif ImageInfo->sections_found |= FOUND_IFD0; - if (exif_process_IFD_in_TIFF(ImageInfo, + if (exif_process_IFD_in_TIFF(ImageInfo, php_ifd_get32u(file_header + 4, ImageInfo->motorola_intel), SECTION_IFD0 TSRMLS_CC)) { ret = TRUE; @@ -3967,7 +3967,7 @@ PHP_FUNCTION(exif_read_data) sections_str = exif_get_sectionlist(ImageInfo.sections_found TSRMLS_CC); #ifdef EXIF_DEBUG - if (sections_str) + if (sections_str) exif_error_docref(NULL EXIFERR_CC, &ImageInfo, E_NOTICE, "Sections found: %s", sections_str[0] ? sections_str : "None"); #endif diff --git a/ext/pcre/php_pcre.c b/ext/pcre/php_pcre.c index 7cc16ca6e6..06e35e537a 100644 --- a/ext/pcre/php_pcre.c +++ b/ext/pcre/php_pcre.c @@ -136,7 +136,7 @@ static PHP_MINFO_FUNCTION(pcre) static PHP_MINIT_FUNCTION(pcre) { REGISTER_INI_ENTRIES(); - + REGISTER_LONG_CONSTANT("PREG_PATTERN_ORDER", PREG_PATTERN_ORDER, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("PREG_SET_ORDER", PREG_SET_ORDER, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("PREG_OFFSET_CAPTURE", PREG_OFFSET_CAPTURE, CONST_CS | CONST_PERSISTENT); @@ -296,18 +296,18 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le #endif } } - + p = regex; - + /* Parse through the leading whitespace, and display a warning if we get to the end without encountering a delimiter. */ while (isspace((int)*(unsigned char *)p)) p++; if (*p == 0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, + php_error_docref(NULL TSRMLS_CC, E_WARNING, p < regex + regex_len ? "Null byte in regex" : "Empty regular expression"); return NULL; } - + /* Get the delimiter and display a warning if it is alphanumeric or a backslash. */ delimiter = *p++; @@ -360,7 +360,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le } return NULL; } - + /* Make a copy of the actual pattern. */ pattern = estrndup(p, pp-p); @@ -368,7 +368,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le pp++; /* Parse through the options, setting appropriate flags. Display - a warning if we encounter an unknown modifier. */ + a warning if we encounter an unknown modifier. */ while (pp < regex + regex_len) { switch (*pp++) { /* Perl compatible options */ @@ -376,7 +376,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le case 'm': coptions |= PCRE_MULTILINE; break; case 's': coptions |= PCRE_DOTALL; break; case 'x': coptions |= PCRE_EXTENDED; break; - + /* PCRE specific options */ case 'A': coptions |= PCRE_ANCHORED; break; case 'D': coptions |= PCRE_DOLLAR_ENDONLY;break; @@ -389,12 +389,12 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le the PCRE_UCP option. */ #ifdef PCRE_UCP coptions |= PCRE_UCP; -#endif +#endif break; /* Custom preg options */ case 'e': poptions |= PREG_REPLACE_EVAL; break; - + case ' ': case '\n': break; @@ -474,7 +474,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le * at end of request. However PCRE_G(pcre_cache) must be consistent * on the next request as well. So we disable usage of interned strings * as hash keys especually for this table. - * See bug #63180 + * See bug #63180 */ if (IS_INTERNED(regex)) { regex = tmp = estrndup(regex, regex_len); @@ -503,7 +503,7 @@ PHPAPI pcre* pcre_get_compiled_regex(char *regex, pcre_extra **extra, int *preg_ if (preg_options) { *preg_options = pce ? pce->preg_options : 0; } - + return pce ? pce->re : NULL; } /* }}} */ @@ -513,7 +513,7 @@ PHPAPI pcre* pcre_get_compiled_regex(char *regex, pcre_extra **extra, int *preg_ PHPAPI pcre* pcre_get_compiled_regex_ex(char *regex, pcre_extra **extra, int *preg_options, int *compile_options TSRMLS_DC) { pcre_cache_entry * pce = pcre_get_compiled_regex_cache(regex, strlen(regex) TSRMLS_CC); - + if (extra) { *extra = pce ? pce->extra : NULL; } @@ -523,7 +523,7 @@ PHPAPI pcre* pcre_get_compiled_regex_ex(char *regex, pcre_extra **extra, int *pr if (compile_options) { *compile_options = pce ? pce->compile_options : 0; } - + return pce ? pce->re : NULL; } /* }}} */ @@ -540,7 +540,7 @@ static inline void add_offset_pair(zval *result, char *str, int len, int offset, /* Add (match, offset) to the return value */ add_next_index_stringl(match_pair, str, len, 1); add_next_index_long(match_pair, offset); - + if (name) { zval_add_ref(&match_pair); zend_hash_update(Z_ARRVAL_P(result), name, strlen(name)+1, &match_pair, sizeof(zval *), NULL); @@ -565,14 +565,14 @@ static void php_do_pcre_match(INTERNAL_FUNCTION_PARAMETERS, int global) /* {{{ * &subject, &subject_len, &subpats, &flags, &start_offset) == FAILURE) { RETURN_FALSE; } - + /* Compile regex or get it from cache. */ if ((pce = pcre_get_compiled_regex_cache(regex, regex_len TSRMLS_CC)) == NULL) { RETURN_FALSE; } pce->refcount++; - php_pcre_match_impl(pce, subject, subject_len, return_value, subpats, + php_pcre_match_impl(pce, subject, subject_len, return_value, subpats, global, ZEND_NUM_ARGS() >= 4, flags, start_offset TSRMLS_CC); pce->refcount--; } @@ -676,7 +676,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec matched = 0; PCRE_G(error_code) = PHP_PCRE_NO_ERROR; - + do { /* Execute the regular expression. */ count = pcre_exec(pce->re, extra, subject, subject_len, start_offset, @@ -698,7 +698,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec /* If subpatterns array has been passed, fill it in with values. */ if (subpats != NULL) { /* Try to get the list of substrings and display a warning if failed. */ - if (pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) { + if ((offsets[1] - offsets[0] < 0) || pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) { efree(subpat_names); efree(offsets); if (match_sets) efree(match_sets); @@ -733,7 +733,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec ALLOC_ZVAL(result_set); array_init(result_set); INIT_PZVAL(result_set); - + /* Add all the subpatterns to it */ for (i = 0; i < count; i++) { if (offset_capture) { @@ -787,13 +787,13 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec pcre_handle_exec_error(count TSRMLS_CC); break; } - + /* If we have matched an empty string, mimic what Perl's /g options does. This turns out to be rather cunning. First we set PCRE_NOTEMPTY and try the match again at the same point. If this fails (picked up above) we advance to the next character. */ g_notempty = (offsets[1] == offsets[0])? PCRE_NOTEMPTY | PCRE_ANCHORED : 0; - + /* Advance to the position right after the last full match */ start_offset = offsets[1]; } while (global); @@ -810,7 +810,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec } efree(match_sets); } - + efree(offsets); efree(subpat_names); @@ -860,7 +860,7 @@ static int preg_get_backref(char **str, int *backref) walk++; } else return 0; - + if (*walk && *walk >= '0' && *walk <= '9') { *backref = *backref * 10 + *walk - '0'; walk++; @@ -872,9 +872,9 @@ static int preg_get_backref(char **str, int *backref) else walk++; } - + *str = walk; - return 1; + return 1; } /* }}} */ @@ -884,7 +884,7 @@ static int preg_do_repl_func(zval *function, char *subject, int *offsets, char * { zval *retval_ptr; /* Function return value */ zval **args[1]; /* Argument to pass to function */ - zval *subpats; /* Captured subpatterns */ + zval *subpats; /* Captured subpatterns */ int result_len; /* Return value length */ int i; @@ -935,11 +935,11 @@ static int preg_do_eval(char *eval_str, int eval_str_len, char *subject, int backref; /* Current backref */ char *compiled_string_description; smart_str code = {0}; - + eval_str_end = eval_str + eval_str_len; walk = segment = eval_str; walk_last = 0; - + while (walk < eval_str_end) { /* If found a backreference.. */ if ('\\' == *walk || '$' == *walk) { @@ -992,15 +992,15 @@ static int preg_do_eval(char *eval_str, int eval_str_len, char *subject, } efree(compiled_string_description); convert_to_string(&retval); - + /* Save the return value and its length */ *result = estrndup(Z_STRVAL(retval), Z_STRLEN(retval)); result_len = Z_STRLEN(retval); - + /* Clean up */ zval_dtor(&retval); smart_str_free(&code); - + return result_len; } /* }}} */ @@ -1029,7 +1029,7 @@ PHPAPI char *php_pcre_replace(char *regex, int regex_len, /* }}} */ /* {{{ php_pcre_replace_impl() */ -PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int subject_len, zval *replace_val, +PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int subject_len, zval *replace_val, int is_callable_replace, int *result_len, int limit, int *replace_count TSRMLS_DC) { pcre_extra *extra = pce->extra;/* Holds results of studying */ @@ -1105,7 +1105,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub } offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0); - + alloc_len = 2 * subject_len + 1; result = safe_emalloc(alloc_len, sizeof(char), 0); @@ -1114,7 +1114,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub *result_len = 0; start_offset = 0; PCRE_G(error_code) = PHP_PCRE_NO_ERROR; - + while (1) { /* Execute the regular expression. */ count = pcre_exec(pce->re, extra, subject, subject_len, start_offset, @@ -1131,7 +1131,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub piece = subject + start_offset; - if (count > 0 && (limit == -1 || limit > 0)) { + if (count > 0 && (offsets[1] - offsets[0] >= 0) && (limit == -1 || limit > 0)) { if (replace_count) { ++*replace_count; } @@ -1139,7 +1139,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub match = subject + offsets[0]; new_len = *result_len + offsets[0] - start_offset; /* part before the match */ - + /* If evaluating, do it and add the return string's length */ if (eval) { eval_result_len = preg_do_eval(replace, replace_len, subject, @@ -1184,7 +1184,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub /* copy replacement and backrefs */ walkbuf = result + *result_len; - + /* If evaluating or using custom function, copy result to the buffer * and clean up. */ if (eval || is_callable_replace) { @@ -1254,13 +1254,13 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub result = NULL; break; } - + /* If we have matched an empty string, mimic what Perl's /g options does. This turns out to be rather cunning. First we set PCRE_NOTEMPTY and try the match again at the same point. If this fails (picked up above) we advance to the next character. */ g_notempty = (offsets[1] == offsets[0])? PCRE_NOTEMPTY | PCRE_ANCHORED : 0; - + /* Advance to the next piece. */ start_offset = offsets[1]; } @@ -1284,18 +1284,18 @@ static char *php_replace_in_subject(zval *regex, zval *replace, zval **subject, *result; int subject_len; - /* Make sure we're dealing with strings. */ + /* Make sure we're dealing with strings. */ convert_to_string_ex(subject); /* FIXME: This might need to be changed to STR_EMPTY_ALLOC(). Check if this zval could be dtor()'ed somehow */ ZVAL_STRINGL(&empty_replace, "", 0, 0); - + /* If regex is an array */ if (Z_TYPE_P(regex) == IS_ARRAY) { /* Duplicate subject string for repeated replacement */ subject_value = estrndup(Z_STRVAL_PP(subject), Z_STRLEN_PP(subject)); subject_len = Z_STRLEN_PP(subject); *result_len = subject_len; - + zend_hash_internal_pointer_reset(Z_ARRVAL_P(regex)); replace_value = replace; @@ -1304,9 +1304,9 @@ static char *php_replace_in_subject(zval *regex, zval *replace, zval **subject, /* For each entry in the regex array, get the entry */ while (zend_hash_get_current_data(Z_ARRVAL_P(regex), (void **)®ex_entry) == SUCCESS) { - /* Make sure we're dealing with strings. */ + /* Make sure we're dealing with strings. */ convert_to_string_ex(regex_entry); - + /* If replace is an array and not a callable construct */ if (Z_TYPE_P(replace) == IS_ARRAY && !is_callable_replace) { /* Get current entry */ @@ -1321,7 +1321,7 @@ static char *php_replace_in_subject(zval *regex, zval *replace, zval **subject, replace_value = &empty_replace; } } - + /* Do the actual replacement and put the result back into subject_value for further replacements. */ if ((result = php_pcre_replace(Z_STRVAL_PP(regex_entry), @@ -1377,12 +1377,12 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl ulong num_key; char *callback_name; int replace_count=0, old_replace_count; - + /* Get function parameters and do error-checking. */ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|lZ", ®ex, &replace, &subject, &limit, &zcount) == FAILURE) { return; } - + if (!is_callable_replace && Z_TYPE_PP(replace) == IS_ARRAY && Z_TYPE_PP(regex) != IS_ARRAY) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Parameter mismatch, pattern is a string while replacement is an array"); RETURN_FALSE; @@ -1408,10 +1408,10 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl if (ZEND_NUM_ARGS() > 3) { limit_val = limit; } - + if (Z_TYPE_PP(regex) != IS_ARRAY) convert_to_string_ex(regex); - + /* if subject is an array */ if (Z_TYPE_PP(subject) == IS_ARRAY) { array_init(return_value); @@ -1439,7 +1439,7 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl efree(result); } } - + zend_hash_move_forward(Z_ARRVAL_PP(subject)); } } else { /* if subject is not an array */ @@ -1456,7 +1456,7 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl zval_dtor(*zcount); ZVAL_LONG(*zcount, replace_count); } - + } /* }}} */ @@ -1484,7 +1484,7 @@ static PHP_FUNCTION(preg_filter) } /* }}} */ -/* {{{ proto array preg_split(string pattern, string subject [, int limit [, int flags]]) +/* {{{ proto array preg_split(string pattern, string subject [, int limit [, int flags]]) Split string into an array using a perl-style regular expression as a delimiter */ static PHP_FUNCTION(preg_split) { @@ -1496,12 +1496,12 @@ static PHP_FUNCTION(preg_split) long flags = 0; /* Match control flags */ pcre_cache_entry *pce; /* Compiled regular expression */ - /* Get function parameters and do error checking */ + /* Get function parameters and do error checking */ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|ll", ®ex, ®ex_len, &subject, &subject_len, &limit_val, &flags) == FAILURE) { RETURN_FALSE; } - + /* Compile regex or get it from cache. */ if ((pce = pcre_get_compiled_regex_cache(regex, regex_len TSRMLS_CC)) == NULL) { RETURN_FALSE; @@ -1538,7 +1538,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec no_empty = flags & PREG_SPLIT_NO_EMPTY; delim_capture = flags & PREG_SPLIT_DELIM_CAPTURE; offset_capture = flags & PREG_SPLIT_OFFSET_CAPTURE; - + if (limit_val == 0) { limit_val = -1; } @@ -1549,7 +1549,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec } extra->match_limit = PCRE_G(backtrack_limit); extra->match_limit_recursion = PCRE_G(recursion_limit); - + /* Initialize return value */ array_init(return_value); @@ -1561,13 +1561,13 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec } size_offsets = (size_offsets + 1) * 3; offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0); - + /* Start at the beginning of the string */ start_offset = 0; next_offset = 0; last_match = subject; PCRE_G(error_code) = PHP_PCRE_NO_ERROR; - + /* Get next piece if no limit or limit not yet reached and something matched*/ while ((limit_val == -1 || limit_val > 1)) { count = pcre_exec(pce->re, extra, subject, @@ -1582,9 +1582,9 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec php_error_docref(NULL TSRMLS_CC,E_NOTICE, "Matched, but too many substrings"); count = size_offsets/3; } - + /* If something matched */ - if (count > 0) { + if (count > 0 && (offsets[1] - offsets[0] >= 0)) { if (!no_empty || &subject[offsets[0]] != last_match) { if (offset_capture) { @@ -1600,7 +1600,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec if (limit_val != -1) limit_val--; } - + last_match = &subject[offsets[1]]; next_offset = offsets[1]; @@ -1657,7 +1657,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec the match again at the same point. If this fails (picked up above) we advance to the next character. */ g_notempty = (offsets[1] == offsets[0])? PCRE_NOTEMPTY | PCRE_ANCHORED : 0; - + /* Advance to the position right after the last full match */ start_offset = offsets[1]; } @@ -1676,7 +1676,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec } } - + /* Clean up */ efree(offsets); } @@ -1697,13 +1697,13 @@ static PHP_FUNCTION(preg_quote) delim_char=0, /* Delimiter character to be quoted */ c; /* Current character */ zend_bool quote_delim = 0; /* Whether to quote additional delim char */ - + /* Get the arguments and check for errors */ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &in_str, &in_str_len, &delim, &delim_len) == FAILURE) { return; } - + in_str_end = in_str + in_str_len; /* Nothing to do if we got an empty string */ @@ -1715,11 +1715,11 @@ static PHP_FUNCTION(preg_quote) delim_char = delim[0]; quote_delim = 1; } - + /* Allocate enough memory so that even if each character is quoted, we won't run out of room */ out_str = safe_emalloc(4, in_str_len, 1); - + /* Go through the string and quote necessary characters */ for(p = in_str, q = out_str; p != in_str_end; p++) { c = *p; @@ -1763,7 +1763,7 @@ static PHP_FUNCTION(preg_quote) } } *q = '\0'; - + /* Reallocate string and return it */ RETVAL_STRINGL(erealloc(out_str, q - out_str + 1), q - out_str, 0); } @@ -1784,7 +1784,7 @@ static PHP_FUNCTION(preg_grep) &input, &flags) == FAILURE) { return; } - + /* Compile regex or get it from cache. */ if ((pce = pcre_get_compiled_regex_cache(regex, regex_len TSRMLS_CC)) == NULL) { RETURN_FALSE; @@ -1809,9 +1809,9 @@ PHPAPI void php_pcre_grep_impl(pcre_cache_entry *pce, zval *input, zval *return zend_bool invert; /* Whether to return non-matching entries */ int rc; - + invert = flags & PREG_GREP_INVERT ? 1 : 0; - + if (extra == NULL) { extra_data.flags = PCRE_EXTRA_MATCH_LIMIT | PCRE_EXTRA_MATCH_LIMIT_RECURSION; extra = &extra_data; @@ -1827,7 +1827,7 @@ PHPAPI void php_pcre_grep_impl(pcre_cache_entry *pce, zval *input, zval *return } size_offsets = (size_offsets + 1) * 3; offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0); - + /* Initialize return array */ array_init(return_value); @@ -1940,7 +1940,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_preg_split, 0, 0, 2) ZEND_ARG_INFO(0, pattern) ZEND_ARG_INFO(0, subject) ZEND_ARG_INFO(0, limit) - ZEND_ARG_INFO(0, flags) + ZEND_ARG_INFO(0, flags) ZEND_END_ARG_INFO() ZEND_BEGIN_ARG_INFO_EX(arginfo_preg_quote, 0, 0, 1) diff --git a/ext/pcre/tests/bug70345.phpt b/ext/pcre/tests/bug70345.phpt new file mode 100644 index 0000000000..0947ba3daa --- /dev/null +++ b/ext/pcre/tests/bug70345.phpt @@ -0,0 +1,24 @@ +--TEST-- +Bug #70345 (Multiple vulnerabilities related to PCRE functions) +--FILE-- +<?php +$regex = '/(?=xyz\K)/'; +$subject = "aaaaxyzaaaa"; + +$v = preg_split($regex, $subject); +print_r($v); + +$regex = '/(a(?=xyz\K))/'; +$subject = "aaaaxyzaaaa"; +preg_match($regex, $subject, $matches); + +var_dump($matches); +--EXPECTF-- +Array +( + [0] => aaaaxyzaaaa +) + +Warning: preg_match(): Get subpatterns list failed in %s on line %d +array(0) { +} diff --git a/ext/soap/soap.c b/ext/soap/soap.c index 41ad45f82f..0e4f1dd763 100644 --- a/ext/soap/soap.c +++ b/ext/soap/soap.c @@ -995,7 +995,7 @@ static HashTable* soap_create_typemap(sdlPtr sdl, HashTable *ht TSRMLS_DC) HashTable *ht2; HashPosition pos1, pos2; HashTable *typemap = NULL; - + zend_hash_internal_pointer_reset_ex(ht, &pos1); while (zend_hash_get_current_data_ex(ht, (void**)&tmp, &pos1) == SUCCESS) { char *type_name = NULL; @@ -1039,7 +1039,7 @@ static HashTable* soap_create_typemap(sdlPtr sdl, HashTable *ht TSRMLS_DC) } } zend_hash_move_forward_ex(ht2, &pos2); - } + } if (type_name) { smart_str nscat = {0}; @@ -1069,7 +1069,7 @@ static HashTable* soap_create_typemap(sdlPtr sdl, HashTable *ht TSRMLS_DC) new_enc->to_xml = enc->to_xml; new_enc->to_zval = enc->to_zval; new_enc->details.map = emalloc(sizeof(soapMapping)); - memset(new_enc->details.map, 0, sizeof(soapMapping)); + memset(new_enc->details.map, 0, sizeof(soapMapping)); if (to_xml) { zval_add_ref(&to_xml); new_enc->details.map->to_xml = to_xml; @@ -1126,7 +1126,7 @@ PHP_METHOD(SoapServer, SoapServer) if (Z_TYPE_P(wsdl) != IS_STRING && Z_TYPE_P(wsdl) != IS_NULL) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid parameters"); } - + service = emalloc(sizeof(soapService)); memset(service, 0, sizeof(soapService)); service->send_errors = 1; @@ -1161,7 +1161,7 @@ PHP_METHOD(SoapServer, SoapServer) if (zend_hash_find(ht, "encoding", sizeof("encoding"), (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) { xmlCharEncodingHandlerPtr encoding; - + encoding = xmlFindCharEncodingHandler(Z_STRVAL_PP(tmp)); if (encoding == NULL) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid 'encoding' option - '%s'", Z_STRVAL_PP(tmp)); @@ -1221,7 +1221,7 @@ PHP_METHOD(SoapServer, SoapServer) } } } - + if (typemap_ht) { service->typemap = soap_create_typemap(service->sdl, typemap_ht TSRMLS_CC); } @@ -1351,7 +1351,7 @@ PHP_METHOD(SoapServer, getFunctions) if (zend_parse_parameters_none() == FAILURE) { return; } - + FETCH_THIS_SERVICE(service); array_init(return_value); @@ -1511,7 +1511,7 @@ PHP_METHOD(SoapServer, handle) FETCH_THIS_SERVICE(service); SOAP_GLOBAL(soap_version) = service->version; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|s", &arg, &arg_len) == FAILURE) { return; } @@ -1936,7 +1936,7 @@ PHP_METHOD(SoapServer, handle) if (size == 0) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Dump memory failed"); - } + } if (soap_version == SOAP_1_2) { sapi_add_header("Content-Type: application/soap+xml; charset=utf-8", sizeof("Content-Type: application/soap+xml; charset=utf-8")-1, 1); @@ -2152,10 +2152,10 @@ static void soap_error_handler(int error_num, const char *error_filename, const use_exceptions = 1; } - if ((error_num == E_USER_ERROR || - error_num == E_COMPILE_ERROR || + if ((error_num == E_USER_ERROR || + error_num == E_COMPILE_ERROR || error_num == E_CORE_ERROR || - error_num == E_ERROR || + error_num == E_ERROR || error_num == E_PARSE) && use_exceptions) { zval *fault, *exception; @@ -2224,10 +2224,10 @@ static void soap_error_handler(int error_num, const char *error_filename, const va_list argcopy; #endif - if (error_num == E_USER_ERROR || - error_num == E_COMPILE_ERROR || + if (error_num == E_USER_ERROR || + error_num == E_COMPILE_ERROR || error_num == E_CORE_ERROR || - error_num == E_ERROR || + error_num == E_ERROR || error_num == E_PARSE) { char* code = SOAP_GLOBAL(error_code); @@ -2457,13 +2457,13 @@ PHP_METHOD(SoapClient, SoapClient) if (zend_hash_find(ht, "encoding", sizeof("encoding"), (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) { xmlCharEncodingHandlerPtr encoding; - + encoding = xmlFindCharEncodingHandler(Z_STRVAL_PP(tmp)); if (encoding == NULL) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid 'encoding' option - '%s'", Z_STRVAL_PP(tmp)); } else { xmlCharEncCloseFunc(encoding); - add_property_stringl(this_ptr, "_encoding", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + add_property_stringl(this_ptr, "_encoding", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } } if (zend_hash_find(ht, "classmap", sizeof("classmap"), (void**)&tmp) == SUCCESS && @@ -2498,7 +2498,7 @@ PHP_METHOD(SoapClient, SoapClient) if (context) { add_property_resource(this_ptr, "_stream_context", context->rsrc_id); } - + if (zend_hash_find(ht, "cache_wsdl", sizeof("cache_wsdl"), (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_LONG) { cache_wsdl = Z_LVAL_PP(tmp); @@ -2508,7 +2508,7 @@ PHP_METHOD(SoapClient, SoapClient) Z_TYPE_PP(tmp) == IS_STRING) { add_property_stringl(this_ptr, "_user_agent", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } - + if (zend_hash_find(ht, "keep_alive", sizeof("keep_alive"), (void**)&tmp) == SUCCESS && (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && Z_LVAL_PP(tmp) == 0) { add_property_long(this_ptr, "_keep_alive", 0); @@ -2616,7 +2616,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act xmlFree(buf); if (ret && zend_hash_find(Z_OBJPROP_P(this_ptr), "__soap_fault", sizeof("__soap_fault"), (void **) &fault) == SUCCESS) { return FALSE; - } + } return ret; } @@ -2922,8 +2922,10 @@ PHP_METHOD(SoapClient, __call) } zend_hash_internal_pointer_reset(default_headers); while (zend_hash_get_current_data(default_headers, (void**)&tmp) == SUCCESS) { - Z_ADDREF_PP(tmp); - zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); + if(Z_TYPE_PP(tmp) == IS_OBJECT) { + Z_ADDREF_PP(tmp); + zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); + } zend_hash_move_forward(default_headers); } } else { @@ -2931,7 +2933,7 @@ PHP_METHOD(SoapClient, __call) free_soap_headers = 0; } } - + arg_count = zend_hash_num_elements(Z_ARRVAL_P(args)); if (arg_count > 0) { @@ -2997,7 +2999,7 @@ PHP_METHOD(SoapClient, __getTypes) HashPosition pos; FETCH_THIS_SDL(sdl); - + if (zend_parse_parameters_none() == FAILURE) { return; } @@ -3026,7 +3028,7 @@ PHP_METHOD(SoapClient, __getTypes) PHP_METHOD(SoapClient, __getLastRequest) { zval **tmp; - + if (zend_parse_parameters_none() == FAILURE) { return; } @@ -3049,7 +3051,7 @@ PHP_METHOD(SoapClient, __getLastResponse) if (zend_parse_parameters_none() == FAILURE) { return; } - + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); @@ -3064,11 +3066,11 @@ PHP_METHOD(SoapClient, __getLastResponse) PHP_METHOD(SoapClient, __getLastRequestHeaders) { zval **tmp; - + if (zend_parse_parameters_none() == FAILURE) { return; } - + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); @@ -3083,7 +3085,7 @@ PHP_METHOD(SoapClient, __getLastRequestHeaders) PHP_METHOD(SoapClient, __getLastResponseHeaders) { zval **tmp; - + if (zend_parse_parameters_none() == FAILURE) { return; } @@ -3228,10 +3230,10 @@ PHP_METHOD(SoapClient, __setSoapHeaders) /* {{{ proto string SoapClient::__setLocation([string new_location]) - Sets the location option (the endpoint URL that will be touched by the + Sets the location option (the endpoint URL that will be touched by the following SOAP requests). If new_location is not specified or null then SoapClient will use endpoint - from WSDL file. + from WSDL file. The function returns old value of location options. */ PHP_METHOD(SoapClient, __setLocation) { @@ -3280,10 +3282,10 @@ static void set_soap_fault(zval *obj, char *fault_code_ns, char *fault_code, cha if (Z_TYPE_P(obj) != IS_OBJECT) { object_init_ex(obj, soap_fault_class_entry); } - + add_property_string(obj, "faultstring", fault_string ? fault_string : "", 1); zend_update_property_string(zend_exception_get_default(TSRMLS_C), obj, "message", sizeof("message")-1, (fault_string ? fault_string : "") TSRMLS_CC); - + if (fault_code != NULL) { int soap_version = SOAP_GLOBAL(soap_version); @@ -3708,7 +3710,7 @@ ignore_header: func = func->children; } deserialize_parameters(func, function, num_params, parameters TSRMLS_CC); - + encode_finish(); return function; @@ -3990,8 +3992,8 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function } if (fault_ns == NULL && - fault && - fault->details && + fault && + fault->details && zend_hash_num_elements(fault->details) == 1) { sdlParamPtr sparam; @@ -4015,7 +4017,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function xmlChar *code = xmlBuildQName(BAD_CAST(str), nsptr->prefix, NULL, 0); xmlNodeSetContent(node, code); xmlFree(code); - } else { + } else { xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len); } efree(str); @@ -4041,7 +4043,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function xmlChar *code = xmlBuildQName(BAD_CAST(str), nsptr->prefix, NULL, 0); xmlNodeSetContent(node, code); xmlFree(code); - } else { + } else { xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len); } efree(str); @@ -4213,7 +4215,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function encode_finish(); - if (function && function->responseName == NULL && + if (function && function->responseName == NULL && body->children == NULL && head == NULL) { xmlFreeDoc(doc); return NULL; @@ -4347,11 +4349,18 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function if (head) { zval** header; - zend_hash_internal_pointer_reset(soap_headers); - while (zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS) { - HashTable *ht = Z_OBJPROP_PP(header); + for(zend_hash_internal_pointer_reset(soap_headers); + zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS; + zend_hash_move_forward(soap_headers) + ) { + HashTable *ht; zval **name, **ns, **tmp; + if (Z_TYPE_PP(header) != IS_OBJECT) { + continue; + } + + ht = Z_OBJPROP_PP(header); if (zend_hash_find(ht, "name", sizeof("name"), (void**)&name) == SUCCESS && Z_TYPE_PP(name) == IS_STRING && zend_hash_find(ht, "namespace", sizeof("namespace"), (void**)&ns) == SUCCESS && @@ -4390,7 +4399,6 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function xmlSetNs(h, nsptr); set_soap_header_attributes(h, ht, version); } - zend_hash_move_forward(soap_headers); } } @@ -4501,7 +4509,7 @@ static sdlParamPtr get_param(sdlFunctionPtr function, char *param_name, int inde return *tmp; } else { HashPosition pos; - + zend_hash_internal_pointer_reset_ex(ht, &pos); while (zend_hash_get_current_data_ex(ht, (void **)&tmp, &pos) != FAILURE) { if ((*tmp)->paramName && strcmp(param_name, (*tmp)->paramName) == 0) { diff --git a/ext/soap/tests/bug70388.phpt b/ext/soap/tests/bug70388.phpt new file mode 100644 index 0000000000..49a8efc0ff --- /dev/null +++ b/ext/soap/tests/bug70388.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #70388 (SOAP serialize_function_call() type confusion / RCE) +--SKIPIF-- +<?php require_once('skipif.inc'); ?> +--FILE-- +<?php +$dummy = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"X";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";a:1:{i:1;s:1337:"'.str_repeat("X", 1337).'";}}'); +try { + var_dump($dummy->notexisting()); +} catch(Exception $e) { + var_dump($e->getMessage()); + var_dump(get_class($e)); +} +?> +--EXPECTF-- +string(%d) "%s" +string(9) "SoapFault"
\ No newline at end of file diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c index 053173f010..2f2cf2826e 100644 --- a/ext/spl/spl_dllist.c +++ b/ext/spl/spl_dllist.c @@ -1220,6 +1220,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) zval_ptr_dtor(&elem); goto error; } + var_push_dtor(&var_hash, &elem); spl_ptr_llist_push(intern->llist, elem TSRMLS_CC); } diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index a5ec94b7a8..cfe0479652 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -843,6 +843,7 @@ SPL_METHOD(SplObjectStorage, unserialize) zval_ptr_dtor(&pentry); goto outexcept; } + var_push_dtor(&var_hash, &pentry); if(Z_TYPE_P(pentry) != IS_OBJECT) { zval_ptr_dtor(&pentry); goto outexcept; @@ -854,6 +855,7 @@ SPL_METHOD(SplObjectStorage, unserialize) zval_ptr_dtor(&pinf); goto outexcept; } + var_push_dtor(&var_hash, &pinf); } hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC); diff --git a/ext/spl/tests/bug70155.phpt b/ext/spl/tests/bug70155.phpt new file mode 100644 index 0000000000..1730a1a587 --- /dev/null +++ b/ext/spl/tests/bug70155.phpt @@ -0,0 +1,50 @@ +--TEST-- +SPL: Bug #70155 Use After Free Vulnerability in unserialize() with SPLArrayObject +--FILE-- +<?php +$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";i:3;};m:a:1:{i:0;R:2;}'; +$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}'; +$data = unserialize($exploit); + +var_dump($data); +?> +===DONE=== +--EXPECTF-- +object(ArrayObject)#1 (2) { + [0]=> + int(0) + ["storage":"ArrayObject":private]=> + object(DateInterval)#2 (15) { + ["y"]=> + int(3) + ["m"]=> + int(-1) + ["d"]=> + int(-1) + ["h"]=> + int(-1) + ["i"]=> + int(-1) + ["s"]=> + int(-1) + ["weekday"]=> + int(-1) + ["weekday_behavior"]=> + int(-1) + ["first_last_day_of"]=> + int(-1) + ["invert"]=> + int(0) + ["days"]=> + int(-1) + ["special_type"]=> + int(0) + ["special_amount"]=> + int(-1) + ["have_weekday_relative"]=> + int(0) + ["have_special_relative"]=> + int(0) + } +} +===DONE=== diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt new file mode 100644 index 0000000000..c18110e3ca --- /dev/null +++ b/ext/spl/tests/bug70365.phpt @@ -0,0 +1,50 @@ +--TEST-- +SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage +--FILE-- +<?php +class obj { + var $ryat; + function __wakeup() { + $this->ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}'; +$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +--EXPECTF-- +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#%d (1) { + ["ryat"]=> + &int(1) + } + [3]=> + int(1) + [4]=> + string(24) "%s" +} diff --git a/ext/spl/tests/bug70366.phpt b/ext/spl/tests/bug70366.phpt new file mode 100644 index 0000000000..c9aa584ae2 --- /dev/null +++ b/ext/spl/tests/bug70366.phpt @@ -0,0 +1,54 @@ +--TEST-- +SPL: Bug #70366 use-after-free vulnerability in unserialize() with SplDoublyLinkedList +--FILE-- +<?php +class obj { + var $ryat; + function __wakeup() { + $this->ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'i:1234;:i:1;'; +$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECTF-- +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#%d (1) { + ["ryat"]=> + &int(1) + } + [3]=> + array(1) { + [0]=> + int(1) + } + [4]=> + string(24) "%s" +}
\ No newline at end of file diff --git a/ext/standard/tests/serialize/bug70172.phpt b/ext/standard/tests/serialize/bug70172.phpt new file mode 100644 index 0000000000..0e9d7ed89a --- /dev/null +++ b/ext/standard/tests/serialize/bug70172.phpt @@ -0,0 +1,52 @@ +--TEST-- +Bug #70172 - Use After Free Vulnerability in unserialize() +--FILE-- +<?php +class obj implements Serializable { + var $data; + function serialize() { + return serialize($this->data); + } + function unserialize($data) { + $this->data = unserialize($data); + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'r:2;'; +$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}'; + +$data = unserialize($exploit); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECTF-- +array(2) { + [0]=> + int(1) + [1]=> + object(obj)#%d (1) { + ["data"]=> + int(1) + } +}
\ No newline at end of file diff --git a/ext/standard/var.c b/ext/standard/var.c index aacb49f2bb..7ecad80728 100644 --- a/ext/standard/var.c +++ b/ext/standard/var.c @@ -373,7 +373,7 @@ static int php_array_element_export(zval **zv TSRMLS_DC, int num_args, va_list a smart_str_appendc(buf, ','); smart_str_appendc(buf, '\n'); - + return 0; } /* }}} */ @@ -392,7 +392,7 @@ static int php_object_element_export(zval **zv TSRMLS_DC, int num_args, va_list const char *pname; char *pname_esc; int pname_esc_len; - + zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1, &class_name, &pname); pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0, @@ -469,7 +469,7 @@ PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC) buffer_append_spaces(buf, level - 1); } smart_str_appendc(buf, ')'); - + break; case IS_OBJECT: @@ -802,7 +802,7 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var BG(serialize_lock)++; res = call_user_function_ex(CG(function_table), &struc, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC); BG(serialize_lock)--; - + if (EG(exception)) { if (retval_ptr) { zval_ptr_dtor(&retval_ptr); @@ -951,6 +951,8 @@ PHP_FUNCTION(unserialize) int buf_len; const unsigned char *p; php_unserialize_data_t var_hash; + int oldlevel; + zval *old_rval = return_value; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { RETURN_FALSE; @@ -970,6 +972,19 @@ PHP_FUNCTION(unserialize) } RETURN_FALSE; } + if (return_value != old_rval) { + /* + * Terrible hack due to the fact that executor passes us zval *, + * but unserialize with r/R wants to replace it with another zval * + */ + zval_dtor(old_rval); + *old_rval = *return_value; + zval_copy_ctor(old_rval); + var_push_dtor_no_addref(&var_hash, &return_value); + var_push_dtor_no_addref(&var_hash, &old_rval); + } else { + var_push_dtor(&var_hash, &return_value); + } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); } /* }}} */ diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 1aa5ff3e64..08ef139c27 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -69,7 +69,7 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); + fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -100,7 +100,7 @@ PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rv var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); + fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -179,6 +179,9 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx) while (var_hash) { for (i = 0; i < var_hash->used_slots; i++) { +#if VAR_ENTRIES_DBG + fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); +#endif zval_ptr_dtor(&var_hash->data[i]); } next = var_hash->next; @@ -239,7 +242,7 @@ static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen #define YYMARKER marker -#line 247 "ext/standard/var_unserializer.re" +#line 250 "ext/standard/var_unserializer.re" @@ -482,7 +485,9 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) start = cursor; -#line 487 "ext/standard/var_unserializer.c" + + +#line 491 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { @@ -542,9 +547,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 838 "ext/standard/var_unserializer.re" +#line 845 "ext/standard/var_unserializer.re" { return 0; } -#line 549 "ext/standard/var_unserializer.c" +#line 553 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; @@ -587,13 +592,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 832 "ext/standard/var_unserializer.re" +#line 839 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 598 "ext/standard/var_unserializer.c" +#line 602 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; @@ -624,7 +629,7 @@ yy20: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 686 "ext/standard/var_unserializer.re" +#line 692 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -640,6 +645,7 @@ yy20: zval **args[1]; zval *arg_func_name; + if (!var_hash) return 0; if (*start == 'C') { custom_object = 1; } @@ -770,7 +776,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 775 "ext/standard/var_unserializer.c" +#line 780 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -795,15 +801,16 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 678 "ext/standard/var_unserializer.re" +#line 683 "ext/standard/var_unserializer.re" { + if (!var_hash) return 0; INIT_PZVAL(*rval); return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 808 "ext/standard/var_unserializer.c" +#line 814 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -824,11 +831,12 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 658 "ext/standard/var_unserializer.re" +#line 662 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ *p = YYCURSOR; + if (!var_hash) return 0; if (elements < 0) { return 0; @@ -844,7 +852,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 849 "ext/standard/var_unserializer.c" +#line 856 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -865,7 +873,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 629 "ext/standard/var_unserializer.re" +#line 633 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -894,7 +902,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 899 "ext/standard/var_unserializer.c" +#line 906 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -915,7 +923,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 601 "ext/standard/var_unserializer.re" +#line 605 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -943,7 +951,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 948 "ext/standard/var_unserializer.c" +#line 955 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1031,7 +1039,7 @@ yy61: } yy63: ++YYCURSOR; -#line 591 "ext/standard/var_unserializer.re" +#line 595 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: @@ -1041,7 +1049,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1046 "ext/standard/var_unserializer.c" +#line 1053 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1100,7 +1108,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 576 "ext/standard/var_unserializer.re" +#line 580 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); @@ -1115,7 +1123,7 @@ yy73: return 1; } -#line 1120 "ext/standard/var_unserializer.c" +#line 1127 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1142,7 +1150,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 549 "ext/standard/var_unserializer.re" +#line 553 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1169,7 +1177,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1174 "ext/standard/var_unserializer.c" +#line 1181 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1177,24 +1185,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 542 "ext/standard/var_unserializer.re" +#line 546 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1189 "ext/standard/var_unserializer.c" +#line 1196 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 535 "ext/standard/var_unserializer.re" +#line 539 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1199 "ext/standard/var_unserializer.c" +#line 1206 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1217,7 +1225,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 512 "ext/standard/var_unserializer.re" +#line 516 "ext/standard/var_unserializer.re" { long id; @@ -1240,7 +1248,7 @@ yy91: return 1; } -#line 1245 "ext/standard/var_unserializer.c" +#line 1252 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1263,7 +1271,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR; -#line 491 "ext/standard/var_unserializer.re" +#line 495 "ext/standard/var_unserializer.re" { long id; @@ -1276,7 +1284,7 @@ yy97: } if (*rval != NULL) { - zval_ptr_dtor(rval); + var_push_dtor_no_addref(var_hash, rval); } *rval = *rval_ref; Z_ADDREF_PP(rval); @@ -1284,9 +1292,9 @@ yy97: return 1; } -#line 1289 "ext/standard/var_unserializer.c" +#line 1296 "ext/standard/var_unserializer.c" } -#line 840 "ext/standard/var_unserializer.re" +#line 847 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 488cfdcb3c..4e165bf374 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -67,7 +67,7 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); + fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -98,7 +98,7 @@ PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rv var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); + fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -177,6 +177,9 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx) while (var_hash) { for (i = 0; i < var_hash->used_slots; i++) { +#if VAR_ENTRIES_DBG + fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); +#endif zval_ptr_dtor(&var_hash->data[i]); } next = var_hash->next; @@ -501,7 +504,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) } if (*rval != NULL) { - zval_ptr_dtor(rval); + var_push_dtor_no_addref(var_hash, rval); } *rval = *rval_ref; Z_ADDREF_PP(rval); @@ -660,6 +663,7 @@ use_double: long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ *p = YYCURSOR; + if (!var_hash) return 0; if (elements < 0) { return 0; @@ -677,6 +681,7 @@ use_double: } "o:" iv ":" ["] { + if (!var_hash) return 0; INIT_PZVAL(*rval); @@ -699,6 +704,7 @@ object ":" uiv ":" ["] { zval **args[1]; zval *arg_func_name; + if (!var_hash) return 0; if (*start == 'C') { custom_object = 1; } diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index c268059b54..99c293c6d7 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -174,7 +174,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, int fil /* it is a directory only, see #40228 */ if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) { - len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file); + len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned); is_dir_only = 1; } else { memcpy(file_dirname, path_cleaned, path_cleaned_len); @@ -1865,7 +1865,7 @@ static ZIPARCHIVE_METHOD(addFromString) } fail: zip_source_free(zs); - RETURN_FALSE; + RETURN_FALSE; } /* }}} */ diff --git a/ext/zip/tests/bug70350.phpt b/ext/zip/tests/bug70350.phpt new file mode 100644 index 0000000000..c308f549cf --- /dev/null +++ b/ext/zip/tests/bug70350.phpt @@ -0,0 +1,33 @@ +--TEST-- +Bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories) +--SKIPIF-- +<?php +if(!extension_loaded('zip')) die('skip'); +?> +--FILE-- +<?php + +$dir = dirname(__FILE__)."/bug70350"; +mkdir($dir); +$archive = new ZipArchive(); +$archive->open("$dir/a.zip",ZipArchive::CREATE); +$archive->addEmptyDir("../down2/"); +$archive->close(); + +$archive2 = new ZipArchive(); +$archive2->open('a.zip'); +$archive2->extractTo($dir); +$archive2->close(); +var_dump(file_exists("$dir/down2/")); +var_dump(file_exists("../down2/")); +?> +--CLEAN-- +<?php +$dir = dirname(__FILE__)."/bug70350"; +rmdir("$dir/down2"); +unlink("$dir/a.zip"); +rmdir($dir); +?> +--EXPECT-- +bool(true) +bool(false) |