diff options
author | Stanislav Malyshev <stas@php.net> | 2018-04-23 22:00:24 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2018-04-23 22:00:24 -0700 |
commit | 95ee9efa572ae7b6931c846833a3283f06610a2e (patch) | |
tree | bf6e2f738aa041effe896bb9a79dd05480504657 | |
parent | ff83c00715f6e036da5e5b627a742d2697871ae1 (diff) | |
parent | 5a18d7a0df075eb49a4e8094d1d54fed937f7565 (diff) | |
download | php-git-95ee9efa572ae7b6931c846833a3283f06610a2e.tar.gz |
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0:
Fix tsrm_ls
Fix #76129 - remove more potential unfiltered outputs for phar
Fix test
Fix bug #76248 - Malicious LDAP-Server Response causes Crash
Fix bug #76249 - fail on invalid sequences
Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
Fix bug #75981: prevent reading beyond buffer start
21 files changed, 101 insertions, 18 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 23479dadd2..b30bcb468f 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -1704,7 +1704,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c case TAG_FMT_UNDEFINED: if (value) { if (tag == TAG_MAKER_NOTE) { - length = MIN(length, strlen(value)); + length = (int) php_strnlen(value, length); } /* do not recompute length here */ diff --git a/ext/exif/tests/bug76130.phpt b/ext/exif/tests/bug76130.phpt new file mode 100644 index 0000000000..9c826af629 --- /dev/null +++ b/ext/exif/tests/bug76130.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value) +--DESCRIPTION-- +This test is meant to exhibit memory issues with the `-m` option. Since a lot of +notices and warnings are to be expected anyway, we suppress these, since the are +not relevant for this test. +--INI-- +error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE +--SKIPIF-- +<?php +if (!extension_loaded('exif')) die('skip exif extension not available'); +?> +--FILE-- +<?php +exif_read_data(__DIR__ . '/bug76130_1.jpg'); +exif_read_data(__DIR__ . '/bug76130_2.jpg'); +?> +===DONE=== +--EXPECT-- +===DONE=== diff --git a/ext/exif/tests/bug76130_1.jpg b/ext/exif/tests/bug76130_1.jpg Binary files differnew file mode 100644 index 0000000000..e063e46d22 --- /dev/null +++ b/ext/exif/tests/bug76130_1.jpg diff --git a/ext/exif/tests/bug76130_2.jpg b/ext/exif/tests/bug76130_2.jpg Binary files differnew file mode 100644 index 0000000000..a9e79dca5c --- /dev/null +++ b/ext/exif/tests/bug76130_2.jpg diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c index df44a5cda0..7f7125b09f 100644 --- a/ext/iconv/iconv.c +++ b/ext/iconv/iconv.c @@ -2658,6 +2658,9 @@ static int php_iconv_stream_filter_append_bucket( tcnt = 0; break; } + } else { + php_error_docref(NULL, E_WARNING, "iconv stream filter (\"%s\"=>\"%s\"): invalid multibyte sequence", self->from_charset, self->to_charset); + goto out_failure; } break; diff --git a/ext/iconv/tests/bug76249.phpt b/ext/iconv/tests/bug76249.phpt new file mode 100644 index 0000000000..1503f0bc81 --- /dev/null +++ b/ext/iconv/tests/bug76249.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence) +--SKIPIF-- +<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?> +--FILE-- +<?php +$fh = fopen('php://memory', 'rw'); +fwrite($fh, "abc"); +rewind($fh); +stream_filter_append($fh, 'convert.iconv.ucs-2/utf8//IGNORE', STREAM_FILTER_READ, []); +$a = stream_get_contents($fh); +var_dump(strlen($a)); +?> +DONE +--EXPECTF-- +Warning: stream_get_contents(): iconv stream filter ("ucs-2"=>"utf8//IGNORE"): invalid multibyte sequence in %sbug76249.php on line %d +int(3) +DONE diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c index 8dbea0c3ba..5f1913de8e 100644 --- a/ext/ldap/ldap.c +++ b/ext/ldap/ldap.c @@ -1170,7 +1170,11 @@ PHP_FUNCTION(ldap_get_entries) add_assoc_long(&tmp1, "count", num_attrib); dn = ldap_get_dn(ldap, ldap_result_entry); - add_assoc_string(&tmp1, "dn", dn); + if (dn) { + add_assoc_string(&tmp1, "dn", dn); + } else { + add_assoc_null(&tmp1, "dn"); + } #if (LDAP_API_VERSION > 2000) || HAVE_NSLDAP || HAVE_ORALDAP || WINDOWS ldap_memfree(dn); #else diff --git a/ext/ldap/tests/bug76248.phpt b/ext/ldap/tests/bug76248.phpt new file mode 100644 index 0000000000..45a7f83efb --- /dev/null +++ b/ext/ldap/tests/bug76248.phpt @@ -0,0 +1,40 @@ +--TEST-- +Bug #76248 (Malicious LDAP-Server Response causes Crash) +--SKIPIF-- +<?php +require_once('skipif.inc'); +if (!function_exists('pcntl_fork')) die('skip fork not available'); +?> +--FILE-- +<?php +$pid = pcntl_fork(); +const PORT = 12345; +if ($pid == 0) { + // child + $server = stream_socket_server("tcp://127.0.0.1:12345"); + $socket = stream_socket_accept($server, 3); + fwrite($socket, base64_decode("MAwCAQFhBwoBAAQABAAweQIBAmR0BJljbj1yb290LGRjPWV4YW1wbGUsZGM9Y29tMFcwIwQLb2JqZWN0Q2xhc3MxFAQSb3JnYW5pemF0aW9uYWxSb2xlMAwEAmNuMQYEBHJvb3QwIgQLZGVzY3JpcHRpb24xEwQRRGlyZWN0b3J5IE1hbmFnZXIwDAIBAmUHCgEABAAEADB5AgEDZHQEmWNuPXJvb3QsZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUwDAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjAMAgEDZQcKAQAEAAQA")); + fflush($socket); +} else { + // parent + $ds = ldap_connect("127.0.0.1", PORT); + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3); + $b = ldap_bind($ds, "cn=root,dc=example,dc=com", "secret"); + + $s = ldap_search($ds, "dc=example,dc=com", "(cn=root)"); + $tt = ldap_get_entries($ds, $s); + var_dump($tt); +} +?> +--EXPECT-- +array(2) { + ["count"]=> + int(1) + [0]=> + array(2) { + ["count"]=> + int(0) + ["dn"]=> + NULL + } +}
\ No newline at end of file diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index faa5ff26d1..905fcece73 100644 --- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -308,8 +308,7 @@ static void phar_do_403(char *entry, int entry_len) /* {{{ */ sapi_header_op(SAPI_HEADER_REPLACE, &ctr); sapi_send_headers(); PHPWRITE("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ", sizeof("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ") - 1); - PHPWRITE(entry, entry_len); - PHPWRITE(" Access Denied</h1>\n </body>\n</html>", sizeof(" Access Denied</h1>\n </body>\n</html>") - 1); + PHPWRITE("Access Denied</h1>\n </body>\n</html>", sizeof("Access Denied</h1>\n </body>\n</html>") - 1); } /* }}} */ @@ -333,8 +332,7 @@ static void phar_do_404(phar_archive_data *phar, char *fname, int fname_len, cha sapi_header_op(SAPI_HEADER_REPLACE, &ctr); sapi_send_headers(); PHPWRITE("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ", sizeof("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ") - 1); - PHPWRITE(entry, entry_len); - PHPWRITE(" Not Found</h1>\n </body>\n</html>", sizeof(" Not Found</h1>\n </body>\n</html>") - 1); + PHPWRITE("Not Found</h1>\n </body>\n</html>", sizeof("Not Found</h1>\n </body>\n</html>") - 1); } /* }}} */ diff --git a/ext/phar/tests/cache_list/frontcontroller10.phpt b/ext/phar/tests/cache_list/frontcontroller10.phpt index 00177d4ff5..5fd986895d 100644 --- a/ext/phar/tests/cache_list/frontcontroller10.phpt +++ b/ext/phar/tests/cache_list/frontcontroller10.phpt @@ -20,6 +20,6 @@ Status: 403 Access Denied <title>Access Denied</title> </head> <body> - <h1>403 - File /hi Access Denied</h1> + <h1>403 - File Access Denied</h1> </body> </html> diff --git a/ext/phar/tests/cache_list/frontcontroller6.phpt b/ext/phar/tests/cache_list/frontcontroller6.phpt index 2480be4129..a79c958517 100644 --- a/ext/phar/tests/cache_list/frontcontroller6.phpt +++ b/ext/phar/tests/cache_list/frontcontroller6.phpt @@ -18,6 +18,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /notfound.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/cache_list/frontcontroller8.phpt b/ext/phar/tests/cache_list/frontcontroller8.phpt index bf9b390def..e04f9e5a3a 100644 --- a/ext/phar/tests/cache_list/frontcontroller8.phpt +++ b/ext/phar/tests/cache_list/frontcontroller8.phpt @@ -18,6 +18,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /index.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/frontcontroller10.phpt b/ext/phar/tests/frontcontroller10.phpt index 667d5c243c..b3f5e640dd 100644 --- a/ext/phar/tests/frontcontroller10.phpt +++ b/ext/phar/tests/frontcontroller10.phpt @@ -19,6 +19,6 @@ Status: 403 Access Denied <title>Access Denied</title> </head> <body> - <h1>403 - File /hi Access Denied</h1> + <h1>403 - File Access Denied</h1> </body> </html> diff --git a/ext/phar/tests/frontcontroller6.phpt b/ext/phar/tests/frontcontroller6.phpt index 1a2cc2cd23..c5dd382b10 100644 --- a/ext/phar/tests/frontcontroller6.phpt +++ b/ext/phar/tests/frontcontroller6.phpt @@ -16,6 +16,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /notfound.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/frontcontroller8.phpt b/ext/phar/tests/frontcontroller8.phpt index 36e3206d66..77d33dac38 100644 --- a/ext/phar/tests/frontcontroller8.phpt +++ b/ext/phar/tests/frontcontroller8.phpt @@ -16,6 +16,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /index.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/tar/frontcontroller10.phar.phpt b/ext/phar/tests/tar/frontcontroller10.phar.phpt index f1fc6e3d0f..23ce6f37e2 100644 --- a/ext/phar/tests/tar/frontcontroller10.phar.phpt +++ b/ext/phar/tests/tar/frontcontroller10.phar.phpt @@ -19,6 +19,6 @@ Status: 403 Access Denied <title>Access Denied</title> </head> <body> - <h1>403 - File /hi Access Denied</h1> + <h1>403 - File Access Denied</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/tar/frontcontroller6.phar.phpt b/ext/phar/tests/tar/frontcontroller6.phar.phpt index 5375beef8c..b811f00f75 100644 --- a/ext/phar/tests/tar/frontcontroller6.phar.phpt +++ b/ext/phar/tests/tar/frontcontroller6.phar.phpt @@ -16,6 +16,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /notfound.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/tar/frontcontroller8.phar.phpt b/ext/phar/tests/tar/frontcontroller8.phar.phpt index 19844cb199..a180e2010a 100644 --- a/ext/phar/tests/tar/frontcontroller8.phar.phpt +++ b/ext/phar/tests/tar/frontcontroller8.phar.phpt @@ -16,6 +16,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /index.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/zip/frontcontroller10.phar.phpt b/ext/phar/tests/zip/frontcontroller10.phar.phpt index 56d16c2064..5bbe9e1aff 100644 --- a/ext/phar/tests/zip/frontcontroller10.phar.phpt +++ b/ext/phar/tests/zip/frontcontroller10.phar.phpt @@ -19,6 +19,6 @@ Status: 403 Access Denied <title>Access Denied</title> </head> <body> - <h1>403 - File /hi Access Denied</h1> + <h1>403 - File Access Denied</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/zip/frontcontroller6.phar.phpt b/ext/phar/tests/zip/frontcontroller6.phar.phpt index 15489f6ca7..63f7c62e88 100644 --- a/ext/phar/tests/zip/frontcontroller6.phar.phpt +++ b/ext/phar/tests/zip/frontcontroller6.phar.phpt @@ -17,6 +17,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /notfound.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file diff --git a/ext/phar/tests/zip/frontcontroller8.phar.phpt b/ext/phar/tests/zip/frontcontroller8.phar.phpt index 1b0d133bc7..d4c3a3f9ea 100644 --- a/ext/phar/tests/zip/frontcontroller8.phar.phpt +++ b/ext/phar/tests/zip/frontcontroller8.phar.phpt @@ -16,6 +16,6 @@ Status: 404 Not Found <title>File Not Found</title> </head> <body> - <h1>404 - File /index.php Not Found</h1> + <h1>404 - File Not Found</h1> </body> </html>
\ No newline at end of file |