summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorStanislav Malyshev <stas@php.net>2018-04-23 22:00:24 -0700
committerStanislav Malyshev <stas@php.net>2018-04-23 22:00:24 -0700
commit95ee9efa572ae7b6931c846833a3283f06610a2e (patch)
treebf6e2f738aa041effe896bb9a79dd05480504657
parentff83c00715f6e036da5e5b627a742d2697871ae1 (diff)
parent5a18d7a0df075eb49a4e8094d1d54fed937f7565 (diff)
downloadphp-git-95ee9efa572ae7b6931c846833a3283f06610a2e.tar.gz
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0: Fix tsrm_ls Fix #76129 - remove more potential unfiltered outputs for phar Fix test Fix bug #76248 - Malicious LDAP-Server Response causes Crash Fix bug #76249 - fail on invalid sequences Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value Fix bug #75981: prevent reading beyond buffer start
-rw-r--r--ext/exif/exif.c2
-rw-r--r--ext/exif/tests/bug76130.phpt20
-rw-r--r--ext/exif/tests/bug76130_1.jpgbin0 -> 3396 bytes
-rw-r--r--ext/exif/tests/bug76130_2.jpgbin0 -> 1632 bytes
-rw-r--r--ext/iconv/iconv.c3
-rw-r--r--ext/iconv/tests/bug76249.phpt18
-rw-r--r--ext/ldap/ldap.c6
-rw-r--r--ext/ldap/tests/bug76248.phpt40
-rw-r--r--ext/phar/phar_object.c6
-rw-r--r--ext/phar/tests/cache_list/frontcontroller10.phpt2
-rw-r--r--ext/phar/tests/cache_list/frontcontroller6.phpt2
-rw-r--r--ext/phar/tests/cache_list/frontcontroller8.phpt2
-rw-r--r--ext/phar/tests/frontcontroller10.phpt2
-rw-r--r--ext/phar/tests/frontcontroller6.phpt2
-rw-r--r--ext/phar/tests/frontcontroller8.phpt2
-rw-r--r--ext/phar/tests/tar/frontcontroller10.phar.phpt2
-rw-r--r--ext/phar/tests/tar/frontcontroller6.phar.phpt2
-rw-r--r--ext/phar/tests/tar/frontcontroller8.phar.phpt2
-rw-r--r--ext/phar/tests/zip/frontcontroller10.phar.phpt2
-rw-r--r--ext/phar/tests/zip/frontcontroller6.phar.phpt2
-rw-r--r--ext/phar/tests/zip/frontcontroller8.phar.phpt2
21 files changed, 101 insertions, 18 deletions
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 23479dadd2..b30bcb468f 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1704,7 +1704,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
case TAG_FMT_UNDEFINED:
if (value) {
if (tag == TAG_MAKER_NOTE) {
- length = MIN(length, strlen(value));
+ length = (int) php_strnlen(value, length);
}
/* do not recompute length here */
diff --git a/ext/exif/tests/bug76130.phpt b/ext/exif/tests/bug76130.phpt
new file mode 100644
index 0000000000..9c826af629
--- /dev/null
+++ b/ext/exif/tests/bug76130.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value)
+--DESCRIPTION--
+This test is meant to exhibit memory issues with the `-m` option. Since a lot of
+notices and warnings are to be expected anyway, we suppress these, since the are
+not relevant for this test.
+--INI--
+error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76130_1.jpg');
+exif_read_data(__DIR__ . '/bug76130_2.jpg');
+?>
+===DONE===
+--EXPECT--
+===DONE===
diff --git a/ext/exif/tests/bug76130_1.jpg b/ext/exif/tests/bug76130_1.jpg
new file mode 100644
index 0000000000..e063e46d22
--- /dev/null
+++ b/ext/exif/tests/bug76130_1.jpg
Binary files differ
diff --git a/ext/exif/tests/bug76130_2.jpg b/ext/exif/tests/bug76130_2.jpg
new file mode 100644
index 0000000000..a9e79dca5c
--- /dev/null
+++ b/ext/exif/tests/bug76130_2.jpg
Binary files differ
diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
index df44a5cda0..7f7125b09f 100644
--- a/ext/iconv/iconv.c
+++ b/ext/iconv/iconv.c
@@ -2658,6 +2658,9 @@ static int php_iconv_stream_filter_append_bucket(
tcnt = 0;
break;
}
+ } else {
+ php_error_docref(NULL, E_WARNING, "iconv stream filter (\"%s\"=>\"%s\"): invalid multibyte sequence", self->from_charset, self->to_charset);
+ goto out_failure;
}
break;
diff --git a/ext/iconv/tests/bug76249.phpt b/ext/iconv/tests/bug76249.phpt
new file mode 100644
index 0000000000..1503f0bc81
--- /dev/null
+++ b/ext/iconv/tests/bug76249.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$fh = fopen('php://memory', 'rw');
+fwrite($fh, "abc");
+rewind($fh);
+stream_filter_append($fh, 'convert.iconv.ucs-2/utf8//IGNORE', STREAM_FILTER_READ, []);
+$a = stream_get_contents($fh);
+var_dump(strlen($a));
+?>
+DONE
+--EXPECTF--
+Warning: stream_get_contents(): iconv stream filter ("ucs-2"=>"utf8//IGNORE"): invalid multibyte sequence in %sbug76249.php on line %d
+int(3)
+DONE
diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
index 8dbea0c3ba..5f1913de8e 100644
--- a/ext/ldap/ldap.c
+++ b/ext/ldap/ldap.c
@@ -1170,7 +1170,11 @@ PHP_FUNCTION(ldap_get_entries)
add_assoc_long(&tmp1, "count", num_attrib);
dn = ldap_get_dn(ldap, ldap_result_entry);
- add_assoc_string(&tmp1, "dn", dn);
+ if (dn) {
+ add_assoc_string(&tmp1, "dn", dn);
+ } else {
+ add_assoc_null(&tmp1, "dn");
+ }
#if (LDAP_API_VERSION > 2000) || HAVE_NSLDAP || HAVE_ORALDAP || WINDOWS
ldap_memfree(dn);
#else
diff --git a/ext/ldap/tests/bug76248.phpt b/ext/ldap/tests/bug76248.phpt
new file mode 100644
index 0000000000..45a7f83efb
--- /dev/null
+++ b/ext/ldap/tests/bug76248.phpt
@@ -0,0 +1,40 @@
+--TEST--
+Bug #76248 (Malicious LDAP-Server Response causes Crash)
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+if (!function_exists('pcntl_fork')) die('skip fork not available');
+?>
+--FILE--
+<?php
+$pid = pcntl_fork();
+const PORT = 12345;
+if ($pid == 0) {
+ // child
+ $server = stream_socket_server("tcp://127.0.0.1:12345");
+ $socket = stream_socket_accept($server, 3);
+ fwrite($socket, base64_decode("MAwCAQFhBwoBAAQABAAweQIBAmR0BJljbj1yb290LGRjPWV4YW1wbGUsZGM9Y29tMFcwIwQLb2JqZWN0Q2xhc3MxFAQSb3JnYW5pemF0aW9uYWxSb2xlMAwEAmNuMQYEBHJvb3QwIgQLZGVzY3JpcHRpb24xEwQRRGlyZWN0b3J5IE1hbmFnZXIwDAIBAmUHCgEABAAEADB5AgEDZHQEmWNuPXJvb3QsZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUwDAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjAMAgEDZQcKAQAEAAQA"));
+ fflush($socket);
+} else {
+ // parent
+ $ds = ldap_connect("127.0.0.1", PORT);
+ ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+ $b = ldap_bind($ds, "cn=root,dc=example,dc=com", "secret");
+
+ $s = ldap_search($ds, "dc=example,dc=com", "(cn=root)");
+ $tt = ldap_get_entries($ds, $s);
+ var_dump($tt);
+}
+?>
+--EXPECT--
+array(2) {
+ ["count"]=>
+ int(1)
+ [0]=>
+ array(2) {
+ ["count"]=>
+ int(0)
+ ["dn"]=>
+ NULL
+ }
+} \ No newline at end of file
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index faa5ff26d1..905fcece73 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -308,8 +308,7 @@ static void phar_do_403(char *entry, int entry_len) /* {{{ */
sapi_header_op(SAPI_HEADER_REPLACE, &ctr);
sapi_send_headers();
PHPWRITE("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ", sizeof("<html>\n <head>\n <title>Access Denied</title>\n </head>\n <body>\n <h1>403 - File ") - 1);
- PHPWRITE(entry, entry_len);
- PHPWRITE(" Access Denied</h1>\n </body>\n</html>", sizeof(" Access Denied</h1>\n </body>\n</html>") - 1);
+ PHPWRITE("Access Denied</h1>\n </body>\n</html>", sizeof("Access Denied</h1>\n </body>\n</html>") - 1);
}
/* }}} */
@@ -333,8 +332,7 @@ static void phar_do_404(phar_archive_data *phar, char *fname, int fname_len, cha
sapi_header_op(SAPI_HEADER_REPLACE, &ctr);
sapi_send_headers();
PHPWRITE("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ", sizeof("<html>\n <head>\n <title>File Not Found</title>\n </head>\n <body>\n <h1>404 - File ") - 1);
- PHPWRITE(entry, entry_len);
- PHPWRITE(" Not Found</h1>\n </body>\n</html>", sizeof(" Not Found</h1>\n </body>\n</html>") - 1);
+ PHPWRITE("Not Found</h1>\n </body>\n</html>", sizeof("Not Found</h1>\n </body>\n</html>") - 1);
}
/* }}} */
diff --git a/ext/phar/tests/cache_list/frontcontroller10.phpt b/ext/phar/tests/cache_list/frontcontroller10.phpt
index 00177d4ff5..5fd986895d 100644
--- a/ext/phar/tests/cache_list/frontcontroller10.phpt
+++ b/ext/phar/tests/cache_list/frontcontroller10.phpt
@@ -20,6 +20,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html>
diff --git a/ext/phar/tests/cache_list/frontcontroller6.phpt b/ext/phar/tests/cache_list/frontcontroller6.phpt
index 2480be4129..a79c958517 100644
--- a/ext/phar/tests/cache_list/frontcontroller6.phpt
+++ b/ext/phar/tests/cache_list/frontcontroller6.phpt
@@ -18,6 +18,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/cache_list/frontcontroller8.phpt b/ext/phar/tests/cache_list/frontcontroller8.phpt
index bf9b390def..e04f9e5a3a 100644
--- a/ext/phar/tests/cache_list/frontcontroller8.phpt
+++ b/ext/phar/tests/cache_list/frontcontroller8.phpt
@@ -18,6 +18,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/frontcontroller10.phpt b/ext/phar/tests/frontcontroller10.phpt
index 667d5c243c..b3f5e640dd 100644
--- a/ext/phar/tests/frontcontroller10.phpt
+++ b/ext/phar/tests/frontcontroller10.phpt
@@ -19,6 +19,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html>
diff --git a/ext/phar/tests/frontcontroller6.phpt b/ext/phar/tests/frontcontroller6.phpt
index 1a2cc2cd23..c5dd382b10 100644
--- a/ext/phar/tests/frontcontroller6.phpt
+++ b/ext/phar/tests/frontcontroller6.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/frontcontroller8.phpt b/ext/phar/tests/frontcontroller8.phpt
index 36e3206d66..77d33dac38 100644
--- a/ext/phar/tests/frontcontroller8.phpt
+++ b/ext/phar/tests/frontcontroller8.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/tar/frontcontroller10.phar.phpt b/ext/phar/tests/tar/frontcontroller10.phar.phpt
index f1fc6e3d0f..23ce6f37e2 100644
--- a/ext/phar/tests/tar/frontcontroller10.phar.phpt
+++ b/ext/phar/tests/tar/frontcontroller10.phar.phpt
@@ -19,6 +19,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/tar/frontcontroller6.phar.phpt b/ext/phar/tests/tar/frontcontroller6.phar.phpt
index 5375beef8c..b811f00f75 100644
--- a/ext/phar/tests/tar/frontcontroller6.phar.phpt
+++ b/ext/phar/tests/tar/frontcontroller6.phar.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/tar/frontcontroller8.phar.phpt b/ext/phar/tests/tar/frontcontroller8.phar.phpt
index 19844cb199..a180e2010a 100644
--- a/ext/phar/tests/tar/frontcontroller8.phar.phpt
+++ b/ext/phar/tests/tar/frontcontroller8.phar.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/zip/frontcontroller10.phar.phpt b/ext/phar/tests/zip/frontcontroller10.phar.phpt
index 56d16c2064..5bbe9e1aff 100644
--- a/ext/phar/tests/zip/frontcontroller10.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller10.phar.phpt
@@ -19,6 +19,6 @@ Status: 403 Access Denied
<title>Access Denied</title>
</head>
<body>
- <h1>403 - File /hi Access Denied</h1>
+ <h1>403 - File Access Denied</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/zip/frontcontroller6.phar.phpt b/ext/phar/tests/zip/frontcontroller6.phar.phpt
index 15489f6ca7..63f7c62e88 100644
--- a/ext/phar/tests/zip/frontcontroller6.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller6.phar.phpt
@@ -17,6 +17,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /notfound.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file
diff --git a/ext/phar/tests/zip/frontcontroller8.phar.phpt b/ext/phar/tests/zip/frontcontroller8.phar.phpt
index 1b0d133bc7..d4c3a3f9ea 100644
--- a/ext/phar/tests/zip/frontcontroller8.phar.phpt
+++ b/ext/phar/tests/zip/frontcontroller8.phar.phpt
@@ -16,6 +16,6 @@ Status: 404 Not Found
<title>File Not Found</title>
</head>
<body>
- <h1>404 - File /index.php Not Found</h1>
+ <h1>404 - File Not Found</h1>
</body>
</html> \ No newline at end of file