authorStanislav Malyshev <stas@php.net>2019-01-06 23:32:36 -0800
committerStanislav Malyshev <stas@php.net>2019-01-06 23:33:34 -0800
commit1afebfb3faabafa7f8a28cf9351e86dd423a10ec (patch)
treec2b25e36a4a36acb2349c313d4136391e311c6ec
parent08bb0ce4e496d21190a8cff676b4aad3a4549e06 (diff)
parent9d6c59eeea88a3e9d7039cb4fed5126ef704593a (diff)
downloadphp-git-1afebfb3faabafa7f8a28cf9351e86dd423a10ec.tar.gz
Merge branch 'PHP-5.6' into PHP-7.1
* PHP-5.6: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code [ci skip] Add NEWS Fix more issues with encoding length Fix #77270: imagecolormatch Out Of Bounds Write on Heap Fix bug #77380 (Global out of bounds read in xmlrpc base64 code) Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) Fix bug #77370 - check that we do not read past buffer end when parsing multibytes Fix #77269: Potential unsigned underflow in gdImageScale Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) Regenerate certs for openssl tests
-rw-r--r--NEWS1
-rw-r--r--ext/mbstring/oniguruma/enc/utf16_be.c4
-rw-r--r--ext/mbstring/oniguruma/enc/utf16_le.c3
-rw-r--r--ext/mbstring/oniguruma/enc/utf32_be.c1
-rw-r--r--ext/mbstring/oniguruma/enc/utf32_le.c1
-rw-r--r--ext/mbstring/tests/bug77418.phpt14
6 files changed, 22 insertions, 2 deletions
diff --git a/NEWS b/NEWS
index f04449d2fe..3ecac51065 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,7 @@ PHP NEWS
expand_case_fold_string). (Stas)
. Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
. Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
+ . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)
- Phar:
. Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas)
diff --git a/ext/mbstring/oniguruma/enc/utf16_be.c b/ext/mbstring/oniguruma/enc/utf16_be.c
index 1e909ebbf2..9e2f73b073 100644
--- a/ext/mbstring/oniguruma/enc/utf16_be.c
+++ b/ext/mbstring/oniguruma/enc/utf16_be.c
@@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end)
}
static OnigCodePoint
-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16be_mbc_to_code(const UChar* p, const UChar* end)
{
OnigCodePoint code;
if (UTF16_IS_SURROGATE_FIRST(*p)) {
+ if (end - p < 4) return 0;
code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
+ ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
+ p[3];
}
else {
+ if (end - p < 2) return 0;
code = p[0] * 256 + p[1];
}
return code;
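Review bot: The new guard `if (end - p < 2) return 0;` in the else branch runs only after `*p` has already been dereferenced by `UTF16_IS_SURROGATE_FIRST(*p)`, so when `p == end` one byte is still read past the buffer before either check is reached; hoisting a single `if (end - p < 2) return 0;` to the top of utf16be_mbc_to_code, ahead of the `if`, guards both branches before any read. The same ordering problem is worse in the utf16_le.c hunk, where `UChar c0 = *p;` and `UChar c1 = *(p+1);` read two bytes unconditionally before the added `end - p < 4` check, so a single trailing byte still causes an over-read; the same hoisted `end - p < 2` check placed before those declarations would cover it (the rest of utf16le_mbc_to_code, including its else branch, lies outside the hunk). Returning 0 on truncation is indistinguishable from a genuine U+0000 code point for callers, which is presumably tolerable here but deserves a comment on each early return, e.g. `/* truncated sequence at end of buffer: return NUL rather than read past end */`.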
diff --git a/ext/mbstring/oniguruma/enc/utf16_le.c b/ext/mbstring/oniguruma/enc/utf16_le.c
index 5cc0759117..580f8dffa2 100644
--- a/ext/mbstring/oniguruma/enc/utf16_le.c
+++ b/ext/mbstring/oniguruma/enc/utf16_le.c
@@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end)
}
static OnigCodePoint
-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16le_mbc_to_code(const UChar* p, const UChar* end)
{
OnigCodePoint code;
UChar c0 = *p;
UChar c1 = *(p+1);
if (UTF16_IS_SURROGATE_FIRST(c1)) {
+ if (end - p < 4) return 0;
code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16)
+ ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
+ p[2];
diff --git a/ext/mbstring/oniguruma/enc/utf32_be.c b/ext/mbstring/oniguruma/enc/utf32_be.c
index b4f822607c..5295f26b1e 100644
--- a/ext/mbstring/oniguruma/enc/utf32_be.c
+++ b/ext/mbstring/oniguruma/enc/utf32_be.c
@@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
static OnigCodePoint
utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
{
+ if (end - p < 4) return 0;
return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
}
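Review bot: The signature on the context line `utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)` still marks `end` as unused although the added `if (end - p < 4) return 0;` now reads it; the utf16_be.c and utf16_le.c hunks in this same commit dropped the annotation, so for consistency change the line to `utf32be_mbc_to_code(const UChar* p, const UChar* end)`. The same stale `ARG_UNUSED` remains on `utf32le_mbc_to_code` in the utf32_le.c hunk. Depending on how ARG_UNUSED expands, a compiler may warn about a parameter annotated unused but referenced; that cannot be confirmed from the hunk.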
diff --git a/ext/mbstring/oniguruma/enc/utf32_le.c b/ext/mbstring/oniguruma/enc/utf32_le.c
index 8f413bfc74..a78c4d0abc 100644
--- a/ext/mbstring/oniguruma/enc/utf32_le.c
+++ b/ext/mbstring/oniguruma/enc/utf32_le.c
@@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end)
static OnigCodePoint
utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
{
+ if (end - p < 4) return 0;
return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
}
diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt
new file mode 100644
index 0000000000..b4acc45c21
--- /dev/null
+++ b/ext/mbstring/tests/bug77418.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #77371 (Heap overflow in utf32be_mbc_to_code)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+mb_regex_encoding("UTF-32");
+var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(30) "000000000000000000000000000000"
+}
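Review bot: The `--TEST--` title reads `Bug #77371 (Heap overflow in utf32be_mbc_to_code)` while the file is named bug77418.phpt and the NEWS entry attributes the utf32be_mbc_to_code overflow to #77418; the title should be `Bug #77418 (Heap overflow in utf32be_mbc_to_code)` so a failing run points at the right report. The diffstat shows no test for the utf16_be.c and utf16_le.c guards added in the same commit, so those paths remain uncovered; a sibling .phpt using `mb_regex_encoding("UTF-16")` with a similar split would exercise them.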