author | Stanislav Malyshev <stas@php.net> | 2020-01-20 22:22:02 -0800 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2020-01-21 09:15:37 +0100 |
commit | a8a6242db7c01bb2d87f29e9b8d5ff3f0f847645 (patch) | |
tree | d14c032f93f5ffe05780836b761e8c21e7f1ec33 | |
parent | 793d775b043a8e0bdb6f94c2bb42f49170d266cc (diff) | |
download | php-git-a8a6242db7c01bb2d87f29e9b8d5ff3f0f847645.tar.gz |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Update NEWS
Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
Fix #79099: OOB read in php_strip_tags_ex
Fix #79091: heap use-after-free in session_create_id()
(cherry picked from commit 25ec7eb3463f34a2be666c6785d1c6b3cc89575e)
-rw-r--r-- | NEWS | 8 | ||||
-rw-r--r-- | ext/mbstring/libmbfl/filters/mbfilter_big5.c | 4 | ||||
-rw-r--r-- | ext/mbstring/tests/bug79037.phpt | 10 | ||||
-rw-r--r-- | ext/session/session.c | 1 | ||||
-rw-r--r-- | ext/session/tests/bug79091.phpt | 67 | ||||
-rw-r--r-- | ext/standard/string.c | 6 | ||||
-rw-r--r-- | ext/standard/tests/file/bug79099.phpt | 32 |
7 files changed, 123 insertions, 5 deletions
@@ -32,6 +32,10 @@ PHP NEWS - Libxml: . Fixed bug #79029 (Use After Free's in XMLReader / XMLWriter). (Laruence) +- Mbstring: + . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). + (CVE-2020-7060) (Nikita) + - OPcache: . Fixed bug #79040 (Warning Opcode handlers are unusable due to ASLR). (cmb)
@@ -47,10 +51,14 @@ PHP NEWS . Fixed bug #78982 (pdo_pgsql returns dead persistent connection). (SATŌ Kentarō) +- Session: + . Fixed bug #79091 (heap use-after-free in session_create_id()). (cmb, Nikita) + - Shmop: . Fixed bug #78538 (shmop memory leak). (cmb) - Standard: + . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb) . Fixed bug #54298 (Using empty additional_headers adding extraneous CRLF). (cmb)
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
index c2cb9a1005..9d401c1b3a 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c
+++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
@@ -145,10 +145,10 @@ static unsigned short cp950_pua_tbl[][4] = {
 static inline int is_in_cp950_pua(int c1, int c)
 {
 if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) {
- return (c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff);
+ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe);
 }
 if (c1 == 0xc6) {
- return c > 0xa0 && c < 0xff;
+ return c >= 0xa1 && c <= 0xfe;
 }
 return 0;
 }
diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt
new file mode 100644
index 0000000000..94ff01a4a1
--- /dev/null
+++ b/ext/mbstring/tests/bug79037.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar`
+--FILE--
+<?php
+
+var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950"));
+
+?>
+--EXPECT--
+string(1) "?"
diff --git a/ext/session/session.c b/ext/session/session.c
index 1364d16c8a..d0779294ec 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
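Review bot: The only semantic change in is_in_cp950_pua is the lower bound of the first trail-byte range (0x3a became 0x40); the other three comparisons are merely rewritten into equivalent inclusive form, and nothing in the hunk says why 0x40 is the right floor. Presumably the caller subtracts a base such as 0x40 to index cp950_pua_tbl, so accepting 0x3a–0x3f indexed before the table — that call site is outside the hunk, so a comment at the return would help, e.g. `/* Big5/CP950 trail bytes are 0x40-0x7e and 0xa1-0xfe; anything else must be rejected here, before a table index is derived from c */`. Minor style: `c >=0x40` is missing the space the neighbouring comparisons have. Since this predicate is the only thing standing between the input byte and the table, a bounds check on the computed index at the lookup site itself would be cheap defence in depth.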
@@ -2287,6 +2287,7 @@ static PHP_FUNCTION(session_create_id)
 /* Detect collision and retry */
 if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) {
 zend_string_release_ex(new_id, 0);
+ new_id = NULL;
 continue;
 }
 break;
diff --git a/ext/session/tests/bug79091.phpt b/ext/session/tests/bug79091.phpt
new file mode 100644
index 0000000000..1d14427159
--- /dev/null
+++ b/ext/session/tests/bug79091.phpt
@@ -0,0 +1,67 @@
+--TEST--
+Bug #79091 (heap use-after-free in session_create_id())
+--SKIPIF--
+<?php
+if (!extension_loaded('session')) die('skip session extension not available');
+?>
+--FILE--
+<?php
+class MySessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
+{
+ public function close()
+ {
+ return true;
+ }
+
+ public function destroy($session_id)
+ {
+ return true;
+ }
+
+ public function gc($maxlifetime)
+ {
+ return true;
+ }
+
+ public function open($save_path, $session_name)
+ {
+ return true;
+ }
+
+ public function read($session_id)
+ {
+ return '';
+ }
+
+ public function write($session_id, $session_data)
+ {
+ return true;
+ }
+
+ public function create_sid()
+ {
+ return uniqid();
+ }
+
+ public function updateTimestamp($key, $val)
+ {
+ return true;
+ }
+
+ public function validateId($key)
+ {
+ return false;
+ }
+}
+
+ob_start();
+var_dump(session_set_save_handler(new MySessionHandler()));
+var_dump(session_start());
+ob_flush();
+session_create_id();
+?>
+--EXPECTF--
+bool(true)
+bool(true)
+
+Warning: session_create_id(): Failed to create new ID in %s on line %d
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 39063484df..0fe8796a03 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -5164,7 +5164,7 @@ state_1: } lc = '>'; - if (is_xml && *(p -1) == '-') { + if (is_xml && p >= buf + 1 && *(p -1) == '-') { break; } in_q = state = is_xml = 0;
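Review bot: `new_id = NULL;` after the release is the whole fix, and nothing explains it, so the next reader may drop it as redundant. Presumably code after the retry loop tests `new_id` to choose between returning the id and emitting the "Failed to create new ID" warning the new test expects, so the freed string left in `new_id` on the last failed retry appears to be what was used after free; that check and the loop are outside the hunk, and PHP_FUNCTION(session_create_id) starts and ends outside it. Suggest `/* released on collision: the post-loop check must see NULL, not a freed string */` above the assignment. Release-and-reset as two statements that must stay together is fragile; folding them into one spot (or resetting at the top of each retry) would make the invariant harder to break.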
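Review bot: `p >= buf + 1` appears three times (here and in the '!' and '?' cases of the next two hunks) with no comment saying why p can legitimately sit at the very start of buf; `p > buf` says the same thing more directly. The new test pairs every case with a second fgetss() call, which suggests the state machine is resumed with carried-over state on a fresh buffer, so the first byte has no predecessor — that is inferred, since the function's entry and the definition of `buf` are outside the hunk. A one-line comment at the first guard would stop a later maintainer from "simplifying" it away, e.g. `/* state may be carried over from a previous call, so p can be buf itself: never read p[-1] then */`. Any other `*(p-1)` read in the same state machine deserves the same check; the enclosing function is outside the hunk.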
@@ -5196,7 +5196,7 @@ state_1:
 goto reg_char_1;
 case '!':
 /* JavaScript & Other HTML scripting languages */
- if (*(p-1) == '<') {
+ if (p >= buf + 1 && *(p-1) == '<') {
 state = 3;
 lc = c;
 p++;
@@ -5206,7 +5206,7 @@ state_1:
 }
 break;
 case '?':
- if (*(p-1) == '<') {
+ if (p >= buf + 1 && *(p-1) == '<') {
 br=0;
 state = 2;
 p++;
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
new file mode 100644
index 0000000000..a1f2a3355f
--- /dev/null
+++ b/ext/standard/tests/file/bug79099.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79099 (OOB read in php_strip_tags_ex)
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<?\n\"\n");
+rewind($stream);
+var_dump(@fgetss($stream));
+var_dump(@fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n!\n");
+rewind($stream);
+var_dump(@fgetss($stream));
+var_dump(@fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n?\n");
+rewind($stream);
+var_dump(@fgetss($stream));
+var_dump(@fgetss($stream));
+fclose($stream);
+?>
+--EXPECT--
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) "" |