33 files changed, 320 insertions, 81 deletions
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index 6eccc89723..cda0dd943c 100644
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -557,6 +557,9 @@ ZEND_METHOD(exception, getTraceAsString)
 DEFAULT_0_PARAMS;
 trace = zend_read_property(base_exception_ce, getThis(), "trace", sizeof("trace")-1, 1, &rv);
+if(Z_TYPE_P(trace) != IS_ARRAY) {
+RETURN_FALSE;
+}
 ZEND_HASH_FOREACH_NUM_KEY_VAL(Z_ARRVAL_P(trace), index, frame) {
 if (Z_TYPE_P(frame) != IS_ARRAY) {
 zend_error(E_WARNING, "Expected array for frame %pu", index);
diff --git a/ext/curl/interface.c b/ext/curl/interface.c
index a51c03f47f..bf8d2f00eb 100644
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@@ -1345,6 +1345,7 @@ static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx)
 php_error_docref(NULL, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION");
 length = -1;
 } else if (!Z_ISUNDEF(retval)) {
+_php_curl_verify_handlers(ch, 1);
 if (Z_TYPE(retval) != IS_LONG) {
 convert_to_long_ex(&retval);
 }
@@ -1397,6 +1398,7 @@ static int curl_fnmatch(void *ctx, const char *pattern, const char *string)
 if (error == FAILURE) {
 php_error_docref(NULL, E_WARNING, "Cannot call the CURLOPT_FNMATCH_FUNCTION");
 } else if (!Z_ISUNDEF(retval)) {
+_php_curl_verify_handlers(ch, 1);
 if (Z_TYPE(retval) != IS_LONG) {
 convert_to_long_ex(&retval);
 }
@@ -1456,6 +1458,7 @@ static size_t curl_progress(void *clientp, double dltotal, double dlnow, double
 if (error == FAILURE) {
 php_error_docref(NULL, E_WARNING, "Cannot call the CURLOPT_PROGRESSFUNCTION");
 } else if (!Z_ISUNDEF(retval)) {
+_php_curl_verify_handlers(ch, 1);
 if (Z_TYPE(retval) != IS_LONG) {
 convert_to_long_ex(&retval);
 }
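Review bot: The new guard `if(Z_TYPE_P(trace) != IS_ARRAY)` returns false silently, while the existing check two lines below reports a malformed frame with `zend_error(E_WARNING, ...)`; a non-array trace is the same class of corruption (the bug69152 test in this commit produces one through unserialize()), so either the silence is deliberate and should be stated, or the warning should be added and the test expectation updated with it. At minimum a comment such as `/* "trace" can be overwritten by unserialize(); refuse anything but an array */` would record why the check exists, and `if (` with a space would match the surrounding style. getTraceAsString begins and ends outside the hunk.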
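Review bot: `_php_curl_verify_handlers(ch, 1)` is only reached inside the `else if (!Z_ISUNDEF(retval))` branch, so a callback that ran but left retval undefined (for example one that threw) can still have closed the CURLOPT_FILE/INFILE/WRITEHEADER stream without the handlers being re-verified before curl's next write. If that case is reachable, hoisting the call to immediately after the user callback returns, on every path where it was invoked, closes the gap; the same shape is repeated in curl_fnmatch, curl_progress, curl_read and curl_write_header. A short comment at the call site, e.g. `/* the callback may have fclose()d one of our stream handles; re-check before curl touches them again */`, would explain the otherwise unmotivated call. curl_write begins and ends outside the hunk.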
@@ -1524,6 +1527,7 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx)
 length = CURL_READFUNC_ABORT;
 #endif
 } else if (!Z_ISUNDEF(retval)) {
+_php_curl_verify_handlers(ch, 1);
 if (Z_TYPE(retval) == IS_STRING) {
 length = MIN((int) (size * nmemb), Z_STRLEN(retval));
 memcpy(data, Z_STRVAL(retval), length);
@@ -1589,6 +1593,7 @@ static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx
 php_error_docref(NULL, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION");
 length = -1;
 } else if (!Z_ISUNDEF(retval)) {
+_php_curl_verify_handlers(ch, 1);
 if (Z_TYPE(retval) != IS_LONG) {
 convert_to_long_ex(&retval);
 }
diff --git a/ext/curl/tests/bug69316.phpt b/ext/curl/tests/bug69316.phpt
new file mode 100644
index 0000000000..16a655eef8
--- /dev/null
+++ b/ext/curl/tests/bug69316.phpt
@@ -0,0 +1,45 @@ +--TEST-- +Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER +--SKIPIF-- +<?php include 'skipif.inc'; ?> +--FILE-- +<?php + function hdr_callback($ch, $data) { + // close the stream, causing the FILE structure to be free()'d + if($GLOBALS['f_file']) { + fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0; + + // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc + $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238); + curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1)); + } + return strlen($data); + } + + include 'server.inc'; + $host = curl_cli_server_start(); + $temp_file = dirname(__FILE__) . '/body.tmp'; + $url = "{$host}/get.php?test=getpost"; + $ch = curl_init(); + $f_file = fopen($temp_file, "w") or die("failed to open file\n"); + curl_setopt($ch, CURLOPT_BUFFERSIZE, 10); + curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback"); + curl_setopt($ch, CURLOPT_FILE, $f_file); + curl_setopt($ch, CURLOPT_URL, $url); + curl_exec($ch); + curl_close($ch); +?> +===DONE=== +--CLEAN-- +<?php +unlink(dirname(__FILE__) . '/body.tmp'); +?> +--EXPECTF-- +Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d +array(1) { + ["test"]=> + string(7) "getpost" +} +array(0) { +} +===DONE=== diff --git a/ext/dom/document.c b/ext/dom/document.c index 92d5fb5d33..d435b1c281 100644 --- a/ext/dom/document.c +++ b/ext/dom/document.c @@ -1379,7 +1379,11 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so xmlInitParser(); if (mode == DOM_LOAD_FILE) { - char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN ); + char *file_dest; + if (CHECK_NULL_PATH(source, source_len)) { + return NULL; + } + file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN); if (file_dest) { ctxt = xmlCreateFileParserCtxt(file_dest); } 
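Review bot: The new `CHECK_NULL_PATH` bail-out in dom_document_parser returns NULL with no diagnostic, whereas the fileinfo and hash hunks in this same commit emit an `"Invalid path"` warning via php_error_docref before failing; a caller passing a path with an embedded NUL presumably gets a bare false from load() with nothing in the log to explain it. Consider `php_error_docref(NULL, E_WARNING, "Invalid path");` before the `return NULL;` for consistency, or a one-line comment stating why silence is intended here. dom_document_parser begins and ends outside the hunk.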
@@ -1979,7 +1983,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ id = getThis(); - if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &source, &source_len, &options) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &source, &source_len, &options) == FAILURE) { return; } diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt index e59ff56c5a..75004e2a74 100644 --- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt +++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt @@ -13,6 +13,11 @@ assert.bail=true $doc = new DOMDocument(); $result = $doc->loadHTMLFile(""); assert('$result === false'); +$doc = new DOMDocument(); +$result = $doc->loadHTMLFile("text.html\0something"); +assert('$result === null'); ?> --EXPECTF-- %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s + +%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c index c4745f92fe..40df99df47 100644 --- a/ext/fileinfo/fileinfo.c +++ b/ext/fileinfo/fileinfo.c @@ -531,6 +531,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime RETVAL_FALSE; goto clean; } + if (CHECK_NULL_PATH(buffer, buffer_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETVAL_FALSE; + goto clean; + } wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0); diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index 24fa0ec436..e08d167f9e 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c 
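Review bot: The new warning in _php_finfo_get_type passes `TSRMLS_CC`, which the curl hunks in this same commit no longer use (`php_error_docref(NULL, E_WARNING, ...)`); the macro presumably expands to nothing in this tree so it compiles, but it is legacy syntax in new code and should read `php_error_docref(NULL, E_WARNING, "Invalid path");`. A comment on the check, e.g. `/* an embedded NUL would silently truncate the path at the libc boundary */`, would say why it is needed before the wrapper lookup. _php_finfo_get_type begins and ends outside the hunk.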
@@ -1101,7 +1101,14 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 if (bytecnt > nbytes) {
 bytecnt = nbytes;
 }
-
+if (offset > bytecnt) {
+offset = bytecnt;
+}
+if (s == NULL) {
+ms->search.s_len = 0;
+ms->search.s = NULL;
+return 0;
+}
 buf = RCAST(const char *, s) + offset;
 end = last = RCAST(const char *, s) + bytecnt;
 /* mget() guarantees buf <= last */
diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt
new file mode 100644
index 0000000000..ce39ee61db
--- /dev/null
+++ b/ext/fileinfo/tests/bug68819_001.phpt
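Review bot: The new `s == NULL` guard reports success (`return 0`) with an emptied search state rather than an error, and nothing says this is deliberate; a comment like `/* no buffer to search: treat as an empty match region, not a failure */` would keep the next maintainer from "fixing" it. It would also read better placed before the `offset > bytecnt` clamp, since clamping is meaningless when there is no buffer, and the clamp itself deserves a note that it is what keeps `buf` at or below `last` for the `/* mget() guarantees buf <= last */` assumption on the following lines. mcopy begins and ends outside the hunk.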
@@ -0,0 +1,18 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1 +--SKIPIF-- +<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?> +--FILE-- +<?php + +$string = <<<HERE +----a-----'''---------a---------------a--------a-----a-----a---------a-----as-------a----a--a-------------a--as-----s---------------a---------a---a--s-a-----a-----------asy---------a-----a-----------a----s--------a-------------a-------a--------a----s------------a-----a----------------a----s-----------------\r\n-------------------a-------a-a-------a-----a----a----s----s--------a-----------------------a----a----s-------------a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a----s----s--------a----------a----------------------a----a----s-------------a----------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n------a-------a-a-------a-----a----a---a-----a-----------------------a----a---a-----a------------------s-------a----a---a-----a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s------\r\n-------------------a-------a-a-------a-----a----a---a-------a------------------------a----a---a-----''--a-------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a-------s-----a---a-----------------
--------a----a-------------a---a-------------------s-------a----a-------------a---a-----as-a--------------a-----a--s----s---------y------------a-----a-s---a-------''----a---s--a-''------''----s------------a-y----------------s------a-----y--a-s--a-s------s--a-s----------''----------------------------a---s--a----a---------a-s---a-s--------s--------a---------s--a-y-------------as----a----a-------------a------a---s--a-s------a--------a----s----y--as--a----a-s---------------a-----a--------------------------------------\r\n-------------------a-------a-a-------a-----a----a-----------s--------a-----------------------a----a--------------------a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a-----------s--------a----------a----------------------a----a--------------------a------------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a---a-----------------------a----a---a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a---a----------a----------------------a----a---a------------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-----a-a-----------a-------a-a-------a-----a----a----a---s-----a---------
--------------a----a----a---------a-----------------s-------a----a----a---------a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a--------a----a-----------------------a----a----------a----a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-----a-------------a-------a-a-------a-----a----a--------s-----a---a-------------------------a----a--------------a---a-------------------s-------------a---------------a----a---a---a-----as-a--------------a-----a--s----s---------y------------a-----a-s---a-------''----a---s--a-''------''----s------------a-y----------------s------a-----y--a-s--a-s------s--a-s----------''----------------------------a---s--a----a---------a-s---a-s--------s--------a---------s--a-y-------------as----a----a-------------a------a---s--a-s------a--------a----s----y--as--a----a-s---------------a-----a--------------------------------------\r\n-------------------a-------a-a-------a-----a----a----------------a-----------------------a----a----------------a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a----------------a----------a----------------------a----a----------------a-----------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n---a---------------a-------a-a---
----a-----as------------------------a--a--s------------------a-s------------------------a-----s--a-----'''----------a-s---------------------------------------------a-----s--a-----------------a---------a---a--s-a-----a-----------asy---------a-----a-----------a----s----------------------a----s--a-------------a-------a--------a----s------------a-----a----------------a----s------------------\r\n-a-----------------a-------a-a-------a--y---------a------------------y---------a-----'''-------y------a-y--a-------------------------a---------a---a----------as-a---a--s-a-----a-----------asy---------a-----a-----------a----s--------a-------------a-------a--------a----s---------a-----a----------------a----s------------------\r\n-a-----------------a-------a-a-------a--y-------------a------------------y-------------a-----'''-------y----------a-y--a-------------------------a---------a---a----------as-a---a--s-a-----a-----------asy---------a-----a-----------a----s--------a-------------a-------a--------a----s---------a-----a----------------a----s------------------\r\n-------------------a-------a-a-------a--a----a-----a------------------a----a-----a-----'''----------a----s----a----a-------s---a------------------a-----------a--s-a-----a---------------------a------a----s-a-----a-------s-s-------a----s--------a-------------a-------a--------a----s---------a-----a----------------a----s------------------\r\n------aa-----------a-------a-a------------s-a--s---------a---a------------------------a------------a---a------------------s--------a------------a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a------------------------s-----s--a----a-----------------------------------------s--a----a------------------s---------------------------------s--a----a------as---s-a--------------s-----a------a-y--a-------a-----a--a--
------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a--------------s-a---a--------------------------a---a------------------s----------a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s---------------a-----a----------a----------s--a----------s-----------------\r\nsay-------a------------s-----''------a----s--------a-------------a-\r\n +HERE; + +$finfo = new finfo(); +$type = $finfo->buffer($string); + +var_dump($type); +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt new file mode 100644 index 0000000000..cec238d63e --- /dev/null +++ b/ext/fileinfo/tests/bug68819_002.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2 +--SKIPIF-- +<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?> +--FILE-- +<?php + +$string = ''; + +// These two in any order +$string .= "\r\n"; +$string .= "''''"; + +// Total string length > 8192 +$string .= str_repeat(chr(rand(32, 127)), 8184); + +// Ending in this string +$string .= "say"; + +$finfo = new finfo(); +$type = $finfo->buffer($string); +var_dump($type); + +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" diff --git a/ext/fileinfo/tests/finfo_file_basic.phpt b/ext/fileinfo/tests/finfo_file_basic.phpt index 20223fd88e..ee70e2e253 100644 --- a/ext/fileinfo/tests/finfo_file_basic.phpt +++ b/ext/fileinfo/tests/finfo_file_basic.phpt 
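Review bot: The filler in bug68819_002.phpt is `str_repeat(chr(rand(32, 127)), 8184)`, so the test input is non-deterministic, and the upper bound 127 is DEL, which libmagic's text classifier may not count as a printable ASCII byte; if it does not, a run that draws 127 will report something other than the expected `"ASCII text, with very long lines, with CRLF line terminators"`. Using a fixed byte such as `str_repeat('a', 8184)`, or at least `rand(32, 126)`, keeps the regression test reproducible. The rest of the file is test scaffolding and needs no change.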
@@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n"; var_dump( finfo_file( $finfo, __FILE__) ); var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); var_dump( finfo_file( $finfo, $magicFile ) ); +var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); ?> ===DONE=== @@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) ); string(28) "text/x-php; charset=us-ascii" string(22) "PHP script, ASCII text" string(25) "text/plain; charset=utf-8" + +Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d +bool(false) ===DONE=== diff --git a/ext/gd/gd.c b/ext/gd/gd.c index fec29d7519..9105fe6609 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c @@ -2405,7 +2405,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, #endif if (image_type == PHP_GDIMG_TYPE_GD2PART) { - if (zend_parse_parameters(ZEND_NUM_ARGS(), "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { return; } if (width < 1 || height < 1) { @@ -2413,7 +2413,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, RETURN_FALSE; } } else { - if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &file, &file_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &file, &file_len) == FAILURE) { return; } } @@ -4155,7 +4155,7 @@ PHP_FUNCTION(imagepsencodefont) size_t enc_len; int *f_ind; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "rs", &fnt, &enc, &enc_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "rp", &fnt, &enc, &enc_len) == FAILURE) { return; } diff --git a/ext/gd/tests/imageloadfont_error1.phpt b/ext/gd/tests/imageloadfont_error1.phpt index 0e1386fcaf..418bbf3ced 100644 --- a/ext/gd/tests/imageloadfont_error1.phpt +++ b/ext/gd/tests/imageloadfont_error1.phpt 
@@ -3,7 +3,7 @@ Testing that imageloadfont() breaks on non-string first parameter --CREDITS-- Neveo Harrison <neveoo [at] gmail [dot] com> #testfest #tek11 --SKIPIF-- -<?php +<?php if (!extension_loaded("gd")) die("skip GD not present"); ?> --FILE-- diff --git a/ext/hash/hash.c b/ext/hash/hash.c index 3a15fc6fcc..0510d3749c 100644 --- a/ext/hash/hash.c +++ b/ext/hash/hash.c @@ -137,6 +137,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_ } if (isfilename) { if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); RETURN_FALSE; } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); @@ -254,6 +255,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename, RETURN_FALSE; } if (isfilename) { + if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETURN_FALSE; + } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); if (!stream) { /* Stream will report errors opening file */ @@ -464,7 +469,7 @@ PHP_FUNCTION(hash_update_file) char *filename, buf[1024]; size_t filename_len, n; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { return; } diff --git a/ext/hash/tests/hash_hmac_file_error.phpt b/ext/hash/tests/hash_hmac_file_error.phpt index 42ab122285..26ba8aacbe 100644 --- a/ext/hash/tests/hash_hmac_file_error.phpt +++ b/ext/hash/tests/hash_hmac_file_error.phpt 
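Review bot: Both new `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path")` calls carry `TSRMLS_CC`, which the curl hunks elsewhere in this commit no longer pass; drop it so the added lines follow the same calling convention. The manual `CHECK_NULL_PATH` in php_hash_do_hash and php_hash_do_hash_hmac also yields a different message (`Invalid path`) from the `"rp"` format now used by hash_update_file in the third hunk (`expects parameter N to be a valid path`); presumably the shared `isfilename` flag is why `"p"` cannot be used in the first two, and a one-line comment saying so would stop someone from later "unifying" them. Both helpers begin and end outside the hunks.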
@@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg); echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n"; hash_hmac_file('foo', $file, $key, TRUE); +echo "\n-- Testing hash_hmac_file() function with bad path --\n"; +hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); + ?> ===Done=== --EXPECTF-- @@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d -- Testing hash_hmac_file() function with invalid hash algorithm -- Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d + +-- Testing hash_hmac_file() function with bad path -- + +Warning: hash_hmac_file(): Invalid path in %s on line %d ===Done===
\ No newline at end of file diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index 536c94157a..6a86b8941b 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c @@ -3126,7 +3126,7 @@ PHP_FUNCTION(pg_trace) php_stream *stream; zend_resource *link; - if (zend_parse_parameters(argc, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { + if (zend_parse_parameters(argc, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { return; } diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 8c2b596c3d..c4b6150026 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c 
@@ -604,48 +604,37 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
 *
 * data is the serialized zval
 */
-int phar_parse_metadata(char **buffer, zval *metadata, int zip_metadata_len) /* {{{ */
+int phar_parse_metadata(char **buffer, zval *metadata, php_uint32 zip_metadata_len) /* {{{ */
 {
-const unsigned char *p;
-php_uint32 buf_len;
 php_unserialize_data_t var_hash;
-if (!zip_metadata_len) {
-PHAR_GET_32(*buffer, buf_len);
-} else {
-buf_len = zip_metadata_len;
-}
-
-if (buf_len) {
+if (zip_metadata_len) {
+const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len);
+p = p_buff;
 ZVAL_NULL(metadata);
-p = (const unsigned char*) *buffer;
 PHP_VAR_UNSERIALIZE_INIT(var_hash);
-if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash)) {
+if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash)) {
+efree(p_buff);
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 zval_ptr_dtor(metadata);
 ZVAL_UNDEF(metadata);
 return FAILURE;
 }
-
+efree(p_buff);
 PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 if (PHAR_G(persist)) {
 /* lazy init metadata */
 zval_ptr_dtor(metadata);
-Z_PTR_P(metadata) = pemalloc(buf_len, 1);
-memcpy(Z_PTR_P(metadata), *buffer, buf_len);
-*buffer += buf_len;
+Z_PTR_P(metadata) = pemalloc(zip_metadata_len, 1);
+memcpy(Z_PTR_P(metadata), *buffer, zip_metadata_len);
 return SUCCESS;
 }
 } else {
 ZVAL_UNDEF(metadata);
 }
-if (!zip_metadata_len) {
-*buffer += buf_len;
-}
-
 return SUCCESS;
 }
 /* }}}*/
@@ -666,6 +655,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 phar_entry_info entry;
 php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
 php_uint16 manifest_ver;
+php_uint32 len;
 zend_long offset;
 int sig_len, register_alias = 0, temp_alias = 0;
 char *signature = NULL;
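Review bot: The rewrite changes phar_parse_metadata's contract — it no longer reads the length word itself and no longer advances `*buffer` (the `*buffer += buf_len` lines are removed) — but the header comment above it still says only `data is the serialized zval`, so nothing tells a caller that it must now bound-check the length and advance the pointer. Add to that comment something like `zip_metadata_len must already be checked against the end of the buffer by the caller; *buffer is not advanced.` The `estrndup` copy also deserves a why-comment, since unserializing from a private NUL-terminated, exactly-sized copy instead of `*buffer` is the point of the change but reads like a stray allocation. Declaring `p_buff` as `const unsigned char *` while `estrndup` returns `char *` and `efree` takes `void *` will likely draw pointer-type and qualifier warnings; `char *p_buff = estrndup(...)` with `p = (const unsigned char *) p_buff;` avoids them. The function is fully inside the hunk.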
@@ -1031,16 +1021,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 mydata->is_persistent = PHAR_G(persist);
 /* check whether we have meta data, zero check works regardless of byte order */
+PHAR_GET_32(buffer, len);
 if (mydata->is_persistent) {
-PHAR_GET_32(buffer, mydata->metadata_len);
-if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len) == FAILURE) {
-MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
-}
-} else {
-if (phar_parse_metadata(&buffer, &mydata->metadata, 0) == FAILURE) {
-MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+mydata->metadata_len = len;
+if(!len) {
+/* FIXME: not sure why this is needed but removing it breaks tests */
+PHAR_GET_32(buffer, len);
 }
 }
+if(len > endbuffer - buffer) {
+MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
+}
+if (phar_parse_metadata(&buffer, &mydata->metadata, len) == FAILURE) {
+MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+}
+buffer += len;
 /* set up our manifest */
 zend_hash_init(&mydata->manifest, manifest_count,
@@ -1075,7 +1070,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 entry.manifest_pos = manifest_index;
 }
-if (buffer + entry.filename_len + 20 > endbuffer) {
+if (entry.filename_len + 20 > endbuffer - buffer) {
 MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
 }
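Review bot: The `if(!len) { /* FIXME ... */ PHAR_GET_32(buffer, len); }` branch reads a second 32-bit length for persistent archives, and neither it nor the first `PHAR_GET_32(buffer, len)` is preceded by a check that four bytes remain before `endbuffer`; the new `if(len > endbuffer - buffer)` only covers the metadata payload that follows. Unless PHAR_GET_32 (defined outside this hunk) bounds-checks internally, an archive truncated right at the length word still over-reads by up to eight bytes, so a `if (endbuffer - buffer < 4) MAPPHAR_FAIL(...)` before each read would be prudent. The FIXME can also be replaced with what the removed code visibly did: `phar_parse_metadata(..., 0)` re-read the length itself, so a persistent archive whose first length was 0 consumed two length words — e.g. `/* persistent archives historically carried a second length word when the first was 0; keep reading it for compatibility */`. phar_parse_pharfile begins and ends outside the hunk.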
@@ -1111,19 +1106,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 entry.flags |= PHAR_ENT_PERM_DEF_DIR;
 }
+PHAR_GET_32(buffer, len);
 if (entry.is_persistent) {
-PHAR_GET_32(buffer, entry.metadata_len);
-if (!entry.metadata_len) buffer -= 4;
-if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len) == FAILURE) {
-pefree(entry.filename, entry.is_persistent);
-MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
-}
+entry.metadata_len = len;
 } else {
-if (phar_parse_metadata(&buffer, &entry.metadata, 0) == FAILURE) {
-pefree(entry.filename, entry.is_persistent);
-MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
-}
+entry.metadata_len = 0;
+}
+if (len > endbuffer - buffer) {
+MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+}
+if (phar_parse_metadata(&buffer, &entry.metadata, len) == FAILURE) {
+pefree(entry.filename, entry.is_persistent);
+MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
 }
+buffer += len;
 entry.offset = entry.offset_abs = offset;
 offset += entry.compressed_filesize;
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
index a2afd4d53b..ef752817aa 100644
--- a/ext/phar/phar_internal.h
+++ b/ext/phar/phar_internal.h
@@ -529,10 +529,13 @@ static inline void phar_set_inode(phar_entry_info *entry) /* {{{ */
 {
 char tmp[MAXPATHLEN];
 int tmp_len;
+size_t len;
-tmp_len = entry->filename_len + entry->phar->fname_len;
-memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
-memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
+tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
+len = MIN(entry->phar->fname_len, tmp_len);
+memcpy(tmp, entry->phar->fname, len);
+len = MIN(tmp_len - len, entry->filename_len);
+memcpy(tmp + entry->phar->fname_len, entry->filename, len);
 entry->inode = (unsigned short)zend_hash_func(tmp, tmp_len);
 }
 /* }}} */
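Review bot: The new truncation check `if (len > endbuffer - buffer) { MAPPHAR_FAIL(...) }` fails out without freeing `entry.filename`, whereas the `phar_parse_metadata` failure directly below it does `pefree(entry.filename, entry.is_persistent)` first; unless MAPPHAR_FAIL (defined outside the hunk) releases it, a corrupt manifest leaks the filename on this path. Add `pefree(entry.filename, entry.is_persistent);` before that MAPPHAR_FAIL so it matches the sibling branch. As a style point, this hunk uses `if (len > ...)` while the previous one uses `if(!len)` and `if(len > ...)`; the spaced form is what the surrounding file uses. phar_parse_pharfile begins and ends outside the hunk.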
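Review bot: In phar_set_inode the second memcpy still writes at `tmp + entry->phar->fname_len` even though only `len = MIN(entry->phar->fname_len, tmp_len)` bytes of the archive name were copied; when fname_len exceeds MAXPATHLEN the clamped second length is 0 so nothing is written, but the destination pointer is then formed beyond the end of `tmp`, and reusing `len` for two different counts makes the bound hard to verify by eye. Keeping the first clamped count in its own variable and using it as the offset makes the invariant (total bytes written ≤ tmp_len ≤ MAXPATHLEN) obvious; `tmp_len` being an `int` compared against `size_t` operands in MIN would also be cleaner as `size_t`. The function is fully inside the hunk.
```c
size_t name_len = MIN(entry->phar->fname_len, (size_t) tmp_len);
memcpy(tmp, entry->phar->fname, name_len);
len = MIN(tmp_len - name_len, entry->filename_len);
memcpy(tmp + name_len, entry->filename, len);
/* … unchanged: entry->inode = (unsigned short)zend_hash_func(tmp, tmp_len); … */
```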
@@ -565,7 +568,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len, zend_string *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar); char *phar_fix_filepath(char *path, int *new_len, int use_cwd); phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error); -int phar_parse_metadata(char **buffer, zval *metadata, int zip_metadata_len); +int phar_parse_metadata(char **buffer, zval *metadata, php_uint32 zip_metadata_len); void destroy_phar_manifest_entry(zval *zv); int phar_seek_efp(phar_entry_info *entry, zend_off_t offset, int whence, zend_off_t position, int follow_links); php_stream *phar_get_efp(phar_entry_info *entry, int follow_links); diff --git a/ext/phar/tests/bug69324.phar b/ext/phar/tests/bug69324.phar Binary files differnew file mode 100644 index 0000000000..0882d88c22 --- /dev/null +++ b/ext/phar/tests/bug69324.phar diff --git a/ext/phar/tests/bug69324.phpt b/ext/phar/tests/bug69324.phpt new file mode 100644 index 0000000000..70e3f972e7 --- /dev/null +++ b/ext/phar/tests/bug69324.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #69324: Buffer Over-read in unserialize when parsing Phar +--SKIPIF-- +<?php +if (!extension_loaded("phar")) die("skip"); +?> +--FILE-- +<?php +try { +$p = new Phar(dirname(__FILE__).'/bug69324.phar', 0); +$meta=$p->getMetadata(); +var_dump($meta); +} catch(Exception $e) { + echo $e->getMessage(); +} +--EXPECTF-- +internal corruption of phar "%s" (truncated manifest entry)
\ No newline at end of file diff --git a/ext/phar/tests/bug69441.phar b/ext/phar/tests/bug69441.phar Binary files differnew file mode 100644 index 0000000000..80956dce7c --- /dev/null +++ b/ext/phar/tests/bug69441.phar diff --git a/ext/phar/tests/bug69441.phpt b/ext/phar/tests/bug69441.phpt new file mode 100644 index 0000000000..ed461cf1f9 --- /dev/null +++ b/ext/phar/tests/bug69441.phpt @@ -0,0 +1,21 @@ +--TEST-- +Phar: bug #69441: Buffer Overflow when parsing tar/zip/phar in phar_set_inode +--SKIPIF-- +<?php if (!extension_loaded("phar")) die("skip"); ?> +--FILE-- +<?php +$fname = dirname(__FILE__) . '/bug69441.phar'; +try { +$r = new Phar($fname, 0); +} catch(UnexpectedValueException $e) { + echo $e; +} +?> + +==DONE== +--EXPECTF-- +exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d +Stack trace: +#0 %s/bug69441.php(%d): Phar->__construct('%s', 0) +#1 {main} +==DONE==
\ No newline at end of file
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index 457e806440..d5724fed30 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -670,6 +670,7 @@ finish:
 }
 response_header = zend_hash_str_find_ind(symbol_table, "http_response_header", sizeof("http_response_header")-1);
+Z_ADDREF_P(response_header);
 if (!php_stream_eof(stream)) {
 size_t tmp_line_len;
@@ -905,6 +906,10 @@ out:
 if (stream) {
 if (header_init) {
 ZVAL_COPY(&stream->wrapperdata, response_header);
+} else {
+if(response_header) {
+Z_DELREF_P(response_header);
+}
 }
 php_stream_notify_progress_init(context, 0, file_size);
@@ -925,8 +930,13 @@ out:
 if (transfer_encoding) {
 php_stream_filter_append(&stream->readfilters, transfer_encoding);
 }
-} else if (transfer_encoding) {
-php_stream_filter_free(transfer_encoding);
+} else {
+if(response_header) {
+Z_DELREF_P(response_header);
+}
+if (transfer_encoding) {
+php_stream_filter_free(transfer_encoding);
+}
 }
 return stream;
diff --git a/ext/standard/link.c b/ext/standard/link.c
index b7fe1ae495..7001dd8807 100644
--- a/ext/standard/link.c
+++ b/ext/standard/link.c
@@ -59,7 +59,7 @@ PHP_FUNCTION(readlink)
 char buff[MAXPATHLEN];
 int ret;
-if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &link, &link_len) == FAILURE) {
+if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &link, &link_len) == FAILURE) {
 return;
 }
diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c
index a86aae25f0..fa9758b06c 100644
--- a/ext/standard/streamsfuncs.c
+++ b/ext/standard/streamsfuncs.c
@@ -1493,7 +1493,7 @@ PHP_FUNCTION(stream_resolve_include_path)
 size_t filename_len;
 zend_string *resolved_path;
-if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &filename, &filename_len) == FAILURE) {
+if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &filename, &filename_len) == FAILURE) {
 return;
 }
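Review bot: `Z_ADDREF_P(response_header)` is applied unconditionally right after the `zend_hash_str_find_ind` lookup, yet both new release sites guard with `if(response_header)`, so the hunks disagree on whether the lookup can return NULL — if it can, the addref dereferences NULL before any guard runs. Z_ADDREF_P/Z_DELREF_P also presume a refcounted value; the bug69337 test added in this commit shows a notification callback replacing `$http_response_header` with a string, so a non-refcounted or interned value reaching this point looks plausible, and `Z_TRY_ADDREF_P` / `Z_TRY_DELREF_P` (if this tree provides them, else a `Z_REFCOUNTED_P` check) is the safer pairing. Suggested: `if (response_header) { Z_TRY_ADDREF_P(response_header); }` with both DELREFs changed to `Z_TRY_DELREF_P`. The enclosing function begins and ends outside the hunks.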
diff --git a/ext/standard/tests/file/readlink_variation1.phpt b/ext/standard/tests/file/readlink_variation1.phpt index 1dae17cbd4..d4f1a5ff02 100644 --- a/ext/standard/tests/file/readlink_variation1.phpt +++ b/ext/standard/tests/file/readlink_variation1.phpt @@ -65,7 +65,7 @@ bool(false) Warning: readlink(): %s in %s on line %d bool(false) -Warning: readlink() expects parameter 1 to be string, resource given in %s on line %d +Warning: readlink() expects parameter 1 to be a valid path, resource given in %s on line %d NULL Warning: readlink(): %s in %s on line %d diff --git a/ext/standard/tests/http/bug69337.phpt b/ext/standard/tests/http/bug69337.phpt new file mode 100644 index 0000000000..1451d4bf01 --- /dev/null +++ b/ext/standard/tests/http/bug69337.phpt 
@@ -0,0 +1,41 @@ +--TEST-- +Bug #69337 (Stream context leaks when http request fails) +--SKIPIF-- +<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:22345'); ?> +--INI-- +allow_url_fopen=1 +allow_url_include=1 +--FILE-- +<?php +require 'server.inc'; + +function stream_notification_callback($notification_code, $severity, $message, $message_code, $bytes_transferred, $bytes_max) +{ + if($notification_code == STREAM_NOTIFY_REDIRECTED) { + // $http_response_header is now a string, but will be used as an array + // by php_stream_url_wrap_http_ex() later on + $GLOBALS['http_response_header'] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\0\0\0\0"; + } +} + +$ctx = stream_context_create(); +stream_context_set_params($ctx, array("notification" => "stream_notification_callback")); + +$responses = array( + "data://text/plain,HTTP/1.0 302 Found\r\nLocation: http://127.0.0.1:22345/try-again\r\n\r\n", + "data://text/plain,HTTP/1.0 404 Not Found\r\n\r\n", +); + +$pid = http_server("tcp://127.0.0.1:22345", $responses, $output); + +$f = file_get_contents('http://127.0.0.1:22345/', 0, $ctx); + +http_server_kill($pid); +var_dump($f); +?> +==DONE== +--EXPECTF-- +string(26) "HTTP/1.0 404 Not Found + +" +==DONE==
\ No newline at end of file
diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt
new file mode 100644
index 0000000000..4e741685cc
--- /dev/null
+++ b/ext/standard/tests/serialize/bug69152.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
+--FILE--
+<?php
+$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+echo $x;
+$x = unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+$x->test();
+
+?>
+--EXPECTF--
+exception 'Exception' in %s:%d
+Stack trace:
+#0 {main}
+
+Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d
diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c
index 3cab7a1458..a7da0e7902 100644
--- a/ext/xmlwriter/php_xmlwriter.c
+++ b/ext/xmlwriter/php_xmlwriter.c
@@ -1672,7 +1672,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity)
 /* }}} */
 #endif
-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source)
+/* {{{ proto resource xmlwriter_open_uri(string source)
 Create new xmlwriter using source uri for output */
 static PHP_FUNCTION(xmlwriter_open_uri)
 {
@@ -1685,7 +1685,7 @@ static PHP_FUNCTION(xmlwriter_open_uri)
 zval *self = getThis();
 ze_xmlwriter_object *ze_obj = NULL;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &source, &source_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &source, &source_len) == FAILURE) {
 return;
 }
diff --git a/ext/zlib/tests/gzopen_variation1.phpt b/ext/zlib/tests/gzopen_variation1.phpt
index c5a47f4d08..bca48f39c9 100644
--- a/ext/zlib/tests/gzopen_variation1.phpt
+++ b/ext/zlib/tests/gzopen_variation1.phpt
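Review bot: The notification callback in bug69337.phpt only exercises reassigning `$http_response_header` to a string; since the wrapper now takes and drops references on whatever that variable holds, a second variant setting it to a non-refcounted value, e.g. `$GLOBALS['http_response_header'] = null;`, would cover the other case and is cheap to add here. The expectation also checks only the returned body, so a trailing `var_dump($http_response_header);` would confirm the variable's final type and contents after the 404 response.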
@@ -1,17 +1,17 @@ --TEST-- -Test gzopen() function : usage variation +Test gzopen() function : usage variation --SKIPIF-- -<?php +<?php if (!extension_loaded("zlib")) { - print "skip - zlib extension not loaded"; -} + print "skip - zlib extension not loaded"; +} ?> --FILE-- <?php /* Prototype : resource gzopen(string filename, string mode [, int use_include_path]) - * Description: Open a .gz-file and return a .gz-file pointer + * Description: Open a .gz-file and return a .gz-file pointer * Source code: ext/zlib/zlib.c - * Alias to functions: + * Alias to functions: */ echo "*** Testing gzopen() : usage variation ***\n"; @@ -102,9 +102,9 @@ $inputs = array( // unset data 'unset var' => @$unset_var, - + // resource variable - 'resource' => $fp + 'resource' => $fp ); // loop through each element of the array for filename @@ -158,19 +158,19 @@ Error: 2 - gzopen(0.5): failed to open stream: No such file or directory, %s(%d) bool(false) --empty array-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --int indexed array-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --associative array-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --nested arrays-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --uppercase NULL-- 
@@ -210,7 +210,7 @@ Error: 2 - gzopen(Class A object): failed to open stream: No such file or direct bool(false) --instance of classWithoutToString-- -Error: 2 - gzopen() expects parameter 1 to be string, object given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, object given, %s(%d) NULL --undefined var-- @@ -222,7 +222,7 @@ Error: 2 - gzopen(): Filename cannot be empty, %s(%d) bool(false) --resource-- -Error: 2 - gzopen() expects parameter 1 to be string, resource given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, resource given, %s(%d) NULL ===DONE=== diff --git a/ext/zlib/tests/readgzfile_variation1.phpt b/ext/zlib/tests/readgzfile_variation1.phpt index 5a5ec4f6e7..5d9b639d29 100644 --- a/ext/zlib/tests/readgzfile_variation1.phpt +++ b/ext/zlib/tests/readgzfile_variation1.phpt @@ -29,15 +29,15 @@ foreach ( $variation as $var ) { ===DONE=== --EXPECTF-- -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -===DONE===
\ No newline at end of file
+===DONE===
diff --git a/ext/zlib/tests/readgzfile_variation6.phpt b/ext/zlib/tests/readgzfile_variation6.phpt
index 702f91850e..9fcea02939 100644
--- a/ext/zlib/tests/readgzfile_variation6.phpt
+++ b/ext/zlib/tests/readgzfile_variation6.phpt
@@ -45,5 +45,5 @@ foreach ( $variation as $var ) {
 --EXPECTF--
 Error: 2 - readgzfile(Class A object): failed to open stream: No such file or directory, %s(%d)
 bool(false)
-Error: 2 - readgzfile() expects parameter 1 to be string, object given, %s(%d)
-NULL
\ No newline at end of file
+Error: 2 - readgzfile() expects parameter 1 to be a valid path, object given, %s(%d)
+NULL
diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
index 0cb94fe6e4..f44f92b86d 100644
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@@ -588,7 +588,7 @@ static PHP_FUNCTION(gzopen)
 php_stream *stream;
 zend_long use_include_path = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
 return;
 }
@@ -616,7 +616,7 @@ static PHP_FUNCTION(readgzfile)
 size_t size;
 zend_long use_include_path = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &filename, &filename_len, &use_include_path) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &filename, &filename_len, &use_include_path) == FAILURE) {
 return;
 }
diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c
index 4eedba8b3a..42861bcf04 100644
--- a/sapi/apache2handler/sapi_apache2.c
+++ b/sapi/apache2handler/sapi_apache2.c
@@ -694,6 +694,7 @@ zend_first_try {
 } zend_end_try();
 }
 apr_brigade_cleanup(brigade);
+ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
 } else {
 ctx->r = parent_req;
 } |
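Review bot: `apr_pool_cleanup_run` first kills the registered cleanup by matching both the data pointer and the function, so the added call in the sapi_apache2.c hunk only unregisters anything if `php_server_context_cleanup` was registered (outside this hunk) with exactly `(void *)&SG(server_context)` as its data; if the registration used a different pointer, the cleanup runs now and again at pool destruction. A one-line comment stating why the cleanup is forced at this point rather than left to the pool would help the next reader, e.g. `/* run and unregister the server_context cleanup now, before the request pool is torn down */`. Anything later in this handler that still reads SG(server_context) will see whatever php_server_context_cleanup leaves behind; the enclosing function starts and ends outside the hunk.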