diff options
-rw-r--r-- | ext/bcmath/libbcmath/src/str2num.c | 4 | ||||
-rw-r--r-- | ext/bcmath/tests/bug78878.phpt | 13 | ||||
-rw-r--r-- | ext/exif/exif.c | 5 | ||||
-rw-r--r-- | ext/exif/tests/bug78910.phpt | 17 | ||||
-rw-r--r-- | ext/spl/spl_directory.c | 4 | ||||
-rw-r--r-- | ext/spl/tests/bug54291.phpt | 2 | ||||
-rw-r--r-- | ext/spl/tests/bug78863.phpt | 31 | ||||
-rw-r--r-- | ext/standard/tests/file/windows_links/bug78862.phpt | 17 | ||||
-rw-r--r-- | win32/sendmail.c | 3 |
9 files changed, 87 insertions, 9 deletions
diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c index f2d6a73501..22cebaf57d 100644 --- a/ext/bcmath/libbcmath/src/str2num.c +++ b/ext/bcmath/libbcmath/src/str2num.c @@ -56,9 +56,9 @@ bc_str2num (bc_num *num, char *str, int scale) zero_int = FALSE; if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ while (*ptr == '0') ptr++; /* Skip leading zeros. */ - while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ + while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ if (*ptr == '.') ptr++; /* decimal point */ - while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ + while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ if ((*ptr != '\0') || (digits+strscale == 0)) { *num = bc_copy_num (BCG(_zero_)); diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt new file mode 100644 index 0000000000..2c9d72b946 --- /dev/null +++ b/ext/bcmath/tests/bug78878.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #78878 (Buffer underflow in bc_shift_addsub) +--SKIPIF-- +<?php +if (!extension_loaded('bcmath')) die('skip bcmath extension not available'); +?> +--FILE-- +<?php +print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4)); +?> +--EXPECT-- +bc math warning: non-zero scale in modulus +0 diff --git a/ext/exif/exif.c b/ext/exif/exif.c index f48a24e8ab..f9320df6b4 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3129,7 +3129,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s)", maker_note->make?maker_note->make:"");*/ if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make))) continue; - if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) + if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) + continue; + if (maker_note->id_string && value_len >= maker_note->id_string_len + && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) continue; break; } diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt new file mode 100644 index 0000000000..f5b1c32c1b --- /dev/null +++ b/ext/exif/tests/bug78910.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044) +--FILE-- +<?php + +var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN')); + +?> +--EXPECTF-- +Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d + +Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d + +Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d + +Warning: exif_read_data(): Invalid TIFF file in %s on line %d +bool(false) diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c index 691ae9b8d0..d21d9034cd 100644 --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@ -708,10 +708,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; - parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags); + parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags); } else { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; - parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len); + parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len); } if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) { flags |= SPL_FILE_DIR_SKIPDOTS; diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt index b15a3723d4..b4c1a2dc4b 100644 --- a/ext/spl/tests/bug54291.phpt +++ b/ext/spl/tests/bug54291.phpt @@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0) $dir = new DirectoryIterator("\x00/abc"); $dir->isFile(); --EXPECTF-- -Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d +Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d Stack trace: #0 %s(%d): DirectoryIterator->__construct('\x00/abc') #1 {main} diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt new file mode 100644 index 0000000000..dc88d98dee --- /dev/null +++ b/ext/spl/tests/bug78863.phpt @@ -0,0 +1,31 @@ +--TEST-- +Bug #78863 (DirectoryIterator class silently truncates after a null byte) +--FILE-- +<?php +$dir = __DIR__ . '/bug78863'; +mkdir($dir); +touch("$dir/bad"); +mkdir("$dir/sub"); +touch("$dir/sub/good"); + +$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub"); +foreach ($it as $fileinfo) { + if (!$fileinfo->isDot()) { + var_dump($fileinfo->getFilename()); + } +} +?> +--EXPECTF-- +Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d +Stack trace: +#0 %s(%d): DirectoryIterator->__construct('%s') +#1 {main} + thrown in %s on line %d +--CLEAN-- +<?php +$dir = __DIR__ . '/bug78863'; +unlink("$dir/sub/good"); +rmdir("$dir/sub"); +unlink("$dir/bad"); +rmdir($dir); +?> diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt new file mode 100644 index 0000000000..33b4b49293 --- /dev/null +++ b/ext/standard/tests/file/windows_links/bug78862.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #78862 (link() silently truncates after a null byte on Windows) +--FILE-- +<?php +file_put_contents(__DIR__ . '/bug78862.target', 'foo'); +var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more")); +var_dump(file_exists(__DIR__ . '/bug78862.link')); +?> +--EXPECTF-- +Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d +NULL +bool(false) +--CLEAN-- +<?php +unlink(__DIR__ . '/bug78862.target'); +unlink(__DIR__ . '/bug78862.link'); +?> diff --git a/win32/sendmail.c b/win32/sendmail.c index 98b61ec920..9e31028d58 100644 --- a/win32/sendmail.c +++ b/win32/sendmail.c @@ -207,9 +207,6 @@ PHPAPI int TSendMail(char *host, int *error, char **error_message, /* Create a lowercased header for all the searches so we're finally case * insensitive when searching for a pattern. */ headers_lc = zend_string_tolower(headers_trim); - if (headers_lc == headers_trim) { - zend_string_release_ex(headers_lc, 0); - } } /* Fall back to sendmail_from php.ini setting */ |