From f6aef68089221c5ea047d4a74224ee3deead99a6 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Mon, 20 Jun 2016 21:35:22 -0700
Subject: Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
---
 ext/zip/php_zip.c | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'ext/zip/php_zip.c')
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 99c293c6d7..57d060f4ff 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -1015,6 +1015,14 @@ static int php_zip_has_property(zval *object, zval *member, int type, const zend
 }
 /* }}} */
+static HashTable *php_zip_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+ *gc_data = NULL;
+ *gc_data_count = 0;
+ return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */
+
 static HashTable *php_zip_get_properties(zval *object TSRMLS_DC)/* {{{ */
 {
 ze_zip_object *obj;
@@ -2777,6 +2785,7 @@ static PHP_MINIT_FUNCTION(zip)
 zip_object_handlers.clone_obj = NULL;
 zip_object_handlers.get_property_ptr_ptr = php_zip_get_property_ptr_ptr;
+ zip_object_handlers.get_gc = php_zip_get_gc;
 zip_object_handlers.get_properties = php_zip_get_properties;
 zip_object_handlers.read_property = php_zip_read_property;
 zip_object_handlers.has_property = php_zip_has_property;
-- cgit v1.2.1
From 16160386982a86e6ec7969c6c89707d38228f19e Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Tue, 21 Jun 2016 16:00:37 +0300
Subject: Added ZEND_ATTRIBUTE_FORMAT to some middind functions. "%p" replaced by ZEND_LONG_FMT to avoid compilation warnings. Fixed most incorrect use cases of format specifiers.
---
 ext/zip/php_zip.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'ext/zip/php_zip.c')
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index df08882242..73f31bbcd8 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
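Review bot: php_zip_get_gc carries no comment explaining why it exposes only the standard property table to the collector instead of going through php_zip_get_properties, which is the substance of the bug #72434 fix and will not be obvious to the next reader of the handler table. A header comment on the new function would carry that, e.g. `/* The collector must see only the std property table: php_zip_get_properties() presumably rebuilds property zvals on each call, which is unsafe while GC or unserialize() is walking the object (bug #72434). */`. The registration `zip_object_handlers.get_gc = php_zip_get_gc;` in the second hunk (PHP_MINIT_FUNCTION) could point at that comment, since without the override the default get_gc would otherwise reach the custom get_properties, though that dispatch is not visible here. Both enclosing definitions, php_zip_get_properties after the first hunk and PHP_MINIT_FUNCTION(zip) in the second, continue outside the hunks.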
@@ -1694,7 +1694,7 @@ static void php_zip_add_from_pattern(INTERNAL_FUNCTION_PARAMETERS, int type) /*
 if (add_path) {
 if ((add_path_len + file_stripped_len) > MAXPATHLEN) {
- php_error_docref(NULL, E_WARNING, "Entry name too long (max: %d, %pd given)",
+ php_error_docref(NULL, E_WARNING, "Entry name too long (max: %d, %zd given)",
 MAXPATHLEN - 1, (add_path_len + file_stripped_len));
 zval_ptr_dtor(return_value);
 RETURN_FALSE;
-- cgit v1.2.1
From 323b2733f6b42d00dd86e77ac524d64f6ddc4e22 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Wed, 22 Jun 2016 00:40:50 +0300
Subject: Fixed compilation warnings
---
 ext/zip/php_zip.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'ext/zip/php_zip.c')
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 73f31bbcd8..9bb4b524de 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -499,7 +499,7 @@ int php_zip_glob(char *pattern, int pattern_len, zend_long flags, zval *return_v
 char *result;
 #endif
 glob_t globbuf;
- int n;
+ uint n;
 int ret;
 if (pattern_len >= MAXPATHLEN) {
@@ -3003,7 +3003,7 @@ static const zend_function_entry zip_class_functions[] = {
 ZIPARCHIVE_ME(getExternalAttributesIndex, arginfo_ziparchive_getextattrindex, ZEND_ACC_PUBLIC)
 ZIPARCHIVE_ME(setCompressionName, arginfo_ziparchive_setcompname, ZEND_ACC_PUBLIC)
 ZIPARCHIVE_ME(setCompressionIndex, arginfo_ziparchive_setcompindex, ZEND_ACC_PUBLIC)
- {NULL, NULL, NULL}
+ PHP_FE_END
 };
 /* }}} */
-- cgit v1.2.1
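Review bot: The guard and the message on the new line disagree by one: `(add_path_len + file_stripped_len) > MAXPATHLEN` lets a sum equal to MAXPATHLEN through, yet the warning reports `MAXPATHLEN - 1` as the maximum; if the destination is a MAXPATHLEN-sized buffer that still needs its terminating NUL (not visible in the hunk), the check should read `if ((add_path_len + file_stripped_len) >= MAXPATHLEN) {` so that the enforced limit is the stated one. The specifier change also deserves a second look: if add_path_len and file_stripped_len are size_t, `%zu` is the matching specifier for the unsigned sum, whereas `%zd` reinterprets it as signed. The body of php_zip_add_from_pattern continues on both sides of the hunk.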
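Review bot: `uint n;` in php_zip_glob trades one warning for a non-standard type: `uint` is not a C type (it comes from sys/types.h or a compatibility typedef, neither visible here), so the portable fix is `size_t n;`, which on POSIX is also the type of glob_t's gl_pathc if n is what indexes gl_pathv in the loop below the hunk. Where size_t is wider than unsigned int, `uint` would additionally truncate a count taken from gl_pathc, even if that is unlikely to matter for a single glob() result. The body of php_zip_glob continues past the hunk.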