delta/php-git.git/ext/xml/tests, branch microseconds git.php.net: repository/php-src.git Merge branch 'PHP-5.6' into PHP-7.0 2016-08-20T10:46:08+00:00 Christoph M. Becker cmbecker69@gmx.de 2016-08-20T10:46:08+00:00 39172d44d8cdb9caf76ae851e3bb8f21091564ea 






Improvements to fix #72714, suggested by nikic
2016-08-20T10:44:20+00:00

Christoph M. Becker
cmbecker69@gmx.de

2016-08-20T10:42:03+00:00

52793c14d951b12f0eca806bb55a97011a322243












Merge branch 'PHP-5.6' into PHP-7.0
2016-08-20T00:14:49+00:00

Christoph M. Becker
cmbecker69@gmx.de

2016-08-20T00:07:28+00:00

db1ef5cb00e6bcdd166179fe1293eb628054107b












Fix #72714: _xml_startElementHandler() segmentation fault
2016-08-19T23:58:08+00:00

Christoph M. Becker
cmbecker69@gmx.de

2016-08-16T18:36:33+00:00

9164dc11e2323b8b80c389bb13d70789799b44fc

The issue is caused by an integer overflow when the `long` passed as
XML_OPTION_SKIP_TAGSTART is assigned to `xml_parser::toffset` which is
declared as `int`. We can simply work around this issue, by clipping
resulting negative values to 0 (and raising a notice in this case), because
the reasonable range for this value is certainly catered to by positive
`int`s.

However, there still remains the issue that `xml_parser::toffset` is later
added to `char *`s, which can cause OOB reads, so we make sure that the
upper bound never exceeds the strlen(). We eschew optimizing `SKIP_TAGSTART`
wrt. to the potentially duplicate strlen() call, because that code path is
unexpected anyway.





The issue is caused by an integer overflow when the `long` passed as
XML_OPTION_SKIP_TAGSTART is assigned to `xml_parser::toffset` which is
declared as `int`. We can simply work around this issue, by clipping
resulting negative values to 0 (and raising a notice in this case), because
the reasonable range for this value is certainly catered to by positive
`int`s.

However, there still remains the issue that `xml_parser::toffset` is later
added to `char *`s, which can cause OOB reads, so we make sure that the
upper bound never exceeds the strlen(). We eschew optimizing `SKIP_TAGSTART`
wrt. to the potentially duplicate strlen() call, because that code path is
unexpected anyway.







Merge branch 'PHP-5.6' into PHP-7.0
2016-08-16T23:22:11+00:00

Christoph M. Becker
cmbecker69@gmx.de

2016-08-16T23:14:12+00:00

6202b47e63dabe1434722c275925c23029deac8d












#72085: SEGV on unknown address zif_xml_parse
2016-08-16T22:42:45+00:00

Christoph M. Becker
cmbecker69@gmx.de

2016-08-16T22:41:31+00:00

1bb92d52121cf2635df163911216bf2958db4d34

We better make sure that the ZVALs we're accessing as arrays are indeed
arrays.





We better make sure that the ZVALs we're accessing as arrays are indeed
arrays.







Merge branch 'PHP-5.6' into PHP-7.0
2016-04-27T09:45:29+00:00

Anatol Belski
ab@php.net

2016-04-27T09:45:29+00:00

33d41da3474729486d6bbb7fb13e1b697356481e

* PHP-5.6:
  Fix memory leak
  Fix bug #72099: xml_parse_into_struct segmentation fault
  5.5.36 now
  Fix bug #72094 - Out of bounds heap read access in exif header processing
  Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
  Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
  Fix for bug #71912 (libgd: signedness vulnerability)
  Typo in NEWS





* PHP-5.6:
  Fix memory leak
  Fix bug #72099: xml_parse_into_struct segmentation fault
  5.5.36 now
  Fix bug #72094 - Out of bounds heap read access in exif header processing
  Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
  Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
  Fix for bug #71912 (libgd: signedness vulnerability)
  Typo in NEWS







Merge branch 'PHP-5.5' into PHP-5.6
2016-04-27T06:48:41+00:00

Stanislav Malyshev
stas@php.net

2016-04-27T06:48:41+00:00

e315a162da99f59e82a5272714a6f3d4d724b037

* PHP-5.5:
  Fix memory leak
  Fix bug #72099: xml_parse_into_struct segmentation fault
  5.5.36 now
  Fix bug #72094 - Out of bounds heap read access in exif header processing
  Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
  Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
  Fix for bug #71912 (libgd: signedness vulnerability)
  Typo in NEWS

Conflicts:
	configure.in
	main/php_version.h





* PHP-5.5:
  Fix memory leak
  Fix bug #72099: xml_parse_into_struct segmentation fault
  5.5.36 now
  Fix bug #72094 - Out of bounds heap read access in exif header processing
  Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
  Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
  Fix for bug #71912 (libgd: signedness vulnerability)
  Typo in NEWS

Conflicts:
	configure.in
	main/php_version.h







Fix bug #72099: xml_parse_into_struct segmentation fault
2016-04-27T05:46:28+00:00

Stanislav Malyshev
stas@php.net

2016-04-25T06:50:57+00:00

dccda88f27a084bcbbb30198ace12b4e7ae961cc












Merge branch 'PHP-5.6'
2015-09-09T02:33:28+00:00

Christoph M. Becker
cmb@php.net

2015-09-09T02:33:28+00:00

502b70c50ca1b6be241569430b49293d6e302d4b

* PHP-5.6:
  Skip test for old glibc iconv





* PHP-5.6:
  Skip test for old glibc iconv