Fix missing type checks in various functions

5 files changed, 41 insertions, 19 deletions

diff --git a/NEWS b/NEWS
index 0a5aea3d80..b444ea582d 100644
--- a/NEWS
+++ b/NEWS
@@ -14,11 +14,14 @@ PHP                                                                        NEWS
   . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas)
   . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type 
     Confusion) (CVE-2014-3515). (Stefan Esser)
-  . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). 
+  . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
     (Stefan Esser)
-    
+
+- COM:
+  . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
+
 - Date:
-  . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712) 
+  . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
     (Remi)
   . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas)
   . Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas)
@@ -28,12 +31,12 @@ PHP                                                                        NEWS
 
 - Fileinfo:
   . Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol)
-  . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary 
-    check). (CVE-2014-0207) 
-  . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). 
+  . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary
+    check). (CVE-2014-0207)
+  . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS).
     (CVE-2014-0238)
-  . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in
-    performance degradation). (CVE-2014-0237)
+  . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting
+    in performance degradation). (CVE-2014-0237)
   . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal
     string size). (Francisco Alonso, Jan Kaluza, Remi)
   . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary
@@ -47,11 +50,17 @@ PHP                                                                        NEWS
   . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas)
   . Fixed bug #67397 (Buffer overflow in locale_get_display_name and
     uloc_getDisplayName (libicu 4.8.1)). (Stas)
-    
+
 - Network:
-  . Fixed bug #67432 (Fix potential segfault in dns_check_record()). 
+  . Fixed bug #67432 (Fix potential segfault in dns_check_record()).
     (CVE-2014-4049). (Sara)
 
+- OpenSSL:
+  . Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
+
+- Session:
+  . Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
+
 12 Dec 2013, PHP 5.3.28
 
 - Openssl:
diff --git a/ext/com_dotnet/com_com.c b/ext/com_dotnet/com_com.c
index 02c475c41d..4fe25fca2e 100644
--- a/ext/com_dotnet/com_com.c
+++ b/ext/com_dotnet/com_com.c
@@ -698,9 +698,9 @@ PHP_FUNCTION(com_event_sink)
 		/* 0 => typelibname, 1 => dispname */
 		zval **tmp;
 
-		if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS)
+		if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING)
 			typelibname = Z_STRVAL_PP(tmp);
-		if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS)
+		if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING)
 			dispname = Z_STRVAL_PP(tmp);
 	} else if (sink != NULL) {
 		convert_to_string(sink);
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 0d2d6442df..295d6b368a 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -649,7 +649,7 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
 		return (time_t)-1;
 	}
 
-	if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+	if (ASN1_STRING_length(timestr) != strlen((char*)ASN1_STRING_data(timestr))) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
 		return (time_t)-1;
 	}
@@ -765,13 +765,13 @@ static int add_oid_section(struct php_x509_request * req TSRMLS_DC) /* {{{ */
 			req->config_filename, req->var, req->req_config TSRMLS_CC) == FAILURE) return FAILURE
 
 #define SET_OPTIONAL_STRING_ARG(key, varname, defval)	\
-	if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+	if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) \
 		varname = Z_STRVAL_PP(item); \
 	else \
 		varname = defval
 
 #define SET_OPTIONAL_LONG_ARG(key, varname, defval)	\
-	if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+	if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_LONG) \
 		varname = Z_LVAL_PP(item); \
 	else \
 		varname = defval
@@ -813,7 +813,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
 
 	SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
 
-	if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS) {
+	if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_BOOL) {
 		req->priv_key_encrypt = Z_BVAL_PP(item);
 	} else {
 		str = CONF_get_string(req->req_config, req->section_name, "encrypt_rsa_key");
@@ -1889,7 +1889,7 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file)
 	}
 
 	/* parse extra config from args array, promote this to an extra function */
-	if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+	if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
 		friendly_name = Z_STRVAL_PP(item);
 	/* certpbe (default RC2-40)
 	   keypbe (default 3DES)
@@ -1967,7 +1967,7 @@ PHP_FUNCTION(openssl_pkcs12_export)
 	}
 
 	/* parse extra config from args array, promote this to an extra function */
-	if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+	if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
 		friendly_name = Z_STRVAL_PP(item);
 
 	if (args && zend_hash_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts"), (void**)&item) == SUCCESS)
diff --git a/ext/openssl/tests/026.phpt b/ext/openssl/tests/026.phpt
new file mode 100644
index 0000000000..38d626d742
--- /dev/null
+++ b/ext/openssl/tests/026.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Options type checks
+--SKIPIF--
+<?php if (!extension_loaded("openssl")) print "skip"; ?>
+--FILE--
+<?php
+$x = openssl_pkey_new();
+$csr = openssl_csr_new(["countryName" => "DE"], $x, ["x509_extensions" => 0xDEADBEEF]);
+?>
+DONE
+--EXPECT--
+DONE
diff --git a/ext/session/session.c b/ext/session/session.c
index 5374db0b60..c659d2ccee 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -362,7 +362,8 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
 
 	if (zend_hash_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER"), (void **) &array) == SUCCESS &&
 		Z_TYPE_PP(array) == IS_ARRAY &&
-		zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS
+		zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS &&
+		Z_TYPE_PP(token) == IS_STRING
 	) {
 		remote_addr = Z_STRVAL_PP(token);
 	}