authorStanislav Malyshev <stas@php.net>2015-07-07 15:05:35 -0700
committerStanislav Malyshev <stas@php.net>2015-07-07 15:05:35 -0700
commite4fc1d5d1db500c67ba6ce2e0916baeec1f1859e (patch)
treebbb00aab381acb499aef15effc844815e689d105
parenta46bae2df257ec9bbc601204c73a8f7b103edee1 (diff)
parent885edfef0a0eb1016a906d197399f92375a795e4 (diff)
downloadphp-git-e4fc1d5d1db500c67ba6ce2e0916baeec1f1859e.tar.gz
Merge branch 'PHP-5.4' into PHP-5.4.43
* PHP-5.4: Better fix for bug #69958 update news Fix bug #69669 (mysqlnd is vulnerable to BACKRONYM) Fix bug #69923 - Buffer overflow and stack smashing error in phar_fix_filepath Fix bug #69958 - Segfault in Phar::convertToData on invalid file add missing second argument for ucfirst to the proto Conflicts: ext/mysqlnd/mysqlnd.c ext/phar/phar_object.c ext/phar/tests/bug69958.phpt
-rw-r--r--NEWS11
-rw-r--r--ext/mysqlnd/mysqlnd.c6
-rw-r--r--ext/phar/phar_object.c22
-rw-r--r--ext/phar/tests/bug69958.phpt2
-rw-r--r--ext/standard/string.c2
5 files changed, 28 insertions, 15 deletions
diff --git a/NEWS b/NEWS
index 6e006a4801..c34813e633 100644
--- a/NEWS
+++ b/NEWS
@@ -1,12 +1,21 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2015 PHP 5.4.43
+09 Jul 2015 PHP 5.4.43
- Core:
. Fixed bug #69768 (escapeshell*() doesn't cater to !). (cmb)
. Fixed bug #69874 (Can't set empty additional_headers for mail()), regression
from fix to bug #68776. (Yasuo)
+- Mysqlnd:
+ . Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM) (CVE-2015-3152).
+ (Andrey)
+
+- Phar:
+ . Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (Stas)
+ . Fixed bug #69923 (Buffer overflow and stack smashing error in
+ phar_fix_filepath). (Stas)
+
11 Jun 2015 PHP 5.4.42
- Core:
diff --git a/ext/mysqlnd/mysqlnd.c b/ext/mysqlnd/mysqlnd.c
index 1c4a7714cc..61daf96887 100644
--- a/ext/mysqlnd/mysqlnd.c
+++ b/ext/mysqlnd/mysqlnd.c
@@ -454,9 +454,7 @@ mysqlnd_switch_to_ssl_if_needed(
zend_bool verify = mysql_flags & CLIENT_SSL_VERIFY_SERVER_CERT? TRUE:FALSE;
DBG_INF("Switching to SSL");
if (!PACKET_WRITE(auth_packet, conn)) {
- CONN_SET_STATE(conn, CONN_QUIT_SENT);
- SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone);
- goto end;
+ goto close_conn;
}
conn->net->m.set_client_option(conn->net, MYSQL_OPT_SSL_VERIFY_SERVER_CERT, (const char *) &verify TSRMLS_CC);
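Review bot: The `verify` value handed to `set_client_option` in this hunk comes only from `CLIENT_SSL_VERIFY_SERVER_CERT` in `mysql_flags`, so a caller that requests SSL without that flag gets an encrypted channel whose peer is not authenticated, and nothing in the code says so. I would add a comment above the `verify` line, for example `/* server certificate is checked only when the caller passed CLIENT_SSL_VERIFY_SERVER_CERT */`. The return value of `set_client_option` is also not checked in the visible lines; if that call can fail, the failure should probably take the `close_conn` path as well. The function body starts and ends outside the hunk.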
@@ -479,7 +477,7 @@ end:
close_conn:
CONN_SET_STATE(conn, CONN_QUIT_SENT);
- conn->m->send_close(conn);
+ conn->m->send_close(conn TSRMLS_CC);
SET_CLIENT_ERROR(*conn->error_info, CR_SERVER_GONE_ERROR, UNKNOWN_SQLSTATE, mysqlnd_server_gone);
PACKET_FREE(auth_packet);
DBG_RETURN(ret);
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 1184863de9..8cfe0c8228 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -2089,9 +2089,10 @@ static int phar_copy_file_contents(phar_entry_info *entry, php_stream *fp TSRMLS
}
/* }}} */
-static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool compress TSRMLS_DC) /* {{{ */
+static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool compress TSRMLS_DC) /* {{{ */
{
const char *oldname = NULL;
+ phar_archive_data *phar = *sphar;
char *oldpath = NULL;
char *basename = NULL, *basepath = NULL;
char *newname = NULL, *newpath = NULL;
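Review bot: `phar_rename_archive` now takes `phar_archive_data **sphar` as an in/out parameter, but nothing at the signature tells the caller that `*sphar` can come back as NULL. A comment above the function would make the ownership rule explicit, for example `/* *sphar is set to NULL when the archive object was already destroyed here; the caller must not free it again */`. The caller's new NULL guard in the `-2413` hunk depends on exactly this contract. The function body continues outside the hunk.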
@@ -2199,6 +2200,7 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
phar->fp = NULL;
phar_destroy_phar_data(phar TSRMLS_CC);
phar = *pphar;
+ *sphar = NULL;
phar->refcount++;
newpath = oldpath;
goto its_ok;
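Review bot: `*sphar = NULL;` is added only on this path, and it sits one statement away from the `phar_destroy_phar_data(phar TSRMLS_CC);` call it belongs to. Any other path in the function that releases the archive and then returns NULL would leave the caller's pointer dangling, and the cleanup in the `-2413` hunk would free it a second time; those paths are not visible here, so this needs checking against the full function. I would also place `*sphar = NULL;` directly after the destroy call, before `phar = *pphar;`, so the free and the clear cannot drift apart.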
@@ -2413,17 +2415,19 @@ no_copy:
phar_add_virtual_dirs(phar, newentry.filename, newentry.filename_len TSRMLS_CC);
}
- if ((ret = phar_rename_archive(phar, ext, 0 TSRMLS_CC))) {
+ if ((ret = phar_rename_archive(&phar, ext, 0 TSRMLS_CC))) {
return ret;
} else {
- zend_hash_destroy(&(phar->manifest));
- zend_hash_destroy(&(phar->mounted_dirs));
- zend_hash_destroy(&(phar->virtual_dirs));
- if (phar->fp) {
- php_stream_close(phar->fp);
+ if(phar != NULL) {
+ zend_hash_destroy(&(phar->manifest));
+ zend_hash_destroy(&(phar->mounted_dirs));
+ zend_hash_destroy(&(phar->virtual_dirs));
+ if (phar->fp) {
+ php_stream_close(phar->fp);
+ }
+ efree(phar->fname);
+ efree(phar);
}
- efree(phar->fname);
- efree(phar);
return NULL;
}
}
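Review bot: `if(phar != NULL) {` drops the space after `if` that the neighbouring `if (phar->fp) {` and `if ((ret = phar_rename_archive(...)))` lines use; it should read `if (phar != NULL) {`. A short comment on the guard would also help, since its reason is not visible at this site: `/* NULL means phar_rename_archive() already destroyed the object */`. The enclosing function starts outside the hunk.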
diff --git a/ext/phar/tests/bug69958.phpt b/ext/phar/tests/bug69958.phpt
index d63b413c29..96f2198b14 100644
--- a/ext/phar/tests/bug69958.phpt
+++ b/ext/phar/tests/bug69958.phpt
@@ -1,5 +1,7 @@
--TEST--
Phar: bug #69958: Segfault in Phar::convertToData on invalid file
+--XFAIL--
+Still has memory leaks, see https://bugs.php.net/bug.php?id=70005
--SKIPIF--
<?php if (!extension_loaded("phar")) die("skip"); ?>
--FILE--
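Review bot: Marking the whole test `--XFAIL--` for the leak means a return of the original segfault would also be reported as an expected failure, so this test no longer guards the crash fix from bug #69958. The reason line could at least say what kind of failure is expected, for example `Memory leaks only, see https://bugs.php.net/bug.php?id=70005 - a crash here is a regression`. The section should be removed as soon as the leak is fixed.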
diff --git a/ext/standard/string.c b/ext/standard/string.c
index e22207dcb9..978007a513 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -2738,7 +2738,7 @@ PHP_FUNCTION(lcfirst)
}
/* }}} */
-/* {{{ proto string ucwords(string str)
+/* {{{ proto string ucwords(string str [, string delims])
Uppercase the first character of every word in a string */
PHP_FUNCTION(ucwords)
{