author | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-08 14:16:55 +0100 |
---|---|---|
committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-01-08 14:16:55 +0100 |
commit | 12583615da266b59f3cd28e9f81d6898645e30f8 (patch) | |
tree | 17dff59ab40fb7be349a9f1e4c9516418965de64 | |
parent | 059c720c4c934c6bce3cac6b3f25e2534ef43b77 (diff) | |
Cumulative fix for bugs #77370, #77371, #77381, #77382, #77385 and #77394
-rw-r--r-- | NEWS | 10 | ||||
-rw-r--r-- | ext/mbstring/oniguruma/src/regcomp.c | 10 | ||||
-rw-r--r-- | ext/mbstring/oniguruma/src/regparse.c | 7 | ||||
-rw-r--r-- | ext/mbstring/oniguruma/src/regparse.h | 12 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77370.phpt | 11 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77371.phpt | 11 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77381.phpt | 23 |
7 files changed, 78 insertions, 6 deletions
@@ -33,6 +33,16 @@ PHP NEWS - MBString: . Fixed bug #77367 (Negative size parameter in mb_split). (Stas) + . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). + (Stas) + . Fixed bug #77371 (heap buffer overflow in mb regex functions - + compile_string_node). (Stas) + . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas) + . Fixed bug #77382 (heap buffer overflow due to incorrect length in + expand_case_fold_string). (Stas) + . Fixed bug #77385 (buffer overflow in fetch_token). (Stas) + . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). + (Stas) . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas) - OCI8: diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c index 83b92525d9..3ea28412a7 100644 --- a/ext/mbstring/oniguruma/src/regcomp.c +++ b/ext/mbstring/oniguruma/src/regcomp.c @@ -540,13 +540,13 @@ compile_length_string_node(Node* node, regex_t* reg) ambig = NODE_STRING_IS_AMBIG(node); p = prev = sn->s; - prev_len = enclen(enc, p); + SAFE_ENC_LEN(enc, p, sn->end, prev_len); p += prev_len; slen = 1; rlen = 0; for (; p < sn->end; ) { - len = enclen(enc, p); + SAFE_ENC_LEN(enc, p, sn->end, len); if (len == prev_len) { slen++; } @@ -591,12 +591,12 @@ compile_string_node(Node* node, regex_t* reg) ambig = NODE_STRING_IS_AMBIG(node); p = prev = sn->s; - prev_len = enclen(enc, p); + SAFE_ENC_LEN(enc, p, end, prev_len); p += prev_len; slen = 1; for (; p < end; ) { - len = enclen(enc, p); + SAFE_ENC_LEN(enc, p, end, len); if (len == prev_len) { slen++; } @@ -3624,7 +3624,7 @@ expand_case_fold_string(Node* node, regex_t* reg) goto err; } - len = enclen(reg->enc, p); + SAFE_ENC_LEN(reg->enc, p, end, len); if (n == 0) { if (IS_NULL(snode)) { diff --git a/ext/mbstring/oniguruma/src/regparse.c b/ext/mbstring/oniguruma/src/regparse.c index fcc05cf79e..ac5774bb2b 100644 --- a/ext/mbstring/oniguruma/src/regparse.c +++ b/ext/mbstring/oniguruma/src/regparse.c 
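Review bot: In regcomp.c, the first `SAFE_ENC_LEN(enc, p, sn->end, prev_len)` in compile_length_string_node runs before the loop's `p < sn->end` test, and the macro evaluates `enclen(enc, p)` before it clamps, so the byte at `p` is presumably still inspected when `p` already equals `sn->end`; the first call in compile_string_node has the same ordering. Both function bodies start outside their hunks, so whether an empty-string guard precedes these lines cannot be seen here. The clamp also lets a truncated trailing sequence pass as a shorter character, and its clamped `len` can then equal `prev_len` and be folded into the preceding run. A comment at each call site, including the one in expand_case_fold_string, such as `/* len is clamped to the node end: a truncated final sequence is counted by its remaining bytes */`, would make that visible to the next reader.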
@@ -393,14 +393,17 @@ save_entry(ScanEnv* env, enum SaveType type, int* id) c = ONIGENC_MBC_TO_CODE(enc, p, end); \ pfetch_prev = p; \ p += ONIGENC_MBC_ENC_LEN(enc, p); \ + if(UNEXPECTED(p > end)) p = end; \ } while (0) #define PINC_S do { \ p += ONIGENC_MBC_ENC_LEN(enc, p); \ + if(UNEXPECTED(p > end)) p = end; \ } while (0) #define PFETCH_S(c) do { \ c = ONIGENC_MBC_TO_CODE(enc, p, end); \ p += ONIGENC_MBC_ENC_LEN(enc, p); \ + if(UNEXPECTED(p > end)) p = end; \ } while (0) #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE) @@ -5409,7 +5412,9 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) tok->u.code = c2; } else { /* string */ - p = tok->backp + enclen(enc, tok->backp); + int len; + SAFE_ENC_LEN(enc, tok->backp, end, len); + p = tok->backp + len; } } break; diff --git a/ext/mbstring/oniguruma/src/regparse.h b/ext/mbstring/oniguruma/src/regparse.h index ff24eeb7d3..2855616d82 100644 --- a/ext/mbstring/oniguruma/src/regparse.h +++ b/ext/mbstring/oniguruma/src/regparse.h @@ -455,4 +455,16 @@ extern int onig_global_callout_names_free(void); extern int onig_print_names(FILE*, regex_t*); #endif +#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) +# define UNEXPECTED(condition) __builtin_expect(condition, 0) +#else +# define UNEXPECTED(condition) (condition) +#endif + +#define SAFE_ENC_LEN(enc, p, end, res) do { \ + int __res = enclen(enc, p); \ + if (UNEXPECTED(p + __res > end)) __res = end - p; \ + res = __res; \ +} while(0); + #endif /* REGPARSE_H */ diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt new file mode 100644 index 0000000000..73f186bc90 --- /dev/null +++ b/ext/mbstring/tests/bug77370.phpt 
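Review bot: In regparse.c, PFETCH, PINC_S and PFETCH_S clamp only after `p += ONIGENC_MBC_ENC_LEN(enc, p)`, so `p` is first moved beyond `end` and then pulled back; forming a pointer more than one past the end of the buffer is undefined behaviour in C even when it is never dereferenced. Comparing the length with the remaining bytes avoids that, for example in PINC_S: `int n_ = ONIGENC_MBC_ENC_LEN(enc, p); p += (n_ > end - p) ? (int)(end - p) : n_;`. PINC_S did not reference `end` before this change, so every expansion site now needs an `end` in scope; those sites are outside the hunk.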
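Review bot: SAFE_ENC_LEN in regparse.h ends with `} while(0);`, and that trailing semicolon defeats the do/while(0) wrapper: a call written `SAFE_ENC_LEN(...);` expands to two statements, which breaks an unbraced `if`/`else` around it. The bound test `p + __res > end` forms an out-of-range pointer before comparing, the macro arguments are unparenthesized, and `__res` is an identifier reserved for the implementation. I would write the body as `int res_ = enclen((enc), (p)); if (UNEXPECTED(res_ > (end) - (p))) res_ = (int)((end) - (p)); (res) = res_;` and close it with `} while (0)`. The `UNEXPECTED` definition has no `#ifndef UNEXPECTED` guard, so it may clash with a macro of the same name from another header included in the same translation unit.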
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_split(" \xfd",""));
+?>
+--EXPECTF--
+Warning: mb_split(): mbregex compile err: invalid code point value in %sbug77370.php on line %d
+bool(false)
diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
new file mode 100644
index 0000000000..2ab04c04f6
--- /dev/null
+++ b/ext/mbstring/tests/bug77371.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));
+?>
+--EXPECTF--
+Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77371.php on line %d
+bool(false)
diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt
new file mode 100644
index 0000000000..3d6dd76a4a
--- /dev/null
+++ b/ext/mbstring/tests/bug77381.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #77381 (heap buffer overflow in multibyte match_at)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+var_dump(mb_ereg("000||0\xfa","0"));
+var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));
+var_dump(mb_ereg("0000\\"."\xf5","0"));
+var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));
+?>
+--EXPECTF--
+Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+bool(false)
+
+Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+bool(false)
+
+Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+bool(false)
+
+Warning: mb_ereg(): mbregex compile err: invalid code point value in %sbug77381.php on line %d
+bool(false) |
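Review bot: The commit title names six bugs, but the diffstat and these hunks add regression tests only for #77370, #77371 and #77381; #77382, #77385 and #77394 have no .phpt of their own. If their inputs are already among the four cases in bug77381.phpt, the `--TEST--` description there should say which case belongs to which bug id. Otherwise one test per remaining bug, following the same `--EXPECTF--` pattern, would pin each fix so a later Oniguruma resync cannot silently drop it.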