diff options
| author | Stanislav Malyshev <stas@php.net> | 2019-12-16 00:38:54 -0800 |
|---|---|---|
| committer | Christoph M. Becker <cmbecker69@gmx.de> | 2019-12-17 09:32:47 +0100 |
| commit | 63d0fa4a92a2c0ce3e4e31cda2e9291e12055c77 (patch) | |
| tree | 5f5833b97325cb454c967aec8fb7bbd604bbe55c | |
| parent | 11893c8e665d285f72c2b8a0fbe01a3fcc03b806 (diff) | |
| download | php-git-63d0fa4a92a2c0ce3e4e31cda2e9291e12055c77.tar.gz | |
Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
Fixed bug #78910
Fix #78878: Buffer underflow in bc_shift_addsub
Fix test
Fix #78862: link() silently truncates after a null byte on Windows
Fix #78863: DirectoryIterator class silently truncates after a null byte
(cherry picked from commit a65b8abf2c9702503591d894ddac0b2f046950b6)
| -rw-r--r-- | ext/bcmath/libbcmath/src/str2num.c | 4 | ||||
| -rw-r--r-- | ext/bcmath/tests/bug78878.phpt | 13 | ||||
| -rw-r--r-- | ext/exif/exif.c | 5 | ||||
| -rw-r--r-- | ext/exif/tests/bug78910.phpt | 17 | ||||
| -rw-r--r-- | ext/spl/spl_directory.c | 4 | ||||
| -rw-r--r-- | ext/spl/tests/bug54291.phpt | 2 | ||||
| -rw-r--r-- | ext/spl/tests/bug78863.phpt | 31 | ||||
| -rw-r--r-- | ext/standard/link_win32.c | 2 | ||||
| -rw-r--r-- | ext/standard/tests/file/windows_links/bug78862.phpt | 17 |
9 files changed, 88 insertions, 7 deletions
diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c index f38d341570..03aec15930 100644 --- a/ext/bcmath/libbcmath/src/str2num.c +++ b/ext/bcmath/libbcmath/src/str2num.c @@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale) zero_int = FALSE; if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ while (*ptr == '0') ptr++; /* Skip leading zeros. */ - while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ + while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ if (*ptr == '.') ptr++; /* decimal point */ - while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ + while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ if ((*ptr != '\0') || (digits+strscale == 0)) { *num = bc_copy_num (BCG(_zero_)); diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt new file mode 100644 index 0000000000..2c9d72b946 --- /dev/null +++ b/ext/bcmath/tests/bug78878.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #78878 (Buffer underflow in bc_shift_addsub) +--SKIPIF-- +<?php +if (!extension_loaded('bcmath')) die('skip bcmath extension not available'); +?> +--FILE-- +<?php +print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4)); +?> +--EXPECT-- +bc math warning: non-zero scale in modulus +0 diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 1c2f0d143b..362e63d9a3 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3138,7 +3138,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu /*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s)", maker_note->make?maker_note->make:"");*/ if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make))) continue; - if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) + if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) + continue; + if (maker_note->id_string && value_len >= maker_note->id_string_len + && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) continue; break; } diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt new file mode 100644 index 0000000000..f5b1c32c1b --- /dev/null +++ b/ext/exif/tests/bug78910.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044) +--FILE-- +<?php + +var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN')); + +?> +--EXPECTF-- +Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d + +Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d + +Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d + +Warning: exif_read_data(): Invalid TIFF file in %s on line %d +bool(false) diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c index 7a91054fc4..b9e6bf91e8 100644 --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@ -708,10 +708,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; - parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags); + parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags); } else { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; - parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len); + parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len); } if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) { flags |= SPL_FILE_DIR_SKIPDOTS; diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt index b15a3723d4..b4c1a2dc4b 100644 --- a/ext/spl/tests/bug54291.phpt +++ b/ext/spl/tests/bug54291.phpt @@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0) $dir = new DirectoryIterator("\x00/abc"); $dir->isFile(); --EXPECTF-- -Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d +Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d Stack trace: #0 %s(%d): DirectoryIterator->__construct('\x00/abc') #1 {main} diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt new file mode 100644 index 0000000000..dc88d98dee --- /dev/null +++ b/ext/spl/tests/bug78863.phpt @@ -0,0 +1,31 @@ +--TEST-- +Bug #78863 (DirectoryIterator class silently truncates after a null byte) +--FILE-- +<?php +$dir = __DIR__ . '/bug78863'; +mkdir($dir); +touch("$dir/bad"); +mkdir("$dir/sub"); +touch("$dir/sub/good"); + +$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub"); +foreach ($it as $fileinfo) { + if (!$fileinfo->isDot()) { + var_dump($fileinfo->getFilename()); + } +} +?> +--EXPECTF-- +Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d +Stack trace: +#0 %s(%d): DirectoryIterator->__construct('%s') +#1 {main} + thrown in %s on line %d +--CLEAN-- +<?php +$dir = __DIR__ . '/bug78863'; +unlink("$dir/sub/good"); +rmdir("$dir/sub"); +unlink("$dir/bad"); +rmdir($dir); +?> diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c index ae6cdd11f2..773e3c9ed6 100644 --- a/ext/standard/link_win32.c +++ b/ext/standard/link_win32.c @@ -211,7 +211,7 @@ PHP_FUNCTION(link) /*First argument to link function is the target and hence should go to frompath Second argument to link function is the link itself and hence should go to topath */ - if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { return; } diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt new file mode 100644 index 0000000000..33b4b49293 --- /dev/null +++ b/ext/standard/tests/file/windows_links/bug78862.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #78862 (link() silently truncates after a null byte on Windows) +--FILE-- +<?php +file_put_contents(__DIR__ . '/bug78862.target', 'foo'); +var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more")); +var_dump(file_exists(__DIR__ . '/bug78862.link')); +?> +--EXPECTF-- +Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d +NULL +bool(false) +--CLEAN-- +<?php +unlink(__DIR__ . '/bug78862.target'); +unlink(__DIR__ . '/bug78862.link'); +?> |