author | Stanislav Malyshev <stas@php.net> | 2016-04-26 23:48:41 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-04-26 23:48:41 -0700 |
commit | e315a162da99f59e82a5272714a6f3d4d724b037 (patch) | |
tree | 7c2e9af8912bc69dd95100f25138bc190090ed7b | |
parent | 9f389cccfd5b0e0b8407d6d12a1c6b5acd3c4206 (diff) | |
parent | 61c7a06e7c19d9b408db1129efa0959a0acbf0b1 (diff) | |
download | php-git-e315a162da99f59e82a5272714a6f3d4d724b037.tar.gz |
Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
Fix memory leak
Fix bug #72099: xml_parse_into_struct segmentation fault
5.5.36 now
Fix bug #72094 - Out of bounds heap read access in exif header processing
Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
Fix for bug #71912 (libgd: signedness vulnerability)
Typo in NEWS
Conflicts:
configure.in
main/php_version.h
-rw-r--r-- | ext/bcmath/bcmath.c | 60 | ||||
-rw-r--r-- | ext/bcmath/tests/bug72093.phpt | 13 | ||||
-rw-r--r-- | ext/exif/exif.c | 17 | ||||
-rw-r--r-- | ext/exif/tests/bug72094.phpt | 61 | ||||
-rw-r--r-- | ext/exif/tests/bug72094_1.jpg | bin | 0 -> 140 bytes | |||
-rw-r--r-- | ext/exif/tests/bug72094_2.jpg | bin | 0 -> 140 bytes | |||
-rw-r--r-- | ext/exif/tests/bug72094_3.jpg | bin | 0 -> 112 bytes | |||
-rw-r--r-- | ext/exif/tests/bug72094_4.jpg | bin | 0 -> 32 bytes | |||
-rw-r--r-- | ext/gd/libgd/gd_gd2.c | 6 | ||||
-rw-r--r-- | ext/gd/tests/bug71912.phpt | 16 | ||||
-rw-r--r-- | ext/gd/tests/invalid_neg_size.gd2 | bin | 0 -> 1676 bytes | |||
-rw-r--r-- | ext/intl/grapheme/grapheme_string.c | 12 | ||||
-rw-r--r-- | ext/intl/tests/bug72061.phpt | 15 | ||||
-rw-r--r-- | ext/xml/tests/bug72099.phpt | 17 | ||||
-rw-r--r-- | ext/xml/xml.c | 106 |
15 files changed, 244 insertions, 79 deletions
diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c index e40d302316..ea2c38e418 100644 --- a/ext/bcmath/bcmath.c +++ b/ext/bcmath/bcmath.c @@ -201,6 +201,21 @@ static void php_str2num(bc_num *num, char *str TSRMLS_DC) } /* }}} */ +/* {{{ split_bc_num + Convert to bc_num detecting scale */ +static bc_num split_bc_num(bc_num num) { + bc_num newnum; + if (num->n_refs >= 1) { + return num; + } + newnum = _bc_new_num_ex(0, 0, 0); + *newnum = *num; + newnum->n_refs = 1; + num->n_refs--; + return newnum; +} +/* }}} */ + /* {{{ proto string bcadd(string left_operand, string right_operand [, int scale]) Returns the sum of two arbitrary precision numbers */ PHP_FUNCTION(bcadd) @@ -214,7 +229,7 @@ PHP_FUNCTION(bcadd) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -225,11 +240,12 @@ PHP_FUNCTION(bcadd) php_str2num(&first, left TSRMLS_CC); php_str2num(&second, right TSRMLS_CC); bc_add (first, second, &result, scale); - + if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } - + Z_STRVAL_P(return_value) = bc_num2str(result); Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); Z_TYPE_P(return_value) = IS_STRING; @@ -253,7 +269,7 @@ PHP_FUNCTION(bcsub) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -266,6 +282,7 @@ PHP_FUNCTION(bcsub) bc_sub (first, second, &result, scale); if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } 
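Review bot: The guard in the new split_bc_num, `if (num->n_refs >= 1) { return num; }`, looks inverted for a copy-on-write helper: a bc_num that is still in use should have a reference count of at least 1, so the copying branch appears unreachable and a shared number (the commit message names the `_one_` definition) would still have its n_scale rewritten in place by the callers; if the intent is to copy only when the number is shared, the condition should probably be `if (num->n_refs <= 1) { return num; }` — please confirm against `_bc_new_num_ex`, which is outside this hunk. The header comment `Convert to bc_num detecting scale` does not describe the function either; something like `/* Return a private copy of num when it is shared so the caller can lower n_scale without corrupting other holders. */` would. The same `result = split_bc_num(result);` call is added in the bcadd, bcsub, bcmul, bcdiv, bcpowmod, bcpow and bcsqrt hunks, so the guard's direction decides whether any of them actually protects the shared value.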
@@ -292,11 +309,11 @@ PHP_FUNCTION(bcmul) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } - + bc_init_num(&first TSRMLS_CC); bc_init_num(&second TSRMLS_CC); bc_init_num(&result TSRMLS_CC); @@ -305,6 +322,7 @@ PHP_FUNCTION(bcmul) bc_multiply (first, second, &result, scale TSRMLS_CC); if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } @@ -331,11 +349,11 @@ PHP_FUNCTION(bcdiv) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } - + bc_init_num(&first TSRMLS_CC); bc_init_num(&second TSRMLS_CC); bc_init_num(&result TSRMLS_CC); @@ -345,6 +363,7 @@ PHP_FUNCTION(bcdiv) switch (bc_divide(first, second, &result, scale TSRMLS_CC)) { case 0: /* OK */ if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } Z_STRVAL_P(return_value) = bc_num2str(result); @@ -374,13 +393,13 @@ PHP_FUNCTION(bcmod) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &left, &left_len, &right, &right_len) == FAILURE) { return; } - + bc_init_num(&first TSRMLS_CC); bc_init_num(&second TSRMLS_CC); bc_init_num(&result TSRMLS_CC); bc_str2num(&first, left, 0 TSRMLS_CC); bc_str2num(&second, right, 0 TSRMLS_CC); - + switch (bc_modulo(first, second, &result, 0 TSRMLS_CC)) { case 0: Z_STRVAL_P(return_value) = bc_num2str(result); @@ -391,7 +410,7 @@ PHP_FUNCTION(bcmod) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Division by zero"); break; } - + bc_free_num(&first); bc_free_num(&second); bc_free_num(&result); 
@@ -424,8 +443,9 @@ PHP_FUNCTION(bcpowmod) scale_int = (int) ((int)scale < 0) ? 0 : scale; if (bc_raisemod(first, second, mod, &result, scale_int TSRMLS_CC) != -1) { - if (result->n_scale > scale) { - result->n_scale = scale; + if (result->n_scale > scale_int) { + result = split_bc_num(result); + result->n_scale = scale_int; } Z_STRVAL_P(return_value) = bc_num2str(result); Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); @@ -433,7 +453,7 @@ PHP_FUNCTION(bcpowmod) } else { RETVAL_FALSE; } - + bc_free_num(&first); bc_free_num(&second); bc_free_num(&mod); @@ -455,7 +475,7 @@ PHP_FUNCTION(bcpow) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -468,6 +488,7 @@ PHP_FUNCTION(bcpow) bc_raise (first, second, &result, scale TSRMLS_CC); if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } @@ -494,16 +515,17 @@ PHP_FUNCTION(bcsqrt) if (zend_parse_parameters(argc TSRMLS_CC, "s|l", &left, &left_len, &scale_param) == FAILURE) { return; } - + if (argc == 2) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } bc_init_num(&result TSRMLS_CC); php_str2num(&result, left TSRMLS_CC); - + if (bc_sqrt (&result, scale TSRMLS_CC) != 0) { if (result->n_scale > scale) { + result = split_bc_num(result); result->n_scale = scale; } Z_STRVAL_P(return_value) = bc_num2str(result); @@ -531,7 +553,7 @@ PHP_FUNCTION(bccomp) if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { return; } - + if (argc == 3) { scale = (int) ((int)scale_param < 0) ? 0 : scale_param; } @@ -555,7 +577,7 @@ PHP_FUNCTION(bccomp) PHP_FUNCTION(bcscale) { long new_scale; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &new_scale) == FAILURE) { return; } 
diff --git a/ext/bcmath/tests/bug72093.phpt b/ext/bcmath/tests/bug72093.phpt new file mode 100644 index 0000000000..be664b8114 --- /dev/null +++ b/ext/bcmath/tests/bug72093.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug 72093: bcpowmod accepts negative scale and corrupts _one_ definition +--SKIPIF-- +<?php if(!extension_loaded("bcmath")) print "skip"; ?> +--FILE-- +<?php +var_dump(bcpowmod(1, "A", 128, -200)); +var_dump(bcpowmod(1, 1.2, 1, 1)); +?> +--EXPECTF-- +string(1) "1" +bc math warning: non-zero scale in exponent +string(3) "0.0" diff --git a/ext/exif/exif.c b/ext/exif/exif.c index f94e075e5a..db007ca2e6 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2955,7 +2955,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha /* When there are any characters after the first NUL */ ImageInfo->CopyrightPhotographer = estrdup(value_ptr); ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1); - spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1); + spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor); /* format = TAG_FMT_UNDEFINED; this musn't be ASCII */ /* but we are not supposed to change this */ /* keep in mind that image_info does not store editor value */ @@ -3124,6 +3124,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, ImageInfo->sections_found |= FOUND_IFD0; + if ((dir_start + 2) >= (offset_base+IFDlength)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size"); + return FALSE; + } + NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel); if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) { 
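Review bot: The new check `if ((dir_start + 2) >= (offset_base+IFDlength))` rejects an IFD whose two-byte entry count ends exactly at the end of the IFD data, even though that read is in bounds, while the existing entry-count check two lines below uses `>` against the same end pointer. The next hunk repeats the pattern with `if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength))`, so a file whose four-byte next-IFD offset is the last field of the segment is reported as `Illegal IFD size`. If that layout is meant to be accepted both comparisons should be `>`; if the stricter rejection is deliberate, a one-line comment saying so would keep the next reader from "fixing" it. Since these pointers are derived from file-supplied offsets, comparing an integer remaining length (`offset_base + IFDlength - dir_start`) against the bytes needed avoids forming pointers beyond the buffer in the first place. exif_process_IFD_in_JPEG begins before this hunk.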
@@ -3147,6 +3152,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start, * Hack to make it process IDF1 I hope * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail */ + if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) { + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size"); + return FALSE; + } NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel); if (NextDirOffset) { /* the next line seems false but here IFDlength means length of all IFDs */ @@ -3196,9 +3205,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, } /* Check the next two values for correctness. */ + if (length < 8) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); + return; + } exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel); offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel); - if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) { + if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) { exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)"); return; } diff --git a/ext/exif/tests/bug72094.phpt b/ext/exif/tests/bug72094.phpt new file mode 100644 index 0000000000..17674d0d9a --- /dev/null +++ b/ext/exif/tests/bug72094.phpt 
@@ -0,0 +1,61 @@
+--TEST--
+Bug #72094: Out of bounds heap read access in exif header processing
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+print_r(exif_read_data(__DIR__ . '/bug72094_1.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_2.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_3.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_4.jpg'));
+?>
+DONE
+--EXPECTF--
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x8298=Copyright ): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid TIFF start (1) in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+DONE
\ No newline at end of file diff --git a/ext/exif/tests/bug72094_1.jpg b/ext/exif/tests/bug72094_1.jpg Binary files differnew file mode 100644 index 0000000000..d21382b44b --- /dev/null +++ b/ext/exif/tests/bug72094_1.jpg diff --git a/ext/exif/tests/bug72094_2.jpg b/ext/exif/tests/bug72094_2.jpg Binary files differnew file mode 100644 index 0000000000..ec414ce02b --- /dev/null +++ b/ext/exif/tests/bug72094_2.jpg diff --git a/ext/exif/tests/bug72094_3.jpg b/ext/exif/tests/bug72094_3.jpg Binary files differnew file mode 100644 index 0000000000..8b05314b67 --- /dev/null +++ b/ext/exif/tests/bug72094_3.jpg diff --git a/ext/exif/tests/bug72094_4.jpg b/ext/exif/tests/bug72094_4.jpg Binary files differnew file mode 100644 index 0000000000..ca6d453c2c --- /dev/null +++ b/ext/exif/tests/bug72094_4.jpg diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c index efc6ef47af..6726fee826 100644 --- a/ext/gd/libgd/gd_gd2.c +++ b/ext/gd/libgd/gd_gd2.c @@ -145,9 +145,15 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in cidx = gdCalloc(sidx, 1); for (i = 0; i < nc; i++) { if (gdGetInt(&cidx[i].offset, in) != 1) { + gdFree(cidx); goto fail1; } if (gdGetInt(&cidx[i].size, in) != 1) { + gdFree(cidx); + goto fail1; + } + if (cidx[i].offset < 0 || cidx[i].size < 0) { + gdFree(cidx); goto fail1; } } diff --git a/ext/gd/tests/bug71912.phpt b/ext/gd/tests/bug71912.phpt new file mode 100644 index 0000000000..33b079d937 --- /dev/null +++ b/ext/gd/tests/bug71912.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #71912 (libgd: signedness vulnerability) +--SKIPIF-- +<?php + if(!extension_loaded('gd')){ die('skip gd extension not available'); } + if(!function_exists('imagecreatefromgd2')) die('skip imagecreatefromgd2() not available'); +?> +--FILE-- +<?php +imagecreatefromgd2(__DIR__."/invalid_neg_size.gd2"); +?> +OK +--EXPECTF-- + +Warning: imagecreatefromgd2(): '%s/invalid_neg_size.gd2' is not a valid GD2 file in %s/bug71912.php on line %d +OK
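Review bot: The three new `gdFree(cidx); goto fail1;` pairs in _gd2GetHeader duplicate the cleanup at every loop exit; the usual C pattern is a second label, so each pair becomes `goto fail2;` and `fail2: gdFree(cidx);` is placed directly above `fail1:`, which lies outside this hunk. The `cidx = gdCalloc(sidx, 1);` result on the context line above the loop is still used without a NULL check, so the added branches would dereference NULL on allocation failure if gdCalloc can return it in this build. The new sign test stops negative chunk offsets and sizes from reaching later code, but if `offset + size` is compared against the file length further down, that sum can still overflow for large positive values and needs its own check; that use is not visible from here.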
\ No newline at end of file diff --git a/ext/gd/tests/invalid_neg_size.gd2 b/ext/gd/tests/invalid_neg_size.gd2 Binary files differnew file mode 100644 index 0000000000..3075f15a81 --- /dev/null +++ b/ext/gd/tests/invalid_neg_size.gd2 diff --git a/ext/intl/grapheme/grapheme_string.c b/ext/intl/grapheme/grapheme_string.c index 8a094e015e..3ba9b51524 100644 --- a/ext/intl/grapheme/grapheme_string.c +++ b/ext/intl/grapheme/grapheme_string.c @@ -112,7 +112,7 @@ PHP_FUNCTION(grapheme_strpos) int haystack_len, needle_len; unsigned char *found; long loffset = 0; - int32_t offset = 0; + int32_t offset = 0, noffset = 0; int ret_pos; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", (char **)&haystack, &haystack_len, (char **)&needle, &needle_len, &loffset) == FAILURE) { @@ -132,6 +132,7 @@ PHP_FUNCTION(grapheme_strpos) /* we checked that it will fit: */ offset = (int32_t) loffset; + noffset = offset >= 0 ? offset : haystack_len + offset; /* the offset is 'grapheme count offset' so it still might be invalid - we'll check it later */ @@ -146,7 +147,7 @@ PHP_FUNCTION(grapheme_strpos) /* quick check to see if the string might be there * I realize that 'offset' is 'grapheme count offset' but will work in spite of that */ - found = (unsigned char *)php_memnstr((char *)haystack + offset, (char *)needle, needle_len, (char *)haystack + haystack_len); + found = (unsigned char *)php_memnstr((char *)haystack + noffset, (char *)needle, needle_len, (char *)haystack + haystack_len); /* if it isn't there the we are done */ if (!found) { 
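Review bot: `noffset = offset >= 0 ? offset : haystack_len + offset;` is only safe if a negative `offset` whose magnitude exceeds `haystack_len` has already been rejected, since otherwise `haystack + noffset` on the php_memnstr line in the next hunk points before the buffer. That range check is outside this hunk, and the adjacent comment `we checked that it will fit` refers to the int32 cast rather than to the string length, so please add a line such as `/* negative offsets were bounded to -haystack_len above, so noffset is within [0, haystack_len] */` beside the assignment. The same derivation is repeated in the grapheme_stripos hunk below, where `noffset` is declared inside the `if ( is_ascii )` block rather than next to `offset` as here; keeping both functions in the same shape would make the invariant easier to audit. grapheme_strpos begins before the first hunk.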
@@ -214,12 +215,13 @@ PHP_FUNCTION(grapheme_stripos) is_ascii = ( grapheme_ascii_check(haystack, haystack_len) >= 0 ); if ( is_ascii ) { + int32_t noffset = offset >= 0 ? offset : haystack_len + offset; needle_dup = (unsigned char *)estrndup((char *)needle, needle_len); php_strtolower((char *)needle_dup, needle_len); haystack_dup = (unsigned char *)estrndup((char *)haystack, haystack_len); php_strtolower((char *)haystack_dup, haystack_len); - found = (unsigned char*) php_memnstr((char *)haystack_dup + offset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len); + found = (unsigned char*) php_memnstr((char *)haystack_dup + noffset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len); efree(haystack_dup); efree(needle_dup); @@ -537,7 +539,7 @@ PHP_FUNCTION(grapheme_substr) efree(ustr); } ubrk_close(bi); - RETURN_EMPTY_STRING(); + RETURN_EMPTY_STRING(); } /* find the end point of the string to return */ @@ -576,7 +578,7 @@ PHP_FUNCTION(grapheme_substr) sub_str_end_pos = ustr_len; } } - + if(sub_str_start_pos > sub_str_end_pos) { intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_substr: length is beyond start", 1 TSRMLS_CC ); diff --git a/ext/intl/tests/bug72061.phpt b/ext/intl/tests/bug72061.phpt new file mode 100644 index 0000000000..782c32c11c --- /dev/null +++ b/ext/intl/tests/bug72061.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #72061: Out-of-bounds reads in zif_grapheme_stripos with negative offset +--SKIPIF-- +<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?> +--FILE-- +<?php + +var_dump(grapheme_stripos(str_repeat("ABCD", 16384), "A", -201)); +var_dump(grapheme_strpos(str_repeat("ABCD", 16384), "A", -201)); +?> +DONE +--EXPECT-- +int(65336) +int(65336) +DONE
\ No newline at end of file diff --git a/ext/xml/tests/bug72099.phpt b/ext/xml/tests/bug72099.phpt new file mode 100644 index 0000000000..50173a6a4c --- /dev/null +++ b/ext/xml/tests/bug72099.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #72099: xml_parse_into_struct segmentation fault +--SKIPIF-- +<?php +require_once("skipif.inc"); +?> +--FILE-- +<?php +$var1=xml_parser_create_ns(); +$var2=str_repeat("a", 10); +$var3=[]; +$var4=[]; +xml_parse_into_struct($var1, $var2, $var3, $var4); +var_dump($var3); +--EXPECT-- +array(0) { +}
\ No newline at end of file diff --git a/ext/xml/xml.c b/ext/xml/xml.c index 503bf34f1d..0850f0c605 100644 --- a/ext/xml/xml.c +++ b/ext/xml/xml.c @@ -283,7 +283,7 @@ xml_encoding xml_encodings[] = { static XML_Memory_Handling_Suite php_xml_mem_hdlrs; /* True globals, no need for thread safety */ -static int le_xml_parser; +static int le_xml_parser; /* }}} */ @@ -343,7 +343,7 @@ PHP_MINIT_FUNCTION(xml) REGISTER_LONG_CONSTANT("XML_OPTION_SKIP_WHITE", PHP_XML_OPTION_SKIP_WHITE, CONST_CS|CONST_PERSISTENT); /* this object should not be pre-initialised at compile time, - as the order of members may vary */ + as the order of members may vary */ php_xml_mem_hdlrs.malloc_fcn = php_xml_malloc_wrapper; php_xml_mem_hdlrs.realloc_fcn = php_xml_realloc_wrapper; @@ -404,7 +404,7 @@ static zval *_xml_xmlchar_zval(const XML_Char *s, int len, const XML_Char *encod { zval *ret; MAKE_STD_ZVAL(ret); - + if (s == NULL) { ZVAL_FALSE(ret); return ret; @@ -422,7 +422,7 @@ static zval *_xml_xmlchar_zval(const XML_Char *s, int len, const XML_Char *encod static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC) { xml_parser *parser = (xml_parser *)rsrc->ptr; - + if (parser->parser) { XML_ParserFree(parser->parser); } @@ -503,7 +503,7 @@ static void xml_set_handler(zval **handler, zval **data) /* {{{ xml_call_handler() */ static zval *xml_call_handler(xml_parser *parser, zval *handler, zend_function *function_ptr, int argc, zval **argv) { - int i; + int i; TSRMLS_FETCH(); if (parser && handler && !EG(exception)) { @@ -516,7 +516,7 @@ static zval *xml_call_handler(xml_parser *parser, zval *handler, zend_function * for (i = 0; i < argc; i++) { args[i] = &argv[i]; } - + fci.size = sizeof(fci); fci.function_table = EG(function_table); fci.function_name = handler; 
@@ -540,7 +540,7 @@ static zval *xml_call_handler(xml_parser *parser, zval *handler, zend_function * Z_TYPE_PP(obj) == IS_OBJECT && Z_TYPE_PP(method) == IS_STRING) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call handler %s::%s()", Z_OBJCE_PP(obj)->name, Z_STRVAL_PP(method)); - } else + } else php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call handler"); } @@ -739,14 +739,14 @@ static void _xml_add_to_info(xml_parser *parser,char *name) if (zend_hash_find(Z_ARRVAL_P(parser->info),name,strlen(name) + 1,(void **) &element) == FAILURE) { MAKE_STD_ZVAL(values); - + array_init(values); - + zend_hash_update(Z_ARRVAL_P(parser->info), name, strlen(name)+1, (void *) &values, sizeof(zval*), (void **) &element); - } - + } + add_next_index_long(*element,parser->curtag); - + parser->curtag++; } /* }}} */ @@ -798,11 +798,11 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch efree(att); } - + if ((retval = xml_call_handler(parser, parser->startElementHandler, parser->startElementPtr, 3, args))) { zval_ptr_dtor(&retval); } - } + } if (parser->data) { if (parser->level <= XML_MAXLEVEL) { @@ -874,7 +874,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name) if ((retval = xml_call_handler(parser, parser->endElementHandler, parser->endElementPtr, 2, args))) { zval_ptr_dtor(&retval); } - } + } if (parser->data) { zval *tag; @@ -885,13 +885,13 @@ void _xml_endElementHandler(void *userData, const XML_Char *name) MAKE_STD_ZVAL(tag); array_init(tag); - + _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ add_assoc_string(tag,"type","close",1); add_assoc_long(tag,"level",parser->level); - + zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); } 
@@ -923,7 +923,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) if ((retval = xml_call_handler(parser, parser->characterDataHandler, parser->characterDataPtr, 2, args))) { zval_ptr_dtor(&retval); } - } + } if (parser->data) { int i; @@ -931,7 +931,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) char *decoded_value; int decoded_len; - + decoded_value = xml_utf8_decode(s,len,&decoded_len,parser->target_encoding); for (i = 0; i < decoded_len; i++) { switch (decoded_value[i]) { @@ -950,7 +950,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) if (doprint || (! parser->skipwhite)) { if (parser->lastwasopen) { zval **myval; - + /* check if the current tag already has a value - if yes append to that! */ if (zend_hash_find(Z_ARRVAL_PP(parser->ctag),"value",sizeof("value"),(void **) &myval) == SUCCESS) { int newlen = Z_STRLEN_PP(myval) + decoded_len; @@ -961,7 +961,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) } else { add_assoc_string(*(parser->ctag),"value",decoded_value,0); } - + } else { zval *tag; zval **curtag, **mytype, **myval; @@ -984,7 +984,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) } } - if (parser->level <= XML_MAXLEVEL) { + if (parser->level <= XML_MAXLEVEL && parser->level > 0) { MAKE_STD_ZVAL(tag); array_init(tag); @@ -1046,8 +1046,8 @@ void _xml_defaultHandler(void *userData, const XML_Char *s, int len) /* }}} */ /* {{{ _xml_unparsedEntityDeclHandler() */ -void _xml_unparsedEntityDeclHandler(void *userData, - const XML_Char *entityName, +void _xml_unparsedEntityDeclHandler(void *userData, + const XML_Char *entityName, const XML_Char *base, const XML_Char *systemId, const XML_Char *publicId, 
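Review bot: The new condition `if (parser->level <= XML_MAXLEVEL && parser->level > 0)` in _xml_characterDataHandler silently drops character data seen at level 0 and gives no hint why; a comment such as `/* level 0 means no element is open, so there is no tag entry to attach this text to */` would make the fix self-explaining. Whether the block below indexes by `parser->level - 1` is not visible from this hunk, so word the comment to match what the code actually touches. The startElementHandler hunk above keeps the bare `if (parser->level <= XML_MAXLEVEL)` form, which is fine if that path can only run inside an element, but a short note there saying so would make the asymmetry look deliberate rather than forgotten. _xml_characterDataHandler begins before this hunk.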
@@ -1172,9 +1172,9 @@ static void php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAMETERS, int ns_supp char *ns_param = NULL; int ns_param_len = 0; - + XML_Char *encoding; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, (ns_support ? "|ss": "|s"), &encoding_param, &encoding_param_len, &ns_param, &ns_param_len) == FAILURE) { RETURN_FALSE; } @@ -1220,15 +1220,15 @@ static void php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAMETERS, int ns_supp } /* }}} */ -/* {{{ proto resource xml_parser_create([string encoding]) +/* {{{ proto resource xml_parser_create([string encoding]) Create an XML parser */ PHP_FUNCTION(xml_parser_create) { - php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0); + php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0); } /* }}} */ -/* {{{ proto resource xml_parser_create_ns([string encoding [, string sep]]) +/* {{{ proto resource xml_parser_create_ns([string encoding [, string sep]]) Create an XML parser */ PHP_FUNCTION(xml_parser_create_ns) { @@ -1236,7 +1236,7 @@ PHP_FUNCTION(xml_parser_create_ns) } /* }}} */ -/* {{{ proto int xml_set_object(resource parser, object &obj) +/* {{{ proto int xml_set_object(resource parser, object &obj) Set up object which should be used for callbacks */ PHP_FUNCTION(xml_set_object) { @@ -1256,7 +1256,7 @@ PHP_FUNCTION(xml_set_object) /* please leave this commented - or ask thies@thieso.net before doing it (again) */ /* #ifdef ZEND_ENGINE_2 - zval_add_ref(&parser->object); + zval_add_ref(&parser->object); #endif */ ALLOC_ZVAL(parser->object); @@ -1266,7 +1266,7 @@ PHP_FUNCTION(xml_set_object) } /* }}} */ -/* {{{ proto int xml_set_element_handler(resource parser, string shdl, string ehdl) +/* {{{ proto int xml_set_element_handler(resource parser, string shdl, string ehdl) Set up start and end element handlers */ PHP_FUNCTION(xml_set_element_handler) { 
@@ -1286,7 +1286,7 @@ PHP_FUNCTION(xml_set_element_handler) } /* }}} */ -/* {{{ proto int xml_set_character_data_handler(resource parser, string hdl) +/* {{{ proto int xml_set_character_data_handler(resource parser, string hdl) Set up character data handler */ PHP_FUNCTION(xml_set_character_data_handler) { @@ -1305,7 +1305,7 @@ PHP_FUNCTION(xml_set_character_data_handler) } /* }}} */ -/* {{{ proto int xml_set_processing_instruction_handler(resource parser, string hdl) +/* {{{ proto int xml_set_processing_instruction_handler(resource parser, string hdl) Set up processing instruction (PI) handler */ PHP_FUNCTION(xml_set_processing_instruction_handler) { @@ -1324,7 +1324,7 @@ PHP_FUNCTION(xml_set_processing_instruction_handler) } /* }}} */ -/* {{{ proto int xml_set_default_handler(resource parser, string hdl) +/* {{{ proto int xml_set_default_handler(resource parser, string hdl) Set up default handler */ PHP_FUNCTION(xml_set_default_handler) { @@ -1342,7 +1342,7 @@ PHP_FUNCTION(xml_set_default_handler) } /* }}} */ -/* {{{ proto int xml_set_unparsed_entity_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_unparsed_entity_decl_handler(resource parser, string hdl) Set up unparsed entity declaration handler */ PHP_FUNCTION(xml_set_unparsed_entity_decl_handler) { @@ -1361,7 +1361,7 @@ PHP_FUNCTION(xml_set_unparsed_entity_decl_handler) } /* }}} */ -/* {{{ proto int xml_set_notation_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_notation_decl_handler(resource parser, string hdl) Set up notation declaration handler */ PHP_FUNCTION(xml_set_notation_decl_handler) { @@ -1379,7 +1379,7 @@ PHP_FUNCTION(xml_set_notation_decl_handler) } /* }}} */ -/* {{{ proto int xml_set_external_entity_ref_handler(resource parser, string hdl) +/* {{{ proto int xml_set_external_entity_ref_handler(resource parser, string hdl) Set up external entity reference handler */ PHP_FUNCTION(xml_set_external_entity_ref_handler) { 
@@ -1397,7 +1397,7 @@ PHP_FUNCTION(xml_set_external_entity_ref_handler) } /* }}} */ -/* {{{ proto int xml_set_start_namespace_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_start_namespace_decl_handler(resource parser, string hdl) Set up character data handler */ PHP_FUNCTION(xml_set_start_namespace_decl_handler) { @@ -1416,7 +1416,7 @@ PHP_FUNCTION(xml_set_start_namespace_decl_handler) } /* }}} */ -/* {{{ proto int xml_set_end_namespace_decl_handler(resource parser, string hdl) +/* {{{ proto int xml_set_end_namespace_decl_handler(resource parser, string hdl) Set up character data handler */ PHP_FUNCTION(xml_set_end_namespace_decl_handler) { @@ -1435,7 +1435,7 @@ PHP_FUNCTION(xml_set_end_namespace_decl_handler) } /* }}} */ -/* {{{ proto int xml_parse(resource parser, string data [, int isFinal]) +/* {{{ proto int xml_parse(resource parser, string data [, int isFinal]) Start parsing an XML document */ PHP_FUNCTION(xml_parse) { @@ -1471,8 +1471,8 @@ PHP_FUNCTION(xml_parse_into_struct) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rsZ|Z", &pind, &data, &data_len, &xdata, &info) == FAILURE) { return; } - - if (info) { + + if (info) { zval_dtor(*info); array_init(*info); } @@ -1483,11 +1483,11 @@ PHP_FUNCTION(xml_parse_into_struct) array_init(*xdata); parser->data = *xdata; - + if (info) { parser->info = *info; } - + parser->level = 0; parser->ltags = safe_emalloc(XML_MAXLEVEL, sizeof(char *), 0); @@ -1503,7 +1503,7 @@ PHP_FUNCTION(xml_parse_into_struct) } /* }}} */ -/* {{{ proto int xml_get_error_code(resource parser) +/* {{{ proto int xml_get_error_code(resource parser) Get XML parser error code */ PHP_FUNCTION(xml_get_error_code) { @@ -1537,7 +1537,7 @@ PHP_FUNCTION(xml_error_string) } /* }}} */ -/* {{{ proto int xml_get_current_line_number(resource parser) +/* {{{ proto int xml_get_current_line_number(resource parser) Get current line number for an XML parser */ PHP_FUNCTION(xml_get_current_line_number) { 
@@ -1569,7 +1569,7 @@ PHP_FUNCTION(xml_get_current_column_number) } /* }}} */ -/* {{{ proto int xml_get_current_byte_index(resource parser) +/* {{{ proto int xml_get_current_byte_index(resource parser) Get current byte index for an XML parser */ PHP_FUNCTION(xml_get_current_byte_index) { @@ -1585,7 +1585,7 @@ PHP_FUNCTION(xml_get_current_byte_index) } /* }}} */ -/* {{{ proto int xml_parser_free(resource parser) +/* {{{ proto int xml_parser_free(resource parser) Free an XML parser */ PHP_FUNCTION(xml_parser_free) { @@ -1611,7 +1611,7 @@ PHP_FUNCTION(xml_parser_free) } /* }}} */ -/* {{{ proto int xml_parser_set_option(resource parser, int option, mixed value) +/* {{{ proto int xml_parser_set_option(resource parser, int option, mixed value) Set options in an XML parser */ PHP_FUNCTION(xml_parser_set_option) { @@ -1657,7 +1657,7 @@ PHP_FUNCTION(xml_parser_set_option) } /* }}} */ -/* {{{ proto int xml_parser_get_option(resource parser, int option) +/* {{{ proto int xml_parser_get_option(resource parser, int option) Get options from an XML parser */ PHP_FUNCTION(xml_parser_get_option) { @@ -1687,7 +1687,7 @@ PHP_FUNCTION(xml_parser_get_option) } /* }}} */ -/* {{{ proto string utf8_encode(string data) +/* {{{ proto string utf8_encode(string data) Encodes an ISO-8859-1 string to UTF-8 */ PHP_FUNCTION(utf8_encode) { @@ -1707,7 +1707,7 @@ PHP_FUNCTION(utf8_encode) } /* }}} */ -/* {{{ proto string utf8_decode(string data) +/* {{{ proto string utf8_decode(string data) Converts a UTF-8 encoded string to ISO-8859-1 */ PHP_FUNCTION(utf8_decode) { |