diff options
| author | Xinchen Hui <laruence@php.net> | 2015-02-17 21:16:53 +0800 |
|---|---|---|
| committer | Xinchen Hui <laruence@php.net> | 2015-02-17 21:16:53 +0800 |
| commit | ed1967c7062db55eed7713b27812d4af7350dfa7 (patch) | |
| tree | 154b207777578418315134ce3d32415a475b9f07 | |
| parent | e22759b1e550b29117531fdce07df618234e79a0 (diff) | |
| parent | 0a331f49c1c39fc84b972c5f609d56ca21565a69 (diff) | |
| download | php-git-ed1967c7062db55eed7713b27812d4af7350dfa7.tar.gz | |
Merge branch 'PHP-5.6' of https://git.php.net/repository/php-src into PHP-5.6
| -rw-r--r-- | ext/date/php_date.c | 21 | ||||
| -rw-r--r-- | ext/date/tests/bug68942.phpt | 9 | ||||
| -rw-r--r-- | ext/date/tests/bug68942_2.phpt | 9 | ||||
| -rw-r--r-- | ext/enchant/enchant.c | 7 | ||||
| -rw-r--r-- | ext/standard/config.m4 | 16 |
5 files changed, 39 insertions, 23 deletions
diff --git a/ext/date/php_date.c b/ext/date/php_date.c index f8571b91b5..6a9cd47525 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht timelib_tzinfo *tzi; php_timezone_obj *tzobj; - if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { - convert_to_string(*z_date); - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { - convert_to_long(*z_timezone_type); - if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { - convert_to_string(*z_timezone); + if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { + if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { + if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { switch (Z_LVAL_PP(z_timezone_type)) { case TIMELIB_ZONETYPE_OFFSET: @@ -2827,7 +2824,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht case TIMELIB_ZONETYPE_ID: { int ret; - convert_to_string(*z_timezone); tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); @@ -3744,9 +3740,8 @@ static int php_date_timezone_initialize_from_hash(zval **return_value, php_timez zval **z_timezone = NULL; zval **z_timezone_type = NULL; - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { + if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { - convert_to_long(*z_timezone_type); if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) { return SUCCESS; } @@ -3771,7 +3766,9 @@ PHP_METHOD(DateTimeZone, __set_state) php_date_instantiate(date_ce_timezone, return_value TSRMLS_CC); tzobj = (php_timezone_obj *) zend_object_store_get_object(return_value TSRMLS_CC); - php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC); + if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Timezone initialization failed"); + } } /* }}} */ @@ -3787,7 +3784,9 @@ PHP_METHOD(DateTimeZone, __wakeup) myht = Z_OBJPROP_P(object); - php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC); + if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { + php_error_docref(NULL TSRMLS_CC, E_ERROR, "Timezone initialization failed"); + } } /* }}} */ diff --git a/ext/date/tests/bug68942.phpt b/ext/date/tests/bug68942.phpt new file mode 100644 index 0000000000..595cd9fa92 --- /dev/null +++ b/ext/date/tests/bug68942.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). +--FILE-- +<?php +$data = unserialize('a:2:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:4;}'); +var_dump($data); +?> +--EXPECTF-- +Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt new file mode 100644 index 0000000000..5b02567008 --- /dev/null +++ b/ext/date/tests/bug68942_2.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #68942 (Use after free vulnerability in unserialize() with DateTime). +--FILE-- +<?php +$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}'); +var_dump($data); +?> +--EXPECTF-- +Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d diff --git a/ext/enchant/enchant.c b/ext/enchant/enchant.c index 6ec02cdf84..d7c115e366 100644 --- a/ext/enchant/enchant.c +++ b/ext/enchant/enchant.c @@ -550,13 +550,12 @@ PHP_FUNCTION(enchant_broker_request_dict) d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag); if (d) { + pos = pbroker->dictcnt++; if (pbroker->dictcnt) { pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); - pos = pbroker->dictcnt++; } else { pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); pos = 0; - pbroker->dictcnt++; } dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); @@ -607,14 +606,14 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict) d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl); if (d) { + pos = pbroker->dictcnt++; if (pbroker->dictcnt) { - pos = pbroker->dictcnt++; pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); } else { pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); pos = 0; - pbroker->dictcnt++; } + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); dict->id = pos; dict->pbroker = pbroker; diff --git a/ext/standard/config.m4 b/ext/standard/config.m4 index d9e0bb7cc2..d328979c59 100644 --- a/ext/standard/config.m4 +++ b/ext/standard/config.m4 @@ -170,7 +170,7 @@ main() { ac_cv_crypt_blowfish=no ])]) -AC_CACHE_CHECK(for SHA512 crypt, ac_cv_crypt_SHA512,[ +AC_CACHE_CHECK(for SHA512 crypt, ac_cv_crypt_sha512,[ AC_TRY_RUN([ #if HAVE_UNISTD_H #include <unistd.h> @@ -192,14 +192,14 @@ main() { exit(0); #endif }],[ - ac_cv_crypt_SHA512=yes + ac_cv_crypt_sha512=yes ],[ - ac_cv_crypt_SHA512=no + ac_cv_crypt_sha512=no ],[ - ac_cv_crypt_SHA512=no + ac_cv_crypt_sha512=no ])]) -AC_CACHE_CHECK(for SHA256 crypt, ac_cv_crypt_SHA256,[ +AC_CACHE_CHECK(for SHA256 crypt, ac_cv_crypt_sha256,[ AC_TRY_RUN([ #if HAVE_UNISTD_H #include <unistd.h> @@ -222,11 +222,11 @@ main() { exit(0); #endif }],[ - ac_cv_crypt_SHA256=yes + ac_cv_crypt_sha256=yes ],[ - ac_cv_crypt_SHA256=no + ac_cv_crypt_sha256=no ],[ - ac_cv_crypt_SHA256=no + ac_cv_crypt_sha256=no ])]) |