-rw-r--r-- | Zend/tests/bug73067.phpt | 21 | ||||
-rw-r--r-- | Zend/zend_object_handlers.c | 1 | ||||
-rw-r--r-- | ext/date/php_date.c | 4 | ||||
-rw-r--r-- | ext/date/tests/bug73091.phpt | 46 | ||||
-rw-r--r-- | ext/dom/document.c | 4 | ||||
-rw-r--r-- | ext/intl/locale/locale_methods.c | 8 | ||||
-rw-r--r-- | ext/intl/resourcebundle/resourcebundle_class.c | 12 | ||||
-rw-r--r-- | ext/intl/tests/bug72241.phpt | 4 | ||||
-rw-r--r-- | ext/openssl/openssl.c | 12 | ||||
-rw-r--r-- | ext/simplexml/simplexml.c | 19 | ||||
-rw-r--r-- | ext/spl/spl_observer.c | 14 | ||||
-rw-r--r-- | ext/standard/math.c | 12 |
12 files changed, 109 insertions, 48 deletions
diff --git a/Zend/tests/bug73067.phpt b/Zend/tests/bug73067.phpt deleted file mode 100644 index f5d34a8d87..0000000000 --- a/Zend/tests/bug73067.phpt +++ /dev/null @@ -1,21 +0,0 @@ ---TEST-- -Bug #73067 (__debugInfo crashes when throwing an exception) ---FILE-- -<?php - -class Debug -{ - public function __debugInfo() - { - throw new Exception("Test Crash"); - } -} - -try { - var_dump(new Debug()); -} catch (Exception $e) { - echo $e->getMessage(); -} -?> ---EXPECTF-- -Fatal error: __debuginfo() must return an array in %sbug73067.php on line %d diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index d57bee862a..434102035c 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -182,7 +182,6 @@ ZEND_API HashTable *zend_std_get_debug_info(zval *object, int *is_temp) /* {{{ * return ht; } - zend_clear_exception(); zend_error_noreturn(E_ERROR, ZEND_DEBUGINFO_FUNC_NAME "() must return an array"); return NULL; /* Compilers are dumb and don't understand that noreturn means that the function does NOT need a return value... */ diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 7371590469..aed0dc94b2 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -4159,7 +4159,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter #define PHP_DATE_INTERVAL_READ_PROPERTY(element, member, itype, def) \ do { \ zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \ - if (z_arg) { \ + if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \ (*intobj)->diff->member = (itype)zval_get_long(z_arg); \ } else { \ (*intobj)->diff->member = (itype)def; \ 
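Review bot: The new guard `Z_TYPE_P(z_arg) <= IS_STRING` in PHP_DATE_INTERVAL_READ_PROPERTY relies on the numeric ordering of the IS_* type tags, which nothing at the use site states; a comment would keep a later reshuffle of the tag values from silently breaking it, e.g. `/* scalars only (IS_NULL..IS_STRING): arrays/objects/references fall back to def so unserialize never triggers __toString */`. If IS_REFERENCE sorts above IS_STRING, a reference to a scalar is rejected by this test as well and takes `def`; should scalar-valued references remain accepted, `ZVAL_DEREF(z_arg);` before the comparison would do that without reopening the __toString path. The same comment applies to the PHP_DATE_INTERVAL_READ_PROPERTY_I64 macro in the following hunk.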
@@ -4169,7 +4169,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter #define PHP_DATE_INTERVAL_READ_PROPERTY_I64(element, member) \ do { \ zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \ - if (z_arg) { \ + if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \ zend_string *str = zval_get_string(z_arg); \ DATE_A64I((*intobj)->diff->member, ZSTR_VAL(str)); \ zend_string_release(str); \ diff --git a/ext/date/tests/bug73091.phpt b/ext/date/tests/bug73091.phpt new file mode 100644 index 0000000000..668ef505d8 --- /dev/null +++ b/ext/date/tests/bug73091.phpt @@ -0,0 +1,46 @@ +--TEST-- +Bug #73091 (Unserializing DateInterval object may lead to __toString invocation) +--FILE-- +<?php +class foo { + function __toString() { + var_dump(0); + return 'may be a bug'; + } +} + +var_dump(unserialize('O:12:"DateInterval":1:{s:4:"days";O:3:"foo":0:{}}')); +?> +--EXPECTF-- +object(DateInterval)#%d (15) { + ["days"]=> + int(-1) + ["y"]=> + int(-1) + ["m"]=> + int(-1) + ["d"]=> + int(-1) + ["h"]=> + int(-1) + ["i"]=> + int(-1) + ["s"]=> + int(-1) + ["weekday"]=> + int(-1) + ["weekday_behavior"]=> + int(-1) + ["first_last_day_of"]=> + int(-1) + ["invert"]=> + int(0) + ["special_type"]=> + int(0) + ["special_amount"]=> + int(-1) + ["have_weekday_relative"]=> + int(0) + ["have_special_relative"]=> + int(0) +} diff --git a/ext/dom/document.c b/ext/dom/document.c index 70289cf54a..a5e119f786 100644 --- a/ext/dom/document.c +++ b/ext/dom/document.c @@ -1663,7 +1663,7 @@ PHP_FUNCTION(dom_document_savexml) if (options & LIBXML_SAVE_NOEMPTYTAG) { xmlSaveNoEmptyTags = saveempty; } - if (!size) { + if (!size || !mem) { RETURN_FALSE; } RETVAL_STRINGL((char *) mem, size); @@ -2215,7 +2215,7 @@ PHP_FUNCTION(dom_document_save_html) #else htmlDocDumpMemory(docp, &mem, &size); #endif - if (!size) { + if (!size || !mem) { RETVAL_FALSE; } else { RETVAL_STRINGL((const char*) mem, size); 
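Review bot: In dom_document_savexml the `if (!size || !mem) { RETURN_FALSE; }` path still returns before the buffer is released, which presumably happens in an `xmlFree(mem)` after the RETVAL_STRINGL outside the hunk; a zero-length dump that still comes with a non-NULL buffer would leak it, and whether libxml can hand back that combination is not visible here. Since `xmlFree(NULL)` is a no-op, releasing first is safe in every case: `if (!size || !mem) { xmlFree(mem); RETURN_FALSE; }`. The save_html hunk below uses RETVAL_FALSE and falls through, so it is unaffected as long as its release sits after the if/else. The enclosing function begins outside the hunk.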
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index 8cf5babc95..b75183da94 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@ -406,6 +406,8 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS) if(loc_name_len == 0) { loc_name = intl_locale_get_default(); } + + INTL_CHECK_LOCALE_LEN(loc_name_len); /* Call ICU get */ tag_value = get_icu_value_internal( loc_name , tag_name , &result ,0); @@ -1165,6 +1167,7 @@ PHP_FUNCTION(locale_get_all_variants) loc_name = intl_locale_get_default(); } + INTL_CHECK_LOCALE_LEN(loc_name_len); array_init( return_value ); @@ -1273,6 +1276,9 @@ PHP_FUNCTION(locale_filter_matches) RETURN_TRUE; } + INTL_CHECK_LOCALE_LEN(loc_range_len); + INTL_CHECK_LOCALE_LEN(lang_tag_len); + if( boolCanonical ){ /* canonicalize loc_range */ can_loc_range=get_icu_value_internal( loc_range , LOC_CANONICALIZE_TAG , &result , 0); @@ -1554,6 +1560,8 @@ PHP_FUNCTION(locale_lookup) hash_arr = Z_ARRVAL_P(arr); + INTL_CHECK_LOCALE_LEN(loc_range_len); + if( !hash_arr || zend_hash_num_elements( hash_arr ) == 0 ) { RETURN_EMPTY_STRING(); } diff --git a/ext/intl/resourcebundle/resourcebundle_class.c b/ext/intl/resourcebundle/resourcebundle_class.c index fd255d57cd..47d9bf0403 100644 --- a/ext/intl/resourcebundle/resourcebundle_class.c +++ b/ext/intl/resourcebundle/resourcebundle_class.c @@ -101,6 +101,13 @@ static int resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_constr locale = intl_locale_get_default(); } + if (bundlename_len >= MAXPATHLEN) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "Bundle name too long", 0 ); + zval_dtor(return_value); + ZVAL_NULL(return_value); + return FAILURE; + } + if (fallback) { rb->me = ures_open(bundlename, locale, &INTL_DATA_ERROR_CODE(rb)); } else { 
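Review bot: The error text `"Bundle name too long"` in resourcebundle_ctor lacks the function prefix that the sibling check in resourcebundle_locales uses (`"resourcebundle_locales: bundle name too long"`); `"resourcebundle_ctor: bundle name too long"` would keep the two consistent and let a user tell them apart. The reason for bounding the name by MAXPATHLEN is also unstated; if it is that ICU resolves the bundle name as a filesystem path, say so once above the check, e.g. `/* ICU resolves the bundle name as a path; bound it like one */`. The locale_methods.c hunks above express the same kind of limit through INTL_CHECK_LOCALE_LEN, so a shared helper for the two resourcebundle sites would avoid a third spelling. resourcebundle_ctor starts outside the hunk.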
@@ -331,6 +338,11 @@ PHP_FUNCTION( resourcebundle_locales ) RETURN_FALSE; } + if (bundlename_len >= MAXPATHLEN) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "resourcebundle_locales: bundle name too long", 0 ); + RETURN_FALSE; + } + if(bundlename_len == 0) { // fetch default locales list bundlename = NULL; diff --git a/ext/intl/tests/bug72241.phpt b/ext/intl/tests/bug72241.phpt index 397e1e7834..7ac5a5b503 100644 --- a/ext/intl/tests/bug72241.phpt +++ b/ext/intl/tests/bug72241.phpt 
@@ -9,6 +9,4 @@ $out = locale_get_primary_language($var1); echo strlen($out) . PHP_EOL; echo unpack('H*', $out)[1] . PHP_EOL; --EXPECT-- -1000 -61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161
616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 - +0 diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index d441297350..dc16499950 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -6457,15 +6457,18 @@ PHP_FUNCTION(openssl_random_pseudo_bytes) return; } - if (buffer_length <= 0) { - RETURN_FALSE; - } - if (zstrong_result_returned) { zval_dtor(zstrong_result_returned); ZVAL_FALSE(zstrong_result_returned); } + if (buffer_length <= 0 +#ifndef PHP_WIN32 + || ZEND_LONG_INT_OVFL(buffer_length) +#endif + ) { + RETURN_FALSE; + } buffer = zend_string_alloc(buffer_length, 0); #ifdef PHP_WIN32 @@ -6481,6 +6484,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes) PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length); PHP_OPENSSL_RAND_ADD_TIME(); + /* FIXME loop if requested size > INT_MAX */ if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) { zend_string_release(buffer); if (zstrong_result_returned) { diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index fdd09881eb..d1c78434e6 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c @@ -1462,9 +1462,15 @@ SXE_METHOD(asXML) if (node) { if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) { xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding); - RETVAL_STRINGL((char *)strval, strval_len); + if (!strval) { + RETVAL_FALSE; + } else { + RETVAL_STRINGL((char *)strval, strval_len); + } xmlFree(strval); } else { + char *return_content; + size_t return_len; /* Should we be passing encoding information instead of NULL? */ outbuf = xmlAllocOutputBuffer(NULL); 
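Review bot: The added `/* FIXME loop if requested size > INT_MAX */` describes a case the new guard above it already rejects on non-Windows builds (`ZEND_LONG_INT_OVFL(buffer_length)` returns false before any allocation), so the comment now points at unreachable territory, and the `PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length)` just before it re-checks the same bound. State the invariant instead: `/* buffer_length is bounded to INT_MAX by the check above, so the (int) cast cannot truncate */`. Whether the `#ifndef PHP_WIN32` exclusion is warranted depends on how the Windows branch between the two consumes buffer_length, which the hunk does not show; if it also narrows to int, the guard should apply on both platforms.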
@@ -1475,10 +1481,17 @@ SXE_METHOD(asXML) xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding); xmlOutputBufferFlush(outbuf); #ifdef LIBXML2_NEW_BUFFER - RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf)); + return_content = (char *)xmlOutputBufferGetContent(outbuf); + return_len = xmlOutputBufferGetSize(outbuf); #else - RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use); + return_content = (char *)outbuf->buffer->content; + return_len = outbuf->buffer->use; #endif + if (return_content) { + RETVAL_FALSE; + } else { + RETVAL_STRINGL(return_content, return_len); + } xmlOutputBufferClose(outbuf); } } else { diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index 4ad0c6d15e..b94ab401cf 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -788,6 +788,9 @@ SPL_METHOD(SplObjectStorage, unserialize) --p; /* for ';' */ count = Z_LVAL_P(pcount); + ZVAL_UNDEF(&entry); + ZVAL_UNDEF(&inf); + while (count-- > 0) { spl_SplObjectStorageElement *pelement; zend_hash_key key; @@ -803,18 +806,17 @@ SPL_METHOD(SplObjectStorage, unserialize) if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) { goto outexcept; } - if (Z_TYPE(entry) != IS_OBJECT) { - zval_ptr_dtor(&entry); - goto outexcept; - } if (*p == ',') { /* new version has inf */ ++p; if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) { zval_ptr_dtor(&entry); goto outexcept; } - } else { - ZVAL_UNDEF(&inf); + } + if (Z_TYPE(entry) != IS_OBJECT) { + zval_ptr_dtor(&entry); + zval_ptr_dtor(&inf); + goto outexcept; } if (spl_object_storage_get_hash(&key, intern, getThis(), &entry) == FAILURE) { diff --git a/ext/standard/math.c b/ext/standard/math.c index 930cd08cb5..753656c56f 100644 --- a/ext/standard/math.c +++ b/ext/standard/math.c 
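Review bot: The new condition in asXML is inverted: `if (return_content) { RETVAL_FALSE; }` returns false exactly when libxml produced output, and falls into `RETVAL_STRINGL(return_content, return_len)` with a NULL pointer when it did not, which would read through NULL. It should read `if (!return_content) {`, matching the `if (!strval)` form the earlier hunk in the same method uses. A test that serialises a non-document child node would have caught this, since that branch now returns bool(false) for every element.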
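Review bot: With `ZVAL_UNDEF(&inf)` hoisted above the loop and the `else { ZVAL_UNDEF(&inf); }` branch removed, an element without a trailing `,` on any iteration after the first leaves `inf` holding whatever the loop tail (outside the hunk) left in it; unless that tail resets it to UNDEF after releasing it, the new `zval_ptr_dtor(&inf)` in the non-object error path releases a stale value. Keeping the per-iteration reset is the cheap guarantee: `} else { ZVAL_UNDEF(&inf); }` right after the `if (*p == ',')` block. The rest of the loop body, including where `inf` is consumed, is outside the hunk.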
@@ -1111,8 +1111,8 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin zend_string *tmpbuf; char *s, *t; /* source, target */ char *dp; - int integral; - int reslen = 0; + size_t integral; + size_t reslen = 0; int count = 0; int is_negative=0; @@ -1139,15 +1139,15 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin /* calculate the length of the return buffer */ if (dp) { - integral = (int)(dp - ZSTR_VAL(tmpbuf)); + integral = (dp - ZSTR_VAL(tmpbuf)); } else { /* no decimal point was found */ - integral = (int)ZSTR_LEN(tmpbuf); + integral = ZSTR_LEN(tmpbuf); } /* allow for thousand separators */ if (thousand_sep) { - integral += (int)(thousand_sep_len * ((integral-1) / 3)); + integral += thousand_sep_len * ((integral-1) / 3); } reslen = integral; @@ -1156,7 +1156,7 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin reslen += dec; if (dec_point) { - reslen += (int)dec_point_len; + reslen += dec_point_len; } } |
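Review bot: Now that `integral` is a size_t, `(integral-1) / 3` wraps to SIZE_MAX/3 when integral is 0, where the old int arithmetic produced 0, and reslen would then be wildly oversized for the buffer sized from it. Whether integral can be 0 depends on tmpbuf, which is formatted outside the hunk and presumably always starts with a digit, but the wrap is silent, so guard it: `if (thousand_sep && integral > 0) {`. `reslen += dec` also folds an int into the size_t total; that is only safe if dec is clamped non-negative earlier in the function, which the hunk does not show.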