diff options
| -rw-r--r-- | ext/gd/libgd/gd_interpolation.c | 2 | ||||
| -rw-r--r-- | ext/gd/tests/bug70976.phpt | 13 | ||||
| -rw-r--r-- | ext/wddx/tests/bug70661.phpt | 69 | ||||
| -rw-r--r-- | ext/wddx/tests/bug70741.phpt | 26 | ||||
| -rw-r--r-- | ext/wddx/wddx.c | 6 | ||||
| -rw-r--r-- | ext/xmlrpc/tests/bug70728.phpt | 30 | ||||
| -rw-r--r-- | ext/xmlrpc/xmlrpc-epi-php.c | 12 | ||||
| -rw-r--r-- | sapi/fpm/fpm/fpm_log.c | 5 |
8 files changed, 159 insertions, 4 deletions
diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index f70169dddc..a946e04b4d 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in { const int angle_rounded = (int)floor(angle * 100); - if (bgcolor < 0) { + if (bgcolor < 0 || (!src->trueColor && bgcolor >= gdMaxColors)) { return NULL; } diff --git a/ext/gd/tests/bug70976.phpt b/ext/gd/tests/bug70976.phpt new file mode 100644 index 0000000000..23af4eedc7 --- /dev/null +++ b/ext/gd/tests/bug70976.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds) +--SKIPIF-- +<?php + if(!extension_loaded('gd')){ die('skip gd extension not available'); } +?> +--FILE-- +<?php +$img = imagerotate(imagecreate(1,1),45,0x7ffffff9); +var_dump($img); +?> +--EXPECTF-- +bool(false)
\ No newline at end of file diff --git a/ext/wddx/tests/bug70661.phpt b/ext/wddx/tests/bug70661.phpt new file mode 100644 index 0000000000..e068c20a7a --- /dev/null +++ b/ext/wddx/tests/bug70661.phpt @@ -0,0 +1,69 @@ +--TEST-- +Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization) +--SKIPIF-- +<?php +if (!extension_loaded("wddx")) print "skip"; +?> +--FILE-- +<?php +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$x = <<<EOT +<?xml version='1.0'?> +<wddxPacket version='1.0'> +<header/> + <data> + <struct> + <recordset rowCount='1' fieldNames='ryat'> + <field name='ryat'> + <var name='php_class_name'> + <string>stdClass</string> + </var> + <null/> + </field> + </recordset> + </struct> + </data> +</wddxPacket> +EOT; + +$y = wddx_deserialize($x); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($y); + +function ptr2str($ptr) +{ + $out = ''; + + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + + return $out; +} +?> +DONE +--EXPECTF-- +array(1) { + [0]=> + array(1) { + ["ryat"]=> + array(2) { + ["php_class_name"]=> + string(8) "stdClass" + [0]=> + NULL + } + } +} +DONE
\ No newline at end of file diff --git a/ext/wddx/tests/bug70741.phpt b/ext/wddx/tests/bug70741.phpt new file mode 100644 index 0000000000..9c7e09b48b --- /dev/null +++ b/ext/wddx/tests/bug70741.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability) +--SKIPIF-- +<?php +if (!extension_loaded("wddx")) print "skip"; +?> +--FILE-- +<?php +ini_set('session.serialize_handler', 'wddx'); +session_start(); + +$hashtable = str_repeat('A', 66); +$wddx = "<?xml version='1.0'?> +<wddxPacket version='1.0'> +<header/> + <data> + <string>$hashtable</string> + </data> +</wddxPacket>"; +session_decode($wddx); +?> +DONE +--EXPECTF-- + +Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d +DONE
\ No newline at end of file diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c index 6632890084..c0971f8974 100644 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@ -298,6 +298,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx) ZVAL_UNDEF(&retval); if ((ret = php_wddx_deserialize_ex(val, vallen, &retval)) == SUCCESS) { + if (Z_TYPE(retval) != IS_ARRAY) { + zval_dtor(&retval); + return FAILURE; + } ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL(retval), idx, key, ent) { if (key == NULL) { key = zend_long_to_str(idx); @@ -908,7 +912,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) if (ent1->varname) { if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) && - Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data)) { + Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data) && ent2->type == ST_STRUCT) { zend_bool incomplete_class = 0; zend_str_tolower(Z_STRVAL(ent1->data), Z_STRLEN(ent1->data)); diff --git a/ext/xmlrpc/tests/bug70728.phpt b/ext/xmlrpc/tests/bug70728.phpt new file mode 100644 index 0000000000..5510c33936 --- /dev/null +++ b/ext/xmlrpc/tests/bug70728.phpt @@ -0,0 +1,30 @@ +--TEST-- +Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker) +--SKIPIF-- +<?php +if (!extension_loaded("xmlrpc")) print "skip"; +?> +--FILE-- +<?php +$obj = new stdClass; +$obj->xmlrpc_type = 'base64'; +$obj->scalar = 0x1122334455; +var_dump(xmlrpc_encode($obj)); +var_dump($obj); +?> +--EXPECTF-- +string(135) "<?xml version="1.0" encoding="utf-8"?> +<params> +<param> + <value> + <base64>NzM1ODgyMjkyMDU= </base64> + </value> +</param> +</params> +" +object(stdClass)#1 (2) { + ["xmlrpc_type"]=> + string(6) "base64" + ["scalar"]=> + int(73588229205) +} diff --git a/ext/xmlrpc/xmlrpc-epi-php.c b/ext/xmlrpc/xmlrpc-epi-php.c index f54a568202..dd39047bf0 100644 --- a/ext/xmlrpc/xmlrpc-epi-php.c +++ b/ext/xmlrpc/xmlrpc-epi-php.c @@ -514,7 +514,15 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep xReturn = XMLRPC_CreateValueEmpty(); XMLRPC_SetValueID(xReturn, key, 0); } else { - xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val)); + if (Z_TYPE(val) != IS_STRING) { + zval newvalue; + ZVAL_DUP(&newvalue, &val); + convert_to_string(&newvalue); + xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(newvalue), Z_STRLEN(newvalue)); + zval_dtor(&newvalue); + } else { + xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val)); + } } break; case xmlrpc_datetime: @@ -1357,7 +1365,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval* newvalue) /* {{{ */ if (newvalue) { zval* val; - if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) { + if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) { if ((val = zend_hash_str_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR) - 1)) != NULL) { ZVAL_COPY_VALUE(newvalue, val); } diff --git a/sapi/fpm/fpm/fpm_log.c b/sapi/fpm/fpm/fpm_log.c index 86332c4c80..5aad9a08c9 100644 --- a/sapi/fpm/fpm/fpm_log.c +++ b/sapi/fpm/fpm/fpm_log.c @@ -448,6 +448,11 @@ int fpm_log_write(char *log_format) /* {{{ */ b += len2; len += len2; } + if (len >= FPM_LOG_BUFFER) { + zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER); + len = FPM_LOG_BUFFER; + break; + } continue; } |