Commit message | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | set versions for release (php-7.1.29, PHP-7.1.29) | Joe Watkins | 2019-05-01 | 3 | -4/+4 |
| | |||||
* | Fix bug #77950 - Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG | Stanislav Malyshev | 2019-04-30 | 4 | -3/+22 |
| | | | | | | I do not completely understand what is going on there, but I am pretty sure dir_entry <= offset_base is not a normal situation, so we had better not rely on such dir_entry. | ||||
* | Fix #77821: Potential heap corruption in TSendMail() | Christoph M. Becker | 2019-04-29 | 1 | -6/+7 |
| | | | | | | | | `zend_string_tolower()` returns a copy (not a duplicate) of the given string, if it is already in lower case. In this case we must not `zend_string_free()` both strings. The cleanest solution is to call `zend_string_release()` on both strings, which properly handles the refcount. | ||||
* | Always use ZEND_SECURE_ZERO() when cleaning up data | Stanislav Malyshev | 2019-04-06 | 5 | -5/+7 |
| | | | | | | Optimizing compilers have an annoying tendency to throw out memsets over data that they think aren't used anymore. Apply secure zero-out in cases where this has potential to happen. | ||||
* | bump versions after release | Joe Watkins | 2019-04-02 | 3 | -5/+9 |
| | |||||
* | fix paste issue | Remi Collet | 2019-04-02 | 1 | -1/+1 |
| | |||||
* | Pointer arithmetic on void pointers is illegal | Christoph M. Becker | 2019-04-02 | 1 | -2/+2 |
| | | | | | We quick-fix this by casting to char*; it might be more appropriate to use char pointers in the first place. | ||||
* | Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value in EXIF | Stanislav Malyshev | 2019-04-02 | 4 | -15/+42 |
| | |||||
* | Update NEWS | Stanislav Malyshev | 2019-03-31 | 1 | -0/+3 |
| | |||||
* | Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s | Stanislav Malyshev | 2019-03-31 | 3 | -0/+20 |
| | |||||
* | Validate subject encoding in mb_split and mb_ereg_match | Nikita Popov | 2019-03-27 | 2 | -5/+12 |
| | | | | | We were already validating the subject encoding in most functions, but not these two. | ||||
* | Validate pattern against mbregex encoding | Nikita Popov | 2019-03-27 | 6 | -15/+31 |
| | | | | | | Oniguruma does not consistently perform this validation itself (at least on older versions), so make sure we check pattern encoding validity on the PHP side. | ||||
* | SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a mitigation strategy against potential security flaws | bohwaz | 2019-03-11 | 6 | -1/+74 |
| | |||||
* | Sync with behavior change in OpenSSL 1.1.1b | Anatol Belski | 2019-03-08 | 1 | -1/+1 |
| | | | | | | | | | A behavior change is revealed by some openssl_decrypt() based test, where an encrypt API is used with a decrypt context. The EVP_Cipher* functions will automatically choose the right operation depending on the context passed. (cherry picked from commit 19a44ffb7be91344550fa700830b8e62a73031ba) | ||||
* | fix news | Joe Watkins | 2019-03-05 | 1 | -2/+2 |
| | |||||
* | bump versions after release | Joe Watkins | 2019-03-05 | 3 | -5/+9 |
| | |||||
* | Fix bug #77630 - safer rename() procedure | Stanislav Malyshev | 2019-03-04 | 1 | -17/+34 |
| | | | | | | | In order to rename safer, we do the following: - set umask to 077 (unfortunately, not TS, so excluding ZTS) - chown() first, to set proper group before allowing group access - chmod() after, even if chown() fails | ||||
* | Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow | Stanislav Malyshev | 2019-03-03 | 5 | -8/+37 |
| | |||||
* | Update NEWS | Stanislav Malyshev | 2019-03-03 | 1 | -0/+16 |
| | |||||
* | Fix test error message | Stanislav Malyshev | 2019-03-03 | 1 | -1/+1 |
| | |||||
* | Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE | Stanislav Malyshev | 2019-03-03 | 3 | -1/+18 |
| | | | | Also fix for bug #77659 | ||||
* | Fix bug #77540 - Invalid Read on exif_process_SOFn | Stanislav Malyshev | 2019-03-03 | 3 | -2/+24 |
| | |||||
* | Fix integer overflows on 32-bits | Stanislav Malyshev | 2019-03-03 | 1 | -7/+7 |
| | |||||
* | Fix #77431 SplFileInfo::__construct() accepts NUL bytes | Christoph M. Becker | 2019-03-03 | 2 | -1/+10 |
| | | | | | `SplFileInfo::__construct()` has to expect a path instead of a string, analogous to `SplFileObject::__construct()`. | ||||
* | Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename | Stanislav Malyshev | 2019-03-03 | 2 | -0/+18 |
| | |||||
* | Use pkg-config for ICU, as the old icu-config has been deprecated | Derick Rethans | 2019-02-07 | 1 | -32/+66 |
| | |||||
* | Bump for 7.1.27 | Sara Golemon | 2019-01-08 | 3 | -5/+8 |
| | |||||
* | Still leaking for some reason, XFAIL for now, I'll look into it later. | Stanislav Malyshev | 2019-01-07 | 1 | -0/+2 |
| | |||||
* | Merge branch 'PHP-5.6' into PHP-7.1 | Stanislav Malyshev | 2019-01-06 | 6 | -2/+22 |
|\ | * PHP-5.6: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code; [ci skip] Add NEWS; Fix more issues with encoding length; Fix #77270: imagecolormatch Out Of Bounds Write on Heap; Fix bug #77380 (Global out of bounds read in xmlrpc base64 code); Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node); Fix bug #77370 - check that we do not read past buffer end when parsing multibytes; Fix #77269: Potential unsigned underflow in gdImageScale; Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext); Fix bug #77242 (heap out of bounds read in xmlrpc_decode()); Regenerate certs for openssl tests | ||||
| * | Fix bug #77418 - Heap overflow in utf32be_mbc_to_code | Stanislav Malyshev | 2019-01-06 | 6 | -5/+25 |
| | | |||||
| * | [ci skip] Add NEWS | Stanislav Malyshev | 2019-01-06 | 1 | -0/+22 |
| | | |||||
| * | Fix more issues with encoding length | Stanislav Malyshev | 2019-01-06 | 6 | -14/+38 |
| | | | | | | | | Should fix bug #77381, bug #77382, bug #77385, bug #77394. | ||||
| * | Fix #77270: imagecolormatch Out Of Bounds Write on Heap | Christoph M. Becker | 2019-01-06 | 2 | -2/+20 |
| | | | | | | | | | | | | | | At least some of the image reading functions may return images which use color indexes greater than or equal to im->colorsTotal. We cater to this by always using a buffer size which is sufficient for `gdMaxColors` in `gdImageColorMatch()`. | ||||
| * | Fix bug #77380 (Global out of bounds read in xmlrpc base64 code) | Stanislav Malyshev | 2019-01-06 | 2 | -2/+19 |
| | | |||||
| * | Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) | Stanislav Malyshev | 2019-01-06 | 2 | -0/+11 |
| | | |||||
| * | Fix bug #77370 - check that we do not read past buffer end when parsing multibytes | Stanislav Malyshev | 2019-01-06 | 2 | -0/+22 |
| | | |||||
| * | Fix #77269: Potential unsigned underflow in gdImageScale | Christoph M. Becker | 2019-01-06 | 2 | -9/+30 |
| | | | | | | | | | | | | Belatedly, we're porting the respective upstream patch[1]. [1] <https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35> | ||||
| * | Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) | Stanislav Malyshev | 2019-01-06 | 2 | -1/+15 |
| | | |||||
| * | Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) | Stanislav Malyshev | 2019-01-06 | 2 | -0/+13 |
| | | |||||
| * | Regenerate certs for openssl tests | Alexander Kurilo | 2019-01-02 | 5 | -44/+91 |
| | | |||||
* | | Add NEWS | Stanislav Malyshev | 2019-01-06 | 1 | -0/+25 |
| | | |||||
* | | Fix test | Stanislav Malyshev | 2019-01-06 | 1 | -0/+2 |
| | | |||||
* | | Fix #77369 - memcpy with negative length via crafted DNS response | Stanislav Malyshev | 2019-01-06 | 1 | -0/+7 |
| | | |||||
* | | Fix more issues with encoding length | Stanislav Malyshev | 2019-01-06 | 6 | -14/+38 |
| | | | | | | | | Should fix bug #77381, bug #77382, bug #77385, bug #77394. | ||||
* | | Fix #77270: imagecolormatch Out Of Bounds Write on Heap | Christoph M. Becker | 2019-01-06 | 2 | -2/+20 |
| | | | | | | | | | | | | | | At least some of the image reading functions may return images which use color indexes greater than or equal to im->colorsTotal. We cater to this by always using a buffer size which is sufficient for `gdMaxColors` in `gdImageColorMatch()`. | ||||
* | | Fix bug #77380 (Global out of bounds read in xmlrpc base64 code) | Stanislav Malyshev | 2019-01-06 | 2 | -2/+19 |
| | | |||||
* | | Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) | Stanislav Malyshev | 2019-01-06 | 2 | -0/+11 |
| | | |||||
* | | Fix bug #77370 - check that we do not read past buffer end when parsing multibytes | Stanislav Malyshev | 2019-01-06 | 2 | -0/+22 |
| | | |||||
* | | Fix #77269: Potential unsigned underflow in gdImageScale | Christoph M. Becker | 2019-01-06 | 2 | -9/+30 |
| | | | | | | | | | | | | Belatedly, we're porting the respective upstream patch[1]. [1] <https://github.com/libgd/libgd/commit/60bfb401ad5a4a8ae995dcd36372fe15c71e1a35> | ||||
* | | Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) | Stanislav Malyshev | 2019-01-06 | 2 | -1/+15 |
| | |