From 0235a8acdc9b99d4d3d4dd107b75d7eb6ca0ef97 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 10 Jun 2014 21:17:37 -0700 Subject: 5.4.30 rc1 --- NEWS | 2 +- configure.in | 2 +- main/php_version.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index e846549103..853732f5dc 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2014, PHP 5.4.30 +12 Jun 2014, PHP 5.4.30 RC1 - Core: . Fixed BC break introduced by patch for bug #67072. (Anatol) diff --git a/configure.in b/configure.in index 855bcbb2c8..98e306dd70 100644 --- a/configure.in +++ b/configure.in @@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=4 PHP_RELEASE_VERSION=30 -PHP_EXTRA_VERSION="-dev" +PHP_EXTRA_VERSION="RC1" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 59eb939959..9cb16ca685 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -4,6 +4,6 @@ #define PHP_MINOR_VERSION 4 #define PHP_RELEASE_VERSION 30 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "5.4.30-dev" +#define PHP_EXTRA_VERSION "RC1" +#define PHP_VERSION "5.4.30RC1" #define PHP_VERSION_ID 50430 -- cgit v1.2.1 From 2b04d689724bdfd5db9351c017566e2f51d61568 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 10 Jun 2014 23:17:30 -0700 Subject: Fix bug #66127 (Segmentation fault with ArrayObject unset) --- NEWS | 1 + ext/spl/spl_array.c | 2 +- ext/spl/tests/bug66127.phpt | 25 +++++++++++++++++++++++++ ext/spl/tests/iterator_035.phpt | 2 ++ 4 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 ext/spl/tests/bug66127.phpt diff --git a/NEWS b/NEWS index 853732f5dc..f0367a8cc9 100644 --- a/NEWS +++ b/NEWS @@ -41,6 +41,7 @@ PHP NEWS . Implemented FR #49898 (Add SoapClient::__getCookies()). (Boro Sitnikovski) - SPL: + . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence) . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam) diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 34f3a3818d..758947a8cc 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -402,7 +402,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval /* When in a write context, * ZE has to be fooled into thinking this is in a reference set * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */ - if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) { + if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) { if (Z_REFCOUNT_PP(ret) > 1) { zval *newval; diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt new file mode 100644 index 0000000000..b5d1dcac4b --- /dev/null +++ b/ext/spl/tests/bug66127.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #66127 (Segmentation fault with ArrayObject unset) +--INI-- +error_reporting = E_ALL & ~E_NOTICE +--FILE-- + +--EXPECT-- +Worked! diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt index 9ce098b69d..fc0271e381 100644 --- a/ext/spl/tests/iterator_035.phpt +++ b/ext/spl/tests/iterator_035.phpt @@ -12,4 +12,6 @@ $a[] = &$tmp; echo "Done\n"; ?> --EXPECTF-- +Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d + Fatal error: Cannot assign by reference to overloaded object in %s on line %d -- cgit v1.2.1 From 21525d041369484d49781b34a8333a78798806e4 Mon Sep 17 00:00:00 2001 From: Sara Golemon Date: Tue, 10 Jun 2014 11:18:02 -0700 Subject: Fix potential segfault in dns_get_record() If the remote sends us a packet with a malformed TXT record, we could end up trying to over-consume the packet and wander off into overruns. --- NEWS | 4 ++++ ext/standard/dns.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/NEWS b/NEWS index f0367a8cc9..a5eaabcd6b 100644 --- a/NEWS +++ b/NEWS @@ -31,6 +31,10 @@ PHP NEWS . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (Francisco Alonso, Jan Kaluza, Remi) +- Network: + . Fixed bug #67432 (Fix potential segfault in dns_get_record()). + (CVE-2014-4049). (Sara) + - OpenSSL: . Fixed bug #65698 (certificates validity parsing does not work past 2050). (Paul Oehler) diff --git a/ext/standard/dns.c b/ext/standard/dns.c index 6a894467ff..214a7dc7e9 100644 --- a/ext/standard/dns.c +++ b/ext/standard/dns.c @@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int while (ll < dlen) { n = cp[ll]; + if ((ll + n) >= dlen) { + // Invalid chunk length, truncate + n = dlen - (ll + 1); + } memcpy(tp + ll , cp + ll + 1, n); add_next_index_stringl(entries, cp + ll + 1, n, 1); ll = ll + n + 1; -- cgit v1.2.1 From 300e0418a4b55cc745c262af8126d3aeb5f189e3 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 21 Jun 2014 18:37:08 -0700 Subject: add CVEs --- NEWS | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index a5eaabcd6b..ce9398e586 100644 --- a/NEWS +++ b/NEWS @@ -21,15 +21,15 @@ PHP NEWS - Fileinfo: . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary - check). + check). (CVE-2014-0207) . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal - string size). (Francisco Alonso, Jan Kaluza, Remi) + string size). (CVE-2014-3478) (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary - check). (Francisco Alonso, Jan Kaluza, Remi) + check). (CVE-2014-3479) (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). - (Francisco Alonso, Jan Kaluza, Remi) + (CVE-2014-3480) (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary - check). (Francisco Alonso, Jan Kaluza, Remi) + check). (CVE-2014-3487) (Francisco Alonso, Jan Kaluza, Remi) - Network: . Fixed bug #67432 (Fix potential segfault in dns_get_record()). -- cgit v1.2.1 From aef6432fbe9cd9b75e29acda226c34d57e434dec Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Wed, 4 Jun 2014 01:06:01 -0700 Subject: Fix bug #67349: Locale::parseLocale Double Free --- NEWS | 5 ++++- ext/intl/locale/locale_methods.c | 7 +++---- ext/intl/tests/locale_parse_locale2.phpt | 6 +++++- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index ce9398e586..37dcc63eb0 100644 --- a/NEWS +++ b/NEWS @@ -11,7 +11,7 @@ PHP NEWS . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) - CLI server: - . Fixed Bug #67406i (built-in web-server segfaults on startup). (Remi) + . Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi) - Date: . Fixed bug #67308 (Serialize of DateTime truncates fractions of second). @@ -31,6 +31,9 @@ PHP NEWS . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary check). (CVE-2014-3487) (Francisco Alonso, Jan Kaluza, Remi) +- Intl: + . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas) + - Network: . Fixed bug #67432 (Fix potential segfault in dns_get_record()). (CVE-2014-4049). (Sara) diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index 9c5b09a7bc..f6b3142fc5 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@ -272,8 +272,7 @@ static char* get_icu_value_internal( char* loc_name , char* tag_name, int* resul grOffset = findOffset( LOC_GRANDFATHERED , loc_name ); if( grOffset >= 0 ){ if( strcmp(tag_name , LOC_LANG_TAG)==0 ){ - tag_value = estrdup(loc_name); - return tag_value; + return estrdup(loc_name); } else { /* Since Grandfathered , no value , do nothing , retutn NULL */ return NULL; @@ -283,8 +282,8 @@ static char* get_icu_value_internal( char* loc_name , char* tag_name, int* resul if( fromParseLocale==1 ){ /* Handle singletons */ if( strcmp(tag_name , LOC_LANG_TAG)==0 ){ - if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){ - return loc_name; + if( strlen(loc_name)>1 && isIDPrefix(loc_name) ){ + return estrdup(loc_name); } } diff --git a/ext/intl/tests/locale_parse_locale2.phpt b/ext/intl/tests/locale_parse_locale2.phpt index 6012862a48..30cc8cc0ae 100644 --- a/ext/intl/tests/locale_parse_locale2.phpt +++ b/ext/intl/tests/locale_parse_locale2.phpt @@ -63,7 +63,8 @@ function ut_main() //Some Invalid Tags: 'de-419-DE', 'a-DE', - 'ar-a-aaa-b-bbb-a-ccc' + 'ar-a-aaa-b-bbb-a-ccc', + 'x-AAAAAA', ); @@ -201,3 +202,6 @@ No values found from Locale parsing. --------------------- ar-a-aaa-b-bbb-a-ccc: language : 'ar' , +--------------------- +x-AAAAAA: +private0 : 'AAAAAA' , -- cgit v1.2.1 From 6027c56fd727d2c4b193b96fee19cdbb4a128447 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 8 Jun 2014 13:44:40 -0700 Subject: Fix bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1)) --- NEWS | 2 ++ ext/intl/locale/locale_methods.c | 10 +++++++++- ext/intl/tests/bug67397.phpt | 21 +++++++++++++++++++++ 3 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 ext/intl/tests/bug67397.phpt diff --git a/NEWS b/NEWS index 37dcc63eb0..507b545228 100644 --- a/NEWS +++ b/NEWS @@ -33,6 +33,8 @@ PHP NEWS - Intl: . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas) + . Fixed bug #67397 (Buffer overflow in locale_get_display_name and + uloc_getDisplayName (libicu 4.8.1)). (Stas) - Network: . Fixed bug #67432 (Fix potential segfault in dns_get_record()). diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index f6b3142fc5..3bb5648356 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@ -500,8 +500,16 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME RETURN_FALSE; } + if(loc_name_len > ULOC_FULLNAME_CAPACITY) { + /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */ + spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name ); + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, msg , 1 TSRMLS_CC ); + efree(msg); + RETURN_FALSE; + } + if(loc_name_len == 0) { - loc_name = INTL_G(default_locale); + loc_name = INTL_G(default_locale); } if( strcmp(tag_name, DISP_NAME) != 0 ){ diff --git a/ext/intl/tests/bug67397.phpt b/ext/intl/tests/bug67397.phpt new file mode 100644 index 0000000000..b2b2911f8a --- /dev/null +++ b/ext/intl/tests/bug67397.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1)) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +false +'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR' -- cgit v1.2.1 From 88223c5245e9b470e1e6362bfd96829562ffe6ab Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 21 Jun 2014 19:46:16 -0700 Subject: Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion --- NEWS | 2 ++ ext/spl/spl_array.c | 2 +- ext/spl/spl_observer.c | 2 +- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 5 ++++- 4 files changed, 8 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 507b545228..24ce950695 100644 --- a/NEWS +++ b/NEWS @@ -53,6 +53,8 @@ PHP NEWS . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence) . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam) + . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type + Confusion). (Stefan Esser) 29 May 2014, PHP 5.4.29 diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 758947a8cc..bf034ab248 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -1808,7 +1808,7 @@ SPL_METHOD(Array, unserialize) ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index 1a706f7642..da9110bf14 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize) ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt index a525317093..8f0676de3b 100644 --- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt +++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt @@ -7,6 +7,7 @@ $badblobs = array( 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"', ); foreach($badblobs as $blob) { try { @@ -17,6 +18,7 @@ try { echo $e->getMessage()."\n"; } } +echo "DONE\n"; --EXPECTF-- Error at offset 6 of 34 bytes Error at offset 46 of 89 bytes @@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) { } } } - +Error at offset 79 of 78 bytes +DONE -- cgit v1.2.1 From f3dd77714de06b927677bec61aa4d13ef1035786 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 23 Jun 2014 00:07:08 -0700 Subject: update CVE --- NEWS | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 24ce950695..dadcbe706a 100644 --- a/NEWS +++ b/NEWS @@ -1,13 +1,13 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -12 Jun 2014, PHP 5.4.30 RC1 +12 Jun 2014, PHP 5.4.30 - Core: . Fixed BC break introduced by patch for bug #67072. (Anatol) . Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases). (Levi Morrison) . Fixed bug #67390 (insecure temporary file use in the configure script). - (Remi) (CVE-2014-3981) + (CVE-2014-3981) (Remi) . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) - CLI server: @@ -54,7 +54,7 @@ PHP NEWS . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence) . Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam) . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type - Confusion). (Stefan Esser) + Confusion) (CVE-2014-3515). (Stefan Esser) 29 May 2014, PHP 5.4.29 -- cgit v1.2.1 From fb0128af2a95ec0d1a0360be49776c5b056d1f33 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 23 Jun 2014 00:19:37 -0700 Subject: Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability --- NEWS | 2 ++ ext/standard/info.c | 8 ++++---- ext/standard/tests/general_functions/bug67498.phpt | 15 +++++++++++++++ 3 files changed, 21 insertions(+), 4 deletions(-) create mode 100644 ext/standard/tests/general_functions/bug67498.phpt diff --git a/NEWS b/NEWS index dadcbe706a..31a4a52793 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,8 @@ PHP NEWS . Fixed bug #67390 (insecure temporary file use in the configure script). (CVE-2014-3981) (Remi) . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) + . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). + (Stefan Esser) - CLI server: . Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi) diff --git a/ext/standard/info.c b/ext/standard/info.c index 70b2e2f617..0f15bbefd6 100644 --- a/ext/standard/info.c +++ b/ext/standard/info.c @@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC) php_info_print_table_start(); php_info_print_table_header(2, "Variable", "Value"); - if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data)); } php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC); diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt new file mode 100644 index 0000000000..5b5951b0f8 --- /dev/null +++ b/ext/standard/tests/general_functions/bug67498.phpt @@ -0,0 +1,15 @@ +--TEST-- +phpinfo() Type Confusion Information Leak Vulnerability +--FILE-- + +==DONE== +--EXPECTF-- +phpinfo() + +PHP Variables +%A +==DONE== -- cgit v1.2.1 From 6d97b4b2b322171d9d3e88ccd5f933bc5661edd6 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 21 Jun 2014 21:28:33 -0700 Subject: Better fix for bug #67072 with more BC provisions --- NEWS | 2 +- ext/standard/tests/serialize/bug67072_2.phpt | 84 ++++++++++++++++++++++++++++ ext/standard/var_unserializer.c | 67 +++++++++++----------- ext/standard/var_unserializer.re | 3 +- 4 files changed, 121 insertions(+), 35 deletions(-) create mode 100644 ext/standard/tests/serialize/bug67072_2.phpt diff --git a/NEWS b/NEWS index 31a4a52793..4ee00dbe47 100644 --- a/NEWS +++ b/NEWS @@ -3,7 +3,7 @@ PHP NEWS 12 Jun 2014, PHP 5.4.30 - Core: - . Fixed BC break introduced by patch for bug #67072. (Anatol) + . Fixed BC break introduced by patch for bug #67072. (Anatol, Stas) . Fixed bug #66622 (Closures do not correctly capture the late bound class (static::) in some cases). (Levi Morrison) . Fixed bug #67390 (insecure temporary file use in the configure script). diff --git a/ext/standard/tests/serialize/bug67072_2.phpt b/ext/standard/tests/serialize/bug67072_2.phpt new file mode 100644 index 0000000000..09eadb9ee1 --- /dev/null +++ b/ext/standard/tests/serialize/bug67072_2.phpt @@ -0,0 +1,84 @@ +--TEST-- +Bug #67072 Echoing unserialized "SplFileObject" crash - BC break fixes +--FILE-- + +===DONE== +--EXPECTF-- +Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 4 + +Notice: unserialize(): Error at offset 26 of 66 bytes in %s on line 4 +object(stdClass)#%d (0) { +} +object(MyClass)#%d (0) { +} +object(MyClassSer)#%d (0) { +} +object(MyClassSer2)#%d (0) { +} + +Warning: Erroneous data format for unserializing 'SplFileObject' in %s on line 9 + +Notice: unserialize(): Error at offset 24 of 25 bytes in %s on line 9 +bool(false) + +Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 9 + +Notice: unserialize(): Error at offset 26 of 27 bytes in %s on line 9 +bool(false) +object(SplObjectStorage)#%d (1) { + ["storage":"SplObjectStorage":private]=> + array(0) { + } +} +object(__PHP_Incomplete_Class)#%d (1) { + ["__PHP_Incomplete_Class_Name"]=> + string(6) "FooBar" +} + +Warning: Erroneous data format for unserializing 'Closure' in %s on line 9 + +Notice: unserialize(): Error at offset 17 of 18 bytes in %s on line 9 +bool(false) +object(ArrayObject)#%d (1) { + ["storage":"ArrayObject":private]=> + array(0) { + } +} +object(MyArrayObject)#1 (2) { + ["a"]=> + int(1) + ["storage":"ArrayObject":private]=> + array(0) { + } +} +object(Directory)#1 (0) { +} +===DONE== diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c index 29d2e0f7ed..2dd10a72e1 100644 --- a/ext/standard/var_unserializer.c +++ b/ext/standard/var_unserializer.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Tue Jun 3 10:23:35 2014 */ +/* Generated by re2c 0.13.5 on Sat Jun 21 21:27:56 2014 */ #line 1 "ext/standard/var_unserializer.re" /* +----------------------------------------------------------------------+ @@ -23,6 +23,7 @@ #include "php.h" #include "ext/standard/php_var.h" #include "php_incomplete_class.h" +#include "Zend/zend_interfaces.h" /* {{{ reference-handling for unserializer: var_* */ #define VAR_ENTRIES_MAX 1024 @@ -226,7 +227,7 @@ static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen #define YYMARKER marker -#line 234 "ext/standard/var_unserializer.re" +#line 235 "ext/standard/var_unserializer.re" @@ -400,7 +401,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) Serializable interface have eventually an inconsistent behavior at this place when unserialized from a manipulated string. Additionaly the interal classes can possibly crash PHP so they're still disabled here. */ - if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) { + if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) { object_init_ex(*rval, ce); } else { /* If this class implements Serializable, it should not land here but in object_custom(). The passed string @@ -473,7 +474,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER) -#line 477 "ext/standard/var_unserializer.c" +#line 478 "ext/standard/var_unserializer.c" { YYCTYPE yych; static const unsigned char yybm[] = { @@ -533,9 +534,9 @@ yy2: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy95; yy3: -#line 828 "ext/standard/var_unserializer.re" +#line 829 "ext/standard/var_unserializer.re" { return 0; } -#line 539 "ext/standard/var_unserializer.c" +#line 540 "ext/standard/var_unserializer.c" yy4: yych = *(YYMARKER = ++YYCURSOR); if (yych == ':') goto yy89; @@ -578,13 +579,13 @@ yy13: goto yy3; yy14: ++YYCURSOR; -#line 822 "ext/standard/var_unserializer.re" +#line 823 "ext/standard/var_unserializer.re" { /* this is the case where we have less data than planned */ php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */ } -#line 588 "ext/standard/var_unserializer.c" +#line 589 "ext/standard/var_unserializer.c" yy16: yych = *++YYCURSOR; goto yy3; @@ -614,7 +615,7 @@ yy20: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 676 "ext/standard/var_unserializer.re" +#line 677 "ext/standard/var_unserializer.re" { size_t len, len2, len3, maxlen; long elements; @@ -760,7 +761,7 @@ yy20: return object_common2(UNSERIALIZE_PASSTHRU, elements); } -#line 764 "ext/standard/var_unserializer.c" +#line 765 "ext/standard/var_unserializer.c" yy25: yych = *++YYCURSOR; if (yych <= ',') { @@ -785,7 +786,7 @@ yy27: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 668 "ext/standard/var_unserializer.re" +#line 669 "ext/standard/var_unserializer.re" { INIT_PZVAL(*rval); @@ -793,7 +794,7 @@ yy27: return object_common2(UNSERIALIZE_PASSTHRU, object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR)); } -#line 797 "ext/standard/var_unserializer.c" +#line 798 "ext/standard/var_unserializer.c" yy32: yych = *++YYCURSOR; if (yych == '+') goto yy33; @@ -814,7 +815,7 @@ yy34: yych = *++YYCURSOR; if (yych != '{') goto yy18; ++YYCURSOR; -#line 648 "ext/standard/var_unserializer.re" +#line 649 "ext/standard/var_unserializer.re" { long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ @@ -834,7 +835,7 @@ yy34: return finish_nested_data(UNSERIALIZE_PASSTHRU); } -#line 838 "ext/standard/var_unserializer.c" +#line 839 "ext/standard/var_unserializer.c" yy39: yych = *++YYCURSOR; if (yych == '+') goto yy40; @@ -855,7 +856,7 @@ yy41: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 619 "ext/standard/var_unserializer.re" +#line 620 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -884,7 +885,7 @@ yy41: ZVAL_STRINGL(*rval, str, len, 0); return 1; } -#line 888 "ext/standard/var_unserializer.c" +#line 889 "ext/standard/var_unserializer.c" yy46: yych = *++YYCURSOR; if (yych == '+') goto yy47; @@ -905,7 +906,7 @@ yy48: yych = *++YYCURSOR; if (yych != '"') goto yy18; ++YYCURSOR; -#line 591 "ext/standard/var_unserializer.re" +#line 592 "ext/standard/var_unserializer.re" { size_t len, maxlen; char *str; @@ -933,7 +934,7 @@ yy48: ZVAL_STRINGL(*rval, str, len, 1); return 1; } -#line 937 "ext/standard/var_unserializer.c" +#line 938 "ext/standard/var_unserializer.c" yy53: yych = *++YYCURSOR; if (yych <= '/') { @@ -1021,7 +1022,7 @@ yy61: } yy63: ++YYCURSOR; -#line 581 "ext/standard/var_unserializer.re" +#line 582 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 use_double: @@ -1031,7 +1032,7 @@ use_double: ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL)); return 1; } -#line 1035 "ext/standard/var_unserializer.c" +#line 1036 "ext/standard/var_unserializer.c" yy65: yych = *++YYCURSOR; if (yych <= ',') { @@ -1090,7 +1091,7 @@ yy73: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 566 "ext/standard/var_unserializer.re" +#line 567 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); @@ -1105,7 +1106,7 @@ yy73: return 1; } -#line 1109 "ext/standard/var_unserializer.c" +#line 1110 "ext/standard/var_unserializer.c" yy76: yych = *++YYCURSOR; if (yych == 'N') goto yy73; @@ -1132,7 +1133,7 @@ yy79: if (yych <= '9') goto yy79; if (yych != ';') goto yy18; ++YYCURSOR; -#line 539 "ext/standard/var_unserializer.re" +#line 540 "ext/standard/var_unserializer.re" { #if SIZEOF_LONG == 4 int digits = YYCURSOR - start - 3; @@ -1159,7 +1160,7 @@ yy79: ZVAL_LONG(*rval, parse_iv(start + 2)); return 1; } -#line 1163 "ext/standard/var_unserializer.c" +#line 1164 "ext/standard/var_unserializer.c" yy83: yych = *++YYCURSOR; if (yych <= '/') goto yy18; @@ -1167,24 +1168,24 @@ yy83: yych = *++YYCURSOR; if (yych != ';') goto yy18; ++YYCURSOR; -#line 532 "ext/standard/var_unserializer.re" +#line 533 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_BOOL(*rval, parse_iv(start + 2)); return 1; } -#line 1178 "ext/standard/var_unserializer.c" +#line 1179 "ext/standard/var_unserializer.c" yy87: ++YYCURSOR; -#line 525 "ext/standard/var_unserializer.re" +#line 526 "ext/standard/var_unserializer.re" { *p = YYCURSOR; INIT_PZVAL(*rval); ZVAL_NULL(*rval); return 1; } -#line 1188 "ext/standard/var_unserializer.c" +#line 1189 "ext/standard/var_unserializer.c" yy89: yych = *++YYCURSOR; if (yych <= ',') { @@ -1207,7 +1208,7 @@ yy91: if (yych <= '9') goto yy91; if (yych != ';') goto yy18; ++YYCURSOR; -#line 502 "ext/standard/var_unserializer.re" +#line 503 "ext/standard/var_unserializer.re" { long id; @@ -1230,7 +1231,7 @@ yy91: return 1; } -#line 1234 "ext/standard/var_unserializer.c" +#line 1235 "ext/standard/var_unserializer.c" yy95: yych = *++YYCURSOR; if (yych <= ',') { @@ -1253,7 +1254,7 @@ yy97: if (yych <= '9') goto yy97; if (yych != ';') goto yy18; ++YYCURSOR; -#line 481 "ext/standard/var_unserializer.re" +#line 482 "ext/standard/var_unserializer.re" { long id; @@ -1274,9 +1275,9 @@ yy97: return 1; } -#line 1278 "ext/standard/var_unserializer.c" +#line 1279 "ext/standard/var_unserializer.c" } -#line 830 "ext/standard/var_unserializer.re" +#line 831 "ext/standard/var_unserializer.re" return 0; diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index cd4d53b5c1..9a9c693337 100644 --- a/ext/standard/var_unserializer.re +++ b/ext/standard/var_unserializer.re @@ -21,6 +21,7 @@ #include "php.h" #include "ext/standard/php_var.h" #include "php_incomplete_class.h" +#include "Zend/zend_interfaces.h" /* {{{ reference-handling for unserializer: var_* */ #define VAR_ENTRIES_MAX 1024 @@ -404,7 +405,7 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) Serializable interface have eventually an inconsistent behavior at this place when unserialized from a manipulated string. Additionaly the interal classes can possibly crash PHP so they're still disabled here. */ - if (ce->serialize == NULL || ZEND_INTERNAL_CLASS != ce->type) { + if (ce->serialize == NULL || ce->unserialize == zend_user_unserialize || (ZEND_INTERNAL_CLASS != ce->type && ce->create_object == NULL)) { object_init_ex(*rval, ce); } else { /* If this class implements Serializable, it should not land here but in object_custom(). The passed string -- cgit v1.2.1 From 79457d1964c8a55c55c13b40e6b2d877792a9dc6 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 24 Jun 2014 10:17:34 -0700 Subject: 5.4.30 --- configure.in | 2 +- main/php_version.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.in b/configure.in index 98e306dd70..5c154fbb3f 100644 --- a/configure.in +++ b/configure.in @@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=4 PHP_RELEASE_VERSION=30 -PHP_EXTRA_VERSION="RC1" +PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 9cb16ca685..a5ff7cb0a3 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -4,6 +4,6 @@ #define PHP_MINOR_VERSION 4 #define PHP_RELEASE_VERSION 30 -#define PHP_EXTRA_VERSION "RC1" -#define PHP_VERSION "5.4.30RC1" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "5.4.30" #define PHP_VERSION_ID 50430 -- cgit v1.2.1