From 1b29e4488e19c89e5b37ecb26acaec443d7f1355 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 25 Sep 2016 16:43:24 -0700 Subject: Fix bug #73091 - Unserializing DateInterval object may lead to __toString invocation --- ext/date/php_date.c | 4 ++-- ext/date/tests/bug73091.phpt | 46 ++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 ext/date/tests/bug73091.phpt diff --git a/ext/date/php_date.c b/ext/date/php_date.c index dbcd9d0404..d4c695c6b7 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -4113,7 +4113,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter #define PHP_DATE_INTERVAL_READ_PROPERTY(element, member, itype, def) \ do { \ zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \ - if (z_arg) { \ + if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \ (*intobj)->diff->member = (itype)zval_get_long(z_arg); \ } else { \ (*intobj)->diff->member = (itype)def; \ @@ -4123,7 +4123,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter #define PHP_DATE_INTERVAL_READ_PROPERTY_I64(element, member) \ do { \ zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \ - if (z_arg) { \ + if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \ zend_string *str = zval_get_string(z_arg); \ DATE_A64I((*intobj)->diff->member, ZSTR_VAL(str)); \ zend_string_release(str); \ diff --git a/ext/date/tests/bug73091.phpt b/ext/date/tests/bug73091.phpt new file mode 100644 index 0000000000..668ef505d8 --- /dev/null +++ b/ext/date/tests/bug73091.phpt 
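Review bot: `Z_TYPE_P(z_arg) <= IS_STRING` expresses the accepted set (null, bool, long, double, string) through the numeric order of the IS_* constants, which nobody can tell from the call site; a short comment such as `/* scalars only: an object here would reach __toString() via zval_get_long()/zval_get_string() (bug #73091) */` would record why the comparison exists. A side effect is that an IS_REFERENCE wrapping a scalar, which unserialized data can legitimately contain, now falls through to the default silently instead of being dereferenced first; that is probably acceptable for this internal property hash, but worth confirming. The same comparison appears in the `_I64` macro in the second hunk, so one comment per macro is enough. `php_date_interval_initialize_from_hash` starts and ends outside the hunks.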
@@ -0,0 +1,46 @@ +--TEST-- +Bug #73091 (Unserializing DateInterval object may lead to __toString invocation) +--FILE-- + +--EXPECTF-- +object(DateInterval)#%d (15) { + ["days"]=> + int(-1) + ["y"]=> + int(-1) + ["m"]=> + int(-1) + ["d"]=> + int(-1) + ["h"]=> + int(-1) + ["i"]=> + int(-1) + ["s"]=> + int(-1) + ["weekday"]=> + int(-1) + ["weekday_behavior"]=> + int(-1) + ["first_last_day_of"]=> + int(-1) + ["invert"]=> + int(0) + ["special_type"]=> + int(0) + ["special_amount"]=> + int(-1) + ["have_weekday_relative"]=> + int(0) + ["have_special_relative"]=> + int(0) +} -- cgit v1.2.1 From fcc232173eec049649645247312637b2093a7385 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 27 Sep 2016 12:38:38 +0200 Subject: set versions --- NEWS | 2 +- configure.in | 2 +- main/php_version.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index aa17db7c91..dfdd29ee54 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2016 PHP 7.0.12 +29 Sep 2016 PHP 7.0.12RC1 - Core: . Fixed bug #73067 (__debugInfo crashes when throwing an exception). diff --git a/configure.in b/configure.in index 7f60f4ce51..aa2c3f0e7d 100644 --- a/configure.in +++ b/configure.in @@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=0 PHP_RELEASE_VERSION=12 -PHP_EXTRA_VERSION="-dev" +PHP_EXTRA_VERSION="RC1" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 2b2c7ab4f6..7b70248714 100644 --- a/main/php_version.h +++ b/main/php_version.h 
@@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 0 #define PHP_RELEASE_VERSION 12 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "7.0.12-dev" +#define PHP_EXTRA_VERSION "RC1" +#define PHP_VERSION "7.0.12RC1" #define PHP_VERSION_ID 70012 -- cgit v1.2.1 From 61cdd1255d5b9c8453be71aacbbf682796ac77d4 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 10 Oct 2016 22:54:29 -0700 Subject: Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key --- ext/spl/spl_observer.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index c189205879..ad7887bd28 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -772,6 +772,9 @@ SPL_METHOD(SplObjectStorage, unserialize) --p; /* for ';' */ count = Z_LVAL_P(pcount); + ZVAL_UNDEF(&entry); + ZVAL_UNDEF(&inf); + while (count-- > 0) { spl_SplObjectStorageElement *pelement; zend_string *hash; @@ -787,18 +790,17 @@ SPL_METHOD(SplObjectStorage, unserialize) if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) { goto outexcept; } - if (Z_TYPE(entry) != IS_OBJECT) { - zval_ptr_dtor(&entry); - goto outexcept; - } if (*p == ',') { /* new version has inf */ ++p; if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) { zval_ptr_dtor(&entry); goto outexcept; } - } else { - ZVAL_UNDEF(&inf); + } + if (Z_TYPE(entry) != IS_OBJECT) { + zval_ptr_dtor(&entry); + zval_ptr_dtor(&inf); + goto outexcept; } hash = spl_object_storage_get_hash(intern, getThis(), &entry); -- cgit v1.2.1 From 3b5262ec4c9a6f985f8ff1fb4a7bed18f1b48f75 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 10 Oct 2016 23:42:50 -0700 Subject: Fix for #73240 - Write out of bounds at number_format --- ext/standard/math.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/ext/standard/math.c b/ext/standard/math.c index ac776104b5..e4b1160b75 100644 
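Review bot: With the per-iteration `ZVAL_UNDEF(&inf)` removed from the else branch, an entry that has no `','` suffix leaves `inf` holding whatever the previous iteration put there; the two `ZVAL_UNDEF` calls added above the `while` only cover the first iteration. Whether that matters depends on the loop tail, which is outside the hunk: if it releases `inf` without resetting it to UNDEF, the new `zval_ptr_dtor(&inf)` on the non-object path would release a stale value a second time. The cheap fix is to reset at the top of each iteration, `ZVAL_UNDEF(&inf);` right after `zend_string *hash;`, keeping the pre-loop resets for the `outexcept` path. The `unserialize` method body continues past the hunk.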
--- a/ext/standard/math.c +++ b/ext/standard/math.c @@ -1123,8 +1123,8 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin zend_string *tmpbuf; char *s, *t; /* source, target */ char *dp; - int integral; - int reslen = 0; + size_t integral; + size_t reslen = 0; int count = 0; int is_negative=0; @@ -1159,7 +1159,11 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin /* allow for thousand separators */ if (thousand_sep) { - integral += (int)(thousand_sep_len * ((integral-1) / 3)); + if (integral + thousand_sep_len * ((integral-1) / 3) < integral) { + /* overflow */ + php_error_docref(NULL, E_ERROR, "String overflow"); + } + integral += thousand_sep_len * ((integral-1) / 3); } reslen = integral; @@ -1168,7 +1172,11 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin reslen += dec; if (dec_point) { - reslen += (int)dec_point_len; + if (reslen + dec_point_len < dec_point_len) { + /* overflow */ + php_error_docref(NULL, E_ERROR, "String overflow"); + } + reslen += dec_point_len; } } @@ -1270,7 +1278,6 @@ PHP_FUNCTION(number_format) break; default: WRONG_PARAM_COUNT; - break; } } /* }}} */ -- cgit v1.2.1 From 8c9f639a1df068976a841e9b5624d2f5d5d9c7c7 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 11 Oct 2016 11:24:08 +0200 Subject: Revert "Fixed bug #73067 (__debugInfo crashes when throwing an exception)" This reverts commit 2d8ab51576695630a7471ff829cc5ea10becdc0f. --- Zend/tests/bug73067.phpt | 21 --------------------- Zend/zend_object_handlers.c | 1 - 2 files changed, 22 deletions(-) delete mode 100644 Zend/tests/bug73067.phpt diff --git a/Zend/tests/bug73067.phpt b/Zend/tests/bug73067.phpt deleted file mode 100644 index f5d34a8d87..0000000000 --- a/Zend/tests/bug73067.phpt +++ /dev/null 
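Review bot: The guard `integral + thousand_sep_len * ((integral-1) / 3) < integral` only detects wrap of the addition; the product `thousand_sep_len * ((integral-1) / 3)` can itself wrap in size_t before the comparison runs, so the check is incomplete. Testing the multiplication first, `if (thousand_sep_len && (integral-1) / 3 > SIZE_MAX / thousand_sep_len)`, would cover it; in practice both operands are zend_string lengths, so this is defensive rather than reachable. Separately, now that `integral` is unsigned, `(integral-1)` wraps to SIZE_MAX if `integral` is ever 0 — presumably the formatted number always has at least one digit before `dp`, but a comment stating that assumption would help the next reader. `_php_math_number_format_ex` starts and ends outside the hunks.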
@@ -1,21 +0,0 @@ ---TEST-- -Bug #73067 (__debugInfo crashes when throwing an exception) ---FILE-- -getMessage(); -} -?> ---EXPECTF-- -Fatal error: __debuginfo() must return an array in %sbug73067.php on line %d diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c index 39c4d3d7e8..70dab660b3 100644 --- a/Zend/zend_object_handlers.c +++ b/Zend/zend_object_handlers.c @@ -182,7 +182,6 @@ ZEND_API HashTable *zend_std_get_debug_info(zval *object, int *is_temp) /* {{{ * return ht; } - zend_clear_exception(); zend_error_noreturn(E_ERROR, ZEND_DEBUGINFO_FUNC_NAME "() must return an array"); return NULL; /* Compilers are dumb and don't understand that noreturn means that the function does NOT need a return value... */ -- cgit v1.2.1 From a5f40e26567ad1e309f2023cdc6b4de9f1741527 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 11 Oct 2016 11:25:00 +0200 Subject: sync NEWS --- NEWS | 2 -- 1 file changed, 2 deletions(-) diff --git a/NEWS b/NEWS index dfdd29ee54..a1929667f2 100644 --- a/NEWS +++ b/NEWS @@ -3,8 +3,6 @@ PHP NEWS 29 Sep 2016 PHP 7.0.12RC1 - Core: - . Fixed bug #73067 (__debugInfo crashes when throwing an exception). - (Laruence) . Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c). (cmb) . Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by -- cgit v1.2.1 From 92c55f15800631b1ed39b7accde12a53c4f5e800 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 11 Oct 2016 11:26:32 +0200 Subject: set versions and release date --- NEWS | 2 +- configure.in | 2 +- main/php_version.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index a1929667f2..65a8637a9f 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -29 Sep 2016 PHP 7.0.12RC1 +13 Oct 2016 PHP 7.0.12 - Core: . Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of 
diff --git a/configure.in b/configure.in index aa2c3f0e7d..69df254d52 100644 --- a/configure.in +++ b/configure.in @@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=0 PHP_RELEASE_VERSION=12 -PHP_EXTRA_VERSION="RC1" +PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 7b70248714..843bf0a7c9 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 0 #define PHP_RELEASE_VERSION 12 -#define PHP_EXTRA_VERSION "RC1" -#define PHP_VERSION "7.0.12RC1" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "7.0.12" #define PHP_VERSION_ID 70012 -- cgit v1.2.1 From 4d11a8eedf976f081dcc1b525c8a79ca18c9d67c Mon Sep 17 00:00:00 2001 From: Sara Golemon Date: Tue, 11 Oct 2016 21:35:10 -0700 Subject: Clear FG(user_stream_current_filename) when bailing out If a userwrapper opener E_ERRORs then FG(user_stream_current_filename) would remain set until the next request and would not be pointing at unallocated memory. Catch the bailout, clear the variable, then continue bailing. Closes https://bugs.php.net/bug.php?id=73188 --- ext/standard/tests/streams/user-stream-error.phpt | 23 +++++++++++++++++++++++ main/streams/userspace.c | 17 +++++++++++------ 2 files changed, 34 insertions(+), 6 deletions(-) create mode 100644 ext/standard/tests/streams/user-stream-error.phpt diff --git a/ext/standard/tests/streams/user-stream-error.phpt b/ext/standard/tests/streams/user-stream-error.phpt new file mode 100644 index 0000000000..bfa625be2c --- /dev/null +++ b/ext/standard/tests/streams/user-stream-error.phpt 
@@ -0,0 +1,23 @@ +--TEST-- +E_ERROR during UserStream Open +--FILE-- +stream_open('mystream://foo', 'r', 0, NULL) +#1 %s/user-stream-error.php(%d): fopen('mystream://foo', 'r') +#2 {main} + thrown in %s/user-stream-error.php on line %d diff --git a/main/streams/userspace.c b/main/streams/userspace.c index 63a351a59b..504f4d7282 100644 --- a/main/streams/userspace.c +++ b/main/streams/userspace.c @@ -372,12 +372,17 @@ static php_stream *user_wrapper_opener(php_stream_wrapper *wrapper, const char * ZVAL_STRING(&zfuncname, USERSTREAM_OPEN); - call_result = call_user_function_ex(NULL, - Z_ISUNDEF(us->object)? NULL : &us->object, - &zfuncname, - &zretval, - 4, args, - 0, NULL ); + zend_try { + call_result = call_user_function_ex(NULL, + Z_ISUNDEF(us->object)? NULL : &us->object, + &zfuncname, + &zretval, + 4, args, + 0, NULL ); + } zend_catch { + FG(user_stream_current_filename) = NULL; + zend_bailout(); + } zend_end_try(); if (call_result == SUCCESS && Z_TYPE(zretval) != IS_UNDEF && zval_is_true(&zretval)) { /* the stream is now open! */ -- cgit v1.2.1 From d1e878f2726e65502fdd992c5b57feeada57893f Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 25 Sep 2016 21:25:01 -0700 Subject: Fix bug #73150: missing NULL check in dom_document_save_html (cherry picked from commit 1c0e9126fbfb7fde3173347b7464237f56c38bfa) --- ext/dom/document.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/dom/document.c b/ext/dom/document.c index 30d9c13ee9..17ac30a991 100644 --- a/ext/dom/document.c +++ b/ext/dom/document.c @@ -1663,7 +1663,7 @@ PHP_FUNCTION(dom_document_savexml) if (options & LIBXML_SAVE_NOEMPTYTAG) { xmlSaveNoEmptyTags = saveempty; } - if (!size) { + if (!size || !mem) { RETURN_FALSE; } RETVAL_STRINGL((char *) mem, size); 
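Review bot: `call_result` is assigned inside `zend_try` and read after `zend_end_try()`, which usually raises the setjmp/longjmp "should this be volatile" question; it is safe here only because the `zend_catch` branch always re-bails, so a comment would pre-empt it, e.g. `/* the catch path re-bails, so call_result is never read after a longjmp */`. If other userspace callbacks in this file also set `FG(user_stream_current_filename)` before calling into userland (the opendir path, presumably), they need the same try/catch treatment, and only the opener is covered here. `user_wrapper_opener` continues outside the hunk.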
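Review bot: In the `dom_document_savexml` hunk the early `RETURN_FALSE` on `!size || !mem` skips whatever releases `mem` later in the function (outside the hunk), so a non-NULL buffer with size 0 would leak; the `dom_document_save_html` hunk on the next line uses an if/else that presumably falls through to that release on both paths. Whether libxml can return a non-NULL buffer with zero size is not visible here, but freeing defensively is cheap: `if (!size || !mem) { if (mem) { xmlFree(mem); } RETURN_FALSE; }`. Both enclosing functions start outside the hunks.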
@@ -2215,7 +2215,7 @@ PHP_FUNCTION(dom_document_save_html) #else htmlDocDumpMemory(docp, &mem, &size); #endif - if (!size) { + if (!size || !mem) { RETVAL_FALSE; } else { RETVAL_STRINGL((const char*) mem, size); -- cgit v1.2.1 From 87a8240b5adc730153e6df54f33195aee1325e6f Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 4 Oct 2016 21:28:40 -0700 Subject: Add more locale length checks, due to ICU bugs. (cherry picked from commit d3eb58332af433982f1e2ae9095fb087974a95f2) --- ext/intl/locale/locale_methods.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index 32a70d2f7f..e2caacf9e9 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@ -406,6 +406,8 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS) if(loc_name_len == 0) { loc_name = intl_locale_get_default(); } + + INTL_CHECK_LOCALE_LEN(strlen(loc_name)); /* Call ICU get */ tag_value = get_icu_value_internal( loc_name , tag_name , &result ,0); @@ -1169,6 +1171,7 @@ PHP_FUNCTION(locale_get_all_variants) loc_name = intl_locale_get_default(); } + INTL_CHECK_LOCALE_LEN(strlen(loc_name)); array_init( return_value ); @@ -1277,6 +1280,9 @@ PHP_FUNCTION(locale_filter_matches) RETURN_TRUE; } + INTL_CHECK_LOCALE_LEN(strlen(loc_range)); + INTL_CHECK_LOCALE_LEN(strlen(lang_tag)); + if( boolCanonical ){ /* canonicalize loc_range */ can_loc_range=get_icu_value_internal( loc_range , LOC_CANONICALIZE_TAG , &result , 0); @@ -1558,6 +1564,8 @@ PHP_FUNCTION(locale_lookup) hash_arr = Z_ARRVAL_P(arr); + INTL_CHECK_LOCALE_LEN(strlen(loc_range)); + if( !hash_arr || zend_hash_num_elements( hash_arr ) == 0 ) { RETURN_EMPTY_STRING(); } -- cgit v1.2.1 From b26b02b2df95eaa647ea3f4e7b42bd11eea4ed2c Mon Sep 17 00:00:00 2001 
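Review bot: Each of the four new `INTL_CHECK_LOCALE_LEN(strlen(...))` lines is a bare macro call with no indication of why the bound exists; the subject line ("due to ICU bugs") is the only explanation and will not survive into the source. A one-line comment at the first site, `/* ICU misbehaves on over-long locale ids; bound the length before calling into it */`, with the others referring to it, is enough. Note that in `get_icu_value_src_php` and `locale_get_all_variants` the check sits after the `intl_locale_get_default()` substitution, so it bounds the default locale as well as the caller's string — worth keeping in mind if the strlen is later replaced by the parsed length. All four enclosing functions start and end outside the hunks.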
From: Stanislav Malyshev Date: Tue, 4 Oct 2016 22:40:09 -0700 Subject: Bug #73218: add mitigation for ICU int overflow (cherry picked from commit d946d102936525bc7dcd01f3827d0a6e0bb971b0) --- ext/intl/resourcebundle/resourcebundle_class.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/ext/intl/resourcebundle/resourcebundle_class.c b/ext/intl/resourcebundle/resourcebundle_class.c index fd255d57cd..47d9bf0403 100644 --- a/ext/intl/resourcebundle/resourcebundle_class.c +++ b/ext/intl/resourcebundle/resourcebundle_class.c @@ -101,6 +101,13 @@ static int resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_constr locale = intl_locale_get_default(); } + if (bundlename_len >= MAXPATHLEN) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "Bundle name too long", 0 ); + zval_dtor(return_value); + ZVAL_NULL(return_value); + return FAILURE; + } + if (fallback) { rb->me = ures_open(bundlename, locale, &INTL_DATA_ERROR_CODE(rb)); } else { @@ -331,6 +338,11 @@ PHP_FUNCTION( resourcebundle_locales ) RETURN_FALSE; } + if (bundlename_len >= MAXPATHLEN) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "resourcebundle_locales: bundle name too long", 0 ); + RETURN_FALSE; + } + if(bundlename_len == 0) { // fetch default locales list bundlename = NULL; -- cgit v1.2.1 From aaa5d07365b54f35ba3b5024492450f3d2fe4ee5 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Wed, 12 Oct 2016 13:28:23 +0200 Subject: avoid strlen --- ext/intl/locale/locale_methods.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index e2caacf9e9..eaf113a97e 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c 
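Review bot: The two new checks use different error text (`"Bundle name too long"` in the ctor versus `"resourcebundle_locales: bundle name too long"`) and different failure actions, which is a style inconsistency within one commit; the ctor's `zval_dtor(return_value); ZVAL_NULL(return_value); return FAILURE;` presumably mirrors its other failure paths outside the hunk, but the messages could be aligned. Why `MAXPATHLEN` bounds a bundle name is also not stated; presumably ICU derives a file path from it, so a comment like `/* bundle name feeds a path inside ICU; keep it below MAXPATHLEN (bug #73218) */` at the first site would record the reasoning. Both enclosing functions start and end outside the hunks.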
@@ -407,7 +407,7 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS) loc_name = intl_locale_get_default(); } - INTL_CHECK_LOCALE_LEN(strlen(loc_name)); + INTL_CHECK_LOCALE_LEN(loc_name_len); /* Call ICU get */ tag_value = get_icu_value_internal( loc_name , tag_name , &result ,0); @@ -1171,7 +1171,7 @@ PHP_FUNCTION(locale_get_all_variants) loc_name = intl_locale_get_default(); } - INTL_CHECK_LOCALE_LEN(strlen(loc_name)); + INTL_CHECK_LOCALE_LEN(loc_name_len); array_init( return_value ); @@ -1280,8 +1280,8 @@ PHP_FUNCTION(locale_filter_matches) RETURN_TRUE; } - INTL_CHECK_LOCALE_LEN(strlen(loc_range)); - INTL_CHECK_LOCALE_LEN(strlen(lang_tag)); + INTL_CHECK_LOCALE_LEN(loc_range_len); + INTL_CHECK_LOCALE_LEN(lang_tag_len); if( boolCanonical ){ /* canonicalize loc_range */ @@ -1564,7 +1564,7 @@ PHP_FUNCTION(locale_lookup) hash_arr = Z_ARRVAL_P(arr); - INTL_CHECK_LOCALE_LEN(strlen(loc_range)); + INTL_CHECK_LOCALE_LEN(loc_range_len); if( !hash_arr || zend_hash_num_elements( hash_arr ) == 0 ) { RETURN_EMPTY_STRING(); -- cgit v1.2.1 From 01280f8deb837a61237a619cffa886d7f8c31963 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 10 Oct 2016 23:42:50 -0700 Subject: Fix for #73240 - Write out of bounds at number_format (cherry picked from commit 8259130b6bc752968856b352c9e7f8e03a8c0a8e) --- ext/standard/math.c | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/ext/standard/math.c b/ext/standard/math.c index e4b1160b75..62f6ea9cb2 100644 --- a/ext/standard/math.c +++ b/ext/standard/math.c 
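Review bot: Replacing `strlen(loc_name)` with `loc_name_len` changes what is checked when the argument is empty: the preceding `if(loc_name_len == 0) { loc_name = intl_locale_get_default(); }` leaves `loc_name_len` at 0, so `INTL_CHECK_LOCALE_LEN(loc_name_len)` is vacuous for the default locale, which the strlen form did bound. The same applies to the `locale_get_all_variants` hunk; the `locale_filter_matches` and `locale_lookup` hunks show no default substitution, so they are fine as far as visible. If the default locale is considered trusted because it comes from configuration rather than the caller, a comment saying so would make the intent explicit; otherwise keep the bound on that path with `loc_name_len = strlen(loc_name);` inside the default branch. All enclosing functions start and end outside the hunks.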
@@ -1151,18 +1151,14 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin /* calculate the length of the return buffer */ if (dp) { - integral = (int)(dp - ZSTR_VAL(tmpbuf)); + integral = (dp - ZSTR_VAL(tmpbuf)); } else { /* no decimal point was found */ - integral = (int)ZSTR_LEN(tmpbuf); + integral = ZSTR_LEN(tmpbuf); } /* allow for thousand separators */ if (thousand_sep) { - if (integral + thousand_sep_len * ((integral-1) / 3) < integral) { - /* overflow */ - php_error_docref(NULL, E_ERROR, "String overflow"); - } integral += thousand_sep_len * ((integral-1) / 3); } @@ -1172,10 +1168,6 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin reslen += dec; if (dec_point) { - if (reslen + dec_point_len < dec_point_len) { - /* overflow */ - php_error_docref(NULL, E_ERROR, "String overflow"); - } reslen += dec_point_len; } } @@ -1278,6 +1270,7 @@ PHP_FUNCTION(number_format) break; default: WRONG_PARAM_COUNT; + break; } } /* }}} */ -- cgit v1.2.1 From 4ef79370a82d6c92f4ea0cd462274ba24e007f56 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 11 Oct 2016 13:30:52 -0700 Subject: Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML() (cherry picked from commit 96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e) --- ext/simplexml/simplexml.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c index a20cb3e22a..6a05f04618 100644 --- a/ext/simplexml/simplexml.c +++ b/ext/simplexml/simplexml.c 
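Review bot: Dropping both overflow guards leaves `integral += thousand_sep_len * ((integral-1) / 3)` and `reslen += dec_point_len` with no check at all; the argument for that is that every term is now a size_t zend_string length and the sum cannot wrap for any allocatable input, but that reasoning lives nowhere in the code, so record it: `/* all terms are zend_string lengths; the size_t arithmetic cannot wrap for any allocatable input */`. With `integral` unsigned, `(integral-1)` still wraps if `integral` is ever 0 — presumably the formatted number always has a digit before `dp`, but `integral ? (integral-1) / 3 : 0` would make that explicit. `_php_math_number_format_ex` starts and ends outside the hunks.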
@@ -1472,9 +1472,15 @@ SXE_METHOD(asXML) if (node) { if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) { xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding); - RETVAL_STRINGL((char *)strval, strval_len); + if (!strval) { + RETVAL_FALSE; + } else { + RETVAL_STRINGL((char *)strval, strval_len); + } xmlFree(strval); } else { + char *return_content; + size_t return_len; /* Should we be passing encoding information instead of NULL? */ outbuf = xmlAllocOutputBuffer(NULL); @@ -1485,10 +1491,17 @@ SXE_METHOD(asXML) xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding); xmlOutputBufferFlush(outbuf); #ifdef LIBXML2_NEW_BUFFER - RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf)); + return_content = (char *)xmlOutputBufferGetContent(outbuf); + return_len = xmlOutputBufferGetSize(outbuf); #else - RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use); + return_content = (char *)outbuf->buffer->content; + return_len = outbuf->buffer->use; #endif + if (return_content) { + RETVAL_FALSE; + } else { + RETVAL_STRINGL(return_content, return_len); + } xmlOutputBufferClose(outbuf); } } else { -- cgit v1.2.1 From 7dc8b5e7aefce963a7a222c48ee3506725c4776b Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 11 Oct 2016 13:37:47 -0700 Subject: Fix bug #73276 - crash in openssl_random_pseudo_bytes function (cherry picked from commit 85a22a0af0722ef3a8d49a056a0b2b18be1fb981) --- ext/openssl/openssl.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index e2f9fafacf..bf1f0c51a9 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c 
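Review bot: `if (return_content) { RETVAL_FALSE; }` in the second hunk is inverted: a non-NULL buffer now returns false, and a NULL buffer is passed to `RETVAL_STRINGL`, which is exactly the dereference the commit sets out to prevent. It should read `if (!return_content) { RETVAL_FALSE; } else { RETVAL_STRINGL(return_content, return_len); }`, matching the `if (!strval)` form used in the first hunk. The first hunk also reaches `xmlFree(strval)` with a NULL pointer on the new path; xmlFree defaults to free(), which tolerates NULL, but it is a replaceable hook, so guarding it costs nothing. `asXML` starts and ends outside the hunks.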
@@ -5546,7 +5546,11 @@ PHP_FUNCTION(openssl_random_pseudo_bytes) return; } - if (buffer_length <= 0) { + if (buffer_length <= 0 +#ifndef PHP_WIN32 + || ZEND_LONG_INT_OVFL(buffer_length) +#endif + ) { RETURN_FALSE; } @@ -5570,6 +5574,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes) PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length); PHP_OPENSSL_RAND_ADD_TIME(); + /* FIXME loop if requested size > INT_MAX */ if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) { zend_string_release(buffer); if (zstrong_result_returned) { -- cgit v1.2.1 From 7c6cb1282d539c4d5ff5adc8f7a6926c83b98e20 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Wed, 12 Oct 2016 16:03:09 +0200 Subject: fix test --- ext/intl/tests/bug72241.phpt | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/ext/intl/tests/bug72241.phpt b/ext/intl/tests/bug72241.phpt index 397e1e7834..7ac5a5b503 100644 --- a/ext/intl/tests/bug72241.phpt +++ b/ext/intl/tests/bug72241.phpt 
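Review bot: The `#ifndef PHP_WIN32` around the `ZEND_LONG_INT_OVFL(buffer_length)` test is not explained in the hunk, and the second hunk shows `PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length)` apparently checking the same range later, so a reader cannot tell which check is meant to be authoritative. A one-line comment would settle it, e.g. `/* non-Windows path hands the length to RAND_bytes() as int; reject sizes that do not fit */`, and if the later macro already covers it one of the two can go. The added `/* FIXME loop if requested size > INT_MAX */` describes a case the check above now rejects on non-Windows, so either reword it to say which platform it still applies to or drop it. `openssl_random_pseudo_bytes` continues outside the hunks.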
@@ -9,6 +9,4 @@ $out = locale_get_primary_language($var1); echo strlen($out) . PHP_EOL; echo unpack('H*', $out)[1] . PHP_EOL; --EXPECT-- -1000 -61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161
616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 - +0 -- cgit v1.2.1 From b135ba3fa93fd4f085322573d2850b29cb662e21 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Wed, 12 Oct 2016 16:03:35 +0200 Subject: followup with #73276 merge --- ext/openssl/openssl.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index bf1f0c51a9..648b110d61 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -5546,6 +5546,11 @@ PHP_FUNCTION(openssl_random_pseudo_bytes) return; } + if (zstrong_result_returned) { + zval_dtor(zstrong_result_returned); + ZVAL_FALSE(zstrong_result_returned); + } + if (buffer_length <= 0 #ifndef PHP_WIN32 || ZEND_LONG_INT_OVFL(buffer_length) @@ -5553,12 +5558,6 @@ PHP_FUNCTION(openssl_random_pseudo_bytes) ) { RETURN_FALSE; } - - if (zstrong_result_returned) { - zval_dtor(zstrong_result_returned); - ZVAL_FALSE(zstrong_result_returned); - } - buffer = zend_string_alloc(buffer_length, 0); #ifdef PHP_WIN32 -- cgit v1.2.1
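Review bot: Moving the `zstrong_result_returned` reset above the length check means every early `RETURN_FALSE` now leaves the by-ref flag defined, but that ordering dependency is invisible to the next person who adds an early exit above it. A comment on the moved block would protect it: `/* keep before any early return: the by-ref flag must be defined on every path */`. The function continues past the hunk into the `#ifdef PHP_WIN32` branch, so any further early exits there are not visible here.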