summaryrefslogtreecommitdiffstats
path: root/bug72061.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-04-27 09:04:26 +0200
committerRemi Collet <fedora@famillecollet.com>2016-04-27 09:04:26 +0200
commit42bb2c9221ab019a8d42a11644eceaf7b05d39d9 (patch)
treebebe4fa519a02a5192efb9f8ce0c276ee97642ba /bug72061.patch
parente3c0a2ba77c93252efd1c70ffab1b2ade30c9d14 (diff)
php 5.4 add security patches, backported from 5.5.35
Diffstat (limited to 'bug72061.patch')
-rw-r--r--bug72061.patch99
1 files changed, 99 insertions, 0 deletions
diff --git a/bug72061.patch b/bug72061.patch
new file mode 100644
index 0000000..8319a75
--- /dev/null
+++ b/bug72061.patch
@@ -0,0 +1,99 @@
+Backported for 5.4 from 5.5.35 by Remi Collet
+
+From fd9689745c44341b1bd6af4756f324be8abba2fb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 24 Apr 2016 12:49:01 -0700
+Subject: [PATCH] Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos
+ with negative offset
+
+---
+ ext/intl/grapheme/grapheme_string.c | 12 +++++++-----
+ ext/intl/tests/bug72061.phpt | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+), 5 deletions(-)
+ create mode 100644 ext/intl/tests/bug72061.phpt
+
+diff --git a/ext/intl/grapheme/grapheme_string.c b/ext/intl/grapheme/grapheme_string.c
+index 8a094e0..3ba9b51 100644
+--- a/ext/intl/grapheme/grapheme_string.c
++++ b/ext/intl/grapheme/grapheme_string.c
+@@ -112,7 +112,7 @@ PHP_FUNCTION(grapheme_strpos)
+ int haystack_len, needle_len;
+ unsigned char *found;
+ long loffset = 0;
+- int32_t offset = 0;
++ int32_t offset = 0, noffset = 0;
+ int ret_pos;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", (char **)&haystack, &haystack_len, (char **)&needle, &needle_len, &loffset) == FAILURE) {
+@@ -132,6 +132,7 @@ PHP_FUNCTION(grapheme_strpos)
+
+ /* we checked that it will fit: */
+ offset = (int32_t) loffset;
++ noffset = offset >= 0 ? offset : haystack_len + offset;
+
+ /* the offset is 'grapheme count offset' so it still might be invalid - we'll check it later */
+
+@@ -146,7 +147,7 @@ PHP_FUNCTION(grapheme_strpos)
+ /* quick check to see if the string might be there
+ * I realize that 'offset' is 'grapheme count offset' but will work in spite of that
+ */
+- found = (unsigned char *)php_memnstr((char *)haystack + offset, (char *)needle, needle_len, (char *)haystack + haystack_len);
++ found = (unsigned char *)php_memnstr((char *)haystack + noffset, (char *)needle, needle_len, (char *)haystack + haystack_len);
+
+ /* if it isn't there the we are done */
+ if (!found) {
+@@ -214,12 +215,13 @@ PHP_FUNCTION(grapheme_stripos)
+ is_ascii = ( grapheme_ascii_check(haystack, haystack_len) >= 0 );
+
+ if ( is_ascii ) {
++ int32_t noffset = offset >= 0 ? offset : haystack_len + offset;
+ needle_dup = (unsigned char *)estrndup((char *)needle, needle_len);
+ php_strtolower((char *)needle_dup, needle_len);
+ haystack_dup = (unsigned char *)estrndup((char *)haystack, haystack_len);
+ php_strtolower((char *)haystack_dup, haystack_len);
+
+- found = (unsigned char*) php_memnstr((char *)haystack_dup + offset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len);
++ found = (unsigned char*) php_memnstr((char *)haystack_dup + noffset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len);
+
+ efree(haystack_dup);
+ efree(needle_dup);
+@@ -537,7 +539,7 @@ PHP_FUNCTION(grapheme_substr)
+ efree(ustr);
+ }
+ ubrk_close(bi);
+- RETURN_EMPTY_STRING();
++ RETURN_EMPTY_STRING();
+ }
+
+ /* find the end point of the string to return */
+@@ -576,7 +578,7 @@ PHP_FUNCTION(grapheme_substr)
+ sub_str_end_pos = ustr_len;
+ }
+ }
+-
++
+ if(sub_str_start_pos > sub_str_end_pos) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_substr: length is beyond start", 1 TSRMLS_CC );
+
+diff --git a/ext/intl/tests/bug72061.phpt b/ext/intl/tests/bug72061.phpt
+new file mode 100644
+index 0000000..782c32c
+--- /dev/null
++++ b/ext/intl/tests/bug72061.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #72061: Out-of-bounds reads in zif_grapheme_stripos with negative offset
++--SKIPIF--
++<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
++--FILE--
++<?php
++
++var_dump(grapheme_stripos(str_repeat("ABCD", 16384), "A", -201));
++var_dump(grapheme_strpos(str_repeat("ABCD", 16384), "A", -201));
++?>
++DONE
++--EXPECT--
++int(65336)
++int(65336)
++DONE
+\ No newline at end of file