authorRemi Collet <remi@remirepo.net>2018-03-01 11:00:36 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 11:00:36 +0100
commit0a0c58dff2291870b56cec15fabf27119179c997 (patch)
treef88a2f98cf3eca3a515f66114341de807337994d /bug75981.patch
parentb7dc0096c61deb8d3f7fb61d636b874ce1452197 (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #75981: stack-buffer-overflow while parsing HTTP response
Diffstat (limited to 'bug75981.patch')
-rw-r--r--bug75981.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+--
+2.1.4
+
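Review bot: The regression test in the embedded bug75981.phpt only expects `DONE` and wraps the request in `@file_get_contents(...)`, so on a build without AddressSanitizer or valgrind it will most likely pass with or without the two `tmp_line_len >= 1` guards, because a one-byte read before `tmp_line` seldom crashes on its own. When validating this backport, run the test against an instrumented build, or confirm the guards are present in the prepared source tree, rather than relying on the package's normal test run. The second guard is also missing a space, `tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r'`; this is harmless and is best left as is so the patch stays identical to the upstream commit. The C function being patched starts and ends outside the inner hunk, so other uses of `tmp_line_len` cannot be checked from here.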