diff options
Diffstat (limited to 'php-5.5.0-CVE-2013-4013.patch')
-rw-r--r-- | php-5.5.0-CVE-2013-4013.patch | 181 |
1 files changed, 181 insertions, 0 deletions
diff --git a/php-5.5.0-CVE-2013-4013.patch b/php-5.5.0-CVE-2013-4013.patch new file mode 100644 index 0000000..dfa2c86 --- /dev/null +++ b/php-5.5.0-CVE-2013-4013.patch @@ -0,0 +1,181 @@ +From 7d163e8a0880ae8af2dd869071393e5dc07ef271 Mon Sep 17 00:00:00 2001 +From: Rob Richards <rrichards@php.net> +Date: Sat, 6 Jul 2013 07:53:07 -0400 +Subject: [PATCH] truncate results at depth of 255 to prevent corruption + +--- + ext/xml/xml.c | 90 +++++++++++++++++++++++++++++++++-------------------------- + 1 file changed, 50 insertions(+), 40 deletions(-) + +diff --git a/ext/xml/xml.c b/ext/xml/xml.c +index 1f0480b..9f0bc30 100644 +--- a/ext/xml/xml.c ++++ b/ext/xml/xml.c +@@ -428,7 +428,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC) + } + if (parser->ltags) { + int inx; +- for (inx = 0; inx < parser->level; inx++) ++ for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++) + efree(parser->ltags[ inx ]); + efree(parser->ltags); + } +@@ -805,45 +805,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch + } + + if (parser->data) { +- zval *tag, *atr; +- int atcnt = 0; ++ if (parser->level <= XML_MAXLEVEL) { ++ zval *tag, *atr; ++ int atcnt = 0; + +- MAKE_STD_ZVAL(tag); +- MAKE_STD_ZVAL(atr); ++ MAKE_STD_ZVAL(tag); ++ MAKE_STD_ZVAL(atr); + +- array_init(tag); +- array_init(atr); ++ array_init(tag); ++ array_init(atr); + +- _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); ++ _xml_add_to_info(parser,((char *) tag_name) + parser->toffset); + +- add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ +- add_assoc_string(tag,"type","open",1); +- add_assoc_long(tag,"level",parser->level); ++ add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */ ++ add_assoc_string(tag,"type","open",1); ++ add_assoc_long(tag,"level",parser->level); + +- parser->ltags[parser->level-1] = estrdup(tag_name); +- parser->lastwasopen = 1; ++ parser->ltags[parser->level-1] = estrdup(tag_name); ++ parser->lastwasopen = 1; + +- attributes = (const XML_Char **) attrs; ++ attributes = (const XML_Char **) attrs; + +- while (attributes && *attributes) { +- att = _xml_decode_tag(parser, attributes[0]); +- val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding); +- +- add_assoc_stringl(atr,att,val,val_len,0); ++ while (attributes && *attributes) { ++ att = _xml_decode_tag(parser, attributes[0]); ++ val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding); + +- atcnt++; +- attributes += 2; ++ add_assoc_stringl(atr,att,val,val_len,0); + +- efree(att); +- } ++ atcnt++; ++ attributes += 2; + +- if (atcnt) { +- zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL); +- } else { +- zval_ptr_dtor(&atr); +- } ++ efree(att); ++ } ++ ++ if (atcnt) { ++ zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL); ++ } else { ++ zval_ptr_dtor(&atr); ++ } + +- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag); ++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag); ++ } else if (parser->level == (XML_MAXLEVEL + 1)) { ++ TSRMLS_FETCH(); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated"); ++ } + } + + efree(tag_name); +@@ -895,7 +900,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name) + + efree(tag_name); + +- if (parser->ltags) { ++ if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) { + efree(parser->ltags[parser->level-1]); + } + +@@ -979,18 +984,23 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) + } + } + +- MAKE_STD_ZVAL(tag); +- +- array_init(tag); +- +- _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset); ++ if (parser->level <= XML_MAXLEVEL) { ++ MAKE_STD_ZVAL(tag); + +- add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1); +- add_assoc_string(tag,"value",decoded_value,0); +- add_assoc_string(tag,"type","cdata",1); +- add_assoc_long(tag,"level",parser->level); ++ array_init(tag); + +- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); ++ _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset); ++ ++ add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1); ++ add_assoc_string(tag,"value",decoded_value,0); ++ add_assoc_string(tag,"type","cdata",1); ++ add_assoc_long(tag,"level",parser->level); ++ ++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL); ++ } else if (parser->level == (XML_MAXLEVEL + 1)) { ++ TSRMLS_FETCH(); ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated"); ++ } + } + } else { + efree(decoded_value); +-- +1.7.11.5 + +From 710eee5555bc5c95692bd3c84f5d2b5d687349b6 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?Johannes=20Schl=C3=BCter?= <johannes@php.net> +Date: Wed, 10 Jul 2013 19:35:18 +0200 +Subject: [PATCH] add test for bug #65236 + +--- + ext/xml/tests/bug65236.phpt | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + create mode 100644 ext/xml/tests/bug65236.phpt + +diff --git a/ext/xml/tests/bug65236.phpt b/ext/xml/tests/bug65236.phpt +new file mode 100644 +index 0000000..67b26d6 +--- /dev/null ++++ b/ext/xml/tests/bug65236.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #65236 (heap corruption in xml parser) ++--SKIPIF-- ++<?php ++require_once("skipif.inc"); ++?> ++--FILE-- ++<?php ++xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a); ++ ++echo "Done\n"; ++?> ++--EXPECTF-- ++Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated in %s on line %d ++Done +-- +1.7.11.5 + |