From a2713f204e1202b6844c114a005c304aafb008c7 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 10 Sep 2016 10:14:22 +0200 Subject: PHP 5.5.38 + security patches from 5.6.25 --- bug72749.patch | 90 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 bug72749.patch (limited to 'bug72749.patch') diff --git a/bug72749.patch b/bug72749.patch new file mode 100644 index 0000000..4ea74bb --- /dev/null +++ b/bug72749.patch @@ -0,0 +1,90 @@ +Backported from 5.6.25 by Remi. + +From db38282f421a5d552840aeac807efc2f584162d2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 4 Aug 2016 00:17:42 -0700 +Subject: [PATCH] Fix bug #72749: wddx_deserialize allows illegal memory access + +--- + ext/wddx/tests/bug72749.phpt | 34 ++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 20 ++++++++++++++------ + 2 files changed, 48 insertions(+), 6 deletions(-) + create mode 100644 ext/wddx/tests/bug72749.phpt + +diff --git a/ext/wddx/tests/bug72749.phpt b/ext/wddx/tests/bug72749.phpt +new file mode 100644 +index 0000000..ee17d0f +--- /dev/null ++++ b/ext/wddx/tests/bug72749.phpt +@@ -0,0 +1,34 @@ ++--TEST-- ++Bug #72749: wddx_deserialize allows illegal memory access ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++
++ ++ ++ ++ 2\r2004-09-10T05:52:49+00 ++ ++ ++ ++ ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++array(1) { ++ ["aDateTime3"]=> ++ string(24) "2 ++2004-09-10T05:52:49+00" ++} +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index cde3e07..faadbfe1 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -1116,18 +1116,26 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + case ST_DATETIME: { + char *tmp; + +- tmp = emalloc(len + 1); +- memcpy(tmp, s, len); ++ if (Z_TYPE_P(ent->data) == IS_STRING) { ++ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1); ++ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data)); ++ memcpy(tmp + Z_STRLEN_P(ent->data), s, len); ++ len += Z_STRLEN_P(ent->data); ++ efree(Z_STRVAL_P(ent->data)); ++ Z_TYPE_P(ent->data) = IS_LONG; ++ } else { ++ tmp = emalloc(len + 1); ++ memcpy(tmp, s, len); ++ } + tmp[len] = '\0'; + + Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL); + /* date out of range < 1969 or > 2038 */ + if (Z_LVAL_P(ent->data) == -1) { +- Z_TYPE_P(ent->data) = IS_STRING; +- Z_STRLEN_P(ent->data) = len; +- Z_STRVAL_P(ent->data) = estrndup(s, len); ++ ZVAL_STRINGL(ent->data, tmp, len, 0); ++ } else { ++ efree(tmp); + } +- efree(tmp); + } + break; + -- cgit