From 0a0c58dff2291870b56cec15fabf27119179c997 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 1 Mar 2018 11:00:36 +0100 Subject: fix #73549: Use after free when stream is passed to imagepng fix #75981: stack-buffer-overflow while parsing HTTP response --- bug75981.patch | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 bug75981.patch (limited to 'bug75981.patch') diff --git a/bug75981.patch b/bug75981.patch new file mode 100644 index 0000000..27af03b --- /dev/null +++ b/bug75981.patch @@ -0,0 +1,68 @@ +From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 20 Feb 2018 15:34:43 -0800 +Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start + +--- + ext/standard/http_fopen_wrapper.c | 4 ++-- + ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++ + 2 files changed, 34 insertions(+), 2 deletions(-) + create mode 100644 ext/standard/tests/http/bug75981.phpt + +diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c +index ed6adc0..78bd935 100644 +--- a/ext/standard/http_fopen_wrapper.c ++++ b/ext/standard/http_fopen_wrapper.c +@@ -737,9 +737,9 @@ finish: + tmp_line, response_code); + } + } +- if (tmp_line[tmp_line_len - 1] == '\n') { ++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') { + --tmp_line_len; +- if (tmp_line[tmp_line_len - 1] == '\r') { ++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') { + --tmp_line_len; + } + } +diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt +new file mode 100644 +index 0000000..d415de6 +--- /dev/null ++++ b/ext/standard/tests/http/bug75981.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #75981 (stack-buffer-overflow while parsing HTTP response) ++--INI-- ++allow_url_fopen=1 ++--SKIPIF-- ++ ++--FILE-- ++ [ ++ 'protocol_version' => '1.1', ++ 'header' => 'Connection: Close' ++ ], ++]; ++ ++$ctx = stream_context_create($options); ++ ++$responses = [ ++ "data://text/plain,000000000100\xA\xA" ++]; ++$pid = http_server('tcp://127.0.0.1:12342', $responses); ++ ++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx); ++ ++http_server_kill($pid); ++ ++?> ++DONE ++--EXPECT-- ++DONE +-- +2.1.4 + -- cgit