diff options
author | Remi Collet <remi@remirepo.net> | 2019-12-17 17:00:58 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-12-17 17:00:58 +0100 |
commit | 5155e7af6ac73b0e341a5c42d1dcee4d2f13ee24 (patch) | |
tree | 3e4a58f8e73e87866a134d97dc709180881717ba /php-bug78910.patch | |
parent | 91fb9e67870e51cc69fd08e588a153c5f7e186ed (diff) |
- bcmath:
Fix #78878 Buffer underflow in bc_shift_addsub
CVE-2019-11046
- core:
Fix #78862 link() silently truncates after a null byte on Windows
CVE-2019-11044
Fix #78863 DirectoryIterator class silently truncates after a null byte
CVE-2019-11045
- exif
Fix #78793 Use-after-free in exif parsing under memory sanitizer
CVE-2019-11050
Fix #78910 Heap-buffer-overflow READ in exif
CVE-2019-11047
- use oracle client library version 19.5 (18.5 on EL-6)
Diffstat (limited to 'php-bug78910.patch')
-rw-r--r-- | php-bug78910.patch | 148 |
1 files changed, 148 insertions, 0 deletions
diff --git a/php-bug78910.patch b/php-bug78910.patch new file mode 100644 index 0000000..f164d0a --- /dev/null +++ b/php-bug78910.patch @@ -0,0 +1,148 @@ +From 75149a9a02d3bc44411a6e7ab35aee7110d053f3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 16 Dec 2019 00:10:39 -0800 +Subject: [PATCH] Fixed bug #78910 + +(cherry picked from commit d348cfb96f2543565691010ade5e0346338be5a7) +--- + NEWS | 2 ++ + ext/exif/exif.c | 3 ++- + ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++ + 3 files changed, 21 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug78910.phpt + +diff --git a/NEWS b/NEWS +index 723cc69be6..ba237b8e33 100644 +--- a/NEWS ++++ b/NEWS +@@ -16,6 +16,8 @@ Backported from 7.2.26 + - EXIF: + . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer). + (CVE-2019-11050). (Nikita) ++ . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047). ++ (Nikita) + + Backported from 7.1.33 + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index a7da928800..9e42a62812 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2748,7 +2748,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + continue; + if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) + continue; +- if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) ++ if (maker_note->id_string && value_len >= maker_note->id_string_len ++ && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) + continue; + break; + } +diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt +new file mode 100644 +index 0000000000..f5b1c32c1b +--- /dev/null ++++ b/ext/exif/tests/bug78910.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044) ++--FILE-- ++<?php ++ ++var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN')); ++ ++?> ++--EXPECTF-- ++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d ++ ++Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d ++ ++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d ++ ++Warning: exif_read_data(): Invalid TIFF file in %s on line %d ++bool(false) +From ec1dc05c2415f55507b5710dbeed9f0623c9b44d Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Tue, 17 Dec 2019 15:26:04 +0100 +Subject: [PATCH] Fix tests + +--- + ext/bcmath/tests/bug72093-win32.phpt | 2 +- + ext/bcmath/tests/bug75178-win32.phpt | 4 ++-- + ext/exif/tests/bug76557.phpt | 2 +- + ext/exif/tests/bug78910.phpt | 8 ++++---- + ext/spl/tests/bug54291.phpt | 2 +- + 5 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/ext/bcmath/tests/bug72093-win32.phpt b/ext/bcmath/tests/bug72093-win32.phpt +index a9b2077823..bcea8740b5 100644 +--- a/ext/bcmath/tests/bug72093-win32.phpt ++++ b/ext/bcmath/tests/bug72093-win32.phpt +@@ -14,5 +14,5 @@ var_dump(bcpowmod(1, 1.2, 1, 1)); + ?> + --EXPECTF-- + string(1) "1" +-string(3) "0.0" + bc math warning: non-zero scale in exponent ++string(3) "0.0" +diff --git a/ext/bcmath/tests/bug75178-win32.phpt b/ext/bcmath/tests/bug75178-win32.phpt +index bae590fb5b..c70e3aa810 100644 +--- a/ext/bcmath/tests/bug75178-win32.phpt ++++ b/ext/bcmath/tests/bug75178-win32.phpt +@@ -14,8 +14,8 @@ var_dump(bcpowmod('4', '4', '3.1', 3)); + ?> + ===DONE=== + --EXPECT-- ++bc math warning: non-zero scale in base + string(5) "1.000" ++bc math warning: non-zero scale in modulus + string(5) "1.000" + ===DONE=== +-bc math warning: non-zero scale in base +-bc math warning: non-zero scale in modulus +diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt +index 4553b62772..8920de658a 100644 +--- a/ext/exif/tests/bug76557.phpt ++++ b/ext/exif/tests/bug76557.phpt +@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f + + Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d + +-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d ++Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d + + Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d + +diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt +index f5b1c32c1b..7e40b82389 100644 +--- a/ext/exif/tests/bug78910.phpt ++++ b/ext/exif/tests/bug78910.phpt +@@ -7,11 +7,11 @@ var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAA + + ?> + --EXPECTF-- +-Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d ++Notice: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d + +-Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d ++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d + +-Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d ++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): IFD data too short: 0x0000 offset 0x000C in %s on line %d + +-Warning: exif_read_data(): Invalid TIFF file in %s on line %d ++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Invalid TIFF file in %s on line %d + bool(false) +diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt +index c0119c4360..5e4a5a0607 100644 +--- a/ext/spl/tests/bug54291.phpt ++++ b/ext/spl/tests/bug54291.phpt +@@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0) + $dir = new DirectoryIterator("\x00/abc"); + $dir->isFile(); + --EXPECTF-- +-Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d ++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d + Stack trace: + #0 %s(%d): DirectoryIterator->__construct('\x00/abc') + #1 {main} |