summaryrefslogtreecommitdiffstats
path: root/bug72093.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-04-27 09:04:26 +0200
committerRemi Collet <fedora@famillecollet.com>2016-04-27 09:04:26 +0200
commit85057580654db47c797b369c7804af5d92249649 (patch)
treebe9652966c90c49b3fd998bb3795d82f99c36d76 /bug72093.patch
parentdcc383758424b1980806f04c718cfceb2e321931 (diff)
php 5.4 add security patches, backported from 5.5.35
Diffstat (limited to 'bug72093.patch')
-rw-r--r--bug72093.patch249
1 files changed, 249 insertions, 0 deletions
diff --git a/bug72093.patch b/bug72093.patch
new file mode 100644
index 0000000..e675e37
--- /dev/null
+++ b/bug72093.patch
@@ -0,0 +1,249 @@
+Backported for 5.4 from 5.5.35 by Remi Collet
+
+From d650063a0457aec56364e4005a636dc6c401f9cd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 24 Apr 2016 18:33:32 -0700
+Subject: [PATCH] Fix bug #72093: bcpowmod accepts negative scale and corrupts
+ _one_ definition
+
+We can not modify result since it can be copy of _zero_ or _one_, etc. and
+"copy" in bcmath is just bumping the refcount.
+---
+ ext/bcmath/bcmath.c | 60 +++++++++++++++++++++++++++++-------------
+ ext/bcmath/tests/bug72093.phpt | 13 +++++++++
+ main/php_version.h | 6 ++---
+ 3 files changed, 57 insertions(+), 22 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug72093.phpt
+
+diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c
+index 02177e4..dd69115 100644
+--- a/ext/bcmath/bcmath.c
++++ b/ext/bcmath/bcmath.c
+@@ -201,6 +201,21 @@ static void php_str2num(bc_num *num, char *str TSRMLS_DC)
+ }
+ /* }}} */
+
++/* {{{ split_bc_num
++ Convert to bc_num detecting scale */
++static bc_num split_bc_num(bc_num num) {
++ bc_num newnum;
++ if (num->n_refs >= 1) {
++ return num;
++ }
++ newnum = _bc_new_num_ex(0, 0, 0);
++ *newnum = *num;
++ newnum->n_refs = 1;
++ num->n_refs--;
++ return newnum;
++}
++/* }}} */
++
+ /* {{{ proto string bcadd(string left_operand, string right_operand [, int scale])
+ Returns the sum of two arbitrary precision numbers */
+ PHP_FUNCTION(bcadd)
+@@ -214,7 +229,7 @@ PHP_FUNCTION(bcadd)
+ if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 3) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+@@ -225,11 +240,12 @@ PHP_FUNCTION(bcadd)
+ php_str2num(&first, left TSRMLS_CC);
+ php_str2num(&second, right TSRMLS_CC);
+ bc_add (first, second, &result, scale);
+-
++
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+-
++
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+ Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value));
+ Z_TYPE_P(return_value) = IS_STRING;
+@@ -253,7 +269,7 @@ PHP_FUNCTION(bcsub)
+ if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 3) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+@@ -266,6 +282,7 @@ PHP_FUNCTION(bcsub)
+ bc_sub (first, second, &result, scale);
+
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+
+@@ -292,11 +309,11 @@ PHP_FUNCTION(bcmul)
+ if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 3) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+-
++
+ bc_init_num(&first TSRMLS_CC);
+ bc_init_num(&second TSRMLS_CC);
+ bc_init_num(&result TSRMLS_CC);
+@@ -305,6 +322,7 @@ PHP_FUNCTION(bcmul)
+ bc_multiply (first, second, &result, scale TSRMLS_CC);
+
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+
+@@ -331,11 +349,11 @@ PHP_FUNCTION(bcdiv)
+ if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 3) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+-
++
+ bc_init_num(&first TSRMLS_CC);
+ bc_init_num(&second TSRMLS_CC);
+ bc_init_num(&result TSRMLS_CC);
+@@ -345,6 +363,7 @@ PHP_FUNCTION(bcdiv)
+ switch (bc_divide(first, second, &result, scale TSRMLS_CC)) {
+ case 0: /* OK */
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+@@ -374,13 +393,13 @@ PHP_FUNCTION(bcmod)
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &left, &left_len, &right, &right_len) == FAILURE) {
+ return;
+ }
+-
++
+ bc_init_num(&first TSRMLS_CC);
+ bc_init_num(&second TSRMLS_CC);
+ bc_init_num(&result TSRMLS_CC);
+ bc_str2num(&first, left, 0 TSRMLS_CC);
+ bc_str2num(&second, right, 0 TSRMLS_CC);
+-
++
+ switch (bc_modulo(first, second, &result, 0 TSRMLS_CC)) {
+ case 0:
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+@@ -391,7 +410,7 @@ PHP_FUNCTION(bcmod)
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Division by zero");
+ break;
+ }
+-
++
+ bc_free_num(&first);
+ bc_free_num(&second);
+ bc_free_num(&result);
+@@ -424,8 +443,9 @@ PHP_FUNCTION(bcpowmod)
+ scale_int = (int) ((int)scale < 0) ? 0 : scale;
+
+ if (bc_raisemod(first, second, mod, &result, scale_int TSRMLS_CC) != -1) {
+- if (result->n_scale > scale) {
+- result->n_scale = scale;
++ if (result->n_scale > scale_int) {
++ result = split_bc_num(result);
++ result->n_scale = scale_int;
+ }
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+ Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value));
+@@ -433,7 +453,7 @@ PHP_FUNCTION(bcpowmod)
+ } else {
+ RETVAL_FALSE;
+ }
+-
++
+ bc_free_num(&first);
+ bc_free_num(&second);
+ bc_free_num(&mod);
+@@ -455,7 +475,7 @@ PHP_FUNCTION(bcpow)
+ if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 3) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+@@ -468,6 +488,7 @@ PHP_FUNCTION(bcpow)
+ bc_raise (first, second, &result, scale TSRMLS_CC);
+
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+
+@@ -494,16 +515,17 @@ PHP_FUNCTION(bcsqrt)
+ if (zend_parse_parameters(argc TSRMLS_CC, "s|l", &left, &left_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 2) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+
+ bc_init_num(&result TSRMLS_CC);
+ php_str2num(&result, left TSRMLS_CC);
+-
++
+ if (bc_sqrt (&result, scale TSRMLS_CC) != 0) {
+ if (result->n_scale > scale) {
++ result = split_bc_num(result);
+ result->n_scale = scale;
+ }
+ Z_STRVAL_P(return_value) = bc_num2str(result);
+@@ -531,7 +553,7 @@ PHP_FUNCTION(bccomp)
+ if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) {
+ return;
+ }
+-
++
+ if (argc == 3) {
+ scale = (int) ((int)scale_param < 0) ? 0 : scale_param;
+ }
+@@ -555,7 +577,7 @@ PHP_FUNCTION(bccomp)
+ PHP_FUNCTION(bcscale)
+ {
+ long new_scale;
+-
++
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &new_scale) == FAILURE) {
+ return;
+ }
+diff --git a/ext/bcmath/tests/bug72093.phpt b/ext/bcmath/tests/bug72093.phpt
+new file mode 100644
+index 0000000..be664b811
+--- /dev/null
++++ b/ext/bcmath/tests/bug72093.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug 72093: bcpowmod accepts negative scale and corrupts _one_ definition
++--SKIPIF--
++<?php if(!extension_loaded("bcmath")) print "skip"; ?>
++--FILE--
++<?php
++var_dump(bcpowmod(1, "A", 128, -200));
++var_dump(bcpowmod(1, 1.2, 1, 1));
++?>
++--EXPECTF--
++string(1) "1"
++bc math warning: non-zero scale in exponent
++string(3) "0.0"
+