diff options
author | Remi Collet <fedora@famillecollet.com> | 2016-04-27 09:04:26 +0200 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2016-04-27 09:04:26 +0200 |
commit | 85057580654db47c797b369c7804af5d92249649 (patch) | |
tree | be9652966c90c49b3fd998bb3795d82f99c36d76 /bug72093.patch | |
parent | dcc383758424b1980806f04c718cfceb2e321931 (diff) |
php 5.4 add security patches, backported from 5.5.35
Diffstat (limited to 'bug72093.patch')
-rw-r--r-- | bug72093.patch | 249 |
1 files changed, 249 insertions, 0 deletions
diff --git a/bug72093.patch b/bug72093.patch new file mode 100644 index 0000000..e675e37 --- /dev/null +++ b/bug72093.patch @@ -0,0 +1,249 @@ +Backported for 5.4 from 5.5.35 by Remi Collet + +From d650063a0457aec56364e4005a636dc6c401f9cd Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 24 Apr 2016 18:33:32 -0700 +Subject: [PATCH] Fix bug #72093: bcpowmod accepts negative scale and corrupts + _one_ definition + +We can not modify result since it can be copy of _zero_ or _one_, etc. and +"copy" in bcmath is just bumping the refcount. +--- + ext/bcmath/bcmath.c | 60 +++++++++++++++++++++++++++++------------- + ext/bcmath/tests/bug72093.phpt | 13 +++++++++ + main/php_version.h | 6 ++--- + 3 files changed, 57 insertions(+), 22 deletions(-) + create mode 100644 ext/bcmath/tests/bug72093.phpt + +diff --git a/ext/bcmath/bcmath.c b/ext/bcmath/bcmath.c +index 02177e4..dd69115 100644 +--- a/ext/bcmath/bcmath.c ++++ b/ext/bcmath/bcmath.c +@@ -201,6 +201,21 @@ static void php_str2num(bc_num *num, char *str TSRMLS_DC) + } + /* }}} */ + ++/* {{{ split_bc_num ++ Convert to bc_num detecting scale */ ++static bc_num split_bc_num(bc_num num) { ++ bc_num newnum; ++ if (num->n_refs >= 1) { ++ return num; ++ } ++ newnum = _bc_new_num_ex(0, 0, 0); ++ *newnum = *num; ++ newnum->n_refs = 1; ++ num->n_refs--; ++ return newnum; ++} ++/* }}} */ ++ + /* {{{ proto string bcadd(string left_operand, string right_operand [, int scale]) + Returns the sum of two arbitrary precision numbers */ + PHP_FUNCTION(bcadd) +@@ -214,7 +229,7 @@ PHP_FUNCTION(bcadd) + if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 3) { + scale = (int) ((int)scale_param < 0) ? 0 : scale_param; + } +@@ -225,11 +240,12 @@ PHP_FUNCTION(bcadd) + php_str2num(&first, left TSRMLS_CC); + php_str2num(&second, right TSRMLS_CC); + bc_add (first, second, &result, scale); +- ++ + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } +- ++ + Z_STRVAL_P(return_value) = bc_num2str(result); + Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); + Z_TYPE_P(return_value) = IS_STRING; +@@ -253,7 +269,7 @@ PHP_FUNCTION(bcsub) + if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 3) { + scale = (int) ((int)scale_param < 0) ? 0 : scale_param; + } +@@ -266,6 +282,7 @@ PHP_FUNCTION(bcsub) + bc_sub (first, second, &result, scale); + + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + +@@ -292,11 +309,11 @@ PHP_FUNCTION(bcmul) + if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 3) { + scale = (int) ((int)scale_param < 0) ? 0 : scale_param; + } +- ++ + bc_init_num(&first TSRMLS_CC); + bc_init_num(&second TSRMLS_CC); + bc_init_num(&result TSRMLS_CC); +@@ -305,6 +322,7 @@ PHP_FUNCTION(bcmul) + bc_multiply (first, second, &result, scale TSRMLS_CC); + + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + +@@ -331,11 +349,11 @@ PHP_FUNCTION(bcdiv) + if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 3) { + scale = (int) ((int)scale_param < 0) ? 0 : scale_param; + } +- ++ + bc_init_num(&first TSRMLS_CC); + bc_init_num(&second TSRMLS_CC); + bc_init_num(&result TSRMLS_CC); +@@ -345,6 +363,7 @@ PHP_FUNCTION(bcdiv) + switch (bc_divide(first, second, &result, scale TSRMLS_CC)) { + case 0: /* OK */ + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + Z_STRVAL_P(return_value) = bc_num2str(result); +@@ -374,13 +393,13 @@ PHP_FUNCTION(bcmod) + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &left, &left_len, &right, &right_len) == FAILURE) { + return; + } +- ++ + bc_init_num(&first TSRMLS_CC); + bc_init_num(&second TSRMLS_CC); + bc_init_num(&result TSRMLS_CC); + bc_str2num(&first, left, 0 TSRMLS_CC); + bc_str2num(&second, right, 0 TSRMLS_CC); +- ++ + switch (bc_modulo(first, second, &result, 0 TSRMLS_CC)) { + case 0: + Z_STRVAL_P(return_value) = bc_num2str(result); +@@ -391,7 +410,7 @@ PHP_FUNCTION(bcmod) + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Division by zero"); + break; + } +- ++ + bc_free_num(&first); + bc_free_num(&second); + bc_free_num(&result); +@@ -424,8 +443,9 @@ PHP_FUNCTION(bcpowmod) + scale_int = (int) ((int)scale < 0) ? 0 : scale; + + if (bc_raisemod(first, second, mod, &result, scale_int TSRMLS_CC) != -1) { +- if (result->n_scale > scale) { +- result->n_scale = scale; ++ if (result->n_scale > scale_int) { ++ result = split_bc_num(result); ++ result->n_scale = scale_int; + } + Z_STRVAL_P(return_value) = bc_num2str(result); + Z_STRLEN_P(return_value) = strlen(Z_STRVAL_P(return_value)); +@@ -433,7 +453,7 @@ PHP_FUNCTION(bcpowmod) + } else { + RETVAL_FALSE; + } +- ++ + bc_free_num(&first); + bc_free_num(&second); + bc_free_num(&mod); +@@ -455,7 +475,7 @@ PHP_FUNCTION(bcpow) + if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 3) { + scale = (int) ((int)scale_param < 0) ? 0 : scale_param; + } +@@ -468,6 +488,7 @@ PHP_FUNCTION(bcpow) + bc_raise (first, second, &result, scale TSRMLS_CC); + + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + +@@ -494,16 +515,17 @@ PHP_FUNCTION(bcsqrt) + if (zend_parse_parameters(argc TSRMLS_CC, "s|l", &left, &left_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 2) { + scale = (int) ((int)scale_param < 0) ? 0 : scale_param; + } + + bc_init_num(&result TSRMLS_CC); + php_str2num(&result, left TSRMLS_CC); +- ++ + if (bc_sqrt (&result, scale TSRMLS_CC) != 0) { + if (result->n_scale > scale) { ++ result = split_bc_num(result); + result->n_scale = scale; + } + Z_STRVAL_P(return_value) = bc_num2str(result); +@@ -531,7 +553,7 @@ PHP_FUNCTION(bccomp) + if (zend_parse_parameters(argc TSRMLS_CC, "ss|l", &left, &left_len, &right, &right_len, &scale_param) == FAILURE) { + return; + } +- ++ + if (argc == 3) { + scale = (int) ((int)scale_param < 0) ? 0 : scale_param; + } +@@ -555,7 +577,7 @@ PHP_FUNCTION(bccomp) + PHP_FUNCTION(bcscale) + { + long new_scale; +- ++ + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &new_scale) == FAILURE) { + return; + } +diff --git a/ext/bcmath/tests/bug72093.phpt b/ext/bcmath/tests/bug72093.phpt +new file mode 100644 +index 0000000..be664b811 +--- /dev/null ++++ b/ext/bcmath/tests/bug72093.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug 72093: bcpowmod accepts negative scale and corrupts _one_ definition ++--SKIPIF-- ++<?php if(!extension_loaded("bcmath")) print "skip"; ?> ++--FILE-- ++<?php ++var_dump(bcpowmod(1, "A", 128, -200)); ++var_dump(bcpowmod(1, 1.2, 1, 1)); ++?> ++--EXPECTF-- ++string(1) "1" ++bc math warning: non-zero scale in exponent ++string(3) "0.0" + |