author | Remi Collet <remi@remirepo.net> | 2018-03-01 09:50:30 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2018-03-01 09:50:30 +0100 |
commit | 03cb94d7835b8548cd35966c0cf3e10e48808f87 (patch) | |
tree | 9dd556b7b0c66754ad6ea46395c10c997b1a91f5 /bug75981.patch | |
parent | b9459ddfb28b45ec827d5d0e2e83ec7def175233 (diff) |
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167
fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168
fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890
fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711
fix #75981: stack-buffer-overflow while parsing HTTP response
Diffstat (limited to 'bug75981.patch')
-rw-r--r-- | bug75981.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+--
+2.1.4
+ |
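Review bot: The added bug75981.phpt only expects `DONE` and silences `file_get_contents` with `@`, so an out-of-bounds read of `tmp_line[tmp_line_len - 1]` would presumably pass unnoticed unless the suite runs under a memory checker such as ASan or valgrind. A PHP comment in the test saying so would tell packagers how to validate this backport. In http_fopen_wrapper.c the second guard is missing a space after `&&` and should read `if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\r') {`. A short comment above the first check, e.g. `/* a line holding only "\n" leaves tmp_line_len at 0 after the strip; never index tmp_line[-1] */`, would record why the length test exists. The enclosing function and the declaration of `tmp_line` are outside the hunk, so the buffer size and the type of `tmp_line_len` cannot be confirmed from here.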