author | Remi Collet <fedora@famillecollet.com> | 2016-09-10 10:14:22 +0200 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2016-09-10 10:14:22 +0200 |
commit | 22b274864edbc4052b961c5d14beecf665b46c49 (patch) | |
tree | 51cade07b0ae4c8d112ceb52d0512f7f05e79d3c | |
parent | 7eeeb6e96a8354ae5c553662e96a1bfcf3bb9b65 (diff) |
PHP 5.5.38 + security patches from 5.6.25
-rw-r--r-- | bug70436.patch | 97 | ||||
-rw-r--r-- | bug72627.patch | 34 | ||||
-rw-r--r-- | bug72663.patch | 206 | ||||
-rw-r--r-- | bug72681.patch | 129 | ||||
-rw-r--r-- | bug72697.patch | 94 | ||||
-rw-r--r-- | bug72708.patch | 25 | ||||
-rw-r--r-- | bug72716.patch | 24 | ||||
-rw-r--r-- | bug72730.patch | 52 | ||||
-rw-r--r-- | bug72749.patch | 90 | ||||
-rw-r--r-- | bug72750.patch | 72 | ||||
-rw-r--r-- | bug72771.patch | 26 | ||||
-rw-r--r-- | bug72790.patch | 134 | ||||
-rw-r--r-- | bug72807.patch | 60 | ||||
-rw-r--r-- | bug72836.patch | 56 | ||||
-rw-r--r-- | bug72837.patch | 45 | ||||
-rw-r--r-- | bug72838.patch | 28 | ||||
-rw-r--r-- | bug72848.patch | 83 | ||||
-rw-r--r-- | bug72849.patch | 51 | ||||
-rw-r--r-- | bug72850.patch | 54 | ||||
-rw-r--r-- | failed.txt | 2 | ||||
-rw-r--r-- | php.spec | 84 |
21 files changed, 1444 insertions, 2 deletions
diff --git a/bug70436.patch b/bug70436.patch
new file mode 100644
index 0000000..c3dc139
--- /dev/null
+++ b/bug70436.patch
@@ -0,0 +1,97 @@ +Backported from 5.6.25 by Remi. + +From 27fe2b42fc4a0e82b30dba11e177611ac6a88bf5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 7 Aug 2016 15:16:28 -0700 +Subject: [PATCH] Fix bug #70436: Use After Free Vulnerability in unserialize() + +--- + ext/standard/tests/strings/bug70436.phpt | 65 ++++++++++++++++++++++++++++++++ + ext/standard/var.c | 1 + + 2 files changed, 66 insertions(+) + create mode 100644 ext/standard/tests/strings/bug70436.phpt + +diff --git a/ext/standard/tests/strings/bug70436.phpt b/ext/standard/tests/strings/bug70436.phpt +new file mode 100644 +index 0000000..c62e468 +--- /dev/null ++++ b/ext/standard/tests/strings/bug70436.phpt +@@ -0,0 +1,65 @@ ++--TEST-- ++Bug #70436: Use After Free Vulnerability in unserialize() ++--FILE-- ++<?php ++ ++class obj implements Serializable ++{ ++ var $data; ++ ++ function serialize() ++ { ++ return serialize($this->data); ++ } ++ ++ function unserialize($data) ++ { ++ $this->data = unserialize($data); ++ } ++} ++ ++$fakezval = ptr2str(1122334455); ++$fakezval .= ptr2str(0); ++$fakezval .= "\x00\x00\x00\x00"; ++$fakezval .= "\x01"; ++$fakezval .= "\x00"; ++$fakezval .= "\x00\x00"; ++ ++$inner = 'C:3:"obj":3:{ryat'; ++$exploit = 'a:4:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:2;s:'.strlen($fakezval).':"'.$fakezval.'";i:3;R:5;}'; ++ ++$data = unserialize($exploit); ++ ++var_dump($data); ++ ++function ptr2str($ptr) ++{ ++ $out = ''; ++ ++ for ($i = 0; $i < 8; $i++) { ++ $out .= chr($ptr & 0xff); ++ $ptr >>= 8; ++ } ++ ++ return $out; ++} ++?> ++DONE ++--EXPECTF-- ++Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d ++ ++Notice: unserialize(): Error at offset 17 of 17 bytes in %sbug70436.php on line %d ++array(4) { ++ [0]=> ++ int(1) ++ [1]=> ++ object(obj)#%d (1) { ++ ["data"]=> ++ bool(false) ++ } ++ [2]=> ++ string(24) "%s" ++ [3]=> ++ bool(false) ++} ++DONE +\ No newline at end of file +diff --git a/ext/standard/var.c 
b/ext/standard/var.c +index f0efef2..137e794 100644 +--- a/ext/standard/var.c ++++ b/ext/standard/var.c +@@ -965,6 +965,7 @@ PHP_FUNCTION(unserialize) + p = (const unsigned char*) buf; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + if (!php_var_unserialize(&return_value, &p, p + buf_len, &var_hash TSRMLS_CC)) { ++ var_push_dtor(&var_hash, &return_value); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_dtor(return_value); + if (!EG(exception)) { diff --git a/bug72627.patch b/bug72627.patch new file mode 100644 index 0000000..410e40e --- /dev/null +++ b/bug72627.patch @@ -0,0 +1,34 @@ +Backported from 5.6.25 by Remi. +Binary patch dropped + +From 32a629ef2cff754c3dd6cc24eb1e25aeaf439891 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 8 Aug 2016 00:49:34 -0700 +Subject: [PATCH] Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF + +--- + ext/exif/exif.c | 5 ++- + ext/exif/tests/bug72627.phpt | 71 +++++++++++++++++++++++++++++++++++++++++++ + ext/exif/tests/bug72627.tiff | Bin 0 -> 1250 bytes + 3 files changed, 75 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug72627.phpt + create mode 100644 ext/exif/tests/bug72627.tiff + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index f95de3a..657a2cc1 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3778,8 +3778,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size); + if (fgot < ImageInfo->Thumbnail.size) { + EXIF_ERRLOG_THUMBEOF(ImageInfo) ++ efree(ImageInfo->Thumbnail.data); ++ ImageInfo->Thumbnail.data = NULL; ++ } else { ++ exif_thumbnail_build(ImageInfo TSRMLS_CC); + } +- exif_thumbnail_build(ImageInfo TSRMLS_CC); + } + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done"); + diff --git a/bug72663.patch b/bug72663.patch new file mode 100644 index 0000000..498a58e --- /dev/null 
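Review bot: The new `var_push_dtor(&var_hash, &return_value);` line carries no comment, and it is not obvious why a failed result has to be registered with the var_hash dtor list before `PHP_VAR_UNSERIALIZE_DESTROY` and then still handed to `zval_dtor`. Judging by the test, which rebinds a back-reference (`R:5;`) onto a string built from a fake zval, the point appears to be that entries recorded in var_hash may still reference `return_value`, so it must be released in the same ordered pass rather than torn down separately; I would state that on the line: `/* var_hash may still reference the partial result; register it so the dtor pass releases it in order (bug #70436) */`. The enclosing PHP_FUNCTION(unserialize) continues past the hunk, so the later handling of the NULL-ed return value is not visible here.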
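Review bot: After the short read the thumbnail buffer is freed and nulled, but `ImageInfo->Thumbnail.size` keeps the value read from the file, so any later consumer that keys on `.size` rather than `.data` would see a non-zero size paired with a NULL pointer; I would reset both, adding `ImageInfo->Thumbnail.size = 0;` beside the new `ImageInfo->Thumbnail.data = NULL;`. Whether such a consumer exists is outside the hunk, so treat this as consistency hardening rather than a confirmed defect. Note also that the preamble says the binary test image was dropped and the `bug72627.phpt` listed in the inner diffstat is not in the patch, so this backport ships without its regression test. exif_process_IFD_in_TIFF continues on both sides of the hunk.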
+++ b/bug72663.patch 
@@ -0,0 +1,206 @@ +Backported from 5.6.25 by Remi. + +From c1cfd6a9fe23765191ea2f654790c7b127d4b797 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 2 Aug 2016 01:08:42 -0700 +Subject: [PATCH] Fix bug #72663 - destroy broken object when unserializing + +--- + ext/standard/tests/strings/bug72663.phpt | 26 +++++++++++ + ext/standard/tests/strings/bug72663_2.phpt | 17 ++++++++ + ext/standard/var_unserializer.c | 70 ++++++++++++++++-------------- + ext/standard/var_unserializer.re | 5 ++- + 4 files changed, 84 insertions(+), 34 deletions(-) + create mode 100644 ext/standard/tests/strings/bug72663.phpt + create mode 100644 ext/standard/tests/strings/bug72663_2.phpt + +diff --git a/ext/standard/tests/strings/bug72663.phpt b/ext/standard/tests/strings/bug72663.phpt +new file mode 100644 +index 0000000..e61f939 +--- /dev/null ++++ b/ext/standard/tests/strings/bug72663.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization ++--FILE-- ++<?php ++class obj implements Serializable { ++ var $data; ++ function serialize() { ++ return serialize($this->data); ++ } ++ function unserialize($data) { ++ $this->data = unserialize($data); ++ } ++} ++ ++$inner = 'a:1:{i:0;O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:4;}'; ++$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}'; ++ ++$data = unserialize($exploit); ++echo $data[1]; ++?> ++DONE ++--EXPECTF-- ++Notice: unserialize(): Unexpected end of serialized data in %sbug72663.php on line %d ++ ++Notice: unserialize(): Error at offset 46 of 47 bytes in %sbug72663.php on line %d ++DONE +\ No newline at end of file +diff --git a/ext/standard/tests/strings/bug72663_2.phpt b/ext/standard/tests/strings/bug72663_2.phpt +new file mode 100644 +index 0000000..ac605e9 +--- /dev/null ++++ b/ext/standard/tests/strings/bug72663_2.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() 
in Deserialization ++--FILE-- ++<?php ++ ++ini_set('session.serialize_handler', 'php_serialize'); ++session_start(); ++$sess = 'O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:1;}'; ++session_decode($sess); ++var_dump($_SESSION); ++?> ++DONE ++--EXPECTF-- ++Notice: session_decode(): Unexpected end of serialized data in %sbug72663_2.php on line %d ++array(0) { ++} ++DONE +\ No newline at end of file +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index 1e45b03..e4ddecf 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -437,6 +437,9 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + } + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { ++ /* We've got partially constructed object on our hands here. Wipe it */ ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ ZVAL_NULL(*rval); + return 0; + } + +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index d1d4ef9..c1c18c9 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -443,6 +443,9 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + } + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { ++ /* We've got partially constructed object on our hands here. Wipe it. 
*/ ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ ZVAL_NULL(*rval); + return 0; + } + +From b25f44098fdc8cecfd62d0fc5422c23d8747dcd2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Thu, 4 Aug 2016 00:03:31 -0700 +Subject: [PATCH] Update comment + +--- + ext/standard/var_unserializer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index e4ddecf..1d459ae 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -437,7 +437,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + } + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { +- /* We've got partially constructed object on our hands here. Wipe it */ ++ /* We've got partially constructed object on our hands here. Wipe it. */ + zend_hash_clean(Z_OBJPROP_PP(rval)); + ZVAL_NULL(*rval); + return 0; +From 75c0dbdd028ffa20eae5cf3a2fae194961464b8b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 7 Aug 2016 15:33:29 -0700 +Subject: [PATCH] Improve fix for #72663 + +--- + ext/standard/tests/strings/bug72663_3.phpt | 18 ++++++++ + ext/standard/var_unserializer.c | 68 ++++++++++++++++-------------- + ext/standard/var_unserializer.re | 8 +++- + 3 files changed, 62 insertions(+), 32 deletions(-) + create mode 100644 ext/standard/tests/strings/bug72663_3.phpt + +diff --git a/ext/standard/tests/strings/bug72663_3.phpt b/ext/standard/tests/strings/bug72663_3.phpt +new file mode 100644 +index 0000000..e336bc8 +--- /dev/null ++++ b/ext/standard/tests/strings/bug72663_3.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization ++--FILE-- ++<?php ++class obj { ++ var $ryat; ++ function __wakeup() { ++ $this->ryat = str_repeat('A', 0x112); ++ } ++} ++ ++$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;'; ++unserialize($poc); ++?> 
++DONE ++--EXPECTF-- ++Notice: unserialize(): Error at offset 51 of 50 bytes in %sbug72663_3.php on line %d ++DONE +\ No newline at end of file +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index 1d459ae..c8e6f8a 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -438,11 +438,17 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { + /* We've got partially constructed object on our hands here. Wipe it. */ +- zend_hash_clean(Z_OBJPROP_PP(rval)); ++ if(Z_TYPE_PP(rval) == IS_OBJECT) { ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ } + ZVAL_NULL(*rval); + return 0; + } + ++ if (Z_TYPE_PP(rval) != IS_OBJECT) { ++ return 0; ++ } ++ + if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY && + zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) { + INIT_PZVAL(&fname); +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index c1c18c9..11b93c5 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -444,11 +444,17 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { + /* We've got partially constructed object on our hands here. Wipe it. */ +- zend_hash_clean(Z_OBJPROP_PP(rval)); ++ if(Z_TYPE_PP(rval) == IS_OBJECT) { ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ } + ZVAL_NULL(*rval); + return 0; + } + ++ if (Z_TYPE_PP(rval) != IS_OBJECT) { ++ return 0; ++ } ++ + if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY && + zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) { + INIT_PZVAL(&fname); diff --git a/bug72681.patch b/bug72681.patch new file mode 100644 index 0000000..23a741d --- /dev/null +++ b/bug72681.patch 
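Review bot: In the final form of object_common2 the failure path cleans the property table and overwrites the zval with NULL but never releases the object handle, and neither hunk comment says why; the reason appears to be that earlier back-references (`R:`/`r:`) recorded in var_hash may still point at this object, as the tests exercise, so destroying it here would reintroduce a dangling pointer. I would spell that out: `/* Partially constructed object; back-references in var_hash may still point at it, so wipe the properties rather than free the object. */`. The new `if (Z_TYPE_PP(rval) != IS_OBJECT) { return 0; }` after a successful process_nested_data also deserves a one-line comment on how rval can stop being an object (presumably a nested reference overwriting it), since a reader will otherwise take it for dead code. The comment belongs in var_unserializer.re, from which the .c file is regenerated; object_common2 continues outside the hunk.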
@@ -0,0 +1,129 @@ +Backported from 5.6.25 by Remi. + +From 61156f0d68704df748b5cbf08c77582c208db8c9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 3 Aug 2016 00:30:12 -0700 +Subject: [PATCH] Fix bug #72681 - consume data even if we're not storing them + +--- + ext/session/session.c | 25 ++++++++++++++++++------- + ext/session/tests/bug72681.phpt | 16 ++++++++++++++++ + 2 files changed, 34 insertions(+), 7 deletions(-) + create mode 100644 ext/session/tests/bug72681.phpt + +diff --git a/ext/session/session.c b/ext/session/session.c +index c668bb7..b2d0236 100644 +--- a/ext/session/session.c ++++ b/ext/session/session.c +@@ -923,11 +923,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ + int namelen; + int has_value; + php_unserialize_data_t var_hash; ++ int skip = 0; + + PHP_VAR_UNSERIALIZE_INIT(var_hash); + + for (p = val; p < endptr; ) { + zval **tmp; ++ skip = 0; + namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF); + + if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { +@@ -943,22 +945,25 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ + + if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) { + if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) { +- efree(name); +- continue; ++ skip = 1; + } + } + + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { +- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ if (!skip) { ++ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ } + } else { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; + } + var_push_dtor_no_addref(&var_hash, ¤t); + } +- PS_ADD_VARL(name, namelen); ++ if (!skip) { ++ PS_ADD_VARL(name, namelen); ++ } + efree(name); + } + +@@ -1015,6 +1020,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + int namelen; + int 
has_value; + php_unserialize_data_t var_hash; ++ int skip = 0; + + PHP_VAR_UNSERIALIZE_INIT(var_hash); + +@@ -1023,6 +1029,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + while (p < endptr) { + zval **tmp; + q = p; ++ skip = 0; + while (*q != PS_DELIMITER) { + if (++q >= endptr) goto break_outer_loop; + } +@@ -1039,14 +1046,16 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + + if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) { + if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) { +- goto skip; ++ skip = 1; + } + } + + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { +- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ if (!skip) { ++ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ } + } else { + var_push_dtor_no_addref(&var_hash, ¤t); + efree(name); +@@ -1055,7 +1064,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + } + var_push_dtor_no_addref(&var_hash, ¤t); + } +- PS_ADD_VARL(name, namelen); ++ if (!skip) { ++ PS_ADD_VARL(name, namelen); ++ } + skip: + efree(name); + +diff --git a/ext/session/tests/bug72681.phpt b/ext/session/tests/bug72681.phpt +new file mode 100644 +index 0000000..ca38b07 +--- /dev/null ++++ b/ext/session/tests/bug72681.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #72681: PHP Session Data Injection Vulnerability ++--SKIPIF-- ++<?php include('skipif.inc'); ?> ++--FILE-- ++<?php ++ini_set('session.serialize_handler', 'php'); ++session_start(); ++$_SESSION['_SESSION'] = 'ryat|O:8:"stdClass":0:{}'; ++session_write_close(); ++session_start(); ++var_dump($_SESSION); ++?> ++--EXPECT-- ++array(0) { ++} diff --git a/bug72697.patch b/bug72697.patch new file mode 100644 index 0000000..a29ff7a --- /dev/null +++ b/bug72697.patch 
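Review bot: In PS_SERIALIZER_DECODE_FUNC(php) the new flag `int skip` shares its name with the `skip:` label that remains at the end of the loop body; C keeps labels in a separate namespace so it compiles, but `if (!skip) { ... } skip: efree(name);` is needlessly confusing to read. I would rename the flag in both decoders, e.g. `int skip_var = 0;`, and if the removed `goto skip;` was the label's only user, drop the label too so `-Wunused-label` stays clean; whether other `goto skip` sites exist is outside the hunk. Both decoder functions continue outside the hunk.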
@@ -0,0 +1,94 @@ +Backported from 5.6.25 by Remi. + +From 4d76676101f8814520ea988e42b3bda54eb9e255 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 10 Aug 2016 00:00:14 -0700 +Subject: [PATCH] Fix bug#72697 - select_colors write out-of-bounds + +--- + ext/gd/gd.c | 16 ++++++++-------- + ext/gd/tests/bug72697.phpt | 17 +++++++++++++++++ + 2 files changed, 25 insertions(+), 8 deletions(-) + create mode 100644 ext/gd/tests/bug72697.phpt + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index b96f901..5c604b7 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1615,11 +1615,11 @@ PHP_FUNCTION(imagetruecolortopalette) + + ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd); + +- if (ncolors <= 0) { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero"); ++ if (ncolors <= 0 || ncolors > INT_MAX) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX); + RETURN_FALSE; + } +- gdImageTrueColorToPalette(im, dither, ncolors); ++ gdImageTrueColorToPalette(im, dither, (int)ncolors); + + RETURN_TRUE; + } +diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt +new file mode 100644 +index 0000000..6110385 +--- /dev/null ++++ b/ext/gd/tests/bug72697.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72697: select_colors write out-of-bounds ++--SKIPIF-- ++<?php ++if (!function_exists("imagecreatetruecolor")) die("skip"); ++if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only"); ++?> ++--FILE-- ++<?php ++ ++$img=imagecreatetruecolor(10, 10); ++imagetruecolortopalette($img, false, PHP_INT_MAX / 8); ++?> ++DONE ++--EXPECTF-- ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d ++DONE +\ No newline at end of file + +From 64e4b276bda8bfa504df8acb40d07369b8d124b3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: 
Tue, 16 Aug 2016 16:47:53 -0700 +Subject: [PATCH] fix tests + +--- + ext/gd/tests/imagetruecolortopalette_error3.phpt | 2 +- + ext/gd/tests/imagetruecolortopalette_error4.phpt | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/ext/gd/tests/imagetruecolortopalette_error3.phpt b/ext/gd/tests/imagetruecolortopalette_error3.phpt +index d65a995..dbbdb08 100644 +--- a/ext/gd/tests/imagetruecolortopalette_error3.phpt ++++ b/ext/gd/tests/imagetruecolortopalette_error3.phpt +@@ -25,4 +25,4 @@ Warning: imagetruecolortopalette() expects parameter 3 to be long, resource give + + Warning: imagetruecolortopalette() expects parameter 3 to be long, array given in %s on line %d + +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d +\ No newline at end of file ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d +\ No newline at end of file +diff --git a/ext/gd/tests/imagetruecolortopalette_error4.phpt b/ext/gd/tests/imagetruecolortopalette_error4.phpt +index b9661e3..1d56bfc 100644 +--- a/ext/gd/tests/imagetruecolortopalette_error4.phpt ++++ b/ext/gd/tests/imagetruecolortopalette_error4.phpt +@@ -16,6 +16,6 @@ imagetruecolortopalette($image, true, -1); + + ?> + --EXPECTF-- +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d + +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d +\ No newline at end of file ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d +\ No newline at end of file diff --git a/bug72708.patch b/bug72708.patch new file mode 100644 index 0000000..2d1c01e --- /dev/null +++ b/bug72708.patch 
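Review bot: The new range check `ncolors > INT_MAX` stops the long-to-int truncation that produced a negative colour count, but it still forwards any value up to INT_MAX to gdImageTrueColorToPalette, so the fix relies on the bundled gd clamping the request to its own palette limit; that code is not in the hunk, so I would either reject absurd counts here as well or leave a comment stating the reliance, e.g. `/* values above gd's palette size are clamped inside libgd; we only stop the int truncation here */`. On targets where long and int have the same width the `ncolors > INT_MAX` comparison is always false and some compilers warn about it (-Wtype-limits); harmless, but worth a note. PHP_FUNCTION(imagetruecolortopalette) continues outside the hunk.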
@@ -0,0 +1,25 @@
+Backported from 5.6.25 by Remi.
+
+From b9ab6e14ffd602d2020da53be44bf2e77aae7b55 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 3 Aug 2016 22:37:57 -0700
+Subject: [PATCH] Fix bug #72708 - php_snmp_parse_oid integer overflow in
+ memory allocation
+
+---
+ ext/snmp/snmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
+index b88cdcd..d2c1b94 100644
+--- a/ext/snmp/snmp.c
++++ b/ext/snmp/snmp.c
+@@ -1034,7 +1034,7 @@ static int php_snmp_parse_oid(zval *object, int st, struct objid_query *objid_qu
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Got empty OID array");
+ return FALSE;
+ }
+- objid_query->vars = (snmpobjarg *)emalloc(sizeof(snmpobjarg) * zend_hash_num_elements(Z_ARRVAL_PP(oid)));
++ objid_query->vars = (snmpobjarg *)safe_emalloc(sizeof(snmpobjarg), zend_hash_num_elements(Z_ARRVAL_PP(oid)), 0);
+ if (objid_query->vars == NULL) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "emalloc() failed while parsing oid array: %s", strerror(errno));
+ efree(objid_query->vars);
diff --git a/bug72716.patch b/bug72716.patch
new file mode 100644
index 0000000..3a6f94a
--- /dev/null
+++ b/bug72716.patch
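Review bot: The `if (objid_query->vars == NULL)` branch that follows the new `safe_emalloc` call is dead code: Zend's emalloc family never returns NULL (allocation failure is a fatal error, and safe_emalloc additionally bails out when the size product overflows), so the warning is unreachable and `efree(objid_query->vars)` could only ever free NULL. Leaving it in suggests allocation failure is handled when it is not; I would drop the branch or, at minimum, mark it `/* unreachable: safe_emalloc() bails out on failure */`. php_snmp_parse_oid continues outside the hunk.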
@@ -0,0 +1,24 @@
+Backported from 5.6.25 by Remi.
+
+From 9c291f0fa0c8b8c6994f521f5863c407494eb1dc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 3 Aug 2016 22:59:01 -0700
+Subject: [PATCH] Fix bug #72716 - initialize buffer before read
+
+---
+ ext/standard/ftp_fopen_wrapper.c | 81 ++++++++++++++++++++--------------------
+ 1 file changed, 41 insertions(+), 40 deletions(-)
+
+diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c
+index b7eeb56..0d5384e 100644
+--- a/ext/standard/ftp_fopen_wrapper.c
++++ b/ext/standard/ftp_fopen_wrapper.c
+@@ -82,6 +82,7 @@ typedef struct _php_ftp_dirstream_data {
+ */
+ static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC)
+ {
++ buffer[0] = '\0'; /* in case read fails to read anything */
+ while (php_stream_gets(stream, buffer, buffer_size-1) &&
+ !(isdigit((int) buffer[0]) && isdigit((int) buffer[1]) &&
+ isdigit((int) buffer[2]) && buffer[3] == ' '));
+
diff --git a/bug72730.patch b/bug72730.patch
new file mode 100644
index 0000000..a23f63d
--- /dev/null
+++ b/bug72730.patch
@@ -0,0 +1,52 @@ +Backported from 5.6.25 by Remi. + +From 229782c0ada4d7e72dba6327cc7dff889ce7d92f Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 10 Aug 2016 00:14:58 -0700 +Subject: [PATCH] Fix bug #72730 - imagegammacorrect allows arbitrary write + access + +--- + ext/gd/gd.c | 5 +++++ + ext/gd/tests/bug72730.phpt | 15 +++++++++++++++ + 2 files changed, 20 insertions(+) + create mode 100644 ext/gd/tests/bug72730.phpt + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index 5c604b7..0fb9604 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -3036,6 +3036,11 @@ PHP_FUNCTION(imagegammacorrect) + return; + } + ++ if ( input <= 0.0 || output <= 0.0 ) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Gamma values should be positive"); ++ RETURN_FALSE; ++ } ++ + ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd); + + if (gdImageTrueColor(im)) { +diff --git a/ext/gd/tests/bug72730.phpt b/ext/gd/tests/bug72730.phpt +new file mode 100644 +index 0000000..e7c13cb +--- /dev/null ++++ b/ext/gd/tests/bug72730.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #72730: imagegammacorrect allows arbitrary write access ++--SKIPIF-- ++<?php ++if (!function_exists("imagecreatetruecolor")) die("skip"); ++?> ++--FILE-- ++<?php ++$img = imagecreatetruecolor(1, 1); ++imagegammacorrect($img, -1, 1337); ++?> ++DONE ++--EXPECTF-- ++Warning: imagegammacorrect(): Gamma values should be positive in %sbug72730.php on line %d ++DONE +\ No newline at end of file diff --git a/bug72749.patch b/bug72749.patch new file mode 100644 index 0000000..4ea74bb --- /dev/null +++ b/bug72749.patch 
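Review bot: `input <= 0.0 || output <= 0.0` does not reject NaN, because every ordered comparison with NaN is false, so `imagegammacorrect($img, NAN, 1)` still passes the new guard and the pow()/integer conversion that follows runs on NaN, and converting NaN to an int is undefined behaviour in C. Write the test in the form that fails for NaN too: `if (!(input > 0.0) || !(output > 0.0))`, or `if (!isfinite(input) || !isfinite(output) || input <= 0.0 || output <= 0.0)` to also refuse INF, which turns `input/output` into NaN when both are infinite. The arithmetic that consumes the values is outside the hunk, so what exactly a NaN does there is inferred from the bug title rather than visible here.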
@@ -0,0 +1,90 @@ +Backported from 5.6.25 by Remi. + +From db38282f421a5d552840aeac807efc2f584162d2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Thu, 4 Aug 2016 00:17:42 -0700 +Subject: [PATCH] Fix bug #72749: wddx_deserialize allows illegal memory access + +--- + ext/wddx/tests/bug72749.phpt | 34 ++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 20 ++++++++++++++------ + 2 files changed, 48 insertions(+), 6 deletions(-) + create mode 100644 ext/wddx/tests/bug72749.phpt + +diff --git a/ext/wddx/tests/bug72749.phpt b/ext/wddx/tests/bug72749.phpt +new file mode 100644 +index 0000000..ee17d0f +--- /dev/null ++++ b/ext/wddx/tests/bug72749.phpt +@@ -0,0 +1,34 @@ ++--TEST-- ++Bug #72749: wddx_deserialize allows illegal memory access ++--SKIPIF-- ++<?php ++if (!extension_loaded('wddx')) { ++ die('skip. wddx not available'); ++} ++?> ++--FILE-- ++<?php ++$xml = <<<XML ++<?xml version='1.0'?> ++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> ++<wddxPacket version='1.0'> ++<header/> ++ <data> ++ <struct> ++ <var name='aDateTime3'> ++ <dateTime>2\r2004-09-10T05:52:49+00</dateTime> ++ </var> ++ </struct> ++ </data> ++</wddxPacket> ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++array(1) { ++ ["aDateTime3"]=> ++ string(24) "2 ++2004-09-10T05:52:49+00" ++} +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index cde3e07..faadbfe1 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -1116,18 +1116,26 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + case ST_DATETIME: { + char *tmp; + +- tmp = emalloc(len + 1); +- memcpy(tmp, s, len); ++ if (Z_TYPE_P(ent->data) == IS_STRING) { ++ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1); ++ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data)); ++ memcpy(tmp + Z_STRLEN_P(ent->data), s, len); ++ len += Z_STRLEN_P(ent->data); ++ efree(Z_STRVAL_P(ent->data)); ++ Z_TYPE_P(ent->data) = IS_LONG; ++ } else { ++ tmp = emalloc(len 
+ 1); ++ memcpy(tmp, s, len); ++ } + tmp[len] = '\0'; + + Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL); + /* date out of range < 1969 or > 2038 */ + if (Z_LVAL_P(ent->data) == -1) { +- Z_TYPE_P(ent->data) = IS_STRING; +- Z_STRLEN_P(ent->data) = len; +- Z_STRVAL_P(ent->data) = estrndup(s, len); ++ ZVAL_STRINGL(ent->data, tmp, len, 0); ++ } else { ++ efree(tmp); + } +- efree(tmp); + } + break; + diff --git a/bug72750.patch b/bug72750.patch new file mode 100644 index 0000000..5af5a9b --- /dev/null +++ b/bug72750.patch 
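Review bot: The concatenation branch only fires when the previous chunk left `ent->data` as IS_STRING, i.e. when that text failed php_parse_date; if the first chunk of a `<dateTime>` split by expat happens to parse on its own, the type is IS_LONG, the else branch takes the new chunk alone, and the earlier timestamp is silently replaced instead of the text being accumulated. That is not a memory-safety problem, but it makes the result depend on where the XML parser splits character data; the robust form would accumulate raw text and parse once when the element is popped. At minimum I would document the limitation above `if (Z_TYPE_P(ent->data) == IS_STRING)`: `/* only text that failed to parse so far is carried over; a chunk that parsed to a long is overwritten by a later one */`. php_wddx_process_data continues outside the hunk.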
@@ -0,0 +1,72 @@ +Backported from 5.6.25 by Remi. + +From 82b95bb758ac707a2372f2edaed70589b6f374d3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 7 Aug 2016 16:26:52 -0700 +Subject: [PATCH] Fix bug #72750: wddx_deserialize null dereference + +--- + ext/wddx/tests/bug72750.phpt | 34 ++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 8 ++++++-- + 2 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 ext/wddx/tests/bug72750.phpt + +diff --git a/ext/wddx/tests/bug72750.phpt b/ext/wddx/tests/bug72750.phpt +new file mode 100644 +index 0000000..3a6794d +--- /dev/null ++++ b/ext/wddx/tests/bug72750.phpt +@@ -0,0 +1,34 @@ ++--TEST-- ++Bug #72750: wddx_deserialize null dereference ++--SKIPIF-- ++<?php ++if (!extension_loaded('wddx')) { ++ die('skip. wddx not available'); ++} ++?> ++--FILE-- ++<?php ++ ++$xml = <<< XML ++<?xml version='1.0'?> ++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> ++<wddxPacket version='1.0'> ++<header/> ++ <data> ++ <struct> ++ <var name='aBinary'> ++ <binary length='11'>\\tYmluYXJRhdGE=</binary> ++ </var> ++ </struct> ++ </data> ++</wddxPacket> ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++array(1) { ++ ["aBinary"]=> ++ string(0) "" ++} +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index faadbfe1..1b2d103 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -952,8 +952,12 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + + new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len); + STR_FREE(Z_STRVAL_P(ent1->data)); +- Z_STRVAL_P(ent1->data) = new_str; +- Z_STRLEN_P(ent1->data) = new_len; ++ if (new_str) { ++ Z_STRVAL_P(ent1->data) = new_str; ++ Z_STRLEN_P(ent1->data) = new_len; ++ } else { ++ ZVAL_EMPTY_STRING(ent1->data); ++ } + } + + /* Call __wakeup() method on the object. */ diff --git a/bug72771.patch b/bug72771.patch new file mode 100644 index 0000000..db77d0a --- /dev/null 
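Review bot: The new NULL branch substitutes an empty string for undecodable `<binary>` content without any diagnostic, so a tampered or truncated packet deserializes to `""` indistinguishably from a genuinely empty value, and the test pins that silence. I would at least document the choice on the branch, `/* php_base64_decode() returns NULL on malformed input; store "" rather than a NULL string pointer */`, and consider whether an E_NOTICE here would help operators spot malformed packets, since this decoder is reachable from untrusted input. php_wddx_pop_element continues outside the hunk.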
+++ b/bug72771.patch
@@ -0,0 +1,26 @@
+Backported from 5.6.25 by Remi.
+
+From 7d5ca3b28d3c8f8cae6cd874740f18fd3eb5100e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Aug 2016 16:17:54 -0700
+Subject: [PATCH] Fix bug #72771: ftps:// opendir wrapper is vulnerable to
+ protocol downgrade attack
+
+---
+ ext/standard/ftp_fopen_wrapper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c
+index bfb1631..5bffa47 100644
+--- a/ext/standard/ftp_fopen_wrapper.c
++++ b/ext/standard/ftp_fopen_wrapper.c
+@@ -187,7 +187,8 @@ static php_stream *php_ftp_fopen_connect(php_stream_wrapper *wrapper, const char
+ /* get the response */
+ result = GET_FTP_RESULT(stream);
+ if (result != 334) {
+- use_ssl = 0;
++ php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Server doesn't support FTPS.");
++ goto connect_errexit;
+ } else {
+ /* we must reuse the old SSL session id */
+ /* if we talk to an old ftpd-ssl */
diff --git a/bug72790.patch b/bug72790.patch
new file mode 100644
index 0000000..fa571b7
--- /dev/null
+++ b/bug72790.patch
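Review bot: The control connection now refuses to continue when `AUTH TLS` is not answered with 334, which closes the downgrade for the `ftps://` control channel; the data channel is negotiated later in the same function (PBSZ/PROT), outside this hunk, and if that code still falls back to a cleartext data connection on a non-2xx reply, the same class of downgrade survives for directory listings and transfers. Worth checking and giving the same `goto connect_errexit` treatment. Also confirm that `connect_errexit` closes `stream`, since the label is outside the hunk. php_ftp_fopen_connect continues outside the hunk.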
@@ -0,0 +1,134 @@ +Backported from 5.6.25 by Remi. + +From 1f6078e4a5c67733bfdbd20bb2706501ac56a344 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 10 Aug 2016 23:43:56 -0700 +Subject: [PATCH] Fix for bug #72790 and bug #72799 + +--- + ext/wddx/tests/bug72790.phpt | 35 +++++++++++++++++++++++++++++++++++ + ext/wddx/tests/bug72799.phpt | 28 ++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 14 +++++++++----- + 3 files changed, 72 insertions(+), 5 deletions(-) + create mode 100644 ext/wddx/tests/bug72790.phpt + create mode 100644 ext/wddx/tests/bug72799.phpt + +diff --git a/ext/wddx/tests/bug72790.phpt b/ext/wddx/tests/bug72790.phpt +new file mode 100644 +index 0000000..a60524b +--- /dev/null ++++ b/ext/wddx/tests/bug72790.phpt +@@ -0,0 +1,35 @@ ++--TEST-- ++Bug 72790: wddx_deserialize null dereference with invalid xml ++--SKIPIF-- ++<?php ++if (!extension_loaded('wddx')) { ++ die('skip. wddx not available'); ++} ++?> ++--FILE-- ++<?php ++ ++$xml = <<< XML ++<?xml version='1.0' ?> ++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> ++<wddxPacket version='1.0'> ++ |array> ++ <var name="XXXX"> ++ <boolean value="this"> ++ </boolean> ++ </var> ++ <var name="YYYY"> ++ <var name="UUUU"> ++ <var name="EZEZ"> ++ </var> ++ </var> ++ </var> ++ </array> ++</wddxPacket> ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++NULL +\ No newline at end of file +diff --git a/ext/wddx/tests/bug72799.phpt b/ext/wddx/tests/bug72799.phpt +new file mode 100644 +index 0000000..5861d55 +--- /dev/null ++++ b/ext/wddx/tests/bug72799.phpt +@@ -0,0 +1,28 @@ ++--TEST-- ++Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element ++--SKIPIF-- ++<?php ++if (!extension_loaded('wddx')) { ++ die('skip. 
wddx not available'); ++} ++?> ++--FILE-- ++<?php ++ ++$xml = <<<XML ++<?xml version='1.0'?> ++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> ++<wddxPacket version="1.0"> ++ <var name="XXXX"> ++ <boolean value="1"> ++ <dateTime>1998-06-12T04:32:12+00</dateTime> ++ </boolean> ++ </var> ++</wddxPacket> ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++NULL +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 1b2d103..d7bd295 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -939,10 +939,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + if (!ent1->data) { + if (stack->top > 1) { + stack->top--; ++ efree(ent1); + } else { + stack->done = 1; + } +- efree(ent1); + return; + } + +@@ -981,7 +981,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + wddx_stack_top(stack, (void**)&ent2); + + /* if non-existent field */ +- if (ent2->type == ST_FIELD && ent2->data == NULL) { ++ if (ent2->data == NULL) { + zval_ptr_dtor(&ent1->data); + efree(ent1); + return; +@@ -1172,9 +1172,13 @@ int php_wddx_deserialize_ex(char *value, int vallen, zval *return_value) + + if (stack.top == 1) { + wddx_stack_top(&stack, (void**)&ent); +- *return_value = *(ent->data); +- zval_copy_ctor(return_value); +- retval = SUCCESS; ++ if(ent->data == NULL) { ++ retval = FAILURE; ++ } else { ++ *return_value = *(ent->data); ++ zval_copy_ctor(return_value); ++ retval = SUCCESS; ++ } + } else { + retval = FAILURE; + } diff --git a/bug72807.patch b/bug72807.patch new file mode 100644 index 0000000..6350b7f --- /dev/null +++ b/bug72807.patch 
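Review bot: In the second hunk the condition was widened from `ent2->type == ST_FIELD && ent2->data == NULL` to `ent2->data == NULL`, but the comment above it still reads `/* if non-existent field */`, which now understates what the branch handles; the tests show it also catching a `<var>` or `<boolean>` parent that never received data. Update it to `/* parent has no data (non-existent field, or a container that never got a value): drop this element */`. In the first hunk `efree(ent1)` was correctly moved under `stack->top > 1` so the element left on the stack when `done` is set is no longer freed early; a one-line comment there, `/* still on the stack; presumably released with it */`, would stop the next reader from moving the free back out. php_wddx_pop_element and php_wddx_deserialize_ex continue outside the hunks.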
@@ -0,0 +1,60 @@
+Backported from 5.6.25 by Remi.
+
+From 791a98eb1c66d2340b4e897ab60e4a6700435b5b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 11 Aug 2016 23:36:25 -0700
+Subject: [PATCH] Fix for bug #72807 - do not produce strings with negative
+ length
+
+---
+ Zend/zend_API.h | 7 +++++--
+ ext/curl/interface.c | 4 ++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/Zend/zend_API.h b/Zend/zend_API.h
+index a56075e..e17be4c 100644
+--- a/Zend/zend_API.h
++++ b/Zend/zend_API.h
+@@ -444,7 +444,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
+ #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
+ #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
+ #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
+-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
++#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
+
+
+ ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
+@@ -455,7 +455,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
+
+ /** Build zend_call_info/cache from a zval*
+ *
+- * Caller is responsible to provide a return value, otherwise the we will crash.
++ * Caller is responsible to provide a return value, otherwise the we will crash.
+ * fci->retval_ptr_ptr = NULL;
+ * In order to pass parameters the following members need to be set:
+ * fci->param_count = 0;
+@@ -575,6 +575,9 @@ END_EXTERN_C()
+ const char *__s=(s); \
+ zval *__z = (z); \
+ Z_STRLEN_P(__z) = strlen(__s); \
++ if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
++ zend_error(E_ERROR, "String size overflow"); \
++ } \
+ Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
+ Z_TYPE_P(__z) = IS_STRING; \
+ } while (0)
+diff --git a/ext/curl/interface.c b/ext/curl/interface.c
+index c7112a0..062f996 100644
+--- a/ext/curl/interface.c
++++ b/ext/curl/interface.c
+@@ -3506,6 +3506,10 @@ PHP_FUNCTION(curl_escape)
+ ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
+
+ if ((res = curl_easy_escape(ch->cp, str, str_len))) {
++ if (strlen(res) > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
++ RETURN_FALSE;
++ }
+ RETVAL_STRING(res, 1);
+ curl_free(res);
+ } else {
diff --git a/bug72836.patch b/bug72836.patch
new file mode 100644
index 0000000..ad6b486
--- /dev/null
+++ b/bug72836.patch
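Review bot: The guard added in the `@@ -575,6 +575,9 @@` hunk tests `Z_STRLEN_P(__z) < 0` only after the `size_t` result of `strlen(__s)` has already been narrowed into the signed length field, so it catches lengths that land in the negative `int` range but not larger ones that truncate back to a non-negative value on LP64 targets. Comparing before the narrowing, `size_t __l = strlen(__s);` / `if (UNEXPECTED(__l > INT_MAX)) { zend_error(E_ERROR, "String size overflow"); }` / `Z_STRLEN_P(__z) = (int)__l;` (each with the macro's trailing backslash), would match what the `curl_escape` hunk already does with `strlen(res) > INT_MAX`. The `@@ -444` and `@@ -455` hunks appear, in this rendering, to differ only in whitespace and could be dropped from the backport to reduce fuzz against the 5.5 tree.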
@@ -0,0 +1,56 @@
+Backported from 5.6.25 by Remi.
+
+From f973877a2f8d58b857f0f02b8a88a2ee05a1cbb0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 14 Aug 2016 23:13:30 -0700
+Subject: [PATCH] Fix bug #72836 - integer overflow in base64_decode caused
+ heap corruption
+
+---
+ ext/standard/base64.c | 5 +
+ sapi/cli/generate_mime_type_map.php | 76 +++++++
+ sapi/fpm/www.conf.in | 413 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 494 insertions(+)
+ create mode 100644 sapi/cli/generate_mime_type_map.php
+ create mode 100644 sapi/fpm/www.conf.in
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index a40b866..8340ed1 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -66,6 +66,11 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ return NULL;
+ }
+
++ if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
++ return NULL;
++ }
++
+ result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1);
+ p = result;
+
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index 8340ed1..b30a5b7 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -67,6 +67,7 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ }
+
+ if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++ TSRMLS_FETCH();
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
+ return NULL;
+ }
+
diff --git a/bug72837.patch b/bug72837.patch
new file mode 100644
index 0000000..2dfe6f4
--- /dev/null
+++ b/bug72837.patch
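Review bot: The inner diffstat still advertises `sapi/cli/generate_mime_type_map.php`, `sapi/fpm/www.conf.in` and `494 insertions(+)`, but the backported patch carries only the two `ext/standard/base64.c` hunks; `patch -p1` ignores the stat, yet a reader auditing what this backport changes is misled, and the subject line names `base64_decode` while the guarded function is `php_base64_encode`. A one-line note under `Backported from 5.6.25 by Remi.` such as `Only the base64.c hunk is carried; the unrelated sapi/ files of the upstream commit are dropped.` would make the scope explicit. The enclosing function begins and ends outside both hunks.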
@@ -0,0 +1,45 @@
+Backported from 5.6.25 by Remi.
+
+From 69236ea9793b76b778c6cd64748cfee817521118 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 15 Aug 2016 23:17:26 -0700
+Subject: [PATCH] Fix bug #72837 - integer overflow in bzdecompress caused heap
+ corruption
+
+---
+ ext/bz2/bz2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
+index 54b59f7..79ec3ec 100644
+--- a/ext/bz2/bz2.c
++++ b/ext/bz2/bz2.c
+@@ -573,15 +573,25 @@ static PHP_FUNCTION(bzdecompress)
+ /* compression is better then 2:1, need to allocate more memory */
+ bzs.avail_out = source_len;
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
++ if (size > INT_MAX) {
++ /* no reason to continue if we're going to drop it anyway */
++ break;
++ }
+ dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );
+ bzs.next_out = dest + size;
+ }
+
+ if (error == BZ_STREAM_END || error == BZ_OK) {
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
+- dest = safe_erealloc(dest, 1, (size_t) size, 1);
+- dest[size] = '\0';
+- RETVAL_STRINGL(dest, (int) size, 0);
++ if (size > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX);
++ efree(dest);
++ RETVAL_LONG(BZ_MEM_ERROR);
++ } else {
++ dest = safe_erealloc(dest, 1, (size_t) size, 1);
++ dest[size] = '\0';
++ RETVAL_STRINGL(dest, (int) size, 0);
++ }
+ } else { /* real error */
+ efree(dest);
+ RETVAL_LONG(error);
diff --git a/bug72838.patch b/bug72838.patch
new file mode 100644
index 0000000..76e8386
--- /dev/null
+++ b/bug72838.patch
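Review bot: Both new `size > INT_MAX` guards depend on `size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32`, which multiplies the high word by `UINT_MAX` rather than by 2^32 and so appears to under-count by `total_out_hi32` bytes whenever the high word is non-zero; the guards still fire in that case (any non-zero high word already exceeds `INT_MAX`), but the same value feeds `safe_erealloc` and `bzs.next_out = dest + size` in the loop. The declaration of `size` is outside the hunk; if it is a 64-bit type, `size = ((size_t)bzs.total_out_hi32 << 32) | bzs.total_out_lo32;` would be the exact form, so please confirm the type before changing it. The enclosing function begins and ends outside the hunk.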
@@ -0,0 +1,28 @@
+Backported from 5.6.25 by Remi.
+
+From 6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 15 Aug 2016 23:43:59 -0700
+Subject: [PATCH] Fix bug #72838 - Integer overflow lead to heap
+ corruption in sql_regcase
+
+---
+ ext/ereg/ereg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
+index 5d38d04..8eb833a 100644
+--- a/ext/ereg/ereg.c
++++ b/ext/ereg/ereg.c
+@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
+
+ for (i = j = 0; i < string_len; i++) {
+ c = (unsigned char) string[i];
++ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(tmp);
++ RETURN_FALSE;
++ }
+ if (isalpha(c)) {
+ tmp[j++] = '[';
+ tmp[j++] = toupper(c);
diff --git a/bug72848.patch b/bug72848.patch
new file mode 100644
index 0000000..bdf4bcc
--- /dev/null
+++ b/bug72848.patch
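Review bot: `isalpha(c)` is now evaluated twice per character, once in the new guard and again in the existing `if (isalpha(c))`, and the guard's `if ( j >= ...` spacing differs from the file's `if (` style. Hoisting it once, `int alpha = isalpha(c);`, and using `alpha` in both tests keeps the overflow bound and the write path in step if the branch is ever changed. The enclosing loop and function continue outside the hunk.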
@@ -0,0 +1,83 @@
+Backported from 5.6.25 by Remi.
+
+From 444314a2919587674c24777e56d29b4040b4fed4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 15:48:31 -0700
+Subject: [PATCH] Fix bug #72848 - integer overflow in quoted_printable_encode
+ caused heap corruption
+
+---
+ ext/standard/quot_print.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
+index 3b8c0ec..6d5835e 100644
+--- a/ext/standard/quot_print.c
++++ b/ext/standard/quot_print.c
+@@ -144,7 +144,7 @@ PHPAPI unsigned char *php_quot_print_decode(const unsigned char *str, size_t len
+ /* }}} */
+
+ #define PHP_QPRINT_MAXL 75
+-
++
+ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t length, size_t *ret_length) /* {{{ */
+ {
+ unsigned long lp = 0;
+@@ -162,9 +162,9 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
+ lp = 0;
+ } else {
+ if (iscntrl (c) || (c == 0x7f) || (c & 0x80) || (c == '=') || ((c == ' ') && (*str == '\015'))) {
+- if ((((lp+= 3) > PHP_QPRINT_MAXL) && (c <= 0x7f))
+- || ((c > 0x7f) && (c <= 0xdf) && ((lp + 3) > PHP_QPRINT_MAXL))
+- || ((c > 0xdf) && (c <= 0xef) && ((lp + 6) > PHP_QPRINT_MAXL))
++ if ((((lp+= 3) > PHP_QPRINT_MAXL) && (c <= 0x7f))
++ || ((c > 0x7f) && (c <= 0xdf) && ((lp + 3) > PHP_QPRINT_MAXL))
++ || ((c > 0xdf) && (c <= 0xef) && ((lp + 6) > PHP_QPRINT_MAXL))
+ || ((c > 0xef) && (c <= 0xf4) && ((lp + 9) > PHP_QPRINT_MAXL))) {
+ *d++ = '=';
+ *d++ = '\015';
+@@ -208,7 +208,7 @@ PHP_FUNCTION(quoted_printable_decode)
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &arg1, &arg1_len) == FAILURE) {
+ return;
+ }
+-
++
+ if (arg1_len == 0) {
+ /* shortcut */
+ RETURN_EMPTY_STRING();
+@@ -219,11 +219,11 @@ PHP_FUNCTION(quoted_printable_decode)
+ while (str_in[i]) {
+ switch (str_in[i]) {
+ case '=':
+- if (str_in[i + 1] && str_in[i + 2] &&
+- isxdigit((int) str_in[i + 1]) &&
++ if (str_in[i + 1] && str_in[i + 2] &&
++ isxdigit((int) str_in[i + 1]) &&
+ isxdigit((int) str_in[i + 2]))
+ {
+- str_out[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
++ str_out[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
+ + php_hex2int((int) str_in[i + 2]);
+ i += 3;
+ } else /* check for soft line break according to RFC 2045*/ {
+@@ -254,7 +254,7 @@ PHP_FUNCTION(quoted_printable_decode)
+ }
+ }
+ str_out[j] = '\0';
+-
++
+ RETVAL_STRINGL(str_out, j, 0);
+ }
+ /* }}} */
+@@ -275,6 +275,11 @@ PHP_FUNCTION(quoted_printable_encode)
+ }
+
+ new_str = (char *)php_quot_print_encode((unsigned char *)str, (size_t)str_len, &new_str_len);
++ if (new_str_len > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(new_str);
++ RETURN_FALSE;
++ }
+ RETURN_STRINGL(new_str, new_str_len, 0);
+ }
+ /* }}} */
diff --git a/bug72849.patch b/bug72849.patch
new file mode 100644
index 0000000..f2cd26f
--- /dev/null
+++ b/bug72849.patch
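Review bot: Of the six hunks only `@@ -275,6 +275,11 @@` changes behaviour; the other five (`@@ -144`, `-162`, `-208`, `-219`, `-254`) appear in this rendering to be trailing-whitespace cleanups that survived the backport and only add fuzz risk against the 5.5 tree. The new guard runs after `php_quot_print_encode` has already built the oversized buffer, which is acceptable as a safety net, but a short comment saying why the check is post-hoc, `/* encoder returns size_t; reject lengths RETURN_STRINGL cannot represent */`, would help the next reader. The enclosing function begins outside the hunk.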
@@ -0,0 +1,51 @@
+Backported from 5.6.25 by Remi.
+
+From dc223e524d640167c0f12e942eb52cabd6f89ee4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 15:58:05 -0700
+Subject: [PATCH] Fixed bug #72849 - integer overflow in urlencode
+
+---
+ ext/standard/url.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 4b52000..8e471e1 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ *to++ = c;
+ }
+ }
++
++ if ((to-start) > INT_MAX) {
++ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
++ }
++
+ *to = 0;
+ if (new_length) {
+ *new_length = to - start;
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 8e471e1..dd861a5 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -522,6 +522,7 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ }
+
+ if ((to-start) > INT_MAX) {
++ TSRMLS_FETCH();
+ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
+ }
diff --git a/bug72850.patch b/bug72850.patch
new file mode 100644
index 0000000..0637e84
--- /dev/null
+++ b/bug72850.patch
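Review bot: The `(to-start) > INT_MAX` check sits after the whole encoded output has been written, so it can only detect the overflow, not prevent the oversized allocation that precedes it; `len` is an `int` and the allocation is outside the hunk, so a pre-check on `len` there (rejecting inputs whose worst-case expansion cannot fit an `int`) would be the stronger fix, if the buffer is indeed sized from `len`. Since `php_error_docref` with `E_ERROR` bails out, the `*to = 0` and `*new_length` lines are unreachable on that path, which the comment could state: `/* E_ERROR bails out; nothing below runs on overflow */`. The enclosing function begins outside the hunk.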
@@ -0,0 +1,54 @@
+Backported from 5.6.25 by Remi.
+
+From c35e4cb20cdeb02d9d362c57edce11c2948effcd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:03:44 -0700
+Subject: [PATCH] Fix bug #72850 - integer overflow in uuencode
+
+---
+ ext/standard/uuencode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
+index cd35c28..a31f14d 100644
+--- a/ext/standard/uuencode.c
++++ b/ext/standard/uuencode.c
+@@ -153,7 +153,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
+ while (s < ee) {
+ if(s+4 > e) {
+ goto err;
+- }
++ }
+ *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
+ *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
+ *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));
+@@ -168,7 +168,7 @@
+ s++;
+ }
+
+- if ((len = total_len > (p - *dest))) {
++ if ((len = total_len) > (p - *dest)) {
+ *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
+ if (len > 1) {
+ *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
+@@ -188,7 +188,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
+ }
+ /* }}} */
+
+-/* {{{ proto string convert_uuencode(string data)
++/* {{{ proto string convert_uuencode(string data)
+ uuencode a string */
+ PHP_FUNCTION(convert_uuencode)
+ {
+@@ -200,6 +200,11 @@ PHP_FUNCTION(convert_uuencode)
+ }
+
+ dst_len = php_uuencode(src, src_len, &dst);
++ if (dst_len < 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(dst);
++ RETURN_FALSE;
++ }
+
+ RETURN_STRINGL(dst, dst_len, 0);
+ }
@@ -1,4 +1,4 @@
-==== PHP 5.5.38 (2016-07-21)
+==== PHP 5.5.38-2 (2016-09-10)
$ grep -r 'Tests failed' /var/lib/mock/scl55*/build.log
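Review bot: The `dst_len < 0` test in `convert_uuencode` relies on the `int` result of `php_uuencode` going negative when the encoded length does not fit, but that narrowing happens inside `php_uuencode` (outside the hunk) and conversion of an out-of-range value to `int` is implementation-defined in C, so the guard is only as reliable as that wrap-around. Bounding `src_len` before encoding (uuencode expands by roughly 4/3 plus per-line overhead) or returning an explicit error from `php_uuencode` would make the check independent of it. The `(len = total_len) > (p - *dest)` change in `php_uudecode` is a genuine precedence fix (previously `len` received the comparison result) and deserves its own sentence in the patch description rather than riding along unmentioned.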
@@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.5.38
-Release: 1%{?dist}.1
+Release: 2%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -193,6 +193,25 @@ Patch91: php-5.3.7-oci8conf.patch
# Upstream fixes (100+)
Patch100: bug72735.patch
+Patch101: bug72716.patch
+Patch102: bug72663.patch
+Patch103: bug72681.patch
+Patch104: bug72708.patch
+Patch105: bug72749.patch
+Patch106: bug70436.patch
+Patch107: bug72771.patch
+Patch108: bug72750.patch
+Patch109: bug72627.patch
+Patch110: bug72697.patch
+Patch111: bug72730.patch
+Patch112: bug72790.patch
+Patch113: bug72807.patch
+Patch114: bug72836.patch
+Patch115: bug72837.patch
+Patch116: bug72838.patch
+Patch117: bug72848.patch
+Patch118: bug72849.patch
+Patch119: bug72850.patch
# Security fixes (200+)
@@ -884,6 +903,25 @@ support for using the enchant library to PHP.
# security patches
%patch100 -p1 -b .bug72735
+%patch101 -p1 -b .bug72716
+%patch102 -p1 -b .bug72663
+%patch103 -p1 -b .bug72681
+%patch104 -p1 -b .bug72708
+%patch105 -p1 -b .bug72749
+%patch106 -p1 -b .bug70436
+%patch107 -p1 -b .bug72771
+%patch108 -p1 -b .bug72750
+%patch109 -p1 -b .bug72627
+%patch110 -p1 -b .bug72697
+%patch111 -p1 -b .bug72730
+%patch112 -p1 -b .bug72790
+%patch113 -p1 -b .bug72807
+%patch114 -p1 -b .bug72836
+%patch115 -p1 -b .bug72837
+%patch116 -p1 -b .bug72838
+%patch117 -p1 -b .bug72848
+%patch118 -p1 -b .bug72849
+%patch119 -p1 -b .bug72850
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1612,6 +1650,16 @@ fi
%endif
+%posttrans common
+cat << EOF
+
+WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
+Even, if this package includes some security fix, backported from 5.6,
+The upgrade to a maintained version is very strongly recommended.
+
+EOF
+
+
%{!?_licensedir:%global license %%doc}
%files
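Review bot: The `%posttrans common` message added in the `@@ -1612,6 +1650,16 @@` hunk reads awkwardly; `WARNING : PHP 5.5 reached its "End of Life" in July 2016.` / `Even though this package includes some security fixes backported from 5.6,` / `upgrading to a maintained version is very strongly recommended.` says the same thing in plain English. In the `%changelog` hunk that follows, `CVE-2016-7129` is listed for both `#72749` and `#70436`; one of the two ids looks like a copy-paste slip, so please check both against the upstream 5.6.25 NEWS before this metadata is relied on for vulnerability tracking.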
@@ -1778,6 +1826,40 @@ fi
%changelog
+* Mon Sep 5 2016 Remi Collet <remi@remirepo.net> 5.5.38-2
+- fix #72716: initialize buffer before read (ftp)
+- fix #72663: destroy broken object when unserializing
+ CVE-2016-7124
+- fix #72681: consume data even if we're not storing them
+ CVE-2016-7125
+- fix #72708: php_snmp_parse_oid integer overflow in memory allocation
+- fix #72749: wddx_deserialize allows illegal memory access
+ CVE-2016-7129
+- fix #70436: Use After Free Vulnerability in unserialize()
+ CVE-2016-7129
+- fix #72771: ftps:// opendir wrapper is vulnerable to protocol
+ downgrade attack
+- fix #72750: wddx_deserialize null dereference
+ CVE-2016-7130
+- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
+ CVE-2016-7128
+- fix #72697: select_colors write out-of-bounds
+ CVE-2016-7126
+- fix #72730: imagegammacorrect allows arbitrary write access
+ CVE-2016-7127
+- fix #72790: wddx_deserialize null dereference with invalid xml
+ CVE-2016-7131
+- fix #72799: wddx_deserialize null dereference in php_wddx_pop_element
+ CVE-2016-7132
+- fix #72807: do not produce strings with negative length
+- fix #72836: integer overflow in base64_decode caused heap corruption
+- fix #72837: integer overflow in bzdecompress caused heap corruption
+- fix #72838: Integer overflow lead to heap corruption in sql_regcase
+- fix #72848: integer overflow in quoted_printable_encode caused
+ heap corruption
+- fix #72849: integer overflow in urlencode
+- fix #72850: integer overflow in uuencode
+
* Fri Aug 5 2016 Remi Collet <remi@fedoraproject.org> 5.5.38-1.1
- fix #72735 regression in exif maker note parser |