diff options
-rw-r--r-- | bug73631.patch | 142 | ||||
-rw-r--r-- | failed.txt | 2 | ||||
-rw-r--r-- | php.spec | 13 |
3 files changed, 152 insertions, 5 deletions
diff --git a/bug73631.patch b/bug73631.patch new file mode 100644 index 0000000..98f5cc4 --- /dev/null +++ b/bug73631.patch @@ -0,0 +1,142 @@ +Backported from 5.6.29 by Remi. + + +From 66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 5 Dec 2016 21:40:55 -0800 +Subject: [PATCH] Fix bug #73631 - Invalid read when wddx decodes empty boolean + element + +--- + ext/wddx/tests/bug73631.phpt | 19 +++++++++++++++++++ + ext/wddx/wddx.c | 5 +++++ + 2 files changed, 24 insertions(+) + create mode 100644 ext/wddx/tests/bug73631.phpt + +diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt +new file mode 100644 +index 0000000..5e37ae8 +--- /dev/null ++++ b/ext/wddx/tests/bug73631.phpt +@@ -0,0 +1,19 @@ ++--TEST-- ++Bug #73631 (Memory leak due to invalid wddx stack processing) ++--SKIPIF-- ++<?php if (!extension_loaded("wddx")) print "skip"; ?> ++--FILE-- ++<?php ++$xml = <<<EOF ++<?xml version="1.0" ?> ++<wddxPacket version="1.0"> ++<number>1234</number> ++<binary><boolean/></binary> ++</wddxPacket> ++EOF; ++$wddx = wddx_deserialize($xml); ++var_dump($wddx); ++?> ++--EXPECTF-- ++int(1234) ++ +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 069ea12..0cee16b 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -805,6 +805,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); + break; + } ++ } else { ++ ent.type = ST_BOOLEAN; ++ SET_STACK_VARNAME; ++ ZVAL_FALSE(&ent.data); ++ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); + } + } else if (!strcmp(name, EL_NULL)) { + ent.type = ST_NULL; +From 331db73eab1008b30069137f27ebd1e7a42de28a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 5 Dec 2016 22:32:59 -0800 +Subject: [PATCH] This still leaks memory, I don't have enough knowledge in + WDDX code to fix them :( + +--- + ext/wddx/tests/bug73631.phpt | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt +index 5e37ae8..880ada5 100644 +--- a/ext/wddx/tests/bug73631.phpt ++++ b/ext/wddx/tests/bug73631.phpt +@@ -2,6 +2,8 @@ + Bug #73631 (Memory leak due to invalid wddx stack processing) + --SKIPIF-- + <?php if (!extension_loaded("wddx")) print "skip"; ?> ++--XFAIL-- ++Still has memory leaks, not sure how to fix them. + --FILE-- + <?php + $xml = <<<EOF +@@ -16,4 +18,3 @@ var_dump($wddx); + ?> + --EXPECTF-- + int(1234) +- +From e64d104a9b43bd48da5260b4a91d42f4a71fd1c4 Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Tue, 6 Dec 2016 14:34:27 +0100 +Subject: [PATCH] fix leak, take on 5.6 + +--- + ext/wddx/tests/bug73631.phpt | 2 -- + ext/wddx/wddx.c | 2 ++ + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt +index 880ada5..1fcde72d 100644 +--- a/ext/wddx/tests/bug73631.phpt ++++ b/ext/wddx/tests/bug73631.phpt +@@ -2,8 +2,6 @@ + Bug #73631 (Memory leak due to invalid wddx stack processing) + --SKIPIF-- + <?php if (!extension_loaded("wddx")) print "skip"; ?> +---XFAIL-- +-Still has memory leaks, not sure how to fix them. + --FILE-- + <?php + $xml = <<<EOF +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 0cee16b..9394a59 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -1050,6 +1050,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + } else { + zend_hash_next_index_insert(target_hash, &ent1->data, sizeof(zval *), NULL); + } ++ } else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) { ++ zval_ptr_dtor(&ent1->data); + } + efree(ent1); + } else { +From 864f3bda5aba2c1982e9bf77ecfd6901eb404a7e Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Tue, 6 Dec 2016 16:12:39 +0100 +Subject: [PATCH] fix leak, take 2 + +--- + ext/wddx/wddx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 9394a59..72d2408 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -1050,7 +1050,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + } else { + zend_hash_next_index_insert(target_hash, &ent1->data, sizeof(zval *), NULL); + } +- } else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) { ++ } else if (!strcmp(name, EL_BINARY) && Z_STRLEN_P(ent1->data) < 1) { + zval_ptr_dtor(&ent1->data); + } + efree(ent1); @@ -1,4 +1,4 @@ -==== PHP 5.5.38-5 (2016-11-09) +==== PHP 5.5.38-6 (2016-12-10) $ grep -r 'Tests failed' /var/lib/mock/scl55*/build.log @@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.5.38 -Release: 5%{?dist} +Release: 6%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -241,6 +241,7 @@ Patch145: bug73331.patch Patch146: bug73144.patch Patch147: bug73418.patch Patch148: bug73356.patch +Patch149: bug73631.patch # Security fixes (200+) @@ -982,6 +983,7 @@ support for using the enchant library to PHP. %patch146 -p1 -b .bug73144 %patch147 -p1 -b .bug73418 %patch148 -p1 -b .bug73356 +%patch149 -p1 -b .bug73631 : ------------------------ # Fixes for tests @@ -1887,16 +1889,20 @@ EOF %changelog -* Wed Nov 9 2016 Remi Collet <remi@remirepo.net> 5.5.38-5 +* Sat Dec 10 2016 Remi Collet <remi@remirepo.net> - 5.5.38-6 +- fix #73631: Invalid read when wddx decodes empty boolean element + +* Wed Nov 9 2016 Remi Collet <remi@remirepo.net> - 5.5.38-5 - fix #73418: Integer Overflow in "_php_imap_mail" leads Heap Overflow - fix #73144: Use-after-free in ArrayObject Deserialization - fix #73356: crash in bzcompress function - fix #73331: NULL Pointer Deref. in WDDX Packet Deserialization with PDORow -* Sat Oct 15 2016 Remi Collet <remi@remirepo.net> 5.5.38-4 +* Sat Oct 15 2016 Remi Collet <remi@remirepo.net> - 5.5.38-4 - fix #73189: Memcpy negative size parameter php_resolve_path - fix #72581: previous property undefined in Exception after deserialization - fix #73147: Use After Free in unserialize + CVE-2016-9137 - fix #73190: memcpy negative parameter _bc_new_num_ex - fix #73150: missing NULL check in dom_document_save_html - fix #73284: heap overflow in php_ereg_replace function @@ -1906,7 +1912,6 @@ EOF - fix #73082: string length overflow in mb_encode_* function - fix #73174: heap overflow in php_pcre_replace_impl - fix #73275: crash in openssl_encrypt function -- fix #73275: crash in openssl_encrypt function - fix #73293: NULL pointer dereference in SimpleXMLElement::asXML - fix #73240: Write out of bounds at number_format - fix #73017: memory corruption in wordwrap function |