diff options
-rw-r--r-- | bug77242.patch | 42 | ||||
-rw-r--r-- | bug77380.patch | 52 | ||||
-rw-r--r-- | php.spec | 10 |
3 files changed, 103 insertions, 1 deletions
diff --git a/bug77242.patch b/bug77242.patch new file mode 100644 index 0000000..485ed8a --- /dev/null +++ b/bug77242.patch @@ -0,0 +1,42 @@ +From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 17:56:36 -0800 +Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) + +--- + ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++ + ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++ + 2 files changed, 13 insertions(+) + create mode 100644 ext/xmlrpc/tests/bug77242.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c +index 56642d46142e..eeec5379bf68 100644 +--- a/ext/xmlrpc/libxmlrpc/xml_element.c ++++ b/ext/xmlrpc/libxmlrpc/xml_element.c +@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI + long byte_idx = XML_GetCurrentByteIndex(parser); + /* int byte_total = XML_GetCurrentByteCount(parser); */ + const char * error_str = XML_ErrorString(err_code); ++ if(byte_idx > len) { ++ byte_idx = len; ++ } + if(byte_idx >= 0) { + snprintf(buf, + sizeof(buf), +diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt +new file mode 100644 +index 000000000000..542c06311f74 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77242.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77242 (heap out of bounds read in xmlrpc_decode()) ++--SKIPIF-- ++<?php if (!extension_loaded("xmlrpc")) print "skip"; ?> ++--FILE-- ++<?php ++var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk"))); ++?> ++--EXPECT-- ++NULL +\ No newline at end of file diff --git a/bug77380.patch b/bug77380.patch new file mode 100644 index 0000000..1308863 --- /dev/null +++ b/bug77380.patch @@ -0,0 +1,52 @@ +Backported for 5.5 from: + + + +From 1cc2182bcc81e185c14837e659d12b268cb99d63 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 1 Jan 2019 17:15:20 -0800 +Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64 + code) + +--- + ext/xmlrpc/libxmlrpc/base64.c | 4 ++-- + ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug77380.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c +index 5ebdf31f7ade..a4fa19327b76 100644 +--- a/ext/xmlrpc/libxmlrpc/base64.c ++++ b/ext/xmlrpc/libxmlrpc/base64.c +@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) + return; + } + +- if (dtable[c] & 0x80) { ++ if (dtable[(unsigned char)c] & 0x80) { + /* + fprintf(stderr, "Offset %i length %i\n", offset, length); + fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); +diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt +new file mode 100644 +index 000000000000..8559c07a5aea +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77380.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #77380 (Global out of bounds read in xmlrpc base64 code) ++--SKIPIF-- ++<?php ++if (!extension_loaded("xmlrpc")) print "skip"; ++?> ++--FILE-- ++<?php ++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo="))); ++?> ++--EXPECT-- ++object(stdClass)#1 (2) { ++ ["scalar"]=> ++ string(0) "" ++ ["xmlrpc_type"]=> ++ string(6) "base64" ++} @@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.5.38 -Release: 10%{?dist} +Release: 11%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -253,6 +253,8 @@ Patch157: bug76582.patch Patch158: bug77153.patch Patch159: bug77020.patch Patch160: bug77231.patch +Patch161: bug77242.patch +Patch162: bug77380.patch # Security fixes (200+) @@ -1006,6 +1008,8 @@ support for using the enchant library to PHP. %patch158 -p1 -b .bug77153 %patch159 -p1 -b .bug77020 %patch160 -p1 -b .bug77231 +%patch161 -p1 -b .bug77242 +%patch162 -p1 -b .bug77380 : ------------------------ @@ -1918,6 +1922,10 @@ EOF %changelog +* Fri Jan 11 2019 Remi Collet <remi@remirepo.net> - 5.5.38-11 +- Fix #77242 heap out of bounds read in xmlrpc_decode +- Fix #77380 Global out of bounds read in xmlrpc base64 code + * Mon Dec 10 2018 Remi Collet <remi@remirepo.net> - 5.5.38-10 - Fix #77231 Segfault when using convert.quoted-printable-encode filter - Fix #77020 null pointer dereference in imap_mail |