summaryrefslogtreecommitdiffstats
path: root/bug73293.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug73293.patch')
-rw-r--r--bug73293.patch179
1 files changed, 179 insertions, 0 deletions
diff --git a/bug73293.patch b/bug73293.patch
new file mode 100644
index 0000000..5be3171
--- /dev/null
+++ b/bug73293.patch
@@ -0,0 +1,179 @@
+Backported from 5.6.27 by Remi.
+
+
+From 19866fb76cf4c95d904ebb0e08592cf38303fae9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 1 Sep 2016 23:15:34 -0700
+Subject: [PATCH] Fix various int size overflows.
+
+Add function for detection of string zvals with length that does not fit
+INT_MAX.
+---
+ Zend/zend_API.c | 61 ++++++++++++++---
+ Zend/zend_API.h | 14 ++++
+ Zend/zend_alloc.c | 9 +++
+ Zend/zend_alloc.h | 4 +-
+ ext/imap/php_imap.c | 28 +++++---
+ ext/ldap/ldap.c | 2 +-
+ ext/pcre/php_pcre.c | 14 ++--
+ ext/pgsql/pgsql.c | 186 +++++++++++++++++++++++++-------------------------
+ ext/standard/string.c | 23 +++----
+ ext/xml/xml.c | 4 +-
+ ext/zlib/zlib.c | 8 +--
+ 11 files changed, 210 insertions(+), 143 deletions(-)
+
+diff --git a/Zend/zend_API.h b/Zend/zend_API.h
+index e17be4c..3e191b6 100644
+--- a/Zend/zend_API.h
++++ b/Zend/zend_API.h
+@@ -642,6 +642,21 @@ END_EXTERN_C()
+ #define RETURN_FALSE { RETVAL_FALSE; return; }
+ #define RETURN_TRUE { RETVAL_TRUE; return; }
+
++/* Check that returned string length fits int */
++#define RETVAL_STRINGL_CHECK(s, len, dup) do { \
++ size_t __len = (len); \
++ if (UNEXPECTED(__len > INT_MAX)) { \
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max is %d", INT_MAX); \
++ if(!(dup)) { \
++ efree((s)); \
++ } \
++ RETURN_FALSE; \
++ } \
++ RETVAL_STRINGL((s), __len, (dup)); \
++} while (0)
++
++
++
+ #define SET_VAR_STRING(n, v) { \
+ { \
+ zval *var; \
+
+
+From 96a8cf8e1b5dc1b0c708bb5574e0d6727cc56d9e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 11 Oct 2016 13:30:52 -0700
+Subject: [PATCH] Fix bug #73293 - NULL pointer dereference in
+ SimpleXMLElement::asXML()
+
+---
+ Zend/zend_API.h | 2 +-
+ ext/simplexml/simplexml.c | 33 +++++++++++++++++++++++----------
+ 2 files changed, 24 insertions(+), 11 deletions(-)
+
+diff --git a/Zend/zend_API.h b/Zend/zend_API.h
+index c57c003..dadeaf5 100644
+--- a/Zend/zend_API.h
++++ b/Zend/zend_API.h
+@@ -652,7 +652,7 @@ END_EXTERN_C()
+ } \
+ RETURN_FALSE; \
+ } \
+- RETVAL_STRINGL((s), __len, (dup)); \
++ RETVAL_STRINGL((s), (int)__len, (dup)); \
+ } while (0)
+
+
+diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
+index 07fc654..d7077fc 100644
+--- a/ext/simplexml/simplexml.c
++++ b/ext/simplexml/simplexml.c
+@@ -989,7 +989,7 @@ static inline char * sxe_xmlNodeListGetString(xmlDocPtr doc, xmlNodePtr list, in
+ {
+ xmlChar *tmp = xmlNodeListGetString(doc, list, inLine);
+ char *res;
+-
++
+ if (tmp) {
+ res = estrdup((char*)tmp);
+ xmlFree(tmp);
+@@ -1147,7 +1147,7 @@ static HashTable * sxe_get_prop_hash(zval *object, int is_debug TSRMLS_DC) /* {{
+ } else {
+ if (node->type == XML_TEXT_NODE) {
+ const xmlChar *cur = node->content;
+-
++
+ if (*cur != 0) {
+ MAKE_STD_ZVAL(value);
+ ZVAL_STRING(value, sxe_xmlNodeListGetString(node->doc, node, 1), 0);
+@@ -1198,7 +1198,7 @@ next_iter:
+ static HashTable * sxe_get_gc(zval *object, zval ***table, int *n TSRMLS_DC) /* {{{ */ {
+ php_sxe_object *sxe;
+ sxe = php_sxe_fetch_object(object TSRMLS_CC);
+-
++
+ *table = NULL;
+ *n = 0;
+ return sxe->properties;
+@@ -1302,7 +1302,7 @@ SXE_METHOD(xpath)
+ result = retval->nodesetval;
+
+ array_init(return_value);
+-
++
+ if (result != NULL) {
+ for (i = 0; i < result->nodeNr; ++i) {
+ nodeptr = result->nodeTab[i];
+@@ -1412,9 +1412,15 @@ SXE_METHOD(asXML)
+ if (node) {
+ if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) {
+ xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, ((xmlDocPtr) sxe->document->ptr)->encoding);
+- RETVAL_STRINGL((char *)strval, strval_len, 1);
++ if (!strval) {
++ RETVAL_FALSE;
++ } else {
++ RETVAL_STRINGL((char *)strval, strval_len, 1);
++ }
+ xmlFree(strval);
+ } else {
++ char *return_content;
++ size_t return_len;
+ /* Should we be passing encoding information instead of NULL? */
+ outbuf = xmlAllocOutputBuffer(NULL);
+
+@@ -1425,10 +1431,17 @@ SXE_METHOD(asXML)
+ xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, ((xmlDocPtr) sxe->document->ptr)->encoding);
+ xmlOutputBufferFlush(outbuf);
+ #ifdef LIBXML2_NEW_BUFFER
+- RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf), 1);
++ return_content = (char *)xmlOutputBufferGetContent(outbuf);
++ return_len = xmlOutputBufferGetSize(outbuf);
+ #else
+- RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use, 1);
++ return_content = (char *)outbuf->buffer->content;
++ return_len = outbuf->buffer->use;
+ #endif
++ if (!return_content) {
++ RETVAL_FALSE;
++ } else {
++ RETVAL_STRINGL_CHECK(return_content, return_len, 1);
++ }
+ xmlOutputBufferClose(outbuf);
+ }
+ } else {
+@@ -1542,11 +1555,11 @@ SXE_METHOD(getDocNamespaces)
+ }else{
+ GET_NODE(sxe, node);
+ }
+-
++
+ if (node == NULL) {
+ RETURN_FALSE;
+ }
+-
++
+ array_init(return_value);
+ sxe_add_registered_namespaces(sxe, node, recursive, return_value TSRMLS_CC);
+ }
+@@ -1933,7 +1946,7 @@ SXE_METHOD(count)
+ }
+
+ php_sxe_count_elements_helper(sxe, &count TSRMLS_CC);
+-
++
+ RETURN_LONG(count);
+ }
+ /* }}} */
+--
+2.1.4
+