diff options
author | Remi Collet <remi@remirepo.net> | 2019-12-17 17:23:58 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-12-17 17:23:58 +0100 |
commit | 81d085a88766fd8917eb3a1b1afc8e95049b4822 (patch) | |
tree | 7fa8df4499ad430b14471d41490fe60ab7f4fd07 /php-bug78878.patch | |
parent | b1b66396debbf9f9030deda817b31e0a447be549 (diff) |
- bcmath:
Fix #78878 Buffer underflow in bc_shift_addsub
CVE-2019-11046
- core:
Fix #78862 link() silently truncates after a null byte on Windows
CVE-2019-11044
Fix #78863 DirectoryIterator class silently truncates after a null byte
CVE-2019-11045
- exif
Fix #78793 Use-after-free in exif parsing under memory sanitizer
CVE-2019-11050
Fix #78910 Heap-buffer-overflow READ in exif
CVE-2019-11047
- use oracle client library version 19.5 (18.5 on EL-6)
Diffstat (limited to 'php-bug78878.patch')
-rw-r--r-- | php-bug78878.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/php-bug78878.patch b/php-bug78878.patch new file mode 100644 index 0000000..7d54bda --- /dev/null +++ b/php-bug78878.patch @@ -0,0 +1,68 @@ +From e6614bec92634d91d2406bf9e997675b52971769 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmbecker69@gmx.de> +Date: Sat, 30 Nov 2019 12:26:37 +0100 +Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub + +We must not rely on `isdigit()` to detect digits, since we only support +decimal ASCII digits in the following processing. + +(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018) +--- + NEWS | 6 ++++++ + ext/bcmath/libbcmath/src/str2num.c | 4 ++-- + ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++ + 3 files changed, 21 insertions(+), 2 deletions(-) + create mode 100644 ext/bcmath/tests/bug78878.phpt + +diff --git a/NEWS b/NEWS +index 9d7b600cf0..5102c97629 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,12 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.26 ++ ++- Bcmath: ++ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046). ++ (cmb) ++ + Backported from 7.1.33 + + - FPM: +diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c +index c484c158e5..a5e7850160 100644 +--- a/ext/bcmath/libbcmath/src/str2num.c ++++ b/ext/bcmath/libbcmath/src/str2num.c +@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale TSRMLS_DC) + zero_int = FALSE; + if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ + while (*ptr == '0') ptr++; /* Skip leading zeros. */ +- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ ++ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ + if (*ptr == '.') ptr++; /* decimal point */ +- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ ++ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ + if ((*ptr != '\0') || (digits+strscale == 0)) + { + *num = bc_copy_num (BCG(_zero_)); +diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt +new file mode 100644 +index 0000000000..2c9d72b946 +--- /dev/null ++++ b/ext/bcmath/tests/bug78878.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #78878 (Buffer underflow in bc_shift_addsub) ++--SKIPIF-- ++<?php ++if (!extension_loaded('bcmath')) die('skip bcmath extension not available'); ++?> ++--FILE-- ++<?php ++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4)); ++?> ++--EXPECT-- ++bc math warning: non-zero scale in modulus ++0 |