diff options
author | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
---|---|---|
committer | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
commit | 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch) | |
tree | 9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a | |
parent | 022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff) |
- core:
Fix #77369 memcpy with negative length via crafted DNS response
- mbstring:
Fix #77370 buffer overflow on mb regex functions - fetch_token
Fix #77371 heap buffer overflow in mb regex functions compile_string_node
Fix #77381 heap buffer overflow in multibyte match_at
Fix #77382 heap buffer overflow in expand_case_fold_string
Fix #77385 buffer overflow in fetch_token
Fix #77394 buffer overflow in multibyte case folding - unicode
Fix #77418 heap overflow in utf32be_mbc_to_code
- phar:
Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext
- xmlrpc:
Fix #77242 heap out of bounds read in xmlrpc_decode
Fix #77380 global out of bounds read in xmlrpc base64 code
-rw-r--r-- | failed.txt | 6 | ||||
-rw-r--r-- | php-bug77242.patch | 45 | ||||
-rw-r--r-- | php-bug77247.patch | 49 | ||||
-rw-r--r-- | php-bug77369.patch | 42 | ||||
-rw-r--r-- | php-bug77370.patch | 66 | ||||
-rw-r--r-- | php-bug77371.patch | 41 | ||||
-rw-r--r-- | php-bug77380.patch | 57 | ||||
-rw-r--r-- | php-bug77381.patch | 158 | ||||
-rw-r--r-- | php-bug77418.patch | 103 | ||||
-rw-r--r-- | php.spec | 39 |
10 files changed, 603 insertions, 3 deletions
@@ -1,4 +1,4 @@ -===== 7.0.33 (2018-12-06) +===== 7.0.33-2 (2019-01-10) $ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log @@ -8,9 +8,11 @@ $ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log /var/lib/mock/scl70fc26x/build.log:Tests failed : 0 /var/lib/mock/scl70fc27x/build.log:Tests failed : 0 /var/lib/mock/scl70fc28x/build.log:Tests failed : 0 -/var/lib/mock/scl70fc29x/build.log:Tests failed : 0 +/var/lib/mock/scl70fc29x/build.log:Tests failed : 1 +fc29x: + 1 Bug #64438 proc_open hangs with stdin/out with 4097+ bytes [ext/standard/tests/streams/proc_open_bug64438.phpt] 1 proc_open give erratic test results :( diff --git a/php-bug77242.patch b/php-bug77242.patch new file mode 100644 index 0000000..b6afc78 --- /dev/null +++ b/php-bug77242.patch @@ -0,0 +1,45 @@ +Backported for 7.0 by Remi + + +From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 17:56:36 -0800 +Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) + +--- + ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++ + ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++ + 2 files changed, 13 insertions(+) + create mode 100644 ext/xmlrpc/tests/bug77242.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c +index 56642d46142e..eeec5379bf68 100644 +--- a/ext/xmlrpc/libxmlrpc/xml_element.c ++++ b/ext/xmlrpc/libxmlrpc/xml_element.c +@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI + long byte_idx = XML_GetCurrentByteIndex(parser); + /* int byte_total = XML_GetCurrentByteCount(parser); */ + const char * error_str = XML_ErrorString(err_code); ++ if(byte_idx > len) { ++ byte_idx = len; ++ } + if(byte_idx >= 0) { + snprintf(buf, + sizeof(buf), +diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt +new file mode 100644 +index 000000000000..542c06311f74 +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77242.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77242 (heap out of bounds read in xmlrpc_decode()) ++--SKIPIF-- ++<?php if (!extension_loaded("xmlrpc")) print "skip"; ?> ++--FILE-- ++<?php ++var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk"))); ++?> ++--EXPECT-- ++NULL +\ No newline at end of file diff --git a/php-bug77247.patch b/php-bug77247.patch new file mode 100644 index 0000000..6a2c8b4 --- /dev/null +++ b/php-bug77247.patch @@ -0,0 +1,49 @@ +Backported for 7.0 by Remi + + +From 78bd3477745f1ada9578a79f61edb41886bec1cb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 18:25:37 -0800 +Subject: [PATCH] Fix bug #77247 (heap buffer overflow in + phar_detect_phar_fname_ext) + +--- + ext/phar/phar.c | 2 +- + ext/phar/tests/bug77247.phpt | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug77247.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 82a9ef31943a..0d2173195c32 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -2021,7 +2021,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha + } + + while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) { +- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1); ++ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1); + if (!pos) { + return FAILURE; + } +diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt +new file mode 100644 +index 000000000000..588975f9f2f8 +--- /dev/null ++++ b/ext/phar/tests/bug77247.phpt +@@ -0,0 +1,14 @@ ++--TEST-- ++PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--FILE-- ++<?php ++try { ++var_dump(new Phar('a/.b', 0,'test.phar')); ++} catch(UnexpectedValueException $e) { ++ echo "OK"; ++} ++?> ++--EXPECT-- ++OK +\ No newline at end of file diff --git a/php-bug77369.patch b/php-bug77369.patch new file mode 100644 index 0000000..21fb348 --- /dev/null +++ b/php-bug77369.patch @@ -0,0 +1,42 @@ +Backported for 7.0 by Remi + + +From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 20:39:08 -0800 +Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS + response + +--- + ext/standard/dns.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ext/standard/dns.c b/ext/standard/dns.c +index 8e102f816f6e..b5fbcb96f968 100644 +--- a/ext/standard/dns.c ++++ b/ext/standard/dns.c +@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u + GETLONG(ttl, cp); + GETSHORT(dlen, cp); + CHECKCP(dlen); ++ if (dlen == 0) { ++ /* No data in the response - nothing to do */ ++ return NULL; ++ } + if (type_to_fetch != T_ANY && type != type_to_fetch) { + cp += dlen; + return cp; +@@ -549,7 +553,12 @@ static u_char *php_parserr(u_char *cp, u + CHECKCP(n); + add_assoc_stringl(subarray, "tag", (char*)cp, n); + cp += n; +- add_assoc_string(subarray, "value", (char*)cp); ++ if ( (size_t) dlen < ((size_t)n) + 2 ) { ++ return NULL; ++ } ++ n = dlen - n - 2; ++ CHECKCP(n); ++ add_assoc_stringl(subarray, "value", (char*)cp, n); + break; + case DNS_T_TXT: + { diff --git a/php-bug77370.patch b/php-bug77370.patch new file mode 100644 index 0000000..b85944a --- /dev/null +++ b/php-bug77370.patch @@ -0,0 +1,66 @@ +From deb06bbb9cbb31292fc219501614a8c3ff25bb11 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 19:51:24 -0800 +Subject: [PATCH] Fix bug #77370 - check that we do not read past buffer end + when parsing multibytes + +--- + ext/mbstring/oniguruma/regparse.c | 9 +++++++++ + ext/mbstring/tests/bug77370.phpt | 13 +++++++++++++ + 2 files changed, 22 insertions(+) + create mode 100644 ext/mbstring/tests/bug77370.phpt + +diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c +index d2925f1e81b0..252ca1871202 100644 +--- a/ext/mbstring/oniguruma/regparse.c ++++ b/ext/mbstring/oniguruma/regparse.c +@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + } + #endif + ++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) ++# define UNEXPECTED(condition) __builtin_expect(condition, 0) ++#else ++# define UNEXPECTED(condition) (condition) ++#endif ++ + /* scan pattern methods */ + #define PEND_VALUE 0 + +@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + c = ONIGENC_MBC_TO_CODE(enc, p, end); \ + pfetch_prev = p; \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + + #define PINC_S do { \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + #define PFETCH_S(c) do { \ + c = ONIGENC_MBC_TO_CODE(enc, p, end); \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + + #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE) +diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt +new file mode 100644 +index 000000000000..c4d25582fe3b +--- /dev/null ++++ b/ext/mbstring/tests/bug77370.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #77370 (Buffer overflow on mb regex functions - fetch_token) ++--SKIPIF-- ++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> ++--FILE-- ++<?php ++var_dump(mb_split(" \xfd","")); ++?> ++--EXPECT-- ++array(1) { ++ [0]=> ++ string(0) "" ++} diff --git a/php-bug77371.patch b/php-bug77371.patch new file mode 100644 index 0000000..e574827 --- /dev/null +++ b/php-bug77371.patch @@ -0,0 +1,41 @@ +From c6e34d91b88638966662caac62c4d0e90538e317 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 20:06:08 -0800 +Subject: [PATCH] Fix bug #77371 (heap buffer overflow in mb regex functions - + compile_string_node) + +--- + ext/mbstring/oniguruma/regcomp.c | 1 + + ext/mbstring/tests/bug77371.phpt | 10 ++++++++++ + 2 files changed, 11 insertions(+) + create mode 100644 ext/mbstring/tests/bug77371.phpt + +diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c +index b93ca948a773..c72d65d6942f 100644 +--- a/ext/mbstring/oniguruma/regcomp.c ++++ b/ext/mbstring/oniguruma/regcomp.c +@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg) + + for (; p < end; ) { + len = enclen(enc, p); ++ if (p + len > end) len = end - p; + if (len == prev_len) { + slen++; + } +diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt +new file mode 100644 +index 000000000000..f23445bd0917 +--- /dev/null ++++ b/ext/mbstring/tests/bug77371.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) ++--SKIPIF-- ++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> ++--FILE-- ++<?php ++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc","")) ++?> ++--EXPECT-- ++bool(false) +\ No newline at end of file diff --git a/php-bug77380.patch b/php-bug77380.patch new file mode 100644 index 0000000..4aea7b5 --- /dev/null +++ b/php-bug77380.patch @@ -0,0 +1,57 @@ +From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 1 Jan 2019 17:15:20 -0800 +Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64 + code) + +--- + ext/xmlrpc/libxmlrpc/base64.c | 4 ++-- + ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++ + 2 files changed, 19 insertions(+), 2 deletions(-) + create mode 100644 ext/xmlrpc/tests/bug77380.phpt + +diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c +index 5ebdf31f7ade..a4fa19327b76 100644 +--- a/ext/xmlrpc/libxmlrpc/base64.c ++++ b/ext/xmlrpc/libxmlrpc/base64.c +@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length) + + while (!hiteof) { + unsigned char igroup[3], ogroup[4]; +- int c, n; ++ int c, n; + + igroup[0] = igroup[1] = igroup[2] = 0; + for (n = 0; n < 3; n++) { +@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) + return; + } + +- if (dtable[c] & 0x80) { ++ if (dtable[(unsigned char)c] & 0x80) { + /* + fprintf(stderr, "Offset %i length %i\n", offset, length); + fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); +diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt +new file mode 100644 +index 000000000000..8559c07a5aea +--- /dev/null ++++ b/ext/xmlrpc/tests/bug77380.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #77380 (Global out of bounds read in xmlrpc base64 code) ++--SKIPIF-- ++<?php ++if (!extension_loaded("xmlrpc")) print "skip"; ++?> ++--FILE-- ++<?php ++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo="))); ++?> ++--EXPECT-- ++object(stdClass)#1 (2) { ++ ["scalar"]=> ++ string(0) "" ++ ["xmlrpc_type"]=> ++ string(6) "base64" ++} diff --git a/php-bug77381.patch b/php-bug77381.patch new file mode 100644 index 0000000..7494049 --- /dev/null +++ b/php-bug77381.patch @@ -0,0 +1,158 @@ +From 31f59e1f3074ab344b473dde6077a6844ca87264 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 2 Jan 2019 00:36:30 -0800 +Subject: [PATCH] Fix more issues with encodilng length + +Should fix bug #77381, bug #77382, bug #77385, bug #77394. +--- + ext/mbstring/oniguruma/enc/unicode.c | 1 + + ext/mbstring/oniguruma/regcomp.c | 11 +++++------ + ext/mbstring/oniguruma/regparse.c | 10 +++------- + ext/mbstring/oniguruma/regparse.h | 12 ++++++++++++ + ext/mbstring/tests/bug77371.phpt | 2 +- + ext/mbstring/tests/bug77381.phpt | 16 ++++++++++++++++ + 6 files changed, 38 insertions(+), 14 deletions(-) + create mode 100644 ext/mbstring/tests/bug77381.phpt + +diff --git a/ext/mbstring/oniguruma/enc/unicode.c b/ext/mbstring/oniguruma/enc/unicode.c +index e13429f51e9c..9f86095896b6 100644 +--- a/ext/mbstring/oniguruma/enc/unicode.c ++++ b/ext/mbstring/oniguruma/enc/unicode.c +@@ -10989,6 +10989,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc, + + code = ONIGENC_MBC_TO_CODE(enc, p, end); + len = enclen(enc, p); ++ if (*pp + len > end) len = end - *pp; + *pp += len; + + #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI +diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c +index c72d65d6942f..820257341f54 100644 +--- a/ext/mbstring/oniguruma/regcomp.c ++++ b/ext/mbstring/oniguruma/regcomp.c +@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, regex_t* reg) + ambig = NSTRING_IS_AMBIG(node); + + p = prev = sn->s; +- prev_len = enclen(enc, p); ++ SAFE_ENC_LEN(enc, p, sn->end, prev_len); + p += prev_len; + slen = 1; + rlen = 0; + + for (; p < sn->end; ) { +- len = enclen(enc, p); ++ SAFE_ENC_LEN(enc, p, sn->end, len); + if (len == prev_len) { + slen++; + } +@@ -518,13 +518,12 @@ compile_string_node(Node* node, regex_t* reg) + ambig = NSTRING_IS_AMBIG(node); + + p = prev = sn->s; +- prev_len = enclen(enc, p); ++ SAFE_ENC_LEN(enc, p, end, prev_len); + p += prev_len; + slen = 1; + + for (; p < end; ) { +- len = enclen(enc, p); +- if (p + len > end) len = end - p; ++ SAFE_ENC_LEN(enc, p, end, len); + if (len == prev_len) { + slen++; + } +@@ -3391,7 +3390,7 @@ expand_case_fold_string(Node* node, regex_t* reg) + goto err; + } + +- len = enclen(reg->enc, p); ++ SAFE_ENC_LEN(reg->enc, p, end, len); + + if (n == 0) { + if (IS_NULL(snode)) { +diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c +index 252ca1871202..fcfaf4378c06 100644 +--- a/ext/mbstring/oniguruma/regparse.c ++++ b/ext/mbstring/oniguruma/regparse.c +@@ -246,12 +246,6 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + } + #endif + +-#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) +-# define UNEXPECTED(condition) __builtin_expect(condition, 0) +-#else +-# define UNEXPECTED(condition) (condition) +-#endif +- + /* scan pattern methods */ + #define PEND_VALUE 0 + +@@ -3589,7 +3583,9 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) + tok->u.code = (OnigCodePoint )num; + } + else { /* string */ +- p = tok->backp + enclen(enc, tok->backp); ++ int len; ++ SAFE_ENC_LEN(enc, tok->backp, end, len); ++ p = tok->backp + len; + } + break; + } +diff --git a/ext/mbstring/oniguruma/regparse.h b/ext/mbstring/oniguruma/regparse.h +index 0c5c2c936c04..bcab03ed5892 100644 +--- a/ext/mbstring/oniguruma/regparse.h ++++ b/ext/mbstring/oniguruma/regparse.h +@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex_t*); + #endif + #endif + ++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) ++# define UNEXPECTED(condition) __builtin_expect(condition, 0) ++#else ++# define UNEXPECTED(condition) (condition) ++#endif ++ ++#define SAFE_ENC_LEN(enc, p, end, res) do { \ ++ int __res = enclen(enc, p); \ ++ if (UNEXPECTED(p + __res > end)) __res = end - p; \ ++ res = __res; \ ++} while(0); ++ + #endif /* REGPARSE_H */ +diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt +index f23445bd0917..33e5fc115c96 100644 +--- a/ext/mbstring/tests/bug77371.phpt ++++ b/ext/mbstring/tests/bug77371.phpt +@@ -4,7 +4,7 @@ Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) + <?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> + --FILE-- + <?php +-var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc","")) ++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc","")); + ?> + --EXPECT-- + bool(false) +\ No newline at end of file +diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt +new file mode 100644 +index 000000000000..cb83759fc09b +--- /dev/null ++++ b/ext/mbstring/tests/bug77381.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #77381 (heap buffer overflow in multibyte match_at) ++--SKIPIF-- ++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> ++--FILE-- ++<?php ++var_dump(mb_ereg("000||0\xfa","0")); ++var_dump(mb_ereg("(?i)000000000000000000000\xf0","")); ++var_dump(mb_ereg("0000\\"."\xf5","0")); ++var_dump(mb_ereg("(?i)FFF00000000000000000\xfd","")); ++?> ++--EXPECT-- ++int(1) ++bool(false) ++bool(false) ++bool(false) diff --git a/php-bug77418.patch b/php-bug77418.patch new file mode 100644 index 0000000..7810cf6 --- /dev/null +++ b/php-bug77418.patch @@ -0,0 +1,103 @@ +From 9d6c59eeea88a3e9d7039cb4fed5126ef704593a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 6 Jan 2019 23:31:15 -0800 +Subject: [PATCH] Fix bug #77418 - Heap overflow in utf32be_mbc_to_code + +--- + NEWS | 7 ++++--- + ext/mbstring/oniguruma/enc/utf16_be.c | 4 +++- + ext/mbstring/oniguruma/enc/utf16_le.c | 3 ++- + ext/mbstring/oniguruma/enc/utf32_be.c | 1 + + ext/mbstring/oniguruma/enc/utf32_le.c | 1 + + ext/mbstring/tests/bug77418.phpt | 14 ++++++++++++++ + 6 files changed, 25 insertions(+), 5 deletions(-) + create mode 100644 ext/mbstring/tests/bug77418.phpt + +diff --git a/ext/mbstring/oniguruma/enc/utf16_be.c b/ext/mbstring/oniguruma/enc/utf16_be.c +index 1e909ebbf293..9e2f73b0735e 100644 +--- a/ext/mbstring/oniguruma/enc/utf16_be.c ++++ b/ext/mbstring/oniguruma/enc/utf16_be.c +@@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++utf16be_mbc_to_code(const UChar* p, const UChar* end) + { + OnigCodePoint code; + + if (UTF16_IS_SURROGATE_FIRST(*p)) { ++ if (end - p < 4) return 0; + code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16) + + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8) + + p[3]; + } + else { ++ if (end - p < 2) return 0; + code = p[0] * 256 + p[1]; + } + return code; +diff --git a/ext/mbstring/oniguruma/enc/utf16_le.c b/ext/mbstring/oniguruma/enc/utf16_le.c +index 5cc07591173a..580f8dffa2f4 100644 +--- a/ext/mbstring/oniguruma/enc/utf16_le.c ++++ b/ext/mbstring/oniguruma/enc/utf16_le.c +@@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++utf16le_mbc_to_code(const UChar* p, const UChar* end) + { + OnigCodePoint code; + UChar c0 = *p; + UChar c1 = *(p+1); + + if (UTF16_IS_SURROGATE_FIRST(c1)) { ++ if (end - p < 4) return 0; + code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16) + + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8) + + p[2]; +diff --git a/ext/mbstring/oniguruma/enc/utf32_be.c b/ext/mbstring/oniguruma/enc/utf32_be.c +index b4f822607c89..5295f26b1e59 100644 +--- a/ext/mbstring/oniguruma/enc/utf32_be.c ++++ b/ext/mbstring/oniguruma/enc/utf32_be.c +@@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end) + static OnigCodePoint + utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) + { ++ if (end - p < 4) return 0; + return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]); + } + +diff --git a/ext/mbstring/oniguruma/enc/utf32_le.c b/ext/mbstring/oniguruma/enc/utf32_le.c +index 8f413bfc74e1..a78c4d0abcc7 100644 +--- a/ext/mbstring/oniguruma/enc/utf32_le.c ++++ b/ext/mbstring/oniguruma/enc/utf32_le.c +@@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end) + static OnigCodePoint + utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) + { ++ if (end - p < 4) return 0; + return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]); + } + +diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt +new file mode 100644 +index 000000000000..b4acc45c2117 +--- /dev/null ++++ b/ext/mbstring/tests/bug77418.phpt +@@ -0,0 +1,14 @@ ++--TEST-- ++Bug #77371 (Heap overflow in utf32be_mbc_to_code) ++--SKIPIF-- ++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> ++--FILE-- ++<?php ++mb_regex_encoding("UTF-32"); ++var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000")); ++?> ++--EXPECT-- ++array(1) { ++ [0]=> ++ string(30) "000000000000000000000000000000" ++} @@ -126,7 +126,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: %{upver}%{?rcver:~%{rcver}} -Release: 1%{?dist} +Release: 2%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -187,8 +187,17 @@ Patch91: php-5.6.3-oci8conf.patch # Upstream fixes (100+) Patch100: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch Patch101: https://github.com/php/php-src/commit/2ef8809ef3beb5f58b81dcff49bdcde4d2cb8426.patch +Patch102: php-openssl-cert.patch # Security fixes (200+) +Patch200: php-bug77242.patch +Patch201: php-bug77247.patch +Patch202: php-bug77370.patch +Patch203: php-bug77371.patch +Patch204: php-bug77380.patch +Patch205: php-bug77381.patch +Patch206: php-bug77369.patch +Patch207: php-bug77418.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -919,8 +928,19 @@ support for JavaScript Object Notation (JSON) to PHP. # upstream patches %patch100 -p1 -b .up1 %patch101 -p1 -b .up2 +%patch102 -p1 -b .up3 # security patches +%patch200 -p1 -b .bug77242 +%patch201 -p1 -b .bug77247 +%patch202 -p1 -b .bug77370 +%patch203 -p1 -b .bug77371 +%patch204 -p1 -b .bug77380 +%patch205 -p1 -b .bug77381 +%patch206 -p1 -b .bug77369 +%patch207 -p1 -b .bug77418 +: --------------------------- +#exit 1 # Fixes for tests %patch300 -p1 -b .datetests @@ -1854,6 +1874,23 @@ fi %changelog +* Wed Jan 9 2019 Remi Collet <remi@remirepo.net> - 7.0.33-2 +- core: + Fix #77369 memcpy with negative length via crafted DNS response +- mbstring: + Fix #77370 buffer overflow on mb regex functions - fetch_token + Fix #77371 heap buffer overflow in mb regex functions compile_string_node + Fix #77381 heap buffer overflow in multibyte match_at + Fix #77382 heap buffer overflow in expand_case_fold_string + Fix #77385 buffer overflow in fetch_token + Fix #77394 buffer overflow in multibyte case folding - unicode + Fix #77418 heap overflow in utf32be_mbc_to_code +- phar: + Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext +- xmlrpc: + Fix #77242 heap out of bounds read in xmlrpc_decode + Fix #77380 global out of bounds read in xmlrpc base64 code + * Wed Dec 5 2018 Remi Collet <remi@remirepo.net> - 7.0.33-1 - Update to 7.0.33 - http://www.php.net/releases/7_0_33.php - use oracle client library version 18.3 |