diff options
| author | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
| commit | 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch) | |
| tree | 9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a /php-bug77247.patch | |
| parent | 022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff) | |
- core:
Fix #77369 memcpy with negative length via crafted DNS response
- mbstring:
Fix #77370 buffer overflow on mb regex functions - fetch_token
Fix #77371 heap buffer overflow in mb regex functions compile_string_node
Fix #77381 heap buffer overflow in multibyte match_at
Fix #77382 heap buffer overflow in expand_case_fold_string
Fix #77385 buffer overflow in fetch_token
Fix #77394 buffer overflow in multibyte case folding - unicode
Fix #77418 heap overflow in utf32be_mbc_to_code
- phar:
Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext
- xmlrpc:
Fix #77242 heap out of bounds read in xmlrpc_decode
Fix #77380 global out of bounds read in xmlrpc base64 code
Diffstat (limited to 'php-bug77247.patch')
| -rw-r--r-- | php-bug77247.patch | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/php-bug77247.patch b/php-bug77247.patch new file mode 100644 index 0000000..6a2c8b4 --- /dev/null +++ b/php-bug77247.patch @@ -0,0 +1,49 @@ +Backported for 7.0 by Remi + + +From 78bd3477745f1ada9578a79f61edb41886bec1cb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 18:25:37 -0800 +Subject: [PATCH] Fix bug #77247 (heap buffer overflow in + phar_detect_phar_fname_ext) + +--- + ext/phar/phar.c | 2 +- + ext/phar/tests/bug77247.phpt | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug77247.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 82a9ef31943a..0d2173195c32 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -2021,7 +2021,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha + } + + while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) { +- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1); ++ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1); + if (!pos) { + return FAILURE; + } +diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt +new file mode 100644 +index 000000000000..588975f9f2f8 +--- /dev/null ++++ b/ext/phar/tests/bug77247.phpt +@@ -0,0 +1,14 @@ ++--TEST-- ++PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) ++--SKIPIF-- ++<?php if (!extension_loaded("phar")) die("skip"); ?> ++--FILE-- ++<?php ++try { ++var_dump(new Phar('a/.b', 0,'test.phar')); ++} catch(UnexpectedValueException $e) { ++ echo "OK"; ++} ++?> ++--EXPECT-- ++OK +\ No newline at end of file |