diff options
| author | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
| commit | 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch) | |
| tree | 9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a /php-bug77370.patch | |
| parent | 022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff) | |
- core:
Fix #77369 memcpy with negative length via crafted DNS response
- mbstring:
Fix #77370 buffer overflow on mb regex functions - fetch_token
Fix #77371 heap buffer overflow in mb regex functions compile_string_node
Fix #77381 heap buffer overflow in multibyte match_at
Fix #77382 heap buffer overflow in expand_case_fold_string
Fix #77385 buffer overflow in fetch_token
Fix #77394 buffer overflow in multibyte case folding - unicode
Fix #77418 heap overflow in utf32be_mbc_to_code
- phar:
Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext
- xmlrpc:
Fix #77242 heap out of bounds read in xmlrpc_decode
Fix #77380 global out of bounds read in xmlrpc base64 code
Diffstat (limited to 'php-bug77370.patch')
| -rw-r--r-- | php-bug77370.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/php-bug77370.patch b/php-bug77370.patch new file mode 100644 index 0000000..b85944a --- /dev/null +++ b/php-bug77370.patch @@ -0,0 +1,66 @@ +From deb06bbb9cbb31292fc219501614a8c3ff25bb11 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 19:51:24 -0800 +Subject: [PATCH] Fix bug #77370 - check that we do not read past buffer end + when parsing multibytes + +--- + ext/mbstring/oniguruma/regparse.c | 9 +++++++++ + ext/mbstring/tests/bug77370.phpt | 13 +++++++++++++ + 2 files changed, 22 insertions(+) + create mode 100644 ext/mbstring/tests/bug77370.phpt + +diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c +index d2925f1e81b0..252ca1871202 100644 +--- a/ext/mbstring/oniguruma/regparse.c ++++ b/ext/mbstring/oniguruma/regparse.c +@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + } + #endif + ++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) ++# define UNEXPECTED(condition) __builtin_expect(condition, 0) ++#else ++# define UNEXPECTED(condition) (condition) ++#endif ++ + /* scan pattern methods */ + #define PEND_VALUE 0 + +@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) + c = ONIGENC_MBC_TO_CODE(enc, p, end); \ + pfetch_prev = p; \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + + #define PINC_S do { \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + #define PFETCH_S(c) do { \ + c = ONIGENC_MBC_TO_CODE(enc, p, end); \ + p += ONIGENC_MBC_ENC_LEN(enc, p); \ ++ if(UNEXPECTED(p > end)) p = end; \ + } while (0) + + #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE) +diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt +new file mode 100644 +index 000000000000..c4d25582fe3b +--- /dev/null ++++ b/ext/mbstring/tests/bug77370.phpt +@@ -0,0 +1,13 @@ ++--TEST-- ++Bug #77370 (Buffer overflow on mb regex functions - fetch_token) ++--SKIPIF-- ++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> ++--FILE-- ++<?php ++var_dump(mb_split(" \xfd","")); ++?> ++--EXPECT-- ++array(1) { ++ [0]=> ++ string(0) "" ++} |