authorRemi Collet <remi@remirepo.net>2019-01-09 14:51:03 +0100
committerRemi Collet <remi@remirepo.net>2019-01-09 14:51:03 +0100
commit8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch)
tree9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a /php-bug77380.patch
parent022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff)
- core:
Fix #77369 memcpy with negative length via crafted DNS response - mbstring: Fix #77370 buffer overflow on mb regex functions - fetch_token Fix #77371 heap buffer overflow in mb regex functions compile_string_node Fix #77381 heap buffer overflow in multibyte match_at Fix #77382 heap buffer overflow in expand_case_fold_string Fix #77385 buffer overflow in fetch_token Fix #77394 buffer overflow in multibyte case folding - unicode Fix #77418 heap overflow in utf32be_mbc_to_code - phar: Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc: Fix #77242 heap out of bounds read in xmlrpc_decode Fix #77380 global out of bounds read in xmlrpc base64 code
Diffstat (limited to 'php-bug77380.patch')
-rw-r--r--php-bug77380.patch57
1 files changed, 57 insertions, 0 deletions
diff --git a/php-bug77380.patch b/php-bug77380.patch
new file mode 100644
index 0000000..4aea7b5
--- /dev/null
+++ b/php-bug77380.patch
@@ -0,0 +1,57 @@
+From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 1 Jan 2019 17:15:20 -0800
+Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64
+ code)
+
+---
+ ext/xmlrpc/libxmlrpc/base64.c | 4 ++--
+ ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug77380.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
+index 5ebdf31f7ade..a4fa19327b76 100644
+--- a/ext/xmlrpc/libxmlrpc/base64.c
++++ b/ext/xmlrpc/libxmlrpc/base64.c
+@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
+
+ while (!hiteof) {
+ unsigned char igroup[3], ogroup[4];
+- int c, n;
++ int c, n;
+
+ igroup[0] = igroup[1] = igroup[2] = 0;
+ for (n = 0; n < 3; n++) {
+@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
+ return;
+ }
+
+- if (dtable[c] & 0x80) {
++ if (dtable[(unsigned char)c] & 0x80) {
+ /*
+ fprintf(stderr, "Offset %i length %i\n", offset, length);
+ fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
+diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt
+new file mode 100644
+index 000000000000..8559c07a5aea
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77380.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #77380 (Global out of bounds read in xmlrpc base64 code)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo=")));
++?>
++--EXPECT--
++object(stdClass)#1 (2) {
++ ["scalar"]=>
++ string(0) ""
++ ["xmlrpc_type"]=>
++ string(6) "base64"
++}
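Review bot: The cast in `if (dtable[(unsigned char)c] & 0x80)` guards only this one lookup, while `c` stays an `int` that can apparently be negative; the commented-out debug line just below still reads `dtable[c]`, so re-enabling it would bring back the out-of-bounds read. That comment should be updated to match, `fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[(unsigned char)c]);`, or better, the byte should be converted to `unsigned char` once where it is assigned to `c`, which is outside this hunk (base64_decode_xmlrpc starts and ends outside it). The cast allows indices up to 255, so it is worth confirming that `dtable` is declared with at least 256 entries, since its declaration is not visible here. The hunk in base64_encode_xmlrpc changes only whitespace on `int c, n;` and could be dropped from a security backport to keep the patch minimal.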