1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
|
From 6639124e6e1fbfe81a6afe5ee9f0a1fee24d0856 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 20 Jan 2020 21:42:44 -0800
Subject: [PATCH] Fix bug #79037 (global buffer-overflow in
`mbfl_filt_conv_big5_wchar`)
(cherry picked from commit 2bcbc95f033c31b00595ed39f79c3a99b4ed0501)
---
ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++-----
ext/mbstring/tests/bug79037.phpt | 10 ++++++++++
2 files changed, 22 insertions(+), 5 deletions(-)
create mode 100644 ext/mbstring/tests/bug79037.phpt
diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
index f5ab8809ce..5e1ca815da 100644
--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c
+++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c
@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = {
{0xf70f,0xf848,0xc740,0xc8fe},
};
+static inline int is_in_cp950_pua(int c1, int c) {
+ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
+ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) {
+ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe);
+ }
+ if (c1 == 0xc6) {
+ return c >= 0xa1 && c <= 0xfe;
+ }
+ return 0;
+}
+
/*
* Big5 => wchar
*/
@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter)
if (filter->from->no_encoding == mbfl_no_encoding_cp950) {
/* PUA for CP950 */
- if (w <= 0 &&
- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8))
- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) ||
- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) {
+ if (w <= 0 && is_in_cp950_pua(c1, c)) {
c2 = c1 << 8 | c;
for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) {
if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) {
diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt
new file mode 100644
index 0000000000..94ff01a4a1
--- /dev/null
+++ b/ext/mbstring/tests/bug79037.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar`
+--FILE--
+<?php
+
+var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950"));
+
+?>
+--EXPECT--
+string(1) "?"
From 18d8f6f9033a35b33e4bbf8590cd6e653b45b6d7 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 21 Jan 2020 09:06:34 +0100
Subject: [PATCH] update NEWS
---
NEWS | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/NEWS b/NEWS
index 25d352f784..e311fc78cc 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,18 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 7.2.27
+
+- Mbstring:
+ . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`).
+ (CVE-2020-7060) (Nikita)
+
+- Session:
+ . Fixed bug #79091 (heap use-after-free in session_create_id()). (cmb, Nikita)
+
+- Standard:
+ . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb)
+
Backported from 7.2.26
- Bcmath:
|