Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6: Fix bug #77143 - add more checks to buffer reads Fix #77020: null pointer dereference in imap_mail
commit
66a0f061f6
@ -4128,7 +4128,6 @@ PHP_FUNCTION(imap_mail)
|
||||
if (!ZSTR_LEN(message)) {
|
||||
/* this is not really an error, so it is allowed. */
|
||||
php_error_docref(NULL, E_WARNING, "No message string in mail command");
|
||||
message = NULL;
|
||||
}
|
||||
|
||||
if (_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), headers?ZSTR_VAL(headers):NULL, cc?ZSTR_VAL(cc):NULL,
|
||||
|
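--- /dev/null
+++ b/ext/imap/tests/bug77020.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #77020 (null pointer dereference in imap_mail)
+--SKIPIF--
+<?php
+if (!extension_loaded('imap')) die('skip imap extension not available');
+?>
+--FILE--
+<?php
+imap_mail('1', 1, NULL);
+?>
+===DONE===
+--EXPECTF--
+Warning: imap_mail(): No message string in mail command in %s on line %d
+%s
+===DONE===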
@ -642,6 +642,18 @@ int phar_parse_metadata(char **buffer, zval *metadata, php_uint32 zip_metadata_l
|
||||
}
|
||||
/* }}}*/
|
||||
|
||||
/**
|
||||
* Size of fixed fields in the manifest.
|
||||
* See: http://php.net/manual/en/phar.fileformat.phar.php
|
||||
*/
|
||||
#define MANIFEST_FIXED_LEN 18
|
||||
|
||||
#define SAFE_PHAR_GET_32(buffer, endbuffer, var) \
|
||||
if (UNEXPECTED(buffer + 4 >= endbuffer)) { \
|
||||
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)"); \
|
||||
} \
|
||||
PHAR_GET_32(buffer, var);
|
||||
|
||||
/**
|
||||
* Does not check for a previously opened phar in the cache.
|
||||
*
|
||||
@ -725,12 +737,12 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
|
||||
savebuf = buffer;
|
||||
endbuffer = buffer + manifest_len;
|
||||
|
||||
if (manifest_len < 10 || manifest_len != php_stream_read(fp, buffer, manifest_len)) {
|
||||
if (manifest_len < MANIFEST_FIXED_LEN || manifest_len != php_stream_read(fp, buffer, manifest_len)) {
|
||||
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")
|
||||
}
|
||||
|
||||
/* extract the number of entries */
|
||||
PHAR_GET_32(buffer, manifest_count);
|
||||
SAFE_PHAR_GET_32(buffer, endbuffer, manifest_count);
|
||||
|
||||
if (manifest_count == 0) {
|
||||
MAPPHAR_FAIL("in phar \"%s\", manifest claims to have zero entries. Phars must have at least 1 entry");
|
||||
@ -750,7 +762,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
|
||||
return FAILURE;
|
||||
}
|
||||
|
||||
PHAR_GET_32(buffer, manifest_flags);
|
||||
SAFE_PHAR_GET_32(buffer, endbuffer, manifest_flags);
|
||||
|
||||
manifest_flags &= ~PHAR_HDR_COMPRESSION_MASK;
|
||||
manifest_flags &= ~PHAR_FILE_COMPRESSION_MASK;
|
||||
@ -970,13 +982,13 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
|
||||
}
|
||||
|
||||
/* extract alias */
|
||||
PHAR_GET_32(buffer, tmp_len);
|
||||
SAFE_PHAR_GET_32(buffer, endbuffer, tmp_len);
|
||||
|
||||
if (buffer + tmp_len > endbuffer) {
|
||||
MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)");
|
||||
}
|
||||
|
||||
if (manifest_len < 10 + tmp_len) {
|
||||
if (manifest_len < MANIFEST_FIXED_LEN + tmp_len) {
|
||||
MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")
|
||||
}
|
||||
|
||||
@ -1014,7 +1026,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
|
||||
}
|
||||
|
||||
/* we have 5 32-bit items plus 1 byte at least */
|
||||
if (manifest_count > ((manifest_len - 10 - tmp_len) / (5 * 4 + 1))) {
|
||||
if (manifest_count > ((manifest_len - MANIFEST_FIXED_LEN - tmp_len) / (5 * 4 + 1))) {
|
||||
/* prevent serious memory issues */
|
||||
MAPPHAR_FAIL("internal corruption of phar \"%s\" (too many manifest entries for size of manifest)")
|
||||
}
|
||||
@ -1023,12 +1035,12 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
|
||||
mydata->is_persistent = PHAR_G(persist);
|
||||
|
||||
/* check whether we have meta data, zero check works regardless of byte order */
|
||||
PHAR_GET_32(buffer, len);
|
||||
SAFE_PHAR_GET_32(buffer, endbuffer, len);
|
||||
if (mydata->is_persistent) {
|
||||
mydata->metadata_len = len;
|
||||
if(!len) {
|
||||
if (!len) {
|
||||
/* FIXME: not sure why this is needed but removing it breaks tests */
|
||||
PHAR_GET_32(buffer, len);
|
||||
SAFE_PHAR_GET_32(buffer, endbuffer, len);
|
||||
}
|
||||
}
|
||||
if(len > endbuffer - buffer) {
|
||||
|
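Review bot: The bound in `SAFE_PHAR_GET_32` (first hunk of phar.c) is written as `buffer + 4 >= endbuffer`, which computes a pointer that may lie past the end of the buffer before comparing it, and which also rejects a 4-byte field ending exactly at `endbuffer`; the alias check in the same function uses `buffer + tmp_len > endbuffer`, so the two bounds disagree by one byte. Comparing the remaining length instead, as the last hunk already does with `len > endbuffer - buffer`, avoids both: `if (UNEXPECTED((size_t)(endbuffer - buffer) < 4)) { \`, assuming `buffer` never passes `endbuffer` at these call sites. The macro is also a bare `if` followed by a second statement; every use visible here is a full statement inside braces, but wrapping the body in `do { ... } while (0)` would keep it correct under an unbraced `if`/`else`. phar_parse_pharfile starts and ends outside these hunks, so any plain `PHAR_GET_32` reads that remain elsewhere in the function could not be checked from this page.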
@ -13,4 +13,4 @@ echo "OK\n";
|
||||
}
|
||||
?>
|
||||
--EXPECTF--
|
||||
cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar"
|
||||
internal corruption of phar "%sbug73768.phar" (truncated manifest header)
|
||||
|
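Review bot: The expected output of the existing bug73768 test appears to change from the alias-mismatch message to `(truncated manifest header)`, which suggests the `bug73768.phar` fixture is now rejected by the stricter manifest-length check before it reaches the code path that produced the old message. If so, that path is no longer covered by this test. It would help either to regenerate the fixture so its manifest passes the new minimum length, or to state in the `--TEST--` title that the archive is now expected to fail as truncated. The start of the test file is outside this hunk, so how the fixture is built could not be checked.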
BIN
ext/phar/tests/bug77143.phar
Normal file
BIN
ext/phar/tests/bug77143.phar
Normal file
Binary file not shown.
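--- /dev/null
+++ b/ext/phar/tests/bug77143.phpt
@@ -0,0 +1,18 @@
+--TEST--
+PHP bug #77143: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile
+--INI--
+phar.readonly=0
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+var_dump(new Phar('bug77143.phar',0,'project.phar'));
+echo "OK\n";
+} catch(UnexpectedValueException $e) {
+echo $e->getMessage();
+}
+?>
+--EXPECTF--
+internal corruption of phar "%sbug77143.phar" (truncated manifest header)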