From b547e1358d3846fad4cd0c86e2d2e9f5a9039b35 Mon Sep 17 00:00:00 2001 From: Marc Bennewitz Date: Mon, 28 Apr 2014 19:58:10 +0200 Subject: [PATCH 01/51] Improved logarithm of base 2 and 10 of standard math functions --- ext/standard/config.m4 | 2 +- ext/standard/math.c | 27 ++++++++++++++++++++------- 2 files changed, 21 insertions(+), 8 deletions(-) diff --git a/ext/standard/config.m4 b/ext/standard/config.m4 index c1f5aff7c25..e1f9941790b 100644 --- a/ext/standard/config.m4 +++ b/ext/standard/config.m4 @@ -337,7 +337,7 @@ fi dnl dnl Check for available functions dnl -AC_CHECK_FUNCS(getcwd getwd asinh acosh atanh log1p hypot glob strfmon nice fpclass isinf isnan mempcpy strpncpy) +AC_CHECK_FUNCS(getcwd getwd asinh acosh atanh log1p log2 hypot glob strfmon nice fpclass isinf isnan mempcpy strpncpy) AC_FUNC_FNMATCH dnl diff --git a/ext/standard/math.c b/ext/standard/math.c index 72f6d51c6fa..b33b6e28da5 100644 --- a/ext/standard/math.c +++ b/ext/standard/math.c @@ -697,22 +697,35 @@ PHP_FUNCTION(log1p) PHP_FUNCTION(log) { double num, base = 0; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "d|d", &num, &base) == FAILURE) { return; } + if (ZEND_NUM_ARGS() == 1) { RETURN_DOUBLE(log(num)); } + +#ifdef HAVE_LOG2 + if (base == 2.0) { + RETURN_DOUBLE(log2(num)); + } +#endif + + if (base == 10.0) { + RETURN_DOUBLE(log10(num)); + } + + if (base == 1.0) { + RETURN_DOUBLE(php_get_nan()); + } + if (base <= 0.0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "base must be greater than 0"); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "base must be greater than 0"); RETURN_FALSE; } - if (base == 1) { - RETURN_DOUBLE(php_get_nan()); - } else { - RETURN_DOUBLE(log(num) / log(base)); - } + + RETURN_DOUBLE(log(num) / log(base)); } /* }}} */ From d339ddf4176f6beb1c4c68f977d2cae010a87c4b Mon Sep 17 00:00:00 2001 
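Review bot: Because the base-2 fast path sits inside `#ifdef HAVE_LOG2`, a call with base 2 takes `log2(num)` on some builds and `log(num) / log(base)` on others, so results can differ in the last bits between platforms. Nothing in the hunk records that this is accepted. A comment above the guard would state the intent, for example `/* use the dedicated libm routines for base 2 and 10; log(num)/log(base) is not exact for exact powers */`. The special cases now also run before the `base <= 0.0` check, which is harmless here but worth a word since the order changed.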
From: Aidas Kasparas Date: Thu, 22 May 2014 09:54:44 +0300 Subject: [PATCH 02/51] Bug #41577 fix: reinitialization of dotnet_domain structure member --- ext/com_dotnet/com_dotnet.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/ext/com_dotnet/com_dotnet.c b/ext/com_dotnet/com_dotnet.c index 0aa1a2a9c7c..073f40f83a2 100644 --- a/ext/com_dotnet/com_dotnet.c +++ b/ext/com_dotnet/com_dotnet.c @@ -198,7 +198,8 @@ PHP_FUNCTION(com_dotnet_create_instance) IUnknown *unk = NULL; php_com_initialize(TSRMLS_C); - if (COMG(dotnet_runtime_stuff) == NULL) { + stuff = (struct dotnet_runtime_stuff*)COMG(dotnet_runtime_stuff); + if (stuff == NULL) { hr = dotnet_init(&where TSRMLS_CC); if (FAILED(hr)) { char buf[1024]; @@ -210,9 +211,35 @@ PHP_FUNCTION(com_dotnet_create_instance) ZVAL_NULL(object); return; } - } + stuff = (struct dotnet_runtime_stuff*)COMG(dotnet_runtime_stuff); - stuff = (struct dotnet_runtime_stuff*)COMG(dotnet_runtime_stuff); + } else if (stuff->dotnet_domain == NULL) { + where = "ICorRuntimeHost_GetDefaultDomain"; + hr = ICorRuntimeHost_GetDefaultDomain(stuff->dotnet_host, &unk); + if (FAILED(hr)) { + char buf[1024]; + char *err = php_win32_error_to_msg(hr); + snprintf(buf, sizeof(buf), "Failed to re-init .Net domain [%s] %s", where, err); + if (err) + LocalFree(err); + php_com_throw_exception(hr, buf TSRMLS_CC); + ZVAL_NULL(object); + return; + } + + where = "QI: System._AppDomain"; + hr = IUnknown_QueryInterface(unk, &IID_mscorlib_System_AppDomain, (LPVOID*)&stuff->dotnet_domain); + if (FAILED(hr)) { + char buf[1024]; + char *err = php_win32_error_to_msg(hr); + snprintf(buf, sizeof(buf), "Failed to re-init .Net domain [%s] %s", where, err); + if (err) + LocalFree(err); + php_com_throw_exception(hr, buf TSRMLS_CC); + ZVAL_NULL(object); + return; + } + } obj = CDNO_FETCH(object); From 08334293f8883c2bcbb74ed10b8133672fee8706 Mon Sep 17 00:00:00 2001 
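Review bot: In the new `else if (stuff->dotnet_domain == NULL)` branch, the `unk` reference returned by `ICorRuntimeHost_GetDefaultDomain` is not released on the `IUnknown_QueryInterface` failure path, which returns straight after `php_com_throw_exception`. Add `IUnknown_Release(unk);` before that `return`. The success path in the hunk does not release it either, so unless code after `obj = CDNO_FETCH(object);` (outside the hunk) does, `IUnknown_Release(unk); unk = NULL;` is needed after the QueryInterface call. The two failure blocks differ only in `where` and could share one error exit.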
From: Remi Collet Date: Fri, 6 Jun 2014 14:16:04 +0200 Subject: [PATCH 03/51] Fix bug #67390 insecure temporary file use in the configure script --- acinclude.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acinclude.m4 b/acinclude.m4 index ddf72857839..2681b79f643 100644 --- a/acinclude.m4 +++ b/acinclude.m4 @@ -1700,7 +1700,7 @@ int main(int argc, char *argv[]) { FILE *fp; long position; - char *filename = "/tmp/phpglibccheck"; + char *filename = tmpnam(NULL); fp = fopen(filename, "w"); if (fp == NULL) { From d400b74296989afadddc960db5ad103bf61e51d0 Mon Sep 17 00:00:00 2001 From: Sara Golemon Date: Tue, 10 Jun 2014 11:18:02 -0700 Subject: [PATCH 04/51] Fix potential segfault in dns_get_record() If the remote sends us a packet with a malformed TXT record, we could end up trying to over-consume the packet and wander off into overruns. --- ext/standard/dns.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ext/standard/dns.c b/ext/standard/dns.c index 8e24a817ffc..67ea459ea22 100644 --- a/ext/standard/dns.c +++ b/ext/standard/dns.c @@ -507,6 +507,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int while (ll < dlen) { n = cp[ll]; + if ((ll + n) >= dlen) { + // Invalid chunk length, truncate + n = dlen - (ll + 1); + } memcpy(tp + ll , cp + ll + 1, n); add_next_index_stringl(entries, cp + ll + 1, n, 1); ll = ll + n + 1; From d780c2a673ef25166aaec994f14bfec4f57ab8dd Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 11 May 2014 18:44:14 -0700 Subject: [PATCH 05/51] Fix bug #67249: printf out-of-bounds read --- ext/standard/formatted_print.c | 6 ++++-- ext/standard/tests/strings/bug67249.phpt | 8 ++++++++ 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 ext/standard/tests/strings/bug67249.phpt diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c index d69b79bf3d2..383ca1a5bb3 100644 --- a/ext/standard/formatted_print.c +++ b/ext/standard/formatted_print.c 
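Review bot: `tmpnam(NULL)` on the added line only picks a name, and the file is created later by `fopen(filename, "w")`, so the path can still be claimed by another local user between the two calls. The predictable `/tmp` name is gone but the race is not. Creating the file atomically closes the window: `char filename[] = "/tmp/phpglibccheckXXXXXX";`, `int fd = mkstemp(filename);`, `fp = fdopen(fd, "w");`. Alternatively, write a `conftest` file in the build directory, as autoconf checks usually do. The rest of this test program's main() is outside the hunk; any later reopen or unlink of `filename` there needs the same care.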
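Review bot: The clamp added before `memcpy` bounds each TXT chunk by `dlen` only, so the copy is safe only if `dlen` has itself been checked against the bytes actually left in the answer buffer. That check is not visible in this hunk and should be confirmed in the part of php_parserr outside it. A malformed record is also silently truncated and still handed to the caller; if that is intended, the comment should say so, for example `/* chunk length runs past the record's data length: keep only the bytes the record holds */`. A `/* */` comment would also be safer than `//` if this file is still built as C89.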
@@ -379,6 +379,7 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC int alignment, currarg, adjusting, argnum, width, precision; char *format, *result, padding; int always_sign; + int format_len; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "+", &args, &argc) == FAILURE) { return NULL; @@ -417,11 +418,12 @@ php_formatted_print(int ht, int *len, int use_array, int format_offset TSRMLS_DC convert_to_string_ex(args[format_offset]); format = Z_STRVAL_PP(args[format_offset]); + format_len = Z_STRLEN_PP(args[format_offset]); result = emalloc(size); currarg = 1; - while (inpos +--EXPECT-- +string(0) "" From 3c328f09840c58698cedd6bbd30bdc8a24f5b41f Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 11 May 2014 19:34:21 -0700 Subject: [PATCH 06/51] Fix bug #67251 - date_parse_from_format out-of-bounds read Conflicts: ext/date/lib/parse_date.c ext/date/lib/parse_date.re --- ext/date/lib/parse_date.c | 6 +++++- ext/date/lib/parse_date.re | 6 +++++- ext/date/tests/bug67251.phpt | 38 ++++++++++++++++++++++++++++++++++++ 3 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 ext/date/tests/bug67251.phpt diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c index 8583f30a595..a3364ef7f8d 100644 --- a/ext/date/lib/parse_date.c +++ b/ext/date/lib/parse_date.c @@ -25121,7 +25121,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim break; case '\\': /* escaped char */ - *fptr++; + if(!fptr[1]) { + add_pbf_error(s, "Escaped character expected", string, begin); + break; + } + fptr++; if (*ptr == *fptr) { ++ptr; } else { diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re index b130fd0e574..1fbd6705922 100644 --- a/ext/date/lib/parse_date.re +++ b/ext/date/lib/parse_date.re 
@@ -2128,7 +2128,11 @@ timelib_time *timelib_parse_from_format(char *format, char *string, int len, tim break; case '\\': /* escaped char */ - *fptr++; + if(!fptr[1]) { + add_pbf_error(s, "Escaped character expected", string, begin); + break; + } + fptr++; if (*ptr == *fptr) { ++ptr; } else { diff --git a/ext/date/tests/bug67251.phpt b/ext/date/tests/bug67251.phpt new file mode 100644 index 00000000000..68c56a1613b --- /dev/null +++ b/ext/date/tests/bug67251.phpt @@ -0,0 +1,38 @@ +--TEST-- +Bug #67251 (date_parse_from_format out-of-bounds read) +--INI-- +date.timezone=Europe/Berlin +--FILE-- + + bool(false) + ["month"]=> + bool(false) + ["day"]=> + bool(false) + ["hour"]=> + bool(false) + ["minute"]=> + bool(false) + ["second"]=> + bool(false) + ["fraction"]=> + bool(false) + ["warning_count"]=> + int(0) + ["warnings"]=> + array(0) { + } + ["error_count"]=> + int(2) + ["errors"]=> + array(1) { + [0]=> + string(13) "Trailing data" + } + ["is_localtime"]=> + bool(false) +} From f3230e35221f5d440480de3871416f8d000991df Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Sun, 25 Nov 2012 11:45:36 +0800 Subject: [PATCH 07/51] let make test report the run-test result --- Makefile.global | 2 ++ 1 file changed, 2 insertions(+) diff --git a/Makefile.global b/Makefile.global index 8dad0e4bf14..3a5b1c2018e 100644 --- a/Makefile.global +++ b/Makefile.global @@ -98,7 +98,9 @@ test: all TEST_PHP_SRCDIR=$(top_srcdir) \ CC="$(CC)" \ $(PHP_EXECUTABLE) -n -c $(top_builddir)/tmp-php.ini $(PHP_TEST_SETTINGS) $(top_srcdir)/run-tests.php -n -c $(top_builddir)/tmp-php.ini -d extension_dir=$(top_builddir)/modules/ $(PHP_TEST_SHARED_EXTENSIONS) $(TESTS); \ + TEST_RESULT_EXIT_CODE=$$?; \ rm $(top_builddir)/tmp-php.ini; \ + exit $$TEST_RESULT_EXIT_CODE; \ else \ echo "ERROR: Cannot run tests without CLI sapi."; \ fi From eca037a51dd007032c9ef28bd931e02863e6440d Mon Sep 17 00:00:00 2001 
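Review bot: The new guard in `case '\\'` has no comment saying what it protects against. The same lines are also patched by hand into parse_date.c, which appears to be generated output of this file. Suggest a comment on the check, `/* a trailing backslash has nothing to escape: report it instead of stepping onto the terminator */`, and regenerating parse_date.c from the .re so the two cannot drift. `if(!fptr[1])` would also read more clearly as `if (fptr[1] == '\0')`. The enclosing switch and loop of timelib_parse_from_format are outside the hunk.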
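Review bot: The `else` branch still ends with only `echo "ERROR: Cannot run tests without CLI sapi.";`, so `make test` exits 0 when no CLI binary was built. A CI job that relies on the exit status would pass without running a single test. Adding `exit 1; \` after that echo makes the failure visible in the same way as the new `exit $$TEST_RESULT_EXIT_CODE`. The start of the `test:` recipe is outside the hunk.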
From: Stanislav Malyshev Date: Sun, 8 Dec 2013 15:37:35 -0800 Subject: [PATCH 08/51] Fix bug #65873 - Integer overflow in exif_read_data() --- ext/exif/exif.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 4f67bdd0462..862e92b5fb1 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2874,7 +2874,12 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) { + /* + dir_entry is ImageInfo->file.list[sn].data+2+i*12 + offset_base is ImageInfo->file.list[sn].data-dir_offset + dir_entry - offset_base is dir_offset+2+i*12 + */ + if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) { /* It is important to check for IMAGE_FILETYPE_TIFF * JPEG does not use absolute pointers instead its pointers are * relative to the start of the TIFF header in APP1 section. */ From a0bb3fd6793fe16dbf4d3b5eb3413093088a6b37 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 27 Nov 2013 11:13:16 +0100 Subject: [PATCH 09/51] Fixed bug #66060 (Heap buffer over-read in DateInterval) Conflicts: ext/date/lib/parse_iso_intervals.c --- ext/date/lib/parse_iso_intervals.c | 2 +- ext/date/lib/parse_iso_intervals.re | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/date/lib/parse_iso_intervals.c b/ext/date/lib/parse_iso_intervals.c index 94dddaa1369..07c5b763840 100644 --- a/ext/date/lib/parse_iso_intervals.c +++ b/ext/date/lib/parse_iso_intervals.c @@ -415,7 +415,7 @@ yy6: break; } ptr++; - } while (*ptr); + } while (!s->errors->error_count && *ptr); s->have_period = 1; TIMELIB_DEINIT; return TIMELIB_PERIOD; 
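Review bot: `value_ptr = offset_base+offset_val;` is still computed before `offset_val` is validated, and the retained `value_ptr < dir_entry` test depends on how that out-of-range pointer arithmetic behaves, which C leaves undefined. The added `offset_val < (size_t)(dir_entry-offset_base)` expresses the same lower bound in integer form. The pointer comparison could therefore be dropped and the assignment moved below the check, if the branches that follow (outside the hunk) allow it. The `(size_t)` cast is correct only while `dir_entry >= offset_base`, which the new comment implies but the hunk does not show.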
diff --git a/ext/date/lib/parse_iso_intervals.re b/ext/date/lib/parse_iso_intervals.re index 56aa34d8e00..c5e9f677ba2 100644 --- a/ext/date/lib/parse_iso_intervals.re +++ b/ext/date/lib/parse_iso_intervals.re @@ -383,7 +383,7 @@ isoweek = year4 "-"? "W" weekofyear; break; } ptr++; - } while (*ptr); + } while (!s->errors->error_count && *ptr); s->have_period = 1; TIMELIB_DEINIT; return TIMELIB_PERIOD; From 0335d2ef3efbcb5f45e753a34fd7b74188997d87 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 24 Apr 2014 19:30:34 +0200 Subject: [PATCH 10/51] Fixed bug #66307 Fileinfo crashes with powerpoint files Conflicts: ext/fileinfo/libmagic/readcdf.c ext/fileinfo/tests/finfo_file_002.phpt --- ext/fileinfo/libmagic/readcdf.c | 5 ++++- ext/fileinfo/tests/finfo_file_002.phpt | 4 +++- ext/fileinfo/tests/resources/test.ppt | Bin 0 -> 99840 bytes 3 files changed, 7 insertions(+), 2 deletions(-) create mode 100644 ext/fileinfo/tests/resources/test.ppt diff --git a/ext/fileinfo/libmagic/readcdf.c b/ext/fileinfo/libmagic/readcdf.c index 0c28ffbfa81..dc6bcf094bd 100644 --- a/ext/fileinfo/libmagic/readcdf.c +++ b/ext/fileinfo/libmagic/readcdf.c @@ -56,6 +56,8 @@ cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info, const char *s; int len; + memset(&ts, 0, sizeof(ts)); + for (i = 0; i < count; i++) { cdf_print_property_name(buf, sizeof(buf), info[i].pi_id); switch (info[i].pi_type) { @@ -142,10 +144,11 @@ cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info, return -1; } else { char *c, *ec; + const time_t sec = ts.tv_sec; if (cdf_timestamp_to_timespec(&ts, tp) == -1) { return -1; } - c = cdf_ctime(&ts.tv_sec); + c = cdf_ctime(&sec); if ((ec = strchr(c, '\n')) != NULL) *ec = '\0'; diff --git a/ext/fileinfo/tests/finfo_file_002.phpt b/ext/fileinfo/tests/finfo_file_002.phpt index 3593233c399..c3f83886593 100644 --- a/ext/fileinfo/tests/finfo_file_002.phpt +++ b/ext/fileinfo/tests/finfo_file_002.phpt 
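Review bot: In the second readcdf.c hunk, `const time_t sec = ts.tv_sec;` is initialised before `cdf_timestamp_to_timespec(&ts, tp)` fills `ts`. As a result `cdf_ctime(&sec)` formats whatever `ts` held beforehand (zero from the new `memset`, or the value left by an earlier property) rather than the timestamp just converted. Declare `time_t sec;` and assign `sec = ts.tv_sec;` after the conversion succeeds, then pass `&sec`. cdf_file_property_info begins and ends outside the hunk.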
@@ -18,7 +18,7 @@ ksort($results); var_dump($results); ?> --EXPECTF-- -array(7) { +array(8) { ["%s/resources/dir.zip"]=> string(15) "application/zip" ["%s/resources/test.awk"]=> @@ -33,4 +33,6 @@ array(7) { string(15) "application/pdf" ["%s/resources/test.png"]=> string(9) "image/png" + ["%s/resources/test.ppt"]=> + string(29) "application/vnd.ms-powerpoint" } 
diff --git a/ext/fileinfo/tests/resources/test.ppt b/ext/fileinfo/tests/resources/test.ppt new file mode 100644 index 0000000000000000000000000000000000000000..713004c03de6359e80b862977884a39ec8e520c6 GIT binary patch literal 99840 zcmeEubzD|U+wMbmcc*ltq(~{!ND3ki64IT5gru}I(jXxzAT1@0v>+0KC z3;;|3EC6f(901S+V0Zxd00aPp07L*#J0Sre1t0?;2cQ6;1fT+-2A~0;1)u|<2VekT z1h@de1i%cy0>BEu2EY!$0l*2s1;7o!1HcQw2fz<-5#SPl0DvHX5P&d%2!JTSWdJdN zD*)mE5&)6_QUKBbR{^d8$N*dikOhzfkOxozPy~SF)C$fj05VY25<+!9KZs=62J=JE`T+F4S+3x9e_Q6 z1Arrd6M!>-3xF$t8-P222Y@Gl7l1c_55PSDUjRPqKq4-nv}UIvKj-pCKMM>V4$2Av0D6f(-u?9zDhRfUI=hDiY7Tmi4X6pI z>~i3FcfivfPeYu+8`*)7f9;^>BZAv!68L-1R|fGL7tZoT`cql|_ufYcJpaeD|8DuA zC-*~@1srtxAwQ@bQ2+m-!=bhg;UD+^t^`cN!m9IS{d4t1JMZ0S$q}z<&q|{h%C>-C zQ-G5u50f5zmz*qZ&?tN{Y(4L5^)S*a{cWMRTS=7@f=DOMVjGPg`cZ~1u;iGvMvZ(G zj1xb3US3y=Npd%1+TTv9+@p52Q$}FkfQyr6GXX#K|>$DOBXV7HE^Ka$g0=m+wDb) zs*IvfuhoN>BDMry&N${@u`t;DYAw`}gF=q0o>mvkzj~ctav*|Ds1(L&pWz=qkDuNf ztSQ8{e>-~Xxm6h-2Qu;}WG@v5Ei$Uv5twT$uE%UxVM(^&t-kpwYE+$tufuE8Y~Np$ zrE{9O1kst)-O=D~M&rK#2lq`)BIlE%KKnJV&U*>`OKOw$-QCP%BDvh=In)yx7$4p% z7VhBes!r~t)aSKnaqSsA{QP97R3X|zwNJKEH=iLgZsfb8(h!sTXXLm3_~9>!$Vg*n ztGQGkcQ^K-&^J8TMz70;Z}YUL^H9)UE}WL}aZkB4#&p?Q^r3=4rriy_1W``=!>gGi z?Ci=t_?(GkY97}=NJo)y`fX#6dic=VXm4oMx_zJw->}`p>wJ70zC?Xj>hYI&#~CZ_ zJo%AN+yPZzTlX!zr#!?`u|?Zk?cXNv6zDKFtPOOTw+}l{WE_QK$$Hima;Y|yt;(of z67KJFeLePYzd)H)@+G={-QagNw7W%PF1-X|Zb+|Dd1sYMXN|8}R?&x7J$2q<%2^=x z!=DwoCCTp67^mUGev6k(!-h8}!B#CFGb)X@JWl2ilNy?&NV`aQM74s2d@Cpk)q| z>uhH0Y@p#`Z|0;2iRFgEA2Z;cF)$hdsiHsz;2A$TE)ZhiXlCui%>^CLCnPSsJsk;% z12#wnaoOJ;D=>*rWjI+F*_(k!{_3&kEARKzOTdVptI8V+NRU;9A%fpFI4_@GfyZt_ zEg=_&7S0ek3>OE6w+WF+7_1!w3Wp3c3Mc~(EQA0eu{f|W0zPnt!Rm3a!O`IKcLPu- zjZ>l{WjXn+`iSb#Wycz{O$2>^)zNdU&uoVOr&?o$eVX%3i3?V>%pvq3i|KN1$ zfHs0091iRYf+4uzhIOAR8y?umsbYcdh=UH!D5uw$h%gX02M1E2 zV7z-I4$kznXCrnP7;~C}>oX^Dnix8qoNSy1L1V&`6MV=I2?q$27LN8zjKD7ef0hCY zH$*T5)(AM@_e1mp&xB-&fjD$}hHZ930WjoEdvJu~Ih%{Y1Aa)^Lm5Kv`oj;Z^fU}A z19T7Vw=-1kA90~GWQU+Lc;x9BdMI=ay$E!MN&=k&U>KX=k+A#FXcsjA3POF*3XZTA 
zI9y;oU%-JN)Xvk86F5{raNyuUT2u)b^%gFO1*L*wKw-PU?$N+DaVVkWu&)S^(Sn}y zlkP8mk5w2pwHvVcVN9KqEAucyPz{j3{L|iK)ehkf*m1T1V__z zh>i~VA_c;D!q3hi+dn!u0z@3x0fPBy=rO`+ML?0xveN-RD9az`vw8w1@V9I?!_Km$ z0Ck`S;=#c}zSzSK5g>6x&K`JvTtm4^fck-~I@E+AtIi5V0#+Ro)z4O)_jGbAoB*mm zFgb<@r3HO2i~y>OUnhX>gcCp+ffj-Yy?{M1iV(zMQ@^$IH>Z6S3kXi-7hz!L4Y3Ur zMQqFHdtg;G0;PTtRG4NNcQUXyxaUpdjh|J71!HNed{D%l$IVWUO!mK|) z*|3Huv$=3p*T&co^Y+#n-SjxaPPr4uW9+3v+1TM2LY%I4;o_L+*ec}b(Vu*l@8xL} zAZo_^79u;Ue|58H8*ak+Fu)Q&R&#AS)da)8Ys#p3inZvKMMtU>WtwLB zfFrJH^T%;|;SU{>lYLlnDZ zwEQwoj{WMxECwwe(K{=;(PnfctG(R6Z0nOp52K*b88q_30dO`lwl-6D_OLc{f`-nR z{c_m;JfsrunnK+yj(s?#RT&A}XxZI9!Lh~Dtw>np;4jXY?SF~o9uSw$PSjpAy@+r! z4~JiWX(ks1Im#=*L}J2W#=-KLVL3X6N6lQ`Wd{`xr((jJt3&w~srJY@PEJxGHrKPB zizVqSuW#Q`eQQ&PnX9|!HTsD0{zt0Ng*fD~(8sNUMgFwe&t4StErnRhBHZ@8_|idR zV!W>Kh>hc(L?uM&elpz8)0F47slru}bOJvHM8&Y#Vw97|4_M^bOAZ z5~oi;^Bewx)&K8|B_LM+$CCfMV~HD}tPnW`FAIYMj1vCz)xiZg|G1`wN(0^b?fzNG z5&rA?Y=naNU)N_+Gz2;S77bDBN4glgtgsHc9y)A0rr3m&W{ zBSIeFAiv))av}XG7s8)%!T%{2+@ErRxG)1E(VrM?%*Mc%LvXJFyc9I^_>0c$9o+*l znFqfynRG`9)C(*3mtH!u;P5yyg$4WvH$8gE0~`r;m0oEH~1h_S9V8f~#x1Z%$VKD!0dBi|9$Y)5jk9 zBi|kW&qA0JhBN~cRm^N=jFEj9vxWRaued!cnh$~I_%oY{{KR$u&6^1USwUmVpY&E> zR4Zh~u5S3B04p}?i5rvO6fzV*GK`}gYeQij7yU5X*DjJ6F{+)%?#`#3ODYR;F;Csl zi?R_VmAy=6GUr{zY<6gcviOBOuA|R(3<<1i`edQ0V{cg?gey9f7%H+-=9-F)MBLt! z;1X?$;?L(;q(%57ip^MSRu{LG3OC@-Dw0F%nh)>b6Z{rfvBOy_5znKfo;+a1nC~t} zq_N!LczHh-o?w4kJEW-lP*R}!_IDeoY5uvG)FOJj?}5rRW;)xNa5@QWZE0$zWaQ** z2F(cne!&ZwwzXR`wxc|xP1hHw=;yLaFU*G{%(zkZ-XH&+1c73Nec%T*;vCzX9Zs=E4)G*` zk~*9`m(c0=Z? 
z90e(nU%bog&!WMGcUe67u-S)z?L)<~lh$s-Y$Wup@tz82>bBIkqw;4il!H>=G6tkJ z?CETEDHP~&^V_@GQmBzbiP%+NEr}U~PV4tYFE<28sI&&qZynYK4}UY5FMo5mk5EapYS{OMC``fNzSOZ3r8=Y>#79e&nDl#W!F?%dHI+R z9+~)K@7{WZz9_oOOEdrN$9F|tC@tdT4kG#_s*(wiRb0yVG#ZBT2(3P zu}DB=_D;=CG+dDblSuLC1B=N@tG5zEf`yX;$m1;bH=ISphv7AHJc9!a`JFt=8@|h1 zCUoYBP*?h5Q$QP{enkn-+YO*eesaICBIlXid1d;0Y7U@Ye^RaI6P{O3zb7OB#`G_h z)z2ic2c#7^C5bpNOhi9Mh`7UVx`Q(=4E1zX3c865M1TWB*jxon2nU9^$pXUQU}&3X z(@VcU9`eD%&`;ArmKQSmP<%X49{k_J;XybwmmCMC60LyO7v!`7=LdVicIX#;YSLRk zC^DE(gag~kPT=ss<}q=gi&0^I?a-873-H5(ZAwmnS{Q-tL1r*oFbTW@uA%KiuE0kN z$fpZ9LfdwrtxQl1UXT)$>GaK>0+MD(T6;SeM_L;@Q_DM+W{$MhX0%SwFo)LEh1S{9+0hKFX5m1Bg9HV+ zqSJ*s=nCR-V15=64a_qlZaRYJ{SXYoZ-Rm5SWQ8kAA+%GKlJ-QClWKTAI$kwBz&iD zawd{Z1V|(VIOjzIi38$ikVsyh#y=AY6b@GAa9qLhUx~!&OeRjJLNRl9K9!D*krR*~ z)>ShXcgtlPGg@0qS2H6QEDc9HOQ)X$R9%dm9e)mxwzPF{`6&RBFlddZyZxZX3RN96 z3l4vJL^wS{0zH$w8}R*6^5%fq{*XN4PfZe<+y5bXKhD2yl0qQ<-)oXkGqeUx7HXbG zztsUhNKF8v-`WQ+SJ?g)9RE1mdVW>>7g{AgW~G3pk`KcY9mZiTgt_=3KPYr)2IKcr!n7diT<| zPWG#B)wH!&&VD@CuK1WYPy&CZZRfWD{G>v2qg$=oc`zSr1T+N$Q7!of;302Ig~)S3IL{ z$39B5?3A9YJi;UJxp^%0U9ot(tAyl|D>Sk4=c1qA#BhGw!kX5!?X(cCkAdOI{rT0l z>Lp!rI!9Gems&qnQilVmJF@{~opz}o12S~bWzPK9LFa-4i%OxPp~o=T-cMSw=yZ7u zigl(Ez_R`65O5QOjKK}TZzA9#L5dFTr|yRIQ+IO*@qTo-d9J_iZc-rr-|KFW1+WJe zzzlRZsLMg!53(5Mr#{G%KpijdwBu#`)A9c4c>i9n3Z3tGC7LI; zZ+LKzeMe?nzqF`hWDU`%N{?&hqz1BS)T2BX!ZsDEF&D*j&$)8lz}j4t@X0evEA}k= z$XCr9&4-^IJ*tb4bR13CFYu>Oy0N~CEzFLsia2(sq)Jyers{?djJ=$5*LG!m^J{@Z z`Yol+@@IvE%Ws9#T}2WGJg|1OEx8=ZH1d&y75G;z+Bp-kDUpk=6}(=5>}vIdk!nHH zQFxqSk<+y$jZ}?@jOqq`*2`#vr^qiuJ?>S$<;cj89mdt$@+VBQNOBk{NZ+w&M8bWe zT@hrn)p|0|j`{s%E>0$1;b+V{iF;r}k8QX*y&{dqt5Ds$S9L@J6m9qpis2T8xQdJ) z4aenCwsB3QF;L^tg)O`|eVVB})AZrdIJo0_YJ^ zF;SjxLc&yxO_DIO7+`75S(ftFs}c7KmtySK>rh!Kt%O5e`>MMt(najFu02QmTG|>RZ8_|Y ziu?fcln<#FLL#jC7+$}dGSx7~J$cGI4zEc!eo;G~p zws5ss;ql|(&OQKS1EG%ghh37b@(8?y*LK15)8qL;CUj1|ood3Y<(Hk$t~u}C`65Cl zBKLrCG~d_GKC7>hHzUjS zXJ$DHM~)Y)u573=qjz+M;VR0TTrji7(hcJmuVkMYMo}p27?Pt}R-1Q?R*~n-&6|CM 
zBF)f3ZmZJJL+>55pKXbqdRtH?ZITL7aivO1c{FKU4dl2GuI$*X0gJ_5>T>?2n6iE#%4;8j6g5y79lYho0 z|HjxPpwKyW8T8Kzuww8linOL>V@EHDd#qo0()#6f*kU?j{1PJNZT2kGptR3l%U6Rq z^{1k z>)L1z!OrHl?#i&jB5%)UDQ5m=NTloN29$`aU++*czC=)TEF5hr<`43XwY>8VgZduX0ci!e3bY@sq}Ivcox|%eA6# z?RWYEFF$lS&Ka^B3{%Yv)Q$0cPbp)sEuvzfUxPX%!`RRt z@^Iss&-_|AlIbX(m_Pr1xFZ@(jh7f=Td-W2?|5sdPjjV5vp;&8rCgX{rdmYG<`~1U z1K(F6W(^n17u@4-a^HKt{Cd1cR#J$!)!q42f8#|+3p~>SavD7@;Z>2A9cI>9bomgM zXd4Y0gt|^*Luu^f?u|`6x#vm;bm9eOF`VeE?H#s){FYO2xB;tlKK{=Qp39ZE5q+ZX zB3ItSG_9yWGDnVg-OC)em!Een23)GU00 zmDR2!f1TDneAt{H0~-E~ZNBD8gz8S}XGI!e?{e%J3t0^9Ml?S$d|M|z8XpqhO$z&- zw=p%4{H;=?=V)$kyf_uTu37xSU`62sj==yD_2TM#V!M#}1tWsHhyCh$AI4aW;`=x* z?#(gZtkUs1Hk!3i@(hr%6Uq=QE&I^^vaxmhT*&)f0i?~#3wx^(5K2?I9Uoz(7Iq{V^kib{zQaTY%ET!1%|Of=Ef)p`2Wuwmp?E)0_hLzb;q&$1{hMArLD zN*lgMHHb48B6CJ4+lEW|L#nzKx6c#@U4IG{-9Plp7_pMI( zo-|Apb}fP-fw+}JqXr&hthME4&&d;cu0|vQtjNSUNedDFW3a0FXFj*xPAvsjLm24L5eWp17$XqL`=beG?HtqSla^P7UcVSPF`;xW44v~vZmgtRd$iyb~w?q zR+hsFi5h)&4*^fO^JL3=Y^LkDtTCsVPzr5f)5FHQ%nCh5Ov<${e+vKo7eHaoB=DcY z=g#Y7VC#Q#e}~VVue%>(!bzyl3=6^x&Qj;1=o=1jL$*F;m1cW5G8`P2}3i_ z&Zpr&voY|=3J5!!vZ4h(=n6Q%%i#aTq}AjfCathRWGKzqt3b2y|7zmO1`yOA^Tem0 z_<{`%CSZo15v0BkQ9Q5<8bm=o+y4xG;Dri9L;&OtELuR5W)Op71rZ9{8Nl%$2K5hv z`ZpNVU4>^k&7es^>uA4XP!Ul|w(z`|GP|-(((irb@-YHs;*9Qhz!mMl9*3ea;4{m^ zr_Vm#WMFh%v-TbFI<6mBOBYh_RX4;MP`gh{9gsX}wRbe-Q!4r1-+Bm%3F{=@Xw;XZ zeiB=V+6J9jAX`ePR<%7Veo{WU3&Eqm4>$B~4Ni|q;oV9;rrr)D1tL%8miSw8Q3TSy z*WTE@3GeCOCdy0kY~OjA{Zs)5quGQP?ZhgG0D3n+7+?XZzP~Zf3^z> zPLhff&>etZjPn(vBo*2vaD%`$6C<+L)EO3S#({joYlt{u4>P+gUF$>dm`l5+zC89U z(Eqf=+fFg-U8b$vtj>T{fn`1KnQ))JG{9zx%)N}d?6X8?pmha?BJw?!w#v)m>^!wb zuk0?C#;N1C@m@zzlJ_ZfDWUj6YM#YRY)63{B{$J(DLSv;=2Ku-XT`VsZ*7_kOs6E5!jad?ev*7V4CA>7M1&_|ipCS}ISqUl#u zI^#T?H1voM#NGA*CH~Jc4Ck8~sDN0q!Xi_-$NJW604{>5gnl9)bdGuX9V z+3x{MobqXv&}K0IuE?%z?-$+4jKn>Yl?9rIyNV+kQcq}!tvROncOQ!`IyTXuRJSLk z708!;kz!|DrMRw_Hz%kv^;9eLJ~`=Sqdc6XZ}rWMEP}y)a-k_|d0rpv%@r%fBBLE? 
zqH{+Mgy8!wxia}3`C$*ZsJ-mnT)FI_Spzz48vA7B%lc-QhA%ytrTu~tf!|(^8EWv#oR*C9 zLyPF+(6#9a9qY!K$jV4>0sVgE))PX*ZSiG-(SBcDUm%e`_tw0Lf{!nNyaa$|`qPH6 zSJ0AM@J0|=a`RCgX(zql%AFT2&7I=|d&lByK~FJFu{y2Ng^b>S8koDWTPSv18ovK7 z{v$1MN)dAVg0y&_#XDEA7GM9KpxlBBsJia<4|2Sws|^}&4Ch=P;HAiut>Jluj}tPb z(x_G{Wjfr0J0gE=`l2zTZ$XTM!E2hN$7J&Yilf`aYOe(iOQW9joK&^*^gmW<^)2IA zx`t>g7_Vsg-Z<+C_o8}J^b@n9G3ue}=lc^!peTPX=v|Kl;s8)kXnuwgz}dpg#*F)? zqmq%Wk-3@U*+yq2^mbZYiFZC(ZqZYMCJijtj4S&}8+KsQY2=b!nIjp~ua_1B1PA8` z$5R!sbU4ybu)@p+xI$_-y*Uafp1hHz?BuY1*G2SU#htY0*+YUkxo#&_ABOShpr_R{ zv=i0r<8&JwGx~LmR$}4TZ!VASvMyX(WoJT%7y9+f8=K>sg#c!zM{)MIK0m$oSrN`Q zvFWJTQCuTzVc4RQ@v^gFb|t^=QZ!jXVKFLGp*yzd?$#(eur_FQCv8k{j5;P77s)|# z0T~~jtr|bkaUlmWEK~Lfy)k)8Z=>Vx1xp5r8#J*q$#ab-8w06R#jmM5FsbnASXD&y z7aeD$8Mizn;>s6i$gsGcddae-Atr4FIyaKV%vKM$&DDhoYFst;H}s(wwC@U!mlw3U zw9?L#kmwa2uJviV`c{PHLKfIQ=1O?<9SgTXEcr%;d#dpE z6$IkYSkD*c#!oEctmV)sC@)@=8Z?bUa}LqzLXd$ICyzntmBv&+BA_a>y{B*U)e6hb zG(726Wz92N!+TTp){^$+#_nPEw|Q(ZQ`Xt1k$eygt?*uN?0Ox^NWOxVZv^CPCGZV= zFl-tguuPEHafop(n=KO5^A0`!E#GmEw!Rf7Mu``{ z?BhFry&-7C}|N4~lT2jJI>kC;OXcM>DmUlJZXW9+$v=cq&a^Q5oDS=c7ub(mNhDa@AT*Q|s znlck&jPkrsc-2wWGKeDOW>0^PCB7Cv$ta&K&0;&-tXP`R@w$pSOZu}gQ*QdmBri;6 z^k7Ch^cCTI60$)}pH)9ix+EU>D_l`sroN`9$gaefZNi-LA>7ph^Iozh8tSpDb(I&1 zi*WIXXDVgAY&Uv8TObYIhomi$$83~0V<_JxJ;J(2Q2a!``<>#R*=+;1O=nrs>qmaF zI@KR)U_J`UEpX#GZ`K>Ei5q0ImL-V>Qj@;&Ii}Klqo*v;oTO9A=GzhTfYF5wQ{U9w z)cbrVhT6jO!*5ph!4D#3zru$3)w6ui#^12E@hZ(~z30FAo>P)t-T32G zD*XqdIzC>v5x>nDc-L-SoMOP;2p1iiesfr}<9V|Grhy~l)h&mQ*N8ureRi@Auzs`T zZdrRdD*|ggA|`d@Vn4n>gdr@zGhLW1cHvvR%w`giI|>Q9^#pC}IEu!#cGQ9)Yr)G( zjPYbEH?rdugx)8=lYc{wgVj)Zy(8huFNQA%k0p38oNU&}e-=4kdB~p$Ov~*PeW2BNsVf_ z+qOF02okQ5YkX~RJ>I$7`rlOBg;=AAoY-L%>hBnQ=0!WLF4)>A?O;7m@02rh9k{UO zxX~1v_yzT`m)ytoP-jy)VPPHrND=*p>X9$eQKON9_rG#pe#z>t_vr&p6|QZl_XX?8 zjFf(+zK^rkAH(Y8hWywu?(QN5rHe$P7uHlnSX(3&av*AF3+wFPyk$5MuJ%Ia;I3>% zJ$CD6lpLI^vz`JI!9sCml>);X*PTo3dEP}Kq%y5|{pC@dZXM*(+_V zQ-{%xDP8L6^=nO!5Z@K+%XD~>n&#Lnd?|O*%Le=VOnQ{kog2MR+w-$})(t|mD~jK2 
z-|=YPO&}U3_$pAGY>vdkZiBSWv2LIq=ww@6W6WvMIMN%0z|Cca8E{QHzO55y#Mkg7 zr_FqaJ!tmEb#EFgcK;~s6w*MftJ@c*-D&k`*XK#enMExEIE*aeM#@Rmkq~*PIX4Zl-m$8r z(^L==OZLnDd4|*?MZ{j+`udJJP_SQ(1J2V?5bY=THx~TP^RwSm^8k7Nv_b0pO5u6F z^Ls)vKm`9pAbt}6`JB#^kKc2e_*G7)ROEaf=NrNAdBlRLmY?6|ziARb78a4fzEnL> z`iJOe+2A0GfUC>mU>`rNE7;v{X=f`&&&$O_Pitmt0=9VCnv2nEYRGU3(Sse0Mz*F# z)^@gLV)PznPW0keu+T3XiI`YBDjC_+f(&e(M2y7fEu5Y0MYy@0OaMtVa^kYHH?sxz z?$|ln7&(JWM{{mdMKzOFu#`{Rk2G5h6fO zYhi6^dl!@lI?>bKv9p#v3;5xq=e|-7qeeso?DCHzDW%A--;aQR|J%=M`jk6(Frkr@ zbUdfkh|zsqD^Uz;c0`T`IOX`Y54#l{L{g5$EX|`~SS1|drLU?}*IRXJx~?+qCD>gZ zAoC=8wk6#+=cY2wX&&Etx4hM)&z!M&or^nVhB8K5)yrx>$*D0eb}R&2HZY{w`5>C| zeQds@%ncfz%*N7HibDTa%TA9HsT%K6mk0OU*>PuC%83h15NZ&|<|;{$j+kKS?ks%k zbri0aj+)K#nv7g2x7awKuPQL_t044&aG9J8gI7Sj!3!b^HRf1Tg)OoVJWDh^GT&Qv zA~uG0WwNlX9G95snR4-86QmK%Nf^|2Z*R{)I_%HG3;Ru>x6lmF-~F(L)*b)I@4{3~ zs{q;*%g)BYu>ZUR>4yQundSo3MwZHLWl7C=+HOm`l2xL&b_D~}h|JE&*EeKa6)|n9 z^v7?K^Dg1y2$XjdcA-CrZ0gszBw17&K=ajO>E zrt#-uHgH^M8V0@oGnja#12Lc(fzxkk6pcLWT%7-KajFQOX%47O^WZkSZjLRKHLEBn`O>>~j+Ts)@%dqO^RW9vi`5IQV9UcTzo?@wq{F|e9}F|>6;6v_jCty zSU%RNK7(avWMD3T*zXB;(`#Ni?AMG4z(e}Z9!eFXi@um-h|_gEskfqkLW)B!j#Gvv zw(P9(!1lx!?cvdN_x9Ie$5oq5EOr8KO>pLo!u7snqxlc%+jw_yT)yx1Y>sS9Vdr}> zJiRu;vst>p4L>od{%59lUXflmDs^T0s-X0AmS4v16{$KC^(R4-dEv%g#e-o?L6m#- z4KJgJUuP87+j?)YG$M&@E1++T@9e!z5{htFQMm`^zkX%m&#Ot$DSmQ)!@{4}9KWaj zi!D9p`{M5ji9iqi%bxkennIr%_kgq)!14wRmI-V@)1MYP&KL3*#qy5+#}@qde}Ly} z^e2|~%a1JoFSP}YRHB?=prv8|U0YD1Ij#Jb2iK=;%(whI_Wit~A`7>edI=*7@RE%o4RY9DdDD!IX-7%c`lc2)f z=Jc(yzN#jiw0&4TyxGOUJ!CQQ$1Ohm)p<9^g{>6{NR2EE+9JxN%gt2XD_)X+Z?1T< zGTr-}9KNZ3I@@tGuKcd1A~yCc$tBr=L+@IJW}T)9)D7iND zro4ab8zXw|uma7B=C}Cl69u~2;aM=3P3?H^+T`ImXC{Pnj^1|+#gyprp0*u0ub$C8 zj=7i5%=HG2!!dHxb)XVS5;@4{_HoiT(giWgln(Tn>*_Z2TN}nlS1$|E=4&%CnC7-1q$BVUwA2_n0`C&Q1|F#Q2#s!OAoI_SjQ*IS@lT<)sYu+h~! 
zSH7|x#wcd>4P9FhHcm`49PJ67yTr$-8+a!ezvl_wg@i#_@yeH~30~&BEf;a$c9U<& zOlZscyl%V|FjzdC6UW4oQT~ne)qCd+OlWsUP%a0#jJaBSw5{OKyxc&5b z|Dz#VSFg!l_oD1_1DZ;4mDr2KEgu|`(agj`h+}o%&XtU|X;^g9Sp*Ry^Vqt5 zmEWoGtGPzbU4!Rj>=_WM>OxuwEAcHP9*A@YEziZW+;q)ZIkl#k}>ZX6~k}ccqfE>sEq_A#P2&%;q$MSVgEx z$3*3%%FDwk_oFQ&a5zR<(Q<*=mWvW{aW~4$6^}k0)5+Dsn3%F$x+YvR_+_t^=aICE z+FUWooGlyANb-F6rLPmUg^%dF_pg~p$|0C_ESl7+ai>|gb7rsYq$++4x zyj&8am-9#RuEg(QR!lCiM66%zHp|;rrdGCHc+uevFFk+%X{$J~W;(oW=n4iNG zZxntmk+j{f*zkI^F_-G!<-cNQ@Ng*A&fw^&`~_`!qc0ocB?_+6Fim~&Fp`j7R9-~? zn;asMRPD-c7s=gKwCF}@ueXfSAyf5ZzgG=^7Pndu;xkNnQ7}WH^jgPz6tnzckAgWA zv=Xls92vdF<%8bJ=Iq`zkwh+a3-%e@FGL77ml|v48Hg7yvp-KS^uQaXroWN(P|x~g zphMDPQA}ju3~o}Mb*<~A-+(>vLADMEGlIt zh32;?Mw?Z4**iLpLVz(I=B|%Gi7j(oBwyF@7=MDFE1W)ZSddlX-#x` z|2@nF)qt6EPf>3Lg=9pobS;maNWqpxIulLRh>ZDZ%=Z9-M2q#>yDs#yGJ?t zs9-oxx$f#{houD9EvtWo<3x0u%SuDpy}gQrD9OJ~tj{txI`c{U_zJ@3qAzt6*VZI0J_WOC zRwVIx;O4#$W9^N)ov*UswkyvS&$``ZyRQ7vW8vj?*g9(Qa^aU$joxUyw-G&N_1SVC zk*zY2BG$#MYn%I9#a&oq80l*s8TBTkAG4q_MNk!5mF{0qHy=^sl8Woj;6(jQV*J&b zPJqs9UCHNm4ovW{biYC7{sG|_Q>&-**j)-lHZ6NL@8%DDXiffi#fAnbU$bL+E))3V zJl`mz7-)O`uz7^WQG$8p_U0$GHPLH1mE&=(>Pyiu?V&pIz3= zg2AXO=5KF4Jdx^(ZvLn@5p#f}@BQ}qD%=42Lym|-_`IYx_-rq{wkP-C>-NA-oBu3g zbKbE0pfzA8$-gr?{Q?FVFqj`8HnPC?&rIb%GnIcaQ^{t}%T5H?Fb&u$`nQNp|IL}$ zHv*(h8;Wz1i-(92yycIB`r{d!rfh3;4q$D>^I8d1a;|hL@jj7071VOX81WqCso`(^ z@UCBpsziJ~eNH2xHKlbD`mEBu zqosOz!dJG-`6ZX&f^VQvp|C$K&K*@<2_w>I;$&yqoXd_!8sB40OjjK7ZPnXUE}N!u zMo$UPoZ)^oWxz%3(L0-HsmGH=6>6GhHCd+Rk#||w1zYz*GW^4tCcD^Kjm?_06ER(s zjyBVPAfBWbU%x#zzd8huF{)<4WFrIcQw zYRxakxjsbY3*(ri4$Hkcm~+xF`t@_aBPSVJt-dfz=R_*s(RDo4HkHL@C+;Sj%gI|) zLpRwM7RsCkbi$o{-?+OsR`PB?uw@vI3TEM=h@9p5^b&h^RnZ2%>K&I(={lcZ1b!tOCDFRYI9JeBe+V-LA3Eqs_F+(Mk~PMZ3i+=i0MI zg9)FT30LTwNlQjt`Cn_jkX&F;kBD?c@$1spZEm>6_omYmRz8ep?Mt!>_hKi?P-)8s z{127kqPjK?%+($p1Y)ZgiNPj^SxZo0UM}dXur9`+bVN+u^~PJqy_SkPFu8G5j}|$wxnI zbJ{);QZF zTlO?U?R1-MBf}O>!p0aUN?V7jC^8jBsnz zDHVCD9e(BF#CvbvRHp|rZz_2Y(^}T4%WQ=)@D$N{$@@K`?w5u2h3ED8vt?w}26uP2 
z2Vy$vcP;bL`Io3lC+P$~@O-pQPEU2DA5Y!ft;_BpmNAEl_3&NJY(`G4=D2KQ?U&5q zj-1fzNHHI9To&8je;9OdqDGiv+@6au-e6e|hX2~5lf9qdhs4cN_qHgOYzVPY@B$OZ z^YrVK_4z(uY*z)Ys2WT^G*=Rqy^cm=Vv?JeLq|@ukl`&ZEIFa6PomJhjHI3DbW20r zTMm)THKvDw#aC6QOvT>p$ljkbAH%{wL!t1ov8r&cavb{!yzPwIm2Qgxydyn-O3s}m z$zwI-sFmxi&Hr)Q=X~w|54BGsSWJV#41x9`{b#M|pM3{^z3zkDP)zRUB5 zi*JD^E0EL9#Mw+0aX9;dy(Ja7$la3HxR$H0uC2c#ak#5_`>9q2I@ZXh@LUV?oWMgu z_q*2$hC4z#a{OhtgSG0*%j# zzx)?+GEp3c1z+UsnWK_;@=rd^3{!b4yD#HB?h(Q34{c1sxuZQx?mwLE{^*{5QYIyN zSus}pdnAgQw8z$p3>PFrrA>{|!xEoZ?AjS#J6ytYuDC5hblE_@Y@O-aNnhQq_lj3a zGBlNLWR7{U-$T5^v7-2e*<&HgpgZ=%)s0&_iCg@(BK`L`_9PzPsami%Sp^>iDLY|H z6-r%xscIw;*!v*1+miN>D7V@6d*=+pc6Fp^kc5wTDoJsAthng+fwc9@qu;Q|L*uWN zrK0N0@LHioQSh;jPz>~2d_r({_jZwtMY}*GQOzAR!Y7 z(aeKy^8S{7T+^O$d?Q5IJeTZ)@^C|!Cn>`nKAqKOmnqehVh1je)8EZzD#jGvCwoWu zi?P>WMUYYm{{!bcUaeTF{RJD}SG=z*e`#k5ow~(BmFKwde4_!IfKRqvc2*^=<)gvu zL#lkNM7k(-R;EEMi;wN!cIUYG4Z7YD&E?k_y`Zap#XQ)X)W6~ET#k?SdSg^kcF#7s zD3D_B=8T(EC(V7)P|+q^w@Ep7#&pLPt159lt{e$(`GCuKBZQ3d9dG?kJc-QSRGQgL z@?E$%H1ydgv0os-V!%XXuAgQ!wNo6Mq5M|6$?IgP@2z^2d_4s2JPL6U?9?k7BR54- z+39c@U;92;<7&`+_P^S@5`Y-D{yoVSQCSjMiY&>NwJcp_pKg{R%LvsJWsuv1G?p+3 z!xeL78A}*jvJb)_+_A)1Vk~Ja(O9~TNZI|L^B(5?0g-mI93N&PF-?2wXvUok|{iVmy?jEd4 zJ+$;>h1K?}pVeuW+rhOH`X88~6zn*iEvhog{ZX-3s+re+ zRHrn{aNzSEj>!>N?5#2T?&X?l^>N#g)yjHD)(DtlQ?Kvo?RJYEWF~AqS8~>ppQmU?ydN8_7mD=fY* zRhViKcX39sw3?9h=JL9j`4Ma_6#>_)ga!S}uOm@`sq}G5fX!>2;+V zN=Gl{`#Ac$>2sak1c^0n4m}jC8Qt#jsxnD!yh1u{T5u_;f99JL)oSjo*wDGKcWglI zUsiQ)lRNk1%--SgNo%Y1-K8-&1Vm5UbHe|^yy3fQZS7%v)F*cNo4ckEO6 z*XC6DWptC6-Y4hJ>8LW4UpqRiX!p$Sr%t>WSfNLy1?%0;TjWi1<=y$A$LsFBJWMU7 zmllM}PFJ=nbzspiZSJ1fQ?})s*~ilaw@N)tZPg^yw$jsnHu_BiZpGxDaQw0O)_MVN zgKzrWa9Tb0SiH|Aar7fWk}PS}W{be^G3y#dUK!M8b1|NNQ}7Pr}9C$@-HkJQJhd57&aqM5}{HNJ0bw0p?zl&~4GHW|0` zcY6hIc<%DpFF(JX-S?fvsZT1sC`_>$o>1%i)BaWN*BYrP-$AT;;b!byE&Qlk%x?AE z0WLKjcXn)Icy+N`#G|EUt1Qj07n|~1_ zncjoauN&vJuYXo@cex{u3T}1l(v&U_SbV;n66p)_N zZ{zjx1xJ;pvjXGQt$FqD@2%1IY>AyuaxTZrc>Q+Rcl++t-!d;~R;ANXZK@`HH-7BS 
zb%_-w^*Y+N<(e*)udmJ8Y8Ttr_Rh9ePtwU|&A*nW<>R*WclPCXIZaD@^yMQM$C~x! zpYO}pot{3=6C>PfWxlj8@0SLSb%o4v>)x))tFD}BmAX*2?loQ3anad{%U{lK;jtpS^2Wt|!c%7smL9rmr(ILC`}5c5 zUbgVM@le_^{FG>EMP(UH<=%$8dk+()l=QbBa&ADc;YF$iOpm(fx63}!loWO(a#KO+ zR1ZV#>8Cep*BmGmb*qus=IpEPNtd2TmPT%kPgr)MQnv-2b9Tj@QvNW=Exy5;DsPgy z)mNm~X?ebmOYfc{)s6jYhZQ;h;P~waxqG@a=-&5AxU`n6dgf5~Tg{JaUES8Z)ZaVw zK%W9tInl|*Q}Q0{udwH~P`D)Rfp9_dmaVG{I2$pzd6SnXERG%-VtZ)Z(l8Id5U(od zYy;-sKiA>Z(CkV+%|m+ot&V9HlQFkWKi_TV?~JgzHm>;1)TCY^125W5v|gWer1E-U z(+iX4Zki#88(iUhjZV>1Jp7)Gi9R2CSFvRA+!%M~GI<+y{ih`j5qeb}Jf*kqq7{?e zZZENVRrc-Jg)^31*b}qJ-M8fRbc68Xa}UK~@iP#4kja*EeUhfbNT?%Y4$ZIPEE zXI9*5g-aJl7uRVOI@q*#p5?pRZ@%UHwef2@H_OUv@l*cL)L5&9Ge+|cw&}8c^OArw z!!GBIUsrUlLww`2vrj&_dv$R{{kc(I$9Kf|NY6FM>p6deeZqo@eH;tyXE*Zj=xCX7 zN?a&xxN~>Z{uiZ%nO+6$f;TnsxL396(|s*hc3)U~wQgV5(C~6|f7yKM+U_}F4m*#X z8}Z7NFJ5yqx@>IdFsqh}kGJM+%dCAx-&SuCTgEFm!!%(uFVIFGRE>AV(0a2aPrA44 zL*C(n%fw>Mm@8ER_m0|^=Avy`$;GPqfwAY;FY~*Uxo*V%#8o41+-mDR?4bC-z7%`S zHuZr{Y0E5D9DH@A@~!Zn!&0VLWlR{j*deW^|G;b8GIva$yR!DBNMA?q%$>{XHn?kZ zm+$B?;myOU)-9JzTU4j&iQEQPAMYBlcv{Qt1#8_Go@|u;qcT*oty2EDX|{DwjIy1v z-+OQFli{sO_M2#X?QG%;L#!%g$dx4TI+J_;;D6O>Zuy?g#s}{yn%gt`Nx5^a;?Cd7 z4O#QoqXB+g=YMCPGZ$Jld?XWn&QaFqus-MWea`K)xjW~h&zXq>HNI&6cshZ6FsH(C zQ+#v@x59HSue(-CUVbcaw7d40)-rn5{>~orwr8Gu+_`Ou#@e@6x@Dx!-{kDSKfL$L zXUZGTBfIxFt5=64H`zV>Vgvr*<96jYg`MJOo?YE|Po=Hv>~_veT9DRx)_`4hEn6=; zG~tI$61OzpgW-MWdC%P8xw4b5G0Mx~O0etjQA1h@>*X}8(pxffW%i_=Ro+zFC-&@` z72R~hc-89M1Duxsg%9Z`MzBs9t<>)kCHhc@s2Ep1x8T<4O!XTXXHm4l6y5Nw$yOTyoCO zqtyK;#dO@=|Dd#E%sEG1s=i*+Ez`P8-oLOQR~F_naO>21$Iqv&dp3N@@SAm0YFu~Q za&2(s=ifhgx?uXv{inK}KRMm6#*c#yFBTW9%IF#r-un9)URBrhYU?@cZAt#3(EBCl z$bA-C*9}+B)x-}jFE4tj^|*(v{8AF<8*Vu+$=cMv<%Zr}>P9z8-v5K+thQMxKUu{& zBov0Z%&LELysQ1n?IDv-*IX<+(`MzfskMp(oYIXLSML6#4R)#7o<37;>cuNtM+OZZ zG@)}BeQrRhvK^L>8#Sp>QiNOHwEIIt`_C;txKEMwJr{L6ajIg6wsW0o>6SfSI=%kZ zlv^EBB4QUDmGGP#CfZI2sOSB5OA%SS{9|pB#yc;5{xrQ*`kNQ`&#Y-s%=ct?evg%f zb^VKn*79*o)V}nI5lmTIH_xTR_GcjlgPv?_ul+&!{mw?c6YrOGoxgw8lkG(|rljPT 
z8Mv|BIGc8Yd8WSo_6D{)Ir!?$1=bn6eg+?n@JUo7q%_(?US{%QSCcwL8Hwf zhYNn1(qPo|iQNnH0~_~$?3htMU!@edmbh@eePZ6Y9a(r6rP&hw8Rjcqfu9r2f$S1#w)>#^Sto|+TgqaeC&R?heWNADTSq9ZmvYQ{UC zwIJhQj%MK7X63ImsclQv8vp&C0bV(a zl6DRok#^~PGyQX0Ughg0I;lqE~K|H&;c)hT!ANUM>8#0h(?9e?g-yVkGRVfXfv zI&I&YFzVs6A`=JAObPb6QFwd$)qs=BW=t+Eu2Oe+z%*4zw0ka(*XdHpknHFp@kNGT zthIBC?&SHO7xLokRP4%2v6&To&Gq??6)&f)=wc9@Jd&9iGxnFvk=8d_ExjULc4~*u zkJi(l*%Vn*-ADak@X1!CbKCqpaY0qT<-3kAoBE(_xkKeWHp+ue)O2_3RnTFS{&8-P zGd^jHHjeKU*C*D_*&ch3nrbICcpT?&qe`h!A#$5qqSLB_;e+Ke_F$w5j{t zt>T!9KfUA^Z1!6&J5plolU<>CFXLL3UT0IsPV}tWnKvktf324KL@npU@i6MTk3+lNd?}RbhP;5NynlySk$*ZZn7*WJJq!OyT?J7y9xq-+2?!N-mj3i zDcR*n$bf|*jjyKvsL1j7rS+=AF^_7;hc0*%Ke^Y1+rdMuE;Jn(-7vxXm20Vz3p)*p zOc_-CMvbj!cf>mQhIZ@J@M=?!CglS*drj)U;dg?Xhi)G`M3Hx0w$Eus1o&-1K*9*Uav{z>Y6mvv8fYc9(Y95$7f(GR^zhk%<{yRzIJ# zCh5}D?4EWzh7@t|?=F!VpiZpQyhPJy79)%OtiO71=fe_V%TEn1)j3h!IyC2j;L*x5Fa7#th6%ja zkMyu?Tzq74i*8q+b=t+VFMV}v{E`Nyjq7Y0d&N#q^yIbokLl?Uv*b-f{n|?6L9Mb+ zHxw>7Ff(}F_{XzT%guaxc}~tx6X!(cxy&^#k6PGZ+0jOM0sB1fW$zkuLAA4J^2Ev$ zy6nw=?eoCx@usK^31OYA-QxQ6xv|&&_72(W!(}#JnL1)yQOorcC8b}kT)02PalS=e zzlPD{&rBa}v-kdX-^6ad#YR+$vX)yPFy>u+nn54R9ylKA;T5~^TpL@@U76AO=S zP48Xr)hGxq>E&-mwXPg~);Y97 zSkmBCz+ZwqVUv;+-$7*6@s~)e$Eb!9QDkW7D5u_G5#yZdHE-R_71o?PNfWt9T8Bd_ z~^!M~sS+IQdILL%2{#&WIE7(ubTi%Gn~zoGrnjH~9v&Q=jmt5up-uCSd>H zT%VHv&FL#2KkpG{n-mZE*WG!w2_lf+rimu$3B-@2HVi+4aV&mB&hzmja$bcW`BwdA z{D{2I;YZ|0Yi|{OosRS1m@#9_E3H2hHw+gn18Sdn7J^WVTM?Q{d!If(m5aY)eNddbU z0t^9$07HNwzz|>vFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTUvFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fqoWfFZyTUvFa#I^3;~7!Lx3T`5MT%}1Q-Gg0fxZu zL%?JzEG#5HdLb}_(WpsQ8;wS@4K>qvUGgFq!>kt$i8tWv4f8o5jc{|W^HkpGeSVsTLf6iOwPFGQx(a*~2T zM*4k8PGXAD3wKN#u%G%*iAjF&)0t^9$z~>QQ z1KQ7H^lkc3DwP-xVc3IVEk?N*LaUUDWVJ@C(;M_U4ID5gCVjCMU8xRFS`4(3wOS3b ziy;$y!MV_Az!(gDG8s6osIa3dOgH$~T;9jElGtEapLldIOo-V9Kges&pDy zs~}C8ObS8k3??mSBbO^ME`|raUawXvFp8E+rI_ge0+bE4R!82#gh)juJ`gCCED8$7 z*mN}h4TJTKCmmH162VNzXwaKXM(83ioiP~nn8-jQq19@2IxU9DnESwyJnD%z)KfaH 
z#`G3dSZ_4yby^^SM@*y8)N3?aqUkW2VDpV5^fymFgau{O+d`t1`cD_rMg1pam_0*) zA;1v$5(KCsiOz#atNVT-fOe78-fT8|L&$V#00vl^10e?PiMk>*8X#Lc_!3!s4L?x$ zzcm>!n1X09`o-{8gGr8Bg*zEykxPjYG6c^VF}gO9l?1t*S|UlX$8-oIF3fzOa>fW5 zH@#kGG#a3JmWZVonPEmGl}f%w`dOGCApki#I5?OL?-a<%8eO4Dk69|#hPWB77E>X} zS0p|uhAzZVW85jZ#0fqoWfFZyTpa`HZH7kBG2%?=V8Tw$DMgEv6aOidU*402H7FF0~oD$;2&OG09>tN=MG<*+8}L>NTF5|l@kLPlo3nq<5P z51yVrSY$vrSUJMGVzGqGhB2w;=1UTZ_$%e>pBXGBJ7mTRbh$MK#vNq>F-^s?EEez4 zfWrnt!(uMh@xi7eJ{8bD$uKEKnSniB^+Sb)85dTO;0=q!2n}}x0!#RXo&@rxfxwB( zh}rcu5kRwx+6U$1CnAB=AU@n7u}^sW$jPiQ`N*C<{xuPReCaa5Uo&|uRSW@!07KxP zfWZ4H>^~u||HM2>By3ss+mkz)wvee1ksTBoTAcxtR?JKddM#!;P;_7!SHw+bMIs?o zOCq6=%vG_HtA+;{$+Y*|%l1De#k5w6Ih7I2I=vAxg+>F)Cd^M^#tavl2jBrM6Qr+J zDWQ*2$Rr|>1j5B-ULyR*VD>F#l+PD{mh9u>gF9+2YADv(q1ga!Lnsmvx^iKmSR{h5 zaff`NzJh#}GAUGvP(O+#(ogRJ{FbozJEj$E49E`ZeL};CH!Hzf?EJ3hy0icqVLe-GE2ze8Z|(s zLH#jzfl!Frhnx^Jq!I`V40Dl41Z|{1AOONRo(RjnkTq8O!GDGgF3g3^Y7IHZX$Siq zQ)9dcdn_-4o&htk5()*_2n=!t%?_PABM=#<4FgpJqaeVpAo)LSB%- z$wY;S7)iXG4IF4;;OgN4oHcONOonW1Ro4t*mvBLi|NPNUL5 zzGz9HdqmBJe9`v818L|?fQ1MIlV!BesNJ-E2E1sIfH~?Hnj=VoN|rW>q#ZL74GFe* zBOH_>=s6)2c;k+=QloeyOkAincpXuA`tT7l8b*Z7_wmGL33LFI5Q3l)h)^u1loFUB z8nlgg3l~B_`w8S}!Z2fpe{>K&d?7LeCkO&UN1IQgGZo?v52&Gp&%o(v5g^(z)NT|c zi0fSz6i7LdFWLctfRDL9cw%@H;gFUJ`>o`1p%}OdfecNFxj!NrT&Q`8Y6$XIqh6?0 zf9UQT2o!llDxkiA))C172*}Hyc+vVoIyKrm7|0&~|CAnx=s!7`?f-oQNXv=Y!@nD7 z{r$)uMZ#RoKXL+YC|w^}njcY+%;rDQfRf2|9KiL@yin2*J>}2>H|%_&jNIQ$6ZCJt zY5!@<&%OmwqB4FukS}-rY;<296!XatUyLaacyW8f%@Y4sa`z8UCzO<~uI^ZCAm7%&30gX>L?(A|u%-PkRspcOgbl@5 zsvupmKmc$5aKyg3>|;R|lzSu_v;n$0gY}wkE*C7ppG5$ydq&FrEK1A+Lx3T`5MT)W zJrKZ&M*l@dL=q{ubN|JQ-^44Jsr|uZoBs|L%q8*p8Z+sX5+~^SX2eOO0lm^JUu;$a z%>%qd8W-3VI0*+H@Cc#>hzcK`K??bTqy(monF|4DOmXNe6|cNIQ5LKb?))?Jxo0$R z?h#3NYmUx*>KaDT2$y=p9jU?rwDfh5HtCTdX3unA6#@dC6%19%{4^)&eO&L}0-F~f zH>5kTs1wD<%xeW7?A`t>Q=wVMVoo8+Aim1?uUs9>@5sTq@3RTED$>C{y@S!5k^i{? 
zL=<;-cW{Qm0hST|l>w(&Ar?NT^b-gPlMVDNX9rtYf?X*Q3Bho7c6G;D&>$%Z1$@Yt zBPG6to`KL4-yfm{|Bx@JhTzFVbqviRPQIf4J$-P#nE|B)I!18LL8t>c7BoDGi0G5e zmsEx=iex71BM^aNNeo=75G>evU@y}|O65vW0l|55c6BuwbmSAJ9EXj1276N~CNn7? zzJTzwxsO%?RssK=`in*f7AW|=;J+cMICTwhm^pHwzT%TkWQwhj!2{AvDVktQ+LkPd zj35NQP>d8}Pc+RS_=l8|2PbI70Rpn=?(Ru;Um^;3cVGf-3Lr z$6WQ{8f2t|+IzYaGz4M^B@%n`g~$#x{DmCs)DOf51|~JrI|Kn;1k4hd0wiJZ7^#00 z43JZ~JINr54Y8r-p@lIM#X)%X@$sbmUW7wi0}y?oPeY_|!ksT5^%t-J5Gc@~ZKK*$IH3?yB0Z;B zCB#gMFhKZYqa(c0SLYXUk{LDWIGy1KgJ>^0IXa5aw4=cC_5 zJw+n}=|H_nzPk0EBuVQp$j{JkqAM4Qz<7VBJ!j*Q7@oLC1kTJ}4gMl`J%CP_>ctxO>w2OIt|Vh!N1g<^^m&>;=sIFHl9aWLpil z8HYY1kF=(k4Pc~0{Y!@v-1mO*oxxvqzsM=sFoGRPTq}(L;fFlZb4LL#*LjhRB-ndG zhFd!Hs%9cF#vvH3ApscBU@H(_q@5kYfj2zTaUFR?f2LHT^?-b7Xh5FnuW+7ixf3l5;Y}6u+29(}N7352s zCbBgNXD$Bg_zEatPZP-S=mN-YEY8(zpb7X&cO(&9eQtk;1SEc1e_@GM>?_6i^@1hs zGgp7X0zfQipD{)?w@9Ckm)74;`++Nj@?ils`=|Y{`SCXmw3GTxr>|{^CXu#OD2%jn znH$Nk9rgb(d^8TIVkn#tD}qI>A$#16#!t}W&9S4}ng`5g%P%)@--{=ae&YJ{9*0l7 z$eb7g3;~7!Lx3T`5MT%}1il^umOOU-ZxHCf8^eplzfj&NUKG!X=g*VC9Qnn8SK$@m zeJJNId9frsHTV*bU+Cxm8~+yu`^DbA?f469sv@Tq@EdYCKCAPOJYG>=zNIDa<;$=j XaRiZ77%zw?=0$ul9?avngTVg*R~FlO literal 0 HcmV?d00001 From 44be7b7f276e3536395ab22fd67d11a31f8dad79 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 24 Apr 2014 19:50:23 +0200 Subject: [PATCH 11/51] backport this piece from 5.6, related to the #66307 fix Conflicts: ext/fileinfo/libmagic/readcdf.c --- ext/fileinfo/libmagic/readcdf.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ext/fileinfo/libmagic/readcdf.c b/ext/fileinfo/libmagic/readcdf.c index dc6bcf094bd..bfc32d66526 100644 --- a/ext/fileinfo/libmagic/readcdf.c +++ b/ext/fileinfo/libmagic/readcdf.c @@ -149,7 +149,8 @@ cdf_file_property_info(struct magic_set *ms, const cdf_property_info_t *info, return -1; } c = cdf_ctime(&sec); - if ((ec = strchr(c, '\n')) != NULL) + if (c != NULL && + (ec = strchr(c, '\n')) != NULL) *ec = '\0'; if (NOTMIME(ms) && file_printf(ms, 
From d77ea459bd33a5267475a809a86f30a1d89ef0c2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 26 May 2014 17:42:18 -0700 Subject: [PATCH 12/51] Fix bug #67327: fileinfo: CDF infinite loop in nelements DoS Upstream fix: https://github.com/file/file/commit/f97486ef5dc3e8735440edc4fc8808c63e1a3ef0 --- ext/fileinfo/libmagic/cdf.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 7efa43e00fa..ffde3f4dcfb 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); if (inp[i].pi_type & CDF_VECTOR) { nelements = CDF_GETUINT32(q, 1); + if (nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == 0\n")); + goto out; + } o = 2; } else { nelements = 1; @@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, } DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", nelements)); - for (j = 0; j < nelements; j++, i++) { + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { uint32_t l = CDF_GETUINT32(q, o); inp[i].pi_str.s_len = l; inp[i].pi_str.s_buf = (const char *) From ee1ab627639b2b6f8da00c687eb2386f93ec2ef6 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 26 May 2014 17:50:14 -0700 Subject: [PATCH 13/51] Fix bug #67328 (fileinfo: numerous file_printf calls resulting in performance degradation) Upstream patch: https://github.com/file/file/commit/b8acc83781d5a24cc5101e525d15efe0482c280d --- ext/fileinfo/libmagic/cdf.c | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index ffde3f4dcfb..ea67966c49b 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c 
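Review bot: In the second cdf.c hunk (`@@ -897,7 +901,9 @@`) the loop now ends silently once `i` reaches `sh.sh_properties`, so a vector whose `nelements` exceeds the remaining property slots is truncated without a trace, whereas the `nelements == 0` case in the first hunk logs with `DPRINTF` and does `goto out`. `nelements` is read from the file with `CDF_GETUINT32(q, 1)` and is therefore untrusted; a comment on the loop such as `/* nelements comes from the file; never index inp[] past sh.sh_properties */` would record why the second bound exists. Logging the truncation with `DPRINTF` after the loop would also make malformed files visible when debugging. The loop body and the rest of cdf_read_property_info are outside the hunk, including any bounds check on the offset `o` passed to `CDF_GETUINT32(q, o)`.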
@@ -948,7 +948,7 @@ int cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count) { - size_t i, maxcount; + size_t maxcount; const cdf_summary_info_header_t *si = CAST(const cdf_summary_info_header_t *, sst->sst_tab); const cdf_section_declaration_t *sd = @@ -963,21 +963,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, ssi->si_os = CDF_TOLE2(si->si_os); ssi->si_class = si->si_class; cdf_swap_class(&ssi->si_class); - ssi->si_count = CDF_TOLE2(si->si_count); + ssi->si_count = CDF_TOLE4(si->si_count); *count = 0; maxcount = 0; *info = NULL; - for (i = 0; i < CDF_TOLE4(si->si_count); i++) { - if (i >= CDF_LOOP_LIMIT) { - DPRINTF(("Unpack summary info loop limit")); - errno = EFTYPE; + if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info, + count, &maxcount) == -1) return -1; - } - if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), - info, count, &maxcount) == -1) { - return -1; - } - } return 0; } From 84605098bc81517919ecb43935682fdd8a249f9d Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 11 May 2014 17:54:27 -0700 Subject: [PATCH 14/51] Fix bug #67247 spl_fixedarray_resize integer overflow --- ext/spl/spl_fixedarray.c | 2 +- ext/spl/tests/bug67247.phpt | 13 +++++++++++++ 2 files changed, 14 insertions(+), 1 deletion(-) create mode 100644 ext/spl/tests/bug67247.phpt diff --git a/ext/spl/spl_fixedarray.c b/ext/spl/spl_fixedarray.c index 646c002f6ff..526ed8596fe 100644 --- a/ext/spl/spl_fixedarray.c +++ b/ext/spl/spl_fixedarray.c 
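Review bot: `ssi->si_count` is still read from the file in the second cdf.c hunk (`@@ -963,21 +963,13 @@`), but it no longer bounds anything: the loop that compared it with `CDF_LOOP_LIMIT` is removed and `cdf_read_property_info` is called exactly once for the single section declaration `sd`. That deserves a comment above the call, for example `/* only the first section is unpacked; si_count is untrusted and is not used as a loop bound */`, so later callers do not treat `si_count` as the number of sections actually parsed. The switch from `CDF_TOLE2` to `CDF_TOLE4` implies `si_count` is a 32-bit field; the struct definition is not in the hunk, so confirm the width there.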
@@ -116,7 +116,7 @@ static void spl_fixedarray_resize(spl_fixedarray *array, long size TSRMLS_DC) /* array->elements = NULL; } } else if (size > array->size) { - array->elements = erealloc(array->elements, sizeof(zval *) * size); + array->elements = safe_erealloc(array->elements, size, sizeof(zval *), 0); memset(array->elements + array->size, '\0', sizeof(zval *) * (size - array->size)); } else { /* size < array->size */ long i; diff --git a/ext/spl/tests/bug67247.phpt b/ext/spl/tests/bug67247.phpt new file mode 100644 index 00000000000..cb71445d7b7 --- /dev/null +++ b/ext/spl/tests/bug67247.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #67247 (spl_fixedarray_resize integer overflow) +--FILE-- +getSize()."\n"; +$ar->setSize((PHP_INT_SIZE==8)?0x2000000000000001:0x40000001); +echo "size: ".$ar->getSize()."\n"; +?> +--EXPECTF-- +size: 1 + +Fatal error: Possible integer overflow in memory allocation (%d * %d + 0) in %s on line %d From d4b67896ecb248796a0493a9d6205b22c7dff4e2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 11 May 2014 19:09:19 -0700 Subject: [PATCH 15/51] Fix bug #67250 (iptcparse out-of-bounds read) --- ext/standard/iptc.c | 3 +++ ext/standard/tests/image/bug67250.phpt | 8 ++++++++ 2 files changed, 11 insertions(+) create mode 100644 ext/standard/tests/image/bug67250.phpt diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index 420111e731e..e3190d56333 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -335,6 +335,9 @@ PHP_FUNCTION(iptcparse) recnum = buffer[ inx++ ]; if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */ + if((inx+6) >= str_len) { + break; + } len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + (((long) buffer[ inx + 4 ]) << 8) + (((long) buffer[ inx + 5 ])); inx += 6; diff --git a/ext/standard/tests/image/bug67250.phpt b/ext/standard/tests/image/bug67250.phpt new file mode 100644 index 00000000000..607de9f3b65 --- /dev/null +++ b/ext/standard/tests/image/bug67250.phpt 
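Review bot: In the spl_fixedarray.c hunk the overflow check now lives inside `safe_erealloc`, but the `memset` on the next line still computes `sizeof(zval *) * (size - array->size)` by hand and is only safe because of that earlier check. A short comment on the branch would make the dependency explicit, e.g. `/* size is script-controlled (setSize); safe_erealloc bails out if size * sizeof(zval *) overflows, which also bounds the memset below */`. Going by the expected output in bug67247.phpt the failure mode is a fatal error rather than an exception, which is worth stating in the same comment. spl_fixedarray_resize begins and ends outside the hunk.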
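Review bot: In the iptc.c hunk the new `(inx+6) >= str_len` test keeps the four length bytes in range, but `len` is then assembled with `((long) buffer[ inx + 2 ]) << 24`, which on a platform with a 32-bit `long` can produce a negative value when that byte is 0x80 or larger. Whether a negative `len` is rejected depends on the check that follows the hunk and is not visible here; if it only compares `len > str_len`, it should also reject negatives and avoid the addition, e.g. `if (len < 0 || len > str_len - inx) break;`. Assembling the value in an unsigned type first would avoid the signed shift altogether. The parsing loop of iptcparse starts and ends outside the hunk.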
@@ -0,0 +1,8 @@ +--TEST-- +Bug #67250 (iptcparse out-of-bounds read) +--FILE-- + +--EXPECT-- +bool(false) From 7f527897fe3e333f43bbed67741287d355ab4b2b Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 11 May 2014 20:29:27 -0700 Subject: [PATCH 16/51] Fix bug #67252: convert_uudecode out-of-bounds read --- ext/standard/tests/strings/bug67252.phpt | 13 +++++++++++++ ext/standard/uuencode.c | 3 +++ 2 files changed, 16 insertions(+) create mode 100644 ext/standard/tests/strings/bug67252.phpt diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt new file mode 100644 index 00000000000..80a6ebcf1c4 --- /dev/null +++ b/ext/standard/tests/strings/bug67252.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #67252 (convert_uudecode out-of-bounds read) +--FILE-- + +--EXPECTF-- + +Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d +bool(false) diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c index f0142ed0499..212ab706bb5 100644 --- a/ext/standard/uuencode.c +++ b/ext/standard/uuencode.c @@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */ } while (s < ee) { + if(s+4 > e) { + goto err; + } *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4; *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2; *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3)); From 2326401fc197cb88141561d3d51eccd7ac59fede Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 11 May 2014 21:09:11 -0700 Subject: [PATCH 17/51] fix bug #67253: timelib_meridian_with_check out-of-bounds read Conflicts: ext/date/lib/parse_date.c --- ext/date/lib/parse_date.c | 201 +++++++++++++++-------------- ext/date/lib/parse_date.re | 5 +- ext/date/lib/parse_iso_intervals.c | 2 +- ext/date/tests/bug67253.phpt | 44 +++++++ 4 files changed, 151 insertions(+), 101 deletions(-) create mode 100644 ext/date/tests/bug67253.phpt 
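Review bot: In the uuencode.c hunk the guard `if(s+4 > e)` forms the pointer `s+4` before comparing, and when fewer than four bytes remain that pointer can lie more than one element past the end of the input, which is undefined behaviour in C even though nothing is dereferenced. Comparing the remaining length gives the same rejection without the out-of-range pointer: `if (e - s < 4) { goto err; }`. This assumes `e` marks the end of `src`, as the surrounding loop suggests; php_uudecode starts and ends outside the hunk.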
diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c index a3364ef7f8d..1d23c9b0452 100644 --- a/ext/date/lib/parse_date.c +++ b/ext/date/lib/parse_date.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Mon Dec 5 22:02:41 2011 */ +/* Generated by re2c 0.13.5 on Fri Jul 18 16:11:36 2014 */ #line 1 "ext/date/lib/parse_date.re" /* +----------------------------------------------------------------------+ @@ -403,9 +403,12 @@ static timelib_sll timelib_meridian_with_check(char **ptr, timelib_sll h) { timelib_sll retval = 0; - while (!strchr("AaPp", **ptr)) { + while (**ptr && !strchr("AaPp", **ptr)) { ++*ptr; } + if(!**ptr) { + return TIMELIB_UNSET; + } if (**ptr == 'a' || **ptr == 'A') { if (h == 12) { retval = -12; @@ -871,11 +874,11 @@ static int scan(Scanner *s, timelib_tz_get_wrapper tz_get_wrapper) std: s->tok = cursor; s->len = 0; -#line 997 "ext/date/lib/parse_date.re" +#line 1000 "ext/date/lib/parse_date.re" -#line 879 "ext/date/lib/parse_date.c" +#line 882 "ext/date/lib/parse_date.c" { YYCTYPE yych; unsigned int yyaccept = 0; @@ -995,7 +998,7 @@ std: } yy2: YYDEBUG(2, *YYCURSOR); -#line 1082 "ext/date/lib/parse_date.re" +#line 1085 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("firstdayof | lastdayof"); TIMELIB_INIT; @@ -1011,7 +1014,7 @@ yy2: TIMELIB_DEINIT; return TIMELIB_LF_DAY_OF_MONTH; } -#line 1015 "ext/date/lib/parse_date.c" +#line 1018 "ext/date/lib/parse_date.c" yy3: YYDEBUG(3, *YYCURSOR); ++YYCURSOR; @@ -1034,7 +1037,7 @@ yy3: } yy4: YYDEBUG(4, *YYCURSOR); -#line 1676 "ext/date/lib/parse_date.re" +#line 1679 "ext/date/lib/parse_date.re" { int tz_not_found; DEBUG_OUTPUT("tzcorrection | tz"); @@ -1047,7 +1050,7 @@ yy4: TIMELIB_DEINIT; return TIMELIB_TIMEZONE; } -#line 1051 "ext/date/lib/parse_date.c" +#line 1054 "ext/date/lib/parse_date.c" yy5: YYDEBUG(5, *YYCURSOR); yych = *++YYCURSOR; 
@@ -1358,12 +1361,12 @@ yy12: if (yych <= '9') goto yy1385; yy13: YYDEBUG(13, *YYCURSOR); -#line 1771 "ext/date/lib/parse_date.re" +#line 1774 "ext/date/lib/parse_date.re" { add_error(s, "Unexpected character"); goto std; } -#line 1367 "ext/date/lib/parse_date.c" +#line 1370 "ext/date/lib/parse_date.c" yy14: YYDEBUG(14, *YYCURSOR); yych = *++YYCURSOR; @@ -2420,11 +2423,11 @@ yy49: if (yych <= '9') goto yy55; yy50: YYDEBUG(50, *YYCURSOR); -#line 1760 "ext/date/lib/parse_date.re" +#line 1763 "ext/date/lib/parse_date.re" { goto std; } -#line 2428 "ext/date/lib/parse_date.c" +#line 2431 "ext/date/lib/parse_date.c" yy51: YYDEBUG(51, *YYCURSOR); yych = *++YYCURSOR; @@ -2433,12 +2436,12 @@ yy52: YYDEBUG(52, *YYCURSOR); ++YYCURSOR; YYDEBUG(53, *YYCURSOR); -#line 1765 "ext/date/lib/parse_date.re" +#line 1768 "ext/date/lib/parse_date.re" { s->pos = cursor; s->line++; goto std; } -#line 2442 "ext/date/lib/parse_date.c" +#line 2445 "ext/date/lib/parse_date.c" yy54: YYDEBUG(54, *YYCURSOR); yych = *++YYCURSOR; @@ -2825,7 +2828,7 @@ yy72: if (yych == 's') goto yy74; yy73: YYDEBUG(73, *YYCURSOR); -#line 1744 "ext/date/lib/parse_date.re" +#line 1747 "ext/date/lib/parse_date.re" { timelib_ull i; DEBUG_OUTPUT("relative"); @@ -2840,7 +2843,7 @@ yy73: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 2844 "ext/date/lib/parse_date.c" +#line 2847 "ext/date/lib/parse_date.c" yy74: YYDEBUG(74, *YYCURSOR); yych = *++YYCURSOR; @@ -3602,7 +3605,7 @@ yy166: } yy167: YYDEBUG(167, *YYCURSOR); -#line 1607 "ext/date/lib/parse_date.re" +#line 1610 "ext/date/lib/parse_date.re" { const timelib_relunit* relunit; DEBUG_OUTPUT("daytext"); @@ -3619,7 +3622,7 @@ yy167: TIMELIB_DEINIT; return TIMELIB_WEEKDAY; } -#line 3623 "ext/date/lib/parse_date.c" +#line 3626 "ext/date/lib/parse_date.c" yy168: YYDEBUG(168, *YYCURSOR); yych = *++YYCURSOR; 
@@ -4139,7 +4142,7 @@ yy193: } yy194: YYDEBUG(194, *YYCURSOR); -#line 1666 "ext/date/lib/parse_date.re" +#line 1669 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("monthtext"); TIMELIB_INIT; @@ -4148,7 +4151,7 @@ yy194: TIMELIB_DEINIT; return TIMELIB_DATE_TEXT; } -#line 4152 "ext/date/lib/parse_date.c" +#line 4155 "ext/date/lib/parse_date.c" yy195: YYDEBUG(195, *YYCURSOR); ++YYCURSOR; @@ -4199,7 +4202,7 @@ yy198: } yy199: YYDEBUG(199, *YYCURSOR); -#line 1412 "ext/date/lib/parse_date.re" +#line 1415 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("datetextual | datenoyear"); @@ -4212,7 +4215,7 @@ yy199: TIMELIB_DEINIT; return TIMELIB_DATE_TEXT; } -#line 4216 "ext/date/lib/parse_date.c" +#line 4219 "ext/date/lib/parse_date.c" yy200: YYDEBUG(200, *YYCURSOR); yyaccept = 6; @@ -4481,7 +4484,7 @@ yy222: } yy223: YYDEBUG(223, *YYCURSOR); -#line 1714 "ext/date/lib/parse_date.re" +#line 1717 "ext/date/lib/parse_date.re" { int tz_not_found; DEBUG_OUTPUT("dateshortwithtimeshort | dateshortwithtimelong | dateshortwithtimelongtz"); @@ -4510,7 +4513,7 @@ yy223: TIMELIB_DEINIT; return TIMELIB_SHORTDATE_WITH_TIME; } -#line 4514 "ext/date/lib/parse_date.c" +#line 4517 "ext/date/lib/parse_date.c" yy224: YYDEBUG(224, *YYCURSOR); yyaccept = 7; @@ -5208,7 +5211,7 @@ yy278: YYDEBUG(278, *YYCURSOR); ++YYCURSOR; YYDEBUG(279, *YYCURSOR); -#line 1690 "ext/date/lib/parse_date.re" +#line 1693 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("dateshortwithtimeshort12 | dateshortwithtimelong12"); TIMELIB_INIT; @@ -5231,7 +5234,7 @@ yy278: TIMELIB_DEINIT; return TIMELIB_SHORTDATE_WITH_TIME; } -#line 5235 "ext/date/lib/parse_date.c" +#line 5238 "ext/date/lib/parse_date.c" yy280: YYDEBUG(280, *YYCURSOR); yych = *++YYCURSOR; @@ -5409,7 +5412,7 @@ yy294: ++YYCURSOR; yy295: YYDEBUG(295, *YYCURSOR); -#line 1384 "ext/date/lib/parse_date.re" +#line 1387 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("datenoday"); 
@@ -5422,7 +5425,7 @@ yy295: TIMELIB_DEINIT; return TIMELIB_DATE_NO_DAY; } -#line 5426 "ext/date/lib/parse_date.c" +#line 5429 "ext/date/lib/parse_date.c" yy296: YYDEBUG(296, *YYCURSOR); yych = *++YYCURSOR; @@ -6642,7 +6645,7 @@ yy362: if (yych <= '9') goto yy365; yy364: YYDEBUG(364, *YYCURSOR); -#line 1528 "ext/date/lib/parse_date.re" +#line 1531 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("pgtextshort"); @@ -6655,7 +6658,7 @@ yy364: TIMELIB_DEINIT; return TIMELIB_PG_TEXT; } -#line 6659 "ext/date/lib/parse_date.c" +#line 6662 "ext/date/lib/parse_date.c" yy365: YYDEBUG(365, *YYCURSOR); yych = *++YYCURSOR; @@ -7293,7 +7296,7 @@ yy392: } yy393: YYDEBUG(393, *YYCURSOR); -#line 1586 "ext/date/lib/parse_date.re" +#line 1589 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("ago"); TIMELIB_INIT; @@ -7313,7 +7316,7 @@ yy393: TIMELIB_DEINIT; return TIMELIB_AGO; } -#line 7317 "ext/date/lib/parse_date.c" +#line 7320 "ext/date/lib/parse_date.c" yy394: YYDEBUG(394, *YYCURSOR); yyaccept = 5; @@ -9063,7 +9066,7 @@ yy454: ++YYCURSOR; yy455: YYDEBUG(455, *YYCURSOR); -#line 1289 "ext/date/lib/parse_date.re" +#line 1292 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("iso8601date4 | iso8601date2 | iso8601dateslash | dateslash"); TIMELIB_INIT; @@ -9074,7 +9077,7 @@ yy455: TIMELIB_DEINIT; return TIMELIB_ISO_DATE; } -#line 9078 "ext/date/lib/parse_date.c" +#line 9081 "ext/date/lib/parse_date.c" yy456: YYDEBUG(456, *YYCURSOR); yyaccept = 0; @@ -9634,7 +9637,7 @@ yy475: } yy476: YYDEBUG(476, *YYCURSOR); -#line 1426 "ext/date/lib/parse_date.re" +#line 1429 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("datenoyearrev"); TIMELIB_INIT; @@ -9645,7 +9648,7 @@ yy476: TIMELIB_DEINIT; return TIMELIB_DATE_TEXT; } -#line 9649 "ext/date/lib/parse_date.c" +#line 9652 "ext/date/lib/parse_date.c" yy477: YYDEBUG(477, *YYCURSOR); yyaccept = 10; 
@@ -9786,7 +9789,7 @@ yy488: YYDEBUG(488, *YYCURSOR); ++YYCURSOR; YYDEBUG(489, *YYCURSOR); -#line 1144 "ext/date/lib/parse_date.re" +#line 1147 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("timetiny12 | timeshort12 | timelong12"); TIMELIB_INIT; @@ -9802,7 +9805,7 @@ yy488: TIMELIB_DEINIT; return TIMELIB_TIME12; } -#line 9806 "ext/date/lib/parse_date.c" +#line 9809 "ext/date/lib/parse_date.c" yy490: YYDEBUG(490, *YYCURSOR); yyaccept = 11; @@ -9815,7 +9818,7 @@ yy490: } yy491: YYDEBUG(491, *YYCURSOR); -#line 1181 "ext/date/lib/parse_date.re" +#line 1184 "ext/date/lib/parse_date.re" { int tz_not_found; DEBUG_OUTPUT("timeshort24 | timelong24 | iso8601long"); @@ -9840,7 +9843,7 @@ yy491: TIMELIB_DEINIT; return TIMELIB_TIME24_WITH_ZONE; } -#line 9844 "ext/date/lib/parse_date.c" +#line 9847 "ext/date/lib/parse_date.c" yy492: YYDEBUG(492, *YYCURSOR); yyaccept = 11; @@ -10150,7 +10153,7 @@ yy523: YYDEBUG(523, *YYCURSOR); ++YYCURSOR; YYDEBUG(524, *YYCURSOR); -#line 1161 "ext/date/lib/parse_date.re" +#line 1164 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("mssqltime"); TIMELIB_INIT; @@ -10169,7 +10172,7 @@ yy523: TIMELIB_DEINIT; return TIMELIB_TIME24_WITH_ZONE; } -#line 10173 "ext/date/lib/parse_date.c" +#line 10176 "ext/date/lib/parse_date.c" yy525: YYDEBUG(525, *YYCURSOR); yyaccept = 11; @@ -10275,7 +10278,7 @@ yy534: if (yych <= '9') goto yy541; yy535: YYDEBUG(535, *YYCURSOR); -#line 1343 "ext/date/lib/parse_date.re" +#line 1346 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("datefull"); @@ -10289,7 +10292,7 @@ yy535: TIMELIB_DEINIT; return TIMELIB_DATE_FULL; } -#line 10293 "ext/date/lib/parse_date.c" +#line 10296 "ext/date/lib/parse_date.c" yy536: YYDEBUG(536, *YYCURSOR); yych = *++YYCURSOR; @@ -11026,7 +11029,7 @@ yy605: YYDEBUG(606, *YYCURSOR); ++YYCURSOR; YYDEBUG(607, *YYCURSOR); -#line 1358 "ext/date/lib/parse_date.re" +#line 1361 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("pointed date YYYY"); TIMELIB_INIT; 
@@ -11037,7 +11040,7 @@ yy605: TIMELIB_DEINIT; return TIMELIB_DATE_FULL_POINTED; } -#line 11041 "ext/date/lib/parse_date.c" +#line 11044 "ext/date/lib/parse_date.c" yy608: YYDEBUG(608, *YYCURSOR); yyaccept = 11; @@ -11073,7 +11076,7 @@ yy611: if (yych <= '9') goto yy605; yy612: YYDEBUG(612, *YYCURSOR); -#line 1370 "ext/date/lib/parse_date.re" +#line 1373 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("pointed date YY"); @@ -11086,7 +11089,7 @@ yy612: TIMELIB_DEINIT; return TIMELIB_DATE_FULL_POINTED; } -#line 11090 "ext/date/lib/parse_date.c" +#line 11093 "ext/date/lib/parse_date.c" yy613: YYDEBUG(613, *YYCURSOR); yyaccept = 11; @@ -11727,7 +11730,7 @@ yy656: } yy657: YYDEBUG(657, *YYCURSOR); -#line 1329 "ext/date/lib/parse_date.re" +#line 1332 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("gnudateshort"); @@ -11740,7 +11743,7 @@ yy657: TIMELIB_DEINIT; return TIMELIB_ISO_DATE; } -#line 11744 "ext/date/lib/parse_date.c" +#line 11747 "ext/date/lib/parse_date.c" yy658: YYDEBUG(658, *YYCURSOR); yyaccept = 13; @@ -11846,7 +11849,7 @@ yy666: } yy667: YYDEBUG(667, *YYCURSOR); -#line 1273 "ext/date/lib/parse_date.re" +#line 1276 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("americanshort | american"); @@ -11861,7 +11864,7 @@ yy667: TIMELIB_DEINIT; return TIMELIB_AMERICAN; } -#line 11865 "ext/date/lib/parse_date.c" +#line 11868 "ext/date/lib/parse_date.c" yy668: YYDEBUG(668, *YYCURSOR); yyaccept = 14; @@ -12094,7 +12097,7 @@ yy700: if (yych <= ':') goto yy704; yy701: YYDEBUG(701, *YYCURSOR); -#line 1556 "ext/date/lib/parse_date.re" +#line 1559 "ext/date/lib/parse_date.re" { int tz_not_found; DEBUG_OUTPUT("clf"); @@ -12114,7 +12117,7 @@ yy701: TIMELIB_DEINIT; return TIMELIB_CLF; } -#line 12118 "ext/date/lib/parse_date.c" +#line 12121 "ext/date/lib/parse_date.c" yy702: YYDEBUG(702, *YYCURSOR); yych = *++YYCURSOR; 
@@ -12666,7 +12669,7 @@ yy763: } yy764: YYDEBUG(764, *YYCURSOR); -#line 1301 "ext/date/lib/parse_date.re" +#line 1304 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("iso8601date2"); @@ -12679,7 +12682,7 @@ yy764: TIMELIB_DEINIT; return TIMELIB_ISO_DATE; } -#line 12683 "ext/date/lib/parse_date.c" +#line 12686 "ext/date/lib/parse_date.c" yy765: YYDEBUG(765, *YYCURSOR); yych = *++YYCURSOR; @@ -12718,7 +12721,7 @@ yy771: YYDEBUG(771, *YYCURSOR); ++YYCURSOR; YYDEBUG(772, *YYCURSOR); -#line 1542 "ext/date/lib/parse_date.re" +#line 1545 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("pgtextreverse"); @@ -12731,7 +12734,7 @@ yy771: TIMELIB_DEINIT; return TIMELIB_PG_TEXT; } -#line 12735 "ext/date/lib/parse_date.c" +#line 12738 "ext/date/lib/parse_date.c" yy773: YYDEBUG(773, *YYCURSOR); yych = *++YYCURSOR; @@ -12869,7 +12872,7 @@ yy783: } yy784: YYDEBUG(784, *YYCURSOR); -#line 1577 "ext/date/lib/parse_date.re" +#line 1580 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("year4"); TIMELIB_INIT; @@ -12877,7 +12880,7 @@ yy784: TIMELIB_DEINIT; return TIMELIB_CLF; } -#line 12881 "ext/date/lib/parse_date.c" +#line 12884 "ext/date/lib/parse_date.c" yy785: YYDEBUG(785, *YYCURSOR); yych = *++YYCURSOR; @@ -13028,7 +13031,7 @@ yy793: } yy794: YYDEBUG(794, *YYCURSOR); -#line 1398 "ext/date/lib/parse_date.re" +#line 1401 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("datenodayrev"); @@ -13041,7 +13044,7 @@ yy794: TIMELIB_DEINIT; return TIMELIB_DATE_NO_DAY; } -#line 13045 "ext/date/lib/parse_date.c" +#line 13048 "ext/date/lib/parse_date.c" yy795: YYDEBUG(795, *YYCURSOR); yych = *++YYCURSOR; @@ -13256,7 +13259,7 @@ yy814: if (yych <= '7') goto yy817; yy815: YYDEBUG(815, *YYCURSOR); -#line 1509 "ext/date/lib/parse_date.re" +#line 1512 "ext/date/lib/parse_date.re" { timelib_sll w, d; DEBUG_OUTPUT("isoweek"); 
@@ -13274,7 +13277,7 @@ yy815: TIMELIB_DEINIT; return TIMELIB_ISO_WEEK; } -#line 13278 "ext/date/lib/parse_date.c" +#line 13281 "ext/date/lib/parse_date.c" yy816: YYDEBUG(816, *YYCURSOR); yych = *++YYCURSOR; @@ -13284,7 +13287,7 @@ yy817: YYDEBUG(817, *YYCURSOR); ++YYCURSOR; YYDEBUG(818, *YYCURSOR); -#line 1490 "ext/date/lib/parse_date.re" +#line 1493 "ext/date/lib/parse_date.re" { timelib_sll w, d; DEBUG_OUTPUT("isoweekday"); @@ -13302,7 +13305,7 @@ yy817: TIMELIB_DEINIT; return TIMELIB_ISO_WEEK; } -#line 13306 "ext/date/lib/parse_date.c" +#line 13309 "ext/date/lib/parse_date.c" yy819: YYDEBUG(819, *YYCURSOR); yych = *++YYCURSOR; @@ -13366,7 +13369,7 @@ yy821: } yy822: YYDEBUG(822, *YYCURSOR); -#line 1476 "ext/date/lib/parse_date.re" +#line 1479 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("pgydotd"); @@ -13379,7 +13382,7 @@ yy822: TIMELIB_DEINIT; return TIMELIB_PG_YEARDAY; } -#line 13383 "ext/date/lib/parse_date.c" +#line 13386 "ext/date/lib/parse_date.c" yy823: YYDEBUG(823, *YYCURSOR); yych = *++YYCURSOR; @@ -13482,7 +13485,7 @@ yy842: ++YYCURSOR; yy843: YYDEBUG(843, *YYCURSOR); -#line 1450 "ext/date/lib/parse_date.re" +#line 1453 "ext/date/lib/parse_date.re" { int tz_not_found; DEBUG_OUTPUT("xmlrpc | xmlrpcnocolon | soap | wddx | exif"); @@ -13507,7 +13510,7 @@ yy843: TIMELIB_DEINIT; return TIMELIB_XMLRPC_SOAP; } -#line 13511 "ext/date/lib/parse_date.c" +#line 13514 "ext/date/lib/parse_date.c" yy844: YYDEBUG(844, *YYCURSOR); yych = *++YYCURSOR; @@ -13769,7 +13772,7 @@ yy848: } yy849: YYDEBUG(849, *YYCURSOR); -#line 1438 "ext/date/lib/parse_date.re" +#line 1441 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("datenocolon"); TIMELIB_INIT; @@ -13780,7 +13783,7 @@ yy849: TIMELIB_DEINIT; return TIMELIB_DATE_NOCOLON; } -#line 13784 "ext/date/lib/parse_date.c" +#line 13787 "ext/date/lib/parse_date.c" yy850: YYDEBUG(850, *YYCURSOR); yych = *++YYCURSOR; 
@@ -14700,7 +14703,7 @@ yy973: if (yych <= '9') goto yy996; yy974: YYDEBUG(974, *YYCURSOR); -#line 1315 "ext/date/lib/parse_date.re" +#line 1318 "ext/date/lib/parse_date.re" { int length = 0; DEBUG_OUTPUT("gnudateshorter"); @@ -14713,7 +14716,7 @@ yy974: TIMELIB_DEINIT; return TIMELIB_ISO_DATE; } -#line 14717 "ext/date/lib/parse_date.c" +#line 14720 "ext/date/lib/parse_date.c" yy975: YYDEBUG(975, *YYCURSOR); yyaccept = 22; @@ -15722,7 +15725,7 @@ yy1066: } yy1068: YYDEBUG(1068, *YYCURSOR); -#line 1207 "ext/date/lib/parse_date.re" +#line 1210 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("gnunocolon"); TIMELIB_INIT; @@ -15744,7 +15747,7 @@ yy1068: TIMELIB_DEINIT; return TIMELIB_GNU_NOCOLON; } -#line 15748 "ext/date/lib/parse_date.c" +#line 15751 "ext/date/lib/parse_date.c" yy1069: YYDEBUG(1069, *YYCURSOR); yych = *++YYCURSOR; @@ -15836,7 +15839,7 @@ yy1075: } yy1076: YYDEBUG(1076, *YYCURSOR); -#line 1253 "ext/date/lib/parse_date.re" +#line 1256 "ext/date/lib/parse_date.re" { int tz_not_found; DEBUG_OUTPUT("iso8601nocolon"); @@ -15855,7 +15858,7 @@ yy1076: TIMELIB_DEINIT; return TIMELIB_ISO_NOCOLON; } -#line 15859 "ext/date/lib/parse_date.c" +#line 15862 "ext/date/lib/parse_date.c" yy1077: YYDEBUG(1077, *YYCURSOR); yyaccept = 25; @@ -16753,7 +16756,7 @@ yy1117: } yy1118: YYDEBUG(1118, *YYCURSOR); -#line 1649 "ext/date/lib/parse_date.re" +#line 1652 "ext/date/lib/parse_date.re" { timelib_sll i; int behavior = 0; @@ -16769,7 +16772,7 @@ yy1118: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 16773 "ext/date/lib/parse_date.c" +#line 16776 "ext/date/lib/parse_date.c" yy1119: YYDEBUG(1119, *YYCURSOR); ++YYCURSOR; @@ -16820,7 +16823,7 @@ yy1126: YYDEBUG(1126, *YYCURSOR); ++YYCURSOR; YYDEBUG(1127, *YYCURSOR); -#line 1122 "ext/date/lib/parse_date.re" +#line 1125 "ext/date/lib/parse_date.re" { timelib_sll i; int behavior = 0; 
@@ -16841,7 +16844,7 @@ yy1126: TIMELIB_DEINIT; return TIMELIB_WEEK_DAY_OF_MONTH; } -#line 16845 "ext/date/lib/parse_date.c" +#line 16848 "ext/date/lib/parse_date.c" yy1128: YYDEBUG(1128, *YYCURSOR); yyaccept = 26; @@ -16949,7 +16952,7 @@ yy1141: } yy1142: YYDEBUG(1142, *YYCURSOR); -#line 1625 "ext/date/lib/parse_date.re" +#line 1628 "ext/date/lib/parse_date.re" { timelib_sll i; int behavior = 0; @@ -16972,7 +16975,7 @@ yy1142: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 16976 "ext/date/lib/parse_date.c" +#line 16979 "ext/date/lib/parse_date.c" yy1143: YYDEBUG(1143, *YYCURSOR); yych = *++YYCURSOR; @@ -19649,7 +19652,7 @@ yy1294: goto yy1298; yy1295: YYDEBUG(1295, *YYCURSOR); -#line 1099 "ext/date/lib/parse_date.re" +#line 1102 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("backof | frontof"); TIMELIB_INIT; @@ -19671,7 +19674,7 @@ yy1295: TIMELIB_DEINIT; return TIMELIB_LF_DAY_OF_MONTH; } -#line 19675 "ext/date/lib/parse_date.c" +#line 19678 "ext/date/lib/parse_date.c" yy1296: YYDEBUG(1296, *YYCURSOR); yyaccept = 28; @@ -21362,7 +21365,7 @@ yy1385: if (yych <= '9') goto yy1385; yy1387: YYDEBUG(1387, *YYCURSOR); -#line 1057 "ext/date/lib/parse_date.re" +#line 1060 "ext/date/lib/parse_date.re" { timelib_ull i; @@ -21386,7 +21389,7 @@ yy1387: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 21390 "ext/date/lib/parse_date.c" +#line 21393 "ext/date/lib/parse_date.c" yy1388: YYDEBUG(1388, *YYCURSOR); yych = *++YYCURSOR; @@ -21822,7 +21825,7 @@ yy1416: ++YYCURSOR; yy1417: YYDEBUG(1417, *YYCURSOR); -#line 1045 "ext/date/lib/parse_date.re" +#line 1048 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("tomorrow"); TIMELIB_INIT; @@ -21833,7 +21836,7 @@ yy1417: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 21837 "ext/date/lib/parse_date.c" +#line 21840 "ext/date/lib/parse_date.c" yy1418: YYDEBUG(1418, *YYCURSOR); yych = *++YYCURSOR; 
@@ -21868,7 +21871,7 @@ yy1419: } yy1420: YYDEBUG(1420, *YYCURSOR); -#line 1035 "ext/date/lib/parse_date.re" +#line 1038 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("midnight | today"); TIMELIB_INIT; @@ -21877,7 +21880,7 @@ yy1420: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 21881 "ext/date/lib/parse_date.c" +#line 21884 "ext/date/lib/parse_date.c" yy1421: YYDEBUG(1421, *YYCURSOR); yych = *++YYCURSOR; @@ -23889,7 +23892,7 @@ yy1499: } yy1500: YYDEBUG(1500, *YYCURSOR); -#line 1014 "ext/date/lib/parse_date.re" +#line 1017 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("now"); TIMELIB_INIT; @@ -23897,7 +23900,7 @@ yy1500: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 23901 "ext/date/lib/parse_date.c" +#line 23904 "ext/date/lib/parse_date.c" yy1501: YYDEBUG(1501, *YYCURSOR); yych = *++YYCURSOR; @@ -24036,7 +24039,7 @@ yy1507: } yy1508: YYDEBUG(1508, *YYCURSOR); -#line 1023 "ext/date/lib/parse_date.re" +#line 1026 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("noon"); TIMELIB_INIT; @@ -24047,7 +24050,7 @@ yy1508: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 24051 "ext/date/lib/parse_date.c" +#line 24054 "ext/date/lib/parse_date.c" yy1509: YYDEBUG(1509, *YYCURSOR); yyaccept = 0; @@ -24580,7 +24583,7 @@ yy1530: ++YYCURSOR; yy1531: YYDEBUG(1531, *YYCURSOR); -#line 1002 "ext/date/lib/parse_date.re" +#line 1005 "ext/date/lib/parse_date.re" { DEBUG_OUTPUT("yesterday"); TIMELIB_INIT; @@ -24591,7 +24594,7 @@ yy1531: TIMELIB_DEINIT; return TIMELIB_RELATIVE; } -#line 24595 "ext/date/lib/parse_date.c" +#line 24598 "ext/date/lib/parse_date.c" yy1532: YYDEBUG(1532, *YYCURSOR); yyaccept = 0; @@ -24764,7 +24767,7 @@ yy1537: goto yy1531; } } -#line 1775 "ext/date/lib/parse_date.re" +#line 1778 "ext/date/lib/parse_date.re" } diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re index 1fbd6705922..74a70336087 100644 --- a/ext/date/lib/parse_date.re +++ b/ext/date/lib/parse_date.re 
@@ -401,9 +401,12 @@ static timelib_sll timelib_meridian_with_check(char **ptr, timelib_sll h) { timelib_sll retval = 0; - while (!strchr("AaPp", **ptr)) { + while (**ptr && !strchr("AaPp", **ptr)) { ++*ptr; } + if(!**ptr) { + return TIMELIB_UNSET; + } if (**ptr == 'a' || **ptr == 'A') { if (h == 12) { retval = -12; diff --git a/ext/date/lib/parse_iso_intervals.c b/ext/date/lib/parse_iso_intervals.c index 07c5b763840..ca15b67201d 100644 --- a/ext/date/lib/parse_iso_intervals.c +++ b/ext/date/lib/parse_iso_intervals.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Mon Dec 5 22:02:31 2011 */ +/* Generated by re2c 0.13.5 on Fri Jul 18 16:11:41 2014 */ #line 1 "ext/date/lib/parse_iso_intervals.re" /* +----------------------------------------------------------------------+ diff --git a/ext/date/tests/bug67253.phpt b/ext/date/tests/bug67253.phpt new file mode 100644 index 00000000000..b28cbe63c19 --- /dev/null +++ b/ext/date/tests/bug67253.phpt @@ -0,0 +1,44 @@ +--TEST-- +Bug #67253 (timelib_meridian_with_check out-of-bounds read) +--INI-- +date.timezone=Europe/Berlin +--FILE-- + + bool(false) + ["month"]=> + bool(false) + ["day"]=> + bool(false) + ["hour"]=> + int(0) + ["minute"]=> + int(0) + ["second"]=> + int(0) + ["fraction"]=> + bool(false) + ["warning_count"]=> + int(0) + ["warnings"]=> + array(0) { + } + ["error_count"]=> + int(3) + ["errors"]=> + array(3) { + [0]=> + string(51) "Meridian can only come after an hour has been found" + [1]=> + string(29) "A meridian could not be found" + [9]=> + string(12) "Data missing" + } + ["is_localtime"]=> + bool(false) +} + From 52de149ebccfea4b63da2e5bacf6f60a1bfc7ffb Mon Sep 17 00:00:00 2001 
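Review bot: The early `return TIMELIB_UNSET;` added after the scan loop in timelib_meridian_with_check is the line that actually stops the parser at the end of the input, and it needs a comment saying so. The added `**ptr &&` does not change where the loop stops: strchr() treats the terminating NUL as part of the searched string, so `strchr("AaPp", '\0')` is non-NULL and the old loop already ended on the terminator. I would put `/* end of input without a meridian: return before *ptr is advanced any further */` above the `if(!**ptr)` check. The rest of the function and its callers are outside the hunk, so it is worth confirming that every caller treats TIMELIB_UNSET as a parse error and not as an hour offset.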
From: Remi Collet Date: Tue, 3 Jun 2014 11:05:00 +0200 Subject: [PATCH 18/51] Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch Only revelant part applied --- ext/fileinfo/libmagic/cdf.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index ea67966c49b..f57753a9565 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, size_t ss = CDF_SHORT_SEC_SIZE(h); size_t pos = CDF_SHORT_SEC_POS(h, id); assert(ss == len); - if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { + if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", - pos, CDF_SEC_SIZE(h) * sst->sst_len)); + pos + len, CDF_SEC_SIZE(h) * sst->sst_len)); return -1; } (void)memcpy(((char *)buf) + offs, From ec002bd837bec0c6032b58ff2b7216a9ecf45793 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 23 Jun 2014 00:19:37 -0700 Subject: [PATCH 19/51] Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability --- ext/standard/info.c | 8 ++++---- .../tests/general_functions/bug67498.phpt | 15 +++++++++++++++ 2 files changed, 19 insertions(+), 4 deletions(-) create mode 100644 ext/standard/tests/general_functions/bug67498.phpt diff --git a/ext/standard/info.c b/ext/standard/info.c index a7c517dc414..1256773351e 100644 --- a/ext/standard/info.c +++ b/ext/standard/info.c 
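Review bot: The new bound `pos + len > CDF_SEC_SIZE(h) * sst->sst_len` in cdf_read_short_sector adds two sizes before comparing them with the limit, so a sum that wraps around would pass the check and reach the memcpy. Whether `pos` can get that large depends on the type of `id` and on the width of size_t, neither of which the hunk shows, but the subtraction form removes the question: `size_t lim = CDF_SEC_SIZE(h) * sst->sst_len;` followed by `if (pos > lim || len > lim - pos) {`. Note also that `assert(ss == len)` disappears in NDEBUG builds, so this comparison is the only runtime constraint on `len` visible here. The function starts and ends outside the hunk.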
@@ -972,16 +972,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC) php_info_print_table_start(); php_info_print_table_header(2, "Variable", "Value"); - if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data)); } php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC); diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt new file mode 100644 index 00000000000..5b5951b0f8b --- /dev/null +++ b/ext/standard/tests/general_functions/bug67498.phpt @@ -0,0 +1,15 @@ +--TEST-- +phpinfo() Type Confusion Information Leak Vulnerability +--FILE-- + +==DONE== +--EXPECTF-- +phpinfo() + +PHP Variables +%A +==DONE== From 6bd5a06894fa2f8c1b53bf92fb809d911b740e84 Mon Sep 17 00:00:00 2001 
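Review bot: The lookup followed by the `Z_TYPE_PP(data) == IS_STRING` test is now written out four times in php_print_info, once per variable, and the next variable added to this table can easily be added without the type check. A small table-driven loop keeps the check in one place and makes the list of printed names easy to audit. The sketch below uses only calls already present in the hunk and reuses the existing `data` variable. php_print_info starts and ends outside the hunk.

```c
/* … unchanged: php_info_print_table_start() and the "Variable"/"Value" header … */
{
	static const char *const names[] = {
		"PHP_SELF", "PHP_AUTH_TYPE", "PHP_AUTH_USER", "PHP_AUTH_PW"
	};
	size_t i;

	for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
		/* key length includes the terminating NUL, as sizeof("...") did */
		if (zend_hash_find(&EG(symbol_table), names[i], strlen(names[i]) + 1, (void **) &data) != FAILURE
				&& Z_TYPE_PP(data) == IS_STRING) {
			php_info_print_table_row(2, names[i], Z_STRVAL_PP(data));
		}
	}
}
/* … unchanged: php_print_gpcse_array("_REQUEST", …) and what follows … */
```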
From: Remi Collet Date: Tue, 10 Jun 2014 14:02:36 +0200 Subject: [PATCH 20/51] Fixed Bug #67410 fileinfo: mconvert incorrect handling of truncated pascal string size Upstream https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08 --- ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index f9c2836dd26..e5989818395 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -777,10 +777,18 @@ mconvert(struct magic_set *ms, struct magic *m) return 1; } case FILE_PSTRING: { - char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m); + size_t sz = file_pstring_length_size(m); + char *ptr1 = p->s, *ptr2 = ptr1 + sz; size_t len = file_pstring_get_length(m, ptr1); - if (len >= sizeof(p->s)) - len = sizeof(p->s) - 1; + if (len >= sizeof(p->s)) { + /* + * The size of the pascal string length (sz) + * is 1, 2, or 4. We need at least 1 byte for NUL + * termination, but we've already truncated the + * string by p->s, so we need to deduct sz. + */ + len = sizeof(p->s) - sz; + } while (len--) *ptr1++ = *ptr2++; *ptr1 = '\0'; From 8d1d03850955855b86f949b43e532ef8c22c1cc3 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 10 Jun 2014 14:13:14 +0200 Subject: [PATCH 21/51] Fixed Bug #67411 fileinfo: cdf_check_stream_offset insufficient boundary check Upstream: https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67 Conflicts: ext/fileinfo/libmagic/cdf.c --- ext/fileinfo/libmagic/cdf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index f57753a9565..5dce5ced580 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c 
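Review bot: The truncation test in the FILE_PSTRING case still compares against `sizeof(p->s)` while the clamp assigns `sizeof(p->s) - sz`, so a length between the two is left unclamped. With `len == sizeof(p->s) - 1` the copy loop reads through `ptr2` up to `sz - 1` bytes past the end of `p->s`, because `ptr2` starts `sz` bytes into the buffer. Testing against the same limit that is assigned closes the gap: `if (len >= sizeof(p->s) - sz) {` followed by the existing `len = sizeof(p->s) - sz;`. This assumes file_pstring_get_length() returns the payload length without the length prefix, which the hunk does not show. The mconvert body starts and ends outside the hunk.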
@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, { const char *b = (const char *)sst->sst_tab; const char *e = ((const char *)p) + tail; + size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ? + CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h); (void)&line; - if (e >= b && (size_t)(e - b) < CDF_SEC_SIZE(h) * sst->sst_len) + if (e >= b && (size_t)(e - b) <= ss * sst->sst_len) return 0; DPRINTF(("%d: offset begin %p end %p %" SIZE_T_FORMAT "u" " >= %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), - CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); + ss * sst->sst_len, ss, sst->sst_len)); errno = EFTYPE; return -1; } From 892def5f12716c9f926588bd2190acd6ea99a3a0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 10 Jun 2014 14:22:04 +0200 Subject: [PATCH 22/51] Bug #67412 fileinfo: cdf_count_chain insufficient boundary check Upstream: https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382 --- ext/fileinfo/libmagic/cdf.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 5dce5ced580..3b6f4881d97 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -470,7 +470,8 @@ size_t cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) { size_t i, j; - cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size); + cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size) + / sizeof(maxsector)); DPRINTF(("Chain:")); for (j = i = 0; sid >= 0; i++, j++) { @@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) errno = EFTYPE; return (size_t)-1; } - if (sid > maxsector) { - DPRINTF(("Sector %d > %d\n", sid, maxsector)); + if (sid >= maxsector) { + DPRINTF(("Sector %d >= %d\n", sid, maxsector)); errno = EFTYPE; return (size_t)-1; } From 2fe5bcbeb58bb1088f9fcdb9f02599880454b602 Mon Sep 17 00:00:00 2001 
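Review bot: With the comparison relaxed to `<=`, cdf_check_stream_offset accepts an end pointer `e` that sits exactly at the end of the stream, so the check protects a read only when `tail` covers the whole access. A caller that passes the offset of a field and then reads the field can still run past the buffer, so the contract belongs above the function, for example `/* p + tail must be one past the last byte the caller will read */`. The DPRINTF text still prints `>=` between the two sizes although the rejected case is now strictly greater. Separately, `ss * sst->sst_len` multiplies two values that presumably come from the file, so the product is worth checking for overflow. The signature starts outside the hunk.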
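Review bot: The divisor `sizeof(maxsector)` in the first cdf_count_chain hunk takes the size of the local variable rather than of the table element it stands for, so the bound is right only while the two types stay the same; `/ sizeof(cdf_secid_t)` says what is meant. The product is computed in size_t and then narrowed by the `(cdf_secid_t)` cast, and the `sid >= maxsector` test in the second hunk depends on that narrowed value. A one-line comment such as `/* number of sector ids in the table, not its size in bytes */` on the declaration would make the unit explicit. The loop body continues outside both hunks.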
From: Remi Collet Date: Tue, 10 Jun 2014 14:33:37 +0200 Subject: [PATCH 23/51] Fixed Bug #67413 fileinfo: cdf_read_property_info insufficient boundary chec Upstream: https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d Adapted for C standard. --- ext/fileinfo/libmagic/cdf.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 3b6f4881d97..958cf8276c9 100644 --- a/ext/fileinfo/libmagic/cdf.c +++ b/ext/fileinfo/libmagic/cdf.c @@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) goto out; for (i = 0; i < sh.sh_properties; i++) { - size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); + size_t ofs, tail = (i << 1) + 1; + if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), + __LINE__) == -1) + goto out; + ofs = CDF_GETUINT32(p, tail); q = (const uint8_t *)(const void *) ((const char *)(const void *)p + ofs - 2 * sizeof(uint32_t)); From b512adf78d2a1b5fc16cec7dc767b2e5c8f0297e Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 8 Jun 2014 23:00:38 -0700 Subject: [PATCH 24/51] Fixed bug #67399 (putenv with empty variable may lead to crash) Conflicts: ext/standard/basic_functions.c --- ext/standard/basic_functions.c | 131 +++++++++--------- .../tests/general_functions/putenv.phpt | 9 ++ 2 files changed, 74 insertions(+), 66 deletions(-) diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c index 61e2f39049a..8de6cb5455c 100644 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c 
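Review bot: The added cdf_check_stream_offset call in cdf_read_property_info validates `p + tail * sizeof(uint32_t)`, which is presumably where the 32-bit read by `CDF_GETUINT32(p, tail)` begins and not where it ends, so the four bytes of the access itself are not covered. If the helper accepts an end pointer equal to the end of the stream, as the `<=` comparison introduced for it earlier in this series suggests, an index landing on that boundary passes and the read goes past the buffer. Passing the end of the access closes this: `if (cdf_check_stream_offset(sst, h, p, (tail + 1) * sizeof(uint32_t), __LINE__) == -1)`. The loop and the function continue outside the hunk.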
@@ -4050,39 +4050,42 @@ PHP_FUNCTION(putenv) { char *setting; int setting_len; + char *p, **env; + putenv_entry pe; +#ifdef PHP_WIN32 + char *value = NULL; + int equals = 0; + int error_code; +#endif if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &setting, &setting_len) == FAILURE) { return; } + + if(setting_len == 0 || setting[0] == '=') { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter syntax"); + RETURN_FALSE; + } - if (setting_len) { - char *p, **env; - putenv_entry pe; + pe.putenv_string = estrndup(setting, setting_len); + pe.key = estrndup(setting, setting_len); + if ((p = strchr(pe.key, '='))) { /* nullify the '=' if there is one */ + *p = '\0'; #ifdef PHP_WIN32 - char *value = NULL; - int equals = 0; - int error_code; + equals = 1; #endif + } - pe.putenv_string = estrndup(setting, setting_len); - pe.key = estrndup(setting, setting_len); - if ((p = strchr(pe.key, '='))) { /* nullify the '=' if there is one */ - *p = '\0'; + pe.key_len = strlen(pe.key); #ifdef PHP_WIN32 - equals = 1; -#endif - } - - pe.key_len = strlen(pe.key); -#ifdef PHP_WIN32 - if (equals) { - if (pe.key_len < setting_len - 1) { - value = p + 1; - } else { - /* empty string*/ - value = p; - } + if (equals) { + if (pe.key_len < setting_len - 1) { + value = p + 1; + } else { + /* empty string*/ + value = p; } + } #endif if (PG(safe_mode)) { 
@@ -4120,55 +4123,51 @@ PHP_FUNCTION(putenv) zend_hash_del(&BG(putenv_ht), pe.key, pe.key_len+1); - /* find previous value */ - pe.previous_value = NULL; - for (env = environ; env != NULL && *env != NULL; env++) { - if (!strncmp(*env, pe.key, pe.key_len) && (*env)[pe.key_len] == '=') { /* found it */ + /* find previous value */ + pe.previous_value = NULL; + for (env = environ; env != NULL && *env != NULL; env++) { + if (!strncmp(*env, pe.key, pe.key_len) && (*env)[pe.key_len] == '=') { /* found it */ #if defined(PHP_WIN32) - /* must copy previous value because MSVCRT's putenv can free the string without notice */ - pe.previous_value = estrdup(*env); + /* must copy previous value because MSVCRT's putenv can free the string without notice */ + pe.previous_value = estrdup(*env); #else - pe.previous_value = *env; + pe.previous_value = *env; #endif - break; - } - } - -#if HAVE_UNSETENV - if (!p) { /* no '=' means we want to unset it */ - unsetenv(pe.putenv_string); - } - if (!p || putenv(pe.putenv_string) == 0) { /* success */ -#else -# ifndef PHP_WIN32 - if (putenv(pe.putenv_string) == 0) { /* success */ -# else - error_code = SetEnvironmentVariable(pe.key, value); -# if _MSC_VER < 1500 - /* Yet another VC6 bug, unset may return env not found */ - if (error_code != 0 || - (error_code == 0 && GetLastError() == ERROR_ENVVAR_NOT_FOUND)) { -# else - if (error_code != 0) { /* success */ -# endif -# endif -#endif - zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len + 1, (void **) &pe, sizeof(putenv_entry), NULL); -#ifdef HAVE_TZSET - if (!strncmp(pe.key, "TZ", pe.key_len)) { - tzset(); - } -#endif - RETURN_TRUE; - } else { - efree(pe.putenv_string); - efree(pe.key); - RETURN_FALSE; + break; } } - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter syntax"); - RETURN_FALSE; +#if HAVE_UNSETENV + if (!p) { /* no '=' means we want to unset it */ + unsetenv(pe.putenv_string); + } + if (!p || putenv(pe.putenv_string) == 0) { /* success */ +#else +# ifndef PHP_WIN32 + if 
(putenv(pe.putenv_string) == 0) { /* success */ +# else + error_code = SetEnvironmentVariable(pe.key, value); +# if _MSC_VER < 1500 + /* Yet another VC6 bug, unset may return env not found */ + if (error_code != 0 || + (error_code == 0 && GetLastError() == ERROR_ENVVAR_NOT_FOUND)) { +# else + if (error_code != 0) { /* success */ +# endif +# endif +#endif + zend_hash_add(&BG(putenv_ht), pe.key, pe.key_len + 1, (void **) &pe, sizeof(putenv_entry), NULL); +#ifdef HAVE_TZSET + if (!strncmp(pe.key, "TZ", pe.key_len)) { + tzset(); + } +#endif + RETURN_TRUE; + } else { + efree(pe.putenv_string); + efree(pe.key); + RETURN_FALSE; + } } /* }}} */ #endif diff --git a/ext/standard/tests/general_functions/putenv.phpt b/ext/standard/tests/general_functions/putenv.phpt index afe1badce48..254207320be 100644 --- a/ext/standard/tests/general_functions/putenv.phpt +++ b/ext/standard/tests/general_functions/putenv.phpt @@ -15,6 +15,9 @@ var_dump(getenv($var_name)); var_dump(putenv($var_name)); var_dump(getenv($var_name)); +var_dump(putenv("=123")); +var_dump(putenv("")); + echo "Done\n"; ?> --EXPECTF-- @@ -25,4 +28,10 @@ bool(true) string(0) "" bool(true) bool(false) + +Warning: putenv(): Invalid parameter syntax in %s on line %d +bool(false) + +Warning: putenv(): Invalid parameter syntax in %s on line %d +bool(false) Done From 8ab4e2e90de44db0ee56b53e956b2b23f3c1cfa8 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Wed, 4 Jun 2014 01:06:01 -0700 Subject: [PATCH 25/51] Fix bug #67349: Locale::parseLocale Double Free --- ext/intl/locale/locale_methods.c | 7 +++---- ext/intl/tests/locale_parse_locale2.phpt | 6 +++++- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index 1707c69f933..0afbba2a517 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c 
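Review bot: On Windows the failure branch at the end of this putenv hunk frees `pe.putenv_string` and `pe.key` but not `pe.previous_value`, which the PHP_WIN32 branch of the environ scan a few lines earlier allocates with `estrdup(*env)`. The hunk only re-indents that code, so the leak predates the commit, but the new side is a good place to fix it by adding `#if defined(PHP_WIN32)`, `if (pe.previous_value) { efree(pe.previous_value); }`, `#endif` before the final `RETURN_FALSE;`. A smaller point in the same hunk: `strncmp(pe.key, "TZ", pe.key_len)` compares only `key_len` bytes, so a one-character key `T` also triggers `tzset()`. The hunk starts in the middle of the function.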
@@ -269,8 +269,7 @@ static char* get_icu_value_internal( char* loc_name , char* tag_name, int* resul grOffset = findOffset( LOC_GRANDFATHERED , loc_name ); if( grOffset >= 0 ){ if( strcmp(tag_name , LOC_LANG_TAG)==0 ){ - tag_value = estrdup(loc_name); - return tag_value; + return estrdup(loc_name); } else { /* Since Grandfathered , no value , do nothing , retutn NULL */ return NULL; @@ -280,8 +279,8 @@ static char* get_icu_value_internal( char* loc_name , char* tag_name, int* resul if( fromParseLocale==1 ){ /* Handle singletons */ if( strcmp(tag_name , LOC_LANG_TAG)==0 ){ - if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){ - return loc_name; + if( strlen(loc_name)>1 && isIDPrefix(loc_name) ){ + return estrdup(loc_name); } } diff --git a/ext/intl/tests/locale_parse_locale2.phpt b/ext/intl/tests/locale_parse_locale2.phpt index 6012862a489..30cc8cc0ae5 100644 --- a/ext/intl/tests/locale_parse_locale2.phpt +++ b/ext/intl/tests/locale_parse_locale2.phpt @@ -63,7 +63,8 @@ function ut_main() //Some Invalid Tags: 'de-419-DE', 'a-DE', - 'ar-a-aaa-b-bbb-a-ccc' + 'ar-a-aaa-b-bbb-a-ccc', + 'x-AAAAAA', ); @@ -201,3 +202,6 @@ No values found from Locale parsing. --------------------- ar-a-aaa-b-bbb-a-ccc: language : 'ar' , +--------------------- +x-AAAAAA: +private0 : 'AAAAAA' , From e644aad3f9138bbb2e77520f033ba902f236b8b5 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 8 Jun 2014 13:44:40 -0700 Subject: [PATCH 26/51] Fix bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1)) --- ext/intl/locale/locale_methods.c | 10 +++++++++- ext/intl/tests/bug67397.phpt | 21 +++++++++++++++++++++ 2 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 ext/intl/tests/bug67397.phpt diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c index 0afbba2a517..881e35618ec 100644 --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c 
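Review bot: After this change every non-NULL return visible in the two get_icu_value_internal hunks is a fresh `estrdup()` copy, but nothing in the code states that rule. The double free being fixed came from a path that handed back `loc_name` itself, so a header comment on the function such as `/* Returns an emalloc'ed string the caller must efree(), or NULL */` would pin the ownership down. The rule covers the grandfathered-tag return in the first hunk and the singleton return in the second; return paths outside the hunks are not visible here and should be checked against it. The second hunk also drops the `== 1` from `isIDPrefix(loc_name)`, which changes behaviour only if that helper can return a non-zero value other than 1.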
@@ -497,8 +497,16 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME RETURN_FALSE; } + if(loc_name_len > ULOC_FULLNAME_CAPACITY) { + /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */ + spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name ); + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, msg , 1 TSRMLS_CC ); + efree(msg); + RETURN_FALSE; + } + if(loc_name_len == 0) { - loc_name = INTL_G(default_locale); + loc_name = INTL_G(default_locale); } if( strcmp(tag_name, DISP_NAME) != 0 ){ diff --git a/ext/intl/tests/bug67397.phpt b/ext/intl/tests/bug67397.phpt new file mode 100644 index 00000000000..b2b2911f8a0 --- /dev/null +++ b/ext/intl/tests/bug67397.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1)) +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +false +'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR' From 8e9777a1f19f079c68df92c8c4ee163e6087a1d1 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 24 Jun 2014 11:21:43 -0700 Subject: [PATCH 27/51] Fix test - because of big #67397 we don't allow overlong locales anymore --- ext/intl/tests/bug62082.phpt | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/ext/intl/tests/bug62082.phpt b/ext/intl/tests/bug62082.phpt index e6ca73e3006..dab1252afda 100644 --- a/ext/intl/tests/bug62082.phpt +++ b/ext/intl/tests/bug62082.phpt 
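Review bot: The new length guard in get_icu_disp_value_src_php uses `>`, but ICU documents ULOC_FULLNAME_CAPACITY as a size that includes the terminating NUL, so a name of exactly that length passes the guard and still does not fit a buffer of that size. `if(loc_name_len >= ULOC_FULLNAME_CAPACITY) {` is the conservative form. The guard also runs before `loc_name` is replaced by `INTL_G(default_locale)` for an empty argument, so the default locale is not length-checked on this path. Other functions in this file that hand `loc_name` to ICU are outside the hunk and may need the same guard.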
@@ -10,6 +10,7 @@ var_dump(locale_get_display_name(str_repeat("a", 300), null)); var_dump(locale_get_display_name(str_repeat("a", 512), null)); var_dump(locale_get_display_name(str_repeat("a", 600), null)); --EXPECT-- -string(300) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -string(512) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" -string(600) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" +bool(false) +bool(false) +bool(false) + From e2ba5c7987141fc11706207b0ce24ea2eb6dea87 Mon Sep 17 00:00:00 2001 
From: Stanislav Malyshev Date: Tue, 10 Jun 2014 23:17:30 -0700 Subject: [PATCH 28/51] Fix bug #66127 (Segmentation fault with ArrayObject unset) --- ext/spl/spl_array.c | 2 +- ext/spl/tests/bug66127.phpt | 25 +++++++++++++++++++++++++ ext/spl/tests/iterator_035.phpt | 2 ++ 3 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 ext/spl/tests/bug66127.phpt diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 77453d66734..f2f3f1c61b5 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -408,7 +408,7 @@ static zval *spl_array_read_dimension_ex(int check_inherited, zval *object, zval /* When in a write context, * ZE has to be fooled into thinking this is in a reference set * by separating (if necessary) and returning as an is_ref=1 zval (even if refcount == 1) */ - if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret)) { + if ((type == BP_VAR_W || type == BP_VAR_RW || type == BP_VAR_UNSET) && !Z_ISREF_PP(ret) && ret != &EG(uninitialized_zval_ptr)) { if (Z_REFCOUNT_PP(ret) > 1) { zval *newval; diff --git a/ext/spl/tests/bug66127.phpt b/ext/spl/tests/bug66127.phpt new file mode 100644 index 00000000000..b5d1dcac4b2 --- /dev/null +++ b/ext/spl/tests/bug66127.phpt @@ -0,0 +1,25 @@ +--TEST-- +Bug #66127 (Segmentation fault with ArrayObject unset) +--INI-- +error_reporting = E_ALL & ~E_NOTICE +--FILE-- + +--EXPECT-- +Worked! diff --git a/ext/spl/tests/iterator_035.phpt b/ext/spl/tests/iterator_035.phpt index 9ce098b69d7..fc0271e3811 100644 --- a/ext/spl/tests/iterator_035.phpt +++ b/ext/spl/tests/iterator_035.phpt @@ -12,4 +12,6 @@ $a[] = &$tmp; echo "Done\n"; ?> --EXPECTF-- +Notice: Indirect modification of overloaded element of ArrayIterator has no effect in %s on line %d + Fatal error: Cannot assign by reference to overloaded object in %s on line %d From b5051ff939eb9dbada8ce10fbea8cf37e50b5a36 Mon Sep 17 00:00:00 2001 
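Review bot: The added `ret != &EG(uninitialized_zval_ptr)` condition in spl_array_read_dimension_ex needs its own comment, because the block comment above it explains the separation but not why one particular pointer is exempt. Presumably `ret` points at that engine-global placeholder when the lookup found nothing, and separating it or marking it as a reference would modify state shared by the whole request; something like `/* never separate or flag the shared placeholder zval */` would record that. The changed expectation in iterator_035.phpt shows a new notice on a by-reference append, which is a user-visible change worth a line in the commit message. The function starts and ends outside the hunk.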
From: Xinchen Hui Date: Sun, 1 Jun 2014 19:41:01 +0800 Subject: [PATCH 29/51] Fixed bug #67359 (Segfault in recursiveDirectoryIterator) --- ext/spl/spl_directory.c | 2 ++ ext/spl/spl_iterators.c | 2 ++ ext/spl/tests/bug67359.phpt | 28 ++++++++++++++++++++++++++++ 3 files changed, 32 insertions(+) create mode 100644 ext/spl/tests/bug67359.phpt diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c index 13af7815c54..149db9ab812 100644 --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@ -819,6 +819,7 @@ SPL_METHOD(DirectoryIterator, seek) zend_call_method_with_0_params(&this_ptr, Z_OBJCE_P(getThis()), &intern->u.dir.func_rewind, "rewind", &retval); if (retval) { zval_ptr_dtor(&retval); + retval = NULL; } } @@ -828,6 +829,7 @@ SPL_METHOD(DirectoryIterator, seek) if (retval) { valid = zend_is_true(retval); zval_ptr_dtor(&retval); + retval = NULL; } if (!valid) { break; diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c index cd0af8fbc52..d83f4507520 100644 --- a/ext/spl/spl_iterators.c +++ b/ext/spl/spl_iterators.c @@ -858,6 +858,8 @@ static union _zend_function *spl_recursive_it_get_method(zval **object_ptr, char *object_ptr = zobj; function_handler = Z_OBJ_HT_P(*object_ptr)->get_method(object_ptr, method, method_len TSRMLS_CC); } + } else { + *object_ptr = zobj; } } return function_handler; diff --git a/ext/spl/tests/bug67359.phpt b/ext/spl/tests/bug67359.phpt new file mode 100644 index 00000000000..e2e61133f31 --- /dev/null +++ b/ext/spl/tests/bug67359.phpt @@ -0,0 +1,28 @@ +--TEST-- +Bug #67359 (Segfault in recursiveDirectoryIterator) +--FILE-- +seek(1); + while( $it->valid()) + { + if( $it->isFile() ) + { + $it->current(); + } + + $it->next(); + } + + $it->current(); +} +catch(Exception $e) +{ +} +echo "okey" +?> +--EXPECTF-- +okey From c74efe1b2efd7222b27d36f383623cd19ed0e102 Mon Sep 17 00:00:00 2001 
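Review bot: Resetting `retval` to NULL after `zval_ptr_dtor(&retval)` in the two DirectoryIterator::seek hunks is complete only if every call in the method that writes through `&retval` is followed by the same reset. The second hunk ends at `break;`, and if the rest of the loop body releases another return value without clearing the pointer, the next `if (retval)` can still see a stale pointer on the following iteration. I would check the remainder of the loop and add `retval = NULL;` after any further `zval_ptr_dtor(&retval);` there. The method starts and ends outside both hunks.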
From: Stanislav Malyshev Date: Sat, 21 Jun 2014 19:46:16 -0700 Subject: [PATCH 30/51] Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion Conflicts: ext/spl/spl_array.c ext/spl/tests/SplObjectStorage_unserialize_bad.phpt --- ext/spl/spl_array.c | 2 +- ext/spl/spl_observer.c | 2 +- ext/spl/tests/SplObjectStorage_unserialize_bad.phpt | 9 ++++++--- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index f2f3f1c61b5..312beaa0084 100644 --- a/ext/spl/spl_array.c +++ b/ext/spl/spl_array.c @@ -1816,7 +1816,7 @@ void spl_array_unserialize_helper(spl_array_object *intern, const unsigned char ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, var_hash_p TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index 876efea6889..1a491e1f48a 100644 --- a/ext/spl/spl_observer.c +++ b/ext/spl/spl_observer.c @@ -801,7 +801,7 @@ SPL_METHOD(SplObjectStorage, unserialize) ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt index 9e3f3605b77..4adfa6f7b4c 100644 --- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt +++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt 
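Review bot: A members blob that unserializes successfully but is not an array now takes the same `goto outexcept` path as a parse failure, in spl_array_unserialize_helper and in the identical SplObjectStorage::unserialize hunk, after php_var_unserialize() has already advanced `p`. The test expectation added later in this patch, `Error at offset 79 of 78 bytes`, looks like the result: the reported offset lies past the end of the input. If the message at the `outexcept` label (outside the hunks) is built from `p`, saving the position before the call and restoring it on a type mismatch would give an accurate diagnostic. At minimum the check should carry a comment such as `/* members must be an array; any other type is treated as corrupt input */`.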
@@ -5,8 +5,9 @@ SPL: Test that serialized blob contains unique elements (CVE-2010-2225) $badblobs = array( 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}', -'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', -'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:1;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}', +'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"', ); foreach($badblobs as $blob) { try { @@ -17,6 +18,7 @@ try { echo $e->getMessage()."\n"; } } +echo "DONE\n"; --EXPECTF-- Error at offset 6 of 34 bytes Error at offset 46 of 89 bytes @@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) { } } } - +Error at offset 79 of 78 bytes +DONE From 1ffb7fddc233f1f64290c54fde478a5c2be5db99 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Fri, 18 Jul 2014 16:49:00 -0700 Subject: [PATCH 31/51] update NEWS --- NEWS | 50 ++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/NEWS b/NEWS index 264b438b595..0a5aea3d80c 100644 --- a/NEWS +++ b/NEWS 
@@ -2,6 +2,56 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 201?, PHP 5.3.29 +- Core: + . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) + . Fixed bug #67247 (spl_fixedarray_resize integer overflow). (Stas) + . Fixed bug #67249 (printf out-of-bounds read). (Stas) + . Fixed bug #67250 (iptcparse out-of-bounds read). (Stas) + . Fixed bug #67252 (convert_uudecode out-of-bounds read). (Stas) + . Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence) + . Fixed bug #67390 (insecure temporary file use in the configure script). + (Remi) (CVE-2014-3981) + . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) + . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type + Confusion) (CVE-2014-3515). (Stefan Esser) + . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). + (Stefan Esser) + +- Date: + . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712) + (Remi) + . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas) + . Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas) + +- Exif: + . Fixed bug #65873 (Integer overflow in exif_read_data()). (Stas) + +- Fileinfo: + . Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol) + . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary + check). (CVE-2014-0207) + . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). + (CVE-2014-0238) + . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in + performance degradation). (CVE-2014-0237) + . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal + string size). (Francisco Alonso, Jan Kaluza, Remi) + . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary + check). (Francisco Alonso, Jan Kaluza, Remi) + . 
Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check). + (Francisco Alonso, Jan Kaluza, Remi) + . Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary + check). (Francisco Alonso, Jan Kaluza, Remi) + +- Intl: + . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas) + . Fixed bug #67397 (Buffer overflow in locale_get_display_name and + uloc_getDisplayName (libicu 4.8.1)). (Stas) + +- Network: + . Fixed bug #67432 (Fix potential segfault in dns_check_record()). + (CVE-2014-4049). (Sara) + 12 Dec 2013, PHP 5.3.28 - Openssl: From 0fe07a0e7454b4e313ad9ef17e85638ae000f4e5 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 27 Jul 2014 02:40:27 -0700 Subject: [PATCH 32/51] Fix missing type checks in various functions --- NEWS | 29 +++++++++++++++++++---------- ext/com_dotnet/com_com.c | 4 ++-- ext/openssl/openssl.c | 12 ++++++------ ext/openssl/tests/026.phpt | 12 ++++++++++++ ext/session/session.c | 3 ++- 5 files changed, 41 insertions(+), 19 deletions(-) create mode 100644 ext/openssl/tests/026.phpt diff --git a/NEWS b/NEWS index 0a5aea3d80c..b444ea582da 100644 --- a/NEWS +++ b/NEWS @@ -14,11 +14,14 @@ PHP NEWS . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515). (Stefan Esser) - . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). + . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (Stefan Esser) - + +- COM: + . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas). + - Date: - . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712) + . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712) (Remi) . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas) . Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas) 
@@ -28,12 +31,12 @@ PHP NEWS - Fileinfo: . Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol) - . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary - check). (CVE-2014-0207) - . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). + . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary + check). (CVE-2014-0207) + . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238) - . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in - performance degradation). (CVE-2014-0237) + . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting + in performance degradation). (CVE-2014-0237) . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary @@ -47,11 +50,17 @@ PHP NEWS . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas) . Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)). (Stas) - + - Network: - . Fixed bug #67432 (Fix potential segfault in dns_check_record()). + . Fixed bug #67432 (Fix potential segfault in dns_check_record()). (CVE-2014-4049). (Sara) +- OpenSSL: + . Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas). + +- Session: + . Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas). + 12 Dec 2013, PHP 5.3.28 - Openssl: diff --git a/ext/com_dotnet/com_com.c b/ext/com_dotnet/com_com.c index 02c475c41de..4fe25fca2e2 100644 --- a/ext/com_dotnet/com_com.c +++ b/ext/com_dotnet/com_com.c 
@@ -698,9 +698,9 @@ PHP_FUNCTION(com_event_sink) /* 0 => typelibname, 1 => dispname */ zval **tmp; - if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS) + if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) typelibname = Z_STRVAL_PP(tmp); - if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS) + if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) dispname = Z_STRVAL_PP(tmp); } else if (sink != NULL) { convert_to_string(sink); diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index 0d2d6442df1..295d6b368a6 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c @@ -649,7 +649,7 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */ return (time_t)-1; } - if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) { + if (ASN1_STRING_length(timestr) != strlen((char*)ASN1_STRING_data(timestr))) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp"); return (time_t)-1; } 
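Review bot: The comparison in asn1_time_to_time_t still mixes the `int` returned by `ASN1_STRING_length()` with the `size_t` returned by `strlen()`; the added `(char*)` cast only settles the pointer-signedness warning. Writing the conversion out, `if ((size_t)ASN1_STRING_length(timestr) != strlen((const char *)ASN1_STRING_data(timestr))) {`, keeps the behaviour and makes it visible. A short comment such as `/* reject timestamps with embedded NUL bytes */` would also help, since that appears to be what the length test is for. The function starts and ends outside the hunk.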
@@ -765,13 +765,13 @@ static int add_oid_section(struct php_x509_request * req TSRMLS_DC) /* {{{ */ req->config_filename, req->var, req->req_config TSRMLS_CC) == FAILURE) return FAILURE #define SET_OPTIONAL_STRING_ARG(key, varname, defval) \ - if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \ + if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) \ varname = Z_STRVAL_PP(item); \ else \ varname = defval #define SET_OPTIONAL_LONG_ARG(key, varname, defval) \ - if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \ + if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_LONG) \ varname = Z_LVAL_PP(item); \ else \ varname = defval @@ -813,7 +813,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT); - if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS) { + if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_BOOL) { req->priv_key_encrypt = Z_BVAL_PP(item); } else { str = CONF_get_string(req->req_config, req->section_name, "encrypt_rsa_key"); 
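Review bot: A wrong-typed option now falls back to `defval` without any diagnostic in SET_OPTIONAL_STRING_ARG and SET_OPTIONAL_LONG_ARG, so a caller who passes the right key with the wrong type gets the default silently. The `encrypt_key` hunk below has the same shape: a non-boolean value falls through to the `encrypt_rsa_key` config lookup, which decides whether the private key is encrypted. The `friendly_name` hunks in openssl_pkcs12_export and openssl_pkcs12_export_to_file simply skip the value. For the options that affect key handling I would emit a warning when the key is present but mistyped, as sketched below. The functions that expand these macros lie outside the hunk.

```c
#define SET_OPTIONAL_LONG_ARG(key, varname, defval)	\
	if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) { \
		if (Z_TYPE_PP(item) == IS_LONG) { \
			varname = Z_LVAL_PP(item); \
		} else { \
			/* key was supplied but is unusable: say so instead of silently using the default */ \
			php_error_docref(NULL TSRMLS_CC, E_WARNING, "option \"%s\" must be an integer, default used", key); \
			varname = defval; \
		} \
	} else \
		varname = defval
/* SET_OPTIONAL_STRING_ARG would take the same shape with IS_STRING / Z_STRVAL_PP */
```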
@@ -1889,7 +1889,7 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file) } /* parse extra config from args array, promote this to an extra function */ - if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS) + if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) friendly_name = Z_STRVAL_PP(item); /* certpbe (default RC2-40) keypbe (default 3DES) @@ -1967,7 +1967,7 @@ PHP_FUNCTION(openssl_pkcs12_export) } /* parse extra config from args array, promote this to an extra function */ - if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS) + if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) friendly_name = Z_STRVAL_PP(item); if (args && zend_hash_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts"), (void**)&item) == SUCCESS) diff --git a/ext/openssl/tests/026.phpt b/ext/openssl/tests/026.phpt new file mode 100644 index 00000000000..38d626d742a --- /dev/null +++ b/ext/openssl/tests/026.phpt @@ -0,0 +1,12 @@ +--TEST-- +Options type checks +--SKIPIF-- + +--FILE-- + "DE"], $x, ["x509_extensions" => 0xDEADBEEF]); +?> +DONE +--EXPECT-- +DONE diff --git a/ext/session/session.c b/ext/session/session.c index 5374db0b60d..c659d2cceed 100644 --- a/ext/session/session.c +++ b/ext/session/session.c 
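Review bot: The new test 026.phpt uses short array syntax (`["x509_extensions" => 0xDEADBEEF]`), which PHP 5.3 does not parse, and the NEWS hunks of this same commit place it on the 5.3 line (the next release entry down is 5.3.28). If the target branch is 5.3, the file would stop with a parse error instead of exercising the new type checks; `array("x509_extensions" => 0xDEADBEEF)` works on every branch. The start of the `--FILE--` section appears to have been lost in this rendering, so the first argument of the call is not fully visible.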
@@ -362,7 +362,8 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */ if (zend_hash_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER"), (void **) &array) == SUCCESS && Z_TYPE_PP(array) == IS_ARRAY && - zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS + zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS && + Z_TYPE_PP(token) == IS_STRING ) { remote_addr = Z_STRVAL_PP(token); } From 990ecc12fcd61f16609d708edd2daf42aaf2a6ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Schl=C3=BCter?= Date: Thu, 31 Jul 2014 15:40:51 +0200 Subject: [PATCH 33/51] PHP 5.3.29RC1 --- NEWS | 2 +- configure.in | 2 +- main/php_version.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index b444ea582da..1b679f39e76 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 201?, PHP 5.3.29 +31 Jul 2014, PHP 5.3.29RC1 - Core: . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) diff --git a/configure.in b/configure.in index d57b7a5616c..77e81d6fd51 100644 --- a/configure.in +++ b/configure.in @@ -42,7 +42,7 @@ AC_CONFIG_HEADER(main/php_config.h) PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=3 PHP_RELEASE_VERSION=29 -PHP_EXTRA_VERSION="-dev" +PHP_EXTRA_VERSION="RC1" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 1d26f58d250..63ddb95eaba 100644 --- a/main/php_version.h +++ b/main/php_version.h 
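Review bot: The new `Z_TYPE_PP(token) == IS_STRING` test in php_session_create_id has no comment saying why a server variable needs a type check, which is not obvious to a reader who assumes `_SERVER` is filled only by the SAPI. The array is looked up in `EG(symbol_table)`, which script code can write to, so the entry can hold any type by the time a session id is generated. I would add `/* _SERVER is script-writable; REMOTE_ADDR may not be a string */` above the condition. When the check fails, `remote_addr` keeps the value it had before the `if`, which is set outside the hunk.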
@@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 3 #define PHP_RELEASE_VERSION 29 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "5.3.29-dev" +#define PHP_EXTRA_VERSION "RC1" +#define PHP_VERSION "5.3.29RC1" #define PHP_VERSION_ID 50329 From d73d44c23709df5b6bebf347cd98088ddd6c8091 Mon Sep 17 00:00:00 2001 From: David Zuelke Date: Sat, 9 Aug 2014 08:14:23 +0200 Subject: [PATCH 34/51] Revert "Merge branch 'pull-request/694' into PHP-5.6" This reverts commit d96de86b5b4ca8adf63ac6e07ab57fc2ec9d87f4, reversing changes made to b1e32a4f7a6c2351a2006c2c1b9085336ba513e4. --- sapi/fpm/fpm/fpm_main.c | 25 ++++++++++++++++++++++++- 1 file changed, 24 insertions(+), 1 deletion(-) diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c index 2ee1456340f..93090832f50 100644 --- a/sapi/fpm/fpm/fpm_main.c +++ b/sapi/fpm/fpm/fpm_main.c @@ -1148,6 +1148,19 @@ static void init_request_info(TSRMLS_D) TRANSLATE_SLASHES(env_document_root); } + if (env_path_translated != NULL && env_redirect_url != NULL && + env_path_translated != script_path_translated && + strcmp(env_path_translated, script_path_translated) != 0) { + /* + * pretty much apache specific. If we have a redirect_url + * then our script_filename and script_name point to the + * php executable + */ + script_path_translated = env_path_translated; + /* we correct SCRIPT_NAME now in case we don't have PATH_INFO */ + env_script_name = env_redirect_url; + } + #ifdef __riscos__ /* Convert path to unix format*/ __riscosify_control |= __RISCOSIFY_DONT_CHECK_DIR; @@ -1316,7 +1329,7 @@ static void init_request_info(TSRMLS_D) efree(pt); } } else { - /* make sure original values are remembered in ORIG_ copies if we've changed them */ + /* make sure path_info/translated are empty */ if (!orig_script_filename || (script_path_translated != orig_script_filename && strcmp(script_path_translated, orig_script_filename) != 0)) { 
@@ -1325,6 +1338,16 @@ static void init_request_info(TSRMLS_D) } script_path_translated = _sapi_cgibin_putenv("SCRIPT_FILENAME", script_path_translated TSRMLS_CC); } + if (env_redirect_url) { + if (orig_path_info) { + _sapi_cgibin_putenv("ORIG_PATH_INFO", orig_path_info TSRMLS_CC); + _sapi_cgibin_putenv("PATH_INFO", NULL TSRMLS_CC); + } + if (orig_path_translated) { + _sapi_cgibin_putenv("ORIG_PATH_TRANSLATED", orig_path_translated TSRMLS_CC); + _sapi_cgibin_putenv("PATH_TRANSLATED", NULL TSRMLS_CC); + } + } if (env_script_name != orig_script_name) { if (orig_script_name) { _sapi_cgibin_putenv("ORIG_SCRIPT_NAME", orig_script_name TSRMLS_CC); From e6d93a11ad343efdc42315f7f69ed82515c9f374 Mon Sep 17 00:00:00 2001 From: David Zuelke Date: Sat, 9 Aug 2014 08:26:33 +0200 Subject: [PATCH 35/51] restore FPM compatibility with mod_fastcgi broken since #694 / 67541, fixes bug 67606 --- sapi/fpm/fpm/fpm_main.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c index 93090832f50..cd5492d73d3 100644 --- a/sapi/fpm/fpm/fpm_main.c +++ b/sapi/fpm/fpm/fpm_main.c @@ -1148,13 +1148,16 @@ static void init_request_info(TSRMLS_D) TRANSLATE_SLASHES(env_document_root); } - if (env_path_translated != NULL && env_redirect_url != NULL && + if (!apache_was_here && env_path_translated != NULL && env_redirect_url != NULL && env_path_translated != script_path_translated && strcmp(env_path_translated, script_path_translated) != 0) { /* * pretty much apache specific. If we have a redirect_url * then our script_filename and script_name point to the * php executable + * we don't want to do this for the new mod_proxy_fcgi approach, + * where redirect_url may also exist but the below will break + * with rewrites to PATH_INFO, hence the !apache_was_here check */ script_path_translated = env_path_translated; /* we correct SCRIPT_NAME now in case we don't have PATH_INFO */ 
@@ -1329,7 +1332,7 @@ static void init_request_info(TSRMLS_D) efree(pt); } } else { - /* make sure path_info/translated are empty */ + /* make sure original values are remembered in ORIG_ copies if we've changed them */ if (!orig_script_filename || (script_path_translated != orig_script_filename && strcmp(script_path_translated, orig_script_filename) != 0)) { @@ -1338,7 +1341,9 @@ static void init_request_info(TSRMLS_D) } script_path_translated = _sapi_cgibin_putenv("SCRIPT_FILENAME", script_path_translated TSRMLS_CC); } - if (env_redirect_url) { + if (!apache_was_here && env_redirect_url) { + /* if we used PATH_TRANSLATED to work around Apache mod_fastcgi (but not mod_proxy_fcgi, + * hence !apache_was_here) weirdness, strip info accordingly */ if (orig_path_info) { _sapi_cgibin_putenv("ORIG_PATH_INFO", orig_path_info TSRMLS_CC); _sapi_cgibin_putenv("PATH_INFO", NULL TSRMLS_CC); From 37c08f466ec1bdb0909989a2fab54352d368d37c Mon Sep 17 00:00:00 2001 From: David Zuelke Date: Sat, 9 Aug 2014 08:30:50 +0200 Subject: [PATCH 36/51] NEWS entry for e6d93a1 / d73d44c --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index 6cc1304c137..e4b0ed20532 100644 --- a/NEWS +++ b/NEWS @@ -11,6 +11,9 @@ PHP NEWS . Fixed bug #67705 (extensive backtracking in rule regular expression). (CVE-2014-3538) (Remi) +- FPM: + . Fix bug #67606 (revised fix 67541, broke mod_fastcgi BC). (David Zuelke) + - GD: . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference). (CVE-2014-2497) (Remi) From daa1fb8ba68924288216c68eec5bd0d1f8ffd98c Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 12 Aug 2014 11:49:46 +0200 Subject: [PATCH 37/51] backported the fix for bug #41577 --- ext/com_dotnet/com_dotnet.c | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/ext/com_dotnet/com_dotnet.c b/ext/com_dotnet/com_dotnet.c index 0aa1a2a9c7c..073f40f83a2 100644 --- a/ext/com_dotnet/com_dotnet.c +++ b/ext/com_dotnet/com_dotnet.c 
@@ -198,7 +198,8 @@ PHP_FUNCTION(com_dotnet_create_instance) IUnknown *unk = NULL; php_com_initialize(TSRMLS_C); - if (COMG(dotnet_runtime_stuff) == NULL) { + stuff = (struct dotnet_runtime_stuff*)COMG(dotnet_runtime_stuff); + if (stuff == NULL) { hr = dotnet_init(&where TSRMLS_CC); if (FAILED(hr)) { char buf[1024]; @@ -210,9 +211,35 @@ PHP_FUNCTION(com_dotnet_create_instance) ZVAL_NULL(object); return; } - } + stuff = (struct dotnet_runtime_stuff*)COMG(dotnet_runtime_stuff); - stuff = (struct dotnet_runtime_stuff*)COMG(dotnet_runtime_stuff); + } else if (stuff->dotnet_domain == NULL) { + where = "ICorRuntimeHost_GetDefaultDomain"; + hr = ICorRuntimeHost_GetDefaultDomain(stuff->dotnet_host, &unk); + if (FAILED(hr)) { + char buf[1024]; + char *err = php_win32_error_to_msg(hr); + snprintf(buf, sizeof(buf), "Failed to re-init .Net domain [%s] %s", where, err); + if (err) + LocalFree(err); + php_com_throw_exception(hr, buf TSRMLS_CC); + ZVAL_NULL(object); + return; + } + + where = "QI: System._AppDomain"; + hr = IUnknown_QueryInterface(unk, &IID_mscorlib_System_AppDomain, (LPVOID*)&stuff->dotnet_domain); + if (FAILED(hr)) { + char buf[1024]; + char *err = php_win32_error_to_msg(hr); + snprintf(buf, sizeof(buf), "Failed to re-init .Net domain [%s] %s", where, err); + if (err) + LocalFree(err); + php_com_throw_exception(hr, buf TSRMLS_CC); + ZVAL_NULL(object); + return; + } + } obj = CDNO_FETCH(object); From 8c247af1fc0407880e806e670607bac575472e7c Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 12 Aug 2014 11:50:26 +0200 Subject: [PATCH 38/51] updated NEWS --- NEWS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEWS b/NEWS index a13f18e1d9d..c383db1451d 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,8 @@ PHP NEWS - COM: . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas). + . Fixed bug #41577 (DOTNET is successful once per server run) + (Aidas Kasparas) - Fileinfo: . Fixed bug #67705 (extensive backtracking in rule regular expression). 
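Review bot: The `QI: System._AppDomain` failure branch in com_dotnet_create_instance returns while `unk` still holds the interface pointer that `ICorRuntimeHost_GetDefaultDomain` just returned, so each failed re-init would leak one COM reference. Calling `IUnknown_Release(unk);` before that `return` would balance it. Whether the success path releases `unk` cannot be seen here, because the function continues past `obj = CDNO_FETCH(object);` outside the hunk. The two error blocks are identical apart from `where` and could share one exit path.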
From de18f42047af5635f23c3eeb404dd5a279b686a1 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 12 Aug 2014 11:51:42 +0200 Subject: [PATCH 39/51] updated NEWS --- NEWS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEWS b/NEWS index 34df29b2c56..2f6a0416ecf 100644 --- a/NEWS +++ b/NEWS @@ -14,6 +14,8 @@ PHP NEWS - COM: . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas). + . Fixed bug #41577 (DOTNET is successful once per server run) + (Aidas Kasparas) - Fileinfo: . Fixed bug #67705 (extensive backtracking in rule regular expression). From 00fe640b19431d7b59aea697f3b66ae5bb920f59 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 12 Aug 2014 11:52:50 +0200 Subject: [PATCH 40/51] updated NEWS --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/NEWS b/NEWS index 6cc1304c137..96bb82f4f02 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2014, PHP 5.6.0 Release Candidate 4 +- COM: + . Fixed bug #41577 (DOTNET is successful once per server run) + (Aidas Kasparas) + - Core: . Fixed bug #67693 (incorrect push to the empty array). (Tjerk) . Removed inconsistency regarding behaviour of array in constants at From f6896e4395e89ceeacd8f8a940cbafeeee3ac4a3 Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Wed, 13 Aug 2014 20:12:42 +0800 Subject: [PATCH 41/51] Fixed #66091 --- NEWS | 3 +++ ext/date/php_date.c | 28 +++++++++++++++++----------- ext/date/tests/bug51866.phpt | 8 ++++---- 3 files changed, 24 insertions(+), 15 deletions(-) diff --git a/NEWS b/NEWS index c383db1451d..2429492cc60 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,9 @@ PHP NEWS . Fixed bug #41631 (socket timeouts not honored in blocking SSL reads) (Daniel Lowrey). +- Date: + . Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk). + ?? ??? 2014, PHP 5.4.32 - COM: diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 4259bf0fcba..92e9480a438 100644 
--- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -2398,11 +2398,7 @@ static void date_object_free_storage_period(void *object TSRMLS_DC) /* Advanced Interface */ PHPAPI zval *php_date_instantiate(zend_class_entry *pce, zval *object TSRMLS_DC) { - Z_TYPE_P(object) = IS_OBJECT; object_init_ex(object, pce); - Z_SET_REFCOUNT_P(object, 1); - Z_UNSET_ISREF_P(object); - return object; } @@ -2510,14 +2506,19 @@ PHP_FUNCTION(date_create) zval *timezone_object = NULL; char *time_str = NULL; int time_str_len = 0; + zval datetime_object; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) { RETURN_FALSE; } - php_date_instantiate(date_ce_date, return_value TSRMLS_CC); - if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) { + php_date_instantiate(date_ce_date, &datetime_object TSRMLS_CC); + if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) { + zval_dtor(&datetime_object); RETURN_FALSE; + } else { + zval *datetime_object_ptr = &datetime_object; + RETVAL_ZVAL(datetime_object_ptr, 0, 0); } } /* }}} */ 
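Review bot: The instantiate / initialize / destroy-on-failure sequence added to date_create is pasted unchanged into date_create_from_format in the next hunk. PATCH 44/51 carries the same pair again, and PATCH 46/51 adds the same lines to the two immutable constructors, which its subject says were lost in a merge. A single static helper taking the class entry and the optional format string would leave one place to get the cleanup right. It is also the place for a comment on why the object is built in a temporary: as the NEWS entry (memory leaks in DateTime constructor) suggests, a failed init can then be destroyed rather than left behind in `return_value`. A sketch follows; each caller reduces to the call plus `RETURN_FALSE` on failure, and the functions start outside the hunk.

```c
/* Build the object in a temporary so that a failed initialisation can be
 * destroyed here instead of being left behind in return_value. */
static int php_date_create_object(zval *return_value, zend_class_entry *ce, char *time_str, int time_str_len, char *format_str, zval *timezone_object TSRMLS_DC)
{
	zval datetime_object;
	zval *datetime_object_ptr = &datetime_object; /* RETVAL_ZVAL needs a pointer variable */

	php_date_instantiate(ce, &datetime_object TSRMLS_CC);
	if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) {
		zval_dtor(&datetime_object);
		return 0;
	}
	RETVAL_ZVAL(datetime_object_ptr, 0, 0);
	return 1;
}

/* in PHP_FUNCTION(date_create), after zend_parse_parameters: */
	if (!php_date_create_object(return_value, date_ce_date, time_str, time_str_len, NULL, timezone_object TSRMLS_CC)) {
		RETURN_FALSE;
	}
```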
@@ -2530,14 +2531,19 @@ PHP_FUNCTION(date_create_from_format) zval *timezone_object = NULL; char *time_str = NULL, *format_str = NULL; int time_str_len = 0, format_str_len = 0; + zval datetime_object; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|O", &format_str, &format_str_len, &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) { RETURN_FALSE; } - php_date_instantiate(date_ce_date, return_value TSRMLS_CC); - if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) { + php_date_instantiate(date_ce_date, &datetime_object TSRMLS_CC); + if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) { + zval_dtor(&datetime_object); RETURN_FALSE; + } else { + zval *datetime_object_ptr = &datetime_object; + RETVAL_ZVAL(datetime_object_ptr, 0, 0); } } /* }}} */ @@ -2560,7 +2566,7 @@ PHP_METHOD(DateTime, __construct) } /* }}} */ -static int php_date_initialize_from_hash(zval **return_value, php_date_obj **dateobj, HashTable *myht TSRMLS_DC) +static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht TSRMLS_DC) { zval **z_date = NULL; zval **z_timezone = NULL; @@ -2630,7 +2636,7 @@ PHP_METHOD(DateTime, __set_state) php_date_instantiate(date_ce_date, return_value TSRMLS_CC); dateobj = (php_date_obj *) zend_object_store_get_object(return_value TSRMLS_CC); - if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { + if (!php_date_initialize_from_hash(&dateobj, myht TSRMLS_CC)) { php_error(E_ERROR, "Invalid serialization data for DateTime object"); } } 
@@ -2648,7 +2654,7 @@ PHP_METHOD(DateTime, __wakeup) myht = Z_OBJPROP_P(object); - if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { + if (!php_date_initialize_from_hash(&dateobj, myht TSRMLS_CC)) { php_error(E_ERROR, "Invalid serialization data for DateTime object"); } } diff --git a/ext/date/tests/bug51866.phpt b/ext/date/tests/bug51866.phpt index 9474f4f58d4..9481aebe9d4 100644 --- a/ext/date/tests/bug51866.phpt +++ b/ext/date/tests/bug51866.phpt @@ -44,7 +44,7 @@ array(4) { string(6) "Y-m-d+" string(19) "2001-11-29 13:20:01" -object(DateTime)#2 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> @@ -70,7 +70,7 @@ array(4) { string(7) "Y-m-d +" string(19) "2001-11-29 13:20:01" -object(DateTime)#3 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> @@ -96,7 +96,7 @@ array(4) { string(6) "Y-m-d+" string(10) "2001-11-29" -object(DateTime)#2 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> @@ -139,7 +139,7 @@ array(4) { string(7) "Y-m-d +" string(11) "2001-11-29 " -object(DateTime)#2 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> From b0f7cc8756b21f3b90bb6d7e52cf7d94d4a4616e Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Wed, 13 Aug 2014 20:16:22 +0800 Subject: [PATCH 42/51] Updated NEWS for #66091 --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index 34df29b2c56..ff734836ff1 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,9 @@ PHP NEWS . Fixed bug #67813 (CachingIterator::__construct InvalidArgumentException wrong message). (tim_siebels_aurich at yahoo dot de) +- Date: + . Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk). + ?? ??? 2014, PHP 5.5.16 - COM: From 4950209a74450acf1d1d6f8a8b6b813a8a410186 Mon Sep 17 00:00:00 2001 
From: Tjerk Meesters Date: Wed, 13 Aug 2014 20:20:54 +0800 Subject: [PATCH 43/51] Updated NEWS for #66091 --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index f77b2f5576d..91e0d3bfee6 100644 --- a/NEWS +++ b/NEWS @@ -36,6 +36,9 @@ PHP NEWS . Fixed bug #67724 (chained zlib filters silently fail with large amounts of data). (Mike) +- Date: + . Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk). + 31 Jul 2014, PHP 5.6.0 Release Candidate 3 - Core: From 4b85f1d46ad90ba8b31e4f961bd84c3e6fa0f0bf Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Wed, 13 Aug 2014 20:12:42 +0800 Subject: [PATCH 44/51] Fixed #66091 --- ext/date/php_date.c | 30 ++++++++++++++++++------------ ext/date/tests/bug51866.phpt | 8 ++++---- 2 files changed, 22 insertions(+), 16 deletions(-) diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 6ff05868a6d..1f7ee758c1c 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c @@ -2534,11 +2534,7 @@ static void date_object_free_storage_period(void *object TSRMLS_DC) /* Advanced Interface */ PHPAPI zval *php_date_instantiate(zend_class_entry *pce, zval *object TSRMLS_DC) { - Z_TYPE_P(object) = IS_OBJECT; object_init_ex(object, pce); - Z_SET_REFCOUNT_P(object, 1); - Z_UNSET_ISREF_P(object); - return object; } 
@@ -2646,14 +2642,19 @@ PHP_FUNCTION(date_create) zval *timezone_object = NULL; char *time_str = NULL; int time_str_len = 0; + zval datetime_object; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) { RETURN_FALSE; } - php_date_instantiate(date_ce_date, return_value TSRMLS_CC); - if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) { + php_date_instantiate(date_ce_date, &datetime_object TSRMLS_CC); + if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) { + zval_dtor(&datetime_object); RETURN_FALSE; + } else { + zval *datetime_object_ptr = &datetime_object; + RETVAL_ZVAL(datetime_object_ptr, 0, 0); } } /* }}} */ @@ -2686,14 +2687,19 @@ PHP_FUNCTION(date_create_from_format) zval *timezone_object = NULL; char *time_str = NULL, *format_str = NULL; int time_str_len = 0, format_str_len = 0; + zval datetime_object; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|O", &format_str, &format_str_len, &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) { RETURN_FALSE; } - php_date_instantiate(date_ce_date, return_value TSRMLS_CC); - if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) { + php_date_instantiate(date_ce_date, &datetime_object TSRMLS_CC); + if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) { + zval_dtor(&datetime_object); RETURN_FALSE; + } else { + zval *datetime_object_ptr = &datetime_object; + RETVAL_ZVAL(datetime_object_ptr, 0, 0); } } /* }}} */ 
@@ -2754,7 +2760,7 @@ PHP_METHOD(DateTimeImmutable, __construct) } /* }}} */ -static int php_date_initialize_from_hash(zval **return_value, php_date_obj **dateobj, HashTable *myht TSRMLS_DC) +static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht TSRMLS_DC) { zval **z_date = NULL; zval **z_timezone = NULL; @@ -2824,7 +2830,7 @@ PHP_METHOD(DateTime, __set_state) php_date_instantiate(date_ce_date, return_value TSRMLS_CC); dateobj = (php_date_obj *) zend_object_store_get_object(return_value TSRMLS_CC); - if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { + if (!php_date_initialize_from_hash(&dateobj, myht TSRMLS_CC)) { php_error(E_ERROR, "Invalid serialization data for DateTime object"); } } @@ -2846,7 +2852,7 @@ PHP_METHOD(DateTimeImmutable, __set_state) php_date_instantiate(date_ce_immutable, return_value TSRMLS_CC); dateobj = (php_date_obj *) zend_object_store_get_object(return_value TSRMLS_CC); - if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { + if (!php_date_initialize_from_hash(&dateobj, myht TSRMLS_CC)) { php_error(E_ERROR, "Invalid serialization data for DateTimeImmutable object"); } } @@ -2864,7 +2870,7 @@ PHP_METHOD(DateTime, __wakeup) myht = Z_OBJPROP_P(object); - if (!php_date_initialize_from_hash(&return_value, &dateobj, myht TSRMLS_CC)) { + if (!php_date_initialize_from_hash(&dateobj, myht TSRMLS_CC)) { php_error(E_ERROR, "Invalid serialization data for DateTime object"); } } diff --git a/ext/date/tests/bug51866.phpt b/ext/date/tests/bug51866.phpt index 9474f4f58d4..9481aebe9d4 100644 --- a/ext/date/tests/bug51866.phpt +++ b/ext/date/tests/bug51866.phpt @@ -44,7 +44,7 @@ array(4) { string(6) "Y-m-d+" string(19) "2001-11-29 13:20:01" -object(DateTime)#2 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> 
@@ -70,7 +70,7 @@ array(4) { string(7) "Y-m-d +" string(19) "2001-11-29 13:20:01" -object(DateTime)#3 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> @@ -96,7 +96,7 @@ array(4) { string(6) "Y-m-d+" string(10) "2001-11-29" -object(DateTime)#2 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> @@ -139,7 +139,7 @@ array(4) { string(7) "Y-m-d +" string(11) "2001-11-29 " -object(DateTime)#2 (3) { +object(DateTime)#%d (3) { ["date"]=> string(26) "2001-11-29 %d:%d:%d.%d" ["timezone_type"]=> From e4905b38b78a4fa9414fd92a60c8273ceb010bcd Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Wed, 13 Aug 2014 20:16:22 +0800 Subject: [PATCH 45/51] Updated NEWS for #66091 --- NEWS | 3 +++ 1 file changed, 3 insertions(+) diff --git a/NEWS b/NEWS index 2f6a0416ecf..d731c3549d8 100644 --- a/NEWS +++ b/NEWS @@ -10,6 +10,9 @@ PHP NEWS . Fixed bug #67813 (CachingIterator::__construct InvalidArgumentException wrong message). (tim_siebels_aurich at yahoo dot de) +- Date: + . Fixed bug #66091 (memory leaks in DateTime constructor) (Tjerk). + ?? ??? 2014, PHP 5.5.16 - COM: From 7fbc99e39021b937458752f18456848587966b84 Mon Sep 17 00:00:00 2001 From: Tjerk Meesters Date: Wed, 13 Aug 2014 20:57:10 +0800 Subject: [PATCH 46/51] Some changes were lost in the merge commit of #66091 --- ext/date/php_date.c | 18 ++++++++++++++---- 1 file changed, 14 insertions(+), 4 deletions(-) diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 1f7ee758c1c..39b25d9cb59 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c 
@@ -2667,14 +2667,19 @@ PHP_FUNCTION(date_create_immutable) zval *timezone_object = NULL; char *time_str = NULL; int time_str_len = 0; + zval datetime_object; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sO!", &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) { RETURN_FALSE; } - php_date_instantiate(date_ce_immutable, return_value TSRMLS_CC); - if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) { + php_date_instantiate(date_ce_immutable, &datetime_object TSRMLS_CC); + if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, NULL, timezone_object, 0 TSRMLS_CC)) { + zval_dtor(&datetime_object); RETURN_FALSE; + } else { + zval *datetime_object_ptr = &datetime_object; + RETVAL_ZVAL(datetime_object_ptr, 0, 0); } } /* }}} */ @@ -2712,14 +2717,19 @@ PHP_FUNCTION(date_create_immutable_from_format) zval *timezone_object = NULL; char *time_str = NULL, *format_str = NULL; int time_str_len = 0, format_str_len = 0; + zval datetime_object; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|O", &format_str, &format_str_len, &time_str, &time_str_len, &timezone_object, date_ce_timezone) == FAILURE) { RETURN_FALSE; } - php_date_instantiate(date_ce_immutable, return_value TSRMLS_CC); - if (!php_date_initialize(zend_object_store_get_object(return_value TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) { + php_date_instantiate(date_ce_immutable, &datetime_object TSRMLS_CC); + if (!php_date_initialize(zend_object_store_get_object(&datetime_object TSRMLS_CC), time_str, time_str_len, format_str, timezone_object, 0 TSRMLS_CC)) { + zval_dtor(&datetime_object); RETURN_FALSE; + } else { + zval *datetime_object_ptr = &datetime_object; + RETVAL_ZVAL(datetime_object_ptr, 0, 0); } } /* }}} */ From 1847cf10c11886850ad9ab5654c4b969810da49a Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Johannes=20Schl=C3=BCter?= Date: Wed, 13 Aug 2014 18:36:10 +0200 Subject: [PATCH 47/51] PHP 5.3.29 --- NEWS | 2 +- configure.in | 2 +- main/php_version.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 1b679f39e76..4b1b7c235e1 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -31 Jul 2014, PHP 5.3.29RC1 +14 Aug 2014, PHP 5.3.29 - Core: . Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas) diff --git a/configure.in b/configure.in index 77e81d6fd51..183c3e3612c 100644 --- a/configure.in +++ b/configure.in @@ -42,7 +42,7 @@ AC_CONFIG_HEADER(main/php_config.h) PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=3 PHP_RELEASE_VERSION=29 -PHP_EXTRA_VERSION="RC1" +PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 63ddb95eaba..e62f0267727 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 3 #define PHP_RELEASE_VERSION 29 -#define PHP_EXTRA_VERSION "RC1" -#define PHP_VERSION "5.3.29RC1" +#define PHP_EXTRA_VERSION "" +#define PHP_VERSION "5.3.29" #define PHP_VERSION_ID 50329 From babeca356b657f2fe14a8be21d31eadadc5a971a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Schl=C3=BCter?= Date: Wed, 13 Aug 2014 21:22:50 +0200 Subject: [PATCH 48/51] It's 2014 already, fix copyright year where user visible Left out all file headers --- Zend/zend.c | 2 +- sapi/cgi/cgi_main.c | 4 ++-- sapi/cli/php.1.in | 4 ++-- sapi/cli/php_cli.c | 2 +- sapi/fpm/fpm/fpm_main.c | 4 ++-- sapi/litespeed/lsapi_main.c | 4 ++-- sapi/milter/php_milter.c | 2 +- win32/build/template.rc | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) 
diff --git a/Zend/zend.c b/Zend/zend.c index d1ebcc858f9..d1f4d370485 100644 --- a/Zend/zend.c +++ b/Zend/zend.c @@ -114,7 +114,7 @@ ZEND_API zval zval_used_for_init; /* True global variable */ /* version information */ static char *zend_version_info; static uint zend_version_info_length; -#define ZEND_CORE_VERSION_INFO "Zend Engine v" ZEND_VERSION ", Copyright (c) 1998-2013 Zend Technologies\n" +#define ZEND_CORE_VERSION_INFO "Zend Engine v" ZEND_VERSION ", Copyright (c) 1998-2014 Zend Technologies\n" #define PRINT_ZVAL_INDENT 4 static void print_hash(zend_write_func_t write_func, HashTable *ht, int indent, zend_bool is_object TSRMLS_DC) /* {{{ */ diff --git a/sapi/cgi/cgi_main.c b/sapi/cgi/cgi_main.c index 1e5f437e7f7..60b474b41d7 100644 --- a/sapi/cgi/cgi_main.c +++ b/sapi/cgi/cgi_main.c @@ -1956,9 +1956,9 @@ consult the installation file that came with this distribution, or visit \n\ SG(request_info).no_headers = 1; } #if ZEND_DEBUG - php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #else - php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #endif php_request_shutdown((void *) 0); fcgi_shutdown(); diff --git a/sapi/cli/php.1.in b/sapi/cli/php.1.in index 2dfa499ba39..bbcea44c585 100644 --- a/sapi/cli/php.1.in +++ b/sapi/cli/php.1.in @@ -1,4 +1,4 @@ -.TH PHP 1 "2013" "The PHP Group" "Scripting Language" +.TH PHP 1 "2014" "The PHP Group" "Scripting Language" .SH NAME php \- PHP Command Line Interface 'CLI' .SH SYNOPSIS 
@@ -425,7 +425,7 @@ contributors all around the world. .SH VERSION INFORMATION This manpage describes \fBphp\fP, version @PHP_VERSION@. .SH COPYRIGHT -Copyright \(co 1997\-2013 The PHP Group +Copyright \(co 1997\-2014 The PHP Group .LP This source file is subject to version 3.01 of the PHP license, that is bundled with this package in the file LICENSE, and is diff --git a/sapi/cli/php_cli.c b/sapi/cli/php_cli.c index 42d2cb818a0..26c628e193a 100644 --- a/sapi/cli/php_cli.c +++ b/sapi/cli/php_cli.c @@ -826,7 +826,7 @@ int main(int argc, char *argv[]) } request_started = 1; - php_printf("PHP %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2013 The PHP Group\n%s", + php_printf("PHP %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, #if ZEND_DEBUG && defined(HAVE_GCOV) "(DEBUG GCOV)", diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c index 763327271fa..6ce8c43fa72 100644 --- a/sapi/fpm/fpm/fpm_main.c +++ b/sapi/fpm/fpm/fpm_main.c @@ -1721,9 +1721,9 @@ int main(int argc, char *argv[]) SG(request_info).no_headers = 1; #if ZEND_DEBUG - php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #else - php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #endif php_request_shutdown((void *) 0); fcgi_shutdown(); diff --git a/sapi/litespeed/lsapi_main.c b/sapi/litespeed/lsapi_main.c index 3e04df95ba8..961c2749573 100644 --- a/sapi/litespeed/lsapi_main.c 
+++ b/sapi/litespeed/lsapi_main.c @@ -719,9 +719,9 @@ static int cli_main( int argc, char * argv[] ) case 'v': if (php_request_startup(TSRMLS_C) != FAILURE) { #if ZEND_DEBUG - php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #else - php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #endif #ifdef PHP_OUTPUT_NEWAPI php_output_end_all(TSRMLS_C); diff --git a/sapi/milter/php_milter.c b/sapi/milter/php_milter.c index 7f2f07d0059..a9e3ad718b0 100644 --- a/sapi/milter/php_milter.c +++ b/sapi/milter/php_milter.c @@ -1111,7 +1111,7 @@ int main(int argc, char *argv[]) } SG(headers_sent) = 1; SG(request_info).no_headers = 1; - php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2014 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); php_end_ob_buffers(1 TSRMLS_CC); exit(1); break; diff --git a/win32/build/template.rc b/win32/build/template.rc index 13e92e9a3bd..f36f2c041c8 100644 --- a/win32/build/template.rc +++ b/win32/build/template.rc 
@@ -65,7 +65,7 @@ BEGIN #endif VALUE "FileVersion", EXT_VERSION VALUE "InternalName", INTERNAL_NAME - VALUE "LegalCopyright", "Copyright © 1997-2013 The PHP Group" + VALUE "LegalCopyright", "Copyright © 1997-2014 The PHP Group" VALUE "LegalTrademarks", "PHP" VALUE "OriginalFilename", FILE_NAME VALUE "ProductName", "PHP" From 7c5af1adf9adc72b795f04e453b8cc57f6889cb2 Mon Sep 17 00:00:00 2001 From: Ferenc Kovacs Date: Thu, 14 Aug 2014 02:17:55 +0200 Subject: [PATCH 49/51] new NEWS block for the next release --- NEWS | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 91e0d3bfee6..3c4f90135f5 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,8 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2014, PHP 5.6.0 Release Candidate 4 +?? ??? 2014, PHP 5.6.0 ??? + +14 Aug 2014, PHP 5.6.0 Release Candidate 4 - COM: . Fixed bug #41577 (DOTNET is successful once per server run) From 1355ea60ccc3d2b289e5ec72877adc3a99ef9f78 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Schl=C3=BCter?= Date: Thu, 14 Aug 2014 17:05:20 +0200 Subject: [PATCH 50/51] Back to -dev (with EOL notice in NEWS) --- NEWS | 4 ++++ configure.in | 4 ++-- main/php_version.h | 8 ++++---- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/NEWS b/NEWS index 4b1b7c235e1..327c9af991b 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +?? ??? 20??, PHP 5.3.30 + +You should not add anything to this tree. PHP 5.3 reached EOL. + 14 Aug 2014, PHP 5.3.29 - Core: diff --git a/configure.in b/configure.in index 183c3e3612c..c592816d17e 100644 --- a/configure.in +++ b/configure.in 
@@ -41,8 +41,8 @@ AC_CONFIG_HEADER(main/php_config.h) PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=3 -PHP_RELEASE_VERSION=29 -PHP_EXTRA_VERSION="" +PHP_RELEASE_VERSION=30 +PHP_EXTRA_VERSION="-dev" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index e62f0267727..886754b9206 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 3 -#define PHP_RELEASE_VERSION 29 -#define PHP_EXTRA_VERSION "" -#define PHP_VERSION "5.3.29" -#define PHP_VERSION_ID 50329 +#define PHP_RELEASE_VERSION 30 +#define PHP_EXTRA_VERSION "-dev" +#define PHP_VERSION "5.3.30-dev" +#define PHP_VERSION_ID 50330 From 7311087cf06bf9f3d6b5863d9b54272f3d163ba9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Johannes=20Schl=C3=BCter?= Date: Thu, 14 Aug 2014 17:08:02 +0200 Subject: [PATCH 51/51] Update Git rules --- README.GIT-RULES | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/README.GIT-RULES b/README.GIT-RULES index 6e90aa97b6f..30686af8123 100644 --- a/README.GIT-RULES +++ b/README.GIT-RULES @@ -51,9 +51,7 @@ Currently we have the following branches in use:: PHP-5.4 Is used to release the PHP 5.4.x series. This is a current stable version and is open for bugfixes only. - PHP-5.3 Is used to release the PHP 5.3.x series. This is currently - in extended support and open forsecurity fixes only. Triaged - via security@php.net + PHP-5.3 This branch is closed. PHP-5.2 This branch is closed. 
@@ -63,7 +61,7 @@ Currently we have the following branches in use:: The next few rules are more of a technical nature:: - 1. All changes should first go to the lowest branch (i.e. 5.3) and then + 1. All changes should first go to the lowest branch (i.e. 5.4) and then get merged up to all other branches. If a change is not needed for later branches (i.e. fixes for features which where dropped from later branches) an empty merge should be done.