Merge branch 'PHP-7.2' into PHP-7.3
* PHP-7.2:
  Fixed bug #78910
  Fix #78878: Buffer underflow in bc_shift_addsub
  Fix test
  Fix #78862: link() silently truncates after a null byte on Windows
  Fix #78863: DirectoryIterator class silently truncates after a null byte
commit
a65b8abf2c
@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
|
||||
zero_int = FALSE;
|
||||
if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
|
||||
while (*ptr == '0') ptr++; /* Skip leading zeros. */
|
||||
while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
|
||||
while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
|
||||
if (*ptr == '.') ptr++; /* decimal point */
|
||||
while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
|
||||
while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
|
||||
if ((*ptr != '\0') || (digits+strscale == 0))
|
||||
{
|
||||
*num = bc_copy_num (BCG(_zero_));
|
||||
|
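Review bot: The range checks `*ptr >= '0' && *ptr <= '9'` that stand in for `isdigit((int)*ptr)` in bc_str2num's two digit loops carry no comment saying why, so a later cleanup could put isdigit() back. A short comment above the first loop would record it, e.g. `/* Not isdigit(): *ptr is a plain char, so bytes >= 0x80 may be negative (undefined for <ctype.h>) and the result is locale-dependent. */`. That rationale is inferred from the regression test's leading "\xB2" byte and is not stated on the page. The function starts and ends outside the hunk, so the code that later consumes `digits` and `strscale` is not visible here.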
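--- a/ext/bcmath/tests/bug78878.phpt
+++ b/ext/bcmath/tests/bug78878.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78878 (Buffer underflow in bc_shift_addsub)
+--SKIPIF--
+<?php
+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
+?>
+--FILE--
+<?php
+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
+?>
+--EXPECT--
+bc math warning: non-zero scale in modulus
+0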
@ -3138,7 +3138,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
|
||||
/*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s)", maker_note->make?maker_note->make:"");*/
|
||||
if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))
|
||||
continue;
|
||||
if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
|
||||
if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))
|
||||
continue;
|
||||
if (maker_note->id_string && value_len >= maker_note->id_string_len
|
||||
&& strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
|
||||
continue;
|
||||
break;
|
||||
}
|
||||
|
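Review bot: With the `value_len >= maker_note->id_string_len` guard placed inside the conjunction, a MakerNote value shorter than id_string makes the whole condition false, so the loop falls through to `break` and selects that entry even though the identifier cannot be present. Rejecting the short value keeps the strncmp() bounds fix without matching on truncated data: `if (maker_note->id_string && (value_len < maker_note->id_string_len || strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))) continue;`. Whether the code after the loop re-checks value_len before reading from value_ptr is outside this hunk, so this is something to confirm rather than a demonstrated overread.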
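--- a/ext/exif/tests/bug78910.phpt
+++ b/ext/exif/tests/bug78910.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
+--FILE--
+<?php
+
+var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
+
+?>
+--EXPECTF--
+Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+
+Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+
+Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+
+Warning: exif_read_data(): Invalid TIFF file in %s on line %d
+bool(false)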
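Review bot: bug78910.phpt has no `--SKIPIF--` section, unlike bug78878.phpt in the same commit, so on a build without the exif extension it would be reported as a failure instead of being skipped. Adding `--SKIPIF--` followed by `<?php if (!extension_loaded('exif')) die('skip exif extension not available'); ?>` ahead of `--FILE--` keeps the two regression tests consistent.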
@ -708,10 +708,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto
|
||||
|
||||
if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
|
||||
flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
|
||||
parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
|
||||
parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
|
||||
} else {
|
||||
flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
|
||||
parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
|
||||
parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
|
||||
}
|
||||
if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
|
||||
flags |= SPL_FILE_DIR_SKIPDOTS;
|
||||
|
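Review bot: Both zend_parse_parameters() calls switch to the `p` specifier, but the two tests touched by this commit (the bug #54291 test and bug78863.phpt) only construct DirectoryIterator, so at most one of the two branches is exercised. A further case that goes through the other constructor path (presumably FilesystemIterator or RecursiveDirectoryIterator for the DIT_CTOR_FLAGS branch) with a path containing "\0" would pin the `"p|l"` call as well. The function continues outside the hunk.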
@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
|
||||
$dir = new DirectoryIterator("\x00/abc");
|
||||
$dir->isFile();
|
||||
--EXPECTF--
|
||||
Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d
|
||||
Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
|
||||
Stack trace:
|
||||
#0 %s(%d): DirectoryIterator->__construct('\x00/abc')
|
||||
#1 {main}
|
||||
|
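--- a/ext/spl/tests/bug78863.phpt
+++ b/ext/spl/tests/bug78863.phpt
@@ -0,0 +1,31 @@
+--TEST--
+Bug #78863 (DirectoryIterator class silently truncates after a null byte)
+--FILE--
+<?php
+$dir = __DIR__ . '/bug78863';
+mkdir($dir);
+touch("$dir/bad");
+mkdir("$dir/sub");
+touch("$dir/sub/good");
+
+$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
+foreach ($it as $fileinfo) {
+if (!$fileinfo->isDot()) {
+var_dump($fileinfo->getFilename());
+}
+}
+?>
+--EXPECTF--
+Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
+Stack trace:
+#0 %s(%d): DirectoryIterator->__construct('%s')
+#1 {main}
+thrown in %s on line %d
+--CLEAN--
+<?php
+$dir = __DIR__ . '/bug78863';
+unlink("$dir/sub/good");
+rmdir("$dir/sub");
+unlink("$dir/bad");
+rmdir($dir);
+?>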
@ -211,7 +211,7 @@ PHP_FUNCTION(link)
|
||||
|
||||
/*First argument to link function is the target and hence should go to frompath
|
||||
Second argument to link function is the link itself and hence should go to topath */
|
||||
if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
|
||||
if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
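--- a/ext/standard/tests/file/windows_links/bug78862.phpt
+++ b/ext/standard/tests/file/windows_links/bug78862.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #78862 (link() silently truncates after a null byte on Windows)
+--FILE--
+<?php
+file_put_contents(__DIR__ . '/bug78862.target', 'foo');
+var_dump(link(__DIR__ . "/bug78862.target\0more", __DIR__ . "/bug78862.link\0more"));
+var_dump(file_exists(__DIR__ . '/bug78862.link'));
+?>
+--EXPECTF--
+Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d
+NULL
+bool(false)
+--CLEAN--
+<?php
+unlink(__DIR__ . '/bug78862.target');
+unlink(__DIR__ . '/bug78862.link');
+?>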
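Review bot: Both arguments passed to link() contain a NUL byte, so parameter parsing already fails on parameter 1 and the `p` check on the link name is never reached; the test would still pass if only the first specifier had been changed. A second call with a clean target and `__DIR__ . "/bug78862.link\0more"` as the link name, expecting the parameter 2 warning, would cover the truncation the bug title describes. In the passing case `unlink(__DIR__ . '/bug78862.link')` in --CLEAN-- runs on a file that was never created, so guarding it with file_exists() avoids a stray warning.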