From d6095b4f79a1dd0823d576f1bde3d943f4ae0757 Mon Sep 17 00:00:00 2001 From: sbd Date: Tue, 22 Mar 2011 06:31:55 +0000 Subject: Pullup ticket #3393 - requested by taca security fix for lang/php5 Revisions pulled up: - lang/php5/Makefile 1.84 - lang/php5/distinfo 1.89 - lang/php5/patches/patch-main_snprintf.c 1.1 - lang/php5/patches/patch-main_snprintf.h 1.1 - lang/php5/patches/patch-main_spprintf.c 1.1 --- Module Name: pkgsrc Committed By: taca Date: Mon Mar 21 16:34:28 UTC 2011 Modified Files: pkgsrc/lang/php5: Makefile distinfo Added Files: pkgsrc/lang/php5/patches: patch-main_snprintf.c patch-main_snprintf.h patch-main_spprintf.c Log Message: Apply changes by r308525 from PHP's repository to fix bug #54055 (buffer overrun with high values for precision ini setting). It fixes one of security fixes by PHP 5.3.6. Bump PKGREVISION. --- lang/php5/Makefile | 4 ++-- lang/php5/distinfo | 5 ++++- lang/php5/patches/patch-main_snprintf.c | 26 ++++++++++++++++++++++++++ lang/php5/patches/patch-main_snprintf.h | 31 +++++++++++++++++++++++++++++++ lang/php5/patches/patch-main_spprintf.c | 26 ++++++++++++++++++++++++++ 5 files changed, 89 insertions(+), 3 deletions(-) create mode 100644 lang/php5/patches/patch-main_snprintf.c create mode 100644 lang/php5/patches/patch-main_snprintf.h create mode 100644 lang/php5/patches/patch-main_spprintf.c
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index f70e47ecb2a..29d3a6c8682 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.81.2.1 2011/02/23 19:12:53 tron Exp $
+# $NetBSD: Makefile,v 1.81.2.2 2011/03/22 06:31:55 sbd Exp $
 PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= lang
 HOMEPAGE= http://www.php.net/
 COMMENT= PHP Hypertext Preprocessor version 5
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index 42d2570b69e..89ebfe23b8a 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.84.2.2 2011/03/22 06:22:17 sbd Exp $
+$NetBSD: distinfo,v 1.84.2.3 2011/03/22 06:31:55 sbd Exp $
 SHA1 (php-5.2.17/php-5.2.17.tar.bz2) = d68f3b09f766990d815a3c4c63c157db8dab8095
 RMD160 (php-5.2.17/php-5.2.17.tar.bz2) = 567fa8d718b93fb83a89494c83a8bec224ac99e9
@@ -19,3 +19,6 @@ SHA1 (patch-ext_exif_exif.c) = 0a6ab268751e633510cb6b334b1bdb84a014b528
 SHA1 (patch-ext_shmop_shmop.c) = 6e11b87dd71ff26357b14b61df626c40b40a022d
 SHA1 (patch-ext_zip_lib_zip__name__locate.c) = 4030e37ae4f93dbcb1a3a937a5407c2c406a49d6
 SHA1 (patch-ext_zip_php__zip.c) = 134fa566a689d72d63a2fa0aa5c96c4595619089
+SHA1 (patch-main_snprintf.c) = cb112df0cadf84aaeee5987169a31460989995a8
+SHA1 (patch-main_snprintf.h) = 86ae4c1c8ae9183254e9914cb56d3df999f719cf
+SHA1 (patch-main_spprintf.c) = 0fe0888b612402c41f040c8781df7f1a7ca66275
diff --git a/lang/php5/patches/patch-main_snprintf.c b/lang/php5/patches/patch-main_snprintf.c
new file mode 100644
index 00000000000..d2b94156569
--- /dev/null
+++ b/lang/php5/patches/patch-main_snprintf.c
@@ -0,0 +1,26 @@
+$NetBSD: patch-main_snprintf.c,v 1.1.2.2 2011/03/22 06:31:55 sbd Exp $
+
+--- main/snprintf.c.orig 2010-01-03 09:23:27.000000000 +0000
++++ main/snprintf.c
+@@ -675,10 +675,6 @@ static int format_converter(register buf
+
+ /*
+ * Check if a precision was specified
+- *
+- * XXX: an unreasonable amount of precision may be specified
+- * resulting in overflow of num_buf. Currently we
+- * ignore this possibility.
+ */
+ if (*fmt == '.') {
+ adjust_precision = YES;
+@@ -692,6 +688,10 @@ static int format_converter(register buf
+ precision = 0;
+ } else
+ precision = 0;
++
++ if (precision > FORMAT_CONV_MAX_PRECISION) {
++ precision = FORMAT_CONV_MAX_PRECISION;
++ }
+ } else
+ adjust_precision = NO;
+ } else
diff --git a/lang/php5/patches/patch-main_snprintf.h b/lang/php5/patches/patch-main_snprintf.h
new file mode 100644
index 00000000000..4e0541eaf88
--- /dev/null
+++ b/lang/php5/patches/patch-main_snprintf.h
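Review bot: In patch-main_snprintf.c the clamp `if (precision > FORMAT_CONV_MAX_PRECISION)` in format_converter() is added without a comment, while the same patch deletes the XXX note that was the only mention of num_buf overflow at this site. I would put `/* cap precision so the php_gcvt() result fits num_buf; see snprintf.h */` above it, so the limit stays tied to the buffer it protects. The check bounds only the upper side: the visible `precision = 0;` fallbacks suggest negative values are handled in some branches, but the digit-parsing branch is outside the hunk, so it should be confirmed that it cannot produce a negative or wrapped value. The identical hunk in patch-main_spprintf.c (xbuf_format_converter()) needs the same comment and the same confirmation.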
@@ -0,0 +1,31 @@
+$NetBSD: patch-main_snprintf.h,v 1.1.2.2 2011/03/22 06:31:55 sbd Exp $
+
+--- main/snprintf.h.orig 2010-01-03 09:23:27.000000000 +0000
++++ main/snprintf.h
+@@ -12,7 +12,7 @@
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+- | Author: Stig Sæther Bakken |
++ | Author: Stig Sæther Bakken |
+ | Marcus Boerger |
+ +----------------------------------------------------------------------+
+ */
+@@ -148,6 +148,17 @@ extern char * ap_php_conv_10(register wi
+ extern char * ap_php_conv_p2(register u_wide_int num, register int nbits,
+ char format, char *buf_end, register int *len);
+
++/* The maximum precision that's allowed for float conversion. Does not include
++ * decimal separator, exponent, sign, terminator. Currently does not affect
++ * the modes e/f, only g/k/H, as those have a different limit enforced at
++ * another level (see NDIG in php_conv_fp()).
++ * Applies to the formatting functions of both spprintf.c and snprintf.c, which
++ * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the
++ * call to php_gcvt().
++ * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9
++ * should be enough, but let's give some more space) */
++#define FORMAT_CONV_MAX_PRECISION 500
++
+ #endif /* SNPRINTF_H */
+
+ /*
diff --git a/lang/php5/patches/patch-main_spprintf.c b/lang/php5/patches/patch-main_spprintf.c
new file mode 100644
index 00000000000..6c736abbcbb
--- /dev/null
+++ b/lang/php5/patches/patch-main_spprintf.c
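Review bot: FORMAT_CONV_MAX_PRECISION in the second hunk of patch-main_snprintf.h is a bare `500` whose safety rests on a buffer size that appears only in the comment ("MAX_BUF_SIZE = 512"), so nothing fails at build time if either number changes and the overrun fixed here can return. The comment is itself unsure of the margin ("I think MAX_BUF_SIZE - 9 should be enough"); the overhead for sign, decimal separator, exponent and terminator should be worked out and stated as a number. Assuming num_buf is a local array in both converters, a check next to its declaration such as `typedef char format_conv_prec_fits[(FORMAT_CONV_MAX_PRECISION + 9 <= sizeof(num_buf)) ? 1 : -1];` would pin the relationship. The comment also says modes e/f depend on a separate limit (NDIG in php_conv_fp()) that this patch does not touch, so that path should be confirmed as bounded too.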
@@ -0,0 +1,26 @@
+$NetBSD: patch-main_spprintf.c,v 1.1.2.2 2011/03/22 06:31:55 sbd Exp $
+
+--- main/spprintf.c.orig 2010-01-03 09:23:27.000000000 +0000
++++ main/spprintf.c
+@@ -282,10 +282,6 @@ static void xbuf_format_converter(smart_
+
+ /*
+ * Check if a precision was specified
+- *
+- * XXX: an unreasonable amount of precision may be specified
+- * resulting in overflow of num_buf. Currently we
+- * ignore this possibility.
+ */
+ if (*fmt == '.') {
+ adjust_precision = YES;
+@@ -299,6 +295,10 @@ static void xbuf_format_converter(smart_
+ precision = 0;
+ } else
+ precision = 0;
++
++ if (precision > FORMAT_CONV_MAX_PRECISION) {
++ precision = FORMAT_CONV_MAX_PRECISION;
++ }
+ } else
+ adjust_precision = NO;
+ } else
-- cgit v1.2.3