author | Ondřej Surý <ondrej@sury.org> | 2014-05-27 16:54:58 +0200 |
---|---|---|
committer | Ondřej Surý <ondrej@sury.org> | 2014-05-27 16:54:58 +0200 |
commit | 32c3fbba663e5b1da38bdd2d84b0a9a78271ddfa (patch) | |
tree | 67a05c22fdb6ad63666fb043c28701bbd6225c9f /ext/standard | |
parent | 4bbffbee21093458feadd96f93b96d4627461cff (diff) | |
download | php-32c3fbba663e5b1da38bdd2d84b0a9a78271ddfa.tar.gz |
New upstream version 5.6.0~beta3+dfsg (upstream/5.6.0_beta3+dfsg)
Diffstat (limited to 'ext/standard')
-rw-r--r-- | ext/standard/html.c | 4 | ||||
-rw-r--r-- | ext/standard/iptc.c | 3 | ||||
-rw-r--r-- | ext/standard/php_fopen_wrapper.c | 23 | ||||
-rw-r--r-- | ext/standard/streamsfuncs.c | 22 | ||||
-rw-r--r-- | ext/standard/tests/image/bug67250.phpt | 8 | ||||
-rw-r--r-- | ext/standard/tests/strings/bug67252.phpt | 13 | ||||
-rw-r--r-- | ext/standard/uuencode.c | 3 |
7 files changed, 57 insertions, 19 deletions
diff --git a/ext/standard/html.c b/ext/standard/html.c index 5bbe39ccb..fd210c808 100644 --- a/ext/standard/html.c +++ b/ext/standard/html.c @@ -901,7 +901,7 @@ static inline size_t write_octet_sequence(unsigned char *buf, enum entity_charse #if 0 return php_mb2_int_to_char(buf, code); #else -#ifdef ZEND_DEBUG +#if ZEND_DEBUG assert(code <= 0xFFU); #endif *buf = code; @@ -912,7 +912,7 @@ static inline size_t write_octet_sequence(unsigned char *buf, enum entity_charse #if 0 /* idem */ return php_mb2_int_to_char(buf, code); #else -#ifdef ZEND_DEBUG +#if ZEND_DEBUG assert(code <= 0xFFU); #endif *buf = code; diff --git a/ext/standard/iptc.c b/ext/standard/iptc.c index 325733910..ad4fa6502 100644 --- a/ext/standard/iptc.c +++ b/ext/standard/iptc.c @@ -329,6 +329,9 @@ PHP_FUNCTION(iptcparse) recnum = buffer[ inx++ ]; if (buffer[ inx ] & (unsigned char) 0x80) { /* long tag */ + if((inx+6) >= str_len) { + break; + } len = (((long) buffer[ inx + 2 ]) << 24) + (((long) buffer[ inx + 3 ]) << 16) + (((long) buffer[ inx + 4 ]) << 8) + (((long) buffer[ inx + 5 ])); inx += 6; diff --git a/ext/standard/php_fopen_wrapper.c b/ext/standard/php_fopen_wrapper.c index 3deb330a8..7e21e95d1 100644 --- a/ext/standard/php_fopen_wrapper.c +++ b/ext/standard/php_fopen_wrapper.c @@ -64,7 +64,7 @@ php_stream_ops php_stream_output_ops = { }; typedef struct php_stream_input { /* {{{ */ - php_stream **body_ptr; + php_stream *body; off_t position; } php_stream_input_t; /* }}} */ 
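Review bot: In the iptc.c hunk, the length decoded right after the new guard, `len = (((long) buffer[ inx + 2 ]) << 24) + ...`, comes straight from the input and is a signed `long`, so where `long` is 32 bits a first length byte of 0x80 or above can make it negative. The added `if((inx+6) >= str_len)` only shows that the six header bytes are readable; it does not constrain `len`. The check on `len` lies outside this hunk, so confirm that it rejects negative values as well as oversized ones, e.g. `if (len < 0 || len > str_len || inx + len > str_len) break;`. A comment on the guard such as `/* long tag: the 6-byte length header must lie inside the buffer */` would also help the next reader.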
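Review bot: In the php_fopen_wrapper.c struct hunk, `body` now holds a copy of the request-body stream pointer instead of the address of the `SG(request_info).request_body` slot, and nothing in the struct says who owns it. If the global stream is closed or replaced while a php://input stream is still open (not visible from this diff, so worth confirming), `input->body` would dangle, whereas the old `*input->body_ptr` followed the slot. Document the field, e.g. `php_stream *body; /* borrowed: aliases SG(request_info).request_body; not owned by this stream */`, and check that the close handler, which is outside these hunks, does not free it.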
@@ -85,13 +85,13 @@ static size_t php_stream_input_read(php_stream *stream, char *buf, size_t count int read_bytes = sapi_read_post_block(buf, count TSRMLS_CC); if (read_bytes > 0) { - php_stream_seek(*input->body_ptr, 0, SEEK_END); - php_stream_write(*input->body_ptr, buf, read_bytes); + php_stream_seek(input->body, 0, SEEK_END); + php_stream_write(input->body, buf, read_bytes); } } - php_stream_seek(*input->body_ptr, input->position, SEEK_SET); - read = php_stream_read(*input->body_ptr, buf, count); + php_stream_seek(input->body, input->position, SEEK_SET); + read = php_stream_read(input->body, buf, count); if (!read || read == (size_t) -1) { stream->eof = 1; @@ -122,9 +122,9 @@ static int php_stream_input_seek(php_stream *stream, off_t offset, int whence, o { php_stream_input_t *input = stream->abstract; - if (*input->body_ptr) { - int sought = php_stream_seek(*input->body_ptr, offset, whence); - *newoffset = (*input->body_ptr)->position; + if (input->body) { + int sought = php_stream_seek(input->body, offset, whence); + *newoffset = (input->body)->position; return sought; } @@ -228,10 +228,11 @@ php_stream * php_stream_url_wrap_php(php_stream_wrapper *wrapper, const char *pa } input = ecalloc(1, sizeof(*input)); - if (*(input->body_ptr = &SG(request_info).request_body)) { - php_stream_rewind(*input->body_ptr); + if ((input->body = SG(request_info).request_body)) { + php_stream_rewind(input->body); } else { - *input->body_ptr = php_stream_temp_create(TEMP_STREAM_DEFAULT, SAPI_POST_BLOCK_SIZE); + input->body = php_stream_temp_create(TEMP_STREAM_DEFAULT, SAPI_POST_BLOCK_SIZE); + SG(request_info).request_body = input->body; } return php_stream_alloc(&php_stream_input_ops, input, 0, "rb"); diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c index 8d42a51af..68b4cceaa 100644 --- a/ext/standard/streamsfuncs.c +++ b/ext/standard/streamsfuncs.c 
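Review bot: `php_stream_input_read` passes `input->body` to `php_stream_seek`, `php_stream_write` and `php_stream_read` without a NULL test, while `php_stream_input_seek` in the next hunk guards with `if (input->body)`. The only assignment visible is in `php_stream_url_wrap_php`, where the result of `php_stream_temp_create(...)` is stored and then published to `SG(request_info).request_body` unchecked. Either check it there, with `if (!input->body) { efree(input); return NULL; }` placed before the `SG(request_info).request_body = input->body;` line, or give the read path the same guard as seek. The return value of `php_stream_write` is also ignored, so a short write to the temp stream would silently lose request-body bytes on a later re-read. All three functions extend beyond their hunks.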
@@ -40,6 +40,8 @@ typedef unsigned long long php_timeout_ull; typedef unsigned __int64 php_timeout_ull; #endif +#define GET_CTX_OPT(stream, wrapper, name, val) (stream->context && SUCCESS == php_stream_context_get_option(stream->context, wrapper, name, &val)) + static php_stream_context *decode_context_param(zval *contextresource TSRMLS_DC); /* Streams based network functions */ @@ -1491,16 +1493,27 @@ PHP_FUNCTION(stream_socket_enable_crypto) long cryptokind = 0; zval *zstream, *zsessstream = NULL; php_stream *stream, *sessstream = NULL; - zend_bool enable; + zend_bool enable, cryptokindnull; int ret; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rb|lr", &zstream, &enable, &cryptokind, &zsessstream) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rb|l!r", &zstream, &enable, &cryptokind, &cryptokindnull, &zsessstream) == FAILURE) { RETURN_FALSE; } php_stream_from_zval(stream, &zstream); - if (ZEND_NUM_ARGS() >= 3) { + if (enable) { + if (ZEND_NUM_ARGS() < 3 || cryptokindnull) { + zval **val; + + if (!GET_CTX_OPT(stream, "ssl", "crypto_method", val)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "When enabling encryption you must specify the crypto type"); + RETURN_FALSE; + } + + cryptokind = Z_LVAL_PP(val); + } + if (zsessstream) { php_stream_from_zval(sessstream, &zsessstream); } @@ -1508,9 +1521,6 @@ PHP_FUNCTION(stream_socket_enable_crypto) if (php_stream_xport_crypto_setup(stream, cryptokind, sessstream TSRMLS_CC) < 0) { RETURN_FALSE; } - } else if (enable) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "When enabling encryption you must specify the crypto type"); - RETURN_FALSE; } ret = php_stream_xport_crypto_enable(stream, enable TSRMLS_CC); diff --git a/ext/standard/tests/image/bug67250.phpt b/ext/standard/tests/image/bug67250.phpt new file mode 100644 index 000000000..607de9f3b --- /dev/null +++ b/ext/standard/tests/image/bug67250.phpt 
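Review bot: `GET_CTX_OPT` uses its parameters unparenthesised (`stream->context`, `&val`), so it expands correctly only when called with plain identifiers. Write it as `#define GET_CTX_OPT(stream, wrapper, name, val) ((stream)->context && SUCCESS == php_stream_context_get_option((stream)->context, (wrapper), (name), &(val)))`. A one-line comment should also state that `stream` is evaluated twice and that `val` must be a `zval **` lvalue which is only valid when the macro yields true.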
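Review bot: In `stream_socket_enable_crypto`, `cryptokind = Z_LVAL_PP(val);` reads the `crypto_method` context option as a long without checking its type. Context options are set by script code, so a string or array value would have its zval storage reinterpreted as an integer and handed to `php_stream_xport_crypto_setup` as the crypto method. Check the type before the read, e.g. `if (Z_TYPE_PP(val) != IS_LONG) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "crypto_method must be an integer"); RETURN_FALSE; }`, or convert a separated copy of the value. The function body starts and ends outside the hunk.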
@@ -0,0 +1,8 @@ +--TEST-- +Bug #67250 (iptcparse out-of-bounds read) +--FILE-- +<?php +var_dump(iptcparse("\x1C\x02_\x80___")); +?> +--EXPECT-- +bool(false) diff --git a/ext/standard/tests/strings/bug67252.phpt b/ext/standard/tests/strings/bug67252.phpt new file mode 100644 index 000000000..80a6ebcf1 --- /dev/null +++ b/ext/standard/tests/strings/bug67252.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #67252 (convert_uudecode out-of-bounds read) +--FILE-- +<?php + +$a = "M86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A86%A"."\n"."a."; +var_dump(convert_uudecode($a)); + +?> +--EXPECTF-- + +Warning: convert_uudecode(): The given parameter is not a valid uuencoded string in %s on line %d +bool(false) diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c index 52e892ed9..8544aef9f 100644 --- a/ext/standard/uuencode.c +++ b/ext/standard/uuencode.c @@ -151,6 +151,9 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */ } while (s < ee) { + if(s+4 > e) { + goto err; + } *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4; *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2; *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3)); |
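Review bot: In the uuencode.c hunk, the new guard `if(s+4 > e)` computes `s+4` before comparing. If `e` is the end of the source buffer, this forms a pointer more than one past the end whenever fewer than three bytes remain, which is undefined behaviour in C even though the pointer is never dereferenced. Comparing the remaining length avoids that: `if (e - s < 4) { goto err; }`, assuming `s` never passes `e` at this point (the setup of `e` and `ee` is outside the hunk). Also confirm that the `err` label, not shown here, releases the output buffer behind `p`.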