diff options
Diffstat (limited to 'bug72606.patch')
| -rw-r--r-- | bug72606.patch | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/bug72606.patch b/bug72606.patch new file mode 100644 index 0000000..1d2707a --- /dev/null +++ b/bug72606.patch @@ -0,0 +1,152 @@ +From e6c48213c22ed50b2b987b479fcc1ac709394caa Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 18 Jul 2016 21:44:39 -0700 +Subject: [PATCH] Fix bug #72606: heap-buffer-overflow (write) + simplestring_addn simplestring.c + +--- + ext/xmlrpc/libxmlrpc/simplestring.c | 61 ++++++++++++++++++++++--------------- + ext/xmlrpc/libxmlrpc/simplestring.h | 2 +- + 2 files changed, 38 insertions(+), 25 deletions(-) + +diff --git a/ext/xmlrpc/libxmlrpc/simplestring.c b/ext/xmlrpc/libxmlrpc/simplestring.c +index a084d0e..6477734 100644 +--- a/ext/xmlrpc/libxmlrpc/simplestring.c ++++ b/ext/xmlrpc/libxmlrpc/simplestring.c +@@ -5,28 +5,28 @@ + Epinions.com may be contacted at feedback@epinions-inc.com + */ + +-/* +- Copyright 2000 Epinions, Inc. ++/* ++ Copyright 2000 Epinions, Inc. + +- Subject to the following 3 conditions, Epinions, Inc. permits you, free +- of charge, to (a) use, copy, distribute, modify, perform and display this +- software and associated documentation files (the "Software"), and (b) +- permit others to whom the Software is furnished to do so as well. ++ Subject to the following 3 conditions, Epinions, Inc. permits you, free ++ of charge, to (a) use, copy, distribute, modify, perform and display this ++ software and associated documentation files (the "Software"), and (b) ++ permit others to whom the Software is furnished to do so as well. + +- 1) The above copyright notice and this permission notice shall be included +- without modification in all copies or substantial portions of the +- Software. ++ 1) The above copyright notice and this permission notice shall be included ++ without modification in all copies or substantial portions of the ++ Software. + +- 2) THE SOFTWARE IS PROVIDED "AS IS", WITHOUT ANY WARRANTY OR CONDITION OF +- ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION ANY +- IMPLIED WARRANTIES OF ACCURACY, MERCHANTABILITY, FITNESS FOR A PARTICULAR +- PURPOSE OR NONINFRINGEMENT. ++ 2) THE SOFTWARE IS PROVIDED "AS IS", WITHOUT ANY WARRANTY OR CONDITION OF ++ ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION ANY ++ IMPLIED WARRANTIES OF ACCURACY, MERCHANTABILITY, FITNESS FOR A PARTICULAR ++ PURPOSE OR NONINFRINGEMENT. + +- 3) IN NO EVENT SHALL EPINIONS, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, +- SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OR LOST PROFITS ARISING OUT +- OF OR IN CONNECTION WITH THE SOFTWARE (HOWEVER ARISING, INCLUDING +- NEGLIGENCE), EVEN IF EPINIONS, INC. IS AWARE OF THE POSSIBILITY OF SUCH +- DAMAGES. ++ 3) IN NO EVENT SHALL EPINIONS, INC. BE LIABLE FOR ANY DIRECT, INDIRECT, ++ SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OR LOST PROFITS ARISING OUT ++ OF OR IN CONNECTION WITH THE SOFTWARE (HOWEVER ARISING, INCLUDING ++ NEGLIGENCE), EVEN IF EPINIONS, INC. IS AWARE OF THE POSSIBILITY OF SUCH ++ DAMAGES. + + */ + +@@ -71,7 +71,7 @@ static const char rcsid[] = "#(@) $Id$"; + * + * Oh, and it is also binary safe, ie it can handle strings with embedded NULLs, + * so long as the real length is passed in. +- * ++ * + * And the masses rejoiced. + * + * BUGS +@@ -136,7 +136,7 @@ static void simplestring_init_str(simplestring* string) { + * NOTES + * This function is very fast as it does not de-allocate any memory. + * SEE ALSO +- * ++ * + * SOURCE + */ + void simplestring_clear(simplestring* string) { +@@ -190,18 +190,31 @@ void simplestring_free(simplestring* string) { + * simplestring_add () + * SOURCE + */ +-void simplestring_addn(simplestring* target, const char* source, int add_len) { ++void simplestring_addn(simplestring* target, const char* source, size_t add_len) { ++ size_t newsize = target->size, incr = 0; + if(target && source) { + if(!target->str) { + simplestring_init_str(target); + } ++ ++ if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) { ++ /* check for overflows, if there's a potential overflow do nothing */ ++ return; ++ } ++ + if(target->len + add_len + 1 > target->size) { + /* newsize is current length + new length */ +- int newsize = target->len + add_len + 1; +- int incr = target->size * 2; ++ newsize = target->len + add_len + 1; ++ incr = target->size * 2; + + /* align to SIMPLESTRING_INCR increments */ +- newsize = newsize - (newsize % incr) + incr; ++ if (incr) { ++ newsize = newsize - (newsize % incr) + incr; ++ } ++ if(newsize < (target->len + add_len + 1)) { ++ /* some kind of overflow happened */ ++ return; ++ } + target->str = (char*)realloc(target->str, newsize); + + target->size = target->str ? newsize : 0; +diff --git a/ext/xmlrpc/libxmlrpc/simplestring.h b/ext/xmlrpc/libxmlrpc/simplestring.h +index c5d98cf..7e88cd0 100644 +--- a/ext/xmlrpc/libxmlrpc/simplestring.h ++++ b/ext/xmlrpc/libxmlrpc/simplestring.h +@@ -63,7 +63,7 @@ void simplestring_init(simplestring* string); + void simplestring_clear(simplestring* string); + void simplestring_free(simplestring* string); + void simplestring_add(simplestring* string, const char* add); +-void simplestring_addn(simplestring* string, const char* add, int add_len); ++void simplestring_addn(simplestring* string, const char* add, size_t add_len); + + #ifdef __cplusplus + } +From 33c1a55b40900c61ce7e162648eb71ce9b25837c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 19 Jul 2016 00:13:25 -0700 +Subject: [PATCH] Apparently some envs miss SIZE_MAX + +--- + ext/xmlrpc/libxmlrpc/simplestring.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ext/xmlrpc/libxmlrpc/simplestring.c b/ext/xmlrpc/libxmlrpc/simplestring.c +index 6477734..c88754f 100644 +--- a/ext/xmlrpc/libxmlrpc/simplestring.c ++++ b/ext/xmlrpc/libxmlrpc/simplestring.c +@@ -172,6 +172,9 @@ void simplestring_free(simplestring* string) { + } + /******/ + ++#ifndef SIZE_MAX ++#define SIZE_MAX ((size_t)-1) ++#endif + /****f* FUNC/simplestring_addn + * NAME + * simplestring_addn |