From 42bb2c9221ab019a8d42a11644eceaf7b05d39d9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 27 Apr 2016 09:04:26 +0200 Subject: php 5.4 add security patches, backported from 5.5.35 --- bug72061.patch | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 99 insertions(+) create mode 100644 bug72061.patch (limited to 'bug72061.patch') diff --git a/bug72061.patch b/bug72061.patch new file mode 100644 index 0000000..8319a75 --- /dev/null +++ b/bug72061.patch @@ -0,0 +1,99 @@ +Backported for 5.4 from 5.5.35 by Remi Collet + +From fd9689745c44341b1bd6af4756f324be8abba2fb Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 24 Apr 2016 12:49:01 -0700 +Subject: [PATCH] Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos + with negative offset + +--- + ext/intl/grapheme/grapheme_string.c | 12 +++++++----- + ext/intl/tests/bug72061.phpt | 15 +++++++++++++++ + 2 files changed, 22 insertions(+), 5 deletions(-) + create mode 100644 ext/intl/tests/bug72061.phpt + +diff --git a/ext/intl/grapheme/grapheme_string.c b/ext/intl/grapheme/grapheme_string.c +index 8a094e0..3ba9b51 100644 +--- a/ext/intl/grapheme/grapheme_string.c ++++ b/ext/intl/grapheme/grapheme_string.c +@@ -112,7 +112,7 @@ PHP_FUNCTION(grapheme_strpos) + int haystack_len, needle_len; + unsigned char *found; + long loffset = 0; +- int32_t offset = 0; ++ int32_t offset = 0, noffset = 0; + int ret_pos; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", (char **)&haystack, &haystack_len, (char **)&needle, &needle_len, &loffset) == FAILURE) { +@@ -132,6 +132,7 @@ PHP_FUNCTION(grapheme_strpos) + + /* we checked that it will fit: */ + offset = (int32_t) loffset; ++ noffset = offset >= 0 ? offset : haystack_len + offset; + + /* the offset is 'grapheme count offset' so it still might be invalid - we'll check it later */ + +@@ -146,7 +147,7 @@ PHP_FUNCTION(grapheme_strpos) + /* quick check to see if the string might be there + * I realize that 'offset' is 'grapheme count offset' but will work in spite of that + */ +- found = (unsigned char *)php_memnstr((char *)haystack + offset, (char *)needle, needle_len, (char *)haystack + haystack_len); ++ found = (unsigned char *)php_memnstr((char *)haystack + noffset, (char *)needle, needle_len, (char *)haystack + haystack_len); + + /* if it isn't there the we are done */ + if (!found) { +@@ -214,12 +215,13 @@ PHP_FUNCTION(grapheme_stripos) + is_ascii = ( grapheme_ascii_check(haystack, haystack_len) >= 0 ); + + if ( is_ascii ) { ++ int32_t noffset = offset >= 0 ? offset : haystack_len + offset; + needle_dup = (unsigned char *)estrndup((char *)needle, needle_len); + php_strtolower((char *)needle_dup, needle_len); + haystack_dup = (unsigned char *)estrndup((char *)haystack, haystack_len); + php_strtolower((char *)haystack_dup, haystack_len); + +- found = (unsigned char*) php_memnstr((char *)haystack_dup + offset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len); ++ found = (unsigned char*) php_memnstr((char *)haystack_dup + noffset, (char *)needle_dup, needle_len, (char *)haystack_dup + haystack_len); + + efree(haystack_dup); + efree(needle_dup); +@@ -537,7 +539,7 @@ PHP_FUNCTION(grapheme_substr) + efree(ustr); + } + ubrk_close(bi); +- RETURN_EMPTY_STRING(); ++ RETURN_EMPTY_STRING(); + } + + /* find the end point of the string to return */ +@@ -576,7 +578,7 @@ PHP_FUNCTION(grapheme_substr) + sub_str_end_pos = ustr_len; + } + } +- ++ + if(sub_str_start_pos > sub_str_end_pos) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_substr: length is beyond start", 1 TSRMLS_CC ); + +diff --git a/ext/intl/tests/bug72061.phpt b/ext/intl/tests/bug72061.phpt +new file mode 100644 +index 0000000..782c32c +--- /dev/null ++++ b/ext/intl/tests/bug72061.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #72061: Out-of-bounds reads in zif_grapheme_stripos with negative offset ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECT-- ++int(65336) ++int(65336) ++DONE +\ No newline at end of file -- cgit