1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
|
Backported from 5.5 for 5.4 by Remi Collet
From abd159cce48f3e34f08e4751c568e09677d5ec9c Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 9 May 2016 21:55:29 -0700
Subject: [PATCH] Fix bug #72114 - int/size_t confusion in fread
---
ext/standard/file.c | 6 ++++++
ext/standard/tests/file/bug72114.phpt | 12 ++++++++++++
2 files changed, 18 insertions(+)
create mode 100644 ext/standard/tests/file/bug72114.phpt
diff --git a/ext/standard/file.c b/ext/standard/file.c
index 0abc022..e39c84f 100644
--- a/ext/standard/file.c
+++ b/ext/standard/file.c
@@ -1755,6 +1755,12 @@ PHPAPI PHP_FUNCTION(fread)
RETURN_FALSE;
}
+ if (len > INT_MAX) {
+ /* string length is int in 5.x so we can not read more than int */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+ RETURN_FALSE;
+ }
+
Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
diff --git a/ext/standard/tests/file/bug72114.phpt b/ext/standard/tests/file/bug72114.phpt
new file mode 100644
index 0000000..5e591ee
--- /dev/null
+++ b/ext/standard/tests/file/bug72114.phpt
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
+--FILE--
+<?php
+ini_set('memory_limit', "2500M");
+$fp = fopen("/dev/zero", "r");
+fread($fp, 2147483648);
+?>
+Done
+--EXPECTF--
+Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
+Done
From 4dd03651f3c90a754600e9b76e33c9481bd9e720 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@php.net>
Date: Wed, 25 May 2016 16:17:12 +0200
Subject: [PATCH] Skip test which is 64bits only
Diff from test output
001+ Warning: fread(): Length parameter must be greater than 0 in ...
001- Warning: fread(): Length parameter must be no more than 2147483647 in ...
---
ext/standard/tests/file/bug72114.phpt | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ext/standard/tests/file/bug72114.phpt b/ext/standard/tests/file/bug72114.phpt
index 5e591ee..3cd03fd 100644
--- a/ext/standard/tests/file/bug72114.phpt
+++ b/ext/standard/tests/file/bug72114.phpt
@@ -1,5 +1,7 @@
--TEST--
Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platform only"); ?>
--FILE--
<?php
ini_set('memory_limit', "2500M");
|
