author | Remi Collet <fedora@famillecollet.com> | 2016-09-19 14:11:20 +0200 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2016-09-19 14:11:20 +0200 |
commit | 661f662d2fe7ae74585367e5757bb04fbdea717b (patch) | |
tree | 6a2d3439a795711014d7d23761d36ea4296611eb | |
parent | a2713f204e1202b6844c114a005c304aafb008c7 (diff) |
PHP 5.5.38 with backports from 5.6.26
-rw-r--r-- | bug72860.patch | 62 | ||||
-rw-r--r-- | bug72910.patch | 61 | ||||
-rw-r--r-- | bug72926.patch | 29 | ||||
-rw-r--r-- | bug72928.patch | 92 | ||||
-rw-r--r-- | bug73007.patch | 25 | ||||
-rw-r--r-- | bug73029.patch | 89 | ||||
-rw-r--r-- | bug73035.patch | 32 | ||||
-rw-r--r-- | bug73052.patch | 65 | ||||
-rw-r--r-- | bug73065.patch | 196 | ||||
-rw-r--r-- | failed.txt | 2 | ||||
-rw-r--r-- | php55.spec | 38 |
11 files changed, 689 insertions, 2 deletions
diff --git a/bug72860.patch b/bug72860.patch new file mode 100644 index 0000000..e26cae0 --- /dev/null +++ b/bug72860.patch @@ -0,0 +1,62 @@ +Backported from 5.6.26 by Remi. + + +From 780daee62b55995a10f8e849159eff0a25bacb9d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 5 Sep 2016 23:42:31 -0700 +Subject: [PATCH] Fix bug #72860: wddx_deserialize use-after-free + +--- + ext/wddx/tests/bug72860.phpt | 27 +++++++++++++++++++++++++++ + ext/wddx/wddx.c | 3 ++- + 2 files changed, 29 insertions(+), 1 deletion(-) + create mode 100644 ext/wddx/tests/bug72860.phpt + +diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt +new file mode 100644 +index 0000000..6385457 +--- /dev/null ++++ b/ext/wddx/tests/bug72860.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++Bug #72860: wddx_deserialize use-after-free ++--SKIPIF-- ++<?php ++if (!extension_loaded('wddx')) { ++ die('skip. wddx not available'); ++} ++?> ++--FILE-- ++<?php ++ ++$xml=<<<XML ++<?xml version='1.0'?> ++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> ++<wddxPacket version='1.0'> ++ <recordset fieldNames='F'> ++ <field name='F'> ++ </recordset> ++</wddxPacket> ++XML; ++ ++var_dump(wddx_deserialize($xml)); ++?> ++DONE ++--EXPECT-- ++NULL ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index d7bd295..b02d2f0 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -232,7 +232,8 @@ static int wddx_stack_destroy(wddx_stack *stack) + + if (stack->elements) { + for (i = 0; i < stack->top; i++) { +- if (((st_entry *)stack->elements[i])->data) { ++ if (((st_entry *)stack->elements[i])->data ++ && ((st_entry *)stack->elements[i])->type != ST_FIELD) { + zval_ptr_dtor(&((st_entry *)stack->elements[i])->data); + } + if (((st_entry *)stack->elements[i])->varname) { diff --git a/bug72910.patch b/bug72910.patch new file mode 100644 index 0000000..2556b69 --- /dev/null +++ b/bug72910.patch 
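Review bot: The new condition in wddx_stack_destroy repeats the `((st_entry *)stack->elements[i])` cast three times and gives no hint why ST_FIELD entries are exempt from zval_ptr_dtor, so the next reader cannot tell deliberate non-ownership from a leak. A local `st_entry *ent = (st_entry *)stack->elements[i];` at the top of the loop body, plus the comment `/* ST_FIELD entries alias a value owned by the enclosing recordset; releasing it here would be a double free */`, would make the ownership rule explicit. The aliasing is visible in the field branch of bug73065.patch, where `ent.data = *field;` copies the recordset's zval pointer with no addref in the visible lines; confirm that nothing else takes a reference on it. wddx_stack_destroy's body continues past the hunk.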
@@ -0,0 +1,61 @@ +Backported from 5.6.26 by Remi. + + +From 486056b2153f7177cd8a7c78d93968726ee8fa65 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Thu, 1 Sep 2016 23:27:06 -0700 +Subject: [PATCH] Fix bug #72910 + +Merge upstream patch from https://github.com/kkos/oniguruma/commit/65bdf2a0d160d06556415e5f396a75f6b11bad5c +--- + ext/mbstring/oniguruma/enc/utf8.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c +index 5e2c172..74122e1 100644 +--- a/ext/mbstring/oniguruma/enc/utf8.c ++++ b/ext/mbstring/oniguruma/enc/utf8.c +@@ -98,7 +98,7 @@ mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) + + len = enclen(ONIG_ENCODING_UTF8, p); + c = *p++; +- if (len > 1) { ++ if (len > 1 && p < end) { + len--; + n = c & ((1 << (6 - len)) - 1); + while (len--) { + +From b570c506815212c7702bfb0046e87d541e171eb7 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 4 Sep 2016 19:13:22 -0700 +Subject: [PATCH] Sync fix for bug #72910 with current upstream + +--- + ext/mbstring/oniguruma/enc/utf8.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c +index 74122e1..9e8478f 100644 +--- a/ext/mbstring/oniguruma/enc/utf8.c ++++ b/ext/mbstring/oniguruma/enc/utf8.c +@@ -91,14 +91,16 @@ is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++mbc_to_code(const UChar* p, const UChar* end) + { + int c, len; + OnigCodePoint n; + +- len = enclen(ONIG_ENCODING_UTF8, p); ++ len = mbc_enc_len(p); ++ if (len > end - p) len = end - p; ++ + c = *p++; +- if (len > 1 && p < end) { ++ if (len > 1) { + len--; + n = c & ((1 << (6 - len)) - 1); + while (len--) { + diff --git a/bug72926.patch b/bug72926.patch new file mode 100644 index 0000000..044ed2b --- /dev/null +++ b/bug72926.patch 
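Review bot: After the second patch clamps `len` to `end - p`, a caller passing `p == end` yields `len == 0` and the following `c = *p++;` still reads one byte past the buffer, so the safety of mbc_to_code now rests on every caller guaranteeing `p < end`, and that contract is stated nowhere in the hunk. The first patch's explicit `p < end` guard was dropped in favour of the clamp, so a comment on the clamp such as `/* truncate the lead byte's claimed length to the bytes actually available; callers must pass p < end */` would preserve the reasoning. The clamp also assigns the `ptrdiff_t` result of `end - p` to `int len`, harmless for buffer sizes here but a -Wconversion warning. The loop that consumes the continuation bytes lies outside the hunk.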
@@ -0,0 +1,29 @@ +Backported from 5.6.26 by Remi. + + +From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 4 Sep 2016 20:49:34 -0700 +Subject: [PATCH] Same issue as #72926 in another place. + +--- + ext/exif/exif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 657a2cc1..8b0e34c 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size); + if (fgot < ImageInfo->Thumbnail.size) { + EXIF_ERRLOG_THUMBEOF(ImageInfo) ++ efree(ImageInfo->Thumbnail.data); ++ ImageInfo->Thumbnail.data = NULL; ++ } else { ++ exif_thumbnail_build(ImageInfo TSRMLS_CC); + } +- exif_thumbnail_build(ImageInfo TSRMLS_CC); + } + } + } diff --git a/bug72928.patch b/bug72928.patch new file mode 100644 index 0000000..82189ae --- /dev/null +++ b/bug72928.patch 
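Review bot: On the short-read path the new code frees `ImageInfo->Thumbnail.data` and nulls the pointer but leaves `ImageInfo->Thumbnail.size` at its previous nonzero value, so any later consumer that tests the size rather than the pointer would see a thumbnail with no buffer. Adding `ImageInfo->Thumbnail.size = 0;` beside the `= NULL` line keeps the pair consistent; whether such a consumer exists is not visible in the hunk, so treat it as defence in depth. The remainder of exif_process_IFD_in_TIFF is outside the hunk.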
@@ -0,0 +1,92 @@ +Backported from 5.6.26 by Remi. +Binary diff dropped. + + +From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 4 Sep 2016 22:07:35 -0700 +Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip + phar in phar_parse_zipfile + +--- + ext/phar/tests/bug72928.phpt | 18 ++++++++++++++++++ + ext/phar/tests/bug72928.zip | Bin 0 -> 140 bytes + ext/phar/util.c | 28 ++++++++++++++++++++++++++++ + ext/phar/zip.c | 2 +- + 4 files changed, 47 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug72928.phpt + create mode 100644 ext/phar/tests/bug72928.zip + +diff --git a/ext/phar/util.c b/ext/phar/util.c +index 4bbd867..828be8f 100644 +--- a/ext/phar/util.c ++++ b/ext/phar/util.c +@@ -1657,6 +1657,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[64]; + PHP_SHA512_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA512Init(&context); + read_len = end_of_phar; + +@@ -1690,6 +1697,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[32]; + PHP_SHA256_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA256Init(&context); + read_len = end_of_phar; + +@@ -1731,6 +1745,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[20]; + PHP_SHA1_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA1Init(&context); + read_len = end_of_phar; + +@@ -1764,6 +1785,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[16]; + PHP_MD5_CTX context; + ++ if (sig_len < 
sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_MD5Init(&context); + read_len = end_of_phar; + +diff --git a/ext/phar/zip.c b/ext/phar/zip.c +index bf895e7..ed156a2 100644 +--- a/ext/phar/zip.c ++++ b/ext/phar/zip.c +@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, + php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET); + sig = (char *) emalloc(entry.uncompressed_filesize); + read = php_stream_read(fp, sig, entry.uncompressed_filesize); +- if (read != entry.uncompressed_filesize) { ++ if (read != entry.uncompressed_filesize || read <= 8) { + php_stream_close(sigfile); + efree(sig); + PHAR_ZIP_FAIL("signature cannot be read"); diff --git a/bug73007.patch b/bug73007.patch new file mode 100644 index 0000000..e707c22 --- /dev/null +++ b/bug73007.patch @@ -0,0 +1,25 @@ +Backported from 5.6.26 by Remi. + + +From 20fa323d53257a776bd7551ce7bdb2261cfe5420 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 5 Sep 2016 18:01:35 -0700 +Subject: [PATCH] Fix bug #73007: add locale length check + +--- + ext/intl/msgformat/msgformat_format.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext/intl/msgformat/msgformat_format.c b/ext/intl/msgformat/msgformat_format.c +index 25c9619..9b6df38 100644 +--- a/ext/intl/msgformat/msgformat_format.c ++++ b/ext/intl/msgformat/msgformat_format.c +@@ -118,6 +118,8 @@ PHP_FUNCTION( msgfmt_format_message ) + RETURN_FALSE; + } + ++ INTL_CHECK_LOCALE_LEN(slocale_len); ++ + msgformat_data_init(&mfo->mf_data TSRMLS_CC); + + if(pattern && pattern_len) { diff --git a/bug73029.patch b/bug73029.patch new file mode 100644 index 0000000..9e52054 --- /dev/null +++ b/bug73029.patch 
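Review bot: The guard added before each digest comparison in phar_verify_signature rejects only `sig_len < sizeof(digest)`, so a signature blob longer than the digest still passes, and if the comparison further down covers only `sizeof(digest)` bytes (not visible here) the trailing bytes are never examined; if these signature formats are fixed-length, `if (sig_len != sizeof(digest))` is the tighter test. The same seven-line block is pasted four times with only the array size differing; a small static helper or a macro taking the digest length would keep the copies from drifting. In the zip.c hunk, `read <= 8` is a bare magic number that needs a comment such as `/* presumably the 4-byte signature-type field plus the 4-byte "GBMB" trailer, leaving no signature bytes -- confirm against the phar format */`; the same literal is added in bug73035.patch's tar.c hunk, where the same comment applies. The rest of phar_verify_signature, including the comparison itself, is outside the hunk.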
@@ -0,0 +1,89 @@ +Backported from 5.6.26 by Remi. + + +From 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 11 Sep 2016 20:24:13 -0700 +Subject: [PATCH] Fix bug #73029 - Missing type check when unserializing + SplArray + +--- + ext/spl/spl_array.c | 10 ++++++---- + ext/spl/tests/bug73029.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 4 deletions(-) + create mode 100644 ext/spl/tests/bug73029.phpt + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index 42a8e7a..700d609 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -306,7 +306,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, + long index; + HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); + +- if (!offset) { ++ if (!offset || !ht) { + return &EG(uninitialized_zval_ptr); + } + +@@ -1796,7 +1796,9 @@ SPL_METHOD(Array, unserialize) + intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK; + zval_ptr_dtor(&intern->array); + ALLOC_INIT_ZVAL(intern->array); +- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) ++ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { ++ zval_ptr_dtor(&intern->array); + goto outexcept; + } + var_push_dtor(&var_hash, &intern->array); +diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt +new file mode 100644 +index 0000000..a379f80 +--- /dev/null ++++ b/ext/spl/tests/bug73029.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #73029: Missing type check when unserializing SplArray ++--FILE-- ++<?php ++try { ++$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}'; ++$m = unserialize($a); ++$x = $m[2]; ++} catch(UnexpectedValueException $e) { ++ print $e->getMessage() . 
"\n"; ++} ++?> ++DONE ++--EXPECTF-- ++Error at offset 10 of 19 bytes ++DONE +From 812f9c8a632f74d475cbc5b82e09190c8d47f740 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 12 Sep 2016 20:12:41 -0700 +Subject: [PATCH] Fix test + +--- + ext/spl/tests/bug70068.phpt | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt +index 92a38df..96b2fa8 100644 +--- a/ext/spl/tests/bug70068.phpt ++++ b/ext/spl/tests/bug70068.phpt +@@ -2,8 +2,13 @@ + Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) + --FILE-- + <?php ++try { + $a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}'); ++} catch(Exception $e) { ++ print $e->getMessage()."\n"; ++} + ?> + OK + --EXPECT-- ++Error at offset 10 of 20 bytes + OK +\ No newline at end of file diff --git a/bug73035.patch b/bug73035.patch new file mode 100644 index 0000000..4cb7a8e --- /dev/null +++ b/bug73035.patch 
@@ -0,0 +1,32 @@ +Backported from 5.6.26 by Remi. +Binary diff dropped. + + +From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 11 Sep 2016 21:37:44 -0700 +Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar + phar in phar_parse_tarfile) + +--- + ext/phar/tar.c | 2 +- + ext/phar/tests/bug73035.phpt | 18 ++++++++++++++++++ + ext/phar/tests/bug73035.tar | Bin 0 -> 10240 bytes + 3 files changed, 19 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug73035.phpt + create mode 100644 ext/phar/tests/bug73035.tar + +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index 62edcb5..898ff85 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -286,7 +286,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, + } + curloc = php_stream_tell(fp); + read = php_stream_read(fp, buf, size); +- if (read != size) { ++ if (read != size || read <= 8) { + if (error) { + spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname); + } + diff --git a/bug73052.patch b/bug73052.patch new file mode 100644 index 0000000..a94e98b --- /dev/null +++ b/bug73052.patch 
@@ -0,0 +1,65 @@ +Backported from 5.6.26 by Remi. + + +From ba8f3ba05f8545a243881547dcd5a1dcfe4d4fb2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 11 Sep 2016 21:19:29 -0700 +Subject: [PATCH] Fix bug #73052 - Memory Corruption in During + Deserialized-object Destruction + +--- + Zend/zend_objects_API.c | 6 +-- + ext/standard/tests/serialize/bug73052.phpt | 18 +++++++++ + ext/standard/var_unserializer.c | 61 +++++++++++++++--------------- + ext/standard/var_unserializer.re | 1 + + 4 files changed, 53 insertions(+), 33 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug73052.phpt + +diff --git a/ext/standard/tests/serialize/bug73052.phpt b/ext/standard/tests/serialize/bug73052.phpt +new file mode 100644 +index 0000000..63b484b +--- /dev/null ++++ b/ext/standard/tests/serialize/bug73052.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #73052: Memory Corruption in During Deserialized-object Destruction ++--FILE-- ++<?php ++ ++class obj { ++ var $ryat; ++ public function __destruct() { ++ $this->ryat = null; ++ } ++} ++ ++$poc = 'O:3:"obj":1:{'; ++var_dump(unserialize($poc)); ++?> ++--EXPECTF-- ++Notice: unserialize(): Error at offset 13 of 13 bytes in %sbug73052.php on line %d ++bool(false) +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index c8e6f8a..5491492 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -440,6 +440,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + /* We've got partially constructed object on our hands here. Wipe it. 
*/ + if(Z_TYPE_PP(rval) == IS_OBJECT) { + zend_hash_clean(Z_OBJPROP_PP(rval)); ++ zend_object_store_ctor_failed(*rval TSRMLS_CC); + } + ZVAL_NULL(*rval); + return 0; +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 11b93c5..ce84bf5 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -446,6 +446,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + /* We've got partially constructed object on our hands here. Wipe it. */ + if(Z_TYPE_PP(rval) == IS_OBJECT) { + zend_hash_clean(Z_OBJPROP_PP(rval)); ++ zend_object_store_ctor_failed(*rval TSRMLS_CC); + } + ZVAL_NULL(*rval); + return 0; diff --git a/bug73065.patch b/bug73065.patch new file mode 100644 index 0000000..1fc4a1e --- /dev/null +++ b/bug73065.patch 
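Review bot: The line added to object_common2, `zend_object_store_ctor_failed(*rval TSRMLS_CC);`, is the whole fix, yet the comment above it still only says the object is wiped; extending it to `/* Wipe the partially constructed object and flag its ctor as failed so the engine does not run __destruct on it (presumed effect of the flag -- confirm) */` records why the call matters. The identical change is made in var_unserializer.c and var_unserializer.re; the .c file is generated from the .re file by re2c, so the two hunks must stay in lock-step. object_common2 continues outside the hunk.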
@@ -0,0 +1,196 @@ +Backported from 5.6.26 by Remi. + + +From 7d011b6f59a3f5a59a9835f9ad40d9b40c266bec Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 12 Sep 2016 00:35:01 -0700 +Subject: [PATCH] Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element + of wddx.c + +--- + ext/wddx/tests/bug73065.phpt | 98 ++++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 19 +++++---- + 2 files changed, 108 insertions(+), 9 deletions(-) + create mode 100644 ext/wddx/tests/bug73065.phpt + +diff --git a/ext/wddx/tests/bug73065.phpt b/ext/wddx/tests/bug73065.phpt +new file mode 100644 +index 0000000..aa301aa +--- /dev/null ++++ b/ext/wddx/tests/bug73065.phpt +@@ -0,0 +1,98 @@ ++--TEST-- ++Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c ++--SKIPIF-- ++<?php ++if (!extension_loaded('wddx')) { ++ die('skip. wddx not available'); ++} ++?> ++--FILE-- ++<?php ++ ++$xml1 = <<<XML ++<?xml version='1.0' ?> ++ <!DOCTYPE et SYSTEM 'w'> ++ <wddxPacket ven='1.0'> ++ <array> ++ <var Name="name"> ++ <boolean value="keliu"></boolean> ++ </var> ++ <var name="1111"> ++ <var name="2222"> ++ <var name="3333"></var> ++ </var> ++ </var> ++ </array> ++ </wddxPacket> ++XML; ++ ++$xml2 = <<<XML ++<?xml version='1.0' ?> ++ <!DOCTYPE et SYSTEM 'w'> ++ <wddxPacket ven='1.0'> ++ <array> ++ <char Name="code"> ++ <boolean value="keliu"></boolean> ++ </char> ++ </array> ++ </wddxPacket> ++XML; ++ ++$xml3 = <<<XML ++<?xml version='1.0' ?> ++ <!DOCTYPE et SYSTEM 'w'> ++ <wddxPacket ven='1.0'> ++ <array> ++ <boolean Name="value"> ++ <boolean value="keliu"></boolean> ++ </boolean> ++ </array> ++ </wddxPacket> ++XML; ++ ++$xml4 = <<<XML ++<?xml version='1.0' ?> ++ <!DOCTYPE et SYSTEM 'w'> ++ <wddxPacket ven='1.0'> ++ <array> ++ <recordset Name="fieldNames"> ++ <boolean value="keliu"></boolean> ++ </recordset> ++ </array> ++ </wddxPacket> ++XML; ++ ++$xml5 = <<<XML ++<?xml version='1.0' ?> ++ <!DOCTYPE et SYSTEM 'w'> ++ <wddxPacket ven='1.0'> ++ <array> ++ 
<field Name="name"> ++ <boolean value="keliu"></boolean> ++ </field> ++ </array> ++ </wddxPacket> ++XML; ++ ++for($i=1;$i<=5;$i++) { ++ $xmlvar = "xml$i"; ++ $array = wddx_deserialize($$xmlvar); ++ var_dump($array); ++} ++?> ++DONE ++--EXPECTF-- ++array(0) { ++} ++array(0) { ++} ++array(0) { ++} ++array(1) { ++ [0]=> ++ array(0) { ++ } ++} ++array(0) { ++} ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index b02d2f0..0e77826 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -774,10 +774,10 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) { + char tmp_buf[2]; + +- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16)); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16)); + php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf)); + break; + } +@@ -795,7 +795,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) { + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; + +@@ -803,7 +803,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + INIT_PZVAL(ent.data); + Z_TYPE_P(ent.data) = IS_BOOL; + wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); +- php_wddx_process_data(user_data, atts[i], strlen(atts[i])); ++ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); + break; + } + } +@@ -836,8 +836,8 @@ static void php_wddx_push_element(void * + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { +- stack->varname = estrdup(atts[i]); ++ if 
(!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { ++ stack->varname = estrdup(atts[i+1]); + break; + } + } +@@ -850,11 +850,12 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + array_init(ent.data); + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) { + zval *tmp; + char *key; + char *p1, *p2, *endp; + ++ i++; + endp = (char *)atts[i] + strlen(atts[i]); + p1 = (char *)atts[i]; + while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) { +@@ -886,13 +887,13 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + ent.data = NULL; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { + st_entry *recordset; + zval **field; + + if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS && + recordset->type == ST_RECORDSET && +- zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) { ++ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) { + ent.data = *field; + } + @@ -1,4 +1,4 @@ -==== PHP 5.5.38-2 (2016-09-10) +==== PHP 5.5.38-3 (2016-09-19) $ grep -r 'Tests failed' /var/lib/mock/*/build.log @@ -141,7 +141,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.5.38 -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD 
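Review bot: The rewritten attribute loops in php_wddx_push_element still step `i` one element at a time through what expat delivers as a NULL-terminated name/value pair array, so an attribute value that happens to equal `name` (exactly the `Name="name"` case in the new test) is compared as though it were an attribute name; the read is now bounds-safe, but `for (i = 0; atts[i]; i += 2)` would make the pairing explicit and remove the ambiguity. The fieldNames branch is also the odd one out: it keeps `i++;` and then uses `atts[i]`, while the other four visible loops use `atts[i+1]`; using `atts[i+1]` there too would keep the five loops uniform. A comment beside the first loop stating that `atts[i+1]` is non-NULL whenever `atts[i]` is, by expat's calling convention, would document the assumption all five branches rely on. php_wddx_push_element begins before and ends after these hunks.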
@@ -222,6 +222,15 @@ Patch116: bug72838.patch Patch117: bug72848.patch Patch118: bug72849.patch Patch119: bug72850.patch +Patch120: bug72910.patch +Patch121: bug72926.patch +Patch122: bug72928.patch +Patch123: bug73007.patch +Patch124: bug72860.patch +Patch125: bug73029.patch +Patch126: bug73052.patch +Patch127: bug73035.patch +Patch128: bug73065.patch # Security fixes (200+) @@ -1007,6 +1016,15 @@ rm -rf ext/json %patch117 -p1 -b .bug72848 %patch118 -p1 -b .bug72849 %patch119 -p1 -b .bug72850 +%patch120 -p1 -b .bug72910 +%patch121 -p1 -b .bug72926 +%patch122 -p1 -b .bug72928 +%patch123 -p1 -b .bug73007 +%patch124 -p1 -b .bug72860 +%patch125 -p1 -b .bug73029 +%patch126 -p1 -b .bug73052 +%patch127 -p1 -b .bug73035 +%patch128 -p1 -b .bug73065 # Fixes for tests %patch300 -p1 -b .datetests @@ -2029,6 +2047,24 @@ EOF %changelog +* Mon Sep 19 2016 Remi Collet <remi@remirepo.net> 5.5.38-3 +- fix #72910: Out of bounds heap read in mbc_to_code() +- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage + in exif_process_IFD_in_TIFF +- fix #72928: Out of bound when verify signature of zip phar + CVE-2016-7414 +- fix #73007: add locale length check + CVE-2016-7416 +- fix #72860: wddx_deserialize use-after-free + CVE-2016-7413 +- fix #73029: Missing type check when unserializing SplArray + CVE-2016-7417 +- fix #73052: Memory Corruption in During Deserialized-object Destruction + CVE-2016-7411 +- fix #73035: Out of bound when verify signature of tar phar +- fix #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c + CVE-2016-7418 + * Mon Sep 5 2016 Remi Collet <remi@remirepo.net> 5.5.38-2 - fix #72716: initialize buffer before read (ftp) - fix #72663: destroy broken object when unserializing |