From 9263effd14b58fdcb883b9388511ed58e28e07d0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Mon, 4 Mar 2019 14:07:43 +0100 Subject: - exif: Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF Fix #77540 Invalid Read on exif_process_SOFn Fix #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE Fix #77659 Uninitialized read in exif_process_IFD_in_MAKERNOTE - phar: Fix #77396 Null Pointer Dereference in phar_create_or_parse_filename - spl: Fix #77431 openFile() silently truncates after a null byte --- php-bug77396.patch | 47 ++++++++++++++++++++++++ php-bug77431.patch | 42 ++++++++++++++++++++++ php-bug77540.patch | 104 +++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug77563.patch | 42 ++++++++++++++++++++++ php-bug77586.patch | 73 +++++++++++++++++++++++++++++++++++++ php70.spec | 23 +++++++++++- 6 files changed, 330 insertions(+), 1 deletion(-) create mode 100644 php-bug77396.patch create mode 100644 php-bug77431.patch create mode 100644 php-bug77540.patch create mode 100644 php-bug77563.patch create mode 100644 php-bug77586.patch diff --git a/php-bug77396.patch b/php-bug77396.patch new file mode 100644 index 0000000..c54af0d --- /dev/null +++ b/php-bug77396.patch @@ -0,0 +1,47 @@ +From 7f0ab7c20c83a52862ad7c8acf31c3fa739f1274 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 3 Mar 2019 18:22:32 -0800 +Subject: [PATCH] Fix bug #77396 - Null Pointer Dereference in + phar_create_or_parse_filename + +--- + ext/phar/phar.c | 3 +++ + ext/phar/tests/bug77396.phpt | 15 +++++++++++++++ + 2 files changed, 18 insertions(+) + create mode 100644 ext/phar/tests/bug77396.phpt + +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index 0d2173195c32..e117ab0dc068 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -1390,6 +1390,9 @@ int phar_create_or_parse_filename(char *fname, int fname_len, char *alias, int a + /* set up our manifest */ + mydata = ecalloc(1, sizeof(phar_archive_data)); + mydata->fname = expand_filepath(fname, NULL); ++ if (mydata->fname == NULL) { ++ return FAILURE; ++ } + fname_len = strlen(mydata->fname); + #ifdef PHP_WIN32 + phar_unixify_path_separators(mydata->fname, fname_len); +diff --git a/ext/phar/tests/bug77396.phpt b/ext/phar/tests/bug77396.phpt +new file mode 100644 +index 000000000000..f7a2a2f02617 +--- /dev/null ++++ b/ext/phar/tests/bug77396.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #77396 Relative filename exceeding maximum path length causes null pointer dereference. ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s/bug77396.php:%d ++Stack trace: ++#0 %s/bug77396.php(%d): PharData->__construct(%s) ++#1 {main} ++ thrown in %s/bug77396.php on line %d diff --git a/php-bug77431.patch b/php-bug77431.patch new file mode 100644 index 0000000..6d38ac9 --- /dev/null +++ b/php-bug77431.patch @@ -0,0 +1,42 @@ +From 254a5914ad7f9dbdc4f6090229f6b0f4317a695e Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 9 Jan 2019 14:26:18 +0100 +Subject: [PATCH] Fix #77431 SplFileInfo::__construct() accepts NUL bytes + +`SplFileInfo::__construct()` has to expect a path instead of a string, +analogous to `SplFileObject::__construct()`. +--- + ext/spl/spl_directory.c | 2 +- + ext/spl/tests/bug77431.phpt | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + create mode 100644 ext/spl/tests/bug77431.phpt + +diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c +index fc4001ae1f8c..748b1549b54c 100644 +--- a/ext/spl/spl_directory.c ++++ b/ext/spl/spl_directory.c +@@ -1109,7 +1109,7 @@ SPL_METHOD(SplFileInfo, __construct) + char *path; + size_t len; + +- if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "s", &path, &len) == FAILURE) { ++ if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "p", &path, &len) == FAILURE) { + return; + } + +diff --git a/ext/spl/tests/bug77431.phpt b/ext/spl/tests/bug77431.phpt +new file mode 100644 +index 000000000000..eb1ca96b7564 +--- /dev/null ++++ b/ext/spl/tests/bug77431.phpt +@@ -0,0 +1,9 @@ ++--TEST-- ++Bug #77431 (SplFileInfo::__construct() accepts NUL bytes) ++--FILE-- ++ ++--EXPECTF-- ++Fatal error: Uncaught TypeError: SplFileInfo::__construct() expects parameter 1 to be a valid path, string given in %s:%d ++Stack trace:%A +\ No newline at end of file diff --git a/php-bug77540.patch b/php-bug77540.patch new file mode 100644 index 0000000..643891d --- /dev/null +++ b/php-bug77540.patch @@ -0,0 +1,104 @@ +Backported for 7.0 by remi +without binary diff + + + +From 5e824a88d073d282c4f358f186cb87ddc284f83d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Fri, 1 Mar 2019 23:25:45 -0800 +Subject: [PATCH] Fix integer overflows on 32-bits + +--- + ext/exif/exif.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index cbde3effedf9..b4563927a505 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3566,10 +3566,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + tag_table_type tag_table = exif_get_tag_table(section_index); + + if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { +- return FALSE; +- } ++ return FALSE; ++ } + +- if (ImageInfo->FileSize >= dir_offset+2) { ++ if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) { + sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2); +@@ -3577,8 +3577,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */ + php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2); + num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel); +- dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; +- if (ImageInfo->FileSize >= dir_offset+dir_size) { ++ dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; ++ if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) { + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries); + #endif +@@ -3661,9 +3661,9 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + } + } + } +- if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) { ++ if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) { + if (ifd_size > dir_size) { +- if (dir_offset + ifd_size > ImageInfo->FileSize) { ++ if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size); + return FALSE; + } +From 5f0e62a3e5b525163e538aaab0161c2c8c5d057b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 2 Mar 2019 13:38:00 -0800 +Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn + +--- + ext/exif/exif.c | 10 ++++++++-- + ext/exif/tests/bug77540.jpg | Bin 0 -> 91 bytes + ext/exif/tests/bug77540.phpt | 16 ++++++++++++++++ + 3 files changed, 24 insertions(+), 2 deletions(-) + create mode 100644 ext/exif/tests/bug77540.jpg + create mode 100644 ext/exif/tests/bug77540.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index b4563927a505..ea88a8f115e8 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3508,7 +3508,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + return FALSE; + marker = c; + length = php_jpg_get16(data+pos); +- if (pos+length>=ImageInfo->Thumbnail.size) { ++ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { + return FALSE; + } + #ifdef EXIF_DEBUG +@@ -3529,6 +3529,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) + case M_SOF14: + case M_SOF15: + /* handle SOFn block */ ++ if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) { ++ /* exif_process_SOFn needs 8 bytes */ ++ return FALSE; ++ } + exif_process_SOFn(data+pos, marker, &sof_info); + ImageInfo->Thumbnail.height = sof_info.height; + ImageInfo->Thumbnail.width = sof_info.width; +@@ -4176,7 +4180,9 @@ PHP_FUNCTION(exif_thumbnail) + ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); + if (arg_c >= 3) { + if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { +- exif_scan_thumbnail(&ImageInfo); ++ if (!exif_scan_thumbnail(&ImageInfo)) { ++ ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0; ++ } + } + zval_dtor(p_width); + zval_dtor(p_height); + diff --git a/php-bug77563.patch b/php-bug77563.patch new file mode 100644 index 0000000..3070e2a --- /dev/null +++ b/php-bug77563.patch @@ -0,0 +1,42 @@ +Backported for 7.0 by remi +without binary diff + + + +From 8ac6fee8562533a15db90062117210ed28b44fea Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sat, 2 Mar 2019 15:07:40 -0800 +Subject: [PATCH] Fix bug #77563 - Uninitialized read in + exif_process_IFD_in_MAKERNOTE + +Also fix for bug #77659 +--- + ext/exif/exif.c | 3 ++- + ext/exif/tests/bug77563.jpg | Bin 0 -> 63 bytes + ext/exif/tests/bug77563.phpt | 16 ++++++++++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug77563.jpg + create mode 100644 ext/exif/tests/bug77563.phpt + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index ea88a8f115e8..fe89b8547118 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -2740,7 +2740,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + break; + } + +- if (maker_note->offset >= value_len) { ++ if (value_len < 2 || maker_note->offset >= value_len - 1) { + /* Do not go past the value end */ + exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset); + return FALSE; +@@ -2793,6 +2793,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu + break; + default: + case MN_OFFSET_NORMAL: ++ data_len = value_len; + break; + } + + diff --git a/php-bug77586.patch b/php-bug77586.patch new file mode 100644 index 0000000..cfd2eba --- /dev/null +++ b/php-bug77586.patch @@ -0,0 +1,73 @@ +Backported for 7.0 by remi +without binary diff + + + +From e0f5d62bd6690169998474b62f92a8c5ddf0e699 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 3 Mar 2019 22:33:38 -0800 +Subject: [PATCH] Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow + +--- + NEWS | 11 +++++----- + ext/phar/tar.c | 7 ++++++- + ext/phar/tests/bug71488.phpt | 5 +++-- + ext/phar/tests/bug77586.phpt | 21 +++++++++++++++++++ + ...-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC | 1 + + 5 files changed, 37 insertions(+), 8 deletions(-) + create mode 100644 ext/phar/tests/bug77586.phpt + create mode 100644 ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC + +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index 9de3047f7c90..20f688272752 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -762,7 +762,12 @@ static int phar_tar_writeheaders_int(phar_entry_info *entry, void *argument) /* + header.typeflag = entry->tar_type; + + if (entry->link) { +- strncpy(header.linkname, entry->link, strlen(entry->link)); ++ if (strlcpy(header.linkname, entry->link, sizeof(header.linkname)) >= sizeof(header.linkname)) { ++ if (fp->error) { ++ spprintf(fp->error, 4096, "tar-based phar \"%s\" cannot be created, link \"%s\" is too long for format", entry->phar->fname, entry->link); ++ } ++ return ZEND_HASH_APPLY_STOP; ++ } + } + + strncpy(header.magic, "ustar", sizeof("ustar")-1); +diff --git a/ext/phar/tests/bug77586.phpt b/ext/phar/tests/bug77586.phpt +new file mode 100644 +index 000000000000..039cc16994eb +--- /dev/null ++++ b/ext/phar/tests/bug77586.phpt +@@ -0,0 +1,21 @@ ++--TEST-- ++Bug #77586 Symbolic link names in tar-formatted phar must be less than 100 bytes. ++--SKIPIF-- ++ ++--FILE-- ++buildFromDirectory($dir . "/files"); ++?> ++--CLEAN-- ++ ++--EXPECTF-- ++Fatal error: Uncaught PharException: tar-based phar "%s/bug77586.tar" cannot be created, link "%s" is too long for format %s ++Stack trace: ++#0 %s/bug77586.php(%d): PharData->buildFromDirectory('%s') ++#1 {main} ++ thrown in %s/bug77586.php %s on line %d +diff --git a/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC b/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC +new file mode 100644 +index 000000000000..1de565933b05 +--- /dev/null ++++ b/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC +@@ -0,0 +1 @@ ++target +\ No newline at end of file diff --git a/php70.spec b/php70.spec index 9859458..e193dde 100644 --- a/php70.spec +++ b/php70.spec @@ -112,7 +112,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{?dist} +Release: 4%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -178,6 +178,11 @@ Patch204: php-bug77380.patch Patch205: php-bug77381.patch Patch206: php-bug77369.patch Patch207: php-bug77418.patch +Patch208: php-bug77396.patch +Patch209: php-bug77431.patch +Patch210: php-bug77540.patch +Patch211: php-bug77563.patch +Patch212: php-bug77586.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1032,6 +1037,11 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi %patch205 -p1 -b .bug77381 %patch206 -p1 -b .bug77369 %patch207 -p1 -b .bug77418 +%patch208 -p1 -b .bug77396 +%patch209 -p1 -b .bug77431 +%patch210 -p1 -b .bug77540 +%patch211 -p1 -b .bug77563 +%patch212 -p1 -b .bug77586 # Fixes for tests %if 0%{?fedora} >= 21 || 0%{?rhel} >= 5 @@ -2045,6 +2055,17 @@ fi %changelog +* Mon Mar 4 2019 Remi Collet - 7.0.33-4 +- exif: + Fix #77509 Uninitialized read in exif_process_IFD_in_TIFF + Fix #77540 Invalid Read on exif_process_SOFn + Fix #77563 Uninitialized read in exif_process_IFD_in_MAKERNOTE + Fix #77659 Uninitialized read in exif_process_IFD_in_MAKERNOTE +- phar: + Fix #77396 Null Pointer Dereference in phar_create_or_parse_filename +- spl: + Fix #77431 openFile() silently truncates after a null byte + * Wed Jan 9 2019 Remi Collet - 7.0.33-2 - core: Fix #77369 memcpy with negative length via crafted DNS response -- cgit