summaryrefslogtreecommitdiffstats
path: root/php-bug78878.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-12-17 17:57:09 +0100
committerRemi Collet <remi@remirepo.net>2019-12-17 17:57:09 +0100
commit0d443001c41652e457799d1134de2c2ab6420e08 (patch)
tree82649e9f534e050ea3ab512bcfac91ecaa30524a /php-bug78878.patch
parentd6128b53b1aa6b71cd4cae6113c821fddab7c464 (diff)
- bcmath:
Fix #78878 Buffer underflow in bc_shift_addsub CVE-2019-11046 - core: Fix #78862 link() silently truncates after a null byte on Windows CVE-2019-11044 Fix #78863 DirectoryIterator class silently truncates after a null byte CVE-2019-11045 - exif Fix #78793 Use-after-free in exif parsing under memory sanitizer CVE-2019-11050 Fix #78910 Heap-buffer-overflow READ in exif CVE-2019-11047 - use oracle client library version 19.5 (18.5 on EL-6)
Diffstat (limited to 'php-bug78878.patch')
-rw-r--r--php-bug78878.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/php-bug78878.patch b/php-bug78878.patch
new file mode 100644
index 0000000..1b9f6fe
--- /dev/null
+++ b/php-bug78878.patch
@@ -0,0 +1,68 @@
+From fc9982062527b1a58206d826449273dd2bd850cf Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 10:46:45 +0100
+Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
+
+We must not rely on `isdigit()` to detect digits, since we only support
+decimal ASCII digits in the following processing.
+
+(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
+---
+ NEWS | 6 ++++++
+ ext/bcmath/libbcmath/src/str2num.c | 4 ++--
+ ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug78878.phpt
+
+diff --git a/NEWS b/NEWS
+index 0fd96d0c91..ec0247e1f1 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,5 +1,12 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
++
++Backported from 7.2.26
++
++- Bcmath:
++ . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
++ (cmb)
++
+ 24 Oct 2019, PHP 7.1.33
+
+ - FPM:
+diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
+index f38d341570..03aec15930 100644
+--- a/ext/bcmath/libbcmath/src/str2num.c
++++ b/ext/bcmath/libbcmath/src/str2num.c
+@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
+ zero_int = FALSE;
+ if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
+ while (*ptr == '0') ptr++; /* Skip leading zeros. */
+- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
+ if (*ptr == '.') ptr++; /* decimal point */
+- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
++ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
+ if ((*ptr != '\0') || (digits+strscale == 0))
+ {
+ *num = bc_copy_num (BCG(_zero_));
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+new file mode 100644
+index 0000000000..2c9d72b946
+--- /dev/null
++++ b/ext/bcmath/tests/bug78878.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #78878 (Buffer underflow in bc_shift_addsub)
++--SKIPIF--
++<?php
++if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
++?>
++--FILE--
++<?php
++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
++?>
++--EXPECT--
++bc math warning: non-zero scale in modulus
++0