authorRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
committerRemi Collet <remi@remirepo.net>2018-03-01 09:50:30 +0100
commit03cb94d7835b8548cd35966c0cf3e10e48808f87 (patch)
tree9dd556b7b0c66754ad6ea46395c10c997b1a91f5 /bug75981.patch
parentb9459ddfb28b45ec827d5d0e2e83ec7def175233 (diff)
fix #73549: Use after free when stream is passed to imagepng
fix #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx() CVE-2016-10167 fix #73869: Signed Integer Overflow gd_io.c CVE-2016-10168 fix #74435: Buffer over-read into uninitialized memory CVE-2017-7890 fix #75571: Potential infinite loop in gdImageCreateFromGifCtx CVE-2018-5711 fix #75981: stack-buffer-overflow while parsing HTTP response
Diffstat (limited to 'bug75981.patch')
-rw-r--r--bug75981.patch68
1 files changed, 68 insertions, 0 deletions
diff --git a/bug75981.patch b/bug75981.patch
new file mode 100644
index 0000000..27af03b
--- /dev/null
+++ b/bug75981.patch
@@ -0,0 +1,68 @@
+From 523f230c831d7b33353203fa34aee4e92ac12bba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 20 Feb 2018 15:34:43 -0800
+Subject: [PATCH] Fix bug #75981: prevent reading beyond buffer start
+
+---
+ ext/standard/http_fopen_wrapper.c | 4 ++--
+ ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
+ 2 files changed, 34 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/http/bug75981.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index ed6adc0..78bd935 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -737,9 +737,9 @@ finish:
+ tmp_line, response_code);
+ }
+ }
+- if (tmp_line[tmp_line_len - 1] == '\n') {
++ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
+ --tmp_line_len;
+- if (tmp_line[tmp_line_len - 1] == '\r') {
++ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
+ --tmp_line_len;
+ }
+ }
+diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
+new file mode 100644
+index 0000000..d415de6
+--- /dev/null
++++ b/ext/standard/tests/http/bug75981.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #75981 (stack-buffer-overflow while parsing HTTP response)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
++--FILE--
++<?php
++require 'server.inc';
++
++$options = [
++ 'http' => [
++ 'protocol_version' => '1.1',
++ 'header' => 'Connection: Close'
++ ],
++];
++
++$ctx = stream_context_create($options);
++
++$responses = [
++ "data://text/plain,000000000100\xA\xA"
++];
++$pid = http_server('tcp://127.0.0.1:12342', $responses);
++
++echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
++
++http_server_kill($pid);
++
++?>
++DONE
++--EXPECT--
++DONE
+--
+2.1.4
+
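Review bot: The added bug75981.phpt can only catch a regression on a build that traps out-of-bounds reads, because it calls `@file_get_contents(...)` with warnings suppressed and expects nothing but `DONE`. On an ordinary build a one-byte read before `tmp_line` would presumably go unnoticed, so the test would pass with or without the `tmp_line_len >= 1` guards. I would say so in the FILE section, for example `// Only meaningful under ASan/valgrind: without the length guards the wrapper reads tmp_line[-1]`, and run this test under a memory checker in the package's check step if one is available. In the C hunk the second guard is written `tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1]`; a space after `&&` would match the first guard, though a verbatim upstream patch is best left byte-identical here. The enclosing function in http_fopen_wrapper.c starts and ends outside the inner hunk, so this page does not show whether other `tmp_line_len - 1` indexes remain unguarded.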