From bec6bca2de5aaf1a1b186722901dc75ec1529fea Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Sat, 15 Oct 2016 10:17:16 +0200
Subject: PHP 5.5.38 with 15 security fix from 5.6.27
---
bug73189.patch | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 78 insertions(+)
create mode 100644 bug73189.patch
(limited to 'bug73189.patch')
diff --git a/bug73189.patch b/bug73189.patch
new file mode 100644
index 0000000..7cfc2d8
--- /dev/null
+++ b/bug73189.patch
@@ -0,0 +1,78 @@
+Backported from 5.6.27 by Remi.
+
+
+From da7e89cde880c66887caacd0a3eae7ecdacf9b2a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Wed, 28 Sep 2016 23:30:48 -0700
+Subject: [PATCH] Fix bug #73189 - Memcpy negative size parameter
+ php_resolve_path
+
+---
+ main/fopen_wrappers.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
+index 74a493b..af9c558 100644
+--- a/main/fopen_wrappers.c
++++ b/main/fopen_wrappers.c
+@@ -211,7 +211,7 @@ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path
+ if (path_len > 1 && path_tmp[path_len - 2] == ':') {
+ if (path_len != 3) {
+ return -1;
+- }
++ }
+ /* this is c:\ */
+ path_tmp[path_len] = '\0';
+ } else {
+@@ -401,7 +401,7 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle TSRMLS_DC)
+ spprintf(&filename, 0, "%s%c%s%c%s", pw->pw_dir, PHP_DIR_SEPARATOR, PG(user_dir), PHP_DIR_SEPARATOR, s + 1); /* Safe */
+ } else {
+ filename = SG(request_info).path_translated;
+- }
++ }
+ #if defined(ZTS) && defined(HAVE_GETPWNAM_R) && defined(_SC_GETPW_R_SIZE_MAX)
+ efree(pwbuf);
+ #endif
+@@ -494,8 +494,8 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ return NULL;
+ }
+ 
+- if ((*filename == '.' &&
+- (IS_SLASH(filename[1]) ||
++ if ((*filename == '.' 
&&
++ (IS_SLASH(filename[1]) ||
+ ((filename[1] == '.') && IS_SLASH(filename[2])))) ||
+ IS_ABSOLUTE_PATH(filename, filename_length) ||
+ !path ||
+@@ -522,7 +522,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ }
+ end = strchr(p, DEFAULT_DIR_SEPARATOR);
+ if (end) {
+- if ((end-ptr) + 1 + filename_length + 1 >= MAXPATHLEN) {
++ if (filename_length > (MAXPATHLEN - 2) || (end-ptr) > MAXPATHLEN || (end-ptr) + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
+ ptr = end + 1;
+ continue;
+ }
+@@ -531,9 +531,9 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ memcpy(trypath+(end-ptr)+1, filename, filename_length+1);
+ ptr = end+1;
+ } else {
+- int len = strlen(ptr);
++ size_t len = strlen(ptr);
+ 
+- if (len + 1 + filename_length + 1 >= MAXPATHLEN) {
++ if (filename_length > (MAXPATHLEN - 2) || len > MAXPATHLEN || (size_t)len + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
+ break;
+ }
+ memcpy(trypath, ptr, len);
+@@ -571,6 +571,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ while ((--exec_fname_length >= 0) && !IS_SLASH(exec_fname[exec_fname_length]));
+ if (exec_fname && exec_fname[0] != '[' &&
+ exec_fname_length > 0 &&
++ filename_length < (MAXPATHLEN - 2) &&
+ exec_fname_length + 1 + filename_length + 1 < MAXPATHLEN) {
+ memcpy(trypath, exec_fname, exec_fname_length + 1);
+ memcpy(trypath+exec_fname_length + 1, filename, filename_length+1);
+--
+2.1.4
+
-- cgit
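Review bot: None of the three reworked length guards in php_resolve_path rejects a negative `filename_length`, which is the case the subject line names; they only bound it from above. In the hunks at -522 and -531 the `(size_t)filename_length` cast makes a negative value huge, but the unsigned sum can wrap back below `MAXPATHLEN` for values of -2 or lower, so the `memcpy(..., filename, filename_length+1)` that follows can still receive a negative size; in the hunk at -571 the arithmetic stays in `int` and a negative value satisfies both the added and the existing condition. Unless a check outside these hunks already refuses such input (the function starts and ends outside every hunk shown), add an explicit lower bound: `filename_length < 0 || filename_length > (MAXPATHLEN - 2) || ...` in the two `if`s, and `filename_length >= 0 &&` in the `exec_fname` condition. The `(size_t)len` cast is redundant once `len` is declared `size_t`, and the first three hunks change whitespace only, which is better kept out of a security backport.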