summaryrefslogtreecommitdiffstats
path: root/bug73218.patch
blob: eacf5dbf1dbe654624154253fec393a59f4f8b3f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
Backported from 5.6.27 by Remi.


From d946d102936525bc7dcd01f3827d0a6e0bb971b0 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 4 Oct 2016 22:40:09 -0700
Subject: [PATCH] Bug #73218: add mitigation for ICU int overflow

---
 ext/intl/resourcebundle/resourcebundle_class.c | 42 +++++++++++++++++---------
 1 file changed, 27 insertions(+), 15 deletions(-)

diff --git a/ext/intl/resourcebundle/resourcebundle_class.c b/ext/intl/resourcebundle/resourcebundle_class.c
index dc12124..90aebd4 100644
--- a/ext/intl/resourcebundle/resourcebundle_class.c
+++ b/ext/intl/resourcebundle/resourcebundle_class.c
@@ -77,7 +77,7 @@ static zend_object_value ResourceBundle_object_create( zend_class_entry *ce TSRM
 /* }}} */
 
 /* {{{ ResourceBundle_ctor */
-static void resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS) 
+static void resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS)
 {
 	const char	*bundlename;
 	int			bundlename_len = 0;
@@ -90,7 +90,7 @@ static void resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS)
 
 	intl_error_reset( NULL TSRMLS_CC );
 
-	if( zend_parse_parameters( ZEND_NUM_ARGS() TSRMLS_CC, "s!s!|b", 
+	if( zend_parse_parameters( ZEND_NUM_ARGS() TSRMLS_CC, "s!s!|b",
 		&locale, &locale_len, &bundlename, &bundlename_len, &fallback ) == FAILURE )
 	{
 		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
@@ -100,11 +100,18 @@ static void resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS)
 	}
 
 	INTL_CHECK_LOCALE_LEN_OBJ(locale_len, return_value);
-	
+
 	if (locale == NULL) {
 		locale = intl_locale_get_default(TSRMLS_C);
 	}
 
+	if (bundlename_len >= MAXPATHLEN) {
+		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,	"Bundle name too long", 0 TSRMLS_CC );
+		zval_dtor(return_value);
+		ZVAL_NULL(return_value);
+		RETURN_NULL();
+	}
+
 	if (fallback) {
 		rb->me = ures_open(bundlename, locale, &INTL_DATA_ERROR_CODE(rb));
 	} else {
@@ -151,7 +158,7 @@ PHP_METHOD( ResourceBundle, __construct )
 /* {{{ proto ResourceBundle ResourceBundle::create( string $locale [, string $bundlename [, bool $fallback = true ]] )
 proto ResourceBundle resourcebundle_create( string $locale [, string $bundlename [, bool $fallback = true ]] )
 */
-PHP_FUNCTION( resourcebundle_create ) 
+PHP_FUNCTION( resourcebundle_create )
 {
 	object_init_ex( return_value, ResourceBundle_ce_ptr );
 	resourcebundle_ctor(INTERNAL_FUNCTION_PARAM_PASSTHRU);
@@ -159,7 +166,7 @@ PHP_FUNCTION( resourcebundle_create )
 /* }}} */
 
 /* {{{ resourcebundle_array_fetch */
-static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_value, int fallback TSRMLS_DC) 
+static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_value, int fallback TSRMLS_DC)
 {
 	int32_t     meindex = 0;
 	char *      mekey = NULL;
@@ -167,7 +174,7 @@ static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_
 	char         *pbuf;
 	ResourceBundle_object *rb;
 
-	intl_error_reset( NULL TSRMLS_CC );	
+	intl_error_reset( NULL TSRMLS_CC );
 	RESOURCEBUNDLE_METHOD_FETCH_OBJECT;
 
 	if(Z_TYPE_P(offset) == IS_LONG) {
@@ -178,12 +185,12 @@ static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_
 		mekey = Z_STRVAL_P(offset);
 		rb->child = ures_getByKey(rb->me, mekey, rb->child, &INTL_DATA_ERROR_CODE(rb) );
 	} else {
-		intl_errors_set(INTL_DATA_ERROR_P(rb), U_ILLEGAL_ARGUMENT_ERROR,	
+		intl_errors_set(INTL_DATA_ERROR_P(rb), U_ILLEGAL_ARGUMENT_ERROR,
 			"resourcebundle_get: index should be integer or string", 0 TSRMLS_CC);
 		RETURN_NULL();
 	}
 
-	intl_error_set_code( NULL, INTL_DATA_ERROR_CODE(rb) TSRMLS_CC );	
+	intl_error_set_code( NULL, INTL_DATA_ERROR_CODE(rb) TSRMLS_CC );
 	if (U_FAILURE(INTL_DATA_ERROR_CODE(rb))) {
 		if (is_numeric) {
 			spprintf( &pbuf, 0, "Cannot load resource element %d", meindex );
@@ -213,7 +220,7 @@ static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_
 /* }}} */
 
 /* {{{ resourcebundle_array_get */
-zval *resourcebundle_array_get(zval *object, zval *offset, int type TSRMLS_DC) 
+zval *resourcebundle_array_get(zval *object, zval *offset, int type TSRMLS_DC)
 {
 	zval *retval;
 
@@ -246,7 +253,7 @@ PHP_FUNCTION( resourcebundle_get )
 	zval *      object;
 
 	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Oz|b",	&object, ResourceBundle_ce_ptr, &offset, &fallback ) == FAILURE) {
-		intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR,	
+		intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR,
 			"resourcebundle_get: unable to parse input params", 0 TSRMLS_CC);
 		RETURN_FALSE;
 	}
@@ -256,7 +263,7 @@ PHP_FUNCTION( resourcebundle_get )
 /* }}} */
 
 /* {{{ resourcebundle_array_count */
-int resourcebundle_array_count(zval *object, long *count TSRMLS_DC) 
+int resourcebundle_array_count(zval *object, long *count TSRMLS_DC)
 {
 	ResourceBundle_object *rb;
 	RESOURCEBUNDLE_METHOD_FETCH_OBJECT_NO_CHECK;
@@ -288,7 +295,7 @@ PHP_FUNCTION( resourcebundle_count )
 	RESOURCEBUNDLE_METHOD_INIT_VARS;
 
 	if( zend_parse_method_parameters( ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "O", &object, ResourceBundle_ce_ptr ) == FAILURE ) {
-		intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR,	
+		intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR,
 			"resourcebundle_count: unable to parse input params", 0 TSRMLS_CC);
 		RETURN_FALSE;
 	}
@@ -322,21 +329,26 @@ PHP_FUNCTION( resourcebundle_locales )
 
 	if( zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &bundlename, &bundlename_len ) == FAILURE )
 	{
-		intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR,	
+		intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR,
 			"resourcebundle_locales: unable to parse input params", 0 TSRMLS_CC);
 		RETURN_FALSE;
 	}
 
+	if (bundlename_len >= MAXPATHLEN) {
+		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,	"resourcebundle_locales: bundle name too long", 0 TSRMLS_CC );
+		RETURN_FALSE;
+	}
+
 	if(bundlename_len == 0) {
 		// fetch default locales list
 		bundlename = NULL;
 	}
 
 	icuenum = ures_openAvailableLocales( bundlename, &icuerror );
-	INTL_CHECK_STATUS(icuerror, "Cannot fetch locales list");		
+	INTL_CHECK_STATUS(icuerror, "Cannot fetch locales list");
 
 	uenum_reset( icuenum, &icuerror );
-	INTL_CHECK_STATUS(icuerror, "Cannot iterate locales list");		
+	INTL_CHECK_STATUS(icuerror, "Cannot iterate locales list");
 
 	array_init( return_value );
 	while ((entry = uenum_next( icuenum, &entry_len, &icuerror ))) {
-- 
2.1.4

From d3eb58332af433982f1e2ae9095fb087974a95f2 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 4 Oct 2016 21:28:40 -0700
Subject: [PATCH] Add more locale length checks, due to ICU bugs.

---
 ext/intl/locale/locale_methods.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 443856f..862b9f5 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -395,6 +395,8 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
 	if(loc_name_len == 0) {
 		loc_name = intl_locale_get_default(TSRMLS_C);
 	}
+	
+	INTL_CHECK_LOCALE_LEN(strlen(loc_name));
 
 	/* Call ICU get */
 	tag_value = get_icu_value_internal( loc_name , tag_name , &result ,0);
@@ -1159,6 +1161,7 @@ PHP_FUNCTION(locale_get_all_variants)
 		loc_name = intl_locale_get_default(TSRMLS_C);
 	}
 
+	INTL_CHECK_LOCALE_LEN(strlen(loc_name));
 
 	array_init( return_value );
 
@@ -1267,6 +1270,9 @@ PHP_FUNCTION(locale_filter_matches)
 		RETURN_TRUE;
 	}
 
+	INTL_CHECK_LOCALE_LEN(strlen(loc_range));
+	INTL_CHECK_LOCALE_LEN(strlen(lang_tag));
+
 	if( boolCanonical ){
 		/* canonicalize loc_range */
 		can_loc_range=get_icu_value_internal( loc_range , LOC_CANONICALIZE_TAG , &result , 0);
@@ -1549,6 +1555,8 @@ PHP_FUNCTION(locale_lookup)
 		loc_range = intl_locale_get_default(TSRMLS_C);
 	}
 
+	INTL_CHECK_LOCALE_LEN(strlen(loc_range));
+
 	hash_arr = HASH_OF(arr);
 
 	if( !hash_arr || zend_hash_num_elements( hash_arr ) == 0 ) {
-- 
2.1.4

From 082d1f237531ab71c3050dfb9f598344f654d9e1 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 11 Oct 2016 16:16:20 -0700
Subject: [PATCH] Fix tests

---
 ext/intl/tests/bug72241.phpt                            | 4 +---
 ext/spl/spl_iterators.c                                 | 4 ----
 ext/spl/tests/spl_cachingiterator___toString_basic.phpt | 2 +-
 ext/standard/tests/serialize/bug69793.phpt              | 2 --
 4 files changed, 2 insertions(+), 10 deletions(-)

diff --git a/ext/intl/tests/bug72241.phpt b/ext/intl/tests/bug72241.phpt
index 397e1e7..7ac5a5b 100644
--- a/ext/intl/tests/bug72241.phpt
+++ b/ext/intl/tests/bug72241.phpt
@@ -9,6 +9,4 @@ $out = locale_get_primary_language($var1);
 echo strlen($out) . PHP_EOL;
 echo unpack('H*', $out)[1] . PHP_EOL;
 --EXPECT--
-1000
-61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161
-
+0
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index c6d03e0..154aba0 100644
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -2784,10 +2784,6 @@ SPL_METHOD(CachingIterator, __toString)
 
 	SPL_FETCH_AND_CHECK_DUAL_IT(intern, getThis());
 
-	if (!spl_caching_it_valid(intern TSRMLS_CC)) {
-		RETURN_EMPTY_STRING();
-	}
-
 	if (!(intern->u.caching.flags & (CIT_CALL_TOSTRING|CIT_TOSTRING_USE_KEY|CIT_TOSTRING_USE_CURRENT|CIT_TOSTRING_USE_INNER)))	{
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "%s does not fetch string value (see CachingIterator::__construct)", Z_OBJCE_P(getThis())->name);
 		return;
diff --git a/ext/spl/tests/spl_cachingiterator___toString_basic.phpt b/ext/spl/tests/spl_cachingiterator___toString_basic.phpt
index 0395b37..57ca515 100644
--- a/ext/spl/tests/spl_cachingiterator___toString_basic.phpt
+++ b/ext/spl/tests/spl_cachingiterator___toString_basic.phpt
@@ -13,4 +13,4 @@ $ci->__toString() // if conversion to string is done by echo, for example, an ex
 );
 ?>
 --EXPECTF--
-NULL
+string(0) ""
-- 
2.1.4