From 54c47c5cbf037ce982bf1868f79051c8af88bad3 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 12 Mar 2019 11:05:11 +0100 Subject: Fix #77396 Null Pointer Dereference in phar_create_or_parse_filename Fix #77586 - phar_tar_writeheaders_int() buffer overflow - spl: Fix #77431 openFile() silently truncates after a null byte - security fix synced with https://github.com/Microsoft/php-src/ --- php-bug77431.patch | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 66 insertions(+) create mode 100644 php-bug77431.patch (limited to 'php-bug77431.patch') diff --git a/php-bug77431.patch b/php-bug77431.patch new file mode 100644 index 0000000..c0c27b3 --- /dev/null +++ b/php-bug77431.patch @@ -0,0 +1,66 @@ +From 6d9dcae7b2828a2c4d1853eecc2e62743515b36b Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 9 Jan 2019 14:26:18 +0100 +Subject: [PATCH] Fix #77431 SplFileInfo::__construct() accepts NUL bytes + +`SplFileInfo::__construct()` has to expect a path instead of a string, +analogous to `SplFileObject::__construct()`. + +(cherry picked from commit 254a5914ad7f9dbdc4f6090229f6b0f4317a695e) +--- + ext/spl/spl_directory.c | 2 +- + ext/spl/tests/bug77431.phpt | 9 +++++++++ + 2 files changed, 10 insertions(+), 1 deletion(-) + create mode 100644 ext/spl/tests/bug77431.phpt + +diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c +index c08334573e..fbcf892c3d 100644 +--- a/ext/spl/spl_directory.c ++++ b/ext/spl/spl_directory.c +@@ -1135,7 +1135,7 @@ SPL_METHOD(SplFileInfo, __construct) + + zend_replace_error_handling(EH_THROW, spl_ce_RuntimeException, &error_handling TSRMLS_CC); + +- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &path, &len) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &path, &len) == FAILURE) { + zend_restore_error_handling(&error_handling TSRMLS_CC); + return; + } +diff --git a/ext/spl/tests/bug77431.phpt b/ext/spl/tests/bug77431.phpt +new file mode 100644 +index 0000000000..eb1ca96b75 +--- /dev/null ++++ b/ext/spl/tests/bug77431.phpt +@@ -0,0 +1,9 @@ ++--TEST-- ++Bug #77431 (SplFileInfo::__construct() accepts NUL bytes) ++--FILE-- ++ ++--EXPECTF-- ++Fatal error: Uncaught TypeError: SplFileInfo::__construct() expects parameter 1 to be a valid path, string given in %s:%d ++Stack trace:%A +\ No newline at end of file +From dfea88758c8add916be72e666b193a993540cfde Mon Sep 17 00:00:00 2001 +From: Anatol Belski +Date: Wed, 6 Mar 2019 12:19:33 +0100 +Subject: [PATCH] Fix test + +--- + ext/spl/tests/bug77431.phpt | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ext/spl/tests/bug77431.phpt b/ext/spl/tests/bug77431.phpt +index eb1ca96b75..04e4ce2eba 100644 +--- a/ext/spl/tests/bug77431.phpt ++++ b/ext/spl/tests/bug77431.phpt +@@ -5,5 +5,5 @@ Bug #77431 (SplFileInfo::__construct() accepts NUL bytes) + new SplFileInfo("bad\0good"); + ?> + --EXPECTF-- +-Fatal error: Uncaught TypeError: SplFileInfo::__construct() expects parameter 1 to be a valid path, string given in %s:%d +-Stack trace:%A +\ No newline at end of file ++Fatal error: Uncaught exception 'RuntimeException' with message 'SplFileInfo::__construct() expects parameter 1 to be a valid path, string given' in %s:%d ++Stack trace:%A -- cgit