diff options
| author | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
|---|---|---|
| committer | Remi Collet <remi@remirepo.net> | 2019-01-09 14:51:03 +0100 |
| commit | 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch) | |
| tree | 9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a /php-bug77371.patch | |
| parent | 022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff) | |
- core:
Fix #77369 memcpy with negative length via crafted DNS response
- mbstring:
Fix #77370 buffer overflow on mb regex functions - fetch_token
Fix #77371 heap buffer overflow in mb regex functions compile_string_node
Fix #77381 heap buffer overflow in multibyte match_at
Fix #77382 heap buffer overflow in expand_case_fold_string
Fix #77385 buffer overflow in fetch_token
Fix #77394 buffer overflow in multibyte case folding - unicode
Fix #77418 heap overflow in utf32be_mbc_to_code
- phar:
Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext
- xmlrpc:
Fix #77242 heap out of bounds read in xmlrpc_decode
Fix #77380 global out of bounds read in xmlrpc base64 code
Diffstat (limited to 'php-bug77371.patch')
| -rw-r--r-- | php-bug77371.patch | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/php-bug77371.patch b/php-bug77371.patch new file mode 100644 index 0000000..e574827 --- /dev/null +++ b/php-bug77371.patch @@ -0,0 +1,41 @@ +From c6e34d91b88638966662caac62c4d0e90538e317 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 29 Dec 2018 20:06:08 -0800 +Subject: [PATCH] Fix bug #77371 (heap buffer overflow in mb regex functions - + compile_string_node) + +--- + ext/mbstring/oniguruma/regcomp.c | 1 + + ext/mbstring/tests/bug77371.phpt | 10 ++++++++++ + 2 files changed, 11 insertions(+) + create mode 100644 ext/mbstring/tests/bug77371.phpt + +diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c +index b93ca948a773..c72d65d6942f 100644 +--- a/ext/mbstring/oniguruma/regcomp.c ++++ b/ext/mbstring/oniguruma/regcomp.c +@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg) + + for (; p < end; ) { + len = enclen(enc, p); ++ if (p + len > end) len = end - p; + if (len == prev_len) { + slen++; + } +diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt +new file mode 100644 +index 000000000000..f23445bd0917 +--- /dev/null ++++ b/ext/mbstring/tests/bug77371.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) ++--SKIPIF-- ++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> ++--FILE-- ++<?php ++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc","")) ++?> ++--EXPECT-- ++bool(false) +\ No newline at end of file |