summaryrefslogtreecommitdiffstats
path: root/php-bug78863.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-12-17 17:27:17 +0100
committerRemi Collet <remi@remirepo.net>2019-12-17 17:27:17 +0100
commit2708c128c5462b69ba61c88f5ff770d492944192 (patch)
tree55610fb188a620d434c570a5cb1159a5543c16ae /php-bug78863.patch
parent032107c8f3bb0d1f0e0941547615b5d1b72b87d8 (diff)
- bcmath
Fix #78878 Buffer underflow in bc_shift_addsub CVE-2019-11046 - core: Fix #78862 link() silently truncates after a null byte on Windows CVE-2019-11044 Fix #78863 DirectoryIterator class silently truncates after a null byte CVE-2019-11045 - exif Fix #78793 Use-after-free in exif parsing under memory sanitizer CVE-2019-11050 Fix #78910 Heap-buffer-overflow READ in exif CVE-2019-11047 - use oracle client library version 19.5 (18.5 on EL-6)
Diffstat (limited to 'php-bug78863.patch')
-rw-r--r--php-bug78863.patch85
1 files changed, 85 insertions, 0 deletions
diff --git a/php-bug78863.patch b/php-bug78863.patch
new file mode 100644
index 0000000..b218dfc
--- /dev/null
+++ b/php-bug78863.patch
@@ -0,0 +1,85 @@
+From f76bef09fce6c438ecee2d2e6f9804d54709174b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 11:03:29 +0100
+Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
+ a null byte
+
+Since the constructor of DirectoryIterator and friends is supposed to
+accepts paths (i.e. strings without NUL bytes), we must not accept
+arbitrary strings.
+
+(cherry picked from commit a5a15965da23c8e97657278fc8dfbf1dfb20c016)
+---
+ NEWS | 2 ++
+ ext/spl/spl_directory.c | 4 ++--
+ ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug78863.phpt
+
+diff --git a/NEWS b/NEWS
+index 02cd502c8c..39a2f43818 100644
+--- a/NEWS
++++ b/NEWS
+@@ -10,6 +10,8 @@ Backported from 7.2.26
+ - Core:
+ . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
+ (CVE-2019-11044). (cmb)
++ . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
++ byte). (CVE-2019-11045). (cmb)
+
+ Backported from 7.1.33
+
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index 300cf01909..abfce1525a 100644
+--- a/ext/spl/spl_directory.c
++++ b/ext/spl/spl_directory.c
+@@ -684,10 +684,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto
+
+ if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
+ flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
+ } else {
+ flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
+- parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
++ parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
+ }
+ if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
+ flags |= SPL_FILE_DIR_SKIPDOTS;
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+new file mode 100644
+index 0000000000..dc88d98dee
+--- /dev/null
++++ b/ext/spl/tests/bug78863.phpt
+@@ -0,0 +1,31 @@
++--TEST--
++Bug #78863 (DirectoryIterator class silently truncates after a null byte)
++--FILE--
++<?php
++$dir = __DIR__ . '/bug78863';
++mkdir($dir);
++touch("$dir/bad");
++mkdir("$dir/sub");
++touch("$dir/sub/good");
++
++$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
++foreach ($it as $fileinfo) {
++ if (!$fileinfo->isDot()) {
++ var_dump($fileinfo->getFilename());
++ }
++}
++?>
++--EXPECTF--
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Stack trace:
++#0 %s(%d): DirectoryIterator->__construct('%s')
++#1 {main}
++ thrown in %s on line %d
++--CLEAN--
++<?php
++$dir = __DIR__ . '/bug78863';
++unlink("$dir/sub/good");
++rmdir("$dir/sub");
++unlink("$dir/bad");
++rmdir($dir);
++?>