php5.4: add debian u5 patchset

3.15-stable
parent f09dbdb198
commit 4bccf1138d
  1. 40
      testing/php5.4/APKBUILD
  2. 16
      testing/php5.4/d05-u001-CVE-2016-5114.patch
  3. 272
      testing/php5.4/d05-u002-CVE-2016-5768.patch
  4. 375
      testing/php5.4/d05-u003-CVE-2016-5769.patch
  5. 77
      testing/php5.4/d05-u004-CVE-2016-5771.patch
  6. 65
      testing/php5.4/d05-u005-CVE-2016-5773.patch
  7. 42
      testing/php5.4/d05-u006-CVE-2016-6297.patch
  8. 132
      testing/php5.4/d05-u007-CVE-2016-6296.patch
  9. 404
      testing/php5.4/d05-u008-CVE-2016-6295.patch
  10. 76
      testing/php5.4/d05-u009-CVE-2016-6294.patch
  11. 72
      testing/php5.4/d05-u010-CVE-2016-6292.patch
  12. 64
      testing/php5.4/d05-u011-CVE-2016-6291.patch
  13. 48
      testing/php5.4/d05-u012-CVE-2016-6289.patch
  14. 72
      testing/php5.4/d05-u013-CVE-2016-6290.patch
  15. 55
      testing/php5.4/d05-u014-CVE-2016-5772.patch
  16. 820
      testing/php5.4/d05-u015-CVE-2016-5770.patch
  17. 47
      testing/php5.4/d05-u016-CVE-2016-5399.patch
  18. 36
      testing/php5.4/d05-u017-CVE-2016-4473.patch
  19. 94
      testing/php5.4/d05-u018-BUG-70436.patch
  20. 126
      testing/php5.4/d05-u019-BUG-72681.patch

@ -26,7 +26,7 @@
pkgname=php5.4
_pkgreal=php
pkgver=5.4.45
pkgrel=5
pkgrel=6
_apiver=20100412
_suffix=${pkgname#php}
_suffixA=5
@ -161,6 +161,25 @@ source="https://www.php.net/distributions/$_pkgreal-$pkgver.tar.bz2
d04-u007-CVE-TEMP-bug-70661.patch
d04-u008-CVE-TEMP-bug-70728.patch
d04-u009-CVE-TEMP-bug-70741.patch
d05-u001-CVE-2016-5114.patch
d05-u002-CVE-2016-5768.patch
d05-u003-CVE-2016-5769.patch
d05-u004-CVE-2016-5771.patch
d05-u005-CVE-2016-5773.patch
d05-u006-CVE-2016-6297.patch
d05-u007-CVE-2016-6296.patch
d05-u008-CVE-2016-6295.patch
d05-u009-CVE-2016-6294.patch
d05-u010-CVE-2016-6292.patch
d05-u011-CVE-2016-6291.patch
d05-u012-CVE-2016-6289.patch
d05-u013-CVE-2016-6290.patch
d05-u014-CVE-2016-5772.patch
d05-u015-CVE-2016-5770.patch
d05-u016-CVE-2016-5399.patch
d05-u017-CVE-2016-4473.patch
d05-u018-BUG-70436.patch
d05-u019-BUG-72681.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
@ -758,4 +777,23 @@ da1510a4a28db341b10223666182c9c72b9e973f26bbfcbab8ea62fb7bc18d82da7dc6b6f8023633
1c2e798f09389eefb00b8ed0f2b16137dec69c061427d228805db1c40bcbba078569f9e3a0bee14b2ceb54a83b63589bc38b4d9fd52fb0ff6feed5253b4256a0 d04-u007-CVE-TEMP-bug-70661.patch
d53cd361c23644980bbb8de728f75839224eee21f72160031874c03083babbc1d0edcba89d6805f4898b2c3b9d9c53563b10c72442fceb24f4b195d43aa6b6f9 d04-u008-CVE-TEMP-bug-70728.patch
a9ed0d3f6d982e17908660aff873706ca6c0809b3832a24fef2a033410c9d2b2e05ef723a24346c1fc7abe05fe79680b8ca65404127b3fdec7ced28fb8e54e95 d04-u009-CVE-TEMP-bug-70741.patch
9150b1fdc1f8a3f09ccb3ce48334600152cadaac9281940c71442b30938d12639d56d3169688000a0449e640e503b2e59ac33a8dd4e74fc1d3b73f50441e6a4c d05-u001-CVE-2016-5114.patch
b70b848b5c9c9f5ffbadca619023b3f495afd302d66368f0e04ee00e584111111ee82426e5c9cf4b68805afd44305c3e998286b43b9c7d39d562057351061048 d05-u002-CVE-2016-5768.patch
6abe4c111e3744c3317600c0146af8a4df9af29f4aa5186e159790f42763ff0b4a6360cd9c319ff04383d3700ec3b0eb29bc9503847934ff013df3f07803640c d05-u003-CVE-2016-5769.patch
fd452c5716fd7c07c821610652a8c4d0667fac4ee425ac87dbce38e5c6809f2377acff179e0e379ea197ff530391c04d1c223192b9b7933a787efba996808828 d05-u004-CVE-2016-5771.patch
0a6cbcaece5857f419c3ab0c280c03f7271784fc6ef4a2ad72b0f67aad4a6095fdb3354460e79af69a86f45f6e70e9610167136d8e145a5a1da8914f12231b15 d05-u005-CVE-2016-5773.patch
65db1ff36331f4622936906dc10a991be545dcb630c49c064a206bf6d28e542e99df78daefab342f96b247c3cdf13bedafb28129b407f256d5a890ec9198edbf d05-u006-CVE-2016-6297.patch
1f9ca631710a1b5f108ea77212028fc64e40f0f427bb67aad4b3b6a48e31184cdcddc26c4fcf2de595ad607a026ca2e7f7afb71ee78caace514c28c6d9d77c00 d05-u007-CVE-2016-6296.patch
2786cd79c0574efc3d32d4d3ba88cf39ffc1fb0d0c3e7ffb3ca447cbe076650acc9896e4e92bdf0d33deac700073199edae753b9aaa95648309d33cd5763f731 d05-u008-CVE-2016-6295.patch
8cc87067a2a34ccb699ee80d2ca2aa5cd6fa0f6625f70c3c8064a47741b8aa90d4fddf493c4156fa9ccbf282a0b9afe34f1a83fa58e95b91287f3a1d84caaee7 d05-u009-CVE-2016-6294.patch
1820fbc734494a91049cee7a16eb374ea3242bc361c693fa6da298415229998c51ce352e7ab4b4a0b1a3eb99852b8e5f1b480fc1683224df58955d2d3a6b2c37 d05-u010-CVE-2016-6292.patch
f55346a54de4d3de6ce690f92264b38bb11f9f0d9d27c216dc86daad86fee68a0511acccb88bad8f38a1c1b4fbaa92e2359a11be3d88d38e4e39fac593cad134 d05-u011-CVE-2016-6291.patch
1fc249b79408d4c5768fa060915799442321a72dbaa488d01e242852ba73e40a7ddb7bdd0fc365b08af5da21983272c02506863497ac77f369e69e9897109dce d05-u012-CVE-2016-6289.patch
a8ff19ba72a516889040f5af2a206153272a68ce45361c054c2a74ae2d8dbc6957e4429c2d8b134aac76696a6882e69bf68e040a968af76b02e4e21f44fdbcf9 d05-u013-CVE-2016-6290.patch
427784ec548e8f742b096b1742f6a9521dab9878a48d5307d5bd760f7de6ece42aced2a1b0be857cd3404ec5ea3b32f6dec43c8e95685e5c12b1213856ccf69e d05-u014-CVE-2016-5772.patch
5510c5437d33065e7fd9b392028d6f51a5e66646ed972627d1cd322162e81946f9cb1bd6e86ed61d83d20cb2cd737855bf2f9ea75d0b021e825634690ed652a8 d05-u015-CVE-2016-5770.patch
bf493c0d321c3b4123ee9f73cf61f1491b107e1aaa89444615cd11ddea5e3f350a236e2029a8e09ba07ec5b421240b8ba4b6a7637848b99b8f5369baf4ca4886 d05-u016-CVE-2016-5399.patch
843fc857dfb7240ea2d2fe20536425e4c94f2d96da0bff9d392f3263175d6336951d70a77c38d0c0abaf78542f71aec6f94678280d13cd683a672c3ee608bee2 d05-u017-CVE-2016-4473.patch
a2691eb5fdf1b9eb40572189688af0a0990e3e79145b38c348b02ffe707b148c21a132526a576b5d9c2b3790ad4b88ae9c8ebbde3e83c10f028cf3fc412ab501 d05-u018-BUG-70436.patch
6bf961f65b347a96d44365771725567055798050de00383c2ce82844589bb04ae9d39ab322dc2e6cb1f7070fce3550d77b9d449ee0eb817dcf00cc2cde9fbcdc d05-u019-BUG-72681.patch
"

@ -0,0 +1,16 @@
Index: php5-5.4.45/sapi/fpm/fpm/fpm_log.c
===================================================================
--- php5-5.4.45.orig/sapi/fpm/fpm/fpm_log.c 2016-08-19 14:18:55.000000000 +0200
+++ php5-5.4.45/sapi/fpm/fpm/fpm_log.c 2016-08-19 14:18:55.000000000 +0200
@@ -451,6 +451,11 @@
len = FPM_LOG_BUFFER;
break;
}
+ if (len >= FPM_LOG_BUFFER) {
+ zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
+ len = FPM_LOG_BUFFER;
+ break;
+ }
continue;
}

@ -0,0 +1,272 @@
Index: php5-5.4.45/ext/mbstring/php_mbregex.c
===================================================================
--- php5-5.4.45.orig/ext/mbstring/php_mbregex.c 2016-08-19 14:25:15.000000000 +0200
+++ php5-5.4.45/ext/mbstring/php_mbregex.c 2016-08-19 14:25:15.000000000 +0200
@@ -32,7 +32,7 @@
#include "ext/standard/info.h"
#include "php_mbregex.h"
#include "mbstring.h"
-
+
#include "php_onig_compat.h" /* must come prior to the oniguruma header */
#include <oniguruma.h>
#undef UChar
@@ -55,7 +55,7 @@
#define MBREX(g) (MBSTRG(mb_regex_globals)->g)
/* {{{ static void php_mb_regex_free_cache() */
-static void php_mb_regex_free_cache(php_mb_regex_t **pre)
+static void php_mb_regex_free_cache(php_mb_regex_t **pre)
{
onig_free(*pre);
}
@@ -78,7 +78,7 @@
/* }}} */
/* {{{ _php_mb_regex_globals_dtor */
-static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC)
+static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC)
{
zend_hash_destroy(&pglobals->ht_rc);
}
@@ -466,7 +466,7 @@
retval = *rc;
}
out:
- return retval;
+ return retval;
}
/* }}} */
@@ -483,7 +483,7 @@
--len_left;
*(p++) = 'i';
}
- ++len_req;
+ ++len_req;
}
if ((option & ONIG_OPTION_EXTEND) != 0) {
@@ -491,7 +491,7 @@
--len_left;
*(p++) = 'x';
}
- ++len_req;
+ ++len_req;
}
if ((option & (ONIG_OPTION_MULTILINE | ONIG_OPTION_SINGLELINE)) ==
@@ -500,14 +500,14 @@
--len_left;
*(p++) = 'p';
}
- ++len_req;
+ ++len_req;
} else {
if ((option & ONIG_OPTION_MULTILINE) != 0) {
if (len_left > 0) {
--len_left;
*(p++) = 'm';
}
- ++len_req;
+ ++len_req;
}
if ((option & ONIG_OPTION_SINGLELINE) != 0) {
@@ -515,22 +515,22 @@
--len_left;
*(p++) = 's';
}
- ++len_req;
+ ++len_req;
}
- }
+ }
if ((option & ONIG_OPTION_FIND_LONGEST) != 0) {
if (len_left > 0) {
--len_left;
*(p++) = 'l';
}
- ++len_req;
+ ++len_req;
}
if ((option & ONIG_OPTION_FIND_NOT_EMPTY) != 0) {
if (len_left > 0) {
--len_left;
*(p++) = 'n';
}
- ++len_req;
+ ++len_req;
}
c = 0;
@@ -566,7 +566,7 @@
--len_left;
*(p++) = '\0';
}
- ++len_req;
+ ++len_req;
if (len < len_req) {
return len_req;
}
@@ -577,11 +577,11 @@
/* {{{ _php_mb_regex_init_options */
static void
-_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval)
+_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval)
{
int n;
char c;
- int optm = 0;
+ int optm = 0;
*syntax = ONIG_SYNTAX_RUBY;
@@ -636,13 +636,13 @@
*syntax = ONIG_SYNTAX_POSIX_EXTENDED;
break;
case 'e':
- if (eval != NULL) *eval = 1;
+ if (eval != NULL) *eval = 1;
break;
default:
break;
}
}
- if (option != NULL) *option|=optm;
+ if (option != NULL) *option|=optm;
}
}
/* }}} */
@@ -860,11 +860,11 @@
} else {
/* FIXME: this code is not multibyte aware! */
convert_to_long_ex(arg_pattern_zval);
- pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
+ pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
pat_buf[1] = '\0';
arg_pattern = pat_buf;
- arg_pattern_len = 1;
+ arg_pattern_len = 1;
}
/* create regex pattern buffer */
re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, options, MBREX(current_mbctype), syntax TSRMLS_CC);
@@ -934,7 +934,7 @@
}
}
}
-
+
if (eval) {
zval v;
/* null terminate buffer */
@@ -953,32 +953,31 @@
eval_buf.len = 0;
zval_dtor(&v);
} else if (is_callable) {
- zval *retval_ptr;
+ zval *retval_ptr = NULL;
zval **args[1];
zval *subpats;
int i;
-
+
MAKE_STD_ZVAL(subpats);
array_init(subpats);
-
+
for (i = 0; i < regs->num_regs; i++) {
add_next_index_stringl(subpats, string + regs->beg[i], regs->end[i] - regs->beg[i], 1);
- }
-
+ }
+
args[0] = &subpats;
/* null terminate buffer */
smart_str_0(&eval_buf);
-
+
arg_replace_fci.param_count = 1;
arg_replace_fci.params = args;
arg_replace_fci.retval_ptr_ptr = &retval_ptr;
- if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) {
+ if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) {
convert_to_string_ex(&retval_ptr);
smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr));
eval_buf.len = 0;
zval_ptr_dtor(&retval_ptr);
} else {
- efree(description);
if (!EG(exception)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function");
}
@@ -991,7 +990,7 @@
pos = (OnigUChar *)string + n;
} else {
if (pos < string_lim) {
- smart_str_appendl(&out_buf, pos, 1);
+ smart_str_appendl(&out_buf, pos, 1);
}
pos++;
}
@@ -1013,7 +1012,7 @@
smart_str_free(&eval_buf);
if (err <= -2) {
- smart_str_free(&out_buf);
+ smart_str_free(&out_buf);
RETVAL_FALSE;
} else {
smart_str_appendc(&out_buf, '\0');
@@ -1063,7 +1062,7 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
RETURN_FALSE;
- }
+ }
if (count > 0) {
count--;
@@ -1317,7 +1316,7 @@
if (zend_parse_parameters(argc TSRMLS_CC, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
return;
}
-
+
if (argc > 1 && arg_pattern_len == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty pattern");
RETURN_FALSE;
@@ -1416,7 +1415,7 @@
/* }}} */
/* {{{ php_mb_regex_set_options */
-static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC)
+static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC)
{
if (prev_options != NULL) {
*prev_options = MBREX(regex_default_options);
Index: php5-5.4.45/ext/mbstring/tests/bug72402.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/mbstring/tests/bug72402.phpt 2016-08-19 14:25:15.000000000 +0200
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72402: _php_mb_regex_ereg_replace_exec - double free
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+function throwit() {
+ throw new Exception('it');
+}
+$var10 = "throwit";
+try {
+ $var14 = mb_ereg_replace_callback("", $var10, "");
+} catch(Exception $e) {}
+?>
+DONE
+--EXPECT--
+DONE
\ No newline at end of file
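Review bot: The fix for the double free is three lines — `zval *retval_ptr = NULL;`, the added `&& retval_ptr` in the `zend_call_function` condition, and the dropped `efree(description);` — but they sit inside a 272-line patch whose other `-`/`+` pairs (from `#include "mbstring.h"` onward) differ only in indentation or trailing whitespace, which makes a security backport hard to audit and prone to rejects against a tree with different indentation. Regenerating the patch with `diff -u -w` or `git diff -w` against the matching tree would leave only the functional hunk at `@@ -953,32 +953,31 @@` plus the new test. d05-u003 and d05-u008 show the same whitespace churn. The callback branch belongs to a function — presumably `_php_mb_regex_ereg_replace_exec`, named in the test title — that starts and ends outside the hunk.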

@ -0,0 +1,375 @@
Index: php5-5.4.45/ext/mcrypt/mcrypt.c
===================================================================
--- php5-5.4.45.orig/ext/mcrypt/mcrypt.c 2016-08-19 14:26:30.000000000 +0200
+++ php5-5.4.45/ext/mcrypt/mcrypt.c 2016-08-19 14:26:30.000000000 +0200
@@ -44,7 +44,7 @@
static int le_mcrypt;
-typedef struct _php_mcrypt {
+typedef struct _php_mcrypt {
MCRYPT td;
zend_bool init;
} php_mcrypt;
@@ -292,7 +292,7 @@
zend_module_entry mcrypt_module_entry = {
STANDARD_MODULE_HEADER,
- "mcrypt",
+ "mcrypt",
mcrypt_functions,
PHP_MINIT(mcrypt), PHP_MSHUTDOWN(mcrypt),
NULL, NULL,
@@ -376,7 +376,7 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r", &mcryptind) == FAILURE) { \
return; \
} \
- ZEND_FETCH_RESOURCE (pm, php_mcrypt *, &mcryptind, -1, "MCrypt", le_mcrypt);
+ ZEND_FETCH_RESOURCE (pm, php_mcrypt *, &mcryptind, -1, "MCrypt", le_mcrypt);
#define MCRYPT_GET_MODE_DIR_ARGS(DIRECTORY) \
char *dir = NULL; \
@@ -407,7 +407,7 @@
static void php_mcrypt_module_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC) /* {{{ */
{
php_mcrypt *pm = (php_mcrypt *) rsrc->ptr;
- if (pm) {
+ if (pm) {
mcrypt_generic_deinit(pm->td);
mcrypt_module_close(pm->td);
efree(pm);
@@ -531,7 +531,7 @@
smart_str_free(&tmp1);
smart_str_free(&tmp2);
php_info_print_table_end();
-
+
DISPLAY_INI_ENTRIES();
}
/* }}} */
@@ -552,17 +552,17 @@
int mode_len, mode_dir_len;
MCRYPT td;
php_mcrypt *pm;
-
+
if (zend_parse_parameters (ZEND_NUM_ARGS() TSRMLS_CC, "ssss",
&cipher, &cipher_len, &cipher_dir, &cipher_dir_len,
&mode, &mode_len, &mode_dir, &mode_dir_len)) {
return;
}
-
+
td = mcrypt_module_open (
cipher,
cipher_dir_len > 0 ? cipher_dir : MCG(algorithms_dir),
- mode,
+ mode,
mode_dir_len > 0 ? mode_dir : MCG(modes_dir)
);
@@ -589,7 +589,7 @@
int max_key_size, key_size, iv_size;
php_mcrypt *pm;
int result = 0;
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rss", &mcryptind, &key, &key_len, &iv, &iv_len) == FAILURE) {
return;
}
@@ -668,7 +668,7 @@
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &mcryptind, &data, &data_len) == FAILURE) {
return;
}
-
+
ZEND_FETCH_RESOURCE(pm, php_mcrypt *, &mcryptind, -1, "MCrypt", le_mcrypt);
PHP_MCRYPT_INIT_CHECK
@@ -681,6 +681,10 @@
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((data_len - 1) / block_size) + 1) * block_size;
+ if (data_size <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
@@ -690,7 +694,7 @@
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
}
-
+
mcrypt_generic(pm->td, data_s, data_size);
data_s[data_size] = '\0';
@@ -709,11 +713,11 @@
php_mcrypt *pm;
char* data_s;
int block_size, data_size;
-
+
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &mcryptind, &data, &data_len) == FAILURE) {
return;
}
-
+
ZEND_FETCH_RESOURCE(pm, php_mcrypt * , &mcryptind, -1, "MCrypt", le_mcrypt);
PHP_MCRYPT_INIT_CHECK
@@ -726,6 +730,10 @@
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((data_len - 1) / block_size) + 1) * block_size;
+ if (data_size <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
@@ -735,7 +743,7 @@
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
}
-
+
mdecrypt_generic(pm->td, data_s, data_size);
RETVAL_STRINGL(data_s, data_size, 1);
@@ -749,7 +757,7 @@
{
int i, count = 0;
int *key_sizes;
-
+
MCRYPT_GET_TD_ARG
array_init(return_value);
@@ -818,7 +826,7 @@
MCRYPT_GET_TD_ARG
if (mcrypt_enc_is_block_algorithm(pm->td) == 1) {
- RETURN_TRUE
+ RETURN_TRUE
} else {
RETURN_FALSE
}
@@ -897,7 +905,7 @@
PHP_FUNCTION(mcrypt_module_self_test)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir);
-
+
if (mcrypt_module_self_test(module, dir) == 0) {
RETURN_TRUE;
} else {
@@ -911,7 +919,7 @@
PHP_FUNCTION(mcrypt_module_is_block_algorithm_mode)
{
MCRYPT_GET_MODE_DIR_ARGS(modes_dir)
-
+
if (mcrypt_module_is_block_algorithm_mode(module, dir) == 1) {
RETURN_TRUE;
} else {
@@ -925,7 +933,7 @@
PHP_FUNCTION(mcrypt_module_is_block_algorithm)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir)
-
+
if (mcrypt_module_is_block_algorithm(module, dir) == 1) {
RETURN_TRUE;
} else {
@@ -939,7 +947,7 @@
PHP_FUNCTION(mcrypt_module_is_block_mode)
{
MCRYPT_GET_MODE_DIR_ARGS(modes_dir)
-
+
if (mcrypt_module_is_block_mode(module, dir) == 1) {
RETURN_TRUE;
} else {
@@ -953,7 +961,7 @@
PHP_FUNCTION(mcrypt_module_get_algo_block_size)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir)
-
+
RETURN_LONG(mcrypt_module_get_algo_block_size(module, dir));
}
/* }}} */
@@ -963,7 +971,7 @@
PHP_FUNCTION(mcrypt_module_get_algo_key_size)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir);
-
+
RETURN_LONG(mcrypt_module_get_algo_key_size(module, dir));
}
/* }}} */
@@ -974,7 +982,7 @@
{
int i, count = 0;
int *key_sizes;
-
+
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir)
array_init(return_value);
@@ -1000,7 +1008,7 @@
&lib_dir, &lib_dir_len) == FAILURE) {
return;
}
-
+
array_init(return_value);
modules = mcrypt_list_algorithms(lib_dir, &count);
@@ -1047,7 +1055,7 @@
{
char *cipher;
char *module;
- int cipher_len, module_len;
+ int cipher_len, module_len;
char *cipher_dir_string;
char *module_dir_string;
MCRYPT td;
@@ -1058,7 +1066,7 @@
&cipher, &cipher_len, &module, &module_len) == FAILURE) {
return;
}
-
+
td = mcrypt_module_open(cipher, cipher_dir_string, module, module_dir_string);
if (td != MCRYPT_FAILED) {
RETVAL_LONG(mcrypt_enc_get_key_size(td));
@@ -1076,7 +1084,7 @@
{
char *cipher;
char *module;
- int cipher_len, module_len;
+ int cipher_len, module_len;
char *cipher_dir_string;
char *module_dir_string;
MCRYPT td;
@@ -1087,7 +1095,7 @@
&cipher, &cipher_len, &module, &module_len) == FAILURE) {
return;
}
-
+
td = mcrypt_module_open(cipher, cipher_dir_string, module, module_dir_string);
if (td != MCRYPT_FAILED) {
RETVAL_LONG(mcrypt_enc_get_block_size(td));
@@ -1105,7 +1113,7 @@
{
char *cipher;
char *module;
- int cipher_len, module_len;
+ int cipher_len, module_len;
char *cipher_dir_string;
char *module_dir_string;
MCRYPT td;
@@ -1116,7 +1124,7 @@
&cipher, &cipher_len, &module, &module_len) == FAILURE) {
return;
}
-
+
td = mcrypt_module_open(cipher, cipher_dir_string, module, module_dir_string);
if (td != MCRYPT_FAILED) {
RETVAL_LONG(mcrypt_enc_get_iv_size(td));
@@ -1206,7 +1214,7 @@
} else { /* dertermine smallest supported key > length of requested key */
use_key_length = max_key_length; /* start with max key length */
for (i = 0; i < count; i++) {
- if (key_length_sizes[i] >= key_len &&
+ if (key_length_sizes[i] >= key_len &&
key_length_sizes[i] < use_key_length)
{
use_key_length = key_length_sizes[i];
@@ -1217,11 +1225,11 @@
memcpy(key_s, key, MIN(key_len, use_key_length));
}
mcrypt_free (key_length_sizes);
-
+
/* Check IV */
iv_s = NULL;
iv_size = mcrypt_enc_get_iv_size (td);
-
+
/* IV is required */
if (mcrypt_enc_mode_has_iv(td) == 1) {
if (argc == 5) {
@@ -1261,7 +1269,7 @@
} else {
mdecrypt_generic(td, data_s, data_size);
}
-
+
RETVAL_STRINGL(data_s, data_size, 1);
/* freeing vars */
@@ -1283,9 +1291,9 @@
zval **mode;
char *cipher, *key, *data, *iv = NULL;
int cipher_len, key_len, data_len, iv_len = 0;
-
+
MCRYPT_GET_CRYPT_ARGS
-
+
convert_to_string_ex(mode);
php_mcrypt_do_crypt(cipher, key, key_len, data, data_len, Z_STRVAL_PP(mode), iv, iv_len, ZEND_NUM_ARGS(), MCRYPT_ENCRYPT, return_value TSRMLS_CC);
@@ -1301,7 +1309,7 @@
int cipher_len, key_len, data_len, iv_len = 0;
MCRYPT_GET_CRYPT_ARGS
-
+
convert_to_string_ex(mode);
php_mcrypt_do_crypt(cipher, key, key_len, data, data_len, Z_STRVAL_PP(mode), iv, iv_len, ZEND_NUM_ARGS(), MCRYPT_DECRYPT, return_value TSRMLS_CC);
@@ -1315,7 +1323,7 @@
zval **mode;
char *cipher, *key, *data, *iv = NULL;
int cipher_len, key_len, data_len, iv_len = 0;
-
+
MCRYPT_GET_CRYPT_ARGS
convert_to_long_ex(mode);
@@ -1347,7 +1355,7 @@
zval **mode;
char *cipher, *key, *data, *iv = NULL;
int cipher_len, key_len, data_len, iv_len = 0;
-
+
MCRYPT_GET_CRYPT_ARGS
convert_to_long_ex(mode);
@@ -1363,7 +1371,7 @@
zval **mode;
char *cipher, *key, *data, *iv = NULL;
int cipher_len, key_len, data_len, iv_len = 0;
-
+
MCRYPT_GET_CRYPT_ARGS
convert_to_long_ex(mode);
@@ -1389,7 +1397,7 @@
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot create an IV with a size of less than 1 or greater than %d", INT_MAX);
RETURN_FALSE;
}
-
+
iv = ecalloc(size + 1, 1);
if (source == RANDOM || source == URANDOM) {
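Review bot: The added `if (data_size <= 0)` guard tests the product after it has been formed, but `data_size`, `block_size` and `data_len` are all `int` (see `int block_size, data_size;` in the `@@ -709,11 +713,11 @@` context), so the multiplication in `data_size = (((data_len - 1) / block_size) + 1) * block_size;` has already overflowed signed arithmetic when the check runs, and the compiler may assume that never happens. Test the operands first, before the assignment: `if (((data_len - 1) / block_size) + 1 > INT_MAX / block_size) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); RETURN_FALSE; }` — `INT_MAX` is already used in this file at the `@@ -1389,7 +1397,7 @@` hunk. The same pattern appears in both the hunk that calls `mcrypt_generic(pm->td, …)` (`@@ -681,6 +681,10 @@`) and the one that calls `mdecrypt_generic(…)` (`@@ -726,6 +730,10 @@`); a non-positive `block_size` would still divide by zero on the unchanged line, as it did before the patch. Both enclosing functions begin and end outside their hunks.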

@ -0,0 +1,77 @@
Index: php5-5.4.45/Zend/tests/gc_024.phpt
===================================================================
--- php5-5.4.45.orig/Zend/tests/gc_024.phpt 2016-08-19 14:41:43.000000000 +0200
+++ php5-5.4.45/Zend/tests/gc_024.phpt 2016-08-19 14:41:43.000000000 +0200
@@ -13,5 +13,5 @@
echo "ok\n";
?>
--EXPECT--
-int(1)
+int(2)
ok
Index: php5-5.4.45/ext/spl/spl_array.c
===================================================================
--- php5-5.4.45.orig/ext/spl/spl_array.c 2016-08-19 14:41:43.000000000 +0200
+++ php5-5.4.45/ext/spl/spl_array.c 2016-08-19 14:41:43.000000000 +0200
@@ -831,6 +831,16 @@
}
/* }}} */
+static HashTable *spl_array_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+ spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
+
+ *gc_data = &intern->array;
+ *gc_data_count = 1;
+ return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */
+
static zval *spl_array_read_property(zval *object, zval *member, int type, const zend_literal *key TSRMLS_DC) /* {{{ */
{
spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
@@ -1973,6 +1983,7 @@
spl_handler_ArrayObject.get_properties = spl_array_get_properties;
spl_handler_ArrayObject.get_debug_info = spl_array_get_debug_info;
+ spl_handler_ArrayObject.get_gc = spl_array_get_gc;
spl_handler_ArrayObject.read_property = spl_array_read_property;
spl_handler_ArrayObject.write_property = spl_array_write_property;
spl_handler_ArrayObject.get_property_ptr_ptr = spl_array_get_property_ptr_ptr;
Index: php5-5.4.45/ext/standard/tests/strings/bug72433.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/standard/tests/strings/bug72433.phpt 2016-08-19 14:41:43.000000000 +0200
@@ -0,0 +1,32 @@
+--TEST--
+Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
+--FILE--
+<?php
+// Fill any potential freed spaces until now.
+$filler = array();
+for($i = 0; $i < 100; $i++)
+ $filler[] = "";
+// Create our payload and unserialize it.
+$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
+$free_me = unserialize($serialized_payload);
+// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
+$inc_ref_by_one = $free_me[2];
+// The call to gc_collect_cycles will free '$free_me'.
+gc_collect_cycles();
+// We now have multiple freed spaces. Fill all of them.
+$fill_freed_space_1 = "filler_zval_1";
+$fill_freed_space_2 = "filler_zval_2";
+var_dump($free_me);
+?>
+--EXPECTF--
+array(3) {
+ [0]=>
+ *RECURSION*
+ [1]=>
+ *RECURSION*
+ [2]=>
+ object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ *RECURSION*
+ }
+}
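Review bot: `spl_array_get_gc` has no comment saying why it hands `intern->array` to the collector; the change of the `gc_024.phpt` expectation from `int(1)` to `int(2)` is the only hint that the wrapped array was previously invisible to cycle collection, which is the condition the `bug72433.phpt` test exercises. A one-line comment above the function, `/* Expose the wrapped array to the GC so cycles through an ArrayObject are collected instead of freed out from under it (bug #72433) */`, would carry that. The handler is assigned only to `spl_handler_ArrayObject` at `@@ -1973,6 +1983,7 @@`; if ArrayIterator's handler table is initialised by copying that struct after this line it inherits the hook, otherwise it keeps the default `get_gc` — worth confirming in the module-init code, which lies outside the hunk.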

@ -0,0 +1,65 @@
Index: php5-5.4.45/ext/standard/tests/strings/bug72434.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/standard/tests/strings/bug72434.phpt 2016-08-19 14:46:18.000000000 +0200
@@ -0,0 +1,33 @@
+--TEST--
+Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
+--SKIPIF--
+<?php
+if(!class_exists('zip')) die('ZipArchive');
+?>
+--FILE--
+<?php
+// The following array will be serialized and this representation will be freed later on.
+$free_me = array(new StdClass());
+// Create our payload and unserialize it.
+$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
+$unserialized_payload = unserialize($serialized_payload);
+gc_collect_cycles();
+// The reference counter for $free_me is at -1 for PHP 7 right now.
+// Increment the reference counter by 1 -> rc is 0
+$a = $unserialized_payload[1];
+// Increment the reference counter by 1 again -> rc is 1
+$b = $a;
+// Trigger free of $free_me (referenced by $m[1]).
+unset($b);
+$fill_freed_space_1 = "filler_zval_1";
+$fill_freed_space_2 = "filler_zval_2";
+$fill_freed_space_3 = "filler_zval_3";
+$fill_freed_space_4 = "filler_zval_4";
+debug_zval_dump($unserialized_payload[1]);
+?>
+--EXPECTF--
+array(1) refcount(1){
+ [0]=>
+ object(stdClass)#%d (0) refcount(3){
+ }
+}
Index: php5-5.4.45/ext/zip/php_zip.c
===================================================================
--- php5-5.4.45.orig/ext/zip/php_zip.c 2016-08-19 14:46:18.000000000 +0200
+++ php5-5.4.45/ext/zip/php_zip.c 2016-08-19 14:46:18.000000000 +0200
@@ -1015,6 +1015,14 @@
}
/* }}} */
+static HashTable *php_zip_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+ *gc_data = NULL;
+ *gc_data_count = 0;
+ return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */
+
static HashTable *php_zip_get_properties(zval *object TSRMLS_DC)/* {{{ */
{
ze_zip_object *obj;
@@ -2777,6 +2785,7 @@
zip_object_handlers.clone_obj = NULL;
zip_object_handlers.get_property_ptr_ptr = php_zip_get_property_ptr_ptr;
+ zip_object_handlers.get_gc = php_zip_get_gc;
zip_object_handlers.get_properties = php_zip_get_properties;
zip_object_handlers.read_property = php_zip_read_property;
zip_object_handlers.has_property = php_zip_has_property;
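Review bot: The SKIPIF section of `bug72434.phpt` tests `class_exists('zip')`, but the class the test needs is `ZipArchive`, and its `die('ZipArchive')` output does not begin with `skip`, so the section never skips when the extension is missing and the test fails instead; `if (!extension_loaded('zip')) die('skip zip extension not available');` is the usual guard. On the C side, `php_zip_get_gc` reports `*gc_data = NULL` and a count of zero without saying why; a short comment stating why the collector must be given `zend_std_get_properties` rather than the table that `php_zip_get_properties` (the handler directly below it) builds would make the intent reviewable.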

@ -0,0 +1,42 @@
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fzip%2Fzip_stream.c;h=a9192d26cb8905bb3aa4ff5b8cd546337515f966;hp=400edd6e6c0b9d46d66fc315429d1561cf9de34b;hb=81406c0c1d45f75fcc7972ed974d2597abb0b9e9;hpb=0218acb7e756a469099c4ccfb22bce6c2bd1ef87
Index: php5-5.4.45/ext/zip/zip_stream.c
===================================================================
--- php5-5.4.45.orig/ext/zip/zip_stream.c 2016-08-19 15:00:49.000000000 +0200
+++ php5-5.4.45/ext/zip/zip_stream.c 2016-08-19 15:00:49.000000000 +0200
@@ -214,7 +214,7 @@
self = emalloc(sizeof(*self));
self->za = stream_za;
- self->zf = zf;
+ self->zf = zf;
self->stream = NULL;
self->cursor = 0;
stream = php_stream_alloc(&php_stream_zipio_ops, self, NULL, mode);
@@ -241,7 +241,7 @@
char **opened_path,
php_stream_context *context STREAMS_DC TSRMLS_DC)
{
- int path_len;
+ size_t path_len;
char *file_basename;
size_t file_basename_len;
@@ -250,7 +250,7 @@
struct zip *za;
struct zip_file *zf = NULL;
char *fragment;
- int fragment_len;
+ size_t fragment_len;
int err;
php_stream *stream = NULL;
@@ -293,7 +293,7 @@
self = emalloc(sizeof(*self));
self->za = za;
- self->zf = zf;
+ self->zf = zf;
self->stream = NULL;
self->cursor = 0;
stream = php_stream_alloc(&php_stream_zipio_ops, self, NULL, mode);
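Review bot: `path_len` and `fragment_len` become `size_t`, but every use of them — the code that fills them and any comparison or subtraction against `int` lengths — lies outside the two one-line hunks, so the sign change cannot be checked here; building this file with `-Wsign-compare` would surface any comparison that silently became unsigned. The `X-Git-Url:` line that records the origin points at an ad-hoc mirror by bare IP (`http://72.52.91.13:8000/…`); citing the php-src commit it names (`hb=81406c0c1d45f75fcc7972ed974d2597abb0b9e9`) against the canonical repository instead lets the backport be verified. The hunks at `@@ -214,7 +214,7 @@` and `@@ -293,7 +293,7 @@` change only whitespace in `self->zf = zf;` and could be dropped.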

@ -0,0 +1,132 @@
From e6c48213c22ed50b2b987b479fcc1ac709394caa Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Jul 2016 21:44:39 -0700
Subject: [PATCH] Fix bug #72606: heap-buffer-overflow (write)
simplestring_addn simplestring.c
---
ext/xmlrpc/libxmlrpc/simplestring.c | 61 ++++++++++++++++++++++---------------
ext/xmlrpc/libxmlrpc/simplestring.h | 2 +-
2 files changed, 38 insertions(+), 25 deletions(-)
Index: php5-5.4.45/ext/xmlrpc/libxmlrpc/simplestring.c
===================================================================
--- php5-5.4.45.orig/ext/xmlrpc/libxmlrpc/simplestring.c 2016-08-19 15:06:17.000000000 +0200
+++ php5-5.4.45/ext/xmlrpc/libxmlrpc/simplestring.c 2016-08-19 15:06:17.000000000 +0200
@@ -5,28 +5,28 @@
Epinions.com may be contacted at feedback@epinions-inc.com
*/
-/*
- Copyright 2000 Epinions, Inc.
+/*
+ Copyright 2000 Epinions, Inc.
- Subject to the following 3 conditions, Epinions, Inc. permits you, free
- of charge, to (a) use, copy, distribute, modify, perform and display this
- software and associated documentation files (the "Software"), and (b)
- permit others to whom the Software is furnished to do so as well.
-
- 1) The above copyright notice and this permission notice shall be included
- without modification in all copies or substantial portions of the
- Software.
-
- 2) THE SOFTWARE IS PROVIDED "AS IS", WITHOUT ANY WARRANTY OR CONDITION OF
- ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION ANY
- IMPLIED WARRANTIES OF ACCURACY, MERCHANTABILITY, FITNESS FOR A PARTICULAR
- PURPOSE OR NONINFRINGEMENT.
-
- 3) IN NO EVENT SHALL EPINIONS, INC. BE LIABLE FOR ANY DIRECT, INDIRECT,
- SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OR LOST PROFITS ARISING OUT
- OF OR IN CONNECTION WITH THE SOFTWARE (HOWEVER ARISING, INCLUDING
- NEGLIGENCE), EVEN IF EPINIONS, INC. IS AWARE OF THE POSSIBILITY OF SUCH
- DAMAGES.
+ Subject to the following 3 conditions, Epinions, Inc. permits you, free
+ of charge, to (a) use, copy, distribute, modify, perform and display this
+ software and associated documentation files (the "Software"), and (b)
+ permit others to whom the Software is furnished to do so as well.
+
+ 1) The above copyright notice and this permission notice shall be included
+ without modification in all copies or substantial portions of the
+ Software.
+
+ 2) THE SOFTWARE IS PROVIDED "AS IS", WITHOUT ANY WARRANTY OR CONDITION OF
+ ANY KIND, EXPRESS, IMPLIED OR STATUTORY, INCLUDING WITHOUT LIMITATION ANY
+ IMPLIED WARRANTIES OF ACCURACY, MERCHANTABILITY, FITNESS FOR A PARTICULAR
+ PURPOSE OR NONINFRINGEMENT.
+
+ 3) IN NO EVENT SHALL EPINIONS, INC. BE LIABLE FOR ANY DIRECT, INDIRECT,
+ SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES OR LOST PROFITS ARISING OUT
+ OF OR IN CONNECTION WITH THE SOFTWARE (HOWEVER ARISING, INCLUDING
+ NEGLIGENCE), EVEN IF EPINIONS, INC. IS AWARE OF THE POSSIBILITY OF SUCH
+ DAMAGES.
*/
@@ -71,7 +71,7 @@
*
* Oh, and it is also binary safe, ie it can handle strings with embedded NULLs,
* so long as the real length is passed in.
- *
+ *
* And the masses rejoiced.
*
* BUGS
@@ -136,7 +136,7 @@
* NOTES
* This function is very fast as it does not de-allocate any memory.
* SEE ALSO
- *
+ *
* SOURCE
*/
void simplestring_clear(simplestring* string) {
@@ -190,18 +190,31 @@
* simplestring_add ()
* SOURCE
*/
-void simplestring_addn(simplestring* target, const char* source, int add_len) {
+void simplestring_addn(simplestring* target, const char* source, size_t add_len) {
+ size_t newsize = target->size, incr = 0;
if(target && source) {
if(!target->str) {
simplestring_init_str(target);
}
+
+ if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+ /* check for overflows, if there's a potential overflow do nothing */
+ return;
+ }
+
if(target->len + add_len + 1 > target->size) {
/* newsize is current length + new length */
- int newsize = target->len + add_len + 1;
- int incr = target->size * 2;
+ newsize = target->len + add_len + 1;
+ incr = target->size * 2;
/* align to SIMPLESTRING_INCR increments */
- newsize = newsize - (newsize % incr) + incr;
+ if (incr) {
+ newsize = newsize - (newsize % incr) + incr;
+ }
+ if(newsize < (target->len + add_len + 1)) {
+ /* some kind of overflow happened */
+ return;
+ }
target->str = (char*)realloc(target->str, newsize);
target->size = target->str ? newsize : 0;
Index: php5-5.4.45/ext/xmlrpc/libxmlrpc/simplestring.h
===================================================================
--- php5-5.4.45.orig/ext/xmlrpc/libxmlrpc/simplestring.h 2016-08-19 15:06:17.000000000 +0200
+++ php5-5.4.45/ext/xmlrpc/libxmlrpc/simplestring.h 2016-08-19 15:06:17.000000000 +0200
@@ -63,7 +63,7 @@
void simplestring_clear(simplestring* string);
void simplestring_free(simplestring* string);
void simplestring_add(simplestring* string, const char* add);
-void simplestring_addn(simplestring* string, const char* add, int add_len);
+void simplestring_addn(simplestring* string, const char* add, size_t add_len);
#ifdef __cplusplus
}

@ -0,0 +1,404 @@
From cab1c3b3708eead315e033359d07049b23b147a3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 26 Jun 2016 17:52:09 -0700
Subject: [PATCH] Fixed bug #72479 - same as #72434
---
ext/snmp/snmp.c | 89 ++++++++++++++++++++++++--------------------
ext/snmp/tests/bug72479.phpt | 35 +++++++++++++++++
2 files changed, 84 insertions(+), 40 deletions(-)
create mode 100644 ext/snmp/tests/bug72479.phpt
Index: php5-5.4.45/ext/snmp/snmp.c
===================================================================
--- php5-5.4.45.orig/ext/snmp/snmp.c 2016-08-19 15:09:26.000000000 +0200
+++ php5-5.4.45/ext/snmp/snmp.c 2016-08-19 15:09:26.000000000 +0200
@@ -475,7 +475,7 @@
static void php_snmp_object_free_storage(void *object TSRMLS_DC)
{
php_snmp_object *intern = (php_snmp_object *)object;
-
+
if (!intern) {
return;
}
@@ -483,7 +483,7 @@
netsnmp_session_free(&(intern->session));
zend_object_std_dtor(&intern->zo TSRMLS_CC);
-
+
efree(intern);
}
@@ -503,7 +503,7 @@
retval.handlers = (zend_object_handlers *) &php_snmp_object_handlers;
return retval;
-
+
}
/* {{{ php_snmp_error
@@ -556,7 +556,7 @@
char *dbuf = (char *)NULL;
int buflen = sizeof(sbuf) - 1;
int val_len = vars->val_len;
-
+
/* use emalloc() for large values, use static array otherwize */
/* There is no way to know the size of buffer snprint_value() needs in order to print a value there.
@@ -702,7 +702,7 @@
* SNMP object fetcher/setter for all SNMP versions
*
*/
-static void php_snmp_internal(INTERNAL_FUNCTION_PARAMETERS, int st,
+static void php_snmp_internal(INTERNAL_FUNCTION_PARAMETERS, int st,
struct snmp_session *session,
struct objid_query *objid_query)
{
@@ -721,7 +721,7 @@
/* we start with retval=FALSE. If any actual data is acquired, retval will be set to appropriate type */
RETVAL_FALSE;
-
+
/* reset errno and errstr */
php_snmp_error(getThis(), NULL TSRMLS_CC, PHP_SNMP_ERRNO_NOERROR, "");
@@ -805,8 +805,8 @@
}
for (vars = response->variables; vars; vars = vars->next_variable) {
/* do not output errors as values */
- if ( vars->type == SNMP_ENDOFMIBVIEW ||
- vars->type == SNMP_NOSUCHOBJECT ||
+ if ( vars->type == SNMP_ENDOFMIBVIEW ||
+ vars->type == SNMP_NOSUCHOBJECT ||
vars->type == SNMP_NOSUCHINSTANCE ) {
if ((st & SNMP_CMD_WALK) && Z_TYPE_P(return_value) == IS_ARRAY) {
break;
@@ -816,8 +816,8 @@
php_snmp_error(getThis(), NULL TSRMLS_CC, PHP_SNMP_ERRNO_ERROR_IN_REPLY, "Error in packet at '%s': %s", buf, buf2);
continue;
}
-
- if ((st & SNMP_CMD_WALK) &&
+
+ if ((st & SNMP_CMD_WALK) &&
(vars->name_length < rootlen || memcmp(root, vars->name, rootlen * sizeof(oid)))) { /* not part of this subtree */
if (Z_TYPE_P(return_value) == IS_ARRAY) { /* some records are fetched already, shut down further lookup */
keepwalking = 0;
@@ -1101,7 +1101,7 @@
efree(objid_query->vars);
return FALSE;
}
- } else {
+ } else {
memmove((char *)objid_query->vars[0].name, (char *)objid_mib, sizeof(objid_mib));
objid_query->vars[0].name_length = sizeof(objid_mib) / sizeof(oid);
}
@@ -1437,7 +1437,7 @@
int session_less_mode = (getThis() == NULL);
php_snmp_object *snmp_object;
php_snmp_object glob_snmp_object;
-
+
objid_query.max_repetitions = -1;
objid_query.non_repeaters = 0;
objid_query.valueretrieval = SNMP_G(valueretrieval);
@@ -1550,7 +1550,7 @@
}
php_snmp_internal(INTERNAL_FUNCTION_PARAM_PASSTHRU, st, session, &objid_query);
-
+
efree(objid_query.vars);
if (session_less_mode) {
@@ -1563,7 +1563,7 @@
}
/* }}} */
-/* {{{ proto mixed snmpget(string host, string community, mixed object_id [, int timeout [, int retries]])
+/* {{{ proto mixed snmpget(string host, string community, mixed object_id [, int timeout [, int retries]])
Fetch a SNMP object */
PHP_FUNCTION(snmpget)
{
@@ -1571,7 +1571,7 @@
}
/* }}} */
-/* {{{ proto mixed snmpgetnext(string host, string community, mixed object_id [, int timeout [, int retries]])
+/* {{{ proto mixed snmpgetnext(string host, string community, mixed object_id [, int timeout [, int retries]])
Fetch a SNMP object */
PHP_FUNCTION(snmpgetnext)
{
@@ -1579,7 +1579,7 @@
}
/* }}} */
-/* {{{ proto mixed snmpwalk(string host, string community, mixed object_id [, int timeout [, int retries]])
+/* {{{ proto mixed snmpwalk(string host, string community, mixed object_id [, int timeout [, int retries]])
Return all objects under the specified object id */
PHP_FUNCTION(snmpwalk)
{
@@ -1595,7 +1595,7 @@
}
/* }}} */
-/* {{{ proto bool snmpset(string host, string community, mixed object_id, mixed type, mixed value [, int timeout [, int retries]])
+/* {{{ proto bool snmpset(string host, string community, mixed object_id, mixed type, mixed value [, int timeout [, int retries]])
Set the value of a SNMP object */
PHP_FUNCTION(snmpset)
{
@@ -1642,7 +1642,7 @@
netsnmp_ds_set_boolean(NETSNMP_DS_LIBRARY_ID, NETSNMP_DS_LIB_PRINT_NUMERIC_ENUM, (int) a1);
RETURN_TRUE;
-}
+}
/* }}} */
/* {{{ proto bool snmp_set_oid_output_format(int oid_format)
@@ -1670,10 +1670,10 @@
RETURN_FALSE;
break;
}
-}
+}
/* }}} */
-/* {{{ proto mixed snmp2_get(string host, string community, mixed object_id [, int timeout [, int retries]])
+/* {{{ proto mixed snmp2_get(string host, string community, mixed object_id [, int timeout [, int retries]])
Fetch a SNMP object */
PHP_FUNCTION(snmp2_get)
{
@@ -1681,7 +1681,7 @@
}
/* }}} */
-/* {{{ proto mixed snmp2_getnext(string host, string community, mixed object_id [, int timeout [, int retries]])
+/* {{{ proto mixed snmp2_getnext(string host, string community, mixed object_id [, int timeout [, int retries]])
Fetch a SNMP object */
PHP_FUNCTION(snmp2_getnext)
{
@@ -1689,7 +1689,7 @@
}
/* }}} */
-/* {{{ proto mixed snmp2_walk(string host, string community, mixed object_id [, int timeout [, int retries]])
+/* {{{ proto mixed snmp2_walk(string host, string community, mixed object_id [, int timeout [, int retries]])
Return all objects under the specified object id */
PHP_FUNCTION(snmp2_walk)
{
@@ -1705,7 +1705,7 @@
}
/* }}} */
-/* {{{ proto bool snmp2_set(string host, string community, mixed object_id, mixed type, mixed value [, int timeout [, int retries]])
+/* {{{ proto bool snmp2_set(string host, string community, mixed object_id, mixed type, mixed value [, int timeout [, int retries]])
Set the value of a SNMP object */
PHP_FUNCTION(snmp2_set)
{
@@ -1821,7 +1821,7 @@
snmp_object = (php_snmp_object *)zend_object_store_get_object(object TSRMLS_CC);
zend_replace_error_handling(EH_THROW, NULL, &error_handling TSRMLS_CC);
-
+
if (zend_parse_parameters(argc TSRMLS_CC, "lss|ll", &version, &a1, &a1_len, &a2, &a2_len, &timeout, &retries) == FAILURE) {
zend_restore_error_handling(&error_handling TSRMLS_CC);
return;
@@ -1843,7 +1843,7 @@
if (snmp_object->session) {
netsnmp_session_free(&(snmp_object->session));
}
-
+
if (netsnmp_session_init(&(snmp_object->session), version, a1, a2, timeout, retries TSRMLS_CC)) {
return;
}
@@ -1857,7 +1857,7 @@
}
/* }}} */
-/* {{{ proto bool SNMP::close()
+/* {{{ proto bool SNMP::close()
Close SNMP session */
PHP_METHOD(snmp, close)
{
@@ -1900,7 +1900,7 @@
}
/* }}} */
-/* {{{ proto bool SNMP::set(mixed object_id, mixed type, mixed value)
+/* {{{ proto bool SNMP::set(mixed object_id, mixed type, mixed value)
Set the value of a SNMP object */
PHP_METHOD(snmp, set)
{
@@ -1918,7 +1918,7 @@
int argc = ZEND_NUM_ARGS();
snmp_object = (php_snmp_object *)zend_object_store_get_object(object TSRMLS_CC);
-
+
if (zend_parse_parameters(argc TSRMLS_CC, "s|ssssss", &a1, &a1_len, &a2, &a2_len, &a3, &a3_len,
&a4, &a4_len, &a5, &a5_len, &a6, &a6_len, &a7, &a7_len) == FAILURE) {
RETURN_FALSE;
@@ -1932,7 +1932,7 @@
}
/* }}} */
-/* {{{ proto long SNMP::getErrno()
+/* {{{ proto long SNMP::getErrno()
Get last error code number */
PHP_METHOD(snmp, getErrno)
{
@@ -1946,7 +1946,7 @@
}
/* }}} */
-/* {{{ proto long SNMP::getError()
+/* {{{ proto long SNMP::getError()
Get last error message */
PHP_METHOD(snmp, getError)
{
@@ -2095,6 +2095,14 @@
}
/* }}} */
+static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
+{
+ *gc_data = NULL;
+ *gc_data_count = 0;
+ return zend_std_get_properties(object TSRMLS_CC);
+}
+/* }}} */
+
/* {{{ php_snmp_get_properties(zval *object)
Returns all object properties. Injects SNMP properties into object on first call */
static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC)
@@ -2137,23 +2145,23 @@
if (snmp_object->session == NULL) {
return SUCCESS;
}
-
+
MAKE_STD_ZVAL(val);
ZVAL_STRINGL(val, snmp_object->session->peername, strlen(snmp_object->session->peername), 1);
add_assoc_zval(*retval, "hostname", val);
-
+
MAKE_STD_ZVAL(val);
ZVAL_LONG(val, snmp_object->session->remote_port);
add_assoc_zval(*retval, "port", val);
-
+
MAKE_STD_ZVAL(val);
ZVAL_LONG(val, snmp_object->session->timeout);
add_assoc_zval(*retval, "timeout", val);
-
+
MAKE_STD_ZVAL(val);
ZVAL_LONG(val, snmp_object->session->retries);
add_assoc_zval(*retval, "retries", val);
-
+
return SUCCESS;
}
/* }}} */
@@ -2226,7 +2234,7 @@
} else {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "max_oids should be positive integer or NULL, got %ld", Z_LVAL_P(newval));
}
-
+
if (newval == &ztmp) {
zval_dtor(newval);
}
@@ -2254,7 +2262,7 @@
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown SNMP value retrieval method '%ld'", Z_LVAL_P(newval));
ret = FAILURE;
}
-
+
if (newval == &ztmp) {
zval_dtor(newval);
}
@@ -2297,7 +2305,7 @@
convert_to_long(&ztmp);
newval = &ztmp;
}
-
+
switch(Z_LVAL_P(newval)) {
case NETSNMP_OID_OUTPUT_SUFFIX:
case NETSNMP_OID_OUTPUT_MODULE:
@@ -2332,7 +2340,7 @@
newval = &ztmp;
}
- snmp_object->exceptions_enabled = Z_LVAL_P(newval);
+ snmp_object->exceptions_enabled = Z_LVAL_P(newval);
if (newval == &ztmp) {
zval_dtor(newval);
@@ -2401,6 +2409,7 @@
php_snmp_object_handlers.write_property = php_snmp_write_property;
php_snmp_object_handlers.has_property = php_snmp_has_property;
php_snmp_object_handlers.get_properties = php_snmp_get_properties;
+ php_snmp_object_handlers.get_gc = php_snmp_get_gc;
/* Register SNMP Class */
INIT_CLASS_ENTRY(ce, "SNMP", php_snmp_class_methods);
@@ -2467,7 +2476,7 @@
PHP_MSHUTDOWN_FUNCTION(snmp)
{
snmp_shutdown("snmpapp");
-
+
zend_hash_destroy(&php_snmp_properties);
return SUCCESS;
Index: php5-5.4.45/ext/snmp/tests/bug72479.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/snmp/tests/bug72479.phpt 2016-08-19 15:09:26.000000000 +0200
@@ -0,0 +1,35 @@
+--TEST--
+Bug #72479: Use After Free Vulnerability in SNMP with GC and unserialize()
+--SKIPIF--
+<?php
+require_once(dirname(__FILE__).'/skipif.inc');
+?>
+--FILE--
+<?php
+$arr = [1, [1, 2, 3, 4, 5], 3, 4, 5];
+$poc = 'a:3:{i:1;N;i:2;O:4:"snmp":1:{s:11:"quick_print";'.serialize($arr).'}i:1;R:7;}';
+$out = unserialize($poc);
+gc_collect_cycles();
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+for ($i = 0; $i < 5; $i++) {
+ $v[$i] = $fakezval.$i;
+}
+var_dump($out[1]);
+
+function ptr2str($ptr)
+{
+ $out = '';
+ for ($i = 0; $i < 8; $i++) {
+ $out .= chr($ptr & 0xff);
+ $ptr >>= 8;
+ }
+ return $out;
+}
+?>
+--EXPECT--
+int(1)
\ No newline at end of file
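Review bot: The new `php_snmp_get_gc` handler (hunk @@ -2095 in snmp.c) carries no comment explaining why it hands the collector only `zend_std_get_properties` and a NULL `gc_data`, which is not self-evident next to a `get_properties` handler documented as injecting SNMP properties into the object on first call; the intent appears to be that those injected properties must not be walked or freed by the GC, so a line such as `/* Let the GC see only the standard property table; the SNMP properties that php_snmp_get_properties injects are not for the collector to walk (bug #72479). */` above the function would record that. Every other hunk in snmp.c is a trailing-whitespace-only change (e.g. the `-`/`+` pairs at @@ -475, @@ -483, @@ -503) that carries no fix; for a security backport they inflate the diff and bury the two lines that matter, the handler definition and the `php_snmp_object_handlers.get_gc = php_snmp_get_gc;` registration, so they could be dropped from this patch file or at least called out as whitespace in its header. The added phpt ends without a trailing newline, which run-tests tolerates but is worth fixing while the file is being added.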

@ -0,0 +1,76 @@
From aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 12 Jul 2016 22:37:36 -0700
Subject: [PATCH] Fix bug #72533 (locale_accept_from_http out-of-bounds access)
---
ext/intl/locale/locale_methods.c | 18 ++++++++++++++++++
ext/intl/tests/bug72533.phpt | 30 ++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
create mode 100644 ext/intl/tests/bug72533.phpt
Index: php5-5.4.45/ext/intl/locale/locale_methods.c
===================================================================
--- php5-5.4.45.orig/ext/intl/locale/locale_methods.c 2016-08-19 15:12:09.000000000 +0200
+++ php5-5.4.45/ext/intl/locale/locale_methods.c 2016-08-19 15:12:09.000000000 +0200
@@ -1596,6 +1596,24 @@
"locale_accept_from_http: unable to parse input parameters", 0 TSRMLS_CC );
RETURN_FALSE;
}
+ if(http_accept_len > ULOC_FULLNAME_CAPACITY) {
+ /* check each fragment, if any bigger than capacity, can't do it due to bug #72533 */
+ char *start = http_accept;
+ char *end;
+ size_t len;
+ do {
+ end = strchr(start, ',');
+ len = end ? end-start : http_accept_len-(start-http_accept);
+ if(len > ULOC_FULLNAME_CAPACITY) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
+ "locale_accept_from_http: locale string too long", 0 TSRMLS_CC );
+ RETURN_FALSE;
+ }
+ if(end) {
+ start = end+1;
+ }
+ } while(end != NULL);
+ }
available = ures_openAvailableLocales(NULL, &status);
INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list");
Index: php5-5.4.45/ext/intl/tests/bug72533.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/intl/tests/bug72533.phpt 2016-08-19 15:12:09.000000000 +0200
@@ -0,0 +1,30 @@
+--TEST--
+Bug #72533 (locale_accept_from_http out-of-bounds access)
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+ $ret = var_export(ut_loc_accept_http(str_repeat('x', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ $ret .= "\n";
+ $ret .= var_export(ut_loc_accept_http(str_repeat('en,', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_accept_from_http: locale string too long: U_ILLEGAL_ARGUMENT_ERROR'
+'en'
\ No newline at end of file
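Review bot: The per-fragment scan added to `locale_accept_from_http` (hunk @@ -1596; the enclosing function starts outside it) is only entered when the whole header exceeds `ULOC_FULLNAME_CAPACITY`, and nothing says that this outer test is a shortcut rather than a second condition; a comment above the `if` such as `/* a header that fits in ULOC_FULLNAME_CAPACITY cannot hold a fragment that does not; only longer headers need the per-fragment scan */` would make that explicit. The loop locates commas with `strchr` on the zval buffer but sizes the final fragment from `http_accept_len`, so an embedded NUL makes that last `len` span everything up to the declared end of the string rather than up to the NUL; that errs toward rejecting, which is the safe direction, but the two disagreeing length sources deserve a one-line note. `len` is `size_t` while `end-start` is `ptrdiff_t`; the value cannot be negative here because `start` never advances past the terminator, but an explicit `(size_t)` on both arms of the conditional would document that rather than rely on the reader working it out.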

@ -0,0 +1,72 @@
From 41131cd41d2fd2e0c2f332a27988df75659c42e4 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Jul 2016 23:21:51 -0700
Subject: [PATCH] Fix bug #72618: NULL Pointer Dereference in
exif_process_user_comment
Index: php5-5.4.45/ext/exif/exif.c
===================================================================
--- php5-5.4.45.orig/ext/exif/exif.c 2016-08-28 11:34:41.000000000 +0200
+++ php5-5.4.45/ext/exif/exif.c 2016-08-28 11:34:41.000000000 +0200
@@ -2623,6 +2623,7 @@
*pszEncoding = NULL;
/* Copy the comment */
if (ByteCount>=8) {
+ const zend_encoding *from, *to;
if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
@@ -2643,14 +2644,16 @@
} else {
decode = ImageInfo->decode_unicode_le;
}
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
- zend_multibyte_fetch_encoding(decode TSRMLS_CC)
+ to,
+ from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
@@ -2665,13 +2668,15 @@
szValuePtr = szValuePtr+8;
ByteCount -= 8;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
- if (zend_multibyte_encoding_converter(
+ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
+ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
+ if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
- zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
- zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
+ to,
+ from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
Index: php5-5.4.45/ext/xmlrpc/libxmlrpc/simplestring.c
===================================================================
--- php5-5.4.45.orig/ext/xmlrpc/libxmlrpc/simplestring.c 2016-08-28 11:34:40.000000000 +0200
+++ php5-5.4.45/ext/xmlrpc/libxmlrpc/simplestring.c 2016-08-28 11:35:30.000000000 +0200
@@ -197,6 +197,10 @@
simplestring_init_str(target);
}
+#ifndef SIZE_MAX
+# define SIZE_MAX ((size_t) -1)
+#endif
+
if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
/* check for overflows, if there's a potential overflow do nothing */
return;
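Review bot: The `SIZE_MAX` fallback (`#ifndef SIZE_MAX` / `# define SIZE_MAX ((size_t) -1)` / `#endif`, hunk @@ -197 in simplestring.c) is placed inside the body of `simplestring_addn`, between the `simplestring_init_str` call and the overflow guard, where a file-level definition does not belong; it is also a follow-up to the guard introduced by the CVE-2016-6296 patch (d05-u007), not to the exif NULL-dereference fix this patch file is named for. Moving those three lines to the top of simplestring.c with its includes, or folding them into d05-u007, would keep each patch file about one fix and make either one safe to drop or rebase on its own. In the exif hunks the new `!to || !from` guards look right: a NULL encoding now takes the same `exif_process_string_raw` fallback as a failed conversion, so the comment bytes are kept rather than dereferenced; the enclosing function starts and ends outside the hunks.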

@ -0,0 +1,64 @@
From eebcbd5de38a0f1c2876035402cb770e37476519 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 17 Jul 2016 16:34:21 -0700
Subject: [PATCH] Fix bug #72603: Out of bound read in
exif_process_IFD_in_MAKERNOTE
Index: php5-5.4.45/ext/exif/exif.c
===================================================================
--- php5-5.4.45.orig/ext/exif/exif.c 2016-08-19 15:28:28.000000000 +0200
+++ php5-5.4.45/ext/exif/exif.c 2016-08-19 15:28:28.000000000 +0200
@@ -2747,6 +2747,12 @@
break;
}
+ if (maker_note->offset >= value_len) {
+ /* Do not go past the value end */
+ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
+ return FALSE;
+ }
+