php7.2: update to u10 and u11

master
parent 57fddaee78
commit 6ca4be2c6f
  1. 14
      testing/php7.2/APKBUILD
  2. 128
      testing/php7.2/u11-001-CVE-2017-8923.patch
  3. 51
      testing/php7.2/u11-002-CVE-2017-9118-pre1.patch
  4. 71
      testing/php7.2/u11-003-CVE-2017-9118.patch
  5. 84
      testing/php7.2/u11-004-CVE-2017-9119.patch
  6. 41
      testing/php7.2/u11-005-CVE-2017-9120.patch
  7. 118
      testing/php7.2/u11-006-CVE-2021-21707.patch

@ -26,7 +26,7 @@
pkgname=php7.2
_pkgreal=php
pkgver=7.2.34
pkgrel=9
pkgrel=10
_apiver=20170718
_suffix=${pkgname#php}
_suffixA=7
@ -117,6 +117,12 @@ source="https://php.net/distributions/$_pkgreal-$pkgver.tar.xz
u9-001-lp-1939853-1-Fix-Segfault-with-get_result-and-PS-cursors.patch
u9-002-lp-1939853-2-MySQLnd-Support-cursors-in-store-get-result.patch
u10-001-CVE-2021-21703.patch
u11-001-CVE-2017-8923.patch
u11-002-CVE-2017-9118-pre1.patch
u11-003-CVE-2017-9118.patch
u11-004-CVE-2017-9119.patch
u11-005-CVE-2017-9120.patch
u11-006-CVE-2021-21707.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
@ -710,4 +716,10 @@ a3b631bb2d8fa016c29a70ca0f2be4e9bf61137ed221710b5ab23b1d187086f81a8d0e1dbb2c7c2e
c837e778c17780093a47255d48cc7f47b5ca3fdd9569174145eeae73614bce8565cbbb54cae488b1510e32614edd28a716f5acf5f932cc61a422a33b5606ea4c u9-001-lp-1939853-1-Fix-Segfault-with-get_result-and-PS-cursors.patch
844b7736b3a5ecc5ad247d41419e97e466fae382b82cc1cdf6d56e9a8fa9280bc0f624a3f07fd9d52205372c5d82201d7b3b97dde46577b1d79a62dbb545b07d u9-002-lp-1939853-2-MySQLnd-Support-cursors-in-store-get-result.patch
ea82fa077ea0f5171bbbcd25f1e5265c69bf0b6b544cd601379269755ad9e76184932ade958efbddfd4c921813e333f618e7740334227d3f10bd2036727615d0 u10-001-CVE-2021-21703.patch
bba7c89f05d7663f32ab6fd1fd716496ac8ed801e07e3ace732df8d1e026c851d1ce85c1248a73ee6270a6d8844f1ef687d7e02b595f9d9768e7c550db641ab1 u11-001-CVE-2017-8923.patch
ab62b120c20ae6c1c56a7fbffa09fad6bbdab816e1aaa6888fc3933cf72e6b5a09741181a56879cf3b1b87634675194d5c256dd2bae3926f1f91185313bedec4 u11-002-CVE-2017-9118-pre1.patch
e63ae6e3385bc79ba8507d0676483467a3cd67d1134b8613b0561c5dffe0d247af7561b0a5011d6f84a56dc3f5c9234ecdc2726ee1ea2ccfa77e91a9486ad7cb u11-003-CVE-2017-9118.patch
02f47153d9873359e01e9155f413e06f3a3a0689e059e2012d3d2b3c81ab32a0d695655f98822c771c1c5867ca27123a06eb33ee6766109e235f0e2ed1851019 u11-004-CVE-2017-9119.patch
fddf6c50682b4d778908130477a9160df68dbd257f33991262d49c3eb05a220ec608a9625ce2b7f00241010aaa4ec7d9c7daa1884d66decda4ac7c4547082a4d u11-005-CVE-2017-9120.patch
64460be7ba985c5192a51badabdbec3e530e6a0818d71612f1ad2b1e5e80eedcb97bb7da3bc2b2daca2c9a610d969336432e89b7babc6aa474153f2dbe5d0451 u11-006-CVE-2021-21707.patch
"

@ -0,0 +1,128 @@
Backport of:
From 0b7dffb41f0b571c00304c973f9b85ef910d43d9 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 17 Aug 2021 16:56:52 +0200
Subject: [PATCH] Fix #73122: Integer Overflow when concatenating strings
We must avoid integer overflows in memory allocations, so we introduce
an additional check in the VM, and bail out in the rare case of an
overflow.
Closes GH-7381.
---
NEWS | 1 +
Zend/zend_vm_def.h | 3 +++
Zend/zend_vm_execute.h | 24 ++++++++++++++++++++++++
3 files changed, 28 insertions(+)
#diff --git a/NEWS b/NEWS
#index 89a09e15b61b..f33242bcd7b3 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -6,6 +6,7 @@ PHP NEWS
# . Fixed bug #81302 (Stream position after stream filter removed). (cmb)
# . Fixed bug #81346 (Non-seekable streams don't update position after write).
# (cmb)
#+ . Fixed bug #73122 (Integer Overflow when concatenating strings). (cmb)
#
# - Opcache:
# . Fixed bug #81353 (segfault with preloading and statically bound closure).
Index: php-7.2.34/Zend/zend_vm_def.h
===================================================================
--- php-7.2.34.orig/Zend/zend_vm_def.h
+++ php-7.2.34/Zend/zend_vm_def.h
@@ -316,6 +316,9 @@ ZEND_VM_HANDLER(8, ZEND_CONCAT, CONST|TM
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
Index: php-7.2.34/Zend/zend_vm_execute.h
===================================================================
--- php-7.2.34.orig/Zend/zend_vm_execute.h
+++ php-7.2.34/Zend/zend_vm_execute.h
@@ -9253,6 +9253,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -11275,6 +11278,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -35136,6 +35142,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -37690,6 +37699,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -41657,6 +41669,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -49957,6 +49972,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -51749,6 +51767,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
@@ -53079,6 +53100,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FAST
!ZSTR_IS_INTERNED(op1_str) && GC_REFCOUNT(op1_str) == 1) {
size_t len = ZSTR_LEN(op1_str);
+ if (UNEXPECTED(len > ZSTR_MAX_LEN - ZSTR_LEN(op2_str))) {
+ zend_error_noreturn(E_ERROR, "Integer overflow in memory allocation");
+ }
str = zend_string_extend(op1_str, len + ZSTR_LEN(op2_str), 0);
memcpy(ZSTR_VAL(str) + len, ZSTR_VAL(op2_str), ZSTR_LEN(op2_str)+1);
ZVAL_NEW_STR(EX_VAR(opline->result.var), str);
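Review bot: The check inserted before `zend_string_extend` in the zend_vm_def.h hunk, and its seven copies in zend_vm_execute.h, reference `ZSTR_MAX_LEN`, which php 7.2.34 does not define until u11-002-CVE-2017-9118-pre1.patch adds it, so this patch compiles only because every file in source= is applied before the build starts; the header should say so, e.g. `Depends on: u11-002-CVE-2017-9118-pre1.patch (introduces ZSTR_MAX_LEN)`. The header also never names the CVE carried in the file name — the same holds for u11-002 through u11-006, and u11-004's header cites only oss-fuzz #25384 — so a `CVE: CVE-2017-8923` line after the `Backport of:` marker would let the next maintainer verify the mapping instead of inferring it from the filename. The ZEND_CONCAT handler bodies these hunks modify start and end outside the hunks.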

@ -0,0 +1,51 @@
From 760ff841a14160f25348f7969985cb8a2c4da3cc Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 21 Jul 2021 13:55:13 +0200
Subject: [PATCH] Fix #74960: Heap buffer overflow via str_repeat
Trying to allocate a `zend_string` with a length only slighty smaller
than `SIZE_MAX` causes an integer overflow, so callers may need to
check that explicitly. To make that easy in a portable way, we
introduce `ZSTR_MAX_LEN`.
Closes GH-7294.
---
NEWS | 1 +
Zend/zend_operators.c | 2 +-
Zend/zend_string.h | 2 ++
3 files changed, 4 insertions(+), 1 deletion(-)
#diff --git a/NEWS b/NEWS
#index 40a01fb4b639..277411332e52 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -15,6 +15,7 @@ PHP NEWS
# . Fixed bug #72146 (Integer overflow on substr_replace). (cmb)
# . Fixed bug #81265 (getimagesize returns 0 for 256px ICO images).
# (George Dietrich)
#+ . Fixed bug #74960 (Heap buffer overflow via str_repeat). (cmb, Dmitry)
#
# 29 Jul 2021, PHP 7.4.22
#
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@ -1759,7 +1759,7 @@ ZEND_API int ZEND_FASTCALL concat_functi
size_t result_len = op1_len + op2_len;
zend_string *result_str;
- if (UNEXPECTED(op1_len > SIZE_MAX - op2_len)) {
+ if (UNEXPECTED(op1_len > ZSTR_MAX_LEN - op2_len)) {
zend_throw_error(NULL, "String size overflow");
if (UNEXPECTED(use_copy1)) {
zval_dtor(op1);
--- a/Zend/zend_string.h
+++ b/Zend/zend_string.h
@@ -74,6 +74,8 @@ END_EXTERN_C()
#define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
+#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
+
#define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
GC_REFCOUNT(str) = 1; \

@ -0,0 +1,71 @@
Backport of:
From 712fc54e856d3d8e80a7d074a2733bc6b3a27e90 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 29 Nov 2021 15:48:41 +0100
Subject: [PATCH] Fix #74604: Out of bounds in php_pcre_replace_impl
Trying to allocate a `zend_string` with a length only slighty smaller
than `SIZE_MAX` causes an integer overflow; we make sure that this
doesn't happen by catering to the maximal overhead of a `zend_string`.
Closes GH-7597.
---
NEWS | 3 +++
Zend/zend_string.h | 3 ++-
ext/pcre/php_pcre.c | 6 +++---
3 files changed, 8 insertions(+), 4 deletions(-)
#diff --git a/NEWS b/NEWS
#index 0b46c1ad5c7a..cfe36d928117 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -16,6 +16,9 @@ PHP NEWS
# - OpenSSL:
# . Fixed bug #75725 (./configure: detecting RAND_egd). (Dilyan Palauzov)
#
#+- PCRE:
#+ . Fixed bug #74604 (Out of bounds in php_pcre_replace_impl). (cmb, Dmitry)
#+
# - Standard:
# . Fixed bug #81618 (dns_get_record fails on FreeBSD for missing type).
# (fsbruva)
Index: php-7.2.34/Zend/zend_string.h
===================================================================
--- php-7.2.34.orig/Zend/zend_string.h
+++ php-7.2.34/Zend/zend_string.h
@@ -74,7 +74,8 @@ END_EXTERN_C()
#define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
-#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
+#define ZSTR_MAX_OVERHEAD (ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
+#define ZSTR_MAX_LEN (SIZE_MAX - ZSTR_MAX_OVERHEAD)
#define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
Index: php-7.2.34/ext/pcre/php_pcre.c
===================================================================
--- php-7.2.34.orig/ext/pcre/php_pcre.c
+++ php-7.2.34/ext/pcre/php_pcre.c
@@ -1422,7 +1422,7 @@ PHPAPI zend_string *php_pcre_replace_imp
}
if (new_len >= alloc_len) {
- alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
+ alloc_len = zend_safe_address_guarded(2, new_len, ZSTR_MAX_OVERHEAD) - ZSTR_MAX_OVERHEAD;
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
@@ -1659,9 +1659,9 @@ static zend_string *php_pcre_replace_fun
/* Use custom function to get replacement string and its length. */
eval_result = preg_do_repl_func(fci, fcc, subject, offsets, subpat_names, count, mark);
ZEND_ASSERT(eval_result);
- new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result), new_len);
+ new_len = zend_safe_address_guarded(1, ZSTR_LEN(eval_result) + ZSTR_MAX_OVERHEAD, new_len) -ZSTR_MAX_OVERHEAD;
if (new_len >= alloc_len) {
- alloc_len = zend_safe_address_guarded(2, new_len, alloc_len);
+ alloc_len = zend_safe_address_guarded(2, new_len, ZSTR_MAX_OVERHEAD) - ZSTR_MAX_OVERHEAD;
if (result == NULL) {
result = zend_string_alloc(alloc_len, 0);
} else {
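Review bot: The zend_string.h hunk deletes the `#define ZSTR_MAX_LEN (SIZE_MAX - ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))` line, which is not in php 7.2.34 itself but is added by u11-002-CVE-2017-9118-pre1.patch, so this patch stops applying if the source= order ever changes; record that with a header line such as `Requires: u11-002-CVE-2017-9118-pre1.patch applied first` under `Backport of:`. The two php_pcre.c hunks add `ZSTR_MAX_OVERHEAD` inside the `zend_safe_address_guarded` call and subtract it from the result, which is presumably safe only because the guarded helper bails out on overflow rather than returning a wrapped value; a sentence in the header explaining that reasoning would help whoever rebases this onto a later 7.2 patch set. Both php_pcre.c hunks sit inside functions whose bodies start and end outside the hunk.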

@ -0,0 +1,84 @@
Backport of:
From 573ad182d21df2457a0a2f6fd3c075e1f0bfca44 Mon Sep 17 00:00:00 2001
From: Nikita Popov <nikita.ppv@gmail.com>
Date: Thu, 3 Sep 2020 09:45:54 +0200
Subject: [PATCH] Handle memory limit error during string reallocation
correctly
Do not decrement the refcount before allocating the new string,
as the allocation operation may bail out and cause a use-after-free
lateron. We can only decrement the refcount once the allocation
has succeeded.
Fixes oss-fuzz #25384.
---
Zend/zend_string.h | 20 ++++++++++++--------
1 file changed, 12 insertions(+), 8 deletions(-)
--- a/Zend/zend_string.h
+++ b/Zend/zend_string.h
@@ -211,12 +211,13 @@ static zend_always_inline zend_string *z
ZSTR_LEN(ret) = len;
zend_string_forget_hash_val(ret);
return ret;
- } else {
- GC_REFCOUNT(s)--;
}
}
ret = zend_string_alloc(len, persistent);
memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), MIN(len, ZSTR_LEN(s)) + 1);
+ if (!ZSTR_IS_INTERNED(s)) {
+ GC_REFCOUNT(s)--;
+ }
return ret;
}
@@ -231,12 +232,13 @@ static zend_always_inline zend_string *z
ZSTR_LEN(ret) = len;
zend_string_forget_hash_val(ret);
return ret;
- } else {
- GC_REFCOUNT(s)--;
}
}
ret = zend_string_alloc(len, persistent);
memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), ZSTR_LEN(s) + 1);
+ if (!ZSTR_IS_INTERNED(s)) {
+ GC_REFCOUNT(s)--;
+ }
return ret;
}
@@ -251,12 +253,13 @@ static zend_always_inline zend_string *z
ZSTR_LEN(ret) = len;
zend_string_forget_hash_val(ret);
return ret;
- } else {
- GC_REFCOUNT(s)--;
}
}
ret = zend_string_alloc(len, persistent);
memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), len + 1);
+ if (!ZSTR_IS_INTERNED(s)) {
+ GC_REFCOUNT(s)--;
+ }
return ret;
}
@@ -270,12 +273,13 @@ static zend_always_inline zend_string *z
ZSTR_LEN(ret) = (n * m) + l;
zend_string_forget_hash_val(ret);
return ret;
- } else {
- GC_REFCOUNT(s)--;
}
}
ret = zend_string_safe_alloc(n, m, l, persistent);
memcpy(ZSTR_VAL(ret), ZSTR_VAL(s), MIN((n * m) + l, ZSTR_LEN(s)) + 1);
+ if (!ZSTR_IS_INTERNED(s)) {
+ GC_REFCOUNT(s)--;
+ }
return ret;
}

@ -0,0 +1,41 @@
Backport of:
From 5977610de1aa87630e40a299a2d90fb7cd00bf7c Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 9 Aug 2021 12:48:21 +0200
Subject: [PATCH] Fix #74544: Integer overflow in mysqli_real_escape_string()
The patch has been provided by @johannes.
Closes GH-7353.
---
NEWS | 4 ++++
ext/mysqli/mysqli_api.c | 2 +-
2 files changed, 5 insertions(+), 1 deletion(-)
#diff --git a/NEWS b/NEWS
#index 28341f26c94c..cb5132397221 100644
#--- a/NEWS
#+++ b/NEWS
#@@ -18,6 +18,10 @@ PHP NEWS
# - GD:
# . Fixed bug #51498 (imagefilledellipse does not work for large circles). (cmb)
#
#+- MySQLi:
#+ . Fixed bug #74544 (Integer overflow in mysqli_real_escape_string()). (cmb,
#+ johannes)
#+
# - OpenSSL:
# . Fixed bug #81327 (Error build openssl extension on php 7.4.22). (cmb)
#
--- a/ext/mysqli/mysqli_api.c
+++ b/ext/mysqli/mysqli_api.c
@@ -1967,7 +1967,7 @@ PHP_FUNCTION(mysqli_real_escape_string)
}
MYSQLI_FETCH_RESOURCE_CONN(mysql, mysql_link, MYSQLI_STATUS_VALID);
- newstr = zend_string_alloc(2 * escapestr_len, 0);
+ newstr = zend_string_safe_alloc(2, escapestr_len, 0, 0);
ZSTR_LEN(newstr) = mysql_real_escape_string(mysql->mysql, ZSTR_VAL(newstr), escapestr, escapestr_len);
newstr = zend_string_truncate(newstr, ZSTR_LEN(newstr), 0);

@ -0,0 +1,118 @@
From f15f8fc573eb38c3c73e23e0930063a6f6409ed4 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 1 Sep 2020 10:04:28 +0200
Subject: [PATCH] Fix #79971: special character is breaking the path in xml
function
The libxml based XML functions accepting a filename actually accept
URIs with possibly percent-encoded characters. Percent-encoded NUL
bytes lead to truncation, like non-encoded NUL bytes would. We catch
those, and let the functions fail with a respective warning.
---
ext/dom/domimplementation.c | 5 +++++
ext/dom/tests/bug79971_2.phpt | 20 ++++++++++++++++++++
ext/libxml/libxml.c | 9 +++++++++
ext/simplexml/tests/bug79971_1.phpt | 27 +++++++++++++++++++++++++++
ext/simplexml/tests/bug79971_1.xml | 2 ++
5 files changed, 63 insertions(+)
create mode 100644 ext/dom/tests/bug79971_2.phpt
create mode 100644 ext/simplexml/tests/bug79971_1.phpt
create mode 100644 ext/simplexml/tests/bug79971_1.xml
--- a/ext/dom/domimplementation.c
+++ b/ext/dom/domimplementation.c
@@ -114,6 +114,11 @@ PHP_METHOD(domimplementation, createDocu
pch2 = (xmlChar *) systemid;
}
+ if (strstr(name, "%00")) {
+ php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
+ RETURN_FALSE;
+ }
+
uri = xmlParseURI(name);
if (uri != NULL && uri->opaque != NULL) {
localname = xmlStrdup((xmlChar *) uri->opaque);
--- /dev/null
+++ b/ext/dom/tests/bug79971_2.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #79971 (special character is breaking the path in xml function)
+--SKIPIF--
+<?php
+if (!extension_loaded('dom')) die('skip dom extension not available');
+?>
+--FILE--
+<?php
+$imp = new DOMImplementation;
+if (PHP_OS_FAMILY === 'Windows') {
+ $path = '/' . str_replace('\\', '/', __DIR__);
+} else {
+ $path = __DIR__;
+}
+$uri = "file://$path/bug79971_2.xml";
+var_dump($imp->createDocumentType("$uri%00foo"));
+?>
+--EXPECTF--
+Warning: DOMImplementation::createDocumentType(): URI must not contain percent-encoded NUL bytes in %s on line %d
+bool(false)
--- a/ext/libxml/libxml.c
+++ b/ext/libxml/libxml.c
@@ -308,6 +308,10 @@ static void *php_libxml_streams_IO_open_
int isescaped=0;
xmlURI *uri;
+ if (strstr(filename, "%00")) {
+ php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
+ return NULL;
+ }
uri = xmlParseURI(filename);
if (uri && (uri->scheme == NULL ||
@@ -438,6 +442,11 @@ php_libxml_output_buffer_create_filename
if (URI == NULL)
return(NULL);
+ if (strstr(URI, "%00")) {
+ php_error_docref(NULL, E_WARNING, "URI must not contain percent-encoded NUL bytes");
+ return NULL;
+ }
+
puri = xmlParseURI(URI);
if (puri != NULL) {
if (puri->scheme != NULL)
--- /dev/null
+++ b/ext/simplexml/tests/bug79971_1.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #79971 (special character is breaking the path in xml function)
+--SKIPIF--
+<?php
+if (!extension_loaded('simplexml')) die('skip simplexml extension not available');
+?>
+--FILE--
+<?php
+if (PHP_OS_FAMILY === 'Windows') {
+ $path = '/' . str_replace('\\', '/', __DIR__);
+} else {
+ $path = __DIR__;
+}
+$uri = "file://$path/bug79971_1.xml";
+var_dump(simplexml_load_file("$uri%00foo"));
+
+$sxe = simplexml_load_file($uri);
+var_dump($sxe->asXML("$uri.out%00foo"));
+?>
+--EXPECTF--
+Warning: simplexml_load_file(): URI must not contain percent-encoded NUL bytes in %s on line %d
+
+Warning: simplexml_load_file(): I/O warning : failed to load external entity "%s/bug79971_1.xml%00foo" in %s on line %d
+bool(false)
+
+Warning: SimpleXMLElement::asXML(): URI must not contain percent-encoded NUL bytes in %s on line %d
+bool(false)
--- /dev/null
+++ b/ext/simplexml/tests/bug79971_1.xml
@@ -0,0 +1,2 @@
+<?xml version="1.0"?>
+<root></root>
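Review bot: The three `strstr(..., "%00")` guards reject only the percent-encoded NUL; the header says raw NUL bytes already truncate and are presumably rejected by the callers' path-parameter parsing, but the backport does not state that for the 7.2 call sites of createDocumentType, php_libxml_streams_IO_open_wrapper and php_libxml_output_buffer_create_filename, so a header line confirming it would make the coverage explicit. Placing each check before `xmlParseURI` is right, since the URI decoder is what would turn `%00` into a truncating NUL. The expected `I/O warning : failed to load external entity` line in bug79971_1.phpt is libxml2's own message text and may differ with the libxml2 the package builds against; if check() runs the phpt suite, that line may need a looser pattern. All three C hunks are inside functions that start and end outside the hunk.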