php5.4: add debian u4 patchset

3.15-stable
parent daf810c4e7
commit f09dbdb198
  1. 20
      testing/php5.4/APKBUILD
  2. 772
      testing/php5.4/d04-u001-CVE-2016-5093.patch
  3. 207
      testing/php5.4/d04-u002-CVE-2016-5094.patch
  4. 25
      testing/php5.4/d04-u003-CVE-2016-5095.patch
  5. 34
      testing/php5.4/d04-u004-CVE-2016-5096.patch
  6. 16
      testing/php5.4/d04-u005-CVE-2016-5144.patch
  7. 22
      testing/php5.4/d04-u006-CVE-TEMP-bug-70480-raw.patch
  8. 87
      testing/php5.4/d04-u007-CVE-TEMP-bug-70661.patch
  9. 66
      testing/php5.4/d04-u008-CVE-TEMP-bug-70728.patch
  10. 560
      testing/php5.4/d04-u009-CVE-TEMP-bug-70741.patch

@ -26,7 +26,7 @@
pkgname=php5.4
_pkgreal=php
pkgver=5.4.45
pkgrel=4
pkgrel=5
_apiver=20100412
_suffix=${pkgname#php}
_suffixA=5
@ -152,6 +152,15 @@ source="https://www.php.net/distributions/$_pkgreal-$pkgver.tar.bz2
d03-u007-CVE-2016-4539.patch
d03-u008-CVE-2016-4540+4541.patch
d03-u009-CVE-2016-4542+4543+4544.patch
d04-u001-CVE-2016-5093.patch
d04-u002-CVE-2016-5094.patch
d04-u003-CVE-2016-5095.patch
d04-u004-CVE-2016-5096.patch
d04-u005-CVE-2016-5144.patch
d04-u006-CVE-TEMP-bug-70480-raw.patch
d04-u007-CVE-TEMP-bug-70661.patch
d04-u008-CVE-TEMP-bug-70728.patch
d04-u009-CVE-TEMP-bug-70741.patch
"
builddir="$srcdir/$_pkgreal-$pkgver"
@ -740,4 +749,13 @@ c109616b8163b56bbf413eef413bfaac8237859bad240fa099fba178090de1e0aae842b3f79bb129
0c29e08c0a7ad1f61177d498c61c3818c867b0b5b164a55a93c331bfc913bf178df18dda0f7a1cf257e0db8413908e9a7f86057acda638cfe5c6829c19f0a003 d03-u007-CVE-2016-4539.patch
ad9697a9bcf4137678942a808f0e72624af2f814a25d7249635bacebead433cdf01c20d3c22562e7477516f9544c79ae576051259af593eb53b97169c84dd902 d03-u008-CVE-2016-4540+4541.patch
6fdac7d5e460b17169b036408723becfd84a7156f78e62e082ac39cfd613bee4d8de3662c3f083e3d30c5466718d3d82f5e2739b5c6211b6468541fb8832880e d03-u009-CVE-2016-4542+4543+4544.patch
67511b13aa38c40a9e4fa9756da351233f2358b14f1a3ac584bc3bac631624ddd5875f8a78d113d6e2bd24ce3eb5dbe0cb7b2ecc6b66e11a084036342e69569b d04-u001-CVE-2016-5093.patch
1fc5057773e9cec38638dca320880d4a5f3464ca6e371e8f357564f23c455a4c5acd9eb9afa6249f46ef6f63ab0aae4c4b3018457ce8ba660e5da375f486c8f4 d04-u002-CVE-2016-5094.patch
9ae3a9ed0994dea5950f34f78c8830787c25c178de840fd8d87bc2c58c06d11d38f9a47da067cc1c3c71c8d75bf954aa7d133e9c91fd9fbb53cf5b8be3460faa d04-u003-CVE-2016-5095.patch
b1592a7545347678d2f0b6a94637db077f3b804abfd98f0b74fd4c21a794c403c1d03572d8087573afe2ab6eb6387cbdb47b135ddd4f99a2b9598eb6ab174c0a d04-u004-CVE-2016-5096.patch
8f8ba5695f7c25ae869d514c1090416eee623ab9a21b77de46e19c4bd22866b8e43419441b61806e3b3f83d8959f27f5609555d08e288b7f2417c428fb458f90 d04-u005-CVE-2016-5144.patch
da1510a4a28db341b10223666182c9c72b9e973f26bbfcbab8ea62fb7bc18d82da7dc6b6f8023633e87be747f03e5d3797d49ca36519b397a61f75e9589c8540 d04-u006-CVE-TEMP-bug-70480-raw.patch
1c2e798f09389eefb00b8ed0f2b16137dec69c061427d228805db1c40bcbba078569f9e3a0bee14b2ceb54a83b63589bc38b4d9fd52fb0ff6feed5253b4256a0 d04-u007-CVE-TEMP-bug-70661.patch
d53cd361c23644980bbb8de728f75839224eee21f72160031874c03083babbc1d0edcba89d6805f4898b2c3b9d9c53563b10c72442fceb24f4b195d43aa6b6f9 d04-u008-CVE-TEMP-bug-70728.patch
a9ed0d3f6d982e17908660aff873706ca6c0809b3832a24fef2a033410c9d2b2e05ef723a24346c1fc7abe05fe79680b8ca65404127b3fdec7ced28fb8e54e95 d04-u009-CVE-TEMP-bug-70741.patch
"
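Review bot: The three hunks only bump `pkgrel`, extend `source=` and append the sha512 lines; if this APKBUILD carries a `# secfixes:` block (not visible in these hunks), it is not updated, so the five ids now fixed by this release (CVE-2016-5093, -5094, -5095, -5096, -5144) would not reach the security database. I would add under it an entry of the form `#   5.4.45-r5:` followed by one `#     - CVE-2016-5093` line per id. The four `d04-u00[6-9]-CVE-TEMP-bug-*.patch` files carry no CVE id in their names, so the commit message or that block should name the upstream bug numbers (70480, 70661, 70728, 70741) so a later reviewer can map them once ids are assigned. The second hunk (`@ -152,6 +152,15 @@`) appears to have lost the blank line between the closing `"` and `builddir=` in rendering, so the line count there does not reconcile with the header.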

@ -0,0 +1,772 @@
Index: php5-5.4.45/ext/intl/locale/locale_methods.c
===================================================================
--- php5-5.4.45.orig/ext/intl/locale/locale_methods.c 2016-06-19 11:25:20.000000000 +0200
+++ php5-5.4.45/ext/intl/locale/locale_methods.c 2016-06-19 11:25:20.000000000 +0200
@@ -65,26 +65,26 @@
*/
static const char * const LOC_GRANDFATHERED[] = {
"art-lojban", "i-klingon", "i-lux", "i-navajo", "no-bok", "no-nyn",
- "cel-gaulish", "en-GB-oed", "i-ami",
- "i-bnn", "i-default", "i-enochian",
- "i-mingo", "i-pwn", "i-tao",
+ "cel-gaulish", "en-GB-oed", "i-ami",
+ "i-bnn", "i-default", "i-enochian",
+ "i-mingo", "i-pwn", "i-tao",
"i-tay", "i-tsu", "sgn-BE-fr",
"sgn-BE-nl", "sgn-CH-de", "zh-cmn",
"zh-cmn-Hans", "zh-cmn-Hant", "zh-gan" ,
"zh-guoyu", "zh-hakka", "zh-min",
- "zh-min-nan", "zh-wuu", "zh-xiang",
+ "zh-min-nan", "zh-wuu", "zh-xiang",
"zh-yue", NULL
};
/* Based on IANA registry at the time of writing this code
* This array lists the preferred values for the grandfathered tags if applicable
-* This is in sync with the array LOC_GRANDFATHERED
+* This is in sync with the array LOC_GRANDFATHERED
* e.g. the offsets of the grandfathered tags match the offset of the preferred value
*/
static const int LOC_PREFERRED_GRANDFATHERED_LEN = 6;
static const char * const LOC_PREFERRED_GRANDFATHERED[] = {
"jbo", "tlh", "lb",
- "nv", "nb", "nn",
+ "nv", "nb", "nn",
NULL
};
@@ -141,15 +141,15 @@
}
/* {{{
-* returns the position of next token for lookup
+* returns the position of next token for lookup
* or -1 if no token
-* strtokr equivalent search for token in reverse direction
+* strtokr equivalent search for token in reverse direction
*/
static int getStrrtokenPos(char* str, int savedPos)
{
int result =-1;
int i;
-
+
for(i=savedPos-1; i>=0; i--) {
if(isIDSeparator(*(str+i)) ){
/* delimiter found; check for singleton */
@@ -171,7 +171,7 @@
/* }}} */
/* {{{
-* returns the position of a singleton if present
+* returns the position of a singleton if present
* returns -1 if no singleton
* strtok equivalent search for singleton
*/
@@ -180,7 +180,7 @@
int result =-1;
int i=0;
int len = 0;
-
+
if( str && ((len=strlen(str))>0) ){
for( i=0; i<len ; i++){
if( isIDSeparator(*(str+i)) ){
@@ -198,7 +198,7 @@
}
}
}/* end of for */
-
+
}
return result;
}
@@ -227,7 +227,7 @@
PHP_NAMED_FUNCTION(zif_locale_set_default)
{
char* locale_name = NULL;
- int len=0;
+ int len=0;
if(zend_parse_parameters( ZEND_NUM_ARGS() TSRMLS_CC, "s",
&locale_name ,&len ) == FAILURE)
@@ -243,14 +243,14 @@
len = strlen(locale_name);
}
- zend_alter_ini_entry(LOCALE_INI_NAME, sizeof(LOCALE_INI_NAME), locale_name, len, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
+ zend_alter_ini_entry(LOCALE_INI_NAME, sizeof(LOCALE_INI_NAME), locale_name, len, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
RETURN_TRUE;
}
/* }}} */
/* {{{
-* Gets the value from ICU
+* Gets the value from ICU
* common code shared by get_primary_language,get_script or get_region or get_variant
* result = 0 if error, 1 if successful , -1 if no value
*/
@@ -287,7 +287,7 @@
}
}
- singletonPos = getSingletonPos( loc_name );
+ singletonPos = getSingletonPos( loc_name );
if( singletonPos == 0){
/* singleton at start of script, region , variant etc.
* or invalid singleton at start of language */
@@ -302,7 +302,7 @@
} /* end of if != LOC_CANONICAL_TAG */
if( mod_loc_name == NULL){
- mod_loc_name = estrdup(loc_name );
+ mod_loc_name = estrdup(loc_name );
}
/* Proceed to ICU */
@@ -329,6 +329,7 @@
if( U_FAILURE( status ) ) {
if( status == U_BUFFER_OVERFLOW_ERROR ) {
status = U_ZERO_ERROR;
+ buflen++; /* add space for \0 */
continue;
}
@@ -369,7 +370,7 @@
* Gets the value from ICU , called when PHP userspace function is called
* common code shared by get_primary_language,get_script or get_region or get_variant
*/
-static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
+static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
{
char* loc_name = NULL;
@@ -425,37 +426,37 @@
}
/* }}} */
-/* {{{ proto static string Locale::getScript($locale)
- * gets the script for the $locale
+/* {{{ proto static string Locale::getScript($locale)
+ * gets the script for the $locale
}}} */
-/* {{{ proto static string locale_get_script($locale)
- * gets the script for the $locale
+/* {{{ proto static string locale_get_script($locale)
+ * gets the script for the $locale
*/
-PHP_FUNCTION( locale_get_script )
+PHP_FUNCTION( locale_get_script )
{
get_icu_value_src_php( LOC_SCRIPT_TAG , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
/* }}} */
-/* {{{ proto static string Locale::getRegion($locale)
- * gets the region for the $locale
+/* {{{ proto static string Locale::getRegion($locale)
+ * gets the region for the $locale
}}} */
-/* {{{ proto static string locale_get_region($locale)
- * gets the region for the $locale
+/* {{{ proto static string locale_get_region($locale)
+ * gets the region for the $locale
*/
-PHP_FUNCTION( locale_get_region )
+PHP_FUNCTION( locale_get_region )
{
get_icu_value_src_php( LOC_REGION_TAG , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
/* }}} */
-/* {{{ proto static string Locale::getPrimaryLanguage($locale)
- * gets the primary language for the $locale
+/* {{{ proto static string Locale::getPrimaryLanguage($locale)
+ * gets the primary language for the $locale
}}} */
-/* {{{ proto static string locale_get_primary_language($locale)
- * gets the primary language for the $locale
+/* {{{ proto static string locale_get_primary_language($locale)
+ * gets the primary language for the $locale
*/
-PHP_FUNCTION(locale_get_primary_language )
+PHP_FUNCTION(locale_get_primary_language )
{
get_icu_value_src_php( LOC_LANG_TAG , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
@@ -463,9 +464,9 @@
/* {{{
- * common code shared by display_xyz functions to get the value from ICU
+ * common code shared by display_xyz functions to get the value from ICU
}}} */
-static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
+static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
{
char* loc_name = NULL;
int loc_name_len = 0;
@@ -491,7 +492,7 @@
intl_error_reset( NULL TSRMLS_CC );
if(zend_parse_parameters( ZEND_NUM_ARGS() TSRMLS_CC, "s|s",
- &loc_name, &loc_name_len ,
+ &loc_name, &loc_name_len ,
&disp_loc_name ,&disp_loc_name_len ) == FAILURE)
{
spprintf(&msg , 0, "locale_get_display_%s : unable to parse input params", tag_name );
@@ -528,7 +529,7 @@
if( mod_loc_name==NULL ){
mod_loc_name = estrdup( loc_name );
}
-
+
/* Check if disp_loc_name passed , if not use default locale */
if( !disp_loc_name){
disp_loc_name = estrdup(INTL_G(default_locale));
@@ -607,7 +608,7 @@
/* {{{ proto static string get_display_name($locale[, $in_locale = null])
* gets the name for the $locale in $in_locale or default_locale
*/
-PHP_FUNCTION(locale_get_display_name)
+PHP_FUNCTION(locale_get_display_name)
{
get_icu_disp_value_src_php( DISP_NAME , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
@@ -619,7 +620,7 @@
/* {{{ proto static string get_display_language($locale[, $in_locale = null])
* gets the language for the $locale in $in_locale or default_locale
*/
-PHP_FUNCTION(locale_get_display_language)
+PHP_FUNCTION(locale_get_display_language)
{
get_icu_disp_value_src_php( LOC_LANG_TAG , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
@@ -631,7 +632,7 @@
/* {{{ proto static string get_display_script($locale, $in_locale = null)
* gets the script for the $locale in $in_locale or default_locale
*/
-PHP_FUNCTION(locale_get_display_script)
+PHP_FUNCTION(locale_get_display_script)
{
get_icu_disp_value_src_php( LOC_SCRIPT_TAG , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
@@ -643,7 +644,7 @@
/* {{{ proto static string get_display_region($locale, $in_locale = null)
* gets the region for the $locale in $in_locale or default_locale
*/
-PHP_FUNCTION(locale_get_display_region)
+PHP_FUNCTION(locale_get_display_region)
{
get_icu_disp_value_src_php( LOC_REGION_TAG , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
@@ -657,7 +658,7 @@
* proto static string get_display_variant($locale, $in_locale = null)
* gets the variant for the $locale in $in_locale or default_locale
*/
-PHP_FUNCTION(locale_get_display_variant)
+PHP_FUNCTION(locale_get_display_variant)
{
get_icu_disp_value_src_php( LOC_VARIANT_TAG , INTERNAL_FUNCTION_PARAM_PASSTHRU );
}
@@ -670,7 +671,7 @@
/* {{{ proto static array locale_get_keywords(string $locale) {
* return an associative array containing keyword-value
* pairs for this locale. The keys are keys to the array (doh!)
- */
+ */
PHP_FUNCTION( locale_get_keywords )
{
UEnumeration* e = NULL;
@@ -682,10 +683,10 @@
char* loc_name = NULL;
int loc_name_len = 0;
-/*
- ICU expects the buffer to be allocated before calling the function
- and so the buffer size has been explicitly specified
- ICU uloc.h #define ULOC_KEYWORD_AND_VALUES_CAPACITY 100
+/*
+ ICU expects the buffer to be allocated before calling the function
+ and so the buffer size has been explicitly specified
+ ICU uloc.h #define ULOC_KEYWORD_AND_VALUES_CAPACITY 100
hence the kw_value buffer size is 100
*/
char* kw_value = NULL;
@@ -724,7 +725,7 @@
kw_value_len=uloc_getKeywordValue( loc_name,kw_key, kw_value, kw_value_len+1 , &status );
} else if(!U_FAILURE(status)) {
kw_value = erealloc( kw_value , kw_value_len+1);
- }
+ }
if (U_FAILURE(status)) {
intl_error_set( NULL, FAILURE, "locale_get_keywords: Error encountered while getting the keyword value for the keyword", 0 TSRMLS_CC );
if( kw_value){
@@ -743,10 +744,10 @@
}
/* }}} */
- /* {{{ proto static string Locale::canonicalize($locale)
- * @return string the canonicalized locale
+ /* {{{ proto static string Locale::canonicalize($locale)
+ * @return string the canonicalized locale
* }}} */
- /* {{{ proto static string locale_canonicalize(Locale $loc, string $locale)
+ /* {{{ proto static string locale_canonicalize(Locale $loc, string $locale)
* @param string $locale The locale string to canonicalize
*/
PHP_FUNCTION(locale_canonicalize)
@@ -755,10 +756,10 @@
}
/* }}} */
-/* {{{ append_key_value
+/* {{{ append_key_value
* Internal function which is called from locale_compose
* gets the value for the key_name and appends to the loc_name
-* returns 1 if successful , -1 if not found ,
+* returns 1 if successful , -1 if not found ,
* 0 if array element is not a string , -2 if buffer-overflow
*/
static int append_key_value(smart_str* loc_name, HashTable* hash_arr, char* key_name)
@@ -770,7 +771,7 @@
/* element value is not a string */
return FAILURE;
}
- if(strcmp(key_name, LOC_LANG_TAG) != 0 &&
+ if(strcmp(key_name, LOC_LANG_TAG) != 0 &&
strcmp(key_name, LOC_GRANDFATHERED_LANG_TAG)!=0 ) {
/* not lang or grandfathered tag */
smart_str_appendl(loc_name, SEPARATOR , sizeof(SEPARATOR)-1);
@@ -795,11 +796,11 @@
}
/* }}} */
-/* {{{ append_multiple_key_values
+/* {{{ append_multiple_key_values
* Internal function which is called from locale_compose
* gets the multiple values for the key_name and appends to the loc_name
-* used for 'variant','extlang','private'
-* returns 1 if successful , -1 if not found ,
+* used for 'variant','extlang','private'
+* returns 1 if successful , -1 if not found ,
* 0 if array element is not a string , -2 if buffer-overflow
*/
static int append_multiple_key_values(smart_str* loc_name, HashTable* hash_arr, char* key_name TSRMLS_DC)
@@ -853,8 +854,8 @@
/* Multiple variant values as variant0, variant1 ,variant2 */
isFirstSubtag = 0;
- for( i=0 ; i< max_value; i++ ){
- snprintf( cur_key_name , 30, "%s%d", key_name , i);
+ for( i=0 ; i< max_value; i++ ){
+ snprintf( cur_key_name , 30, "%s%d", key_name , i);
if( zend_hash_find( hash_arr , cur_key_name , strlen(cur_key_name) + 1,(void **)&ele_value ) == SUCCESS ){
if( Z_TYPE_PP(ele_value)!= IS_STRING ){
/* variant is not a string */
@@ -876,7 +877,7 @@
/*{{{
* If applicable sets error message and aborts locale_compose gracefully
-* returns 0 if locale_compose needs to be aborted
+* returns 0 if locale_compose needs to be aborted
* otherwise returns 1
*/
static int handleAppendResult( int result, smart_str* loc_name TSRMLS_DC)
@@ -893,11 +894,11 @@
/* }}} */
#define RETURN_SMART_STR(s) smart_str_0((s)); RETURN_STRINGL((s)->c, (s)->len, 0)
-/* {{{ proto static string Locale::composeLocale($array)
-* Creates a locale by combining the parts of locale-ID passed
+/* {{{ proto static string Locale::composeLocale($array)
+* Creates a locale by combining the parts of locale-ID passed
* }}} */
-/* {{{ proto static string compose_locale($array)
-* Creates a locale by combining the parts of locale-ID passed
+/* {{{ proto static string compose_locale($array)
+* Creates a locale by combining the parts of locale-ID passed
* }}} */
PHP_FUNCTION(locale_compose)
{
@@ -923,7 +924,7 @@
RETURN_FALSE;
/* Check for grandfathered first */
- result = append_key_value(loc_name, hash_arr, LOC_GRANDFATHERED_LANG_TAG);
+ result = append_key_value(loc_name, hash_arr, LOC_GRANDFATHERED_LANG_TAG);
if( result == SUCCESS){
RETURN_SMART_STR(loc_name);
}
@@ -932,7 +933,7 @@
}
/* Not grandfathered */
- result = append_key_value(loc_name, hash_arr , LOC_LANG_TAG);
+ result = append_key_value(loc_name, hash_arr , LOC_LANG_TAG);
if( result == LOC_NOT_FOUND ){
intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
"locale_compose: parameter array does not contain 'language' tag.", 0 TSRMLS_CC );
@@ -950,11 +951,11 @@
}
/* Script */
- result = append_key_value(loc_name, hash_arr , LOC_SCRIPT_TAG);
+ result = append_key_value(loc_name, hash_arr , LOC_SCRIPT_TAG);
if( !handleAppendResult( result, loc_name TSRMLS_CC)){
RETURN_FALSE;
}
-
+
/* Region */
result = append_key_value( loc_name, hash_arr , LOC_REGION_TAG);
if( !handleAppendResult( result, loc_name TSRMLS_CC)){
@@ -962,7 +963,7 @@
}
/* Variant */
- result = append_multiple_key_values( loc_name, hash_arr , LOC_VARIANT_TAG TSRMLS_CC);
+ result = append_multiple_key_values( loc_name, hash_arr , LOC_VARIANT_TAG TSRMLS_CC);
if( !handleAppendResult( result, loc_name TSRMLS_CC)){
RETURN_FALSE;
}
@@ -992,12 +993,12 @@
char* mod_loc_name =NULL;
if( loc_name && (len = strlen(loc_name)>0 ) ){
- mod_loc_name = loc_name ;
+ mod_loc_name = loc_name ;
len = strlen(mod_loc_name);
while( (singletonPos = getSingletonPos(mod_loc_name))!= -1){
- if( singletonPos!=-1){
- if( (*(mod_loc_name+singletonPos)=='x') || (*(mod_loc_name+singletonPos)=='X') ){
+ if( singletonPos!=-1){
+ if( (*(mod_loc_name+singletonPos)=='x') || (*(mod_loc_name+singletonPos)=='X') ){
/* private subtag start found */
if( singletonPos + 2 == len){
/* loc_name ends with '-x-' ; return NULL */
@@ -1022,7 +1023,7 @@
} /* end of while */
}
-
+
return result;
}
/* }}} */
@@ -1047,20 +1048,20 @@
} else {
key_value = get_icu_value_internal( loc_name , key_name , &result,1 );
}
- if( (strcmp(key_name , LOC_PRIVATE_TAG)==0) ||
+ if( (strcmp(key_name , LOC_PRIVATE_TAG)==0) ||
( strcmp(key_name , LOC_VARIANT_TAG)==0) ){
if( result > 0 && key_value){
/* Tokenize on the "_" or "-" */
- token = php_strtok_r( key_value , DELIMITER ,&last_ptr);
+ token = php_strtok_r( key_value , DELIMITER ,&last_ptr);
if( cur_key_name ){
efree( cur_key_name);
}
cur_key_name = (char*)ecalloc( 25, 25);
- sprintf( cur_key_name , "%s%d", key_name , cnt++);
+ sprintf( cur_key_name , "%s%d", key_name , cnt++);
add_assoc_string( hash_arr, cur_key_name , token ,TRUE );
/* tokenize on the "_" or "-" and stop at singleton if any */
while( (token = php_strtok_r(NULL , DELIMITER , &last_ptr)) && (strlen(token)>1) ){
- sprintf( cur_key_name , "%s%d", key_name , cnt++);
+ sprintf( cur_key_name , "%s%d", key_name , cnt++);
add_assoc_string( hash_arr, cur_key_name , token , TRUE );
}
/*
@@ -1080,16 +1081,16 @@
}
/*if( key_name != LOC_PRIVATE_TAG && key_value){*/
if( key_value){
- efree(key_value);
+ efree(key_value);
}
return cur_result;
}
/* }}} */
-/* {{{ proto static array Locale::parseLocale($locale)
+/* {{{ proto static array Locale::parseLocale($locale)
* parses a locale-id into an array the different parts of it
}}} */
-/* {{{ proto static array parse_locale($locale)
+/* {{{ proto static array parse_locale($locale)
* parses a locale-id into an array the different parts of it
*/
PHP_FUNCTION(locale_parse)
@@ -1147,7 +1148,7 @@
char* saved_ptr = NULL;
intl_error_reset( NULL TSRMLS_CC );
-
+
if(zend_parse_parameters( ZEND_NUM_ARGS() TSRMLS_CC, "s",
&loc_name, &loc_name_len ) == FAILURE)
{
@@ -1165,15 +1166,15 @@
array_init( return_value );
/* If the locale is grandfathered, stop, no variants */
- if( findOffset( LOC_GRANDFATHERED , loc_name ) >= 0 ){
+ if( findOffset( LOC_GRANDFATHERED , loc_name ) >= 0 ){
/* ("Grandfathered Tag. No variants."); */
}
- else {
+ else {
/* Call ICU variant */
variant = get_icu_value_internal( loc_name , LOC_VARIANT_TAG , &result ,0);
if( result > 0 && variant){
/* Tokenize on the "_" or "-" */
- token = php_strtok_r( variant , DELIMITER , &saved_ptr);
+ token = php_strtok_r( variant , DELIMITER , &saved_ptr);
add_next_index_stringl( return_value, token , strlen(token) ,TRUE );
/* tokenize on the "_" or "-" and stop at singleton if any */
while( (token = php_strtok_r(NULL , DELIMITER, &saved_ptr)) && (strlen(token)>1) ){
@@ -1184,7 +1185,7 @@
efree( variant );
}
}
-
+
}
/* }}} */
@@ -1225,11 +1226,11 @@
/* }}} */
/* {{{ proto static boolean Locale::filterMatches(string $langtag, string $locale[, bool $canonicalize])
-* Checks if a $langtag filter matches with $locale according to RFC 4647's basic filtering algorithm
+* Checks if a $langtag filter matches with $locale according to RFC 4647's basic filtering algorithm
*/
/* }}} */
/* {{{ proto boolean locale_filter_matches(string $langtag, string $locale[, bool $canonicalize])
-* Checks if a $langtag filter matches with $locale according to RFC 4647's basic filtering algorithm
+* Checks if a $langtag filter matches with $locale according to RFC 4647's basic filtering algorithm
*/
PHP_FUNCTION(locale_filter_matches)
{
@@ -1248,13 +1249,13 @@
char* cur_lang_tag = NULL;
char* cur_loc_range = NULL;
- zend_bool boolCanonical = 0;
+ zend_bool boolCanonical = 0;
UErrorCode status = U_ZERO_ERROR;
intl_error_reset( NULL TSRMLS_CC );
-
+
if(zend_parse_parameters( ZEND_NUM_ARGS() TSRMLS_CC, "ss|b",
- &lang_tag, &lang_tag_len , &loc_range , &loc_range_len ,
+ &lang_tag, &lang_tag_len , &loc_range , &loc_range_len ,
&boolCanonical) == FAILURE)
{
intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
@@ -1275,7 +1276,7 @@
/* canonicalize loc_range */
can_loc_range=get_icu_value_internal( loc_range , LOC_CANONICALIZE_TAG , &result , 0);
if( result ==0) {
- intl_error_set( NULL, status,
+ intl_error_set( NULL, status,
"locale_filter_matches : unable to canonicalize loc_range" , 0 TSRMLS_CC );
RETURN_FALSE;
}
@@ -1283,7 +1284,7 @@
/* canonicalize lang_tag */
can_lang_tag = get_icu_value_internal( lang_tag , LOC_CANONICALIZE_TAG , &result , 0);
if( result ==0) {
- intl_error_set( NULL, status,
+ intl_error_set( NULL, status,
"locale_filter_matches : unable to canonicalize lang_tag" , 0 TSRMLS_CC );
RETURN_FALSE;
}
@@ -1311,11 +1312,11 @@
/* check if prefix */
token = strstr( cur_lang_tag , cur_loc_range );
-
+
if( token && (token==cur_lang_tag) ){
/* check if the char. after match is SEPARATOR */
chrcheck = token + (strlen(cur_loc_range));
- if( isIDSeparator(*chrcheck) || isEndOfTag(*chrcheck) ){
+ if( isIDSeparator(*chrcheck) || isEndOfTag(*chrcheck) ){
if( cur_lang_tag){
efree( cur_lang_tag );
}
@@ -1351,7 +1352,7 @@
else{
/* Convert to lower case for case-insensitive comparison */
cur_lang_tag = ecalloc( 1, strlen(lang_tag ) + 1);
-
+
result = strToMatch( lang_tag , cur_lang_tag);
if( result == 0) {
efree( cur_lang_tag );
@@ -1367,11 +1368,11 @@
/* check if prefix */
token = strstr( cur_lang_tag , cur_loc_range );
-
+
if( token && (token==cur_lang_tag) ){
/* check if the char. after match is SEPARATOR */
chrcheck = token + (strlen(cur_loc_range));
- if( isIDSeparator(*chrcheck) || isEndOfTag(*chrcheck) ){
+ if( isIDSeparator(*chrcheck) || isEndOfTag(*chrcheck) ){
if( cur_lang_tag){
efree( cur_lang_tag );
}
@@ -1398,7 +1399,7 @@
static void array_cleanup( char* arr[] , int arr_size)
{
int i=0;
- for( i=0; i< arr_size; i++ ){
+ for( i=0; i< arr_size; i++ ){
if( arr[i*2] ){
efree( arr[i*2]);
}
@@ -1408,7 +1409,7 @@
#define LOOKUP_CLEAN_RETURN(value) array_cleanup(cur_arr, cur_arr_len); return (value)
/* {{{
-* returns the lookup result to lookup_loc_range_src_php
+* returns the lookup result to lookup_loc_range_src_php
* internal function
*/
static char* lookup_loc_range(char* loc_range, HashTable* hash_arr, int canonicalize TSRMLS_DC)
@@ -1432,7 +1433,7 @@
for(zend_hash_internal_pointer_reset(hash_arr);
zend_hash_has_more_elements(hash_arr) == SUCCESS;
zend_hash_move_forward(hash_arr)) {
-
+
if (zend_hash_get_current_data(hash_arr, (void**)&ele_value) == FAILURE) {
/* Should never actually fail since the key is known to exist.*/
continue;
@@ -1441,7 +1442,7 @@
/* element value is not a string */
intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR, "lookup_loc_range: locale array element is not a string", 0 TSRMLS_CC);
LOOKUP_CLEAN_RETURN(NULL);
- }
+ }
cur_arr[cur_arr_len*2] = estrndup(Z_STRVAL_PP(ele_value), Z_STRLEN_PP(ele_value));
result = strToMatch(Z_STRVAL_PP(ele_value), cur_arr[cur_arr_len*2]);
if(result == 0) {
@@ -1449,12 +1450,12 @@
LOOKUP_CLEAN_RETURN(NULL);
}
cur_arr[cur_arr_len*2+1] = Z_STRVAL_PP(ele_value);
- cur_arr_len++ ;
+ cur_arr_len++ ;
} /* end of for */
/* Canonicalize array elements */
if(canonicalize) {
- for(i=0; i<cur_arr_len; i++) {
+ for(i=0; i<cur_arr_len; i++) {
lang_tag = get_icu_value_internal(cur_arr[i*2], LOC_CANONICALIZE_TAG, &result, 0);
if(result != 1 || lang_tag == NULL || !lang_tag[0]) {
if(lang_tag) {
@@ -1464,7 +1465,7 @@
LOOKUP_CLEAN_RETURN(NULL);
}
cur_arr[i*2] = erealloc(cur_arr[i*2], strlen(lang_tag)+1);
- result = strToMatch(lang_tag, cur_arr[i*2]);
+ result = strToMatch(lang_tag, cur_arr[i*2]);
efree(lang_tag);
if(result == 0) {
intl_error_set(NULL, U_ILLEGAL_ARGUMENT_ERROR, "lookup_loc_range: unable to canonicalize lang_tag" , 0 TSRMLS_CC);
@@ -1487,11 +1488,11 @@
} else {
loc_range = can_loc_range;
}
- }
+ }
cur_loc_range = ecalloc(1, strlen(loc_range)+1);
/* convert to lower and replace hyphens */
- result = strToMatch(loc_range, cur_loc_range);
+ result = strToMatch(loc_range, cur_loc_range);
if(can_loc_range) {
efree(can_loc_range);
}
@@ -1503,8 +1504,8 @@
/* Lookup for the lang_tag match */
saved_pos = strlen(cur_loc_range);
while(saved_pos > 0) {
- for(i=0; i< cur_arr_len; i++){
- if(cur_arr[i*2] != NULL && strlen(cur_arr[i*2]) == saved_pos && strncmp(cur_loc_range, cur_arr[i*2], saved_pos) == 0) {
+ for(i=0; i< cur_arr_len; i++){
+ if(cur_arr[i*2] != NULL && strlen(cur_arr[i*2]) == saved_pos && strncmp(cur_loc_range, cur_arr[i*2], saved_pos) == 0) {
/* Match found */
return_value = estrdup(canonicalize?cur_arr[i*2]:cur_arr[i*2+1]);
efree(cur_loc_range);
@@ -1520,14 +1521,14 @@
}
/* }}} */
-/* {{{ proto string Locale::lookup(array $langtag, string $locale[, bool $canonicalize[, string $default = null]])
+/* {{{ proto string Locale::lookup(array $langtag, string $locale[, bool $canonicalize[, string $default = null]])
* Searchs the items in $langtag for the best match to the language
-* range
+* range
*/
/* }}} */
/* {{{ proto string locale_lookup(array $langtag, string $locale[, bool $canonicalize[, string $default = null]])
* Searchs the items in $langtag for the best match to the language
-* range
+* range
*/
PHP_FUNCTION(locale_lookup)
{
@@ -1557,8 +1558,8 @@
if( !hash_arr || zend_hash_num_elements( hash_arr ) == 0 ) {
RETURN_EMPTY_STRING();
- }
-
+ }
+
result = lookup_loc_range(loc_range, hash_arr, boolCanonical TSRMLS_CC);
if(result == NULL || result[0] == '\0') {
if( fallback_loc ) {
@@ -1595,10 +1596,10 @@
"locale_accept_from_http: unable to parse input parameters", 0 TSRMLS_CC );
RETURN_FALSE;
}
-
+
available = ures_openAvailableLocales(NULL, &status);
INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list");
- len = uloc_acceptLanguageFromHTTP(resultLocale, INTL_MAX_LOCALE_LEN,
+ len = uloc_acceptLanguageFromHTTP(resultLocale, INTL_MAX_LOCALE_LEN,
&outResult, http_accept, available, &status);
uenum_close(available);
INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to find acceptable locale");
Index: php5-5.4.45/ext/intl/tests/bug72241.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/intl/tests/bug72241.phpt 2016-06-19 11:25:20.000000000 +0200
@@ -0,0 +1,14 @@
+--TEST--
+Bug #72241: get_icu_value_internal out-of-bounds read
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+$var1=str_repeat("A", 1000);
+$out = locale_get_primary_language($var1);
+echo strlen($out) . PHP_EOL;
+echo unpack('H*', $out)[1] . PHP_EOL;
+--EXPECT--
+1000
+6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616
1
+
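Review bot: The single functional change in this patch file is `buflen++; /* add space for \0 */` in the `U_BUFFER_OVERFLOW_ERROR` retry of `get_icu_value_internal` (the `@@ -329,6 +329,7 @@` hunk of ext/intl/locale/locale_methods.c); the comment does not say why the previous size was one short, so a reader cannot tell this is a terminator fix rather than an arbitrary fudge. I would extend it to `buflen++; /* ICU reports the needed length without the terminating NUL; grow by one so the retry can NUL-terminate (bug #72241) */`. The enclosing function and its retry loop start and end outside the hunk, so whether the result buffer is reallocated with the enlarged `buflen` before the next ICU call cannot be confirmed from here and should be checked against the full function. Every other hunk in this patch file only strips trailing whitespace, which makes the one functional line easy to lose when the patch is refreshed; the added bug72241.phpt test (1000-byte input, expecting 1000 bytes back) is what pins it.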

@ -0,0 +1,207 @@
Index: php5-5.4.45/ext/standard/html.c
===================================================================
--- php5-5.4.45.orig/ext/standard/html.c 2016-06-19 11:31:17.000000000 +0200
+++ php5-5.4.45/ext/standard/html.c 2016-06-19 11:31:17.000000000 +0200
@@ -163,7 +163,7 @@
else
MB_FAILURE(pos, 4);
}
-
+
this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
MB_FAILURE(pos, 4);
@@ -437,7 +437,7 @@
if (charset_hint) {
int found = 0;
-
+
/* now walk the charset map and look for the codeset */
for (i = 0; charset_map[i].codeset; i++) {
if (len == strlen(charset_map[i].codeset) && strncasecmp(charset_hint, charset_map[i].codeset, len) == 0) {
@@ -545,7 +545,7 @@
return 0;
code_key = (unsigned short) code_key_a;
-
+
while (l <= h) {
m = l + (h - l) / 2;
if (code_key < m->un_code_point)
@@ -571,7 +571,7 @@
/* identity mapping of code points to unicode */
if (code > 0xFF) {
return FAILURE;
- }
+ }
*res = code;
break;
@@ -590,7 +590,7 @@
return FAILURE;
}
break;
-
+
case cs_8859_15:
if (code < 0xA4 || (code > 0xBE && code <= 0xFF)) {
*res = code;
@@ -634,7 +634,7 @@
case cs_cp866:
table = unimap_cp866;
table_size = sizeof(unimap_cp866) / sizeof(*unimap_cp866);
-
+
table_over_7F:
if (code <= 0x7F) {
*res = code;
@@ -710,7 +710,7 @@
* Not sure this is the relevant part for HTML 5, though. I opted to
* disallow the characters that would result in a parse error when
* preprocessing of the input stream. See also section 8.1.3.
- *
+ *
* It's unclear if XHTML 1.0 allows C1 characters. I'll opt to apply to
* XHTML 1.0 the same rules as for XML 1.0.
* See <http://cmsmcq.com/2007/C1.xml>.
@@ -774,7 +774,7 @@
/* {{{ process_numeric_entity
* Auxiliary function to traverse_for_entities.
* On input, *buf should point to the first character after # and on output, it's the last
- * byte read, no matter if there was success or insuccess.
+ * byte read, no matter if there was success or insuccess.
*/
static inline int process_numeric_entity(const char **buf, unsigned *code_point)
{
@@ -784,7 +784,7 @@
if (hexadecimal && (**buf != '\0'))
(*buf)++;
-
+
/* strtol allows whitespace and other stuff in the beginning
* we're not interested */
if ((hexadecimal && !isxdigit(**buf)) ||
@@ -969,7 +969,7 @@
goto invalid_code;
/* are we allowed to decode this entity in this document type?
- * HTML 5 is the only that has a character that cannot be used in
+ * HTML 5 is the only that has a character that cannot be used in
* a numeric entity but is allowed literally (U+000D). The
* unoptimized version would be ... || !numeric_entity_is_allowed(code) */
if (!unicode_cp_is_allowed(code, doctype) ||
@@ -996,9 +996,9 @@
}
}
}
-
+
assert(*next == ';');
-
+
if (((code == '\'' && !(flags & ENT_HTML_QUOTE_SINGLE)) ||
(code == '"' && !(flags & ENT_HTML_QUOTE_DOUBLE)))
/* && code2 == '\0' always true for current maps */)
@@ -1026,7 +1026,7 @@
*(q++) = *p;
}
}
-
+
*q = '\0';
*retlen = (size_t)(q - ret);
}
@@ -1066,7 +1066,7 @@
entity_table_opt retval = {NULL};
assert(!(doctype == ENT_HTML_DOC_XML1 && all));
-
+
if (all) {
retval.ms_table = (doctype == ENT_HTML_DOC_HTML5) ?
entity_ms_table_html5 : entity_ms_table_html4;
@@ -1111,13 +1111,13 @@
if (retlen == 0) {
goto empty_source;
}
-
+
inverse_map = unescape_inverse_map(all, flags);
-
+
/* replace numeric entities */
traverse_for_entities(old, oldlen, ret, &retlen, all, flags, inverse_map, charset);
-empty_source:
+empty_source:
*newlen = retlen;
return ret;
}
@@ -1141,7 +1141,7 @@
{
unsigned stage1_idx = ENT_STAGE1_INDEX(k);
const entity_stage3_row *c;
-
+
if (stage1_idx > 0x1D) {
*entity = NULL;
*entity_len = 0;
@@ -1162,7 +1162,7 @@
if (!(*cursor < oldlen))
goto no_suitable_2nd;
- next_char = get_next_char(charset, old, oldlen, cursor, &status);
+ next_char = get_next_char(charset, old, oldlen, cursor, &status);
if (status == FAILURE)
goto no_suitable_2nd;
@@ -1187,7 +1187,7 @@
*entity = (const unsigned char *)
c->data.multicodepoint_table[0].leading_entry.default_entity;
*entity_len = c->data.multicodepoint_table[0].leading_entry.default_entity_len;
- }
+ }
}
/* }}} */
@@ -1255,7 +1255,7 @@
/* initial estimate */
if (oldlen < 64) {
- maxlen = 128;
+ maxlen = 128;
} else {
maxlen = 2 * oldlen;
if (maxlen < oldlen) {
@@ -1423,6 +1423,11 @@
}
replaced[len] = '\0';
*newlen = len;
+ if(len > INT_MAX) {
+ zend_error_noreturn(E_ERROR, "Escaped string is too long");
+ efree(replaced);
+ return NULL;
+ }
return replaced;
}
@@ -1577,7 +1582,7 @@
} else {
spe_cp = uni_cp;
}
-
+
written_k2 = write_octet_sequence(&key[written_k1], charset, spe_cp);
memcpy(&entity[1], mcpr[i].normal_entry.entity, l);
entity[l + 1] = ';';
@@ -1615,7 +1620,7 @@
LIMIT_ALL(all, doctype, charset);
array_init(return_value);
-
+
entity_table = determine_entity_table(all, doctype);
if (all && !CHARSET_UNICODE_COMPAT(charset)) {
to_uni_table = enc_to_uni_index[charset];
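Review bot: In the hunk at `@@ -1423,6 +1423,11 @@` the `efree(replaced)` and `return NULL` after `zend_error_noreturn(E_ERROR, ...)` are unreachable if that call does not return, as its name indicates; either drop them or use `zend_error` so the cleanup path is real, but not both. The check also sits after `replaced[len] = '\0'` and `*newlen = len` have already been written, which is only safe because the error path never returns; a comment such as `/* callers store the length in an int; a fatal error is preferable to truncating it (CVE-2016-5094) */` would make that intent explicit. The enclosing function starts outside the hunk. Separately, every other hunk in this patch is a trailing-whitespace-only change, which inflates a security backport and makes the one functional change harder to audit; regenerating the patch without the whitespace noise would help reviewers.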

@ -0,0 +1,25 @@
Index: php5-5.4.45/Zend/zend_operators.c
===================================================================
--- php5-5.4.45.orig/Zend/zend_operators.c 2016-06-19 11:35:10.000000000 +0200
+++ php5-5.4.45/Zend/zend_operators.c 2016-06-19 11:35:10.000000000 +0200
@@ -1199,6 +1199,10 @@
int length = Z_STRLEN_P(op1) + 1;
char *buf;
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
+
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length + 1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
@@ -1218,6 +1222,9 @@
int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
char *buf;
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length+1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
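Review bot: The new guards test `length < 0` only after `int length = Z_STRLEN_P(op1) + 1` (and `+ Z_STRLEN_P(op2)` in the second hunk) has already overflowed, which is signed-integer overflow and undefined behaviour; a compiler is entitled to assume the sum is non-negative and drop the check unless the build uses `-fwrapv`. Checking before the addition avoids this, e.g. `if (UNEXPECTED(Z_STRLEN_P(op1) > INT_MAX - Z_STRLEN_P(op2)))` in the second hunk and `if (UNEXPECTED(Z_STRLEN_P(op1) >= INT_MAX - 1))` in the first. The boundary `length == INT_MAX` also passes both checks, and `emalloc(length + 1)` on the following line overflows again. `zend_error` is not visibly marked no-return here, so if it can return for E_ERROR the fall-through into `emalloc` should be closed with an explicit return; both enclosing functions start and end outside the hunks.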

@ -0,0 +1,34 @@
Index: php5-5.4.45/ext/standard/file.c
===================================================================
--- php5-5.4.45.orig/ext/standard/file.c 2016-06-19 11:37:18.000000000 +0200
+++ php5-5.4.45/ext/standard/file.c 2016-06-19 11:37:18.000000000 +0200
@@ -1752,6 +1752,12 @@
RETURN_FALSE;
}
+ if (len > INT_MAX) {
+ /* string length is int in 5.x so we can not read more than int */
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
+ RETURN_FALSE;
+ }
+
Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
Index: php5-5.4.45/ext/standard/tests/file/bug72114.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/standard/tests/file/bug72114.phpt 2016-06-19 11:37:18.000000000 +0200
@@ -0,0 +1,12 @@
+--TEST--
+Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
+--FILE--
+<?php
+ini_set('memory_limit', "2500M");
+$fp = fopen("/dev/zero", "r");
+fread($fp, 2147483648);
+?>
+Done
+--EXPECTF--
+Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
+Done
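Review bot: The new regression test bug72114.phpt has no `--SKIPIF--` section even though it depends on `/dev/zero` existing and on a 2500M memory limit being permitted, unlike the other tests in this patch set which guard with SKIPIF; on a constrained or non-POSIX builder the test fails for reasons unrelated to the fix, and on a 32-bit build the literal `2147483648` is presumably no longer an integer parameter. The code change itself looks right: with `len` bounded by `INT_MAX`, `emalloc(len + 1)` and the `int` string length cannot wrap, and `%d` matches `INT_MAX`. The earlier `RETURN_FALSE` guard and the enclosing function start outside the hunk, so whether negative lengths are rejected there cannot be confirmed from this hunk.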

@ -0,0 +1,16 @@
Index: php5-5.4.45/sapi/fpm/fpm/fpm_log.c
===================================================================
--- php5-5.4.45.orig/sapi/fpm/fpm/fpm_log.c 2016-06-19 11:39:45.000000000 +0200
+++ php5-5.4.45/sapi/fpm/fpm/fpm_log.c 2016-06-19 11:39:45.000000000 +0200
@@ -446,6 +446,11 @@
b += len2;
len += len2;
}
+ if (len >= FPM_LOG_BUFFER) {
+ zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
+ len = FPM_LOG_BUFFER;
+ break;
+ }
continue;
}
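Review bot: The new bound check `if (len >= FPM_LOG_BUFFER)` runs only after `b += len2; len += len2;` have already advanced past the data written, so if the write on the lines before the hunk was not itself bounded to the remaining space, the check detects the overrun after it has happened; that earlier code is outside the hunk and should be confirmed. The guard also covers only this branch (the one ending in `continue`), so any other format directives in the loop that append to `b` would need the same check. Clamping to `len = FPM_LOG_BUFFER` leaves no room for a terminator if the caller later writes `buffer[len]`; a comment such as `/* len is clamped to the buffer size; nothing may be written at buffer[len] afterwards */` or clamping to `FPM_LOG_BUFFER - 1` would settle that. The enclosing loop and function start and end outside the hunk.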

@ -0,0 +1,22 @@
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 28 Sep 2015 18:31:14 +0000 (-0700)
Subject: Fix bug #70480 (php_url_parse_ex() buffer overflow read)
X-Git-Tag: php-5.6.15RC1~25
X-Git-Url: https://72.52.91.13:4430/?p=php-src.git;a=commitdiff_plain;h=629e4da7cc8b174acdeab84969cbfc606a019b31
Fix bug #70480 (php_url_parse_ex() buffer overflow read)
---
Index: php5-5.4.45/ext/standard/url.c
===================================================================
--- php5-5.4.45.orig/ext/standard/url.c 2016-06-19 11:58:54.000000000 +0200
+++ php5-5.4.45/ext/standard/url.c 2016-06-19 11:58:54.000000000 +0200
@@ -321,7 +321,7 @@
nohost:
if ((p = memchr(s, '?', (ue - s)))) {
- pp = strchr(s, '#');
+ pp = memchr(s, '#', (ue - s));
if (pp && pp < p) {
if (pp - s) {
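Review bot: The `X-Git-Url` header of this patch points at a bare IP address (`https://72.52.91.13:4430/`) rather than the canonical php-src host, which makes the provenance of a security backport hard to verify from the package; replacing it with the upstream commit reference in its canonical location, or adding a line naming upstream commit `629e4da7cc8b174acdeab84969cbfc606a019b31` together with bug #70480, would let auditors check the patch. The one-line change itself is sound: `strchr` scans for a NUL that the URL buffer is not guaranteed to contain, and `memchr(s, '#', (ue - s))` is bounded the same way as the `memchr` for `'?'` on the line above. The enclosing function starts and ends outside the hunk.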

@ -0,0 +1,87 @@
Index: php5-5.4.45/ext/wddx/tests/bug70661.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug70661.phpt 2016-06-19 11:43:38.000000000 +0200
@@ -0,0 +1,69 @@
+--TEST--
+Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$x = <<<EOT
+<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <struct>
+ <recordset rowCount='1' fieldNames='ryat'>
+ <field name='ryat'>
+ <var name='php_class_name'>
+ <string>stdClass</string>
+ </var>
+ <null/>
+ </field>
+ </recordset>
+ </struct>
+ </data>
+</wddxPacket>
+EOT;
+
+$y = wddx_deserialize($x);
+
+for ($i = 0; $i < 5; $i++) {
+ $v[$i] = $fakezval.$i;
+}
+
+var_dump($y);
+
+function ptr2str($ptr)
+{
+ $out = '';
+
+ for ($i = 0; $i < 8; $i++) {
+ $out .= chr($ptr & 0xff);
+ $ptr >>= 8;
+ }
+
+ return $out;
+}
+?>
+DONE
+--EXPECTF--
+array(1) {
+ [0]=>
+ array(1) {
+ ["ryat"]=>
+ array(2) {
+ ["php_class_name"]=>
+ string(8) "stdClass"
+ [0]=>
+ NULL
+ }
+ }
+}
+DONE
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-06-19 11:43:04.000000000 +0200
+++ php5-5.4.45/ext/wddx/wddx.c 2016-06-19 11:43:04.000000000 +0200
@@ -975,7 +975,7 @@
if (ent1->varname) {
if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
- Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data)) {
+ Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && ent2->type == ST_STRUCT) {
zend_bool incomplete_class = 0;
zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
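Review bot: The added `ent2->type == ST_STRUCT` condition has no comment explaining why the class-name marker must only be honoured for a struct container; a reader of the backport cannot tell that the regression test at the top of this patch exercises a `php_class_name` var inside a recordset field. Suggest `/* bug #70661: only a struct may be promoted to an object; a php_class_name var in any other container (e.g. a recordset field) is plain data */` above the `if`. The new test is evaluated last, after `Z_STRLEN_P(ent1->data)`, so `ent2->type` is only read once the earlier tests pass, which is fine provided `ent2` is non-NULL here; that is established outside the hunk. The enclosing function starts and ends outside the hunk.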

@ -0,0 +1,66 @@
Index: php5-5.4.45/ext/xmlrpc/tests/bug70728.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/xmlrpc/tests/bug70728.phpt 2016-06-19 11:49:38.000000000 +0200
@@ -0,0 +1,30 @@
+--TEST--
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->xmlrpc_type = 'base64';
+$obj->scalar = 0x1122334455;
+var_dump(xmlrpc_encode($obj));
+var_dump($obj);
+?>
+--EXPECTF--
+string(135) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+ <base64>NzM1ODgyMjkyMDU=&#10;</base64>
+ </value>
+</param>
+</params>
+"
+object(stdClass)#1 (2) {
+ ["xmlrpc_type"]=>
+ string(6) "base64"
+ ["scalar"]=>
+ int(73588229205)
+}
Index: php5-5.4.45/ext/xmlrpc/xmlrpc-epi-php.c
===================================================================
--- php5-5.4.45.orig/ext/xmlrpc/xmlrpc-epi-php.c 2016-06-19 11:49:11.000000000 +0200
+++ php5-5.4.45/ext/xmlrpc/xmlrpc-epi-php.c 2016-06-19 11:49:11.000000000 +0200
@@ -532,7 +532,16 @@
xReturn = XMLRPC_CreateValueEmpty();
XMLRPC_SetValueID(xReturn, key, 0);
} else {
- xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+ if (Z_TYPE_P(val) != IS_STRING) {
+ zval *newvalue;
+ ALLOC_INIT_ZVAL(newvalue);
+ MAKE_COPY_ZVAL(&val, newvalue);
+ convert_to_string(newvalue);
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(newvalue), Z_STRLEN_P(newvalue));
+ zval_ptr_dtor(&newvalue);
+ } else {
+ xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL_P(val), Z_STRLEN_P(val));
+ }
}
break;
case xmlrpc_datetime:
@@ -1452,7 +1461,7 @@
if (newvalue) {
zval** val;
- if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
+ if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
if (zend_hash_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR), (void**) &val) == SUCCESS) {
*newvalue = *val;
}
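Review bot: The two branches in the first hunk both end in the same `XMLRPC_CreateValueBase64(key, Z_STRVAL_P(...), Z_STRLEN_P(...))` call, which makes the new code read like a copy-paste and hides the point of the change; a comment such as `/* bug #70728: scalar may be a non-string; convert a copy so the caller's zval is not modified */` above `if (Z_TYPE_P(val) != IS_STRING)` would document it, or the conversion can be hoisted so a single call follows. The second hunk's `Z_TYPE_P(value) == IS_OBJECT` guard is the right precondition for the `Z_OBJPROP_P(value)` on the next line; a short note there that non-object values tagged `xmlrpc_base64` now fall through would help. Both enclosing functions start and end outside the hunks.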

@ -0,0 +1,560 @@
Index: php5-5.4.45/ext/wddx/tests/bug70741.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/wddx/tests/bug70741.phpt 2016-06-19 11:51:56.000000000 +0200
@@ -0,0 +1,26 @@
+--TEST--
+Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'wddx');
+session_start();
+
+$hashtable = str_repeat('A', 66);
+$wddx = "<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+ <data>
+ <string>$hashtable</string>
+ </data>
+</wddxPacket>";
+session_decode($wddx);
+?>
+DONE
+--EXPECTF--
+
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+DONE
\ No newline at end of file
Index: php5-5.4.45/ext/wddx/wddx.c
===================================================================
--- php5-5.4.45.orig/ext/wddx/wddx.c 2016-06-19 11:51:56.000000000 +0200
+++ php5-5.4.45/ext/wddx/wddx.c 2016-06-19 11:51:56.000000000 +0200
@@ -72,7 +72,7 @@
stack->varname = NULL; \
} else \
ent.varname = NULL; \
-
+
static int le_wddx;
typedef struct {
@@ -171,7 +171,7 @@
/* }}} */
/* {{{ wddx_stack_init
- */
+ */
static int wddx_stack_init(wddx_stack *stack)
{
stack->top = 0;
@@ -239,7 +239,7 @@
efree(((st_entry *)stack->elements[i])->varname);
}
efree(stack->elements[i]);
- }
+ }
efree(stack->elements);
}
return SUCCESS;
@@ -270,16 +270,16 @@
php_wddx_packet_start(packet, NULL, 0);
php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
-
+
PS_ENCODE_LOOP(
php_wddx_serialize_var(packet, *struc, key, key_length TSRMLS_CC);
);
-
+
php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
php_wddx_packet_end(packet);
*newstr = php_wddx_gather(packet);
php_wddx_destructor(packet);
-
+
if (newlen) {
*newlen = strlen(*newstr);
}
@@ -304,11 +304,14 @@
if (vallen == 0) {
return SUCCESS;
}
-
+
MAKE_STD_ZVAL(retval);
if ((ret = php_wddx_deserialize_ex((char *)val, vallen, retval)) == SUCCESS) {
-
+ if (Z_TYPE_P(retval) != IS_ARRAY) {
+ zval_ptr_dtor(&retval);
+ return FAILURE;
+ }
for (zend_hash_internal_pointer_reset(Z_ARRVAL_P(retval));
zend_hash_get_current_data(Z_ARRVAL_P(retval), (void **) &ent) == SUCCESS;
zend_hash_move_forward(Z_ARRVAL_P(retval))) {
@@ -343,7 +346,7 @@
php_session_register_serializer("wddx",
PS_SERIALIZER_ENCODE_NAME(wddx),
PS_SERIALIZER_DECODE_NAME(wddx));
-#endif
+#endif
return SUCCESS;
}
@@ -387,7 +390,7 @@
void php_wddx_packet_end(wddx_packet *packet)
{
php_wddx_add_chunk_static(packet, WDDX_DATA_E);
- php_wddx_add_chunk_static(packet, WDDX_PACKET_E);
+ php_wddx_add_chunk_static(packet, WDDX_PACKET_E);
}
/* }}} */
@@ -423,14 +426,14 @@
{
char tmp_buf[WDDX_BUF_LEN];
zval tmp;
-
+
tmp = *var;
zval_copy_ctor(&tmp);
convert_to_string(&tmp);
snprintf(tmp_buf, sizeof(tmp_buf), WDDX_NUMBER, Z_STRVAL(tmp));
zval_dtor(&tmp);
- php_wddx_add_chunk(packet, tmp_buf);
+ php_wddx_add_chunk(packet, tmp_buf);
}
/* }}} */
@@ -473,7 +476,7 @@
if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) {
if (retval && (sleephash = HASH_OF(retval))) {
PHP_CLASS_ATTRIBUTES;
-
+
PHP_SET_CLASS_ATTRIBUTES(obj);
php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
@@ -487,7 +490,7 @@
PHP_CLEANUP_CLASS_ATTRIBUTES();
objhash = HASH_OF(obj);
-
+
for (zend_hash_internal_pointer_reset(sleephash);
zend_hash_get_current_data(sleephash, (void **)&varname) == SUCCESS;
zend_hash_move_forward(sleephash)) {
@@ -500,7 +503,7 @@
php_wddx_serialize_var(packet, *ent, Z_STRVAL_PP(varname), Z_STRLEN_PP(varname) TSRMLS_CC);
}
}
-
+
php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
}
} else {
@@ -519,7 +522,7 @@
php_wddx_add_chunk_static(packet, WDDX_VAR_E);
PHP_CLEANUP_CLASS_ATTRIBUTES();
-
+
objhash = HASH_OF(obj);
for (zend_hash_internal_pointer_reset(objhash);
zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS;
@@ -530,7 +533,7 @@
if (zend_hash_get_current_key_ex(objhash, &key, &key_len, &idx, 0, NULL) == HASH_KEY_IS_STRING) {
const char *class_name, *prop_name;
-
+
zend_unmangle_property_name(key, key_len-1, &class_name, &prop_name);
php_wddx_serialize_var(packet, *ent, prop_name, strlen(prop_name)+1 TSRMLS_CC);
} else {
@@ -613,7 +616,7 @@
php_wddx_serialize_var(packet, *ent, NULL, 0 TSRMLS_CC);
}
}
-
+
if (is_struct) {
php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
} else {
@@ -639,12 +642,12 @@
efree(tmp_buf);
efree(name_esc);
}
-
+
switch(Z_TYPE_P(var)) {
case IS_STRING:
php_wddx_serialize_string(packet, var TSRMLS_CC);
break;
-
+
case IS_LONG:
case IS_DOUBLE:
php_wddx_serialize_number(packet, var);
@@ -657,14 +660,14 @@
case IS_NULL:
php_wddx_serialize_unset(packet);
break;
-
+
case IS_ARRAY:
ht = Z_ARRVAL_P(var);
if (ht->nApplyCount > 1) {
php_error_docref(NULL TSRMLS_CC, E_RECOVERABLE_ERROR, "WDDX doesn't support circular references");
return;
}
- ht->nApplyCount++;
+ ht->nApplyCount++;
php_wddx_serialize_array(packet, var);
ht->nApplyCount--;
break;
@@ -680,7 +683,7 @@
ht->nApplyCount--;
break;
}
-
+
if (name) {
php_wddx_add_chunk_static(packet, WDDX_VAR_E);
}
@@ -702,12 +705,12 @@
if (zend_hash_find(EG(active_symbol_table), Z_STRVAL_P(name_var),
Z_STRLEN_P(name_var)+1, (void**)&val) != FAILURE) {
php_wddx_serialize_var(packet, *val, Z_STRVAL_P(name_var), Z_STRLEN_P(name_var) TSRMLS_CC);
- }
+ }
} else if (Z_TYPE_P(name_var) == IS_ARRAY || Z_TYPE_P(name_var) == IS_OBJECT) {
int is_array = Z_TYPE_P(name_var) == IS_ARRAY;
-
+
target_hash = HASH_OF(name_var);
-
+
if (is_array && target_hash->nApplyCount > 1) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "recursion detected");
return;
@@ -737,10 +740,10 @@
{
st_entry ent;
wddx_stack *stack = (wddx_stack *)user_data;
-
+
if (!strcmp(name, EL_PACKET)) {
int i;
-
+
if (atts) for (i=0; atts[i]; i++) {
if (!strcmp(atts[i], EL_VERSION)) {
/* nothing for now */
@@ -749,7 +752,7 @@
} else if (!strcmp(name, EL_STRING)) {
ent.type = ST_STRING;
SET_STACK_VARNAME;
-
+
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_STRING;
@@ -759,7 +762,7 @@
} else if (!strcmp(name, EL_BINARY)) {
ent.type = ST_BINARY;
SET_STACK_VARNAME;
-
+
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_STRING;
@@ -768,7 +771,7 @@
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
} else if (!strcmp(name, EL_CHAR)) {
int i;
-
+
if (atts) for (i = 0; atts[i]; i++) {
if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
char tmp_buf[2];
@@ -781,7 +784,7 @@
} else if (!strcmp(name, EL_NUMBER)) {
ent.type = ST_NUMBER;
SET_STACK_VARNAME;
-
+
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_LONG;
@@ -810,12 +813,12 @@
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
ZVAL_NULL(ent.data);
-
+
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
} else if (!strcmp(name, EL_ARRAY)) {
ent.type = ST_ARRAY;
SET_STACK_VARNAME;
-
+
ALLOC_ZVAL(ent.data);
array_init(ent.data);
INIT_PZVAL(ent.data);
@@ -823,14 +826,14 @@
} else if (!strcmp(name, EL_STRUCT)) {
ent.type = ST_STRUCT;
SET_STACK_VARNAME;
-
+
ALLOC_ZVAL(ent.data);
array_init(ent.data);
INIT_PZVAL(ent.data);
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
} else if (!strcmp(name, EL_VAR)) {
int i;
-
+
if (atts) for (i = 0; atts[i]; i++) {
if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
stack->varname = estrdup(atts[i]);
@@ -885,13 +888,13 @@
if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
st_entry *recordset;
zval **field;
-
+
if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS &&
recordset->type == ST_RECORDSET &&
zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) {
ent.data = *field;
}
-
+
break;
}
}
@@ -900,7 +903,7 @@
} else if (!strcmp(name, EL_DATETIME)) {
ent.type = ST_DATETIME;
SET_STACK_VARNAME;
-
+
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_LONG;
@@ -962,14 +965,14 @@