 
 
alpine-pkg/testing/php5.4/d05-u009-CVE-2016-6294.patch


From aa82e99ed8003c01f1ef4f0940e56b85c5b032d4 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 12 Jul 2016 22:37:36 -0700
Subject: [PATCH] Fix bug #72533 (locale_accept_from_http out-of-bounds access)
---
ext/intl/locale/locale_methods.c | 18 ++++++++++++++++++
ext/intl/tests/bug72533.phpt | 30 ++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
create mode 100644 ext/intl/tests/bug72533.phpt
Index: php5-5.4.45/ext/intl/locale/locale_methods.c
===================================================================
--- php5-5.4.45.orig/ext/intl/locale/locale_methods.c 2016-08-19 15:12:09.000000000 +0200
+++ php5-5.4.45/ext/intl/locale/locale_methods.c 2016-08-19 15:12:09.000000000 +0200
@@ -1596,6 +1596,24 @@
"locale_accept_from_http: unable to parse input parameters", 0 TSRMLS_CC );
RETURN_FALSE;
}
+ if(http_accept_len > ULOC_FULLNAME_CAPACITY) {
+ /* check each fragment, if any bigger than capacity, can't do it due to bug #72533 */
+ char *start = http_accept;
+ char *end;
+ size_t len;
+ do {
+ end = strchr(start, ',');
+ len = end ? end-start : http_accept_len-(start-http_accept);
+ if(len > ULOC_FULLNAME_CAPACITY) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
+ "locale_accept_from_http: locale string too long", 0 TSRMLS_CC );
+ RETURN_FALSE;
+ }
+ if(end) {
+ start = end+1;
+ }
+ } while(end != NULL);
+ }
available = ures_openAvailableLocales(NULL, &status);
INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list");
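Review bot: The per-fragment bound `if(len > ULOC_FULLNAME_CAPACITY)` accepts a fragment of exactly ULOC_FULLNAME_CAPACITY bytes, and ICU documents that constant as already counting the terminating NUL. If the ICU side copies a fragment into a buffer of that size (not visible from this hunk, so this needs confirming against the ICU versions in use), the equal-length case would still be one byte too long, and `if(len >= ULOC_FULLNAME_CAPACITY) {` would be the conservative form. The comment could also say what is being guarded, for example `/* ICU copies each comma-separated fragment into a fixed-size locale buffer; reject any fragment that cannot fit (bug #72533) */`. Note that `len` counts the raw text between commas, including whitespace and any `;q=` parameter, so the check is stricter than the locale name alone. The enclosing function starts and ends outside the hunk.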
Index: php5-5.4.45/ext/intl/tests/bug72533.phpt
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ php5-5.4.45/ext/intl/tests/bug72533.phpt 2016-08-19 15:12:09.000000000 +0200
@@ -0,0 +1,30 @@
+--TEST--
+Bug #72533 (locale_accept_from_http out-of-bounds access)
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+ $ret = var_export(ut_loc_accept_http(str_repeat('x', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ $ret .= "\n";
+ $ret .= var_export(ut_loc_accept_http(str_repeat('en,', 256)), true);
+ $ret .= "\n";
+ if(intl_is_failure(intl_get_error_code())) {
+ $ret .= var_export(intl_get_error_message(), true);
+ }
+ return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_accept_from_http: locale string too long: U_ILLEGAL_ARGUMENT_ERROR'
+'en'
\ No newline at end of file
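Review bot: The test in `ut_main()` never exercises the rejection path once the loop has advanced past a comma, nor the length boundary itself. It covers only a single overlong fragment and a long list of short ones. A case such as `ut_loc_accept_http('en,' . str_repeat('x', 256))` expecting `false` with the same "locale string too long" message would pin the `start = end+1` branch. A pair of inputs just below and just above ULOC_FULLNAME_CAPACITY would document which side of the limit is accepted.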