You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 

66 lines
1.8 KiB

From: Markus Koschany <apo@debian.org>
Date: Thu, 29 Mar 2018 16:10:57 +0200
Subject: CVE-2018-7584
Origin: https://github.com/php/php-src/commit/523f230c831d7b33353203fa34aee4e92ac12bba
Bug-Upstream: https://bugs.php.net/bug.php?id=75981
---
ext/standard/http_fopen_wrapper.c | 4 ++--
ext/standard/tests/http/bug75981.phpt | 32 ++++++++++++++++++++++++++++++++
2 files changed, 34 insertions(+), 2 deletions(-)
create mode 100644 ext/standard/tests/http/bug75981.phpt
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index bd64287..901a9b8 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -696,9 +696,9 @@ finish:
tmp_line, response_code);
}
}
- if (tmp_line[tmp_line_len - 1] == '\n') {
+ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
--tmp_line_len;
- if (tmp_line[tmp_line_len - 1] == '\r') {
+ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
--tmp_line_len;
}
}
diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
new file mode 100644
index 0000000..d415de6
--- /dev/null
+++ b/ext/standard/tests/http/bug75981.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #75981 (stack-buffer-overflow while parsing HTTP response)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:12342'); ?>
+--FILE--
+<?php
+require 'server.inc';
+
+$options = [
+ 'http' => [
+ 'protocol_version' => '1.1',
+ 'header' => 'Connection: Close'
+ ],
+];
+
+$ctx = stream_context_create($options);
+
+$responses = [
+ "data://text/plain,000000000100\xA\xA"
+];
+$pid = http_server('tcp://127.0.0.1:12342', $responses);
+
+echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
+
+http_server_kill($pid);
+
+?>
+DONE
+--EXPECT--
+DONE