Projects / Kolab:16:Enterprise / php
We truncated the diff of some files because they were too big.
Changes of Revision 2
php.spec
Changed
@@ -72,7 +72,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php -Version: 5.4.44 +Version: 5.4.45 # Only odd release to avoid conflicts with even release used by php54 SCL Release: 5%{?dist} # All files licensed under PHP version 3.01, except @@ -1427,6 +1427,9 @@ %changelog +* Mon Jun 27 2016 Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> - 5.4.45-1 +- Update to 5.4.45 + * Thu Dec 3 2015 Jeroen van Meeuwen <vanmeeuwen@kolabsys.com> - 5.4.44-5 - Add back php-tidy, php-mcrypt
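Review bot: the new changelog entry records 5.4.45-1 but Release stays at 5%{?dist}, so the package's NEVR (5.4.45-5) and its changelog disagree; reset Release to 1 (or write the entry as 5.4.45-5) so the changelog/version consistency check passes. Since 5.4.45 fixes the unserialize(), PCRE, SOAP, EXIF and ZIP memory-safety bugs listed in NEWS, the entry would also be more useful as "Update to 5.4.45 (security release, see NEWS)" than as a bare version bump.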
php-5.4.44.tar.bz2/NEWS -> php-5.4.45.tar.bz2/NEWS
Changed
@@ -1,5 +1,41 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +03 Sep 2015 PHP 5.4.45 + +- Core: + . Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (Stas) + . Fixed bug #70219 (Use after free vulnerability in session deserializer). + (taoguangchen at icloud dot com) + +- EXIF: + . Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte + value of 32 bytes). (Stas) + +- hash: + . Fixed bug #70312 (HAVAL gives wrong hashes in specific cases). (letsgolee + at naver dot com) + +- PCRE: + . Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions). + (Anatol Belski) + +- SOAP: + . Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). + (Stas) + +- SPL: + . Fixed bug #70365 (Use-after-free vulnerability in unserialize() with + SplObjectStorage). (taoguangchen at icloud dot com) + . Fixed bug #70366 (Use-after-free vulnerability in unserialize() with + SplDoublyLinkedList). (taoguangchen at icloud dot com) + +- XSLT: + . Fixed bug #69782 (NULL pointer dereference). (Stas) + +- ZIP: + . Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when + creating directories). (neal at fb dot com) + 06 Aug 2015 PHP 5.4.44 - Core: @@ -41,13 +77,14 @@ from fix to bug #68776. (Yasuo) - Mysqlnd: - . Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM) (CVE-2015-3152). + . Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152) (Andrey) - Phar: - . Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). (Stas) + . Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). + (CVE-2015-5589) (Stas) . Fixed bug #69923 (Buffer overflow and stack smashing error in - phar_fix_filepath). (Stas) + phar_fix_filepath). (CVE-2015-5590) (Stas) 11 Jun 2015 PHP 5.4.42 
@@ -161,7 +198,7 @@ - SOAP: . Fixed bug #69085 (SoapClient's __call() type confusion through - unserialize()). (Dmitry) + unserialize()). (CVE-2015-4147, CVE-2015-4148) (Dmitry) - ZIP: . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap
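Review bot: the 5.4.45 entries in this NEWS hunk carry no CVE identifiers, while the same hunk retroactively adds CVE-2015-3152, CVE-2015-5589, CVE-2015-5590, CVE-2015-4147 and CVE-2015-4148 to the 5.4.44 and 5.4.42 entries; downstream trackers working by CVE will have to map bugs #70172, #70219, #70385, #70345, #70388, #70365, #70366, #69782 and #70350 themselves, so listing those bug numbers in the spec changelog would help whoever audits this package later.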
php-5.4.44.tar.bz2/configure -> php-5.4.45.tar.bz2/configure
Changed
@@ -3686,7 +3686,7 @@ PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=4 -PHP_RELEASE_VERSION=44 +PHP_RELEASE_VERSION=45 PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
php-5.4.44.tar.bz2/configure.in -> php-5.4.45.tar.bz2/configure.in
Changed
@@ -119,7 +119,7 @@ PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=4 -PHP_RELEASE_VERSION=44 +PHP_RELEASE_VERSION=45 PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
php-5.4.44.tar.bz2/ext/exif/exif.c -> php-5.4.45.tar.bz2/ext/exif/exif.c
Changed
@@ -17,7 +17,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: 7f95ff43ea7cc9a2c41a912863ed70069c0e34c5 $ */ +/* $Id: 05041c5f0094cb46d9b516bd624d593b90cc38f9 $ */ /* ToDos * @@ -74,7 +74,7 @@ #include "php_ini.h" #include "ext/standard/php_string.h" #include "ext/standard/php_image.h" -#include "ext/standard/info.h" +#include "ext/standard/info.h" /* needed for ssize_t definition */ #include <sys/types.h> @@ -138,7 +138,7 @@ }; /* }}} */ -#define EXIF_VERSION "1.4 $Id: 7f95ff43ea7cc9a2c41a912863ed70069c0e34c5 $" +#define EXIF_VERSION "1.4 $Id: 05041c5f0094cb46d9b516bd624d593b90cc38f9 $" /* {{{ PHP_MINFO_FUNCTION */ @@ -161,7 +161,7 @@ char * encode_jis; char * decode_jis_be; char * decode_jis_le; -ZEND_END_MODULE_GLOBALS(exif) +ZEND_END_MODULE_GLOBALS(exif) ZEND_DECLARE_MODULE_GLOBALS(exif) @@ -170,7 +170,7 @@ #else #define EXIF_G(v) (exif_globals.v) #endif - + /* {{{ PHP_INI */ @@ -213,7 +213,7 @@ STD_PHP_INI_ENTRY("exif.decode_jis_intel", "JIS", PHP_INI_ALL, OnUpdateDecode, decode_jis_le, zend_exif_globals, exif_globals) PHP_INI_END() /* }}} */ - + /* {{{ PHP_GINIT_FUNCTION */ static PHP_GINIT_FUNCTION(exif) @@ -233,9 +233,9 @@ { REGISTER_INI_ENTRIES(); if (zend_hash_exists(&module_registry, "mbstring", sizeof("mbstring"))) { - REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT); } else { - REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT); + REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT); } return SUCCESS; } @@ -265,7 +265,7 @@ exif_module_deps, "exif", exif_functions, - PHP_MINIT(exif), + PHP_MINIT(exif), PHP_MSHUTDOWN(exif), NULL, NULL, PHP_MINFO(exif), @@ -278,7 +278,7 @@ NULL, NULL, STANDARD_MODULE_PROPERTIES_EX -#else +#else STANDARD_MODULE_PROPERTIES #endif }; 
@@ -667,73 +667,73 @@ { 0x0213, "YCbCrPositioning"}, { 0x0214, "ReferenceBlackWhite"}, { 0x02BC, "ExtensibleMetadataPlatform"}, /* XAP: Extensible Authoring Publishing, obsoleted by XMP: Extensible Metadata Platform */ - { 0x0301, "Gamma"}, - { 0x0302, "ICCProfileDescriptor"}, - { 0x0303, "SRGBRenderingIntent"}, - { 0x0320, "ImageTitle"}, - { 0x5001, "ResolutionXUnit"}, - { 0x5002, "ResolutionYUnit"}, - { 0x5003, "ResolutionXLengthUnit"}, - { 0x5004, "ResolutionYLengthUnit"}, - { 0x5005, "PrintFlags"}, - { 0x5006, "PrintFlagsVersion"}, - { 0x5007, "PrintFlagsCrop"}, - { 0x5008, "PrintFlagsBleedWidth"}, - { 0x5009, "PrintFlagsBleedWidthScale"}, - { 0x500A, "HalftoneLPI"}, - { 0x500B, "HalftoneLPIUnit"}, - { 0x500C, "HalftoneDegree"}, - { 0x500D, "HalftoneShape"}, - { 0x500E, "HalftoneMisc"}, - { 0x500F, "HalftoneScreen"}, - { 0x5010, "JPEGQuality"}, - { 0x5011, "GridSize"}, - { 0x5012, "ThumbnailFormat"}, - { 0x5013, "ThumbnailWidth"}, - { 0x5014, "ThumbnailHeight"}, - { 0x5015, "ThumbnailColorDepth"}, - { 0x5016, "ThumbnailPlanes"}, - { 0x5017, "ThumbnailRawBytes"}, - { 0x5018, "ThumbnailSize"}, - { 0x5019, "ThumbnailCompressedSize"}, - { 0x501A, "ColorTransferFunction"}, - { 0x501B, "ThumbnailData"}, - { 0x5020, "ThumbnailImageWidth"}, - { 0x5021, "ThumbnailImageHeight"}, - { 0x5022, "ThumbnailBitsPerSample"}, - { 0x5023, "ThumbnailCompression"}, - { 0x5024, "ThumbnailPhotometricInterp"}, - { 0x5025, "ThumbnailImageDescription"}, - { 0x5026, "ThumbnailEquipMake"}, - { 0x5027, "ThumbnailEquipModel"}, - { 0x5028, "ThumbnailStripOffsets"}, - { 0x5029, "ThumbnailOrientation"}, - { 0x502A, "ThumbnailSamplesPerPixel"}, - { 0x502B, "ThumbnailRowsPerStrip"}, - { 0x502C, "ThumbnailStripBytesCount"}, - { 0x502D, "ThumbnailResolutionX"}, - { 0x502E, "ThumbnailResolutionY"}, - { 0x502F, "ThumbnailPlanarConfig"}, - { 0x5030, "ThumbnailResolutionUnit"}, - { 0x5031, "ThumbnailTransferFunction"}, - { 0x5032, "ThumbnailSoftwareUsed"}, - { 0x5033, "ThumbnailDateTime"}, - { 0x5034, 
"ThumbnailArtist"}, - { 0x5035, "ThumbnailWhitePoint"}, - { 0x5036, "ThumbnailPrimaryChromaticities"}, - { 0x5037, "ThumbnailYCbCrCoefficients"}, - { 0x5038, "ThumbnailYCbCrSubsampling"}, - { 0x5039, "ThumbnailYCbCrPositioning"}, - { 0x503A, "ThumbnailRefBlackWhite"}, - { 0x503B, "ThumbnailCopyRight"}, - { 0x5090, "LuminanceTable"}, - { 0x5091, "ChrominanceTable"}, - { 0x5100, "FrameDelay"}, - { 0x5101, "LoopCount"}, - { 0x5110, "PixelUnit"}, - { 0x5111, "PixelPerUnitX"}, - { 0x5112, "PixelPerUnitY"}, - { 0x5113, "PaletteHistogram"}, + { 0x0301, "Gamma"}, + { 0x0302, "ICCProfileDescriptor"}, + { 0x0303, "SRGBRenderingIntent"}, + { 0x0320, "ImageTitle"}, + { 0x5001, "ResolutionXUnit"}, + { 0x5002, "ResolutionYUnit"}, + { 0x5003, "ResolutionXLengthUnit"}, + { 0x5004, "ResolutionYLengthUnit"}, + { 0x5005, "PrintFlags"}, + { 0x5006, "PrintFlagsVersion"}, + { 0x5007, "PrintFlagsCrop"}, + { 0x5008, "PrintFlagsBleedWidth"}, + { 0x5009, "PrintFlagsBleedWidthScale"}, + { 0x500A, "HalftoneLPI"}, + { 0x500B, "HalftoneLPIUnit"}, + { 0x500C, "HalftoneDegree"}, + { 0x500D, "HalftoneShape"}, + { 0x500E, "HalftoneMisc"}, + { 0x500F, "HalftoneScreen"}, + { 0x5010, "JPEGQuality"}, + { 0x5011, "GridSize"}, + { 0x5012, "ThumbnailFormat"}, + { 0x5013, "ThumbnailWidth"}, + { 0x5014, "ThumbnailHeight"}, + { 0x5015, "ThumbnailColorDepth"}, + { 0x5016, "ThumbnailPlanes"}, + { 0x5017, "ThumbnailRawBytes"}, + { 0x5018, "ThumbnailSize"}, + { 0x5019, "ThumbnailCompressedSize"}, + { 0x501A, "ColorTransferFunction"}, + { 0x501B, "ThumbnailData"}, + { 0x5020, "ThumbnailImageWidth"}, + { 0x5021, "ThumbnailImageHeight"}, + { 0x5022, "ThumbnailBitsPerSample"}, + { 0x5023, "ThumbnailCompression"}, + { 0x5024, "ThumbnailPhotometricInterp"}, + { 0x5025, "ThumbnailImageDescription"}, + { 0x5026, "ThumbnailEquipMake"}, + { 0x5027, "ThumbnailEquipModel"}, + { 0x5028, "ThumbnailStripOffsets"}, + { 0x5029, "ThumbnailOrientation"}, + { 0x502A, "ThumbnailSamplesPerPixel"}, + { 0x502B, 
"ThumbnailRowsPerStrip"}, + { 0x502C, "ThumbnailStripBytesCount"}, + { 0x502D, "ThumbnailResolutionX"},
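Review bot: every visible exif.c hunk is whitespace or $Id churn (trailing spaces on the ZEND_END_MODULE_GLOBALS, PHP_MINIT and REGISTER_LONG_CONSTANT lines, the re-indented tag table) plus one added include comment; the fix for bug #70385 (buffer over-read on a 32-byte TIFF IFD tag value) that NEWS advertises is not in the shown portion because the diff was truncated. Compare the tag-reading code against upstream before accepting this revision; the whitespace noise makes a one-line bounds-check change easy to miss.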
php-5.4.44.tar.bz2/ext/hash/hash_haval.c -> php-5.4.45.tar.bz2/ext/hash/hash_haval.c
Changed
@@ -336,7 +336,7 @@ /* Pad out to 118 mod 128. */ - index = (unsigned int) ((context->count[0] >> 3) & 0x3f); + index = (unsigned int) ((context->count[0] >> 3) & 0x7f); padLen = (index < 118) ? (118 - index) : (246 - index); PHP_HAVALUpdate(context, PADDING, padLen); @@ -390,7 +390,7 @@ /* Pad out to 118 mod 128. */ - index = (unsigned int) ((context->count[0] >> 3) & 0x3f); + index = (unsigned int) ((context->count[0] >> 3) & 0x7f); padLen = (index < 118) ? (118 - index) : (246 - index); PHP_HAVALUpdate(context, PADDING, padLen); @@ -444,7 +444,7 @@ /* Pad out to 118 mod 128. */ - index = (unsigned int) ((context->count[0] >> 3) & 0x3f); + index = (unsigned int) ((context->count[0] >> 3) & 0x7f); padLen = (index < 118) ? (118 - index) : (246 - index); PHP_HAVALUpdate(context, PADDING, padLen); @@ -484,7 +484,7 @@ /* Pad out to 118 mod 128. */ - index = (unsigned int) ((context->count[0] >> 3) & 0x3f); + index = (unsigned int) ((context->count[0] >> 3) & 0x7f); padLen = (index < 118) ? (118 - index) : (246 - index); PHP_HAVALUpdate(context, PADDING, padLen); @@ -525,7 +525,7 @@ /* Pad out to 118 mod 128. */ - index = (unsigned int) ((context->count[0] >> 3) & 0x3f); + index = (unsigned int) ((context->count[0] >> 3) & 0x7f); padLen = (index < 118) ? (118 - index) : (246 - index); PHP_HAVALUpdate(context, PADDING, padLen);
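Review bot: the mask change is correct (HAVAL uses a 128-byte block, and `(context->count[0] >> 3) & 0x3f` could never yield an index of 64..127, so `padLen = (index < 118) ? (118 - index) : (246 - index)` computed the wrong padding whenever the message length mod 128 was 64 or more), but the identical fix is copy-pasted five times across the per-output-size finalizers. Pull the padding computation into one shared helper so the next such fix is made in one place, and state in the commit message that digests for affected inputs change, so any HAVAL hashes stored by earlier builds will no longer verify (the updated hash test vectors in this revision show the new values).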
php-5.4.45.tar.bz2/ext/hash/tests/bug70312.phpt
Added
@@ -0,0 +1,18 @@ +--TEST-- +Bug #70312 HAVAL gives wrong hashes in specific cases +--SKIPIF-- +<?php if(!extension_loaded("hash")) print "skip"; ?> +--FILE-- +<?php +var_dump(hash('haval128,5', '1234567890123456789012345678901234567890123456789012345678901234')); +var_dump(hash('haval160,5', '1234567890123456789012345678901234567890123456789012345678901234')); +var_dump(hash('haval192,5', '1234567890123456789012345678901234567890123456789012345678901234')); +var_dump(hash('haval224,5', '1234567890123456789012345678901234567890123456789012345678901234')); +var_dump(hash('haval256,5', '1234567890123456789012345678901234567890123456789012345678901234')); +?> +--EXPECTF-- +string(32) "f3f0d23819b87228b4b70ee350afaa9d" +string(40) "aded6485e137f11d7292212ba3fa961714df0564" +string(48) "e53da2b16269fe732e9a898a96707a9f28404d7333b02286" +string(56) "c574fb307f0817b514b9bb2e7c4bfaffb7ad667aca3c8b523fefcf10" +string(64) "fb73c19300b14d5cb393d929bf005e6c2d459a4c9c009e9813af1d2d3637ee8f" \ No newline at end of file
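Review bot: the input in every case is exactly 64 bytes, the single boundary length at which the old `& 0x3f` mask wrapped to 0; add at least one input of length between 65 and 127 and one over 128 bytes, plus a 3- or 4-pass variant, so the test covers the whole range the old mask corrupted rather than one point. --EXPECTF-- is used with no format specifiers, so --EXPECT-- would state the exact-match intent; the file also has no trailing newline.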
php-5.4.44.tar.bz2/ext/hash/tests/hash_file_basic1.phpt -> php-5.4.45.tar.bz2/ext/hash/tests/hash_file_basic1.phpt
Changed
@@ -64,7 +64,7 @@ adler32: ff87222e crc32: 61664d33 gost: d9e65f0c0c2ef944e4f8a01f4a46365c4f33a2853756878182a7f03e1490a4cd -haval128,3: 8bb81269aca8b7f87829020d76a4e841 +haval128,3: c25962b13383c3ed9f13817c8f2ae7d6 md2: 70f791c0d8fa9edd7d08e32fcba8c354 md4: a9d034b16bb290c57a645afd6f14cd3b md5: 704bf818448f5bbb94061332d2c889aa
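Review bot: the haval128,3 expected value changes here (and likewise in hash_hmac_basic.phpt and hash_hmac_file_basic.phpt) while every other algorithm's digest is unchanged, which confirms the padding fix alters output only for HAVAL and implies the fixture's length falls in the 64..127 bytes mod 128 range. A one-line comment at the top of each touched test explaining why the vector moved would stop a future reader mistaking it for a regression.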
php-5.4.44.tar.bz2/ext/hash/tests/hash_hmac_basic.phpt -> php-5.4.45.tar.bz2/ext/hash/tests/hash_hmac_basic.phpt
Changed
@@ -45,7 +45,7 @@ adler32: 12c803f7 crc32: 96859101 gost: a4a3c80bdf3f8665bf07376a34dc9c1b11af7c813f4928f62e39f0c0dc564dad -haval128,3: 82cd0f4bd36729b5c80c33efa8c13ac5 +haval128,3: 4d1318607f0406bd1b7bd50907772672 md2: 6d111dab563025e4cb5f4425c991fa12 md4: 10cdbfe843000c623f8b8da0d5d20b0b md5: 2a632783e2812cf23de100d7d6a463ae
php-5.4.44.tar.bz2/ext/hash/tests/hash_hmac_file_basic.phpt -> php-5.4.45.tar.bz2/ext/hash/tests/hash_hmac_file_basic.phpt
Changed
@@ -73,7 +73,7 @@ adler32: 0f8c02f9 crc32: f2a60b9c gost: 94c39a40d5db852a8dc3d24e37eebf2d53e3d711457c59cd02b614f792a9d918 -haval128,3: e8fcff647f1a675acb429130fb94a17e +haval128,3: f1cea637451097d790354a86de3f54a3 md2: a685475e600314bb549ab4f33c3b27cb md4: cbc6bff781f48f57378d3effa27553e4 md5: 8bddf39dd1c566c27acc7fa85ec36acf
php-5.4.44.tar.bz2/ext/pcre/php_pcre.c -> php-5.4.45.tar.bz2/ext/pcre/php_pcre.c
Changed
@@ -136,7 +136,7 @@ static PHP_MINIT_FUNCTION(pcre) { REGISTER_INI_ENTRIES(); - + REGISTER_LONG_CONSTANT("PREG_PATTERN_ORDER", PREG_PATTERN_ORDER, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("PREG_SET_ORDER", PREG_SET_ORDER, CONST_CS | CONST_PERSISTENT); REGISTER_LONG_CONSTANT("PREG_OFFSET_CAPTURE", PREG_OFFSET_CAPTURE, CONST_CS | CONST_PERSISTENT); @@ -276,18 +276,18 @@ #endif } } - + p = regex; - + /* Parse through the leading whitespace, and display a warning if we get to the end without encountering a delimiter. */ while (isspace((int)*(unsigned char *)p)) p++; if (*p == 0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, + php_error_docref(NULL TSRMLS_CC, E_WARNING, p < regex + regex_len ? "Null byte in regex" : "Empty regular expression"); return NULL; } - + /* Get the delimiter and display a warning if it is alphanumeric or a backslash. */ delimiter = *p++; @@ -340,7 +340,7 @@ } return NULL; } - + /* Make a copy of the actual pattern. */ pattern = estrndup(p, pp-p); @@ -348,7 +348,7 @@ pp++; /* Parse through the options, setting appropriate flags. Display - a warning if we encounter an unknown modifier. */ + a warning if we encounter an unknown modifier. */ while (pp < regex + regex_len) { switch (*pp++) { /* Perl compatible options */ @@ -356,7 +356,7 @@ case 'm': coptions |= PCRE_MULTILINE; break; case 's': coptions |= PCRE_DOTALL; break; case 'x': coptions |= PCRE_EXTENDED; break; - + /* PCRE specific options */ case 'A': coptions |= PCRE_ANCHORED; break; case 'D': coptions |= PCRE_DOLLAR_ENDONLY;break; @@ -369,12 +369,12 @@ the PCRE_UCP option. */ #ifdef PCRE_UCP coptions |= PCRE_UCP; -#endif +#endif break; /* Custom preg options */ case 'e': poptions |= PREG_REPLACE_EVAL; break; - + case ' ': case '\n': break; 
@@ -453,7 +453,7 @@ * at end of request. However PCRE_G(pcre_cache) must be consistent * on the next request as well. So we disable usage of interned strings * as hash keys especually for this table. - * See bug #63180 + * See bug #63180 */ if (IS_INTERNED(regex)) { regex = tmp = estrndup(regex, regex_len); @@ -482,7 +482,7 @@ if (preg_options) { *preg_options = pce ? pce->preg_options : 0; } - + return pce ? pce->re : NULL; } /* }}} */ @@ -492,7 +492,7 @@ PHPAPI pcre* pcre_get_compiled_regex_ex(char *regex, pcre_extra **extra, int *preg_options, int *compile_options TSRMLS_DC) { pcre_cache_entry * pce = pcre_get_compiled_regex_cache(regex, strlen(regex) TSRMLS_CC); - + if (extra) { *extra = pce ? pce->extra : NULL; } @@ -502,7 +502,7 @@ if (compile_options) { *compile_options = pce ? pce->compile_options : 0; } - + return pce ? pce->re : NULL; } /* }}} */ @@ -519,7 +519,7 @@ /* Add (match, offset) to the return value */ add_next_index_stringl(match_pair, str, len, 1); add_next_index_long(match_pair, offset); - + if (name) { zval_add_ref(&match_pair); zend_hash_update(Z_ARRVAL_P(result), name, strlen(name)+1, &match_pair, sizeof(zval *), NULL); @@ -544,13 +544,13 @@ &subject, &subject_len, &subpats, &flags, &start_offset) == FAILURE) { RETURN_FALSE; } - + /* Compile regex or get it from cache. */ if ((pce = pcre_get_compiled_regex_cache(regex, regex_len TSRMLS_CC)) == NULL) { RETURN_FALSE; } - php_pcre_match_impl(pce, subject, subject_len, return_value, subpats, + php_pcre_match_impl(pce, subject, subject_len, return_value, subpats, global, ZEND_NUM_ARGS() >= 4, flags, start_offset TSRMLS_CC); } /* }}} */ @@ -653,7 +653,7 @@ matched = 0; PCRE_G(error_code) = PHP_PCRE_NO_ERROR; - + do { /* Execute the regular expression. */ count = pcre_exec(pce->re, extra, subject, subject_len, start_offset, 
@@ -675,7 +675,7 @@ /* If subpatterns array has been passed, fill it in with values. */ if (subpats != NULL) { /* Try to get the list of substrings and display a warning if failed. */ - if (pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) { + if ((offsets[1] - offsets[0] < 0) || pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) { efree(subpat_names); efree(offsets); if (match_sets) efree(match_sets); @@ -710,7 +710,7 @@ ALLOC_ZVAL(result_set); array_init(result_set); INIT_PZVAL(result_set); - + /* Add all the subpatterns to it */ for (i = 0; i < count; i++) { if (offset_capture) { @@ -762,13 +762,13 @@ pcre_handle_exec_error(count TSRMLS_CC); break; } - + /* If we have matched an empty string, mimic what Perl's /g options does. This turns out to be rather cunning. First we set PCRE_NOTEMPTY and try the match again at the same point. If this fails (picked up above) we advance to the next character. */ g_notempty = (offsets[1] == offsets[0])? PCRE_NOTEMPTY | PCRE_ANCHORED : 0; - + /* Advance to the position right after the last full match */ start_offset = offsets[1]; } while (global); @@ -785,7 +785,7 @@ } efree(match_sets); } - + efree(offsets); efree(subpat_names); @@ -835,7 +835,7 @@ walk++; } else return 0; - + if (*walk && *walk >= '0' && *walk <= '9') { *backref = *backref * 10 + *walk - '0'; walk++; @@ -847,9 +847,9 @@ else walk++; }
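Review bot: the only functional change in these hunks is the new `(offsets[1] - offsets[0] < 0)` guard in php_pcre_match_impl, which catches a \K inside a lookahead moving the match start past its end; the rest is trailing-whitespace churn. Two points: the guard reuses the "Get subpatterns list failed" warning (as the new test expects), which misdescribes a negative-length match and deserves its own message; and it runs only under `if (subpats != NULL)`, while `g_notempty = (offsets[1] == offsets[0]) ...` and `start_offset = offsets[1]` further down still consume the offsets in the no-subpats global case, so confirm that the truncated part of the diff covers that path and the preg_split/preg_replace paths that bug70345.phpt exercises.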
php-5.4.45.tar.bz2/ext/pcre/tests/bug70345.phpt
Added
@@ -0,0 +1,24 @@ +--TEST-- +Bug #70345 (Multiple vulnerabilities related to PCRE functions) +--FILE-- +<?php +$regex = '/(?=xyz\K)/'; +$subject = "aaaaxyzaaaa"; + +$v = preg_split($regex, $subject); +print_r($v); + +$regex = '/(a(?=xyz\K))/'; +$subject = "aaaaxyzaaaa"; +preg_match($regex, $subject, $matches); + +var_dump($matches); +--EXPECTF-- +Array +( + [0] => aaaaxyzaaaa +) + +Warning: preg_match(): Get subpatterns list failed in %s on line %d +array(0) { +}
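Review bot: the preg_split case asserts only that the subject comes back whole and the preg_match case only that a warning is emitted and $matches is empty; neither return value is checked, so pin it with `var_dump(preg_match($regex, $subject, $matches));` so a regression that silently returns a match count is caught. A short comment on why \K in a lookahead yields an end offset before the start would also help the next maintainer.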
php-5.4.44.tar.bz2/ext/session/session.c -> php-5.4.45.tar.bz2/ext/session/session.c
Changed
@@ -210,16 +210,18 @@ } /* }}} */ -static void php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ +static int php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ { if (!PS(serializer)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object"); - return; + return FAILURE; } if (PS(serializer)->decode(val, vallen TSRMLS_CC) == FAILURE) { php_session_destroy(TSRMLS_C); php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode session object. Session has been destroyed"); + return FAILURE; } + return SUCCESS; } /* }}} */ @@ -413,7 +415,7 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now"); } - + outid = emalloc((size_t)((digest_len + 2) * ((8.0f / PS(hash_bits_per_character)) + 0.5))); j = (int) (bin_to_readable((char *)digest, digest_len, outid, (char)PS(hash_bits_per_character)) - outid); efree(digest); @@ -855,8 +857,11 @@ ALLOC_INIT_ZVAL(current); if (php_var_unserialize(¤t, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + } else { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; } - zval_ptr_dtor(¤t); + var_push_dtor_no_addref(&var_hash, ¤t); } PS_ADD_VARL(name, namelen); efree(name); @@ -947,8 +952,13 @@ ALLOC_INIT_ZVAL(current); if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + } else { + var_push_dtor_no_addref(&var_hash, ¤t); + efree(name); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; } - zval_ptr_dtor(¤t); + var_push_dtor_no_addref(&var_hash, ¤t); } PS_ADD_VARL(name, namelen); skip: 
@@ -1744,7 +1754,7 @@ } efree(name); } - + if (PS(mod) && PS(mod) != &ps_mod_user) { zend_alter_ini_entry("session.save_handler", sizeof("session.save_handler"), "user", sizeof("user")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME); } @@ -1922,9 +1932,7 @@ return; } - php_session_decode(str, str_len TSRMLS_CC); - - RETURN_TRUE; + RETVAL_BOOL(php_session_decode(str, str_len TSRMLS_CC) == SUCCESS); } /* }}} */ @@ -2516,12 +2524,12 @@ case MULTIPART_EVENT_FILE_START: { multipart_event_file_start *data = (multipart_event_file_start *) event_data; - /* Do nothing when $_POST["PHP_SESSION_UPLOAD_PROGRESS"] is not set + /* Do nothing when $_POST["PHP_SESSION_UPLOAD_PROGRESS"] is not set * or when we have no session id */ if (!Z_TYPE(progress->sid) || !progress->key.c) { break; } - + /* First FILE_START event, initializing data */ if (!progress->data) { @@ -2571,7 +2579,7 @@ add_assoc_zval_ex(progress->current_file, "bytes_processed", sizeof("bytes_processed"), progress->current_file_bytes_processed); add_next_index_zval(progress->files, progress->current_file); - + Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; php_session_rfc1867_update(progress, 0 TSRMLS_CC); @@ -2583,7 +2591,7 @@ if (!Z_TYPE(progress->sid) || !progress->key.c) { break; } - + Z_LVAL_P(progress->current_file_bytes_processed) = data->offset + data->length; Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed; @@ -2596,7 +2604,7 @@ if (!Z_TYPE(progress->sid) || !progress->key.c) { break; } - + if (data->temp_filename) { add_assoc_string_ex(progress->current_file, "tmp_name", sizeof("tmp_name"), data->temp_filename, 1); }
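Review bot: the two error branches added to the decode loops are inconsistent: the one in the hunk at -855 does `PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return FAILURE;` without the `var_push_dtor_no_addref(&var_hash, &current)` and `efree(name)` that the -947 hunk performs first, so on a bad value the `current` zval and the `name` buffer leak; mirror the second branch in the first. Replacing `zval_ptr_dtor(&current)` with `var_push_dtor_no_addref` is the actual fix for bug #70219, since it keeps the zval alive until PHP_VAR_UNSERIALIZE_DESTROY runs so later R: back-references cannot point at freed memory; a one-line comment at each call site saying so would spare the next reader a trip to the bug tracker. The signature change makes session_decode() return false on failure (see the RETVAL_BOOL hunk), a visible behaviour change the spec changelog should mention.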
php-5.4.44.tar.bz2/ext/session/tests/session_decode_error2.phpt -> php-5.4.45.tar.bz2/ext/session/tests/session_decode_error2.phpt
Changed
@@ -53,563 +53,247 @@ } -- Iteration 4 -- -bool(true) -array(1) { - ["foo"]=> - NULL + +Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/session_decode_error2.php on line %d +bool(false) +array(0) { } -- Iteration 5 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 6 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 7 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 8 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 9 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 10 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 11 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 12 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 13 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 14 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 15 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 16 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 17 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 18 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 19 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 20 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 21 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 22 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 23 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false) +array(0) { } -- Iteration 24 -- -bool(true) -array(1) { - ["foo"]=> - NULL 
+bool(false) +array(0) { } -- Iteration 25 -- -bool(true) -array(1) { - ["foo"]=> - NULL +bool(false)
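Review bot: from Iteration 5 onward the expectation drops to `bool(false)` with no warning, while Iteration 4 still shows the "Failed to decode session object. Session has been destroyed" warning, and nothing in the test says why the later iterations fail silently. Add a comment explaining that (presumably the session is gone after the first failure and later decodes return false without warning), otherwise the asymmetry reads like a mistake in the expected output.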
php-5.4.44.tar.bz2/ext/session/tests/session_decode_variation3.phpt -> php-5.4.45.tar.bz2/ext/session/tests/session_decode_variation3.phpt
Changed
@@ -49,7 +49,7 @@ } Warning: session_decode(): Unknown session.serialize_handler. Failed to decode session object in %s on line %d -bool(true) +bool(false) array(3) { ["foo"]=> int(1234567890)
php-5.4.44.tar.bz2/ext/soap/soap.c -> php-5.4.45.tar.bz2/ext/soap/soap.c
Changed
@@ -989,7 +989,7 @@ HashTable *ht2; HashPosition pos1, pos2; HashTable *typemap = NULL; - + zend_hash_internal_pointer_reset_ex(ht, &pos1); while (zend_hash_get_current_data_ex(ht, (void**)&tmp, &pos1) == SUCCESS) { char *type_name = NULL; @@ -1033,7 +1033,7 @@ } } zend_hash_move_forward_ex(ht2, &pos2); - } + } if (type_name) { smart_str nscat = {0}; @@ -1063,7 +1063,7 @@ new_enc->to_xml = enc->to_xml; new_enc->to_zval = enc->to_zval; new_enc->details.map = emalloc(sizeof(soapMapping)); - memset(new_enc->details.map, 0, sizeof(soapMapping)); + memset(new_enc->details.map, 0, sizeof(soapMapping)); if (to_xml) { zval_add_ref(&to_xml); new_enc->details.map->to_xml = to_xml; @@ -1120,7 +1120,7 @@ if (Z_TYPE_P(wsdl) != IS_STRING && Z_TYPE_P(wsdl) != IS_NULL) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid parameters"); } - + service = emalloc(sizeof(soapService)); memset(service, 0, sizeof(soapService)); service->send_errors = 1; @@ -1155,7 +1155,7 @@ if (zend_hash_find(ht, "encoding", sizeof("encoding"), (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) { xmlCharEncodingHandlerPtr encoding; - + encoding = xmlFindCharEncodingHandler(Z_STRVAL_PP(tmp)); if (encoding == NULL) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid 'encoding' option - '%s'", Z_STRVAL_PP(tmp)); @@ -1215,7 +1215,7 @@ } } } - + if (typemap_ht) { service->typemap = soap_create_typemap(service->sdl, typemap_ht TSRMLS_CC); } @@ -1345,7 +1345,7 @@ if (zend_parse_parameters_none() == FAILURE) { return; } - + FETCH_THIS_SERVICE(service); array_init(return_value); @@ -1505,7 +1505,7 @@ FETCH_THIS_SERVICE(service); SOAP_GLOBAL(soap_version) = service->version; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|s", &arg, &arg_len) == FAILURE) { return; } 
@@ -1930,7 +1930,7 @@ if (size == 0) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Dump memory failed"); - } + } if (soap_version == SOAP_1_2) { sapi_add_header("Content-Type: application/soap+xml; charset=utf-8", sizeof("Content-Type: application/soap+xml; charset=utf-8")-1, 1); @@ -2147,10 +2147,10 @@ use_exceptions = 1; } - if ((error_num == E_USER_ERROR || - error_num == E_COMPILE_ERROR || + if ((error_num == E_USER_ERROR || + error_num == E_COMPILE_ERROR || error_num == E_CORE_ERROR || - error_num == E_ERROR || + error_num == E_ERROR || error_num == E_PARSE) && use_exceptions) { zval *fault, *exception; @@ -2219,10 +2219,10 @@ va_list argcopy; #endif - if (error_num == E_USER_ERROR || - error_num == E_COMPILE_ERROR || + if (error_num == E_USER_ERROR || + error_num == E_COMPILE_ERROR || error_num == E_CORE_ERROR || - error_num == E_ERROR || + error_num == E_ERROR || error_num == E_PARSE) { char* code = SOAP_GLOBAL(error_code); @@ -2452,13 +2452,13 @@ if (zend_hash_find(ht, "encoding", sizeof("encoding"), (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) { xmlCharEncodingHandlerPtr encoding; - + encoding = xmlFindCharEncodingHandler(Z_STRVAL_PP(tmp)); if (encoding == NULL) { php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid 'encoding' option - '%s'", Z_STRVAL_PP(tmp)); } else { xmlCharEncCloseFunc(encoding); - add_property_stringl(this_ptr, "_encoding", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); + add_property_stringl(this_ptr, "_encoding", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } } if (zend_hash_find(ht, "classmap", sizeof("classmap"), (void**)&tmp) == SUCCESS && @@ -2493,7 +2493,7 @@ if (context) { add_property_resource(this_ptr, "_stream_context", context->rsrc_id); } - + if (zend_hash_find(ht, "cache_wsdl", sizeof("cache_wsdl"), (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_LONG) { cache_wsdl = Z_LVAL_PP(tmp); 
@@ -2503,7 +2503,7 @@ Z_TYPE_PP(tmp) == IS_STRING) { add_property_stringl(this_ptr, "_user_agent", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } - + if (zend_hash_find(ht, "keep_alive", sizeof("keep_alive"), (void**)&tmp) == SUCCESS && (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && Z_LVAL_PP(tmp) == 0) { add_property_long(this_ptr, "_keep_alive", 0); @@ -2606,7 +2606,7 @@ xmlFree(buf); if (ret && zend_hash_find(Z_OBJPROP_P(this_ptr), "__soap_fault", sizeof("__soap_fault"), (void **) &fault) == SUCCESS) { return FALSE; - } + } return ret; } @@ -2903,8 +2903,10 @@ } zend_hash_internal_pointer_reset(default_headers); while (zend_hash_get_current_data(default_headers, (void**)&tmp) == SUCCESS) { - Z_ADDREF_PP(tmp); - zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); + if(Z_TYPE_PP(tmp) == IS_OBJECT) { + Z_ADDREF_PP(tmp); + zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); + } zend_hash_move_forward(default_headers); } } else { @@ -2912,7 +2914,7 @@ free_soap_headers = 0; } } - + arg_count = zend_hash_num_elements(Z_ARRVAL_P(args)); if (arg_count > 0) { @@ -2978,7 +2980,7 @@ HashPosition pos; FETCH_THIS_SDL(sdl); - + if (zend_parse_parameters_none() == FAILURE) { return; } @@ -3007,7 +3009,7 @@ PHP_METHOD(SoapClient, __getLastRequest) { zval **tmp; - + if (zend_parse_parameters_none() == FAILURE) { return; } @@ -3030,7 +3032,7 @@ if (zend_parse_parameters_none() == FAILURE) { return; } - + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING) {
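Review bot: the fix for bug #70388 is the `if(Z_TYPE_PP(tmp) == IS_OBJECT)` filter added to the __default_headers loop at -2903; everything else in these hunks is trailing-whitespace churn, which hides the one functional change and inflates the review. The filter drops non-object entries silently and does not check that the object is a SoapHeader, so a foreign object restored from a serialized SoapClient still lands in soap_headers; consider an instanceof check against the SoapHeader class as well, or at least a warning when an entry is skipped. Style: `if(` should be `if (` to match the surrounding code.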
php-5.4.45.tar.bz2/ext/soap/tests/bug70388.phpt
Added
@@ -0,0 +1,17 @@ +--TEST-- +Bug #70388 (SOAP serialize_function_call() type confusion / RCE) +--SKIPIF-- +<?php require_once('skipif.inc'); ?> +--FILE-- +<?php +$dummy = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"X";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";a:1:{i:1;s:1337:"'.str_repeat("X", 1337).'";}}'); +try { + var_dump($dummy->notexisting()); +} catch(Exception $e) { + var_dump($e->getMessage()); + var_dump(get_class($e)); +} +?> +--EXPECTF-- +string(%d) "%s" +string(9) "SoapFault" \ No newline at end of file
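Review bot: the expectation `string(%d) "%s"` accepts any message, so the test proves only that calling a method on the unserialized SoapClient ends in a SoapFault rather than a crash; that is the right property for this bug, but it depends on http://localhost/a.xml being unreachable (a listener there would change the fault or stall the run). A comment stating that the 1337-byte string in __default_headers is what used to be treated as a SoapHeader object would make the intent clear. No trailing newline at end of file.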
php-5.4.44.tar.bz2/ext/spl/spl_dllist.c -> php-5.4.45.tar.bz2/ext/spl/spl_dllist.c
Changed
@@ -1221,6 +1221,7 @@ zval_ptr_dtor(&elem); goto error; } + var_push_dtor(&var_hash, &elem); spl_ptr_llist_push(intern->llist, elem TSRMLS_CC); }
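Review bot: `var_push_dtor(&var_hash, &elem)` registers the freshly unserialized element with the unserialize var_hash so it stays alive until that var_hash is destroyed, which is what closes the use-after-free of bug #70366 when a later back-reference points at an element the list has already released; add a one-line comment at the call site saying so, since in isolation the line looks like an accidental extra reference. The placement after the `goto error` check is right: a failed element is still released by the existing `zval_ptr_dtor(&elem)`.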
php-5.4.44.tar.bz2/ext/spl/spl_observer.c -> php-5.4.45.tar.bz2/ext/spl/spl_observer.c
Changed
@@ -853,6 +853,7 @@ zval_ptr_dtor(&pentry); goto outexcept; } + var_push_dtor(&var_hash, &pentry); if(Z_TYPE_P(pentry) != IS_OBJECT) { zval_ptr_dtor(&pentry); goto outexcept; @@ -864,6 +865,7 @@ zval_ptr_dtor(&pinf); goto outexcept; } + var_push_dtor(&var_hash, &pinf); } hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);
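Review bot: same pattern as spl_dllist.c, applied to both pentry and pinf for bug #70365. The `if(Z_TYPE_P(pentry) != IS_OBJECT) { zval_ptr_dtor(&pentry); goto outexcept; }` check now runs after pentry has been pushed into var_hash, which is fine because var_push_dtor takes its own reference, but a comment noting that the var_hash reference is meant to outlive this dtor would stop the next reviewer "fixing" it. Missing space in `if(`.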
View file
php-5.4.45.tar.bz2/ext/spl/tests/bug70155.phpt
Added
@@ -0,0 +1,50 @@ +--TEST-- +SPL: Bug #70155 Use After Free Vulnerability in unserialize() with SPLArrayObject +--FILE-- +<?php +$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";i:3;};m:a:1:{i:0;R:2;}'; +$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}'; +$data = unserialize($exploit); + +var_dump($data); +?> +===DONE=== +--EXPECTF-- +object(ArrayObject)#1 (2) { + [0]=> + int(0) + ["storage":"ArrayObject":private]=> + object(DateInterval)#2 (15) { + ["y"]=> + int(3) + ["m"]=> + int(-1) + ["d"]=> + int(-1) + ["h"]=> + int(-1) + ["i"]=> + int(-1) + ["s"]=> + int(-1) + ["weekday"]=> + int(-1) + ["weekday_behavior"]=> + int(-1) + ["first_last_day_of"]=> + int(-1) + ["invert"]=> + int(0) + ["days"]=> + int(-1) + ["special_type"]=> + int(0) + ["special_amount"]=> + int(-1) + ["have_weekday_relative"]=> + int(0) + ["have_special_relative"]=> + int(0) + } +} +===DONE===
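Review bot: the `--EXPECTF--` block hard-codes all fifteen internal properties of DateInterval, although the bug under test is the `R:2;` back-reference into ArrayObject's storage; any change to DateInterval's property set will fail this test for an unrelated reason. Replace the DateInterval body with a `%A` wildcard (run-tests matches it across lines) and keep only the outer structure, so the test fails only for the bug it guards. Also, no code hunk in this diff references bug #70155, so record in the commit which change this test regresses.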
View file
php-5.4.45.tar.bz2/ext/spl/tests/bug70365.phpt
Added
@@ -0,0 +1,50 @@ +--TEST-- +SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage +--FILE-- +<?php +class obj { + var $ryat; + function __wakeup() { + $this->ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}'; +$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +--EXPECTF-- +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#%d (1) { + ["ryat"]=> + &int(1) + } + [3]=> + int(1) + [4]=> + string(24) "%s" +}
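Review bot: the `--FILE--` section has no closing `?>` before `--EXPECTF--`, unlike bug70366.phpt; run-tests tolerates that, but keep the files consistent. The expected output only proves that nothing crashed and that the `&int(1)` reference survived; a use-after-free that happens to read intact memory passes this test, so it should also run under valgrind (run-tests.php `-m`) or an ASan build in CI.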
View file
php-5.4.45.tar.bz2/ext/spl/tests/bug70366.phpt
Added
@@ -0,0 +1,54 @@ +--TEST-- +SPL: Bug #70366 use-after-free vulnerability in unserialize() with SplDoublyLinkedList +--FILE-- +<?php +class obj { + var $ryat; + function __wakeup() { + $this->ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'i:1234;:i:1;'; +$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; + +$data = unserialize($exploit); + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECTF-- +array(5) { + [0]=> + int(1) + [1]=> + &int(1) + [2]=> + object(obj)#%d (1) { + ["ryat"]=> + &int(1) + } + [3]=> + array(1) { + [0]=> + int(1) + } + [4]=> + string(24) "%s" +} \ No newline at end of file
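Review bot: `ptr2str()` and the `$fakezval` construction are duplicated verbatim in bug70365.phpt, bug70172.phpt and bug70172_2.phpt; move the helper into a shared include so the four tests stay in sync. The `$inner = 'i:1234;:i:1;'` payload is the interesting part of this test (flags followed by a malformed element list); a one-line comment saying so would help the next person who touches the SplDoublyLinkedList unserializer.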
View file
php-5.4.45.tar.bz2/ext/standard/tests/serialize/bug70172.phpt
Added
@@ -0,0 +1,54 @@ +--TEST-- +Bug #70172 - Use After Free Vulnerability in unserialize() +--XFAIL-- +Memory leak on debug build, needs fix. +--FILE-- +<?php +class obj implements Serializable { + var $data; + function serialize() { + return serialize($this->data); + } + function unserialize($data) { + $this->data = unserialize($data); + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'r:2;'; +$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}'; + +$data = unserialize($exploit); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECTF-- +array(2) { + [0]=> + int(1) + [1]=> + object(obj)#%d (1) { + ["data"]=> + int(1) + } +} \ No newline at end of file
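Review bot: `--XFAIL--` ("Memory leak on debug build, needs fix.") makes run-tests report this test as an expected failure, so a reintroduced use-after-free would not fail the suite. The leak comes from the unserialize() return-value swap in var.c (its FIXME references this bug), so track the leak separately and let this test fail on the UAF; if the leak only shows on debug builds, skip it there with a `--SKIPIF--` on `PHP_DEBUG` instead of an unconditional XFAIL. The allocation loop after unserialize() exists so that a regression shows in the var_dump() output rather than only under a memory checker; a comment saying so would save reviewers a question.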
View file
php-5.4.45.tar.bz2/ext/standard/tests/serialize/bug70172_2.phpt
Added
@@ -0,0 +1,68 @@ +--TEST-- +Bug #70172 - Use After Free Vulnerability in unserialize() +--FILE-- +<?php +class obj implements Serializable { + var $data; + function serialize() { + return serialize($this->data); + } + function unserialize($data) { + $this->data = unserialize($data); + } +} + +class obj2 { + var $ryat; + function __wakeup() { + $this->ryat = 1; + } +} + +$fakezval = ptr2str(1122334455); +$fakezval .= ptr2str(0); +$fakezval .= "\x00\x00\x00\x00"; +$fakezval .= "\x01"; +$fakezval .= "\x00"; +$fakezval .= "\x00\x00"; + +$inner = 'r:2;'; +$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}'; + +$data = unserialize($exploit); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = $fakezval.$i; +} + +var_dump($data); + +function ptr2str($ptr) +{ + $out = ''; + for ($i = 0; $i < 8; $i++) { + $out .= chr($ptr & 0xff); + $ptr >>= 8; + } + return $out; +} +?> +--EXPECTF-- +array(2) { + [0]=> + object(obj2)#%d (1) { + ["ryat"]=> + int(1) + } + [1]=> + array(1) { + [0]=> + array(1) { + [0]=> + object(obj2)#%d (1) { + ["ryat"]=> + int(1) + } + } + } +} \ No newline at end of file
View file
php-5.4.45.tar.bz2/ext/standard/tests/serialize/bug70219.phpt
Added
@@ -0,0 +1,38 @@ +--TEST-- +Bug #70219 Use after free vulnerability in session deserializer +--FILE-- +<?php +class obj implements Serializable { + var $data; + function serialize() { + return serialize($this->data); + } + function unserialize($data) { + session_start(); + session_decode($data); + } +} + +$inner = 'ryat|a:1:{i:0;a:1:{i:1;'; +$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}'; + +$data = unserialize($exploit); + +for ($i = 0; $i < 5; $i++) { + $v[$i] = 'hi'.$i; +} + +var_dump($data); +?> +--EXPECTF-- +Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d +array(2) { + [0]=> + object(obj)#%d (1) { + ["data"]=> + NULL + } + [1]=> + array(0) { + } +}
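Review bot: this test calls session_start()/session_decode() but has no `--SKIPIF--` for the session extension (bug70350.phpt checks `extension_loaded('zip')` the same way) and no `--INI--` pinning `session.save_path`, so on a build without session, or with an unwritable save path, it fails for the wrong reason. Add `<?php if (!extension_loaded('session')) die('skip'); ?>` and an `--INI--` block.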
View file
php-5.4.44.tar.bz2/ext/standard/var.c -> php-5.4.45.tar.bz2/ext/standard/var.c
Changed
@@ -373,7 +373,7 @@ smart_str_appendc(buf, ','); smart_str_appendc(buf, '\n'); - + return 0; } /* }}} */ @@ -392,7 +392,7 @@ const char *pname; char *pname_esc; int pname_esc_len; - + zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1, &class_name, &pname); pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0, @@ -469,7 +469,7 @@ buffer_append_spaces(buf, level - 1); } smart_str_appendc(buf, ')'); - + break; case IS_OBJECT: @@ -802,7 +802,7 @@ BG(serialize_lock)++; res = call_user_function_ex(CG(function_table), &struc, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC); BG(serialize_lock)--; - + if (EG(exception)) { if (retval_ptr) { zval_ptr_dtor(&retval_ptr); @@ -951,6 +951,8 @@ int buf_len; const unsigned char *p; php_unserialize_data_t var_hash; + int oldlevel; + zval *old_rval = return_value; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { RETURN_FALSE; @@ -970,6 +972,20 @@ } RETURN_FALSE; } + if (return_value != old_rval) { + /* + * Terrible hack due to the fact that executor passes us zval *, + * but unserialize with r/R wants to replace it with another zval * + */ + zval_dtor(old_rval); + *old_rval = *return_value; + zval_copy_ctor(old_rval); + var_push_dtor_no_addref(&var_hash, &return_value); + /* FIXME: old_rval is not freed in some scenarios, see bug #70172 + var_push_dtor_no_addref(&var_hash, &old_rval); */ + } else { + var_push_dtor(&var_hash, &return_value); + } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); } /* }}} */
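Review bot: in the `@@ -970` hunk, `*old_rval = *return_value;` copies the whole zval struct, including `refcount__gc` and `is_ref__gc`, into the executor-owned return slot; after an `R:` the source zval is a reference whose refcount reflects the var_hash slots holding it, so old_rval comes back with an inflated refcount and is_ref set, which is a plausible cause of the leak the FIXME describes ("old_rval is not freed in some scenarios, see bug #70172"). Copy only value and type (ZVAL_COPY_VALUE, or assign `value`/`type` and reset refcount and is_ref) before `zval_copy_ctor(old_rval)`; then the commented-out `var_push_dtor_no_addref(&var_hash, &old_rval)` should not be needed. Shipping commented-out code plus a FIXME in a security release deserves at least a bug reference in the commit message.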
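Review bot: `int oldlevel;` added in the `@@ -951` hunk is not used in any of the hunks shown for this file, so it will produce an unused-variable warning; drop it.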
View file
php-5.4.44.tar.bz2/ext/standard/var_unserializer.c -> php-5.4.45.tar.bz2/ext/standard/var_unserializer.c
Changed
@@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.7.5 on Tue Mar 17 13:14:30 2015 */ +/* Generated by re2c 0.13.7.5 on Mon Aug 31 23:15:46 2015 */ /* +----------------------------------------------------------------------+ | PHP Version 5 | @@ -68,7 +68,7 @@ var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); + fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -91,9 +91,15 @@ PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) { - var_entries *var_hash = (*var_hashx)->last_dtor; + var_entries *var_hash; + + if (!var_hashx || !*var_hashx) { + return; + } + + var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); + fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -120,7 +126,7 @@ #if VAR_ENTRIES_DBG fprintf(stderr, "var_replace(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(nzval)); #endif - + while (var_hash) { for (i = 0; i < var_hash->used_slots; i++) { if (var_hash->data[i] == ozval) { @@ -138,7 +144,7 @@ #if VAR_ENTRIES_DBG fprintf(stderr, "var_access(%ld): %ld\n", var_hash?var_hash->used_slots:-1L, id); #endif - + while (id >= VAR_ENTRIES_MAX && var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) { var_hash = var_hash->next; id -= VAR_ENTRIES_MAX; @@ -161,7 +167,7 @@ #if VAR_ENTRIES_DBG fprintf(stderr, "var_destroy(%ld)\n", var_hash?var_hash->used_slots:-1L); #endif - + while (var_hash) { next = var_hash->next; efree(var_hash); 
@@ -169,9 +175,12 @@ } var_hash = (*var_hashx)->first_dtor; - + while (var_hash) { for (i = 0; i < var_hash->used_slots; i++) { +#if VAR_ENTRIES_DBG + fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); +#endif zval_ptr_dtor(&var_hash->data[i]); } next = var_hash->next; @@ -249,7 +258,7 @@ case '+': p++; } - + while (1) { cursor = (char)*p; if (cursor >= '0' && cursor <= '9') { @@ -278,7 +287,7 @@ if (*p == '+') { p++; } - + while (1) { cursor = *p; if (cursor >= '0' && cursor <= '9') { @@ -302,24 +311,20 @@ ALLOC_INIT_ZVAL(key); if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) { - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); return 0; } if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) { - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); return 0; } ALLOC_INIT_ZVAL(data); if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { - zval_dtor(key); - FREE_ZVAL(key); - zval_dtor(data); - FREE_ZVAL(data); + var_push_dtor_no_addref(var_hash, &key); + var_push_dtor_no_addref(var_hash, &data); return 0; } @@ -348,9 +353,7 @@ sizeof data, NULL); } var_push_dtor(var_hash, &data); - - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); if (elements && *(*p-1) != ';' && *(*p-1) != '}') { (*p)--; @@ -400,11 +403,11 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) { long elements; - + elements = parse_iv2((*p) + 2, p); (*p) += 2; - + /* The internal class check here is a BC fix only, userspace classes implementing the Serializable interface have eventually an inconsistent behavior at this place when unserialized from a manipulated string. Additionaly the interal classes can possibly @@ -468,19 +471,19 @@ limit = max; cursor = *p; - + if (YYCURSOR >= YYLIMIT) { return 0; } - + if (var_hash && cursor[0] != 'R') { var_push(var_hash, rval); } start = cursor; - - + + { YYCTYPE yych; 
@@ -634,10 +637,11 @@ zval **args[1]; zval *arg_func_name; + if (!var_hash) return 0; if (*start == 'C') { custom_object = 1; } - + INIT_PZVAL(*rval); len2 = len = parse_uiv(start + 2); maxlen = max - YYCURSOR; @@ -686,14 +690,14 @@ efree(class_name); return 0; } - + /* Check for unserialize callback */ if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) { incomplete_class = 1; ce = PHP_IC_ENTRY; break; } - + /* Call unserialize callback */ MAKE_STD_ZVAL(user_func); ZVAL_STRING(user_func, PG(unserialize_callback_func), 1);
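Review bot: this file is re2c output (see the regenerated header comment) and its hunks mirror var_unserializer.re one-for-one, which is the thing to check; the .c diff shown here stops at the object_custom/callback hunks, so confirm the .c was regenerated from the final .re (including the `R:` rule change) rather than hand-patched. Also, the new early return in `var_push_dtor_no_addref` when `var_hashx` or `*var_hashx` is NULL turns what was a NULL dereference into a leak of `*rval`; `process_nested_data` now routes the key zval through it, and the key is parsed with a NULL var_hash argument but released with the outer `var_hash`, which is non-NULL only because of the new `if (!var_hash) return 0;` in `object_custom`. A comment at the guard stating that invariant would keep it from being lost.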
View file
php-5.4.44.tar.bz2/ext/standard/var_unserializer.re -> php-5.4.45.tar.bz2/ext/standard/var_unserializer.re
Changed
@@ -67,7 +67,7 @@ var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); + fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -90,9 +90,15 @@ PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) { - var_entries *var_hash = (*var_hashx)->last_dtor; + var_entries *var_hash; + + if (!var_hashx || !*var_hashx) { + return; + } + + var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); + fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); #endif if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { @@ -119,7 +125,7 @@ #if VAR_ENTRIES_DBG fprintf(stderr, "var_replace(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(nzval)); #endif - + while (var_hash) { for (i = 0; i < var_hash->used_slots; i++) { if (var_hash->data[i] == ozval) { @@ -137,7 +143,7 @@ #if VAR_ENTRIES_DBG fprintf(stderr, "var_access(%ld): %ld\n", var_hash?var_hash->used_slots:-1L, id); #endif - + while (id >= VAR_ENTRIES_MAX && var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) { var_hash = var_hash->next; id -= VAR_ENTRIES_MAX; @@ -160,7 +166,7 @@ #if VAR_ENTRIES_DBG fprintf(stderr, "var_destroy(%ld)\n", var_hash?var_hash->used_slots:-1L); #endif - + while (var_hash) { next = var_hash->next; efree(var_hash); 
@@ -168,9 +174,12 @@ } var_hash = (*var_hashx)->first_dtor; - + while (var_hash) { for (i = 0; i < var_hash->used_slots; i++) { +#if VAR_ENTRIES_DBG + fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); +#endif zval_ptr_dtor(&var_hash->data[i]); } next = var_hash->next; @@ -255,7 +264,7 @@ case '+': p++; } - + while (1) { cursor = (char)*p; if (cursor >= '0' && cursor <= '9') { @@ -284,7 +293,7 @@ if (*p == '+') { p++; } - + while (1) { cursor = *p; if (cursor >= '0' && cursor <= '9') { @@ -308,24 +317,20 @@ ALLOC_INIT_ZVAL(key); if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) { - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); return 0; } if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) { - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); return 0; } ALLOC_INIT_ZVAL(data); if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { - zval_dtor(key); - FREE_ZVAL(key); - zval_dtor(data); - FREE_ZVAL(data); + var_push_dtor_no_addref(var_hash, &key); + var_push_dtor_no_addref(var_hash, &data); return 0; } @@ -354,9 +359,7 @@ sizeof data, NULL); } var_push_dtor(var_hash, &data); - - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); if (elements && *(*p-1) != ';' && *(*p-1) != '}') { (*p)--; @@ -406,11 +409,11 @@ static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce) { long elements; - + elements = parse_iv2((*p) + 2, p); (*p) += 2; - + /* The internal class check here is a BC fix only, userspace classes implementing the Serializable interface have eventually an inconsistent behavior at this place when unserialized from a manipulated string. Additionaly the interal classes can possibly @@ -474,19 +477,19 @@ limit = max; cursor = *p; - + if (YYCURSOR >= YYLIMIT) { return 0; } - + if (var_hash && cursor[0] != 'R') { var_push(var_hash, rval); } start = cursor; - - + + /*!re2c "R:" iv ";" { 
@@ -501,12 +504,12 @@ } if (*rval != NULL) { - zval_ptr_dtor(rval); + var_push_dtor_no_addref(var_hash, rval); } *rval = *rval_ref; Z_ADDREF_PP(rval); Z_SET_ISREF_PP(rval); - + return 1; } @@ -529,7 +532,7 @@ *rval = *rval_ref; Z_ADDREF_PP(rval); Z_UNSET_ISREF_PP(rval); - + return 1; } @@ -660,6 +663,7 @@ long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ *p = YYCURSOR; + if (!var_hash) return 0; if (elements < 0) { return 0; @@ -677,9 +681,10 @@ } "o:" iv ":" ["] {
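Review bot: the `@@ -501` hunk is the core of the fix: when an `R:` replaces an already-populated `*rval`, the old zval now goes onto the dtor list (`var_push_dtor_no_addref`) instead of being destroyed on the spot, because an earlier var_hash slot can still point to it and would otherwise dangle for the rest of the parse. That invariant (nothing allocated during one unserialize() is freed before `var_destroy` runs) is what the other hunks enforce too, and it belongs in the commit message. The `if (!var_hash) return 0;` added to the `a:` rule at `@@ -660` rejects arrays when parsing without a var_hash, i.e. as array keys; an array-valued key was previously rejected later by the `IS_LONG`/`IS_STRING` check in `process_nested_data`, so the outcome is the same but the check now happens earlier, and a comment explaining why saves the next reader some digging.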
View file
php-5.4.44.tar.bz2/ext/xsl/xsltprocessor.c -> php-5.4.45.tar.bz2/ext/xsl/xsltprocessor.c
Changed
@@ -81,10 +81,10 @@ /* }}} */ /* -* class xsl_xsltprocessor +* class xsl_xsltprocessor * * URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html# -* Since: +* Since: */ const zend_function_entry php_xsl_xsltprocessor_class_functions[] = { @@ -111,9 +111,9 @@ xmlChar *value; int str_len; - + str_len = xmlStrlen(string) + 3; - + if (xmlStrchr(string, '"')) { if (xmlStrchr(string, '\'')) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot create XPath expression (string contains both quote and double-quotes)"); @@ -133,7 +133,7 @@ Translates a PHP array to a libxslt parameters array */ static char **php_xsl_xslt_make_params(HashTable *parht, int xpath_params TSRMLS_DC) { - + int parsize; zval **value; char *xpath_expr, *string_key = NULL; @@ -158,7 +158,7 @@ SEPARATE_ZVAL(value); convert_to_string(*value); } - + if (!xpath_params) { xpath_expr = php_xsl_xslt_string_to_xpathexpr(Z_STRVAL_PP(value) TSRMLS_CC); } else { @@ -192,7 +192,7 @@ char *str; char *callable = NULL; xsl_object *intern; - + TSRMLS_FETCH(); if (! zend_is_executing(TSRMLS_C)) { @@ -219,15 +219,17 @@ } } } - + if (error == 1) { for (i = nargs - 1; i >= 0; i--) { obj = valuePop(ctxt); - xmlXPathFreeObject(obj); + if (obj) { + xmlXPathFreeObject(obj); + } } return; } - + fci.param_count = nargs - 1; if (fci.param_count > 0) { fci.params = safe_emalloc(fci.param_count, sizeof(zval**), 0); @@ -265,7 +267,7 @@ if (node->type == XML_NAMESPACE_DECL) { xmlNsPtr curns; xmlNodePtr nsparent; - + nsparent = node->_private; curns = xmlNewNs(NULL, node->name, NULL); if (node->children) { 
@@ -297,14 +299,16 @@ xmlXPathFreeObject(obj); fci.params[i] = &args[i]; } - + fci.size = sizeof(fci); fci.function_table = EG(function_table); - + obj = valuePop(ctxt); - if (obj->stringval == NULL) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string"); - xmlXPathFreeObject(obj); + if (obj == NULL || obj->stringval == NULL) { + if (obj) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string"); + xmlXPathFreeObject(obj); + } valuePush(ctxt, xmlXPathNewString("")); if (fci.param_count > 0) { for (i = 0; i < nargs - 1; i++) { @@ -313,12 +317,12 @@ efree(args); efree(fci.params); } - return; + return; } INIT_PZVAL(&handler); ZVAL_STRING(&handler, obj->stringval, 1); xmlXPathFreeObject(obj); - + fci.function_name = &handler; fci.symbol_table = NULL; fci.object_ptr = NULL; @@ -328,7 +332,7 @@ if (!zend_make_callable(&handler, &callable TSRMLS_CC)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call handler %s()", callable); valuePush(ctxt, xmlXPathNewString("")); - } else if ( intern->registerPhpFunctions == 2 && zend_hash_exists(intern->registered_phpfunctions, callable, strlen(callable) + 1) == 0) { + } else if ( intern->registerPhpFunctions == 2 && zend_hash_exists(intern->registered_phpfunctions, callable, strlen(callable) + 1) == 0) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Not allowed to call handler '%s()'", callable); /* Push an empty string, so that we at least have an xslt result... */ valuePush(ctxt, xmlXPathNewString("")); @@ -392,7 +396,7 @@ /* {{{ proto void xsl_xsltprocessor_import_stylesheet(domdocument doc); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html# -Since: +Since: */ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet) { 
@@ -404,13 +408,13 @@ xmlNode *nodep = NULL; zend_object_handlers *std_hnd; zval *cloneDocu, *member; - + if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Oo", &id, xsl_xsltprocessor_class_entry, &docp) == FAILURE) { RETURN_FALSE; } nodep = php_libxml_import_node(docp TSRMLS_CC); - + if (nodep) { doc = nodep->doc; } @@ -419,7 +423,7 @@ RETURN_FALSE; } - /* libxslt uses _private, so we must copy the imported + /* libxslt uses _private, so we must copy the imported stylesheet document otherwise the node proxies will be a mess */ newdoc = xmlCopyDoc(doc, 1); xmlNodeSetBase((xmlNodePtr) newdoc, (xmlChar *)doc->URL); @@ -436,7 +440,7 @@ RETURN_FALSE; } - intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC); + intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC); std_hnd = zend_get_std_object_handlers(); MAKE_STD_ZVAL(member); @@ -463,10 +467,10 @@ intern->hasKeys = clone_docu; } - if ((oldsheetp = (xsltStylesheetPtr)intern->ptr)) { + if ((oldsheetp = (xsltStylesheetPtr)intern->ptr)) { /* free wrapper */ if (((xsltStylesheetPtr) intern->ptr)->_private != NULL) { - ((xsltStylesheetPtr) intern->ptr)->_private = NULL; + ((xsltStylesheetPtr) intern->ptr)->_private = NULL; } xsltFreeStylesheet((xsltStylesheetPtr) intern->ptr); intern->ptr = NULL; @@ -494,7 +498,7 @@ xsltSecurityPrefsPtr secPrefs = NULL; node = php_libxml_import_node(docp TSRMLS_CC); - + if (node) { doc = node->doc; } @@ -507,7 +511,7 @@ php_error_docref(NULL TSRMLS_CC, E_WARNING, "No stylesheet associated to this object"); return NULL; } - + if (intern->profiling) {
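Review bot: in the `@@ -297` hunk the `obj == NULL` case (an empty XPath value stack when the handler name is popped) is handled silently: only the `obj != NULL && obj->stringval == NULL` branch emits the "Handler name must be a string" warning. A php:function() call with no handler name is malformed input and should warn as well, so that the empty-string result is not mistaken for a legitimate stylesheet outcome; move the php_error_docref call outside the `if (obj)` block with a message that covers both cases. The `if (obj)` guard in the `@@ -219` cleanup loop is correct, as libxml's valuePop returns NULL on an empty stack. The remaining hunks in this file are trailing-whitespace edits.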
View file
php-5.4.44.tar.bz2/ext/zip/php_zip.c -> php-5.4.45.tar.bz2/ext/zip/php_zip.c
Changed
@@ -16,7 +16,7 @@ +----------------------------------------------------------------------+ */ -/* $Id: abc21c7f1559e732dba6db94c69ecf638ae5fa3f $ */ +/* $Id: 6c872ebfb022206b0cc2a183c7a388c7b6ad8685 $ */ #ifdef HAVE_CONFIG_H #include "config.h" @@ -133,7 +133,7 @@ } /* }}} */ -#ifdef PHP_ZIP_USE_OO +#ifdef PHP_ZIP_USE_OO /* {{{ php_zip_extract_file */ static int php_zip_extract_file(struct zip * za, char *dest, char *file, int file_len TSRMLS_DC) { @@ -174,7 +174,7 @@ /* it is a directory only, see #40228 */ if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) { - len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file); + len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned); is_dir_only = 1; } else { memcpy(file_dirname, path_cleaned, path_cleaned_len); @@ -295,7 +295,7 @@ } /* }}} */ -static int php_zip_add_file(struct zip *za, const char *filename, size_t filename_len, +static int php_zip_add_file(struct zip *za, const char *filename, size_t filename_len, char *entry_name, size_t entry_name_len, long offset_start, long offset_len TSRMLS_DC) /* {{{ */ { struct zip_source *zs; @@ -345,7 +345,7 @@ } /* }}} */ -static int php_zip_parse_options(zval *options, long *remove_all_path, +static int php_zip_parse_options(zval *options, long *remove_all_path, char **remove_path, int *remove_path_len, char **add_path, int *add_path_len TSRMLS_DC) /* {{{ */ { zval **option; @@ -375,11 +375,11 @@ } if (Z_STRLEN_PP(option) >= MAXPATHLEN) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "remove_path string is too long (max: %i, %i given)", + php_error_docref(NULL TSRMLS_CC, E_WARNING, "remove_path string is too long (max: %i, %i given)", MAXPATHLEN - 1, Z_STRLEN_PP(option)); return -1; } - *remove_path_len = Z_STRLEN_PP(option); + *remove_path_len = Z_STRLEN_PP(option); *remove_path = Z_STRVAL_PP(option); } 
@@ -395,11 +395,11 @@ } if (Z_STRLEN_PP(option) >= MAXPATHLEN) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "add_path string too long (max: %i, %i given)", + php_error_docref(NULL TSRMLS_CC, E_WARNING, "add_path string too long (max: %i, %i given)", MAXPATHLEN - 1, Z_STRLEN_PP(option)); return -1; } - *add_path_len = Z_STRLEN_PP(option); + *add_path_len = Z_STRLEN_PP(option); *add_path = Z_STRVAL_PP(option); } return 1; @@ -528,7 +528,7 @@ glob_t globbuf; int n; int ret; - + if (pattern_len >= MAXPATHLEN) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Pattern exceeds the maximum allowed length of %d characters", MAXPATHLEN); return -1; @@ -539,9 +539,9 @@ return -1; } -#ifdef ZTS +#ifdef ZTS if (!IS_ABSOLUTE_PATH(pattern, pattern_len)) { - result = VCWD_GETCWD(cwd, MAXPATHLEN); + result = VCWD_GETCWD(cwd, MAXPATHLEN); if (!result) { cwd[0] = '\0'; } @@ -554,7 +554,7 @@ snprintf(work_pattern, MAXPATHLEN, "%s%c%s", cwd, DEFAULT_SLASH, pattern); pattern = work_pattern; - } + } #endif globbuf.gl_offs = 0; @@ -564,7 +564,7 @@ /* Some glob implementation simply return no data if no matches were found, others return the GLOB_NOMATCH error code. We don't want to treat GLOB_NOMATCH as an error condition - so that PHP glob() behaves the same on both types of + so that PHP glob() behaves the same on both types of implementations and so that 'foreach (glob() as ...' can be used for simple glob() calls without further error checking. 
@@ -593,11 +593,11 @@ for (n = 0; n < globbuf.gl_pathc; n++) { /* we need to do this everytime since GLOB_ONLYDIR does not guarantee that * all directories will be filtered. GNU libc documentation states the - * following: - * If the information about the type of the file is easily available - * non-directories will be rejected but no extra work will be done to - * determine the information for each file. I.e., the caller must still be - * able to filter directories out. + * following: + * If the information about the type of the file is easily available + * non-directories will be rejected but no extra work will be done to + * determine the information for each file. I.e., the caller must still be + * able to filter directories out. */ if (flags & GLOB_ONLYDIR) { struct stat s; @@ -633,9 +633,9 @@ int files_cnt; char **namelist; -#ifdef ZTS +#ifdef ZTS if (!IS_ABSOLUTE_PATH(path, path_len)) { - result = VCWD_GETCWD(cwd, MAXPATHLEN); + result = VCWD_GETCWD(cwd, MAXPATHLEN); if (!result) { cwd[0] = '\0'; } @@ -648,7 +648,7 @@ snprintf(work_path, MAXPATHLEN, "%s%c%s", cwd, DEFAULT_SLASH, path); path = work_path; - } + } #endif if (ZIP_OPENBASEDIR_CHECKPATH(path)) { @@ -665,7 +665,7 @@ re = pcre_get_compiled_regex(regexp, &pcre_extra, &preg_options TSRMLS_CC); if (!re) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid expression"); - return -1; + return -1; } array_init(return_value); @@ -678,7 +678,7 @@ int matches; int namelist_len = strlen(namelist[i]); - + if ((namelist_len == 1 && namelist[i][0] == '.') || (namelist_len == 2 && namelist[i][0] == '.' && namelist[i][1] == '.')) { efree(namelist[i]); @@ -686,7 +686,7 @@ } if ((path_len + namelist_len + 1) >= MAXPATHLEN) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "add_path string too long (max: %i, %i given)", + php_error_docref(NULL TSRMLS_CC, E_WARNING, "add_path string too long (max: %i, %i given)", MAXPATHLEN - 1, (path_len + namelist_len + 1)); efree(namelist[i]); break; 
@@ -709,7 +709,7 @@ /* 0 means that the vector is too small to hold all the captured substring offsets */ if (matches < 0) { efree(namelist[i]); - continue; + continue; } add_next_index_string(return_value, fullpath, 1); @@ -785,7 +785,7 @@ /* }}} */ /* {{{ ZE2 OO definitions */ -#ifdef PHP_ZIP_USE_OO +#ifdef PHP_ZIP_USE_OO static zend_class_entry *zip_class_entry; static zend_object_handlers zip_object_handlers; @@ -805,7 +805,7 @@ #endif /* }}} */ -#ifdef PHP_ZIP_USE_OO
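Review bot: the functional change is the single line in the `@@ -174` hunk: for directory-only entries the target path is now built from `path_cleaned` rather than the raw entry name `file`, so a `../` in an archive directory name no longer escapes `dest` when the directory is created (bug #70350). Since the fix relies entirely on the path-cleaning step, a stronger follow-up would verify after cleaning that `file_dirname_fullpath` still lies under `dest`, or reject entries whose cleaned path is empty. Everything else in this file's diff is an `$Id$` bump and trailing-whitespace edits.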
View file
php-5.4.45.tar.bz2/ext/zip/tests/bug70350.phpt
Added
@@ -0,0 +1,33 @@ +--TEST-- +Bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories) +--SKIPIF-- +<?php +if(!extension_loaded('zip')) die('skip'); +?> +--FILE-- +<?php + +$dir = dirname(__FILE__)."/bug70350"; +mkdir($dir); +$archive = new ZipArchive(); +$archive->open("$dir/a.zip",ZipArchive::CREATE); +$archive->addEmptyDir("../down2/"); +$archive->close(); + +$archive2 = new ZipArchive(); +$archive2->open("$dir/a.zip"); +$archive2->extractTo($dir); +$archive2->close(); +var_dump(file_exists("$dir/down2/")); +var_dump(file_exists("../down2/")); +?> +--CLEAN-- +<?php +$dir = dirname(__FILE__)."/bug70350"; +rmdir("$dir/down2"); +unlink("$dir/a.zip"); +rmdir($dir); +?> +--EXPECT-- +bool(true) +bool(false)
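Review bot: `var_dump(file_exists("../down2/"))` is evaluated relative to the process working directory, not relative to `$dir`, while `extractTo($dir)` with the `../down2/` entry would have created `dirname(__FILE__)."/down2"` before the fix; unless the runner's cwd happens to be the test directory, a regression is missed. Build the check from `$dir` (`"$dir/../down2/"`) and remove that directory in `--CLEAN--` too, so a failed run does not leave the traversal artefact behind.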
View file
php-5.4.44.tar.bz2/main/php_version.h -> php-5.4.45.tar.bz2/main/php_version.h
Changed
@@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 4 -#define PHP_RELEASE_VERSION 44 +#define PHP_RELEASE_VERSION 45 #define PHP_EXTRA_VERSION "" -#define PHP_VERSION "5.4.44" -#define PHP_VERSION_ID 50444 +#define PHP_VERSION "5.4.45" +#define PHP_VERSION_ID 50445