Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6: fix #72519, possible OOB using imagegif fix #72512, invalid read or write for palette image when invalid transparent index is used Apparently some envs miss SIZE_MAX Fix tests Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c Fix for bug #72558, Integer overflow error within _gdContributionsAlloc() Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE Fix bug #72562 - destroy var_hash properly Fix bug #72533 (locale_accept_from_http out-of-bounds access) Fix fir bug #72520 Fix for bug #72513 Fix for bug #72513 CS fix and comments with bug ID Fix for HTTP_PROXY issue. 5.6.24RC1 add tests for bug #72512 Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access Fixed bug #72479 - same as #72434 Conflicts: Zend/zend_virtual_cwd.c ext/bz2/bz2.c ext/exif/exif.c ext/session/session.c ext/snmp/snmp.c ext/standard/basic_functions.c main/SAPI.c main/php_variables.c
dereckson · Jul 19, 2016 · b00f8f2 · b00f8f2
2 parents e9a58be + 4d0565b
commit b00f8f2
Show file tree

Hide file tree

Showing 23 changed files with 358 additions and 81 deletions.
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -2604,6 +2604,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 	*pszEncoding = NULL;
 	/* Copy the comment */
 	if (ByteCount>=8) {
+		const zend_encoding *from, *to;
 		if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
 			*pszEncoding = estrdup((const char*)szValuePtr);
 			szValuePtr = szValuePtr+8;
@@ -2624,15 +2625,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			} else {
 				decode = ImageInfo->decode_unicode_le;
 			}
+			to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode);
+			from = zend_multibyte_fetch_encoding(decode);
 			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
-			if (zend_multibyte_encoding_converter(
+			if (!to || !from || zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr,
 					&len,
 					(unsigned char*)szValuePtr,
 					ByteCount,
-					zend_multibyte_fetch_encoding(ImageInfo->encode_unicode),
-					zend_multibyte_fetch_encoding(decode)
-					) == (size_t)-1) {
+					to,
+					from) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
 			return len;
@@ -2646,14 +2648,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			szValuePtr = szValuePtr+8;
 			ByteCount -= 8;
 			/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
-			if (zend_multibyte_encoding_converter(
+			to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis);
+			from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le);
+			if (!to || !from || zend_multibyte_encoding_converter(
 					(unsigned char**)pszInfoPtr,
 					&len,
 					(unsigned char*)szValuePtr,
 					ByteCount,
-					zend_multibyte_fetch_encoding(ImageInfo->encode_jis),
-					zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le)
-					) == (size_t)-1) {
+					to,
+					from) == (size_t)-1) {
 				len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
 			}
 			return len;
@@ -2723,6 +2726,12 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 		break;
 	}
 
+	if (maker_note->offset >= value_len) {
+		/* Do not go past the value end */
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
+		return FALSE;
+	}
+
 	dir_start = value_ptr + maker_note->offset;
 
 #ifdef EXIF_DEBUG
@@ -2751,10 +2760,19 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 			offset_base = value_ptr;
 			break;
 		case MN_OFFSET_GUESS:
+			if (maker_note->offset + 10 + 4 >= value_len) {
+				/* Can not read dir_start+10 since it's beyond value end */
+				exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X", value_len);
+				return FALSE;
+			}
 			offset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);
 #ifdef EXIF_DEBUG
 			exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Using automatic offset correction: 0x%04X", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);
 #endif
+			if (offset_diff < 0 || offset_diff >= value_len ) {
+				exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data bad offset: 0x%04X length 0x%04X", offset_diff, value_len);
+				return FALSE;
+			}
 			offset_base = value_ptr + offset_diff;
 			break;
 		default:
@@ -2763,7 +2781,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 	}
 
 	if ((2+NumDirEntries*12) > value_len) {
-		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + x%04X*12 = x%04X > x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
 		return FALSE;
 	}
 
@@ -3049,7 +3067,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 				break;
 
 			case TAG_MAKER_NOTE:
-				exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement);
+				if (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement)) {
+					EFREE_IF(outside);
+					return FALSE;
+				}
 				break;
 
 			case TAG_EXIF_IFD_POINTER:

diff --git a/ext/exif/tests/bug54002.phpt b/ext/exif/tests/bug54002.phpt
@@ -13,8 +13,4 @@ exif_read_data(__DIR__ . '/bug54002_2.jpeg');
 --EXPECTF--
 Warning: exif_read_data(bug54002_1.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
 
-Warning: exif_read_data(bug54002_1.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
-
-Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
-
-Warning: exif_read_data(bug54002_2.jpeg): Process tag(xA000=FlashPixVer): Illegal pointer offset(%s) in %sbug54002.php on line %d
+Warning: exif_read_data(bug54002_2.jpeg): Process tag(x0205=UndefinedTa): Illegal byte_count in %sbug54002.php on line %d
diff --git a/ext/exif/tests/bug62523_2.phpt b/ext/exif/tests/bug62523_2.phpt
@@ -10,7 +10,9 @@ echo "Test\n";
 var_dump(count(exif_read_data(__DIR__."/bug62523_2.jpg")));
 ?>
 Done
---EXPECT--
+--EXPECTF--
 Test
-int(76)
+
+Warning: exif_read_data(bug62523_2.jpg): IFD data bad offset: 0xADB23672 length 0x0D94 in %s/bug62523_2.php on line %d
+int(30)
 Done
diff --git a/ext/exif/tests/bug72603.jpeg b/ext/exif/tests/bug72603.jpeg
diff --git a/ext/exif/tests/bug72603.phpt b/ext/exif/tests/bug72603.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72603.jpeg")));
+?>
+--EXPECTF--
+Warning: exif_read_data(bug72603.jpeg): IFD data bad offset: 0x058C length 0x001C in %s/bug72603.php on line %d
+int(13)
diff --git a/ext/exif/tests/bug72618.jpg b/ext/exif/tests/bug72618.jpg
diff --git a/ext/exif/tests/bug72618.phpt b/ext/exif/tests/bug72618.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug 72618 (NULL Pointer Dereference in exif_process_user_comment)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+var_dump(count(exif_read_data(dirname(__FILE__) . "/bug72618.jpg")));
+?>
+--EXPECTF--
+Warning: exif_read_data(bug72618.jpg): IFD data bad offset: 0x058E length 0x0030 in %s/bug72618.php on line %d
+int(13)
diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -188,7 +188,7 @@ gdImagePtr gdImageCreateTrueColor (int sx, int sy)
 		return NULL;
 	}
 
-	if (overflow2(sizeof(int), sx)) {
+	if (overflow2(sizeof(int *), sx)) {
 		return NULL;
 	}
 

diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c
@@ -879,20 +879,39 @@ int getPixelInterpolated(gdImagePtr im, const double x, const double y, const in
 static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, unsigned int windows_size)
 {
 	unsigned int u = 0;
-    LineContribType *res;
+	LineContribType *res;
+	int overflow_error = 0;
 
 	res = (LineContribType *) gdMalloc(sizeof(LineContribType));
 	if (!res) {
 		return NULL;
 	}
-    res->WindowSize = windows_size;
-    res->LineLength = line_length;
-    res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
-
-    for (u = 0 ; u < line_length ; u++) {
-        res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
-    }
-    return res;
+	res->WindowSize = windows_size;
+	res->LineLength = line_length;
+	if (overflow2(line_length, sizeof(ContributionType))) {
+		return NULL;
+	}
+	res->ContribRow = (ContributionType *) gdMalloc(line_length * sizeof(ContributionType));
+	if (res->ContribRow == NULL) {
+		gdFree(res);
+		return NULL;
+	}
+	for (u = 0 ; u < line_length ; u++) {
+		if (overflow2(windows_size, sizeof(double))) {
+			overflow_error = 1;
+		} else {
+			res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double));
+		}
+		if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) {
+			u--;
+			while (u >= 0) {
+				gdFree(res->ContribRow[u].Weights);
+				u--;
+			}
+			return NULL;
+		}
+	}
+	return res;
 }
 
 static inline void _gdContributionsFree(LineContribType * p)
@@ -907,59 +926,62 @@ static inline void _gdContributionsFree(LineContribType * p)
 
 static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsigned int src_size, double scale_d,  const interpolation_method pFilter)
 {
-    double width_d;
-    double scale_f_d = 1.0;
-    const double filter_width_d = DEFAULT_BOX_RADIUS;
+	double width_d;
+	double scale_f_d = 1.0;
+	const double filter_width_d = DEFAULT_BOX_RADIUS;
 	int windows_size;
 	unsigned int u;
 	LineContribType *res;
+	int overflow_error = 0;
 
-    if (scale_d < 1.0) {
-        width_d = filter_width_d / scale_d;
-        scale_f_d = scale_d;
-    }  else {
-        width_d= filter_width_d;
-    }
-
-    windows_size = 2 * (int)ceil(width_d) + 1;
-    res = _gdContributionsAlloc(line_size, windows_size);
+	if (scale_d < 1.0) {
+		width_d = filter_width_d / scale_d;
+		scale_f_d = scale_d;
+	}  else {
+		width_d= filter_width_d;
+	}
 
-    for (u = 0; u < line_size; u++) {
-        const double dCenter = (double)u / scale_d;
-        /* get the significant edge points affecting the pixel */
-        register int iLeft = MAX(0, (int)floor (dCenter - width_d));
-        int iRight = MIN((int)ceil(dCenter + width_d), (int)src_size - 1);
-        double dTotalWeight = 0.0;
+	windows_size = 2 * (int)ceil(width_d) + 1;
+	res = _gdContributionsAlloc(line_size, windows_size);
+	if (res == NULL) {
+		return NULL;
+	}
+	for (u = 0; u < line_size; u++) {
+	const double dCenter = (double)u / scale_d;
+	/* get the significant edge points affecting the pixel */
+	register int iLeft = MAX(0, (int)floor (dCenter - width_d));
+	int iRight = MIN((int)ceil(dCenter + width_d), (int)src_size - 1);
+	double dTotalWeight = 0.0;
 		int iSrc;
 
-        /* Cut edge points to fit in filter window in case of spill-off */
-        if (iRight - iLeft + 1 > windows_size)  {
-            if (iLeft < ((int)src_size - 1 / 2))  {
-                iLeft++;
-            } else {
-                iRight--;
-            }
-        }
+	/* Cut edge points to fit in filter window in case of spill-off */
+	if (iRight - iLeft + 1 > windows_size)  {
+		if (iLeft < ((int)src_size - 1 / 2))  {
+			iLeft++;
+		} else {
+			iRight--;
+		}
+	}
 
-        res->ContribRow[u].Left = iLeft;
-        res->ContribRow[u].Right = iRight;
+	res->ContribRow[u].Left = iLeft;
+	res->ContribRow[u].Right = iRight;
 
-        for (iSrc = iLeft; iSrc <= iRight; iSrc++) {
-            dTotalWeight += (res->ContribRow[u].Weights[iSrc-iLeft] =  scale_f_d * (*pFilter)(scale_f_d * (dCenter - (double)iSrc)));
-        }
+	for (iSrc = iLeft; iSrc <= iRight; iSrc++) {
+		dTotalWeight += (res->ContribRow[u].Weights[iSrc-iLeft] =  scale_f_d * (*pFilter)(scale_f_d * (dCenter - (double)iSrc)));
+	}
 
 		if (dTotalWeight < 0.0) {
 			_gdContributionsFree(res);
 			return NULL;
 		}
 
-        if (dTotalWeight > 0.0) {
-            for (iSrc = iLeft; iSrc <= iRight; iSrc++) {
-                res->ContribRow[u].Weights[iSrc-iLeft] /= dTotalWeight;
-            }
-        }
-   }
-   return res;
+	if (dTotalWeight > 0.0) {
+		for (iSrc = iLeft; iSrc <= iRight; iSrc++) {
+			res->ContribRow[u].Weights[iSrc-iLeft] /= dTotalWeight;
+		}
+	}
+	}
+	return res;
 }
 
 static inline void _gdScaleRow(gdImagePtr pSrc,  unsigned int src_width, gdImagePtr dst, unsigned int dst_width, unsigned int row, LineContribType *contrib)

diff --git a/ext/gd/tests/bug72512_0.phpt b/ext/gd/tests/bug72512_0.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access, var 0
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+
+$img = imagecreatetruecolor(13, 1007);
+
+imagecolortransparent($img, -10066304);
+imagetruecolortopalette($img, TRUE, 3);
+imagescale($img, 1, 65535);
+?>
+==DONE==
+--EXPECT--
+==DONE==
diff --git a/ext/gd/tests/bug72512_1.phpt b/ext/gd/tests/bug72512_1.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access, var 1
+--SKIPIF--
+<?php
+	if (!extension_loaded('gd')) die("skip gd extension not available\n");
+?>
+--FILE--
+<?php
+
+$img = imagecreatetruecolor(100, 100);
+imagecolortransparent($img, -1000000);
+imagetruecolortopalette($img, TRUE, 3);
+imagecolortransparent($img, 9);
+
+?>
+==DONE==
+--EXPECT--
+==DONE==
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
@@ -1598,6 +1598,24 @@ PHP_FUNCTION(locale_accept_from_http)
 		"locale_accept_from_http: unable to parse input parameters", 0 );
 		RETURN_FALSE;
 	}
+	if(http_accept_len > ULOC_FULLNAME_CAPACITY) {
+		/* check each fragment, if any bigger than capacity, can't do it due to bug #72533 */
+		char *start = http_accept;
+		char *end;
+		size_t len;
+		do {
+			end = strchr(start, ',');
+			len = end ? end-start : http_accept_len-(start-http_accept);
+			if(len > ULOC_FULLNAME_CAPACITY) {
+				intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
+						"locale_accept_from_http: locale string too long", 0 TSRMLS_CC );
+				RETURN_FALSE;
+			}
+			if(end) {
+				start = end+1;
+			}
+		} while(end != NULL);
+	}
 
 	available = ures_openAvailableLocales(NULL, &status);
 	INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list");