Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0: (22 commits) Fix bug #72293 - Heap overflow in mysqlnd related to BIT fields I don't think 8cceb01 is needed Fix test Add check in fgetcsv in case sizeof(unit) != sizeof(size_t) Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c Fix bug #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile) Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction Fix bug #73029 - Missing type check when unserializing SplArray Fix bug #72860: wddx_deserialize use-after-free Fix bug #73007: add locale length check Fix bug #72928 - Out of bound when verify signature of zip phar in phar_parse_zipfile sync NEWS Revert "Merge branch 'PHP-5.6' into PHP-7.0" Merge branch 'PHP-5.6' into PHP-7.0 Merge branch 'PHP-5.6' into PHP-7.0 Revert "Revert "Merge branch 'PHP-5.6' into PHP-7.0"" fix version sync NEWS Fix bug #72957 set versions ...
dereckson · Sep 13, 2016 · dad0e9d · dad0e9d
2 parents caea2c8 + 07c6bdb
commit dad0e9d
Show file tree

Hide file tree

Showing 16 changed files with 249 additions and 31 deletions.
diff --git a/ext/intl/msgformat/msgformat_format.c b/ext/intl/msgformat/msgformat_format.c
@@ -116,6 +116,8 @@ PHP_FUNCTION( msgfmt_format_message )
 		RETURN_FALSE;
 	}
 
+	INTL_CHECK_LOCALE_LEN(slocale_len);
+
 	memset(mfo, 0, sizeof(*mfo));
 	msgformat_data_init(&mfo->mf_data);
 

diff --git a/ext/phar/tar.c b/ext/phar/tar.c
@@ -286,7 +286,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
 			}
 			curloc = php_stream_tell(fp);
 			read = php_stream_read(fp, buf, size);
-			if (read != size) {
+			if (read != size || read <= 8) {
 				if (error) {
 					spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname);
 				}

diff --git a/ext/phar/tests/bug72928.phpt b/ext/phar/tests/bug72928.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Phar: #72928 (Out of bound when verify signature of zip phar in phar_parse_zipfile)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$phar = new PharData('bug72928.zip');
+var_dump($phar);
+} catch(UnexpectedValueException $e) {
+	print $e->getMessage()."\n";
+}
+?>
+DONE
+--EXPECTF--
+phar error: signature cannot be read in zip-based phar "%sbug72928.zip"
+DONE
diff --git a/ext/phar/tests/bug72928.zip b/ext/phar/tests/bug72928.zip
diff --git a/ext/phar/tests/bug73035.phpt b/ext/phar/tests/bug73035.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Phar: #73035 (Out of bound when verify signature of tar phar in phar_parse_tarfile)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$phar = new PharData('bug73035.tar');
+var_dump($phar);
+} catch(UnexpectedValueException $e) {
+	print $e->getMessage()."\n";
+}
+?>
+DONE
+--EXPECTF--
+phar error: tar-based phar "%sbug73035.tar" signature cannot be read
+DONE
diff --git a/ext/phar/tests/bug73035.tar b/ext/phar/tests/bug73035.tar
diff --git a/ext/phar/util.c b/ext/phar/util.c
@@ -1603,6 +1603,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
 			unsigned char digest[64];
 			PHP_SHA512_CTX context;
 
+			if (sig_len < sizeof(digest)) {
+				if (error) {
+					spprintf(error, 0, "broken signature");
+				}
+				return FAILURE;
+			}
+
 			PHP_SHA512Init(&context);
 			read_len = end_of_phar;
 
@@ -1636,6 +1643,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
 			unsigned char digest[32];
 			PHP_SHA256_CTX context;
 
+			if (sig_len < sizeof(digest)) {
+				if (error) {
+					spprintf(error, 0, "broken signature");
+				}
+				return FAILURE;
+			}
+
 			PHP_SHA256Init(&context);
 			read_len = end_of_phar;
 
@@ -1677,6 +1691,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
 			unsigned char digest[20];
 			PHP_SHA1_CTX  context;
 
+			if (sig_len < sizeof(digest)) {
+				if (error) {
+					spprintf(error, 0, "broken signature");
+				}
+				return FAILURE;
+			}
+
 			PHP_SHA1Init(&context);
 			read_len = end_of_phar;
 
@@ -1710,6 +1731,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, uint32_t sig_type,
 			unsigned char digest[16];
 			PHP_MD5_CTX   context;
 
+			if (sig_len < sizeof(digest)) {
+				if (error) {
+					spprintf(error, 0, "broken signature");
+				}
+				return FAILURE;
+			}
+
 			PHP_MD5Init(&context);
 			read_len = end_of_phar;
 

diff --git a/ext/phar/zip.c b/ext/phar/zip.c
@@ -417,7 +417,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
 			php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
 			sig = (char *) emalloc(entry.uncompressed_filesize);
 			read = php_stream_read(fp, sig, entry.uncompressed_filesize);
-			if (read != entry.uncompressed_filesize) {
+			if (read != entry.uncompressed_filesize || read <= 8) {
 				php_stream_close(sigfile);
 				efree(sig);
 				PHAR_ZIP_FAIL("signature cannot be read");

diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
@@ -295,7 +295,7 @@ static zval *spl_array_get_dimension_ptr(int check_inherited, spl_array_object *
 	zend_string *offset_key;
 	HashTable *ht = spl_array_get_hash_table(intern);
 
-	if (!offset || Z_ISUNDEF_P(offset)) {
+	if (!offset || Z_ISUNDEF_P(offset) || !ht) {
 		return &EG(uninitialized_zval);
 	}
 
@@ -1791,7 +1791,8 @@ SPL_METHOD(Array, unserialize)
 		intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
 		zval_ptr_dtor(&intern->array);
 		ZVAL_UNDEF(&intern->array);
-		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)) {
+		if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash)
+				|| (Z_TYPE(intern->array) != IS_ARRAY && Z_TYPE(intern->array) != IS_OBJECT)) {
 			goto outexcept;
 		}
 		var_push_dtor(&var_hash, &intern->array);

diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
@@ -2,8 +2,13 @@
 Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
 --FILE--
 <?php
+try {
 $a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
+} catch(Exception $e) {
+	print $e->getMessage()."\n";
+}
 ?>
 OK
 --EXPECT--
+Error at offset 10 of 20 bytes
 OK
diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #73029: Missing type check when unserializing SplArray
+--FILE--
+<?php
+try {
+$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
+$m = unserialize($a);
+$x = $m[2];
+} catch(UnexpectedValueException $e) {
+	print $e->getMessage() . "\n";
+}
+?>
+DONE
+--EXPECTF--
+Error at offset 10 of 19 bytes
+DONE
diff --git a/ext/standard/tests/serialize/bug73052.phpt b/ext/standard/tests/serialize/bug73052.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #73052: Memory Corruption in During Deserialized-object Destruction
+--FILE--
+<?php
+
+class obj {
+    var $ryat;
+    public function __destruct() {
+        $this->ryat = null;
+    }
+}
+
+$poc = 'O:3:"obj":1:{';
+var_dump(unserialize($poc));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 13 of 13 bytes in %sbug73052.php on line %d
+bool(false)
diff --git a/ext/standard/tests/strings/bug72703.phpt b/ext/standard/tests/strings/bug72703.phpt
diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #72860: wddx_deserialize use-after-free
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+    die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml=<<<XML
+<?xml version='1.0'?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+       <recordset fieldNames='F'>
+               <field name='F'>
+       </recordset>
+</wddxPacket>
+XML;
+
+var_dump(wddx_deserialize($xml));
+?>
+DONE
+--EXPECT--
+NULL
+DONE
diff --git a/ext/wddx/tests/bug73065.phpt b/ext/wddx/tests/bug73065.phpt
@@ -0,0 +1,98 @@
+--TEST--
+Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
+--SKIPIF--
+<?php
+if (!extension_loaded('wddx')) {
+    die('skip. wddx not available');
+}
+?>
+--FILE--
+<?php
+
+$xml1 = <<<XML
+<?xml version='1.0' ?>
+    <!DOCTYPE et SYSTEM 'w'>
+    <wddxPacket ven='1.0'>
+        <array>
+            <var Name="name">
+                <boolean value="keliu"></boolean>
+            </var>
+            <var name="1111">
+                <var name="2222">
+                    <var name="3333"></var>
+                </var>
+            </var>
+        </array>
+    </wddxPacket>
+XML;
+
+$xml2 = <<<XML
+<?xml version='1.0' ?>
+    <!DOCTYPE et SYSTEM 'w'>
+    <wddxPacket ven='1.0'>
+        <array>
+            <char Name="code">
+                <boolean value="keliu"></boolean>
+            </char>
+        </array>
+    </wddxPacket>
+XML;
+
+$xml3 = <<<XML
+<?xml version='1.0' ?>
+    <!DOCTYPE et SYSTEM 'w'>
+    <wddxPacket ven='1.0'>
+        <array>
+            <boolean Name="value">
+                <boolean value="keliu"></boolean>
+            </boolean>
+        </array>
+    </wddxPacket>
+XML;
+
+$xml4 = <<<XML
+<?xml version='1.0' ?>
+    <!DOCTYPE et SYSTEM 'w'>
+    <wddxPacket ven='1.0'>
+        <array>
+            <recordset Name="fieldNames">
+                <boolean value="keliu"></boolean>
+            </recordset>
+        </array>
+    </wddxPacket>
+XML;
+
+$xml5 = <<<XML
+<?xml version='1.0' ?>
+    <!DOCTYPE et SYSTEM 'w'>
+    <wddxPacket ven='1.0'>
+        <array>
+            <field Name="name">
+                <boolean value="keliu"></boolean>
+            </field>
+        </array>
+    </wddxPacket>
+XML;
+
+for($i=1;$i<=5;$i++) {
+	$xmlvar = "xml$i";
+    $array = wddx_deserialize($$xmlvar);
+    var_dump($array);
+}
+?>
+DONE
+--EXPECTF--
+array(0) {
+}
+array(0) {
+}
+array(0) {
+}
+array(1) {
+  [0]=>
+  array(0) {
+  }
+}
+array(0) {
+}
+DONE