Commit 6bb4c3c0 authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 5.5.36+dfsg

parent cc634ed2
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
26 May 2016, PHP 5.5.36
- Core:
. Fixed bug #72114 (Integer underflow / arbitrary null write in
fread/gzread). (Stas)
. Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas)
- GD:
. Fixed bug #72227 (imagescale out-of-bounds read). (Stas)
- Intl:
. Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas)
- Phar:
. Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()).
(CVE-2016-4343) (Stas)
28 Apr 2016, PHP 5.5.35
- BCMath:
. Fix bug #72093 (bcpowmod accepts negative scale and corrupts _one_
. Fixed bug #72093 (bcpowmod accepts negative scale and corrupts _one_
definition). (Stas)
- Exif:
. Fix bug #72094 (Out of bounds heap read access in exif header
. Fixed bug #72094 (Out of bounds heap read access in exif header
processing). (Stas)
- GD:
. Fix bug #71912 (libgd: signedness vulnerability). (Stas)
. Fixed bug #71912 (libgd: signedness vulnerability) (CVE-2016-3074). (Stas)
- Intl:
. Fix bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
. Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative
offset). (Stas)
- XML:
. Fix bug #72099 (xml_parse_into_struct segmentation fault). (Stas)
. Fixed bug #72099 (xml_parse_into_struct segmentation fault). (Stas)
31 Mar 2016, PHP 5.5.34
- Fileinfo:
. Fixed bug #71527 (Buffer over-write in finfo_open with malformed magic
file). (Anatol)
file). (CVE-2015-8865) (Anatol)
- Mbstring:
. Fixed bug #71906 (AddressSanitizer: negative-size-param (-1) in
mbfl_strcut). (Stas)
mbfl_strcut). (CVE-2016-4073) (Stas)
- ODBC
- ODBC:
. Fixed bug #71860 (Invalid memory write in phar on filename with \0 in
name). (Stas)
name). (CVE-2016-4072) (Stas)
- SNMP:
. Fixed bug #71704 (php_snmp_error() Format String Vulnerability).
(andrew at jmpesp dot org)
(CVE-2016-4071) (andrew at jmpesp dot org)
- Standard
. Fixed bug #71798 (Integer Overflow in php_raw_url_encode).
- Standard:
. Fixed bug #71798 (Integer Overflow in php_raw_url_encode). (CVE-2016-4070)
(taoguangchen at icloud dot com, Stas)
03 Mar 2016, PHP 5.5.33
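Review bot: bug #71860 ("Invalid memory write in phar on filename with \0 in name") is filed under the "- ODBC:" heading in the 5.5.34 block, and this hunk only adds the missing colon to that heading instead of moving the entry to "- Phar:" where it belongs; since the hunk already touches that line, correct the section while backfilling the CVE. The four new 5.5.36 entries (#72114, #72135, #72227, #72241) are also the only ones left without CVE identifiers while the same hunk adds ids to the 5.5.35 and 5.5.34 entries; if ids have been assigned by packaging time, add them for consistency with #71331 (CVE-2016-4343).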
......@@ -63,13 +81,16 @@ PHP NEWS
. Improved the fix for bug #70976. (Remi)
- PCRE:
. Upgraded pcrelib to 8.38.
. Upgraded pcrelib to 8.38. (CVE-2015-8383, CVE-2015-8386, CVE-2015-8387,
CVE-2015-8389, CVE-2015-8390, CVE-2015-8391, CVE-2015-8393, CVE-2015-8394)
- Phar:
. Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (Stas)
. Fixed bug #71354 (Heap corruption in tar/zip/phar parser). (CVE-2016-4342)
(Stas)
. Fixed bug #71391 (NULL Pointer Dereference in phar_tar_setupmetadata()).
(Stas)
. Fixed bug #71488 (Stack overflow when decompressing tar archives). (Stas)
. Fixed bug #71488 (Stack overflow when decompressing tar archives).
(CVE-2016-2554) (Stas)
- WDDX:
. Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization). (Stas)
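Review bot: bug #71391 (NULL pointer dereference in phar_tar_setupmetadata()) sits between #71354 (CVE-2016-4342) and #71488 (CVE-2016-2554) but receives no identifier in this hunk; confirm whether one was assigned, and if the omission is deliberate, say so in the Debian changelog so the security tracker does not flag the entry as incomplete.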
......@@ -81,7 +102,7 @@ PHP NEWS
- GD:
. Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index
Out of Bounds). (emmanuel dot law at gmail dot com).
Out of Bounds). (CVE-2016-1903) (emmanuel dot law at gmail dot com).
- WDDX:
. Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization).
......@@ -96,16 +117,18 @@ PHP NEWS
01 Oct 2015, PHP 5.5.30
- Phar:
. Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (Stas)
. Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()).
(CVE-2015-7803) (Stas)
. Fixed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip
entry filename is "/"). (Stas)
entry filename is "/"). (CVE-2015-7804) (Stas)
03 Sep 2015, PHP 5.5.29
- Core:
. Fixed bug #70172 (Use After Free Vulnerability in unserialize()). (Stas)
. Fixed bug #70172 (Use After Free Vulnerability in unserialize()).
(CVE-2015-6834) (Stas)
. Fixed bug #70219 (Use after free vulnerability in session deserializer).
(taoguangchen at icloud dot com)
(CVE-2015-6835) (taoguangchen at icloud dot com)
- EXIF:
. Fixed bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte
......@@ -121,20 +144,21 @@ PHP NEWS
- SOAP:
. Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE).
(Stas)
(CVE-2015-6836) (Stas)
- SPL:
. Fixed bug #70365 (Use-after-free vulnerability in unserialize() with
SplObjectStorage). (taoguangchen at icloud dot com)
SplObjectStorage). (CVE-2015-6834) (taoguangchen at icloud dot com)
. Fixed bug #70366 (Use-after-free vulnerability in unserialize() with
SplDoublyLinkedList). (taoguangchen at icloud dot com)
SplDoublyLinkedList). (CVE-2015-6834) (taoguangchen at icloud dot com)
- XSLT:
. Fixed bug #69782 (NULL pointer dereference). (Stas)
. Fixed bug #69782 (NULL pointer dereference). (CVE-2015-6837, CVE-2015-6838)
(Stas)
- ZIP:
. Fixed bug #70350 (ZipArchive::extractTo allows for directory traversal when
creating directories). (neal at fb dot com)
creating directories). (CVE-2014-9767) (neal at fb dot com)
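Review bot: #70365 and #70366 both get CVE-2015-6834, the same id the previous hunk attaches to the Core entry #70172; that is plausible for one CVE covering the unserialize() use-after-free family, but since the later 5.5.28 SPL entries use a distinct id (CVE-2015-6831) for the same kind of bug, double-check the assignment against the advisory rather than assuming a copy of the Core entry. Also note #70385 (EXIF buffer over-read) in this hunk's context is left without an id.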
06 Aug 2015, PHP 5.5.28
......@@ -149,12 +173,12 @@ PHP NEWS
- OpenSSL:
. Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically
secure). (Stas)
secure). (CVE-2015-8867) (Stas)
- Phar:
. Improved fix for bug #69441. (Anatol Belski)
. Fixed bug #70019 (Files extracted from archive may be placed outside of
destination directory). (Anatol Belski)
destination directory). (CVE-2015-6833) (Anatol Belski)
- SOAP:
. Fixed bug #70081 (SoapClient info leak / null pointer dereference via
......@@ -162,13 +186,13 @@ PHP NEWS
- SPL:
. Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject
items). (sean.heelan)
items). (CVE-2015-6832) (sean.heelan)
. Fixed bug #70166 (Use After Free Vulnerability in unserialize() with
SPLArrayObject). (taoguangchen at icloud dot com)
SPLArrayObject). (CVE-2015-6831) (taoguangchen at icloud dot com)
. Fixed bug #70168 (Use After Free Vulnerability in unserialize() with
SplObjectStorage). (taoguangchen at icloud dot com)
SplObjectStorage). (CVE-2015-6831) (taoguangchen at icloud dot com)
. Fixed bug #70169 (Use After Free Vulnerability in unserialize() with
SplDoublyLinkedList). (taoguangchen at icloud dot com)
SplDoublyLinkedList). (CVE-2015-6831) (taoguangchen at icloud dot com)
9 Jul 2015, PHP 5.5.27
......@@ -239,7 +263,8 @@ PHP NEWS
heap overflow). (CVE-2015-4643) (Max Spelsberg)
. Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).
(CVE-2015-4642) (Anatol Belski)
. Fixed bug #69719 (Incorrect handling of paths with NULs). (Stas)
. Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598)
(Stas)
- GD:
. Fixed bug #69479 (GD fails to build with newer libvpx). (Remi)
......@@ -1254,6 +1254,10 @@ ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2)
int length = Z_STRLEN_P(op1) + 1;
char *buf;
if (UNEXPECTED(length < 0)) {
zend_error(E_ERROR, "String size overflow");
}
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length + 1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
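Review bot: the new `length < 0` test only fires if `Z_STRLEN_P(op1) + 1` wraps, and signed int overflow is undefined in C, so an optimising compiler may legitimately delete the check (it can assume `x + 1 < 0` is false for a non-negative `x`); compute the length in size_t, or use `__builtin_add_overflow`, and compare against INT_MAX. Independently, `length == INT_MAX` passes the check and then `emalloc(length + 1)` two lines down wraps again, so the bound needs to be `length >= INT_MAX`. Finally, `zend_error(E_ERROR, ...)` is fatal in practice but nothing in the code says so and control would fall through to the allocation; `zend_error_noreturn` documents the intent.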
......@@ -1273,6 +1277,9 @@ ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2
int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
char *buf;
if (UNEXPECTED(length < 0)) {
zend_error(E_ERROR, "String size overflow");
}
if (IS_INTERNED(Z_STRVAL_P(op1))) {
buf = (char *) emalloc(length+1);
memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
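Review bot: same problem as in add_char_to_string above: `Z_STRLEN_P(op1) + Z_STRLEN_P(op2)` is a signed int addition, so the wrap this `length < 0` check relies on is undefined behaviour that the optimiser may remove, and `length == INT_MAX` slips through to `emalloc(length+1)`. Suggest `size_t length = (size_t)Z_STRLEN_P(op1) + Z_STRLEN_P(op2); if (UNEXPECTED(length >= INT_MAX)) { zend_error_noreturn(E_ERROR, "String size overflow"); }`.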
......@@ -3691,7 +3691,7 @@ ac_config_headers="$ac_config_headers main/php_config.h"
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=5
PHP_RELEASE_VERSION=35
PHP_RELEASE_VERSION=36
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
......@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=5
PHP_RELEASE_VERSION=35
PHP_RELEASE_VERSION=36
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
......@@ -39,8 +39,8 @@
downscaling using the fixed point implementations are usually much faster
than the existing gdImageCopyResampled while having a similar or better
quality.
For image rotations, the optimized versions have a lazy antialiasing for
For image rotations, the optimized versions have a lazy antialiasing for
the edges of the images. For a much better antialiased result, the affine
function is recommended.
*/
......@@ -633,7 +633,7 @@ static inline int _color_blend (const int dst, const int src)
}
}
static inline int _setEdgePixel(const gdImagePtr src, unsigned int x, unsigned int y, gdFixed coverage, const int bgColor)
static inline int _setEdgePixel(const gdImagePtr src, unsigned int x, unsigned int y, gdFixed coverage, const int bgColor)
{
const gdFixed f_127 = gd_itofx(127);
register int c = src->tpixels[y][x];
......@@ -934,9 +934,6 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
double dTotalWeight = 0.0;
int iSrc;
res->ContribRow[u].Left = iLeft;
res->ContribRow[u].Right = iRight;
/* Cut edge points to fit in filter window in case of spill-off */
if (iRight - iLeft + 1 > windows_size) {
if (iLeft < ((int)src_size - 1 / 2)) {
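Review bot: `if (iLeft < ((int)src_size - 1 / 2))` in this hunk's context has a precedence bug: `1 / 2` is integer 0, so the condition is just `iLeft < (int)src_size`; the intent reads as the midpoint, `((int)src_size - 1) / 2`. The #72227 fix moves the Left/Right assignments around this very clamp, so it is worth correcting it in the same change rather than leaving the spill-off logic half working.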
......@@ -946,6 +943,9 @@ static inline LineContribType *_gdContributionsCalc(unsigned int line_size, unsi
}
}
res->ContribRow[u].Left = iLeft;
res->ContribRow[u].Right = iRight;
for (iSrc = iLeft; iSrc <= iRight; iSrc++) {
dTotalWeight += (res->ContribRow[u].Weights[iSrc-iLeft] = scale_f_d * (*pFilter)(scale_f_d * (dCenter - (double)iSrc)));
}
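Review bot: recording `res->ContribRow[u].Left/Right` only after the clamp is the right fix, because the loop below indexes `Weights[iSrc-iLeft]` from the clamped iLeft while consumers of Left/Right previously saw the unclamped range, which is how the read ran past the filter window. Add an `assert(iRight - iLeft + 1 <= windows_size)` (or a hard check that fails the calculation) right before the `for` so a later change to the clamp cannot silently reintroduce the overrun.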
......@@ -1070,12 +1070,12 @@ gdImagePtr gdImageScaleTwoPass(const gdImagePtr src, const unsigned int src_widt
dst = gdImageCreateTrueColor(new_width, new_height);
if (dst == NULL) {
gdFree(tmp_im);
gdImageDestroy(tmp_im);
return NULL;
}
gdImageSetInterpolationMethod(dst, src->interpolation_id);
_gdScaleVert(tmp_im, new_width, src_height, dst, new_width, new_height);
gdFree(tmp_im);
gdImageDestroy(tmp_im);
return dst;
}
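Review bot: tmp_im is a gdImagePtr (it is passed to _gdScaleVert as the source image), so `gdFree(tmp_im)` released only the struct and leaked the pixel rows; `gdImageDestroy` is the correct release on both the `dst == NULL` path and the success path, and the ordering on the error path (destroy, then return NULL) is right.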
......@@ -1093,7 +1093,7 @@ gdImagePtr Scale(const gdImagePtr src, const unsigned int src_width, const unsig
_gdScaleHoriz(src, src_width, src_height, tmp_im, new_width, src_height);
_gdScaleVert(tmp_im, new_width, src_height, dst, new_width, new_height);
gdFree(tmp_im);
gdImageDestroy(tmp_im);
return dst;
}
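Review bot: same leak as in gdImageScaleTwoPass: tmp_im here is an image, not a raw buffer, so `gdImageDestroy` rather than `gdFree` is required to free its rows as well.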
......@@ -2273,7 +2273,7 @@ int gdTransformAffineGetImage(gdImagePtr *dst,
if (!src->trueColor) {
gdImagePaletteToTrueColor(src);
}
/* Translate to dst origin (0,0) */
gdAffineTranslate(m, -bbox.x, -bbox.y);
gdAffineConcat(m, affine, m);
......@@ -2332,7 +2332,7 @@ int gdTransformAffineCopy(gdImagePtr dst,
if (src->interpolation_id == GD_BILINEAR_FIXED || src->interpolation_id == GD_BICUBIC_FIXED || src->interpolation_id == GD_NEAREST_NEIGHBOUR) {
interpolation_id_bak = src->interpolation_id;
interpolation_bak = src->interpolation;
gdImageSetInterpolationMethod(src, GD_BICUBIC);
}
--TEST--
Bug #72227: imagescale out-of-bounds read
--SKIPIF--
<?php
if (!extension_loaded('gd')) die("skip gd extension not available\n");
?>
--FILE--
<?php
$img = imagecreatetruecolor ( 100, 100);
imagescale($img, 13, 1, IMG_BICUBIC);
?>
DONE
--EXPECT--
DONE
\ No newline at end of file
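Review bot: the test passes whenever the script survives, which is what a crash-regression test needs, but it checks nothing about the result: keep the return value of `imagescale($img, 13, 1, IMG_BICUBIC)` and `var_dump(imagesx($r), imagesy($r))` so a silent `false` is caught and the 13x1 output size is pinned. Also add the missing newline at end of file.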
--TEST--
Bug #72241: get_icu_value_internal out-of-bounds read
--SKIPIF--
<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
--FILE--
<?php
$var1=str_repeat("A", 1000);
$out = locale_get_primary_language($var1);
echo strlen($out) . PHP_EOL;
echo unpack('H*', $out)[1] . PHP_EOL;
--EXPECT--
1000
61616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161
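Review bot: the --EXPECT section is a 2000-character hex dump of the 1000-byte input, which nobody can review by eye; `var_dump(strlen($out), $out === $var1)` states the same property (the locale string is returned intact, with no over-read past its end) and keeps the expectation to two lines. The SKIPIF also prints a bare 'skip' without a reason; use the same form as the other tests in this commit.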
......@@ -207,6 +207,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC)
zend_hash_internal_pointer_reset(manifest);
while (FAILURE != zend_hash_has_more_elements(manifest)) {
keylen = 0;
if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &key, &keylen, &unused, 0, NULL)) {
break;
}
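Review bot: initialising `keylen = 0` before the call is needed because zend_hash_get_current_key_ex only writes the string length for string keys, so an integer key left keylen (and `key`) uninitialised; but the result is still only compared against HASH_KEY_NON_EXISTENT, and the code below relies on the zero-length sentinel to skip the integer-key case. Testing the return value against HASH_KEY_IS_STRING explicitly would make the guard self-documenting and not dependent on the sentinel surviving future edits.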
......@@ -214,7 +215,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC)
PHAR_STR(key, str_key);
if (keylen <= (uint)dirlen) {
if (keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
if (keylen == 0 || keylen < (uint)dirlen || !strncmp(str_key, dir, dirlen)) {
PHAR_STR_FREE(str_key);
if (SUCCESS != zend_hash_move_forward(manifest)) {
break;
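Review bot: `keylen == 0 ||` is evaluated before `strncmp`, so str_key is never read for an unset or empty key, which closes #71331 here; however the new test only drives the tar loader, where a zero-length entry name is now rejected earlier in tar.c, so this branch is not actually exercised. Add a zip or native-phar archive with an empty entry name to the test, and note in a comment that the zero length covers both the empty-name and the integer-key cases.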
......@@ -356,7 +356,7 @@ bail:
entry.filename_len = entry.uncompressed_filesize;
/* Check for overflow - bug 61065 */
if (entry.filename_len == UINT_MAX) {
if (entry.filename_len == UINT_MAX || entry.filename_len == 0) {
if (error) {
spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file (invalid entry size)", fname);
}
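Review bot: rejecting `entry.filename_len == 0` here is what makes the new test stop with "invalid entry size", but the surrounding comment ("Check for overflow - bug 61065") and the error text now describe two different conditions; use a distinct message such as "empty entry name" and cite #71331 so the diagnostic stays accurate. Note also that this check sits in the path that derives the name length from uncompressed_filesize, so an empty name arriving by any other route still depends on the dirstream guard.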
--TEST--
Bug #71331 (Uninitialized pointer in phar_make_dirstream())
--SKIPIF--
<?php if (!extension_loaded("phar")) die("skip"); ?>
--FILE--
<?php
$p = new PharData(__DIR__."/bug71331.tar");
?>
DONE
--EXPECTF--
Fatal error: Uncaught exception 'UnexpectedValueException' with message 'phar error: "%s/bug71331.tar" is a corrupted tar file (invalid entry size)' in %s/bug71331.php:2
Stack trace:
#0 %s/bug71331.php(2): PharData->__construct('%s')
#1 {main}
thrown in %s/bug71331.php on line 2
\ No newline at end of file
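Review bot: the fixture `bug71331.tar` that this test opens is not in the visible diff; make sure the binary file is actually committed, otherwise PharData's constructor fails with a different message than the one hardcoded in --EXPECTF and the test reports a false failure. Add the trailing newline as well.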
......@@ -1758,6 +1758,12 @@ PHPAPI PHP_FUNCTION(fread)
RETURN_FALSE;
}
if (len > INT_MAX) {
/* string length is int in 5.x so we can not read more than int */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
RETURN_FALSE;
}
Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
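Review bot: the guard is placed after the existing rejection of non-positive lengths and before `emalloc(len + 1)`, which is the right spot: `len` is a long from parameter parsing, so on LP64 builds values above INT_MAX reached php_stream_read and were truncated when stored into the int Z_STRLEN. Two follow-ups: on 32-bit builds long and int are the same width, so the comparison is dead (expect a -Wtype-limits warning) but harmless; and the NEWS entry names gzread as well, so confirm gzread is served by this function or carries the same check.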
......@@ -163,7 +163,7 @@ static inline unsigned int get_next_char(
else
MB_FAILURE(pos, 4);
}
this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
MB_FAILURE(pos, 4);
......@@ -437,7 +437,7 @@ det_charset:
if (charset_hint) {
int found = 0;
/* now walk the charset map and look for the codeset */
for (i = 0; charset_map[i].codeset; i++) {
if (len == strlen(charset_map[i].codeset) && strncasecmp(charset_hint, charset_map[i].codeset, len) == 0) {
......@@ -545,7 +545,7 @@ static inline unsigned char unimap_bsearch(const uni_to_enc *table, unsigned cod
return 0;
code_key = (unsigned short) code_key_a;
while (l <= h) {
m = l + (h - l) / 2;
if (code_key < m->un_code_point)
......@@ -571,7 +571,7 @@ static inline int map_from_unicode(unsigned code, enum entity_charset charset, u
/* identity mapping of code points to unicode */
if (code > 0xFF) {
return FAILURE;
}
}
*res = code;
break;
......@@ -590,7 +590,7 @@ static inline int map_from_unicode(unsigned code, enum entity_charset charset, u
return FAILURE;
}
break;
case cs_8859_15:
if (code < 0xA4 || (code > 0xBE && code <= 0xFF)) {
*res = code;
......@@ -634,7 +634,7 @@ static inline int map_from_unicode(unsigned code, enum entity_charset charset, u
case cs_cp866:
table = unimap_cp866;
table_size = sizeof(unimap_cp866) / sizeof(*unimap_cp866);
table_over_7F:
if (code <= 0x7F) {
*res = code;
......@@ -710,7 +710,7 @@ static inline int unicode_cp_is_allowed(unsigned uni_cp, int document_type)
* Not sure this is the relevant part for HTML 5, though. I opted to
* disallow the characters that would result in a parse error when
* preprocessing of the input stream. See also section 8.1.3.
*
*
* It's unclear if XHTML 1.0 allows C1 characters. I'll opt to apply to
* XHTML 1.0 the same rules as for XML 1.0.
* See <http://cmsmcq.com/2007/C1.xml>.
......@@ -774,7 +774,7 @@ static inline int numeric_entity_is_allowed(unsigned uni_cp, int document_type)
/* {{{ process_numeric_entity
* Auxiliary function to traverse_for_entities.
* On input, *buf should point to the first character after # and on output, it's the last
* byte read, no matter if there was success or insuccess.
* byte read, no matter if there was success or insuccess.
*/
static inline int process_numeric_entity(const char **buf, unsigned *code_point)
{
......@@ -784,7 +784,7 @@ static inline int process_numeric_entity(const char **buf, unsigned *code_point)
if (hexadecimal && (**buf != '\0'))
(*buf)++;
/* strtol allows whitespace and other stuff in the beginning
* we're not interested */
if ((hexadecimal && !isxdigit(**buf)) ||
......@@ -969,7 +969,7 @@ static void traverse_for_entities(
goto invalid_code;
/* are we allowed to decode this entity in this document type?
* HTML 5 is the only that has a character that cannot be used in
* HTML 5 is the only that has a character that cannot be used in
* a numeric entity but is allowed literally (U+000D). The
* unoptimized version would be ... || !numeric_entity_is_allowed(code) */
if (!unicode_cp_is_allowed(code, doctype) ||
......@@ -996,9 +996,9 @@ static void traverse_for_entities(
}
}
}
assert(*next == ';');
if (((code == '\'' && !(flags & ENT_HTML_QUOTE_SINGLE)) ||
(code == '"' && !(flags & ENT_HTML_QUOTE_DOUBLE)))
/* && code2 == '\0' always true for current maps */)
......@@ -1026,7 +1026,7 @@ invalid_code:
*(q++) = *p;
}
}
*q = '\0';
*retlen = (size_t)(q - ret);
}
......@@ -1066,7 +1066,7 @@ static entity_table_opt determine_entity_table(int all, int doctype)
entity_table_opt retval = {NULL};
assert(!(doctype == ENT_HTML_DOC_XML1 && all));
if (all) {
retval.ms_table = (doctype == ENT_HTML_DOC_HTML5) ?
entity_ms_table_html5 : entity_ms_table_html4;
......@@ -1111,13 +1111,13 @@ PHPAPI char *php_unescape_html_entities(unsigned char *old, size_t oldlen, size_
if (retlen == 0) {
goto empty_source;
}
inverse_map = unescape_inverse_map(all, flags);
/* replace numeric entities */
traverse_for_entities(old, oldlen, ret, &retlen, all, flags, inverse_map, charset);
empty_source:
empty_source:
*newlen = retlen;
return ret;
}
......@@ -1141,7 +1141,7 @@ static inline void find_entity_for_char(
{
unsigned stage1_idx = ENT_STAGE1_INDEX(k);
const entity_stage3_row *c;
if (stage1_idx > 0x1D) {
*entity = NULL;
*entity_len = 0;
......@@ -1162,7 +1162,7 @@ static inline void find_entity_for_char(
if (!(*cursor < oldlen))
goto no_suitable_2nd;
next_char = get_next_char(charset, old, oldlen, cursor, &status);
next_char = get_next_char(charset, old, oldlen, cursor, &status);
if (status == FAILURE)
goto no_suitable_2nd;
......@@ -1187,7 +1187,7 @@ no_suitable_2nd:
*entity = (const unsigned char *)
c->data.multicodepoint_table[0].leading_entry.default_entity;
*entity_len = c->data.multicodepoint_table[0].leading_entry.default_entity_len;
}
}
}
/* }}} */
......@@ -1255,7 +1255,7 @@ PHPAPI char *php_escape_html_entities_ex(unsigned char *old, size_t oldlen, size
/* initial estimate */
if (oldlen < 64) {
maxlen = 128;
maxlen = 128;
} else {
maxlen = 2 * oldlen;
if (maxlen < oldlen) {
......@@ -1423,6 +1423,11 @@ encode_amp:
}
replaced[len] = '\0';
*newlen = len;
if(len > INT_MAX) {
zend_error_noreturn(E_ERROR, "Escaped string is too long");
efree(replaced);
return NULL;
}
return replaced;
}
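Review bot: `zend_error_noreturn(E_ERROR, ...)` never returns, so the `efree(replaced); return NULL;` that follow it are unreachable; either drop them or use plain `zend_error` so the cleanup and the NULL return actually execute (callers would then have to handle NULL). The check also runs after `replaced[len] = '\0'` and `*newlen = len` have been written, i.e. after a buffer longer than INT_MAX has already been allocated and filled; bounding `maxlen` where the buffer is grown (see the `maxlen = 2 * oldlen` estimate above) would stop the over-long result from being built at all instead of aborting at the end.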
......@@ -1577,7 +1582,7 @@ static inline void write_s3row_data(
} else {
spe_cp = uni_cp;
}
written_k2 = write_octet_sequence(&key[written_k1], charset, spe_cp);
memcpy(&entity[1], mcpr[i].normal_entry.entity, l);
entity[l + 1] = ';';
......@@ -1615,7 +1620,7 @@ PHP_FUNCTION(get_html_translation_table)
LIMIT_ALL(all, doctype, charset);
array_init(return_value);
entity_table = determine_entity_table(all, doctype);
if (all && !CHARSET_UNICODE_COMPAT(charset)) {
to_uni_table = enc_to_uni_index[charset];
--TEST--
Bug #72114 (Integer underflow / arbitrary null write in fread/gzread)
--FILE--
<?php
ini_set('memory_limit', "2500M");
$fp = fopen("/dev/zero", "r");
fread($fp, 2147483648);
?>
Done
--EXPECTF--
Warning: fread(): Length parameter must be no more than 2147483647 in %s/bug72114.php on line %d
Done
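Review bot: the test has no --SKIPIF, yet it depends on /dev/zero (absent on Windows) and on the literal 2147483648 fitting in a PHP integer, which is not the case on 32-bit builds where it becomes a float and the "l" parameter is parsed differently; add a SKIPIF for both. The 2500M memory_limit is also no longer needed, since the new check in fread fires before `emalloc(len + 1)`, so it can be removed or lowered to keep the test cheap.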
......@@ -2,7 +2,7 @@
/* edit configure.in to change version number */
#define PHP_MAJOR_VERSION 5
#define PHP_MINOR_VERSION 5
#define PHP_RELEASE_VERSION 35
#define PHP_RELEASE_VERSION 36
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "5.5.35"
#define PHP_VERSION_ID 50535
#define PHP_VERSION "5.5.36"
#define PHP_VERSION_ID 50536