Commit bebda9be authored by Ondrej Sury's avatar Ondrej Sury

New upstream version 5.6.31+dfsg

parent 790af260
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
06 Jul 2017, PHP 5.6.31
- Core:
. Fixed bug #73807 (Performance problem with processing post request over
2000000 chars). (Nikita)
. Fixed bug #74111 (Heap buffer overread (READ: 1) finish_nested_data from
unserialize). (Nikita)
. Fixed bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability).
(Stas)
. Fixed bug #74819 (wddx_deserialize() heap out-of-bound read via
php_parse_date()). (Derick)
- GD:
. Fixed bug #74435 (Buffer over-read into uninitialized memory). (cmb)
- mbstring:
. Add oniguruma upstream fix (CVE-2017-9224, CVE-2017-9226, CVE-2017-9227,
CVE-2017-9228, CVE-2017-9229) (Remi, Mamoru TASAKA)
- OpenSSL:
. Fixed bug #74651 (negative-size-param (-1) in memcpy in zif_openssl_seal()).
(Stas)
- PCRE:
. Fixed bug #74087 (Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)).
(Stas)
- WDDX:
. Fixed bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV). (Stas)
19 Jan 2017, PHP 5.6.30
- EXIF:
......
--TEST--
Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability)
--SKIPIF--
<?php
if (PHP_INT_MAX !== 2147483647)
die('skip for 32-bit only');
--FILE--
<?php
var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL));
?>
--EXPECT--
array(1) {
[0]=>
string(1) "0"
}
......@@ -130,7 +130,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
{
int i_result;
int i_op1, i_op2;
char str_result[MAX_LENGTH_OF_LONG];
char str_result[MAX_LENGTH_OF_LONG+1];
i_op1 = atoi(Z_STRVAL_P(op1));
free(Z_STRVAL_P(op1));
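Review bot: The enlarged `str_result[MAX_LENGTH_OF_LONG+1]` fixes the size, but the write that fills it is below the hunk and nothing here shows it is bounded, so the next change to MAX_LENGTH_OF_LONG can reopen the overflow. The extra byte is presumably the NUL terminator of the formatted integer (the new test on this page is 32-bit-only, which fits a `-2147483648` plus NUL case); document it with `/* +1: NUL terminator of the formatted value (bug #74603) */` and format with `snprintf(str_result, sizeof str_result, ...)` so the bound follows the array. The same one-line change appears again in the next zend_ini_do_op hunk (one of the two is presumably the generated copy of the other); the comment belongs on both. `atoi()` on the two INI operands has no overflow or error reporting, and `strtol` with `errno`/end-pointer checks would be the bounded form, though that is a separate change. zend_ini_do_op continues outside the hunk.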
......
......@@ -53,7 +53,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
{
int i_result;
int i_op1, i_op2;
char str_result[MAX_LENGTH_OF_LONG];
char str_result[MAX_LENGTH_OF_LONG+1];
i_op1 = atoi(Z_STRVAL_P(op1));
free(Z_STRVAL_P(op1));
......
......@@ -3672,7 +3672,7 @@ ac_config_headers="$ac_config_headers main/php_config.h"
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=30
PHP_RELEASE_VERSION=31
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
......@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=30
PHP_RELEASE_VERSION=31
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
......
......@@ -899,7 +899,7 @@ datefull = day ([ \t.-])* monthtext ([ \t.-])* year;
datenoday = monthtext ([ .\t-])* year4;
datenodayrev = year4 ([ .\t-])* monthtext;
datetextual = monthtext ([ .\t-])* day [,.stndrh\t ]+ year;
datenoyear = monthtext ([ .\t-])* day [,.stndrh\t ]*;
datenoyear = monthtext ([ .\t-])* day ([,.stndrh\t ]+|[\000]);
datenoyearrev = day ([ .\t-])* monthtext;
datenocolon = year4 monthlz daylz;
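Review bot: The `[\000]` alternative in the new `datenoyear` rule is doing a bounds job that a reader cannot see from the rule itself, so it should carry a comment. The old `[,.stndrh\t ]*` allowed an empty suffix, while the new rule requires at least one suffix character or the terminating NUL; presumably this is what stops the scanner from matching, and reading, past the end of the buffer, which is the out-of-bounds read the NEWS entry for bug #74819 on this page describes. Suggest `/* require a separator or the NUL terminator after the day so the rule cannot match past the end of the input (bug #74819) */` above the rule.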
......
......@@ -34,14 +34,14 @@ foreach ( $tests as $start => $data )
echo "\n";
?>
--EXPECT--
Sat, 23 Oct 2010 00:00:00 +0000
Fri, 15 Oct 2010 23:00:00 +0000
Wed, 15 Dec 2010 16:15:00 +0000
Mon, 20 Dec 2010 00:00:00 +0000
Mon, 20 Dec 2010 10:00:00 +0000
Tue, 21 Dec 2010 12:00:00 +0000
Mon, 03 Jan 2011 00:00:00 +0000
Mon, 03 Jan 2011 09:00:00 +0000
Sat, 23 Oct 2010 00:00:00 +0100
Fri, 15 Oct 2010 23:00:00 +0100
Sun, 28 Mar 2010 00:15:00 +0000
Sun, 28 Mar 2010 02:15:00 +0100
Sun, 28 Mar 2010 02:15:00 +0100
......@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
int haveGlobalColormap;
gdImagePtr im = 0;
memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
/*1.4//imageNumber = 1; */
if (! ReadOK(fd,buf,6)) {
return 0;
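Review bot: `memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE)` and the localColorMap memset hard-code the array size instead of taking it from the object; if these are true arrays declared in gdImageCreateFromGifCtx (their declarations are above the hunk), `memset(ColorMap, 0, sizeof ColorMap);` keeps the length tied to the declaration. The zeroing makes a read of an entry the file never set deterministic, which is what the new test on this page checks, but it does not by itself reject pixel indices beyond the colormap actually read; I can't see from here whether that is checked elsewhere in this function. A one-line comment such as `/* zero both colormaps so entries the file never sets are not read uninitialized (bug #74435) */` would record why these were added. The function continues outside the hunk.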
......
--TEST--
Bug #74435 (Buffer over-read into uninitialized memory)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
$im = imagecreatefromgif(__DIR__ . DIRECTORY_SEPARATOR . 'bug74435.gif');
var_dump($im);
$width = imagesx($im);
$height = imagesy($im);
for ($i = 0; $i < $width; $i += 16) {
for ($j = 0; $j < $height; $j += 16) {
if (($index = imagecolorat($im, $i, $j)) >= 2) {
list($red, $green, $blue, $alpha) = array_values(imagecolorsforindex($im, $index));
if ($red !== 0 || $green !== 0 || $blue !== 0 || $alpha !== 0) {
echo "unexpected color at ($i, $j)\n";
}
}
}
}
?>
===DONE===
--EXPECTF--
resource(%d) of type (gd)
===DONE===
......@@ -1425,14 +1425,9 @@ match_at(regex_t* reg, const UChar* str, const UChar* end,
break;
case OP_EXACT1: MOP_IN(OP_EXACT1);
#if 0
DATA_ENSURE(1);
if (*p != *s) goto fail;
p++; s++;
#endif
if (*p != *s++) goto fail;
DATA_ENSURE(0);
p++;
MOP_OUT;
break;
......@@ -3128,6 +3123,8 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
}
else {
UChar *q = p + reg->dmin;
if (q >= end) return 0; /* fail */
while (p < q) p += enclen(reg->enc, p);
}
}
......@@ -3208,7 +3205,13 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
else {
if (reg->dmax != ONIG_INFINITE_DISTANCE) {
*low = p - reg->dmax;
if (*low > s) {
if (p - str < reg->dmax) {
*low = (UChar* )str;
if (low_prev)
*low_prev = onigenc_get_prev_char_head(reg->enc, str, *low);
}
else {
if (*low > s) {
*low = onigenc_get_right_adjust_char_head_with_prev(reg->enc, s,
*low, (const UChar** )low_prev);
if (low_prev && IS_NULL(*low_prev))
......@@ -3221,6 +3224,7 @@ forward_search_range(regex_t* reg, const UChar* str, const UChar* end, UChar* s,
(pprev ? pprev : str), *low);
}
}
}
}
/* no needs to adjust *high, *high is used as range check only */
*high = p - reg->dmin;
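Review bot: `*low = p - reg->dmax;` is still computed before the new `if (p - str < reg->dmax)` guard, as far as the rendered hunk shows, so when the guard is true the subtraction has already formed a pointer before the start of `str`; forming such a pointer is undefined behaviour in C even though it is only overwritten with `str` afterwards, and compilers do optimise on that assumption. Move the assignment into the else branch: `else { *low = p - reg->dmax; if (*low > s) { ...`. The other hunks in this section look right: the `q >= end` check in forward_search_range, and, if I read the side assignment correctly, the OP_EXACT1 case of match_at now runs `DATA_ENSURE(1)` before reading `*s` where it previously read `*s++` first; a comment there, `/* bounds check must precede the read of *s */`, would keep that order from being "simplified" back. Both functions start and end outside their hunks.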
......
......@@ -3064,7 +3064,7 @@ fetch_token_in_cc(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
PUNFETCH;
prev = p;
num = scan_unsigned_octal_number(&p, end, 3, enc);
if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
if (p == prev) { /* can't read nothing. */
num = 0; /* but, it's not error */
}
......@@ -3436,7 +3436,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
if (IS_SYNTAX_OP(syn, ONIG_SYN_OP_ESC_OCTAL3)) {
prev = p;
num = scan_unsigned_octal_number(&p, end, (c == '0' ? 2:3), enc);
if (num < 0) return ONIGERR_TOO_BIG_NUMBER;
if (num < 0 || num >= 256) return ONIGERR_TOO_BIG_NUMBER;
if (p == prev) { /* can't read nothing. */
num = 0; /* but, it's not error */
}
......@@ -4068,7 +4068,9 @@ next_state_class(CClassNode* cc, OnigCodePoint* vs, enum CCVALTYPE* type,
}
}
*state = CCS_VALUE;
if (*state != CCS_START)
*state = CCS_VALUE;
*type = CCV_CLASS;
return 0;
}
......@@ -4084,7 +4086,11 @@ next_state_val(CClassNode* cc, OnigCodePoint *vs, OnigCodePoint v,
switch (*state) {
case CCS_VALUE:
if (*type == CCV_SB)
{
if (*vs > 0xff)
return ONIGERR_INVALID_CODE_POINT_VALUE;
BITSET_SET_BIT(cc->bs, (int )(*vs));
}
else if (*type == CCV_CODE_POINT) {
r = add_code_range(&(cc->mbuf), env, *vs, *vs);
if (r < 0) return r;
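Review bot: The new range checks spell the single-byte limit as a bare number three times and in two forms — `num >= 256` in fetch_token_in_cc and fetch_token, and `*vs > 0xff` in next_state_val. Naming it once (oniguruma's regint.h defines `SINGLE_BYTE_SIZE` for this, if it is in scope here; otherwise a local enum) keeps the three checks in step and states the intent at each site, which in next_state_val is visibly that the value must fit the bitset written by `BITSET_SET_BIT(cc->bs, ...)`: `if (num < 0 || num >= SINGLE_BYTE_SIZE) return ONIGERR_TOO_BIG_NUMBER;` and `if (*vs >= SINGLE_BYTE_SIZE)`. The next_state_class change, `if (*state != CCS_START) *state = CCS_VALUE;`, is not self-explanatory and would benefit from a comment saying why the start state must be preserved. All four functions extend outside their hunks.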
......
......@@ -4982,15 +4982,15 @@ PHP_FUNCTION(openssl_seal)
buf = emalloc(data_len + EVP_CIPHER_CTX_block_size(&ctx));
EVP_CIPHER_CTX_cleanup(&ctx);
if (!EVP_SealInit(&ctx, cipher, eks, eksl, NULL, pkeys, nkeys) || !EVP_SealUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len)) {
if (EVP_SealInit(&ctx, cipher, eks, eksl, NULL, pkeys, nkeys) <= 0 ||
!EVP_SealUpdate(&ctx, buf, &len1, (unsigned char *)data, data_len) ||
!EVP_SealFinal(&ctx, buf + len1, &len2)) {
RETVAL_FALSE;
efree(buf);
EVP_CIPHER_CTX_cleanup(&ctx);
goto clean_exit;
}
EVP_SealFinal(&ctx, buf + len1, &len2);
if (len1 + len2 > 0) {
zval_dtor(sealdata);
buf[len1 + len2] = '\0';
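Review bot: The switch from `!EVP_SealInit(...)` to `EVP_SealInit(...) <= 0` is the load-bearing part of this fix and deserves a comment, because a later reader will see `!` used for the two neighbouring calls and may "normalise" it. EVP_SealInit returns the number of public keys on success but, in the OpenSSL versions this code targets, -1 rather than 0 when encrypting the session key to one of the keys fails, so the old test accepted that failure and the per-key length array then held a negative size — consistent with the `negative-size-param (-1) in memcpy` title of the new test on this page. Suggest `/* EVP_SealInit returns npubk on success and 0 or -1 on failure: <= 0 is required here */` on the condition. Folding EVP_SealFinal into the same condition is correct and its failure now frees buf on the same path. PHP_FUNCTION(openssl_seal) continues outside the hunk.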
......
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
--TEST--
Bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal()
--SKIPIF--
<?php
if (!extension_loaded("openssl")) die("skip openssl not loaded");
?>
--FILE--
<?php
$inputstr = file_get_contents(__DIR__ . "/74651.pem");
$pub_key_id = openssl_get_publickey($inputstr);
var_dump($pub_key_id);
var_dump(openssl_seal($inputstr, $sealed, $ekeys, array($pub_key_id, $pub_key_id), 'AES-128-ECB'));
?>
--EXPECTF--
resource(%d) of type (OpenSSL key)
bool(false)
\ No newline at end of file
......@@ -7307,7 +7307,7 @@ if (opcode == OP_COND || opcode == OP_SCOND)
if (*matchingpath == OP_FAIL)
stacksize = 0;
if (*matchingpath == OP_RREF)
else if (*matchingpath == OP_RREF)
{
stacksize = GET2(matchingpath, 1);
if (common->currententry == NULL)
......
......@@ -42,7 +42,7 @@ bool(false)
Notice: unserialize(): Error at offset 17 of 33 bytes in %sbug25378.php on line %d
bool(false)
Notice: unserialize(): Error at offset 33 of 32 bytes in %sbug25378.php on line %d
Notice: unserialize(): Error at offset 32 of 32 bytes in %sbug25378.php on line %d
bool(false)
Notice: unserialize(): Error at offset 2 of 13 bytes in %sbug25378.php on line %d
......
......@@ -14,5 +14,5 @@ $poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
var_dump(unserialize($poc));
?>
--EXPECT--
int(73588229205)
--EXPECTF--
%s(73588229205)
--TEST--
Bug #74111: Heap buffer overread (READ: 1) finish_nested_data from unserialize
--FILE--
<?php
$s = 'O:8:"stdClass":00000000';
var_dump(unserialize($s));
?>
--EXPECTF--
Notice: unserialize(): Error at offset 25 of 23 bytes in %s on line %d
bool(false)
......@@ -48,7 +48,7 @@ DONE
--EXPECTF--
Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d
Notice: unserialize(): Error at offset 17 of 17 bytes in %sbug70436.php on line %d
Notice: unserialize(): Error at offset 16 of 17 bytes in %sbug70436.php on line %d
array(4) {
[0]=>
int(1)
......@@ -62,4 +62,4 @@ array(4) {
[3]=>
bool(false)
}
DONE
\ No newline at end of file
DONE
......@@ -410,13 +410,12 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
static inline int finish_nested_data(UNSERIALIZE_PARAMETER)
{
if (*((*p)++) == '}')
return 1;
if (*p >= max || **p != '}') {
return 0;
}
#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE
zval_ptr_dtor(rval);
#endif
return 0;
(*p)++;
return 1;
}
static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
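Review bot: finish_nested_data now checks `*p >= max` before reading `**p`, which is the fix, but the function has no comment stating its contract, and the second change — the `}` is consumed only on success — is easy to miss. Suggest a header comment: `/* Expect the '}' that closes a nested array/object. Returns 1 and advances *p past it on success; returns 0 without consuming anything when the input is exhausted or the byte is not '}'. */`. The changed expectation in the bug70436 test on this page (error offset 16 rather than 17 of 17 bytes) is presumably the visible consequence of no longer consuming a byte on failure. Dropping the `#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH...` dead block is welcome.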
......
--TEST--
Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV)
--SKIPIF--
<?php
if (!extension_loaded("wddx")) print "skip";
?>
--FILE--
<?php
$data = file_get_contents(__DIR__ . '/bug74145.xml');
$wddx = wddx_deserialize($data);
var_dump($wddx);
?>
DONE
--EXPECTF--
NULL
DONE
\ No newline at end of file
<?xml version='1.0' ?>
<!DOCTYPE et SYSTEM 'w'>
<wddxPacket ven='1.0'>
<array>
<var Name="name">
<boolean ></boolean>
</var>
</array>
</wddxPacket>
......@@ -801,20 +801,22 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
if (atts) for (i = 0; atts[i]; i++) {
if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
break;
}
} else {
ALLOC_ZVAL(ent.data);
INIT_PZVAL(ent.data);
Z_TYPE_P(ent.data) = IS_BOOL;
ent.type = ST_BOOLEAN;
SET_STACK_VARNAME;
ZVAL_FALSE(&ent.data);
ZVAL_FALSE(ent.data);
wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
}
} else if (!strcmp(name, EL_NULL)) {
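Review bot: A `<boolean>` element whose attribute list is non-empty but contains no usable `value` attribute still pushes nothing: the `else` belongs to `if (atts)`, so that case leaves the loop silently, while an element with a NULL attribute list now pushes a false. If the XML parser can hand this function a non-NULL array without `value`, the end-element handling would presumably see an unbalanced stack, which is the class of problem this fix addresses; consider deciding the fallback after the loop, e.g. a flag set inside the loop and the false push when it is not set. Separately, `Z_TYPE_P(ent.data) = IS_BOOL;` in the else branch is redundant with `ZVAL_FALSE(ent.data)` two lines later, which sets the type itself. php_wddx_push_element continues outside the hunk.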
......
......@@ -237,11 +237,14 @@ typedef struct post_var_data {
char *ptr;
char *end;
uint64_t cnt;
/* Bytes in ptr that have already been scanned for '&' */
size_t already_scanned;
} post_var_data_t;
static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSRMLS_DC)
{
char *ksep, *vsep, *val;
char *start, *ksep, *vsep, *val;
size_t klen, vlen;
/* FIXME: string-size_t */
unsigned int new_vlen;
......@@ -250,9 +253,11 @@ static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSR
return 0;
}
vsep = memchr(var->ptr, '&', var->end - var->ptr);
start = var->ptr + var->already_scanned;
vsep = memchr(start, '&', var->end - start);
if (!vsep) {
if (!eof) {
var->already_scanned = var->end - var->ptr;
return 0;
} else {
vsep = var->end;
......@@ -285,6 +290,7 @@ static zend_bool add_post_var(zval *arr, post_var_data_t *var, zend_bool eof TSR
efree(val);
var->ptr = vsep + (vsep != var->end);
var->already_scanned = 0;
return 1;
}
......@@ -304,7 +310,7 @@ static inline int add_post_vars(zval *arr, post_var_data_t *vars, zend_bool eof
}
}
if (!eof) {
if (!eof && vars->str.c != vars->ptr) {
memmove(vars->str.c, vars->ptr, vars->str.len = vars->end - vars->ptr);
}
return SUCCESS;
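Review bot: `already_scanned` is a new field read on the very first call (`start = var->ptr + var->already_scanned;`), so it must be zero wherever a `post_var_data_t` is created; that code is outside this hunk, and unless the struct is cleared with `memset`/`= {0}` there, `memchr` starts at an indeterminate offset into the buffer — please confirm the initialisation site or add an explicit `vars.already_scanned = 0;`. The offset is relative to `ptr`, so it survives the `memmove` in add_post_vars; a comment such as `/* already_scanned is relative to ptr and stays valid across the move */` would stop a future reader from resetting it there. The new `vars->str.c != vars->ptr` test avoids a no-op memmove but also skips the assignment `vars->str.len = vars->end - vars->ptr` embedded in its argument; that is fine only if str.len is already correct when ptr has not advanced, which is worth a comment or lifting the assignment out of the call.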
......
......@@ -2,7 +2,7 @@
/* edit configure.in to change version number */
#define PHP_MAJOR_VERSION 5
#define PHP_MINOR_VERSION 6
#define PHP_RELEASE_VERSION 30
#define PHP_RELEASE_VERSION 31
#define PHP_EXTRA_VERSION ""
#define PHP_VERSION "5.6.30"
#define PHP_VERSION_ID 50630
#define PHP_VERSION "5.6.31"
#define PHP_VERSION_ID 50631