From 8e3e034469d37d6dcc70245c12d5e950339908e2 Mon Sep 17 00:00:00 2001 From: Julien Pauli Date: Tue, 31 Mar 2015 16:03:52 +0200 Subject: [PATCH 01/27] 5.5.24RC1 --- NEWS | 8 ++++---- configure.in | 2 +- main/php_version.h | 4 ++-- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index 862ef6a3fa6..960a687ef49 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2015, PHP 5.5.24 +02 Apr 2015, PHP 5.5.24RC1 - Core: . Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). @@ -17,13 +17,13 @@ PHP NEWS . Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) +- Curl: + . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) + - Date: . Export date_get_immutable_ce so that it can be used by extensions. (Derick Rethans) -- Curl: - . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - - Enchant: . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol) diff --git a/configure.in b/configure.in index b56b85f12d5..3d58d4ccb48 100644 --- a/configure.in +++ b/configure.in @@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=5 PHP_RELEASE_VERSION=24 -PHP_EXTRA_VERSION="-dev" +PHP_EXTRA_VERSION="RC1" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 2997684bf0c..6a8e89e681b 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 5 #define PHP_RELEASE_VERSION 24 -#define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "5.5.24-dev" +#define PHP_EXTRA_VERSION "RC1" +#define PHP_VERSION "5.5.24RC1" #define PHP_VERSION_ID 50524 
From 30123005fff7f6852996ae6eb5e265ab7adf757f Mon Sep 17 00:00:00 2001 From: Derick Rethans Date: Tue, 31 Mar 2015 16:35:03 +0100 Subject: [PATCH 02/27] Fixed bug #69336 (Issues with "last day of "). --- ext/date/lib/parse_date.c | 6 +++--- ext/date/lib/parse_date.re | 4 ++-- ext/date/lib/timelib.h | 3 +++ ext/date/lib/tm2unixtime.c | 15 +++++++++++++-- ext/date/php_date.c | 2 +- ext/date/tests/bug69336.phpt | 20 ++++++++++++++++++++ 6 files changed, 42 insertions(+), 8 deletions(-) create mode 100644 ext/date/tests/bug69336.phpt diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c index afa1425565e..2a10139b433 100644 --- a/ext/date/lib/parse_date.c +++ b/ext/date/lib/parse_date.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Mon Aug 18 18:28:27 2014 */ +/* Generated by re2c 0.13.5 on Tue Mar 31 16:32:03 2015 */ #line 1 "ext/date/lib/parse_date.re" /* +----------------------------------------------------------------------+ @@ -19864,9 +19864,9 @@ yy1315: /* skip "last day of" or "first day of" */ if (*ptr == 'l' || *ptr == 'L') { - s->time->relative.first_last_day_of = 2; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_LAST_DAY_OF_MONTH; } else { - s->time->relative.first_last_day_of = 1; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH; } TIMELIB_DEINIT; diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re index 4cdbc2a37c1..66d4f223889 100644 --- a/ext/date/lib/parse_date.re +++ b/ext/date/lib/parse_date.re @@ -1030,9 +1030,9 @@ weekdayof = (reltextnumber|reltexttext) space (dayfull|dayabbr) space 'of /* skip "last day of" or "first day of" */ if (*ptr == 'l' || *ptr == 'L') { - s->time->relative.first_last_day_of = 2; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_LAST_DAY_OF_MONTH; } else { - s->time->relative.first_last_day_of = 1; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH; } TIMELIB_DEINIT; 
diff --git a/ext/date/lib/timelib.h b/ext/date/lib/timelib.h index 797ed10b196..28f3b8c924c 100644 --- a/ext/date/lib/timelib.h +++ b/ext/date/lib/timelib.h @@ -38,6 +38,9 @@ #define TIMELIB_SPECIAL_DAY_OF_WEEK_IN_MONTH 0x02 #define TIMELIB_SPECIAL_LAST_DAY_OF_WEEK_IN_MONTH 0x03 +#define TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH 0x01 +#define TIMELIB_SPECIAL_LAST_DAY_OF_MONTH 0x02 + #ifndef LONG_MAX #define LONG_MAX 2147483647L #endif diff --git a/ext/date/lib/tm2unixtime.c b/ext/date/lib/tm2unixtime.c index a3d48c59c42..0f59d31516b 100644 --- a/ext/date/lib/tm2unixtime.c +++ b/ext/date/lib/tm2unixtime.c @@ -205,15 +205,17 @@ static void do_adjust_relative(timelib_time* time) time->m += time->relative.m; time->y += time->relative.y; } + switch (time->relative.first_last_day_of) { - case 1: /* first */ + case TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH: /* first */ time->d = 1; break; - case 2: /* last */ + case TIMELIB_SPECIAL_LAST_DAY_OF_MONTH: /* last */ time->d = 0; time->m++; break; } + timelib_do_normalize(time); } @@ -296,6 +298,15 @@ static void do_adjust_special_early(timelib_time* time) break; } } + switch (time->relative.first_last_day_of) { + case TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH: /* first */ + time->d = 1; + break; + case TIMELIB_SPECIAL_LAST_DAY_OF_MONTH: /* last */ + time->d = 0; + time->m++; + break; + } timelib_do_normalize(time); } diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 0819b45df4e..7f05bab99e4 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c 
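Review bot: The two new constants in timelib.h reuse values already taken by the TIMELIB_SPECIAL_* family directly above them (0x02 is also TIMELIB_SPECIAL_DAY_OF_WEEK_IN_MONTH), and nothing in the header says they belong to a different field, so a reader comparing `relative.special.type` against them by mistake gets no compiler help. The tm2unixtime.c and parse_date.re hunks only ever write them to `relative.first_last_day_of`, so a one-line comment above the pair would pin that down: `/* values of relative.first_last_day_of; unrelated to the special.type values above */`. A distinct prefix (e.g. TIMELIB_FIRST_DAY_OF_MONTH / TIMELIB_LAST_DAY_OF_MONTH) would avoid the name overlap as well, though that is a wider rename.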
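Review bot: The switch on `time->relative.first_last_day_of` now appears verbatim in both do_adjust_relative and do_adjust_special_early, so the next fix to one copy will likely miss the other; a small static helper holding the switch, called from both places just before `timelib_do_normalize(time)`, keeps them in step. Running the adjustment twice looks harmless because both cases are idempotent (`d = 1`, or `d = 0; m++` followed by normalisation, lands on the same day on a second pass), but that property is what makes the duplication safe and deserves a comment at the call site. Neither function is shown in full in the hunk, so the exact placement of the call should be checked against the surrounding code.
```c
/* Apply "first day of" / "last day of" to the absolute date.
 * Idempotent: a second application after normalisation yields the same day. */
static void do_adjust_first_last_day_of(timelib_time* time)
{
	switch (time->relative.first_last_day_of) {
		case TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH: /* first */
			time->d = 1;
			break;
		case TIMELIB_SPECIAL_LAST_DAY_OF_MONTH: /* last */
			time->d = 0;
			time->m++;
			break;
	}
}

/* … unchanged: do_adjust_relative up to the month/year adjustment … */
	do_adjust_first_last_day_of(time);
	timelib_do_normalize(time);
```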
@@ -2989,7 +2989,7 @@ void php_date_do_return_parsed_time(INTERNAL_FUNCTION_PARAMETERS, timelib_time * add_assoc_long(element, "weekdays", parsed_time->relative.special.amount); } if (parsed_time->relative.first_last_day_of) { - add_assoc_bool(element, parsed_time->relative.first_last_day_of == 1 ? "first_day_of_month" : "last_day_of_month", 1); + add_assoc_bool(element, parsed_time->relative.first_last_day_of == TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH ? "first_day_of_month" : "last_day_of_month", 1); } add_assoc_zval(return_value, "relative", element); } diff --git a/ext/date/tests/bug69336.phpt b/ext/date/tests/bug69336.phpt new file mode 100644 index 00000000000..8444aa30a35 --- /dev/null +++ b/ext/date/tests/bug69336.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #69336 (Issues with "last day of ") +--INI-- +date.timezone=UTC +--FILE-- + +--EXPECTF-- +string(10) "30.04.%d" +string(10) "31.03.2015" +string(10) "25.03.2015" +string(10) "29.04.2015" +string(10) "26.03.2014" +string(10) "30.04.2014" From b56f8022c8b66a58670115ac0e69ef81fd0a5fb9 Mon Sep 17 00:00:00 2001 From: Julien Pauli Date: Tue, 31 Mar 2015 17:46:23 +0200 Subject: [PATCH 03/27] Updated NEWS --- NEWS | 1 + 1 file changed, 1 insertion(+) diff --git a/NEWS b/NEWS index 960a687ef49..4ebfe1c107b 100644 --- a/NEWS +++ b/NEWS @@ -23,6 +23,7 @@ PHP NEWS - Date: . Export date_get_immutable_ce so that it can be used by extensions. (Derick Rethans) + . Fixed bug #69336 (Issues with "last day of "). (Derick Rethans) - Enchant: . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows From 80e263277600b5e62acfc993a308b8174f70581e Mon Sep 17 00:00:00 2001 
From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:01:37 -0700 Subject: [PATCH 04/27] Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault) --- NEWS | 4 ++++ ext/fileinfo/libmagic/softmagic.c | 3 +++ ext/fileinfo/tests/bug68819_001.phpt | 18 ++++++++++++++++++ ext/fileinfo/tests/bug68819_002.phpt | 26 ++++++++++++++++++++++++++ 4 files changed, 51 insertions(+) create mode 100644 ext/fileinfo/tests/bug68819_001.phpt create mode 100644 ext/fileinfo/tests/bug68819_002.phpt diff --git a/NEWS b/NEWS index 365615418dd..9c8e0ec5b67 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2015 PHP 5.4.40 +- Fileinfo: + . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or + segfault). (Anatol Belski)) + - SOAP: . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (Dmitry) diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index e7b7855eefe..54c1a03ef77 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -1037,6 +1037,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, if (bytecnt > nbytes) { bytecnt = nbytes; } + if (offset > bytecnt) { + offset = bytecnt; + } if (s == NULL) { ms->search.s_len = 0; ms->search.s = NULL; diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt new file mode 100644 index 00000000000..ce39ee61db6 --- /dev/null +++ b/ext/fileinfo/tests/bug68819_001.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1 +--SKIPIF-- + +--FILE-- +buffer($string); + +var_dump($type); +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt new file mode 100644 index 00000000000..cec238d63ed 
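Review bot: The new clamp in mcopy silently turns an out-of-range `offset` into an empty search window instead of rejecting the magic entry, and the line that consumes `offset` is outside the hunk, so the intent is easy to lose; a comment on the new block such as `/* offset past the end of the data would underflow the search length below; clamp so it becomes 0 */` would record why it exists. The clamp is only the right shape if the later code computes something like `bytecnt - offset` in an unsigned type (presumably the `ms->search.s_len` assignment that follows), so that should be confirmed rather than assumed when reading this. mcopy's body begins before and continues after the hunk.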
--- /dev/null +++ b/ext/fileinfo/tests/bug68819_002.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2 +--SKIPIF-- + +--FILE-- + 8192 +$string .= str_repeat(chr(rand(32, 127)), 8184); + +// Ending in this string +$string .= "say"; + +$finfo = new finfo(); +$type = $finfo->buffer($string); +var_dump($type); + +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" From af1cd45d171fbb06712f846cec7bf69438db8ec2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:03:46 -0700 Subject: [PATCH 05/27] Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4) --- NEWS | 4 ++++ sapi/apache2handler/sapi_apache2.c | 1 + 2 files changed, 5 insertions(+) diff --git a/NEWS b/NEWS index 9c8e0ec5b67..75aa306948e 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2015 PHP 5.4.40 +- Apache2 Handler SAPI: + . Fixed bug #69218 (potential remote code execution with apache 2.4 + apache2handler). (Patrick Schaaf) + - Fileinfo: . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)) diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c index e97f11c69bd..cfebc5f5c65 100644 --- a/sapi/apache2handler/sapi_apache2.c +++ b/sapi/apache2handler/sapi_apache2.c @@ -688,6 +688,7 @@ zend_first_try { } zend_end_try(); } apr_brigade_cleanup(brigade); + apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); } else { ctx->r = parent_req; } From cb0d325066486efafde8d9c324e083ac3d10a174 Mon Sep 17 00:00:00 2001 
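Review bot: The fixture in bug68819_002.phpt is built from `chr(rand(32, 127))`, which makes the expected `ASCII text, with very long lines, ...` output depend on a random draw: PHP's rand() range is inclusive, so about one run in 96 fills the 8184-byte run with DEL (0x7f), which as far as I can tell libmagic's text classifier does not count as printable ASCII, and the test would then report a different type. A fixed byte reproduces the original over-read just as well and keeps the test deterministic, e.g. `$string .= str_repeat("a", 8184);`; if variety is wanted, `rand(32, 126)` at least stays within printable ASCII. The same fixture is repeated in the 5.5 copy of this patch further down the series.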
From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:58:27 -0700 Subject: [PATCH 06/27] Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER) --- NEWS | 4 +++ ext/curl/interface.c | 4 +++ ext/curl/tests/bug69316.phpt | 47 ++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 ext/curl/tests/bug69316.phpt diff --git a/NEWS b/NEWS index 75aa306948e..da926d515f3 100644 --- a/NEWS +++ b/NEWS @@ -6,6 +6,10 @@ PHP NEWS . Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Patrick Schaaf) +- cURL: + . Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/ + _INFILE/_WRITEHEADER). (Laruence) + - Fileinfo: . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 0423f71f9a8..7f8f276791b 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1051,6 +1051,7 @@ static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION"); length = -1; } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } @@ -1124,6 +1125,7 @@ static size_t curl_progress(void *clientp, double dltotal, double dlnow, double if (error == FAILURE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot call the CURLOPT_PROGRESSFUNCTION"); } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } 
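Review bot: In curl_write the new `_php_curl_verify_handlers(ch, 1 TSRMLS_CC)` is only reached through the `else if (retval_ptr)` arm, so a callback that closes the CURLOPT_FILE/CURLOPT_INFILE resource and then returns nothing (or throws, in which case retval_ptr is presumably NULL) leaves the stale handler in place for whatever runs after the callback. Placing that single call directly after the callback invocation above the hunk, ahead of the `error == FAILURE` test, would cover every return path, and the same applies to the three sibling hunks in curl_progress, curl_read and curl_write_header. The body of curl_write starts before the hunk.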
@@ -1200,6 +1202,7 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx) length = CURL_READFUNC_ABORT; #endif } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) == IS_STRING) { length = MIN((int) (size * nmemb), Z_STRLEN_P(retval_ptr)); memcpy(data, Z_STRVAL_P(retval_ptr), length); @@ -1274,6 +1277,7 @@ static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION"); length = -1; } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } diff --git a/ext/curl/tests/bug69316.phpt b/ext/curl/tests/bug69316.phpt new file mode 100644 index 00000000000..0f8106b932f --- /dev/null +++ b/ext/curl/tests/bug69316.phpt @@ -0,0 +1,47 @@ +--TEST-- +Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER +--SKIPIF-- + +--FILE-- + +===DONE=== +--CLEAN-- + +--EXPECTF-- +Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d +array(1) { + ["test"]=> + string(7) "getpost" +} +array(0) { +} +===DONE=== From 920a0afbf8f83962c70aaf9a144810f320be92b3 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Thu, 29 Jan 2015 00:00:09 +0800 Subject: [PATCH 07/27] Fixed bug #68901 (use after free) --- NEWS | 3 +++ ext/phar/phar_object.c | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 0a83818e2e2..584defdc4e5 100644 --- a/NEWS +++ b/NEWS @@ -15,6 +15,9 @@ PHP NEWS - Sqlite3: . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan) +- Phar: + . Fixed bug #68901 (use after free). (bugreports at internot dot info) + - Postgres: . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui) diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c index a021200fda5..add1fa0d5c7 100644 
--- a/ext/phar/phar_object.c +++ b/ext/phar/phar_object.c @@ -2211,8 +2211,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c } its_ok: if (SUCCESS == php_stream_stat_path(newpath, &ssb)) { - efree(oldpath); zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath); + efree(oldpath); return NULL; } if (!phar->is_data) { From f938112c495b0d26572435c0be73ac0bfe642ecd Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:01:37 -0700 Subject: [PATCH 08/27] Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault) --- ext/fileinfo/libmagic/softmagic.c | 3 +++ ext/fileinfo/tests/bug68819_001.phpt | 18 ++++++++++++++++++ ext/fileinfo/tests/bug68819_002.phpt | 26 ++++++++++++++++++++++++++ 3 files changed, 47 insertions(+) create mode 100644 ext/fileinfo/tests/bug68819_001.phpt create mode 100644 ext/fileinfo/tests/bug68819_002.phpt diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index e7b7855eefe..54c1a03ef77 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -1037,6 +1037,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, if (bytecnt > nbytes) { bytecnt = nbytes; } + if (offset > bytecnt) { + offset = bytecnt; + } if (s == NULL) { ms->search.s_len = 0; ms->search.s = NULL; diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt new file mode 100644 index 00000000000..ce39ee61db6 --- /dev/null +++ b/ext/fileinfo/tests/bug68819_001.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1 +--SKIPIF-- + +--FILE-- +buffer($string); + +var_dump($type); +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" 
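Review bot: The swap in phar_rename_archive fixes the order but leaves no trace of why `oldpath` must outlive the throw, so the next tidy-up can put it back; a comment on the moved line, `/* must stay after the throw: bug #68901 */`, would guard that. The hunk shows only this one early-return branch; if other branches in the same function follow the same `efree(oldpath)`-then-`zend_throw_exception_ex` pattern (not visible from here), they would need the same reordering. The function begins well before the hunk.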
diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt new file mode 100644 index 00000000000..cec238d63ed --- /dev/null +++ b/ext/fileinfo/tests/bug68819_002.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2 +--SKIPIF-- + +--FILE-- + 8192 +$string .= str_repeat(chr(rand(32, 127)), 8184); + +// Ending in this string +$string .= "say"; + +$finfo = new finfo(); +$type = $finfo->buffer($string); +var_dump($type); + +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" From 809610f5ea38a83b284e1125d1fff129bdd615e7 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:03:46 -0700 Subject: [PATCH 09/27] Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4) --- sapi/apache2handler/sapi_apache2.c | 1 + 1 file changed, 1 insertion(+) diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c index e97f11c69bd..cfebc5f5c65 100644 --- a/sapi/apache2handler/sapi_apache2.c +++ b/sapi/apache2handler/sapi_apache2.c @@ -688,6 +688,7 @@ zend_first_try { } zend_end_try(); } apr_brigade_cleanup(brigade); + apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); } else { ctx->r = parent_req; } From 0ea75af9be8a40836951fc89f723dd5390b8b46f Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:58:27 -0700 Subject: [PATCH 10/27] Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER) --- ext/curl/interface.c | 4 ++++ ext/curl/tests/bug69316.phpt | 41 ++++++++++++++++++++++++++++++++++++ 2 files changed, 45 insertions(+) create mode 100644 ext/curl/tests/bug69316.phpt diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 0423f71f9a8..7f8f276791b 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c 
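Review bot: The new `apr_pool_cleanup_run` call carries no explanation, and the NEWS entry earlier in the series describes this as a potential remote code execution fix, so a comment is warranted: something like `/* run (and unregister) the server_context cleanup now rather than at pool destruction, so SG(server_context) is not left dangling if r->pool outlives this handler */` — the "why" part is my reading of the change, not something the hunk states, so the author should confirm the wording. The call is only added to the branch that runs the brigade cleanup; whether the `else { ctx->r = parent_req; }` branch can hit the same stale-context case is not visible here. The enclosing handler function begins before the hunk.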
@@ -1051,6 +1051,7 @@ static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION"); length = -1; } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } @@ -1124,6 +1125,7 @@ static size_t curl_progress(void *clientp, double dltotal, double dlnow, double if (error == FAILURE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot call the CURLOPT_PROGRESSFUNCTION"); } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } @@ -1200,6 +1202,7 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx) length = CURL_READFUNC_ABORT; #endif } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) == IS_STRING) { length = MIN((int) (size * nmemb), Z_STRLEN_P(retval_ptr)); memcpy(data, Z_STRVAL_P(retval_ptr), length); @@ -1274,6 +1277,7 @@ static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION"); length = -1; } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } diff --git a/ext/curl/tests/bug69316.phpt b/ext/curl/tests/bug69316.phpt new file mode 100644 index 00000000000..2a88eb2bc94 --- /dev/null +++ b/ext/curl/tests/bug69316.phpt @@ -0,0 +1,41 @@ +--TEST-- +Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER +--SKIPIF-- + +--FILE-- + +===DONE=== +--CLEAN-- + +--EXPECTF-- +Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d +===DONE=== From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001 
From: Stanislav Malyshev Date: Sun, 5 Apr 2015 15:07:36 -0700 Subject: [PATCH 11/27] Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar) --- ext/phar/phar.c | 65 ++++++++++++++++------------------- ext/phar/phar_internal.h | 2 +- ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes ext/phar/tests/bug69324.phpt | 17 +++++++++ 4 files changed, 48 insertions(+), 36 deletions(-) create mode 100644 ext/phar/tests/bug69324.phar create mode 100644 ext/phar/tests/bug69324.phpt diff --git a/ext/phar/phar.c b/ext/phar/phar.c index ec823514107..bf0c985a7c3 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len * * data is the serialized zval */ -int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ +int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ { const unsigned char *p; - php_uint32 buf_len; php_unserialize_data_t var_hash; - if (!zip_metadata_len) { - PHAR_GET_32(*buffer, buf_len); - } else { - buf_len = zip_metadata_len; - } - - if (buf_len) { + if (zip_metadata_len) { ALLOC_ZVAL(*metadata); INIT_ZVAL(**metadata); p = (const unsigned char*) *buffer; PHP_VAR_UNSERIALIZE_INIT(var_hash); - if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { PHP_VAR_UNSERIALIZE_DESTROY(var_hash); zval_ptr_dtor(metadata); *metadata = NULL; 
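Review bot: phar_parse_metadata now hands `p + zip_metadata_len` to php_var_unserialize without checking that the length lies within the caller's buffer, so the bounds contract has moved to the callers silently; the function's header comment (partly visible above the hunk) should state it, e.g. `zip_metadata_len must already be validated by the caller as not exceeding the bytes remaining in *buffer; this function no longer reads a length prefix or advances *buffer`. Renaming the parameter to plain `metadata_len` would also stop implying that only the zip reader passes it, now that every caller does. The second hunk of this function continues on the next line.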
@@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR if (PHAR_G(persist)) { /* lazy init metadata */ zval_ptr_dtor(metadata); - *metadata = (zval *) pemalloc(buf_len, 1); - memcpy(*metadata, *buffer, buf_len); - *buffer += buf_len; + *metadata = (zval *) pemalloc(zip_metadata_len, 1); + memcpy(*metadata, *buffer, zip_metadata_len); return SUCCESS; } } else { *metadata = NULL; } - if (!zip_metadata_len) { - *buffer += buf_len; - } - return SUCCESS; } /* }}}*/ @@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char phar_entry_info entry; php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; php_uint16 manifest_ver; + php_uint32 len; long offset; int sig_len, register_alias = 0, temp_alias = 0; char *signature = NULL; 
@@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char mydata->is_persistent = PHAR_G(persist); /* check whether we have meta data, zero check works regardless of byte order */ + PHAR_GET_32(buffer, len); if (mydata->is_persistent) { - PHAR_GET_32(buffer, mydata->metadata_len); - if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { - MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); - } - } else { - if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { - MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); + mydata->metadata_len = len; + if(!len) { + /* FIXME: not sure why this is needed but removing it breaks tests */ + PHAR_GET_32(buffer, len); } } + if(len > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); + } + if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { + MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); + } + buffer += len; /* set up our manifest */ zend_hash_init(&mydata->manifest, manifest_count, @@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char entry.manifest_pos = manifest_index; } - if (buffer + entry.filename_len + 20 > endbuffer) { + if (entry.filename_len + 20 > endbuffer - buffer) { MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); } 
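Review bot: The second `PHAR_GET_32(buffer, len)` inside `if(!len)` consumes four more manifest bytes with no check that four bytes remain before `endbuffer`, which is the very class of over-read this patch is fixing; guard it with `if (endbuffer - buffer < 4) { MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest)"); }` before the read, and the first PHAR_GET_32 needs the same unless an earlier check outside the hunk already covers it. The accompanying FIXME says the extra read exists only to keep tests passing; a parser quirk nobody can explain, shipped inside a security fix, deserves at least a bug reference in that comment. The `len > endbuffer - buffer` comparison mixes an unsigned 32-bit value with a pointer difference, which is fine only as long as buffer can never exceed endbuffer at this point.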
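Review bot: `entry.filename_len + 20` is computed in the width of `filename_len` — presumably the 32-bit unsigned value read from the manifest — so a length near 0xFFFFFFFF wraps to a small number, the new check passes, and the filename copy that follows reads far past the buffer; the old pointer form was undefined behaviour, but the new one has a concrete bypass. Test the remaining space first: `if (endbuffer - buffer < 20 || entry.filename_len > (size_t)(endbuffer - buffer - 20)) {`. The other `len > endbuffer - buffer` checks added in this patch do not add an offset and so do not share the problem.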
@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char entry.flags |= PHAR_ENT_PERM_DEF_DIR; } + PHAR_GET_32(buffer, len); if (entry.is_persistent) { - PHAR_GET_32(buffer, entry.metadata_len); - if (!entry.metadata_len) buffer -= 4; - if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { - pefree(entry.filename, entry.is_persistent); - MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); - } + entry.metadata_len = len; } else { - if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { - pefree(entry.filename, entry.is_persistent); - MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); - } + entry.metadata_len = 0; + } + if (len > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { + pefree(entry.filename, entry.is_persistent); + MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); } + buffer += len; entry.offset = entry.offset_abs = offset; offset += entry.compressed_filesize; diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h index c9306c15f4d..fcfc86457d6 100644 --- a/ext/phar/phar_internal.h +++ b/ext/phar/phar_internal.h 
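Review bot: The new `len > endbuffer - buffer` failure path calls MAPPHAR_FAIL without releasing `entry.filename`, whereas the phar_parse_metadata failure branch directly below it does `pefree(entry.filename, entry.is_persistent)` first; the filename is not yet in the manifest hash at this point, so the truncated-manifest error leaks it (permanently for persistent entries). Add `pefree(entry.filename, entry.is_persistent);` before that MAPPHAR_FAIL, matching the sibling branch. The allocation of entry.filename is outside the hunk, so confirm it is unconditional by this line.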
@@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len, char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC); -int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC); +int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); void destroy_phar_manifest_entry(void *pDest); int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); diff --git a/ext/phar/tests/bug69324.phar b/ext/phar/tests/bug69324.phar new file mode 100644 index 0000000000000000000000000000000000000000..0882d88c224216896e5923705374e985efb6e603 GIT binary patch literal 269 zcmcDqFUTlRh>!Ph^a+V~_V*3&^l=T+(6m;tw|m9Fz`zK^0$`dMNM>Z_14*!85=iDi z5337^{`r1i;Wi-SKagE)Wo~Gtl#!`Wl95`Js$>n4PexXpe}5+%NU<_dBGJmosyfrk zz`7X70BTaQ&a^TFa!jq1pxSFeT2qkqpYggo1EgOcrXQ{sSzoc0v6WI +--FILE-- +getMetadata(); +var_dump($meta); +} catch(Exception $e) { + echo $e->getMessage(); +} +--EXPECTF-- +internal corruption of phar "%s" (truncated manifest entry) \ No newline at end of file From 4435b9142ff9813845d5c97ab29a5d637bedb257 Mon Sep 17 00:00:00 2001 
From: Stanislav Malyshev Date: Sun, 5 Apr 2015 16:01:24 -0700 Subject: [PATCH 12/27] Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions) --- ext/dom/document.c | 5 ++++- ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 5 +++++ ext/fileinfo/fileinfo.c | 5 +++++ ext/fileinfo/tests/finfo_file_basic.phpt | 4 ++++ ext/gd/gd.c | 8 ++++---- ext/hash/hash.c | 7 ++++++- ext/hash/tests/hash_hmac_file_error.phpt | 7 +++++++ ext/pgsql/pgsql.c | 2 +- ext/standard/link.c | 2 +- ext/standard/streamsfuncs.c | 2 +- ext/xmlwriter/php_xmlwriter.c | 4 ++-- ext/zlib/zlib.c | 4 ++-- 12 files changed, 42 insertions(+), 13 deletions(-) diff --git a/ext/dom/document.c b/ext/dom/document.c index f105f6d7fe8..4666746ad2b 100644 --- a/ext/dom/document.c +++ b/ext/dom/document.c @@ -1580,6 +1580,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc xmlInitParser(); if (mode == DOM_LOAD_FILE) { + if (CHECK_NULL_PATH(source, source_len)) { + return NULL; + } char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (file_dest) { ctxt = xmlCreateFileParserCtxt(file_dest); @@ -2168,7 +2171,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ id = getThis(); - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { return; } diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt index e59ff56c5a8..75004e2a74e 100644 --- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt +++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt 
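Review bot: The new `if (CHECK_NULL_PATH(source, source_len)) { return NULL; }` in dom_document_parser is inserted ahead of `char *file_dest = ...`, turning a declaration at the top of the block into a declaration after a statement; PHP 5 is, as far as I know, still built with compilers that reject mixed declarations and code (the Windows builds in particular), so this will not compile there. Split it: `char *file_dest; if (CHECK_NULL_PATH(source, source_len)) { return NULL; } file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);`. Returning NULL here also emits no diagnostic, unlike the `Invalid path` warning used by the fileinfo and hash hunks of this same patch, so a caller just sees a bare failure.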
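Review bot: dom_load_html takes a `mode` argument, so if it also backs loadHTML() (string mode), switching the format to `p|l` now rejects any HTML content containing a NUL byte with a misleading "expects parameter 1 to be a valid path" warning — a behaviour change for callers passing binary-ish markup, not just a path check. Keep `s|l` and apply the NUL check only when `mode == DOM_LOAD_FILE`, emitting the same `Invalid path` warning the other extensions in this patch use; the new loadHTMLFile test that expects `null` would then expect `false` plus that warning instead. The function body continues past the hunk.
```c
	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
		return;
	}
	if (mode == DOM_LOAD_FILE && CHECK_NULL_PATH(source, source_len)) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
		RETURN_FALSE;
	}
	/* … unchanged: remainder of dom_load_html … */
```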
@@ -13,6 +13,11 @@ assert.bail=true $doc = new DOMDocument(); $result = $doc->loadHTMLFile(""); assert('$result === false'); +$doc = new DOMDocument(); +$result = $doc->loadHTMLFile("text.html\0something"); +assert('$result === null'); ?> --EXPECTF-- %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s + +%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c index 2d523ab4981..5fd95117452 100644 --- a/ext/fileinfo/fileinfo.c +++ b/ext/fileinfo/fileinfo.c @@ -506,6 +506,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime RETVAL_FALSE; goto clean; } + if (CHECK_NULL_PATH(buffer, buffer_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETVAL_FALSE; + goto clean; + } wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC); diff --git a/ext/fileinfo/tests/finfo_file_basic.phpt b/ext/fileinfo/tests/finfo_file_basic.phpt index 20223fd88ea..ee70e2e2533 100644 --- a/ext/fileinfo/tests/finfo_file_basic.phpt +++ b/ext/fileinfo/tests/finfo_file_basic.phpt @@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n"; var_dump( finfo_file( $finfo, __FILE__) ); var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); var_dump( finfo_file( $finfo, $magicFile ) ); +var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); ?> ===DONE=== @@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) ); string(28) "text/x-php; charset=us-ascii" string(22) "PHP script, ASCII text" string(25) "text/plain; charset=utf-8" + +Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d +bool(false) ===DONE=== diff --git a/ext/gd/gd.c b/ext/gd/gd.c index e5657f7424a..d258c3dbc78 100644 --- a/ext/gd/gd.c +++ b/ext/gd/gd.c 
@@ -1495,7 +1495,7 @@ PHP_FUNCTION(imageloadfont) gdFontPtr font; php_stream *stream; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) { return; } @@ -2438,7 +2438,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, long ignore_warning; #endif if (image_type == PHP_GDIMG_TYPE_GD2PART) { - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { return; } if (width < 1 || height < 1) { @@ -2446,7 +2446,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, RETURN_FALSE; } } else { - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { return; } } @@ -4178,7 +4178,7 @@ PHP_FUNCTION(imagepsencodefont) char *enc, **enc_vector; int enc_len, *f_ind; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) { return; } diff --git a/ext/hash/hash.c b/ext/hash/hash.c index bd9dcca59fd..f5988c9c664 100644 --- a/ext/hash/hash.c +++ b/ext/hash/hash.c @@ -142,6 +142,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_ } if (isfilename) { if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); RETURN_FALSE; } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); 
@@ -222,6 +223,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename, RETURN_FALSE; } if (isfilename) { + if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETURN_FALSE; + } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); if (!stream) { /* Stream will report errors opening file */ @@ -449,7 +454,7 @@ PHP_FUNCTION(hash_update_file) char *filename, buf[1024]; int filename_len, n; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { return; } diff --git a/ext/hash/tests/hash_hmac_file_error.phpt b/ext/hash/tests/hash_hmac_file_error.phpt index 42ab122285c..26ba8aacbec 100644 --- a/ext/hash/tests/hash_hmac_file_error.phpt +++ b/ext/hash/tests/hash_hmac_file_error.phpt @@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg); echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n"; hash_hmac_file('foo', $file, $key, TRUE); +echo "\n-- Testing hash_hmac_file() function with bad path --\n"; +hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); + ?> ===Done=== --EXPECTF-- @@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d -- Testing hash_hmac_file() function with invalid hash algorithm -- Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d + +-- Testing hash_hmac_file() function with bad path -- + +Warning: hash_hmac_file(): Invalid path in %s on line %d ===Done=== \ No newline at end of file diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c index eb557777583..cd51143c903 100644 --- a/ext/pgsql/pgsql.c +++ b/ext/pgsql/pgsql.c 
@@ -3014,7 +3014,7 @@ PHP_FUNCTION(pg_trace) php_stream *stream; id = PGG(default_link); - if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { + if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { return; } diff --git a/ext/standard/link.c b/ext/standard/link.c index c57484e766f..686dd3e306b 100644 --- a/ext/standard/link.c +++ b/ext/standard/link.c @@ -59,7 +59,7 @@ PHP_FUNCTION(readlink) char buff[MAXPATHLEN]; int ret; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) { return; } diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c index b1b318044ea..b8f15e32c2f 100644 --- a/ext/standard/streamsfuncs.c +++ b/ext/standard/streamsfuncs.c @@ -1549,7 +1549,7 @@ PHP_FUNCTION(stream_resolve_include_path) char *filename, *resolved_path; int filename_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) { return; } diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c index 7bc35dabc41..acb87541d82 100644 --- a/ext/xmlwriter/php_xmlwriter.c +++ b/ext/xmlwriter/php_xmlwriter.c @@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity) /* }}} */ #endif -/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source) +/* {{{ proto resource xmlwriter_open_uri(string source) Create new xmlwriter using source uri for output */ static PHP_FUNCTION(xmlwriter_open_uri) { 
@@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri) void *ioctx; #endif - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) { return; } diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c index 705fb5dd5f6..431dfde5472 100644 --- a/ext/zlib/zlib.c +++ b/ext/zlib/zlib.c @@ -581,7 +581,7 @@ static PHP_FUNCTION(gzopen) php_stream *stream; long use_include_path = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { return; } @@ -609,7 +609,7 @@ static PHP_FUNCTION(readgzfile) int size; long use_include_path = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) { return; } From a894a8155fab068d68a04bf181dbaddfa01ccbb0 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 5 Apr 2015 17:30:59 -0700 Subject: [PATCH 13/27] More fixes for bug #69152 --- Zend/zend_exceptions.c | 3 +++ ext/standard/tests/serialize/bug69152.phpt | 16 ++++++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 ext/standard/tests/serialize/bug69152.phpt diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c index bf90ae7be39..1ca2eadbf4c 100644 --- a/Zend/zend_exceptions.c +++ b/Zend/zend_exceptions.c 
@@ -591,6 +591,9 @@ ZEND_METHOD(exception, getTraceAsString) str = &res; trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC); + if(Z_TYPE_P(trace) != IS_ARRAY) { + RETURN_FALSE; + } zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num); s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1); diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt new file mode 100644 index 00000000000..4e741685ccd --- /dev/null +++ b/ext/standard/tests/serialize/bug69152.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #69152: Type Confusion Infoleak Vulnerability in unserialize() +--FILE-- +test(); + +?> +--EXPECTF-- +exception 'Exception' in %s:%d +Stack trace: +#0 {main} + +Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d From 12d3bdee3dfa6605024a72080d8a17c165c5ed24 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 11 Apr 2015 16:42:16 -0700 Subject: [PATCH 14/27] Additional fix for bug #69324 Not so happy about duplication but needed due to bug #69429 --- ext/phar/phar.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/ext/phar/phar.c b/ext/phar/phar.c index bf0c985a7c3..c5c8b467bcd 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c 
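Review bot: The early `RETURN_FALSE` in `getTraceAsString` bypasses whatever the normal path does with `res`; if `res` is heap-allocated before `str = &res` (not visible in the hunk), that buffer is leaked on this path, so an `efree(res)` belongs before the return. The method now returns `false` where callers expect a string, and a short comment explaining why — presumably a non-array `trace` can only come from an object rebuilt by unserialize() with a tampered property, per the test title — would tell the next reader the contract break is deliberate. Style: the file writes `if (` with a space, as the hunks below do, so `if(Z_TYPE_P(trace) != IS_ARRAY)` should follow suit. The function starts and ends outside the hunk.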
@@ -600,27 +600,28 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len * * Meta-data is in this format: * [len32][data...] - * + * * data is the serialized zval */ int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ { - const unsigned char *p; php_unserialize_data_t var_hash; if (zip_metadata_len) { + const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len); + p = p_buff; ALLOC_ZVAL(*metadata); INIT_ZVAL(**metadata); - p = (const unsigned char*) *buffer; PHP_VAR_UNSERIALIZE_INIT(var_hash); if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { + efree(p_buff); PHP_VAR_UNSERIALIZE_DESTROY(var_hash); zval_ptr_dtor(metadata); *metadata = NULL; return FAILURE; } - + efree(p_buff); PHP_VAR_UNSERIALIZE_DESTROY(var_hash); if (PHAR_G(persist)) { @@ -643,7 +644,7 @@ int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_ * * Parse a new one and add it to the cache, returning either SUCCESS or * FAILURE, and setting pphar to the pointer to the manifest entry - * + * * This is used by phar_open_from_filename to process the manifest, but can be called * directly. */ @@ -2236,7 +2237,7 @@ last_time: /** * Process a phar stream name, ensuring we can handle any of: - * + * * - whatever.phar * - whatever.phar.gz * - whatever.phar.bz2 From 1defbb25ed69e7a1a90e2bcb2ee3b9190ea06577 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 12 Apr 2015 00:56:02 -0700 Subject: [PATCH 15/27] Fix test --- ext/standard/tests/file/readlink_variation1.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/standard/tests/file/readlink_variation1.phpt b/ext/standard/tests/file/readlink_variation1.phpt index 1dae17cbd49..d4f1a5ff029 100644 --- a/ext/standard/tests/file/readlink_variation1.phpt +++ b/ext/standard/tests/file/readlink_variation1.phpt 
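Review bot: `p_buff` is declared `const unsigned char *` but initialised straight from `estrndup()`, which returns `char *`, and is later passed to `efree()`, which takes `void *`; both conversions draw incompatible-pointer / discarded-qualifier warnings, and the removed line carried an explicit cast for exactly this reason. Declare the copy as `unsigned char *p_buff = (unsigned char *) estrndup(*buffer, zip_metadata_len);` and keep `p` as the `const` cursor. The copy also deserves a why-comment, since the commit message itself calls the duplication unfortunate: `/* unserialize from a private, NUL-terminated copy of exactly zip_metadata_len bytes so an over-read cannot run into the caller's buffer (bug #69324) */`, hedged as appropriate since the over-read mechanics are not visible here.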
@@ -65,7 +65,7 @@ bool(false) Warning: readlink(): %s in %s on line %d bool(false) -Warning: readlink() expects parameter 1 to be string, resource given in %s on line %d +Warning: readlink() expects parameter 1 to be a valid path, resource given in %s on line %d NULL Warning: readlink(): %s in %s on line %d From d82d68742c69fc20a5180a2dbcca4cac52435931 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 12 Apr 2015 01:30:33 -0700 Subject: [PATCH 16/27] Fix bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability) --- ext/standard/http_fopen_wrapper.c | 79 +++++++++++++++++-------------- 1 file changed, 43 insertions(+), 36 deletions(-) diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c index 13614ae3b77..9c99496ed4b 100644 --- a/ext/standard/http_fopen_wrapper.c +++ b/ext/standard/http_fopen_wrapper.c @@ -19,7 +19,7 @@ | Sara Golemon | +----------------------------------------------------------------------+ */ -/* $Id$ */ +/* $Id$ */ #include "php.h" #include "php_globals.h" @@ -152,7 +152,7 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path, } if (strncasecmp(resource->scheme, "http", sizeof("http")) && strncasecmp(resource->scheme, "https", sizeof("https"))) { - if (!context || + if (!context || php_stream_context_get_option(context, wrapper->wops->label, "proxy", &tmpzval) == FAILURE || Z_TYPE_PP(tmpzval) != IS_STRING || Z_STRLEN_PP(tmpzval) <= 0) { @@ -168,7 +168,7 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path, transport_string = estrndup(Z_STRVAL_PP(tmpzval), Z_STRLEN_PP(tmpzval)); } else { /* Normal http request (possibly with proxy) */ - + if (strpbrk(mode, "awx+")) { php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "HTTP wrapper does not support writeable connections"); php_url_free(resource); 
@@ -207,11 +207,11 @@ php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper, char *path, stream = php_stream_xport_create(transport_string, transport_len, options, STREAM_XPORT_CLIENT | STREAM_XPORT_CONNECT, NULL, &timeout, context, &errstr, NULL); - + if (stream) { php_stream_set_option(stream, PHP_STREAM_OPTION_READ_TIMEOUT, 0, &timeout); } - + if (errstr) { php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "%s", errstr); efree(errstr); @@ -328,7 +328,7 @@ finish: /* avoid buffering issues while reading header */ if (options & STREAM_WILL_CAST) chunk_size = php_stream_set_chunk_size(stream, 1); - + /* avoid problems with auto-detecting when reading the headers -> the headers * are always in canonical \r\n format */ eol_detect = stream->flags & (PHP_STREAM_FLAG_DETECT_EOL | PHP_STREAM_FLAG_EOL_MAC); @@ -359,7 +359,7 @@ finish: } } } - + if (context && php_stream_context_get_option(context, "http", "protocol_version", &tmpzval) == SUCCESS) { SEPARATE_ZVAL(tmpzval); convert_to_double_ex(tmpzval); @@ -420,7 +420,7 @@ finish: if (context && php_stream_context_get_option(context, "http", "header", &tmpzval) == SUCCESS) { tmp = NULL; - + if (Z_TYPE_PP(tmpzval) == IS_ARRAY) { HashPosition pos; zval **tmpheader = NULL; 
@@ -460,42 +460,42 @@ finish: strip_header(user_headers, tmp, "content-type:"); } - if ((s = strstr(tmp, "user-agent:")) && - (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || + if ((s = strstr(tmp, "user-agent:")) && + (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || *(s-1) == '\t' || *(s-1) == ' ')) { have_header |= HTTP_HEADER_USER_AGENT; } if ((s = strstr(tmp, "host:")) && - (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || + (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || *(s-1) == '\t' || *(s-1) == ' ')) { have_header |= HTTP_HEADER_HOST; } if ((s = strstr(tmp, "from:")) && - (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || + (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || *(s-1) == '\t' || *(s-1) == ' ')) { have_header |= HTTP_HEADER_FROM; } if ((s = strstr(tmp, "authorization:")) && - (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || + (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || *(s-1) == '\t' || *(s-1) == ' ')) { have_header |= HTTP_HEADER_AUTH; } if ((s = strstr(tmp, "content-length:")) && - (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || + (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || *(s-1) == '\t' || *(s-1) == ' ')) { have_header |= HTTP_HEADER_CONTENT_LENGTH; } if ((s = strstr(tmp, "content-type:")) && - (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || + (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || *(s-1) == '\t' || *(s-1) == ' ')) { have_header |= HTTP_HEADER_TYPE; } /* remove Proxy-Authorization header */ if (use_proxy && use_ssl && (s = strstr(tmp, "proxy-authorization:")) && - (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || + (s == tmp || *(s-1) == '\r' || *(s-1) == '\n' || *(s-1) == '\t' || *(s-1) == ' ')) { char *p = s + sizeof("proxy-authorization:") - 1; - + while (s > tmp && (*(s-1) == ' ' || *(s-1) == '\t')) s--; while (*p != 0 && *p != '\r' && *p != '\n') p++; while (*p == '\r' || *p == '\n') p++; 
@@ -534,7 +534,7 @@ finish: } tmp = (char*)php_base64_encode((unsigned char*)scratch, strlen(scratch), NULL); - + if (snprintf(scratch, scratch_len, "Authorization: Basic %s\r\n", tmp) > 0) { php_stream_write(stream, scratch, strlen(scratch)); php_stream_notify_info(context, PHP_STREAM_NOTIFY_AUTH_REQUIRED, NULL, 0); @@ -552,7 +552,7 @@ finish: /* Send Host: header so name-based virtual hosts work */ if ((have_header & HTTP_HEADER_HOST) == 0) { - if ((use_ssl && resource->port != 443 && resource->port != 0) || + if ((use_ssl && resource->port != 443 && resource->port != 0) || (!use_ssl && resource->port != 80 && resource->port != 0)) { if (snprintf(scratch, scratch_len, "Host: %s:%i\r\n", resource->host, resource->port) > 0) php_stream_write(stream, scratch, strlen(scratch)); @@ -563,7 +563,7 @@ finish: } } - if (context && + if (context && php_stream_context_get_option(context, "http", "user_agent", &ua_zval) == SUCCESS && Z_TYPE_PP(ua_zval) == IS_STRING) { ua_str = Z_STRVAL_PP(ua_zval); @@ -575,9 +575,9 @@ finish: #define _UA_HEADER "User-Agent: %s\r\n" char *ua; size_t ua_len; - + ua_len = sizeof(_UA_HEADER) + strlen(ua_str); - + /* ensure the header is only sent if user_agent is not blank */ if (ua_len > sizeof(_UA_HEADER)) { ua = emalloc(ua_len + 1); @@ -591,7 +591,7 @@ finish: if (ua) { efree(ua); } - } + } } if (user_headers) { @@ -649,8 +649,12 @@ finish: { zval **rh; - zend_hash_find(EG(active_symbol_table), "http_response_header", sizeof("http_response_header"), (void **) &rh); + if(zend_hash_find(EG(active_symbol_table), "http_response_header", sizeof("http_response_header"), (void **) &rh) != SUCCESS || Z_TYPE_PP(rh) != IS_ARRAY) { + php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "HTTP request failed, http_response_header overwritten"); + goto out; + } response_header = *rh; + Z_ADDREF_P(response_header); } if (!php_stream_eof(stream)) { 
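Review bot: The new `goto out` taken when `$http_response_header` is missing or not an array jumps to the exit path with `stream` still open and non-NULL, so unless `out:` closes it before the `if (stream)` block shown in the later hunk, the caller gets back a connected stream whose response headers were never read, with `wrapperdata` set from a NULL `response_header`. Adding `php_stream_close(stream); stream = NULL;` before the `goto out;` would surface the failure to the caller as a NULL return instead. The lookup block sits inside a function that starts and ends outside the hunk. Style: `if(zend_hash_find(` lacks the space after `if` that the surrounding code uses.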
@@ -706,9 +710,9 @@ finish: php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "HTTP request failed, unexpected end of socket!"); goto out; } - + /* read past HTTP headers */ - + http_header_line = emalloc(HTTP_HEADER_BLOCK_SIZE); while (!body && !php_stream_eof(stream)) { @@ -738,7 +742,7 @@ finish: follow_location = Z_LVAL_PP(tmpzval); } else if (!(response_code >= 300 && response_code < 304 || 307 == response_code || 308 == response_code)) { /* we shouldn't redirect automatically - if follow_location isn't set and response_code not in (300, 301, 302, 303 and 307) + if follow_location isn't set and response_code not in (300, 301, 302, 303 and 307) see http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.3.1 RFC 7238 defines 308: http://tools.ietf.org/html/rfc7238 */ follow_location = 0; @@ -778,7 +782,7 @@ finish: MAKE_STD_ZVAL(http_header); ZVAL_STRINGL(http_header, http_header_line, http_header_line_length, 1); - + zend_hash_next_index_insert(Z_ARRVAL_P(response_header), &http_header, sizeof(zval *), NULL); } } else { @@ -803,10 +807,10 @@ finish: char loc_path[HTTP_HEADER_BLOCK_SIZE]; *new_path='\0'; - if (strlen(location)<8 || (strncasecmp(location, "http://", sizeof("http://")-1) && - strncasecmp(location, "https://", sizeof("https://")-1) && - strncasecmp(location, "ftp://", sizeof("ftp://")-1) && - strncasecmp(location, "ftps://", sizeof("ftps://")-1))) + if (strlen(location)<8 || (strncasecmp(location, "http://", sizeof("http://")-1) && + strncasecmp(location, "https://", sizeof("https://")-1) && + strncasecmp(location, "ftp://", sizeof("ftp://")-1) && + strncasecmp(location, "ftps://", sizeof("ftps://")-1))) { if (*location != '/') { if (*(location+1) != '\0' && resource->path) { @@ -820,7 +824,7 @@ finish: *s = '/'; } } - s[1] = '\0'; + s[1] = '\0'; if (resource->path && *(resource->path) == '/' && *(resource->path + 1) == '\0') { snprintf(loc_path, sizeof(loc_path) - 1, "%s%s", resource->path, location); } else { 
@@ -893,18 +897,21 @@ out: if (stream) { if (header_init) { - zval_add_ref(&response_header); stream->wrapperdata = response_header; + } else { + if(response_header) { + Z_DELREF_P(response_header); + } } php_stream_notify_progress_init(context, 0, file_size); - + /* Restore original chunk size now that we're done with headers */ if (options & STREAM_WILL_CAST) php_stream_set_chunk_size(stream, chunk_size); /* restore the users auto-detect-line-endings setting */ stream->flags |= eol_detect; - + /* as far as streams are concerned, we are now at the start of * the stream */ stream->position = 0; From 9bed19a1e0d78612426e5710aefe6ce31ca30923 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 12 Apr 2015 20:47:27 -0700 Subject: [PATCH 17/27] fix CVE num --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 584defdc4e5..40b1a654d0d 100644 --- a/NEWS +++ b/NEWS @@ -25,7 +25,7 @@ PHP NEWS - Core: . Fixed bug #68976 (Use After Free Vulnerability in unserialize()) - (CVE-2015-0231). (Stas) + (CVE-2015-2787). (Stas) . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) . Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) From a643ccfb90750e0d830106588d2a46af87706b5b Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 12 Apr 2015 20:53:09 -0700 Subject: [PATCH 18/27] Fix tests --- ext/gd/tests/imageloadfont_error1.phpt | 6 ++--- ext/zlib/tests/gzopen_variation1.phpt | 28 +++++++++++------------ ext/zlib/tests/readgzfile_variation1.phpt | 10 ++++---- ext/zlib/tests/readgzfile_variation6.phpt | 4 ++-- 4 files changed, 24 insertions(+), 24 deletions(-) diff --git a/ext/gd/tests/imageloadfont_error1.phpt b/ext/gd/tests/imageloadfont_error1.phpt index 16d1a3c3a67..418bbf3cedb 100644 --- a/ext/gd/tests/imageloadfont_error1.phpt +++ b/ext/gd/tests/imageloadfont_error1.phpt 
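Review bot: The refcount bookkeeping at `out:` has no comment and is easy to get wrong: the `else` branch drops the reference taken by `Z_ADDREF_P(response_header)` at the lookup, while the `header_init` branch hands that same reference to `stream->wrapperdata`, which is why the old `zval_add_ref` is gone. A comment at the `if (header_init)` such as `/* the ref taken at the http_response_header lookup either moves into wrapperdata or is dropped here */` would record the invariant. `Z_DELREF_P` never frees, so this is only safe while another owner — presumably the symbol table entry set up above the hunk — still holds the array; `zval_ptr_dtor(&response_header)` would express the intent without relying on that, and the same applies to the identical `Z_DELREF_P` the later "fix memory leak" commit adds to the `stream == NULL` branch. The function starts outside the hunk.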
@@ -3,7 +3,7 @@ Testing that imageloadfont() breaks on non-string first parameter --CREDITS-- Neveo Harrison #testfest #tek11 --SKIPIF-- - --FILE-- @@ -11,5 +11,5 @@ Neveo Harrison #testfest #tek11 var_dump( imageloadfont(array()) ); ?> --EXPECTF-- -Warning: imageloadfont() expects parameter 1 to be string, array given in %s on line %d -NULL \ No newline at end of file +Warning: imageloadfont() expects parameter 1 to be a valid path, array given in %s on line %d +NULL diff --git a/ext/zlib/tests/gzopen_variation1.phpt b/ext/zlib/tests/gzopen_variation1.phpt index c5a47f4d089..bca48f39c99 100644 --- a/ext/zlib/tests/gzopen_variation1.phpt +++ b/ext/zlib/tests/gzopen_variation1.phpt @@ -1,17 +1,17 @@ --TEST-- -Test gzopen() function : usage variation +Test gzopen() function : usage variation --SKIPIF-- - --FILE-- @$unset_var, - + // resource variable - 'resource' => $fp + 'resource' => $fp ); // loop through each element of the array for filename @@ -158,19 +158,19 @@ Error: 2 - gzopen(0.5): failed to open stream: No such file or directory, %s(%d) bool(false) --empty array-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --int indexed array-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --associative array-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --nested arrays-- -Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) NULL --uppercase NULL-- 
@@ -210,7 +210,7 @@ Error: 2 - gzopen(Class A object): failed to open stream: No such file or direct bool(false) --instance of classWithoutToString-- -Error: 2 - gzopen() expects parameter 1 to be string, object given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, object given, %s(%d) NULL --undefined var-- @@ -222,7 +222,7 @@ Error: 2 - gzopen(): Filename cannot be empty, %s(%d) bool(false) --resource-- -Error: 2 - gzopen() expects parameter 1 to be string, resource given, %s(%d) +Error: 2 - gzopen() expects parameter 1 to be a valid path, resource given, %s(%d) NULL ===DONE=== diff --git a/ext/zlib/tests/readgzfile_variation1.phpt b/ext/zlib/tests/readgzfile_variation1.phpt index 5a5ec4f6e74..5d9b639d29b 100644 --- a/ext/zlib/tests/readgzfile_variation1.phpt +++ b/ext/zlib/tests/readgzfile_variation1.phpt @@ -29,15 +29,15 @@ foreach ( $variation as $var ) { ===DONE=== --EXPECTF-- -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d +Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d NULL -===DONE=== \ No newline at end of file +===DONE=== diff --git a/ext/zlib/tests/readgzfile_variation6.phpt b/ext/zlib/tests/readgzfile_variation6.phpt index 702f91850ef..9fcea02939c 100644 --- a/ext/zlib/tests/readgzfile_variation6.phpt +++ b/ext/zlib/tests/readgzfile_variation6.phpt 
@@ -45,5 +45,5 @@ foreach ( $variation as $var ) { --EXPECTF-- Error: 2 - readgzfile(Class A object): failed to open stream: No such file or directory, %s(%d) bool(false) -Error: 2 - readgzfile() expects parameter 1 to be string, object given, %s(%d) -NULL \ No newline at end of file +Error: 2 - readgzfile() expects parameter 1 to be a valid path, object given, %s(%d) +NULL From 45facd15fb1be704ee1ae374fa306dad8450edbd Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 12 Apr 2015 22:00:18 -0700 Subject: [PATCH 19/27] fix memory leak & add test --- ext/standard/http_fopen_wrapper.c | 9 ++++-- ext/standard/tests/http/bug69337.phpt | 41 +++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 2 deletions(-) create mode 100644 ext/standard/tests/http/bug69337.phpt diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c index 9c99496ed4b..bd642875ee3 100644 --- a/ext/standard/http_fopen_wrapper.c +++ b/ext/standard/http_fopen_wrapper.c @@ -922,8 +922,13 @@ out: if (transfer_encoding) { php_stream_filter_append(&stream->readfilters, transfer_encoding); } - } else if (transfer_encoding) { - php_stream_filter_free(transfer_encoding TSRMLS_CC); + } else { + if(response_header) { + Z_DELREF_P(response_header); + } + if (transfer_encoding) { + php_stream_filter_free(transfer_encoding TSRMLS_CC); + } } return stream; diff --git a/ext/standard/tests/http/bug69337.phpt b/ext/standard/tests/http/bug69337.phpt new file mode 100644 index 00000000000..1451d4bf01d --- /dev/null +++ b/ext/standard/tests/http/bug69337.phpt 
@@ -0,0 +1,41 @@ +--TEST-- +Bug #69337 (Stream context leaks when http request fails) +--SKIPIF-- + +--INI-- +allow_url_fopen=1 +allow_url_include=1 +--FILE-- + "stream_notification_callback")); + +$responses = array( + "data://text/plain,HTTP/1.0 302 Found\r\nLocation: http://127.0.0.1:22345/try-again\r\n\r\n", + "data://text/plain,HTTP/1.0 404 Not Found\r\n\r\n", +); + +$pid = http_server("tcp://127.0.0.1:22345", $responses, $output); + +$f = file_get_contents('http://127.0.0.1:22345/', 0, $ctx); + +http_server_kill($pid); +var_dump($f); +?> +==DONE== +--EXPECTF-- +string(26) "HTTP/1.0 404 Not Found + +" +==DONE== \ No newline at end of file From ff70b40dc978f3f4c457f72a71bb43fd17ee360b Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Mon, 13 Apr 2015 14:39:11 +0200 Subject: [PATCH 20/27] fix type in fix for #69085 --- ext/soap/soap.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ext/soap/soap.c b/ext/soap/soap.c index 41aa1ad892a..1b8f545b855 100644 --- a/ext/soap/soap.c +++ b/ext/soap/soap.c @@ -2560,7 +2560,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); } 
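Review bot: The corrected condition — `zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", …) == SUCCESS && (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0` — is now copied verbatim at three sites (here in `do_request`, and in the next two hunks, the last in `do_soap_call`), which is how the original `Z_LVAL_PP`-for-`Z_TYPE_PP` slip got replicated in the first place. A small static helper keeps the check in one place so the next correction lands once. The enclosing functions start and end outside the hunks.
```c
/* non-zero when the "trace" property is a bool or long with a non-zero value */
static int soap_trace_enabled(zval *this_ptr)
{
	zval **trace;

	return zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
		(Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0;
}

/* … unchanged: do_request / do_soap_call bodies; each of the three sites becomes … */
	if (soap_trace_enabled(this_ptr)) {
```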
@@ -2600,7 +2600,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act } ret = FALSE; } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); } xmlFree(buf); @@ -2640,7 +2640,7 @@ static void do_soap_call(zval* this_ptr, SOAP_CLIENT_BEGIN_CODE(); if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); } From be34c82bfd0ada3804dc2e929e365a70c0a01933 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 13 Apr 2015 16:10:05 -0700 Subject: [PATCH 21/27] fix test --- ext/curl/tests/bug69316.phpt | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ext/curl/tests/bug69316.phpt b/ext/curl/tests/bug69316.phpt index 47c98fb6572..16a655eef85 100644 --- a/ext/curl/tests/bug69316.phpt +++ b/ext/curl/tests/bug69316.phpt @@ -36,4 +36,10 @@ unlink(dirname(__FILE__) . '/body.tmp'); ?> --EXPECTF-- Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d +array(1) { + ["test"]=> + string(7) "getpost" +} +array(0) { +} ===DONE=== From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001 
From: Stanislav Malyshev Date: Tue, 14 Apr 2015 00:03:50 -0700 Subject: [PATCH 22/27] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode) --- ext/phar/phar_internal.h | 9 ++++++--- ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++ 3 files changed, 27 insertions(+), 3 deletions(-) create mode 100644 ext/phar/tests/bug69441.phar create mode 100644 ext/phar/tests/bug69441.phpt
diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
index fcfc86457d6..84282d2a8fe 100644
--- a/ext/phar/phar_internal.h
+++ b/ext/phar/phar_internal.h
@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
 {
 char tmp[MAXPATHLEN];
 int tmp_len;
+ size_t len;
- tmp_len = entry->filename_len + entry->phar->fname_len;
- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
+ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
+ len = MIN(entry->phar->fname_len, tmp_len);
+ memcpy(tmp, entry->phar->fname, len);
+ len = MIN(tmp_len - len, entry->filename_len);
+ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
 entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
 }
 /* }}} */
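Review bot: The second `memcpy` writes at `tmp + entry->phar->fname_len` although only `len = MIN(entry->phar->fname_len, tmp_len)` bytes were placed there, so the destination offset and the copied prefix can disagree: when `fname_len` exceeds `MAXPATHLEN` the second length works out to zero, but the destination pointer is already formed past the end of `tmp`, which is out-of-bounds pointer arithmetic even though no byte is written. Reusing `len` for both lengths hides this; give each copy its own length and address the second from the first. `tmp_len` is an `int` compared against `size_t` operands inside the `MIN`s, so making it `size_t` removes the mixed-sign comparisons; whether `filename_len + fname_len` can itself overflow depends on the field types, which are not visible here. A why-comment stating that both lengths come from the archive and the concatenation is clipped because the inode is only a hash (bug #69441) would explain the `MIN`s to the next reader.
```c
	char tmp[MAXPATHLEN];
	size_t tmp_len, fname_len, filename_len;

	/* both lengths come from the archive; clip the concatenation to tmp
	 * instead of trusting them (bug #69441). The inode is only a hash, so
	 * a truncated name costs at most a collision. */
	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
	fname_len = MIN(entry->phar->fname_len, tmp_len);
	memcpy(tmp, entry->phar->fname, fname_len);
	filename_len = MIN(tmp_len - fname_len, entry->filename_len);
	memcpy(tmp + fname_len, entry->filename, filename_len);
	entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
```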
diff --git a/ext/phar/tests/bug69441.phar b/ext/phar/tests/bug69441.phar new file mode 100644 index 0000000000000000000000000000000000000000..80956dce7cb4fd78117f415166c3c46f62f9f79d GIT binary patch literal 5780 zcmWIWW@cdk1DpItw?}h!tuzMmK$wp~h(WI)Be6)oxTG`z$STMy3NAIrA4WFNtt;J3<2J(Y#?PU zK)4&|&S02ZLtKMH;*H{65=#;hPGCq-d?RLEVJHLC0m8xvKO-9p^7wzDn~orZA%F=; zi2!l6FW(yrv59k63Lg-g5jOGi$0`3-1$Z-pq`?3^P#FYZG9VhnaU2DsAut*OLp=nX zkN_xaGcqx=u(Gjpyx+I>9*FNe3WyE?P +--FILE-- + + +==DONE== +--EXPECTF-- +exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d +Stack trace: +#0 %s/bug69441.php(%d): Phar->__construct('%s', 0) +#1 {main} +==DONE== \ No newline at end of file From d734e75599593fe552eebf9bf579d73addc75a1e Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 14 Apr 2015 00:22:09 -0700 Subject: [PATCH 23/27] update NEWS --- NEWS | 37 ++++++++++++++++++++++++++++++------- 1 file changed, 30 insertions(+), 7 deletions(-) diff --git a/NEWS b/NEWS index 40b1a654d0d..06fd7d9730f 100644 --- a/NEWS +++ b/NEWS 
@@ -1,13 +1,42 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| -?? ??? 2015 PHP 5.4.40 +16 Apr 2015 PHP 5.4.40 + +- Apache2handler: + . Fixed bug #69218 (potential remote code execution with apache 2.4 + apache2handler). (Gerrit Venema) + +- Core: + . Additional fix for bug #69152 (Type confusion vulnerability in + exception::getTraceAsString). (Stas) + . Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion + vulnerability). (Stas) + . Fixed bug #69353 (Missing null byte checks for paths in various PHP + extensions). (Stas) + +- cURL: + . Fixed bug #69316 (Use-after-free in php_curl related to + CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) - Ereg: . Fixed bug #68740 (NULL Pointer Dereference). (Laruence) +- Fileinfo: + . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or + segfault). (Anatol Belski) + - GD: . Fixed bug #68601 (buffer read overflow in gd_gif_in.c). (Remi) +- Phar: + . Fixed bug #68901 (use after free). (bugreports at internot dot info) + . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) + . Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in + phar_set_inode). (Stas) + +- Postgres: + . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui) + - SOAP: . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (Dmitry) @@ -15,12 +44,6 @@ PHP NEWS - Sqlite3: . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan) -- Phar: - . Fixed bug #68901 (use after free). (bugreports at internot dot info) - -- Postgres: - . Fixed bug #68741 (Null pointer deference) (CVE-2015-1352). (Xinchen Hui) - 19 Mar 2015 PHP 5.4.39 - Core: From ae46d1ce19b789654e90bfcf91b11edc7de122a1 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 12 Apr 2015 20:47:27 -0700 Subject: [PATCH 24/27] fix CVE num --- NEWS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/NEWS b/NEWS index 584defdc4e5..40b1a654d0d 100644 --- a/NEWS +++ b/NEWS @@ -25,7 +25,7 @@ PHP NEWS - Core: . Fixed bug #68976 (Use After Free Vulnerability in unserialize()) - (CVE-2015-0231). (Stas) + (CVE-2015-2787). (Stas) . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) . Fixed bug #69207 (move_uploaded_file allows nulls in path). (Stas) From e10272c628a1163fb493910bdd1bb47b6c730813 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 14 Apr 2015 00:30:58 -0700 Subject: [PATCH 25/27] 5.4.41 next --- NEWS | 2 ++ configure.in | 2 +- main/php_version.h | 6 +++--- 3 files changed, 6 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 06fd7d9730f..b5e32991a2c 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,7 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +?? ??? 2015 PHP 5.4.41 + 16 Apr 2015 PHP 5.4.40 - Apache2handler: diff --git a/configure.in b/configure.in index 205d0fa2fc6..11bfa6d03c9 100644 --- a/configure.in +++ b/configure.in @@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=4 -PHP_RELEASE_VERSION=40 +PHP_RELEASE_VERSION=41 PHP_EXTRA_VERSION="-dev" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 44f5a70afea..e4ca1a5b6d0 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 4 -#define PHP_RELEASE_VERSION 40 +#define PHP_RELEASE_VERSION 41 #define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "5.4.40-dev" -#define PHP_VERSION_ID 50440 +#define PHP_VERSION "5.4.41-dev" +#define PHP_VERSION_ID 50441 
From 7b3cce0ba0f2b5c7b9ae2ca5b492316668cf6abe Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 14 Apr 2015 00:43:19 -0700 Subject: [PATCH 26/27] update NEWS --- NEWS | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/NEWS b/NEWS index aaab16a6204..800393842dd 100644 --- a/NEWS +++ b/NEWS @@ -29,6 +29,10 @@ PHP NEWS ?? ??? 2015, PHP 5.5.24 +- Apache2handler: + . Fixed bug #69218 (potential remote code execution with apache 2.4 + apache2handler). (Gerrit Venema) + - Core: . Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). (Dmitry, Laruence) @@ -39,10 +43,16 @@ PHP NEWS . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM configuration options). (Anatol Belski) + . Additional fix for bug #69152 (Type confusion vulnerability in + exception::getTraceAsString). (Stas) . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in __call/... arg passing). (Nikita) . Fixed bug #69221 (Segmentation fault when using a generator in combination with an Iterator). (Nikita) + . Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion + vulnerability). (Stas) + . Fixed bug #69353 (Missing null byte checks for paths in various PHP + extensions). (Stas) - Date: . Export date_get_immutable_ce so that it can be used by extensions. (Derick @@ -51,11 +61,17 @@ PHP NEWS - Curl: . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) + . Fixed bug #69316 (Use-after-free in php_curl related to + CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) - Enchant: . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows builds). (Anatol) +- Fileinfo: + . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or + segfault). (Anatol Belski) + - Filter: . Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other flags are used). (Jeff Welch) 
@@ -77,6 +93,9 @@ PHP NEWS . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike) . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing ".tar"). (Mike) + . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) + . Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in + phar_set_inode). (Stas) - Postgres: . Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence) From 9af582bbe069b30f2bb28ff10cb70ab475474e41 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 14 Apr 2015 00:46:47 -0700 Subject: [PATCH 27/27] fix non-standard C --- ext/dom/document.c | 109 +++++++++++++++++++++++---------------------- 1 file changed, 55 insertions(+), 54 deletions(-) diff --git a/ext/dom/document.c b/ext/dom/document.c index 4666746ad2b..48a19dd05de 100644 --- a/ext/dom/document.c +++ b/ext/dom/document.c @@ -187,10 +187,10 @@ ZEND_END_ARG_INFO(); /* }}} */ /* -* class DOMDocument extends DOMNode +* class DOMDocument extends DOMNode * * URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-i-Document -* Since: +* Since: */ const zend_function_entry php_dom_document_class_functions[] = { /* {{{ */ @@ -235,10 +235,10 @@ const zend_function_entry php_dom_document_class_functions[] = { /* {{{ */ }; /* }}} */ -/* {{{ docType DOMDocumentType -readonly=yes +/* {{{ docType DOMDocumentType +readonly=yes URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-B63ED1A31 -Since: +Since: */ int dom_document_doctype_read(dom_object *obj, zval **retval TSRMLS_DC) { 
@@ -266,15 +266,15 @@ int dom_document_doctype_read(dom_object *obj, zval **retval TSRMLS_DC) return FAILURE; } return SUCCESS; - + } /* }}} */ -/* {{{ implementation DOMImplementation -readonly=yes +/* {{{ implementation DOMImplementation +readonly=yes URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-1B793EBA -Since: +Since: */ int dom_document_implementation_read(dom_object *obj, zval **retval TSRMLS_DC) { @@ -285,10 +285,10 @@ int dom_document_implementation_read(dom_object *obj, zval **retval TSRMLS_DC) /* }}} */ -/* {{{ documentElement DOMElement -readonly=yes +/* {{{ documentElement DOMElement +readonly=yes URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-87CD092 -Since: +Since: */ int dom_document_document_element_read(dom_object *obj, zval **retval TSRMLS_DC) { @@ -391,8 +391,8 @@ int dom_document_encoding_write(dom_object *obj, zval *newval TSRMLS_DC) /* }}} */ -/* {{{ standalone boolean -readonly=no +/* {{{ standalone boolean +readonly=no URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-Document3-standalone Since: DOM Level 3 */ @@ -455,7 +455,7 @@ int dom_document_standalone_write(dom_object *obj, zval *newval TSRMLS_DC) /* }}} */ -/* {{{ version string +/* {{{ version string readonly=no URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-Document3-version Since: DOM Level 3 @@ -520,8 +520,8 @@ int dom_document_version_write(dom_object *obj, zval *newval TSRMLS_DC) /* }}} */ -/* {{{ strictErrorChecking boolean -readonly=no +/* {{{ strictErrorChecking boolean +readonly=no URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-Document3-strictErrorChecking Since: DOM Level 3 */ 
@@ -565,7 +565,7 @@ int dom_document_strict_error_checking_write(dom_object *obj, zval *newval TSRML /* }}} */ -/* {{{ formatOutput boolean +/* {{{ formatOutput boolean readonly=no */ int dom_document_format_output_read(dom_object *obj, zval **retval TSRMLS_DC) @@ -607,7 +607,7 @@ int dom_document_format_output_write(dom_object *obj, zval *newval TSRMLS_DC) } /* }}} */ -/* {{{ validateOnParse boolean +/* {{{ validateOnParse boolean readonly=no */ int dom_document_validate_on_parse_read(dom_object *obj, zval **retval TSRMLS_DC) @@ -649,7 +649,7 @@ int dom_document_validate_on_parse_write(dom_object *obj, zval *newval TSRMLS_DC } /* }}} */ -/* {{{ resolveExternals boolean +/* {{{ resolveExternals boolean readonly=no */ int dom_document_resolve_externals_read(dom_object *obj, zval **retval TSRMLS_DC) @@ -691,7 +691,7 @@ int dom_document_resolve_externals_write(dom_object *obj, zval *newval TSRMLS_DC } /* }}} */ -/* {{{ preserveWhiteSpace boolean +/* {{{ preserveWhiteSpace boolean readonly=no */ int dom_document_preserve_whitespace_read(dom_object *obj, zval **retval TSRMLS_DC) @@ -733,7 +733,7 @@ int dom_document_preserve_whitespace_write(dom_object *obj, zval *newval TSRMLS_ } /* }}} */ -/* {{{ recover boolean +/* {{{ recover boolean readonly=no */ int dom_document_recover_read(dom_object *obj, zval **retval TSRMLS_DC) @@ -775,7 +775,7 @@ int dom_document_recover_write(dom_object *obj, zval *newval TSRMLS_DC) } /* }}} */ -/* {{{ substituteEntities boolean +/* {{{ substituteEntities boolean readonly=no */ int dom_document_substitue_entities_read(dom_object *obj, zval **retval TSRMLS_DC) @@ -817,8 +817,8 @@ int dom_document_substitue_entities_write(dom_object *obj, zval *newval TSRMLS_D } /* }}} */ -/* {{{ documentURI string -readonly=no +/* {{{ documentURI string +readonly=no URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-Document3-documentURI Since: DOM Level 3 */ 
@@ -881,8 +881,8 @@ int dom_document_document_uri_write(dom_object *obj, zval *newval TSRMLS_DC) /* }}} */ -/* {{{ config DOMConfiguration -readonly=yes +/* {{{ config DOMConfiguration +readonly=yes URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-Document3-config Since: DOM Level 3 */ @@ -897,7 +897,7 @@ int dom_document_config_read(dom_object *obj, zval **retval TSRMLS_DC) /* {{{ proto DOMElement dom_document_create_element(string tagName [, string value]); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-2141741547 -Since: +Since: */ PHP_FUNCTION(dom_document_create_element) { @@ -930,7 +930,7 @@ PHP_FUNCTION(dom_document_create_element) /* {{{ proto DOMDocumentFragment dom_document_create_document_fragment(); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-35CB04B5 -Since: +Since: */ PHP_FUNCTION(dom_document_create_document_fragment) { @@ -957,7 +957,7 @@ PHP_FUNCTION(dom_document_create_document_fragment) /* {{{ proto DOMText dom_document_create_text_node(string data); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-1975348127 -Since: +Since: */ PHP_FUNCTION(dom_document_create_text_node) { @@ -985,7 +985,7 @@ PHP_FUNCTION(dom_document_create_text_node) /* {{{ proto DOMComment dom_document_create_comment(string data); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-1334481328 -Since: +Since: */ PHP_FUNCTION(dom_document_create_comment) { @@ -1013,7 +1013,7 @@ PHP_FUNCTION(dom_document_create_comment) /* {{{ proto DOMCdataSection dom_document_create_cdatasection(string data); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-D26C0AF8 -Since: +Since: */ PHP_FUNCTION(dom_document_create_cdatasection) { 
@@ -1041,7 +1041,7 @@ PHP_FUNCTION(dom_document_create_cdatasection) /* {{{ proto DOMProcessingInstruction dom_document_create_processing_instruction(string target, string data); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-135944439 -Since: +Since: */ PHP_FUNCTION(dom_document_create_processing_instruction) { @@ -1076,7 +1076,7 @@ PHP_FUNCTION(dom_document_create_processing_instruction) /* {{{ proto DOMAttr dom_document_create_attribute(string name); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-1084891198 -Since: +Since: */ PHP_FUNCTION(dom_document_create_attribute) { @@ -1110,7 +1110,7 @@ PHP_FUNCTION(dom_document_create_attribute) /* {{{ proto DOMEntityReference dom_document_create_entity_reference(string name); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-392B75AE -Since: +Since: */ PHP_FUNCTION(dom_document_create_entity_reference) { @@ -1143,7 +1143,7 @@ PHP_FUNCTION(dom_document_create_entity_reference) /* {{{ proto DOMNodeList dom_document_get_elements_by_tag_name(string tagname); URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#core-ID-A6C9094 -Since: +Since: */ PHP_FUNCTION(dom_document_get_elements_by_tag_name) { @@ -1177,7 +1177,7 @@ PHP_FUNCTION(dom_document_import_node) xmlDocPtr docp; xmlNodePtr nodep, retnodep; dom_object *intern, *nodeobj; - int ret; + int ret; long recursive = 0; if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "OO|l", &id, dom_document_class_entry, &node, dom_node_class_entry, &recursive) == FAILURE) { 
@@ -1188,7 +1188,7 @@ PHP_FUNCTION(dom_document_import_node) DOM_GET_OBJ(nodep, node, xmlNodePtr, nodeobj); - if (nodep->type == XML_HTML_DOCUMENT_NODE || nodep->type == XML_DOCUMENT_NODE + if (nodep->type == XML_HTML_DOCUMENT_NODE || nodep->type == XML_DOCUMENT_NODE || nodep->type == XML_DOCUMENT_TYPE_NODE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot import: Node Type Not Supported"); RETURN_FALSE; @@ -1278,7 +1278,7 @@ PHP_FUNCTION(dom_document_create_element_ns) RETURN_FALSE; } - + nodep->ns = nsptr; DOM_RET_OBJ(nodep, &ret, intern); @@ -1580,14 +1580,15 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc xmlInitParser(); if (mode == DOM_LOAD_FILE) { + char *file_dest; if (CHECK_NULL_PATH(source, source_len)) { return NULL; } - char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); + file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (file_dest) { ctxt = xmlCreateFileParserCtxt(file_dest); } - + } else { ctxt = xmlCreateMemoryParserCtxt(source, source_len); } @@ -1909,7 +1910,7 @@ PHP_FUNCTION(dom_document_xinclude) zval *id; xmlDoc *docp; xmlNodePtr root; - long flags = 0; + long flags = 0; int err; dom_object *intern; @@ -1922,7 +1923,7 @@ PHP_FUNCTION(dom_document_xinclude) err = xmlXIncludeProcessFlags(docp, flags); /* XML_XINCLUDE_START and XML_XINCLUDE_END nodes need to be removed as these - are added via xmlXIncludeProcess to mark beginning and ending of xincluded document + are added via xmlXIncludeProcess to mark beginning and ending of xincluded document but are not wanted in resulting document - must be done even if err as it could fail after having processed some xincludes */ root = (xmlNodePtr) docp->children; @@ -1938,7 +1939,7 @@ PHP_FUNCTION(dom_document_xinclude) } else { RETVAL_FALSE; } - + } /* }}} */ 
@@ -1959,19 +1960,19 @@ PHP_FUNCTION(dom_document_validate) DOM_GET_OBJ(docp, id, xmlDocPtr, intern); cvp = xmlNewValidCtxt(); - + cvp->userData = NULL; cvp->error = (xmlValidityErrorFunc) php_libxml_error_handler; cvp->warning = (xmlValidityErrorFunc) php_libxml_error_handler; - + if (xmlValidateDocument(cvp, docp)) { RETVAL_TRUE; } else { RETVAL_FALSE; } - + xmlFreeValidCtxt(cvp); - + } /* }}} */ @@ -2011,7 +2012,7 @@ static void _dom_document_schema_validate(INTERNAL_FUNCTION_PARAMETERS, int type break; case DOM_LOAD_STRING: parser = xmlSchemaNewMemParserCtxt(source, source_len); - /* If loading from memory, we need to set the base directory for the document + /* If loading from memory, we need to set the base directory for the document but it is not apparent how to do that for schema's */ break; default: @@ -2100,7 +2101,7 @@ static void _dom_document_relaxNG_validate(INTERNAL_FUNCTION_PARAMETERS, int typ break; case DOM_LOAD_STRING: parser = xmlRelaxNGNewMemParserCtxt(source, source_len); - /* If loading from memory, we need to set the base directory for the document + /* If loading from memory, we need to set the base directory for the document but it is not apparent how to do that for schema's */ break; default: @@ -2168,7 +2169,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ int source_len, refcount, ret; long options = 0; htmlParserCtxtPtr ctxt; - + id = getThis(); if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { @@ -2204,7 +2205,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ htmlParseDocument(ctxt); newdoc = ctxt->myDoc; htmlFreeParserCtxt(ctxt); - + if (!newdoc) RETURN_FALSE; 
@@ -2326,13 +2327,13 @@ PHP_FUNCTION(dom_document_save_html) php_dom_throw_error(WRONG_DOCUMENT_ERR, dom_get_strict_error(intern->document) TSRMLS_CC); RETURN_FALSE; } - + buf = xmlBufferCreate(); if (!buf) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not fetch buffer"); RETURN_FALSE; } - + if (node->type == XML_DOCUMENT_FRAG_NODE) { int one_size;