File php-CVE-2019-9023.patch of Package php7.14228

Index: php-7.2.5/ext/mbstring/oniguruma/src/regparse.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/regparse.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/regparse.c	2019-03-11 17:56:58.618984274 +0100
@@ -304,14 +304,17 @@ strdup_with_null(OnigEncoding enc, UChar
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
   pfetch_prev = p; \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 
 #define PINC_S     do { \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PFETCH_S(c) do { \
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 
 #define PPEEK        (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
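Review bot: In PFETCH, PINC_S and PFETCH_S the clamp `if(UNEXPECTED(p > end)) p = end;` runs only after `p += ONIGENC_MBC_ENC_LEN(enc, p)`, so `p` may already point more than one past `end`, and forming or comparing such a pointer is undefined behaviour in C. Bounding the step by the bytes left before advancing avoids that, e.g. `{ int n_ = ONIGENC_MBC_ENC_LEN(enc, p); p += (n_ > end - p) ? (end - p) : n_; }`. The preceding `ONIGENC_MBC_TO_CODE(enc, p, end)` still decodes before any length check, so these macros rely on every encoding's mbc_to_code honouring `end`; a one-line comment above them should say so. The PFETCH definition starts above the hunk.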
@@ -3593,7 +3596,9 @@ fetch_token(OnigToken* tok, UChar** src,
           tok->u.code = c2;
         }
         else { /* string */
-          p = tok->backp + enclen(enc, tok->backp);
+          int len;
+          SAFE_ENC_LEN(enc, tok->backp, end, len);
+          p = tok->backp + len;
         }
       }
       break;
Index: php-7.2.5/ext/mbstring/oniguruma/src/regcomp.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/regcomp.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/regcomp.c	2019-03-11 17:56:58.618984274 +0100
@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, r
   ambig = NSTRING_IS_AMBIG(node);
 
   p = prev = sn->s;
-  prev_len = enclen(enc, p);
+  SAFE_ENC_LEN(enc, p, sn->end, prev_len);
   p += prev_len;
   slen = 1;
   rlen = 0;
 
   for (; p < sn->end; ) {
-    len = enclen(enc, p);
+    SAFE_ENC_LEN(enc, p, sn->end, len);
     if (len == prev_len) {
       slen++;
     }
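Review bot: The clamped value from `SAFE_ENC_LEN` goes straight into `if (len == prev_len)`, so a truncated final multibyte character is counted as a complete character of the shortened width instead of being reported as malformed input. The same holds for the `compile_string_node` hunk and the `expand_case_fold_string` hunk below. If accepting the truncated tail is intended, say so at the first call: `/* len is clamped to the bytes left before sn->end; a truncated last character is treated as that many bytes */`. Both function bodies start and end outside the hunks, so whether an empty node (`sn->s == sn->end`, which would give `prev_len == 0`) is rejected earlier cannot be seen here.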
@@ -518,12 +518,12 @@ compile_string_node(Node* node, regex_t*
   ambig = NSTRING_IS_AMBIG(node);
 
   p = prev = sn->s;
-  prev_len = enclen(enc, p);
+  SAFE_ENC_LEN(enc, p, end, prev_len);
   p += prev_len;
   slen = 1;
 
   for (; p < end; ) {
-    len = enclen(enc, p);
+    SAFE_ENC_LEN(enc, p, end, len);
     if (len == prev_len) {
       slen++;
     }
@@ -3435,7 +3435,7 @@ expand_case_fold_string(Node* node, rege
       goto err;
     }
 
-    len = enclen(reg->enc, p);
+    SAFE_ENC_LEN(reg->enc, p, end, len);
 
     if (n == 0) {
       if (IS_NULL(snode)) {
Index: php-7.2.5/ext/mbstring/oniguruma/src/unicode.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/unicode.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/unicode.c	2019-03-11 17:56:58.618984274 +0100
@@ -255,6 +255,7 @@ onigenc_unicode_mbc_case_fold(OnigEncodi
 
   code = ONIGENC_MBC_TO_CODE(enc, p, end);
   len = enclen(enc, p);
+  if (*pp + len > end) len = end - *pp;
   *pp += len;
 
 #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
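Review bot: The added check `if (*pp + len > end)` computes `*pp + len` before knowing that it stays inside the buffer, which is the out-of-range pointer arithmetic the guard is meant to prevent; compare lengths instead: `if (len > end - *pp) len = (int )(end - *pp);`. The decode two lines above (`ONIGENC_MBC_TO_CODE(enc, p, end)`) has already run by then, so the read itself is only bounded if the encoding's mbc_to_code checks `end`. The rest of onigenc_unicode_mbc_case_fold is outside the hunk.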
Index: php-7.2.5/ext/mbstring/oniguruma/src/regparse.h
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/regparse.h	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/regparse.h	2019-03-11 17:56:58.618984274 +0100
@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex
 #endif
 #endif
 
+#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+#else
+# define UNEXPECTED(condition) (condition)
+#endif
+
+#define SAFE_ENC_LEN(enc, p, end, res) do {  \
+    int __res = enclen(enc, p);              \
+    if (UNEXPECTED(p + __res > end)) __res = end - p;    \
+       res = __res;                             \
+} while(0);
+
 #endif /* REGPARSE_H */
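Review bot: `SAFE_ENC_LEN` ends in `} while(0);`, and that trailing semicolon defeats the do/while(0) idiom: `if (x) SAFE_ENC_LEN(...); else ...` will not compile, and every call site expands to an extra empty statement. The macro also uses the reserved identifier `__res`, leaves its arguments unparenthesized, and tests `p + __res > end`, which forms a pointer past the buffer before the comparison. `UNEXPECTED` is a name PHP's Zend headers define as well, so an `#ifndef UNEXPECTED` guard would avoid a redefinition if both headers ever meet in one translation unit (not visible from this hunk). A version that compares lengths rather than pointers follows.

```c
#ifndef UNEXPECTED
/* … unchanged: the two UNEXPECTED definitions … */
#endif

#define SAFE_ENC_LEN(enc, p, end, res) do {            \
    int safe_len_ = enclen((enc), (p));                \
    if (UNEXPECTED(safe_len_ > (end) - (p)))           \
      safe_len_ = (int )((end) - (p));                 \
    (res) = safe_len_;                                 \
} while (0)
```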
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf16_be.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf16_be.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf16_be.c	2019-03-11 17:56:58.622984293 +0100
@@ -82,16 +82,18 @@ utf16be_is_mbc_newline(const UChar* p, c
 }
 
 static OnigCodePoint
-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16be_mbc_to_code(const UChar* p, const UChar* end)
 {
   OnigCodePoint code;
 
   if (UTF16_IS_SURROGATE_FIRST(*p)) {
+    if (end - p < 4) return 0;
     code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
          + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
          + p[3];
   }
   else {
+    if (end - p < 2) return 0;
     code = p[0] * 256 + p[1];
   }
   return code;
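Review bot: `UTF16_IS_SURROGATE_FIRST(*p)` reads `*p` before either of the new length checks, so if a caller can pass `p == end` the function still reads one byte past the buffer; a guard `if (p >= end) return 0;` at the top of utf16be_mbc_to_code would cover it. Returning 0 for a short sequence is indistinguishable from a decoded U+0000, which deserves a comment on the function such as `/* returns 0 when fewer bytes remain than the sequence needs */`. The function's closing brace is outside the hunk.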
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf16_le.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf16_le.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf16_le.c	2019-03-11 17:56:58.622984293 +0100
@@ -97,13 +97,14 @@ utf16le_is_mbc_newline(const UChar* p, c
 }
 
 static OnigCodePoint
-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16le_mbc_to_code(const UChar* p, const UChar* end)
 {
   OnigCodePoint code;
   UChar c0 = *p;
   UChar c1 = *(p+1);
 
   if (UTF16_IS_SURROGATE_FIRST(c1)) {
+    if (end - p < 4) return 0;
     code = ((((c1 - 0xd8) << 2) + ((c0  & 0xc0) >> 6) + 1) << 16)
          + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
          + p[2];
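Review bot: `UChar c1 = *(p+1);` is read unconditionally at the top of utf16le_mbc_to_code, before the new `if (end - p < 4)` check, so with a single byte left the function still reads past `end`. Unlike the utf16_be.c change, no `end - p < 2` guard is visible for the non-surrogate path, whose code lies below the hunk. Declaring `c0` and `c1` without initializers, placing `if (end - p < 2) return 0;` first and assigning `c0 = *p; c1 = *(p+1);` after it would close the gap and make the two files consistent.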
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf32_be.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf32_be.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf32_be.c	2019-03-11 17:56:58.622984293 +0100
@@ -67,6 +67,7 @@ utf32be_is_mbc_newline(const UChar* p, c
 static OnigCodePoint
 utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+  if (end - p < 4) return 0;
   return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
 }
 
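Review bot: `end` is still declared `const UChar* end ARG_UNUSED` although the new first line reads it; the UTF-16 files in this patch dropped the annotation, and the signature here should match: `utf32be_mbc_to_code(const UChar* p, const UChar* end)`. The same applies to utf32le_mbc_to_code in the utf32_le.c hunk. In both functions a short input now yields 0, the same value as a decoded U+0000, so callers cannot tell the two apart; a one-line comment on each function should state that.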
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf32_le.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf32_le.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf32_le.c	2019-03-11 17:56:58.622984293 +0100
@@ -67,6 +67,7 @@ utf32le_is_mbc_newline(const UChar* p, c
 static OnigCodePoint
 utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+  if (end - p < 4) return 0;
   return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
 }
 