File php-CVE-2015-3411,3412,4598.patch of Package php5.openSUSE_13.1_Update
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 5 Apr 2015 23:01:24 +0000 (-0700)
Subject: Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
X-Git-Tag: php-5.5.24~14
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80
Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
---
Index: ext/dom/document.c
===================================================================
--- ext/dom/document.c.orig 2015-06-22 13:12:07.223032487 +0200
+++ ext/dom/document.c 2015-06-22 13:17:03.008970520 +0200
@@ -1574,6 +1574,9 @@
xmlInitParser();
if (mode == DOM_LOAD_FILE) {
+ if (CHECK_NULL_PATH(source, source_len)) {
+ return NULL;
+ }
char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC);
if (file_dest) {
ctxt = xmlCreateFileParserCtxt(file_dest);
@@ -2162,7 +2165,7 @@
id = getThis();
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
return;
}
Index: ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt
===================================================================
--- ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt.orig 2015-06-22 13:12:07.223032487 +0200
+++ ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt 2015-06-22 13:17:03.009970533 +0200
@@ -13,6 +13,11 @@
$doc = new DOMDocument();
$result = $doc->loadHTMLFile("");
assert('$result === false');
+$doc = new DOMDocument();
+$result = $doc->loadHTMLFile("text.html\0something");
+assert('$result === null');
?>
--EXPECTF--
%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s
+
+%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s
Index: ext/fileinfo/fileinfo.c
===================================================================
--- ext/fileinfo/fileinfo.c.orig 2015-06-22 13:12:07.223032487 +0200
+++ ext/fileinfo/fileinfo.c 2015-06-22 13:17:03.009970533 +0200
@@ -506,6 +506,11 @@
RETVAL_FALSE;
goto clean;
}
+ if (CHECK_NULL_PATH(buffer, buffer_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+ RETVAL_FALSE;
+ goto clean;
+ }
wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC);
Index: ext/fileinfo/tests/finfo_file_basic.phpt
===================================================================
--- ext/fileinfo/tests/finfo_file_basic.phpt.orig 2015-06-22 13:12:07.223032487 +0200
+++ ext/fileinfo/tests/finfo_file_basic.phpt 2015-06-22 13:17:03.009970533 +0200
@@ -19,6 +19,7 @@
var_dump( finfo_file( $finfo, __FILE__) );
var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) );
var_dump( finfo_file( $finfo, $magicFile ) );
+var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) );
?>
===DONE===
@@ -27,4 +28,7 @@
string(28) "text/x-php; charset=us-ascii"
string(22) "PHP script, ASCII text"
string(25) "text/plain; charset=utf-8"
+
+Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d
+bool(false)
===DONE===
Index: ext/gd/gd.c
===================================================================
--- ext/gd/gd.c.orig 2015-06-22 13:12:07.225032514 +0200
+++ ext/gd/gd.c 2015-06-22 13:17:03.010970546 +0200
@@ -1495,7 +1495,7 @@
gdFontPtr font;
php_stream *stream;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) {
return;
}
@@ -2438,7 +2438,7 @@
long ignore_warning;
#endif
if (image_type == PHP_GDIMG_TYPE_GD2PART) {
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
return;
}
if (width < 1 || height < 1) {
@@ -2446,7 +2446,7 @@
RETURN_FALSE;
}
} else {
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
return;
}
}
@@ -4178,7 +4178,7 @@
char *enc, **enc_vector;
int enc_len, *f_ind;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) {
return;
}
Index: ext/hash/hash.c
===================================================================
--- ext/hash/hash.c.orig 2015-06-22 13:12:07.225032514 +0200
+++ ext/hash/hash.c 2015-06-22 13:17:03.011970559 +0200
@@ -142,6 +142,7 @@
}
if (isfilename) {
if (CHECK_NULL_PATH(data, data_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
RETURN_FALSE;
}
stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
@@ -222,6 +223,10 @@
RETURN_FALSE;
}
if (isfilename) {
+ if (CHECK_NULL_PATH(data, data_len)) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+ RETURN_FALSE;
+ }
stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
if (!stream) {
/* Stream will report errors opening file */
@@ -449,7 +454,7 @@
char *filename, buf[1024];
int filename_len, n;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
return;
}
Index: ext/hash/tests/hash_hmac_file_error.phpt
===================================================================
--- ext/hash/tests/hash_hmac_file_error.phpt.orig 2015-06-22 13:12:07.225032514 +0200
+++ ext/hash/tests/hash_hmac_file_error.phpt 2015-06-22 13:17:03.011970559 +0200
@@ -28,6 +28,9 @@
echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n";
hash_hmac_file('foo', $file, $key, TRUE);
+echo "\n-- Testing hash_hmac_file() function with bad path --\n";
+hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE);
+
?>
===Done===
--EXPECTF--
@@ -51,4 +54,8 @@
-- Testing hash_hmac_file() function with invalid hash algorithm --
Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d
+
+-- Testing hash_hmac_file() function with bad path --
+
+Warning: hash_hmac_file(): Invalid path in %s on line %d
===Done===
\ No newline at end of file
Index: ext/pgsql/pgsql.c
===================================================================
--- ext/pgsql/pgsql.c.orig 2015-06-22 13:17:03.012970572 +0200
+++ ext/pgsql/pgsql.c 2015-06-22 13:17:25.116258641 +0200
@@ -2963,7 +2963,7 @@
php_stream *stream;
id = PGG(default_link);
- if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
+ if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
return;
}
Index: ext/standard/link.c
===================================================================
--- ext/standard/link.c.orig 2013-09-18 07:48:57.000000000 +0200
+++ ext/standard/link.c 2015-06-22 13:17:03.013970585 +0200
@@ -59,7 +59,7 @@
char buff[MAXPATHLEN];
int ret;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) {
return;
}
Index: ext/standard/streamsfuncs.c
===================================================================
--- ext/standard/streamsfuncs.c.orig 2015-06-22 13:12:07.227032540 +0200
+++ ext/standard/streamsfuncs.c 2015-06-22 13:17:03.013970585 +0200
@@ -1545,7 +1545,7 @@
char *filename, *resolved_path;
int filename_len;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) {
return;
}
Index: ext/xmlwriter/php_xmlwriter.c
===================================================================
--- ext/xmlwriter/php_xmlwriter.c.orig 2015-06-22 13:12:07.227032540 +0200
+++ ext/xmlwriter/php_xmlwriter.c 2015-06-22 13:17:03.014970598 +0200
@@ -1738,7 +1738,7 @@
/* }}} */
#endif
-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source)
+/* {{{ proto resource xmlwriter_open_uri(string source)
Create new xmlwriter using source uri for output */
static PHP_FUNCTION(xmlwriter_open_uri)
{
@@ -1759,7 +1759,7 @@
void *ioctx;
#endif
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) {
return;
}
Index: ext/zlib/zlib.c
===================================================================
--- ext/zlib/zlib.c.orig 2015-06-22 13:12:07.228032554 +0200
+++ ext/zlib/zlib.c 2015-06-22 13:17:03.014970598 +0200
@@ -581,7 +581,7 @@
php_stream *stream;
long use_include_path = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
return;
}
@@ -609,7 +609,7 @@
int size;
long use_include_path = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) {
return;
}
