. Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas)
. Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type
Confusion) (CVE-2014-3515). (Stefan Esser)
- . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
+ . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
(Stefan Esser)
-
+
+- COM:
+ . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
+
- Date:
- . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
+ . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712)
(Remi)
. Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas)
. Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas)
- Fileinfo:
. Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol)
- . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary
- check). (CVE-2014-0207)
- . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS).
+ . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary
+ check). (CVE-2014-0207)
+ . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS).
(CVE-2014-0238)
- . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in
- performance degradation). (CVE-2014-0237)
+ . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting
+ in performance degradation). (CVE-2014-0237)
. Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal
string size). (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary
. Fixed bug #67349 (Locale::parseLocale Double Free). (Stas)
. Fixed bug #67397 (Buffer overflow in locale_get_display_name and
uloc_getDisplayName (libicu 4.8.1)). (Stas)
-
+
- Network:
- . Fixed bug #67432 (Fix potential segfault in dns_check_record()).
+ . Fixed bug #67432 (Fix potential segfault in dns_check_record()).
(CVE-2014-4049). (Sara)
+- OpenSSL:
+ . Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas).
+
+- Session:
+ . Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas).
+
12 Dec 2013, PHP 5.3.28
- Openssl:
/* 0 => typelibname, 1 => dispname */
zval **tmp;
- if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS)
+ if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING)
typelibname = Z_STRVAL_PP(tmp);
- if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS)
+ if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING)
dispname = Z_STRVAL_PP(tmp);
} else if (sink != NULL) {
convert_to_string(sink);
return (time_t)-1;
}
- if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+ if (ASN1_STRING_length(timestr) != strlen((char*)ASN1_STRING_data(timestr))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
return (time_t)-1;
}
req->config_filename, req->var, req->req_config TSRMLS_CC) == FAILURE) return FAILURE
#define SET_OPTIONAL_STRING_ARG(key, varname, defval) \
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) \
varname = Z_STRVAL_PP(item); \
else \
varname = defval
#define SET_OPTIONAL_LONG_ARG(key, varname, defval) \
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_LONG) \
varname = Z_LVAL_PP(item); \
else \
varname = defval
SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS) {
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_BOOL) {
req->priv_key_encrypt = Z_BVAL_PP(item);
} else {
str = CONF_get_string(req->req_config, req->section_name, "encrypt_rsa_key");
}
/* parse extra config from args array, promote this to an extra function */
- if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+ if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
friendly_name = Z_STRVAL_PP(item);
/* certpbe (default RC2-40)
keypbe (default 3DES)
}
/* parse extra config from args array, promote this to an extra function */
- if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+ if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
friendly_name = Z_STRVAL_PP(item);
if (args && zend_hash_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts"), (void**)&item) == SUCCESS)
--- /dev/null
+--TEST--
+Options type checks
+--SKIPIF--
+<?php if (!extension_loaded("openssl")) print "skip"; ?>
+--FILE--
+<?php
+$x = openssl_pkey_new();
+$csr = openssl_csr_new(["countryName" => "DE"], $x, ["x509_extensions" => 0xDEADBEEF]);
+?>
+DONE
+--EXPECT--
+DONE
if (zend_hash_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER"), (void **) &array) == SUCCESS &&
Z_TYPE_PP(array) == IS_ARRAY &&
- zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS
+ zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS &&
+ Z_TYPE_PP(token) == IS_STRING
) {
remote_addr = Z_STRVAL_PP(token);
}
projects / php / commitdiff