Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
authorStanislav Malyshev <stas@php.net>
Sun, 5 Apr 2015 23:01:24 +0000 (16:01 -0700)
committerStanislav Malyshev <stas@php.net>
Sat, 11 Apr 2015 23:53:22 +0000 (16:53 -0700)
12 files changed:
ext/dom/document.c
ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt
ext/fileinfo/fileinfo.c
ext/fileinfo/tests/finfo_file_basic.phpt
ext/gd/gd.c
ext/hash/hash.c
ext/hash/tests/hash_hmac_file_error.phpt
ext/pgsql/pgsql.c
ext/standard/link.c
ext/standard/streamsfuncs.c
ext/xmlwriter/php_xmlwriter.c
ext/zlib/zlib.c

index f105f6d7fe83ced36799094e48907bfe440a0afe..4666746ad2baec453b05ce67f56166aa2bfd4162 100644 (file)
@@ -1580,6 +1580,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc
        xmlInitParser();
 
        if (mode == DOM_LOAD_FILE) {
+               if (CHECK_NULL_PATH(source, source_len)) {
+                       return NULL;
+               }
                char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
                if (file_dest) {
                        ctxt = xmlCreateFileParserCtxt(file_dest);
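Review bot: The new `CHECK_NULL_PATH` block is placed ahead of `char *file_dest = ...`, so that declaration now follows a statement inside the `if (mode == DOM_LOAD_FILE)` block, which a compiler held to C89 rules will reject. Declaring `char *file_dest;` first, then running the check, then assigning `file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);` avoids that. The early `return NULL` is also silent, whereas the fileinfo and hash hunks in this commit report `"Invalid path"` through `php_error_docref`. A warning here would tell callers that reach this parser without a `p` argument check why the load was refused. The function body continues outside the hunk.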
@@ -2168,7 +2171,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
        
        id = getThis();
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
                return;
        }
 
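Review bot: Changing the format to `"p|l"` applies path validation to every `mode` that `dom_load_html` serves, not only the file mode. The `int mode` parameter in the signature suggests the same function backs a string-loading entry point where `source` is markup rather than a path; if so, HTML input containing a NUL byte would now be rejected at parameter parsing. Keeping `"s|l"` and adding `if (mode == DOM_LOAD_FILE && CHECK_NULL_PATH(source, source_len))` with a `php_error_docref` warning after the parse would confine the check to real paths, the way the hash.c hunks gate it on `isfilename`. The function body continues outside the hunk.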
index e59ff56c5a83119c443895631df5375a7382079a..75004e2a74e1f1ced7fe11b1743b1fa3e5ed04cb 100644 (file)
@@ -13,6 +13,11 @@ assert.bail=true
 $doc = new DOMDocument();
 $result = $doc->loadHTMLFile("");
 assert('$result === false');
+$doc = new DOMDocument();
+$result = $doc->loadHTMLFile("text.html\0something");
+assert('$result === null');
 ?>
 --EXPECTF--
 %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s
+
+%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s
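Review bot: The two failure cases in this test now pin different return values: the empty string yields `false`, while the NUL-byte path yields `null`. A caller that detects failure with `=== false` will not notice the rejected path. A short comment above the new assertion, for example `// rejected during parameter parsing, so the call returns NULL rather than false`, would make the difference explicit for the next reader.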
index 2d523ab49812dd43df92d26aadfc0f24e3363ac3..5fd951174520a0e1161d45d41e18182a07d507c0 100644 (file)
@@ -506,6 +506,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime
                                RETVAL_FALSE;
                                goto clean;
                        }
+                       if (CHECK_NULL_PATH(buffer, buffer_len)) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+                               RETVAL_FALSE;
+                               goto clean;
+                       }
 
                        wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC);
 
index 20223fd88ea6701d79e5845602b853367ac7da39..ee70e2e2533c3e38f724697bfe2320508bf27174 100644 (file)
@@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n";
 var_dump( finfo_file( $finfo, __FILE__) );
 var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) );
 var_dump( finfo_file( $finfo, $magicFile ) );
+var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) );
 
 ?>
 ===DONE===
@@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) );
 string(28) "text/x-php; charset=us-ascii"
 string(22) "PHP script, ASCII text"
 string(25) "text/plain; charset=utf-8"
+
+Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d
+bool(false)
 ===DONE===
index e5657f7424ab30c8f3ca7ec73e9201375d1fab39..d258c3dbc7862534762d3640688f1b980c031459 100644 (file)
@@ -1495,7 +1495,7 @@ PHP_FUNCTION(imageloadfont)
        gdFontPtr font;
        php_stream *stream;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) {
                return;
        }
 
@@ -2438,7 +2438,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
        long ignore_warning;
 #endif
        if (image_type == PHP_GDIMG_TYPE_GD2PART) {
-               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
+               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
                        return;
                }
                if (width < 1 || height < 1) {
@@ -2446,7 +2446,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
                        RETURN_FALSE;
                }
        } else {
-               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
+               if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
                        return;
                }
        }
@@ -4178,7 +4178,7 @@ PHP_FUNCTION(imagepsencodefont)
        char *enc, **enc_vector;
        int enc_len, *f_ind;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) {
                return;
        }
 
index bd9dcca59fd2de27047851d792a810ed7c1e59de..f5988c9c6645737a1fb2d4ad7d9d8b5abdd23604 100644 (file)
@@ -142,6 +142,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_
        }
        if (isfilename) {
                if (CHECK_NULL_PATH(data, data_len)) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
                        RETURN_FALSE;
                }
                stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
@@ -222,6 +223,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename,
                RETURN_FALSE;
        }
        if (isfilename) {
+               if (CHECK_NULL_PATH(data, data_len)) {
+                       php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+                       RETURN_FALSE;
+               }
                stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
                if (!stream) {
                        /* Stream will report errors opening file */
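Review bot: Nothing at this check explains why `data` is validated by hand instead of being parsed with `p` as in the other files of this commit. The `isfilename` guard suggests `data` is a path only on this branch and raw input otherwise, presumably the reason a blanket `p` would be wrong here. A comment above the added block such as `/* data is a path only when isfilename is set; otherwise it is raw input and may legitimately contain NUL bytes */` would record that. The same comment fits the matching block in `php_hash_do_hash` in the previous hunk. The function body continues outside the hunk.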
@@ -449,7 +454,7 @@ PHP_FUNCTION(hash_update_file)
        char *filename, buf[1024];
        int filename_len, n;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
                return;
        }
 
index 42ab122285ce6178367711bd1c43d0c1a63b2977..26ba8aacbeced1132d52406362fe4d670571a245 100644 (file)
@@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg);
 echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n";
 hash_hmac_file('foo', $file, $key, TRUE);
 
+echo "\n-- Testing hash_hmac_file() function with bad path --\n";
+hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE);
+
 ?>
 ===Done===
 --EXPECTF--
@@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d
 -- Testing hash_hmac_file() function with invalid hash algorithm --
 
 Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d
+
+-- Testing hash_hmac_file() function with bad path --
+
+Warning: hash_hmac_file(): Invalid path in %s on line %d
 ===Done===
\ No newline at end of file
index eb557777583f15e591c45ae9f43578ee6be85db4..cd51143c903be8f8cb5552a77a2845a31c49d927 100644 (file)
@@ -3014,7 +3014,7 @@ PHP_FUNCTION(pg_trace)
        php_stream *stream;
        id = PGG(default_link);
 
-       if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
+       if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
                return;
        }
 
index c57484e766f3c2825ef2ab8999d077b5bfee2fab..686dd3e306b796af1c1894ef446e8cabfb4a2a10 100644 (file)
@@ -59,7 +59,7 @@ PHP_FUNCTION(readlink)
        char buff[MAXPATHLEN];
        int ret;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) {
                return;
        }
 
index b1b318044ea5f0b16a2d36346c6225ae188ed65c..b8f15e32c2f56275d5c23f1cf8864c2d4dcc2b13 100644 (file)
@@ -1549,7 +1549,7 @@ PHP_FUNCTION(stream_resolve_include_path)
        char *filename, *resolved_path;
        int filename_len;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) {
                return;
        }
 
index 7bc35dabc41a9671ab5e132890f6b3cbd8fcb29a..acb87541d825add8288b761ce9ecebbe532ffed6 100644 (file)
@@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity)
 /* }}} */
 #endif
 
-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source)
+/* {{{ proto resource xmlwriter_open_uri(string source)
 Create new xmlwriter using source uri for output */
 static PHP_FUNCTION(xmlwriter_open_uri)
 {
@@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri)
        void *ioctx;
 #endif
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) {
                return;
        }
        
index 705fb5dd5f6d95b9ced2619417cc10603672fed1..431dfde54723e86aae5df325b8922862313ad245 100644 (file)
@@ -581,7 +581,7 @@ static PHP_FUNCTION(gzopen)
        php_stream *stream;
        long use_include_path = 0;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
                return;
        }
 
@@ -609,7 +609,7 @@ static PHP_FUNCTION(readgzfile)
        int size;
        long use_include_path = 0;
 
-       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) {
+       if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) {
                return;
        }