Fix bug #68095 - invalid read in php_getopt()
authorStanislav Malyshev <stas@php.net>
Tue, 28 Oct 2014 02:04:46 +0000 (19:04 -0700)
committerStanislav Malyshev <stas@php.net>
Tue, 28 Oct 2014 02:06:44 +0000 (19:06 -0700)
It's a hacky and incomplete solution, but I don't see another way
without refactoring the whole getopt protocol.

NEWS
main/getopt.c

diff --git a/NEWS b/NEWS
index c7fd7afe4a5a07bf47be42e2edc8bce69e43666f..15a2951377ca0ff9a6b4d3ccd2337062adf1d955 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2014, PHP 5.5.19
 
 - Core:
+  . Fixed bug #68095 (AddressSanitizer reports a heap buffer overflow in 
+    php_getopt()). (Stas)
   . Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined). (Nikita)
   . Fixed bug #68129 (parse_url() - incomplete support for empty usernames
     and passwords) (Tjerk)
index a31a6c75d5831fccb3f289f671cc36af108bc0ac..258173fc22c921b16dbc0729d05143d9b0bb444b 100644 (file)
@@ -59,9 +59,17 @@ PHPAPI int php_getopt(int argc, char* const *argv, const opt_struct opts[], char
 {
        static int optchr = 0;
        static int dash = 0; /* have already seen the - */
+       static char **prev_optarg = NULL;
 
        php_optidx = -1;
 
+       if(prev_optarg && prev_optarg != optarg) {
+               /* reset the state */
+               optchr = 0;
+               dash = 0;
+       }
+       prev_optarg = optarg;
+
        if (*optind >= argc) {
                return(EOF);
        }
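Review bot: The reset at `if(prev_optarg && prev_optarg != optarg)` keys only on the address of the caller's optarg storage, so a caller that begins a new argv while passing the same `optarg` pointer as the previous parse keeps the stale `optchr` and `dash`. In that case the invalid read this commit targets can presumably still occur where `optchr` indexes the current argument, which is below the hunk and not visible here. Since the commit message already calls the fix incomplete, I would record the limit in the code, e.g. `/* reset is detected only by a changed optarg address; a new argv parsed with the same optarg keeps the old optchr/dash */`. A stronger guard, if it fits the code below, is to check `optchr` against the length of `argv[*optind]` before indexing and reset when it is out of range. The added `prev_optarg` is one more function-level static shared by every caller, so the state is also not safe for concurrent parses.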