Merge branch 'PHP-7.1' into PHP-7.2

* PHP-7.1:
  Fix #77919: Potential UAF in Phar RSHUTDOWN
  Update NEWS
  Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)
  Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 6f91dda8c24a4674d84579cc6227b9d7522ca7b9..aaa2e019a59fdc86f1cd442e7b03f86a59a4dd40 100644 (file)
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3040,11 +3040,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
                        /* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
                         * since we have no encoding support for the BOM yet we skip that.
                         */
-                       if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+                       if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
                                decode = "UCS-2BE";
                                szValuePtr = szValuePtr+2;
                                ByteCount -= 2;
-                       } else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+                       } else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
                                decode = "UCS-2LE";
                                szValuePtr = szValuePtr+2;
                                ByteCount -= 2;
@@ -3919,7 +3919,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
        size_t          length=2, pos=0;
        jpeg_sof_info   sof_info;
 
-       if (!data) {
+       if (!data || ImageInfo->Thumbnail.size < 4) {
                return FALSE; /* nothing to do here */
        }
        if (memcmp(data, "\xFF\xD8\xFF", 3)) {

diff --git a/ext/exif/tests/bug78222.jpg b/ext/exif/tests/bug78222.jpg
new file mode 100644 (file)
index 0000000..a96e16b
Binary files /dev/null and b/ext/exif/tests/bug78222.jpg differ

diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt
new file mode 100644 (file)
index 0000000..0e4ead3
--- /dev/null
+++ b/ext/exif/tests/bug78222.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__."/bug78222.jpg", 'THUMBNAIL', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
\ No newline at end of file

diff --git a/ext/exif/tests/bug78256.jpg b/ext/exif/tests/bug78256.jpg
new file mode 100644 (file)
index 0000000..56bf672
Binary files /dev/null and b/ext/exif/tests/bug78256.jpg differ

diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt
new file mode 100644 (file)
index 0000000..37a3f1d
--- /dev/null
+++ b/ext/exif/tests/bug78256.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #78256 (heap-buffer-overflow on exif_process_user_comment)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+@exif_read_data(__DIR__."/bug78256.jpg", 'COMMENT', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
\ No newline at end of file

diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 88619663f1115f4811c8bff8e5eb84982498dd73..2669413fe6543a9c23690e01de93784058744164 100644 (file)
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -2037,7 +2037,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext) /*
        char *newname = NULL, *newpath = NULL;
        zval ret, arg1;
        zend_class_entry *ce;
-       char *error;
+       char *error = NULL;
        const char *pcr_error;
        int ext_len = ext ? strlen(ext) : 0;
        size_t new_len, oldname_len, phar_ext_len;
@@ -2252,6 +2252,8 @@ its_ok:
        phar_flush(phar, 0, 0, 1, &error);
 
        if (error) {
+               zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len);
+               *sphar = NULL;
                zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error);
                efree(error);
                efree(oldpath);

diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
index 9c58d894881a153d64552861bd1f5f22b789be83..7f8f6c00af7d7f9deb03f5d6def931e05ca3e3e6 100644 (file)
--- a/ext/phar/tests/bug71488.phpt
+++ b/ext/phar/tests/bug71488.phpt
@@ -15,4 +15,7 @@ DONE
 ?>
 --EXPECTF--
 Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d
-Stack trace:%A
\ No newline at end of file
+Stack trace:
+#0 %s(%d): PharData->decompress('test')
+#1 {main}
+  thrown in %s on line %d