From: Stanislav Malyshev Date: Tue, 21 Jun 2016 07:24:32 +0000 (-0700) Subject: Merge branch 'PHP-5.6.23' into PHP-7.0.8 X-Git-Tag: php-7.0.8~7 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=2a65544f788654946bfe49e114efa748246fdd52;p=php Merge branch 'PHP-5.6.23' into PHP-7.0.8 * PHP-5.6.23: (24 commits) iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow update NEWS fix tests fix build Fix bug #72455: Heap Overflow due to integer overflows Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize Fix bug #72407: NULL Pointer Dereference at _gdScaleVert Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free Fix bug #72298 pass2_no_dither out-of-bounds access Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow Fix bug #72262 - do not overflow int Fix bug #72400 and #72403 - prevent signed int overflows for string lengths Fix bug #72275: don't allow smart_str to overflow int Fix bug #72340: Double Free Courruption in wddx_deserialize update NEWS Fix #66387: Stack overflow with imagefilltoborder Fix bug #72321 - use efree() for emalloc allocation 5.6.23RC1 Fix bug #72140 (segfault after calling ERR_free_strings()) ... 
Conflicts: configure.in ext/mbstring/php_mbregex.c ext/mcrypt/mcrypt.c ext/spl/spl_array.c ext/spl/spl_directory.c ext/standard/php_smart_str.h ext/standard/string.c ext/standard/url.c ext/wddx/wddx.c ext/zip/php_zip.c main/php_version.h --- 2a65544f788654946bfe49e114efa748246fdd52 diff --cc ext/mbstring/php_mbregex.c index 73c94da5e9,67951a828e..b59e0d9b0d --- a/ext/mbstring/php_mbregex.c +++ b/ext/mbstring/php_mbregex.c @@@ -974,17 -971,15 +974,16 @@@ static void _php_mb_regex_ereg_replace_ arg_replace_fci.param_count = 1; arg_replace_fci.params = args; - arg_replace_fci.retval_ptr_ptr = &retval_ptr; - if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) { - convert_to_string_ex(&retval_ptr); - smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr)); - eval_buf.len = 0; - zval_ptr_dtor(&retval_ptr); + arg_replace_fci.retval = &retval; + if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache) == SUCCESS && + !Z_ISUNDEF(retval)) { + convert_to_string_ex(&retval); + smart_str_appendl(&out_buf, Z_STRVAL(retval), Z_STRLEN(retval)); + smart_str_free(&eval_buf); + zval_ptr_dtor(&retval); } else { - efree(description); if (!EG(exception)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function"); + php_error_docref(NULL, E_WARNING, "Unable to call custom replacement function"); } } zval_ptr_dtor(&subpats); diff --cc ext/mcrypt/mcrypt.c index 073bfec775,7539d9e53f..fb5c638c97 --- a/ext/mcrypt/mcrypt.c +++ b/ext/mcrypt/mcrypt.c @@@ -636,21 -660,26 +636,25 @@@ PHP_FUNCTION(mcrypt_generic /* Check blocksize */ if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ block_size = mcrypt_enc_get_block_size(pm->td); - data_size = (((data_len - 1) / block_size) + 1) * block_size; + data_size = ((((int)data_len - 1) / block_size) + 1) * block_size; + if (data_size <= 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, 
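Review bot: The dropped `efree(description);` in the else branch has no comment explaining why, so the next person to see the failure path "leak" will be tempted to put it back and reintroduce the double free the merge message attributes to bug #72402. Add a why-comment at that spot, e.g. `/* description is released once after the loop, not per failed callback (bug #72402) */`, hedged on where the single release actually happens since _php_mb_regex_ereg_replace_exec starts and ends outside this hunk. The 7.0 side also replaces the 5.6 `eval_buf.len = 0;` with `smart_str_free(&eval_buf);`, which is the right PHP 7 idiom, so no change is needed there.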
"Integer overflow in data size"); + RETURN_FALSE; + } - data_s = emalloc(data_size + 1); - memset(data_s, 0, data_size); - memcpy(data_s, data, data_len); + data_str = zend_string_alloc(data_size, 0); + memset(ZSTR_VAL(data_str), 0, data_size); + memcpy(ZSTR_VAL(data_str), data, data_len); } else { /* It's not a block algorithm */ - data_size = data_len; - data_s = emalloc(data_size + 1); - memset(data_s, 0, data_size); - memcpy(data_s, data, data_len); + data_size = (int)data_len; + data_str = zend_string_alloc(data_size, 0); + memset(ZSTR_VAL(data_str), 0, data_size); + memcpy(ZSTR_VAL(data_str), data, data_len); } - mcrypt_generic(pm->td, data_s, data_size); - data_s[data_size] = '\0'; + mcrypt_generic(pm->td, ZSTR_VAL(data_str), data_size); + ZSTR_VAL(data_str)[data_size] = '\0'; - RETVAL_STRINGL(data_s, data_size, 1); - efree(data_s); + RETVAL_NEW_STR(data_str); } /* }}} */ @@@ -682,8 -709,12 +686,12 @@@ PHP_FUNCTION(mdecrypt_generic /* Check blocksize */ if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ block_size = mcrypt_enc_get_block_size(pm->td); - data_size = (((data_len - 1) / block_size) + 1) * block_size; + data_size = ((((int)data_len - 1) / block_size) + 1) * block_size; - data_s = emalloc(data_size + 1); + if (data_size <= 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); + RETURN_FALSE; + } - data_s = emalloc(data_size + 1); ++ data_s = emalloc((size_t)data_size + 1); memset(data_s, 0, data_size); memcpy(data_s, data, data_len); } else { /* It's not a block algorithm */ diff --cc ext/wddx/wddx.c index 330cb49f08,2cbad93c3e..34b8eeb87f --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@@ -1019,8 -1105,9 +1019,9 @@@ static void php_wddx_process_data(void zval_ptr_dtor(&ent->data); if (ent->varname) { efree(ent->varname); + ent->varname = NULL; } - ent->data = NULL; + ZVAL_UNDEF(&ent->data); } break; diff --cc ext/zip/php_zip.c index 88bb518442,47477ac256..bdcba78b21 --- a/ext/zip/php_zip.c +++ 
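Review bot: The new `data_size <= 0` guard in mcrypt_generic checks the result of the arithmetic, not the `(int)data_len` narrowing that feeds it, so a size_t length above INT_MAX can be truncated to a small positive int (or to a small negative one, which the truncating division turns back into a positive block count) and pass the check; the following `memcpy(ZSTR_VAL(data_str), data, data_len)` then copies the full `data_len` into a `data_size`-byte allocation. Reaching this needs a multi-gigabyte argument, so memory_limit probably prevents it in practice, but the check as written does not. Bound `data_len` before narrowing and keep the arithmetic in size_t, as below; this keeps the original rounding, so it assumes `data_len == 0` is rejected above the hunk as the 5.6 code does (verify), and needs `<limits.h>` for INT_MAX if the file does not already include it. The multiply `* block_size` on a signed int is also undefined on overflow, which the size_t form avoids. As a style point, the 7.0 side of this merge still passes `TSRMLS_CC`, which is an empty macro on 7.0; the rest of the 7.0 tree (see the mbregex hunk) drops it.

```c
		block_size = mcrypt_enc_get_block_size(pm->td);
		/* Bound the size_t length before it is narrowed: (int)data_len can wrap to a
		 * small positive value that a check on data_size alone does not catch. */
		if (data_len > (size_t)(INT_MAX - block_size)) {
			php_error_docref(NULL, E_WARNING, "Integer overflow in data size");
			RETURN_FALSE;
		}
		data_size = (int)((((data_len - 1) / block_size) + 1) * block_size);
		/* … unchanged: zend_string_alloc / memset / memcpy … */
```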
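Review bot: In mdecrypt_generic the same `(int)data_len` narrowing precedes the new `data_size <= 0` test, so a size_t length that truncates to a small int slips through and `memcpy(data_s, data, data_len)` overruns the `emalloc((size_t)data_size + 1)` buffer; casting `data_size` back to size_t for the allocation does not help once the value is already wrong. Guard the input instead of the output: `if (data_len > (size_t)(INT_MAX - block_size)) { php_error_docref(NULL, E_WARNING, "Integer overflow in data size"); RETURN_FALSE; }` and compute `data_size = (int)((((data_len - 1) / block_size) + 1) * block_size);` in size_t. This assumes an empty string is rejected earlier in the function, which starts outside the hunk. Practically the input has to exceed 2 GiB, so this is a hardening point rather than a reachable bug under default memory limits.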
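Review bot: The two new lines in php_wddx_process_data, `ent->varname = NULL;` after the `efree` and `ZVAL_UNDEF(&ent->data);` after the dtor, are the whole fix for the double free the merge message lists as bug #72340, yet nothing at the site says so, and a reader seeing a freed pointer being cleared in a `break` arm will not know which later path depends on it. Add a why-comment on the first of them, e.g. `/* the entry is torn down again later; clear both so that pass cannot free them twice (bug #72340) */`, worded as "presumably on a later stack pop" unless the second release is confirmed, since the enclosing function starts outside this hunk.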
b/ext/zip/php_zip.c @@@ -958,15 -1042,28 +958,23 @@@ static int php_zip_has_property(zval *o } /* }}} */ -static HashTable *php_zip_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */ ++static HashTable *php_zip_get_gc(zval *object, zval **gc_data, int *gc_data_count) /* {{{ */ + { + *gc_data = NULL; + *gc_data_count = 0; - return zend_std_get_properties(object TSRMLS_CC); ++ return zend_std_get_properties(object); + } + /* }}} */ + -static HashTable *php_zip_get_properties(zval *object TSRMLS_DC)/* {{{ */ +static HashTable *php_zip_get_properties(zval *object)/* {{{ */ { ze_zip_object *obj; - zip_prop_handler *hnd; HashTable *props; - zval *val; - int ret; - char *key; - uint key_len; - HashPosition pos; - ulong num_key; + zip_prop_handler *hnd; + zend_string *key; - obj = (ze_zip_object *)zend_objects_get_address(object TSRMLS_CC); - props = zend_std_get_properties(object TSRMLS_CC); + obj = Z_ZIP_P(object); + props = zend_std_get_properties(object); if (obj->prop_handler == NULL) { return NULL; @@@ -3009,11 -3043,11 +3017,12 @@@ static PHP_MINIT_FUNCTION(zip zend_class_entry ce; memcpy(&zip_object_handlers, zend_get_std_object_handlers(), sizeof(zend_object_handlers)); - zip_object_handlers.clone_obj = NULL; + zip_object_handlers.offset = XtOffsetOf(ze_zip_object, zo); + zip_object_handlers.free_obj = php_zip_object_free_storage; + zip_object_handlers.clone_obj = NULL; zip_object_handlers.get_property_ptr_ptr = php_zip_get_property_ptr_ptr; + zip_object_handlers.get_gc = php_zip_get_gc; zip_object_handlers.get_properties = php_zip_get_properties; zip_object_handlers.read_property = php_zip_read_property; zip_object_handlers.has_property = php_zip_has_property;
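Review bot: The new `php_zip_get_gc` deliberately bypasses `php_zip_get_properties` and hands the collector the standard table with no extra roots, but it carries no comment, so the link to bug #72434 (the GC/unserialize use-after-free in the merge message) is invisible and someone "simplifying" it to call the zip getter would undo the fix. Add `/* GC walks only the standard property table: php_zip_get_properties() below can return NULL when no prop_handler is set and is not safe for the collector (bug #72434) */` above the function. Separately, `php_zip_get_properties` still returns NULL on the `obj->prop_handler == NULL` path; engine callers of get_properties that do not check for NULL would dereference it, which I cannot confirm from this hunk, but returning `props` there instead of NULL would be the safer choice.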