From: Stanislav Malyshev Date: Tue, 19 Jul 2016 08:35:58 +0000 (-0700) Subject: Merge branch 'PHP-5.6' into PHP-7.0 X-Git-Tag: php-7.1.0beta1~28^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b00f8f2a5bae651d6375ca34c676963f1f25ee5a;p=php Merge branch 'PHP-5.6' into PHP-7.0 * PHP-5.6: fix #72519, possible OOB using imagegif fix #72512, invalid read or write for palette image when invalid transparent index is used Apparently some envs miss SIZE_MAX Fix tests Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c Fix for bug #72558, Integer overflow error within _gdContributionsAlloc() Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE Fix bug #72562 - destroy var_hash properly Fix bug #72533 (locale_accept_from_http out-of-bounds access) Fix fir bug #72520 Fix for bug #72513 Fix for bug #72513 CS fix and comments with bug ID Fix for HTTP_PROXY issue. 
5.6.24RC1 add tests for bug #72512 Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access Fixed bug #72479 - same as #72434 Conflicts: Zend/zend_virtual_cwd.c ext/bz2/bz2.c ext/exif/exif.c ext/session/session.c ext/snmp/snmp.c ext/standard/basic_functions.c main/SAPI.c main/php_variables.c --- b00f8f2a5bae651d6375ca34c676963f1f25ee5a diff --cc ext/exif/exif.c index 777694538b,5564de4b4a..cf221419d5 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@@ -2624,15 -2634,17 +2625,16 @@@ static int exif_process_user_comment(im } else { decode = ImageInfo->decode_unicode_le; } - to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC); - from = zend_multibyte_fetch_encoding(decode TSRMLS_CC); ++ to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode); ++ from = zend_multibyte_fetch_encoding(decode); /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ - if (zend_multibyte_encoding_converter( + if (!to || !from || zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, (unsigned char*)szValuePtr, ByteCount, - zend_multibyte_fetch_encoding(ImageInfo->encode_unicode), - zend_multibyte_fetch_encoding(decode) - ) == (size_t)-1) { + to, - from - TSRMLS_CC) == (size_t)-1) { ++ from) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } return len; @@@ -2646,14 -2658,16 +2648,15 @@@ szValuePtr = szValuePtr+8; ByteCount -= 8; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ - if (zend_multibyte_encoding_converter( - to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC); - from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC); ++ to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis); ++ from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? 
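Review bot: The new `!to || !from` guard sends an unknown encoding name down the same silent fallback as a failed conversion (exif_process_string_raw() on the raw bytes), but the only comment on that branch, the XXX note, still talks only about the converter's return value, so a reader cannot tell that the NULL case is deliberate. I would replace the XXX comment with `/* fall back to the raw bytes if either encoding name is unknown (NULL) or the conversion fails; a converter error value other than SIZE_MAX would still slip through */`. The `to` and `from` locals are assigned here but declared above the hunk, so exif_process_user_comment starts outside it.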
ImageInfo->decode_jis_be : ImageInfo->decode_jis_le); + if (!to || !from || zend_multibyte_encoding_converter( (unsigned char**)pszInfoPtr, &len, (unsigned char*)szValuePtr, ByteCount, - zend_multibyte_fetch_encoding(ImageInfo->encode_jis), - zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le) - ) == (size_t)-1) { + to, - from - TSRMLS_CC) == (size_t)-1) { ++ from) == (size_t)-1) { len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount); } return len; @@@ -3049,7 -3078,10 +3067,10 @@@ static int exif_process_IFD_TAG(image_i break; case TAG_MAKER_NOTE: - exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement); - if (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement TSRMLS_CC)) { ++ if (!exif_process_IFD_in_MAKERNOTE(ImageInfo, value_ptr, byte_count, offset_base, IFDlength, displacement)) { + EFREE_IF(outside); + return FALSE; + } break; case TAG_EXIF_IFD_POINTER: diff --cc ext/intl/locale/locale_methods.c index 857c14a005,443856ff5e..32a70d2f7f --- a/ext/intl/locale/locale_methods.c +++ b/ext/intl/locale/locale_methods.c @@@ -1592,12 -1585,30 +1592,30 @@@ PHP_FUNCTION(locale_accept_from_http char resultLocale[INTL_MAX_LOCALE_LEN+1]; UAcceptResult outResult; - if(zend_parse_parameters( ZEND_NUM_ARGS() TSRMLS_CC, "s", &http_accept, &http_accept_len) == FAILURE) + if(zend_parse_parameters( ZEND_NUM_ARGS(), "s", &http_accept, &http_accept_len) == FAILURE) { intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, - "locale_accept_from_http: unable to parse input parameters", 0 TSRMLS_CC ); + "locale_accept_from_http: unable to parse input parameters", 0 ); RETURN_FALSE; } + if(http_accept_len > ULOC_FULLNAME_CAPACITY) { + /* check each fragment, if any bigger than capacity, can't do it due to bug #72533 */ + char *start = http_accept; + char *end; + size_t len; + do { + end = strchr(start, ','); + len = end ? 
end-start : http_accept_len-(start-http_accept); + if(len > ULOC_FULLNAME_CAPACITY) { + intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, + "locale_accept_from_http: locale string too long", 0 TSRMLS_CC ); + RETURN_FALSE; + } + if(end) { + start = end+1; + } + } while(end != NULL); + } available = ures_openAvailableLocales(NULL, &status); INTL_CHECK_STATUS(status, "locale_accept_from_http: failed to retrieve locale list"); diff --cc ext/snmp/snmp.c index 67e39f1645,b88cdcd14c..7b685ff5dc --- a/ext/snmp/snmp.c +++ b/ext/snmp/snmp.c @@@ -2071,9 -2093,17 +2071,17 @@@ static int php_snmp_has_property(zval * } /* }}} */ + static HashTable *php_snmp_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */ + { + *gc_data = NULL; + *gc_data_count = 0; + return zend_std_get_properties(object TSRMLS_CC); + } + /* }}} */ + /* {{{ php_snmp_get_properties(zval *object) Returns all object properties. Injects SNMP properties into object on first call */ -static HashTable *php_snmp_get_properties(zval *object TSRMLS_DC) +static HashTable *php_snmp_get_properties(zval *object) { php_snmp_object *obj; php_snmp_prop_handler *hnd; diff --cc ext/standard/basic_functions.c index 1eb8e1c02c,f7776d6e5b..c4505886d6 --- a/ext/standard/basic_functions.c +++ b/ext/standard/basic_functions.c @@@ -4014,19 -3991,19 +4014,22 @@@ PHP_FUNCTION(long2ip PHP_FUNCTION(getenv) { char *ptr, *str; - int str_len; + size_t str_len; + zend_bool local_only = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &str, &str_len) == FAILURE) { - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &local_only) == FAILURE) { ++ if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|b", &str, &str_len, &local_only) == FAILURE) { RETURN_FALSE; } - /* SAPI method returns an emalloc()'d string */ - ptr = sapi_getenv(str, str_len); - if (ptr) { - // TODO: avoid realocation ??? 
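Review bot: The error path inside the added fragment loop still passes `TSRMLS_CC` to intl_error_set() while every other call in this hunk drops it for 7.0; this presumably compiles only because the 7.0 tree keeps an empty compatibility macro, and it is the one line a later TSRMLS removal would miss. Change it to `"locale_accept_from_http: locale string too long", 0 );` to match the parse-failure call a few lines up. A one-line comment on the outer `if` would also help, since the reason the scan only runs when the whole string exceeds the capacity (a shorter total cannot contain a longer fragment) is not obvious: `/* only worth scanning fragments if the whole header could hold one longer than the ICU buffer */`. locale_accept_from_http continues past the hunk.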
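Review bot: php_snmp_get_gc is added with the PHP 5 handler shape, `zval ***gc_data, int *gc_data_count TSRMLS_DC`, and a `TSRMLS_CC` in its zend_std_get_properties() call, while php_snmp_get_properties in the same hunk drops `TSRMLS_DC` for 7.0. In this branch a zval is a value rather than a pointer, so if the engine's get_gc handler type here takes `zval **table, int *n` (confirm against zend_object_handlers.h), installing this function into the object handlers is a mismatched function pointer and the `*gc_data = NULL` store targets the wrong type. The declaration should read `static HashTable *php_snmp_get_gc(zval *object, zval **gc_data, int *gc_data_count) /* {{{ */` and the call `return zend_std_get_properties(object);`. The assignment into the SNMP object handlers is outside the hunk.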
- RETVAL_STRING(ptr); - efree(ptr); - return; + if (!local_only) { + /* SAPI method returns an emalloc()'d string */ - ptr = sapi_getenv(str, str_len TSRMLS_CC); ++ ptr = sapi_getenv(str, str_len); + if (ptr) { - RETURN_STRING(ptr, 0); ++ // TODO: avoid realocation ??? ++ RETVAL_STRING(ptr); ++ efree(ptr); ++ return; + } } #ifdef PHP_WIN32 { diff --cc ext/zip/zip_stream.c index a1f620182c,2095ddf838..d586233dee --- a/ext/zip/zip_stream.c +++ b/ext/zip/zip_stream.c @@@ -261,12 -253,13 +261,12 @@@ php_stream *php_stream_zip_opener(php_s const char *path, const char *mode, int options, - char **opened_path, - php_stream_context *context STREAMS_DC TSRMLS_DC) + zend_string **opened_path, + php_stream_context *context STREAMS_DC) { - int path_len; + size_t path_len; - char *file_basename; - size_t file_basename_len; + zend_string *file_basename; char file_dirname[MAXPATHLEN]; struct zip *za; diff --cc main/SAPI.c index 496bbfbd12,49ffc1c9a4..9029e2e570 --- a/main/SAPI.c +++ b/main/SAPI.c @@@ -1018,10 -1018,14 +1018,14 @@@ SAPI_API zend_stat_t *sapi_get_stat(voi } } -SAPI_API char *sapi_getenv(char *name, size_t name_len TSRMLS_DC) +SAPI_API char *sapi_getenv(char *name, size_t name_len) { + if (!strncasecmp(name, "HTTP_PROXY", name_len)) { + /* Ugly fix for HTTP_PROXY issue, see bug #72573 */ + return NULL; + } if (sapi_module.getenv) { - char *value, *tmp = sapi_module.getenv(name, name_len TSRMLS_CC); + char *value, *tmp = sapi_module.getenv(name, name_len); if (tmp) { value = estrdup(tmp); } else { diff --cc main/php_variables.c index 73274d7695,018e906582..5791990038 --- a/main/php_variables.c +++ b/main/php_variables.c @@@ -730,10 -804,27 +730,26 @@@ static zend_bool php_auto_globals_creat return 0; /* don't rearm */ } + /* Upgly hack to fix HTTP_PROXY issue, see bug #72573 */ + static void check_http_proxy(HashTable *var_table) + { - if (zend_hash_exists(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"))) { ++ if (zend_hash_str_exists(var_table, "HTTP_PROXY", 
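Review bot: The new `local_only` argument changes which environment getenv() consults, but nothing in the hunk documents it and the `proto` docblock above the function is not part of this change; if it still reads `proto string getenv(string varname)` it should become `proto string getenv(string varname[, bool local_only])`. The `if (!local_only)` branch would also benefit from `/* local_only: skip the SAPI's request-derived environment and fall through to the process environment */`, since that is the only reason the parameter exists and the fall-through target is not visible here. The OS getenv() path starting at `#ifdef PHP_WIN32` continues past the hunk.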
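Review bot: The added guard `!strncasecmp(name, "HTTP_PROXY", name_len)` matches every prefix of the literal, because only name_len characters are compared: a lookup of `HTTP_P`, `H`, or the empty name now returns NULL from this function too, not just `HTTP_PROXY`. Check the length before the compare, `if (name_len == sizeof("HTTP_PROXY") - 1 && !strncasecmp(name, "HTTP_PROXY", name_len)) {`. The comment should also say why the value is refused rather than calling it an ugly fix, e.g. `/* never expose HTTP_PROXY from the SAPI environment: it may be request-derived, see bug #72573 */`. sapi_getenv's tail continues outside the hunk.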
sizeof("HTTP_PROXY")-1)) { + char *local_proxy = getenv("HTTP_PROXY"); + + if (!local_proxy) { - zend_hash_del(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY")); ++ zend_hash_str_del(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY")-1); + } else { - zval *local_zval; - ALLOC_INIT_ZVAL(local_zval); - ZVAL_STRING(local_zval, local_proxy, 1); - zend_hash_update(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"), &local_zval, sizeof(zval **), NULL); ++ zval local_zval; ++ ZVAL_STRING(&local_zval, local_proxy); ++ zend_hash_str_update(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY")-1, &local_zval); + } + } + } + -static zend_bool php_auto_globals_create_server(const char *name, uint name_len TSRMLS_DC) +static zend_bool php_auto_globals_create_server(zend_string *name) { if (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) { - php_register_server_variables(TSRMLS_C); + php_register_server_variables(); if (PG(register_argc_argv)) { if (SG(request_info).argc) { @@@ -751,27 -843,41 +767,29 @@@ } } else { - zval *server_vars=NULL; - ALLOC_ZVAL(server_vars); - array_init(server_vars); - INIT_PZVAL(server_vars); - if (PG(http_globals)[TRACK_VARS_SERVER]) { - zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); - } - PG(http_globals)[TRACK_VARS_SERVER] = server_vars; + zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]); + array_init(&PG(http_globals)[TRACK_VARS_SERVER]); } - check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])); - zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL); - Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]); ++ check_http_proxy(Z_ARRVAL(PG(http_globals)[TRACK_VARS_SERVER])); + zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_SERVER]); + Z_ADDREF(PG(http_globals)[TRACK_VARS_SERVER]); return 0; /* don't rearm */ } -static zend_bool php_auto_globals_create_env(const char *name, uint name_len TSRMLS_DC) +static zend_bool 
php_auto_globals_create_env(zend_string *name) { - zval *env_vars = NULL; - ALLOC_ZVAL(env_vars); - array_init(env_vars); - INIT_PZVAL(env_vars); - if (PG(http_globals)[TRACK_VARS_ENV]) { - zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_ENV]); - } - PG(http_globals)[TRACK_VARS_ENV] = env_vars; + zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_ENV]); + array_init(&PG(http_globals)[TRACK_VARS_ENV]); if (PG(variables_order) && (strchr(PG(variables_order),'E') || strchr(PG(variables_order),'e'))) { - php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC); + php_import_environment_variables(&PG(http_globals)[TRACK_VARS_ENV]); } - check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV])); - zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_ENV], sizeof(zval *), NULL); - Z_ADDREF_P(PG(http_globals)[TRACK_VARS_ENV]); ++ check_http_proxy(Z_ARRVAL(PG(http_globals)[TRACK_VARS_ENV])); + zend_hash_update(&EG(symbol_table), name, &PG(http_globals)[TRACK_VARS_ENV]); + Z_ADDREF(PG(http_globals)[TRACK_VARS_ENV]); return 0; /* don't rearm */ }