From: Stanislav Malyshev Date: Tue, 2 Feb 2016 03:55:09 +0000 (-0800) Subject: Merge branch 'PHP-5.6.18' into PHP-7.0.3 X-Git-Tag: php-7.0.3~8 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=e231830f1683e753a4d6d107d69e4e0aa67a4be6;p=php Merge branch 'PHP-5.6.18' into PHP-7.0.3 * PHP-5.6.18: fix tests fix NEWS Update NEWS update NEWS Fixed bug #71488: Stack overflow when decompressing tar archives update NEWS add missing headers for SIZE_MAX backport the escapeshell* functions hardening branch add tests Fix bug #71459 - Integer overflow in iptcembed() prepare 5.6.18RC1 Fix test when run with openssl < 1.0.2 (reorder so no more SSLv2 message) Fix skip message to work improve fix for bug #71201 Fixed bug #71323 - Output of stream_get_meta_data can be falsified by its input Fix bug #71391: NULL Pointer Dereference in phar_tar_setupmetadata() Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream() Fix bug #71335: Type Confusion in WDDX Packet Deserialization Fix bug #71354 - remove UMR when size is 0 Conflicts: configure.in ext/phar/dirstream.c ext/phar/phar_object.c ext/phar/tar.c ext/standard/exec.c ext/standard/iptc.c ext/standard/math.c ext/standard/streamsfuncs.c ext/wddx/wddx.c main/php_version.h main/streams/memory.c --- e231830f1683e753a4d6d107d69e4e0aa67a4be6 diff --cc ext/phar/dirstream.c index ce6bffecbd,f843501b58..33dfffc3c0 --- a/ext/phar/dirstream.c +++ b/ext/phar/dirstream.c @@@ -199,13 -198,13 +199,14 @@@ static php_stream *phar_make_dirstream( zend_hash_internal_pointer_reset(manifest); while (FAILURE != zend_hash_has_more_elements(manifest)) { + keylen = 0; - if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { + if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key(manifest, &str_key, &unused)) { break; } + keylen = ZSTR_LEN(str_key); if (keylen <= (uint)dirlen) { - if (keylen < (uint)dirlen || !strncmp(ZSTR_VAL(str_key), dir, dirlen)) { - if (keylen == 0 || keylen 
< (uint)dirlen || !strncmp(str_key, dir, dirlen)) { ++ if (keylen == 0 || keylen < (uint)dirlen || !strncmp(ZSTR_VAL(str_key), dir, dirlen)) { if (SUCCESS != zend_hash_move_forward(manifest)) { break; } diff --cc ext/phar/tar.c index 5182633513,1fcfe52756..3b5158b5f1 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@@ -195,15 -195,23 +195,23 @@@ static int phar_tar_process_metadata(ph } /* }}} */ + #if !HAVE_STRNLEN + static size_t strnlen(const char *s, size_t maxlen) { + char *r = (char *)memchr(s, '\0', maxlen); + return r ? r-s : maxlen; + } + #endif + -int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error TSRMLS_DC) /* {{{ */ +int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, int alias_len, phar_archive_data** pphar, int is_data, php_uint32 compression, char **error) /* {{{ */ { char buf[512], *actual_alias = NULL, *p; phar_entry_info entry = {0}; size_t pos = 0, read, totalsize; tar_header *hdr; php_uint32 sum1, sum2, size, old; - phar_archive_data *myphar, **actual; + phar_archive_data *myphar, *actual; int last_was_longlink = 0; + int linkname_len; if (error) { *error = NULL; @@@ -264,8 -272,8 +272,8 @@@ goto next; } - if (((!old && hdr->prefix[0] == 0) || old) && strlen(hdr->name) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) { + if (((!old && hdr->prefix[0] == 0) || old) && strnlen(hdr->name, 100) == sizeof(".phar/signature.bin")-1 && !strncmp(hdr->name, ".phar/signature.bin", sizeof(".phar/signature.bin")-1)) { - off_t curloc; + zend_off_t curloc; if (size > 511) { if (error) { @@@ -472,30 -482,25 +480,32 @@@ bail } entry.link = NULL; - + /* link field is null-terminated unless it has 100 non-null chars. + * Thus we can not use strlen. 
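Review bot: In phar_make_dirstream (ext/phar/dirstream.c) the merged loop assigns `keylen = ZSTR_LEN(str_key);` right after the key lookup, so the `keylen = 0;` carried over from the 5.6 side is a dead store and no longer guards anything. zend_hash_get_current_key() only writes str_key for string keys, so if the manifest could ever yield an integer key, ZSTR_LEN would read whatever str_key held before; its declaration and initial value are outside the hunk. I would test the key type instead, `if (HASH_KEY_IS_STRING != zend_hash_get_current_key(manifest, &str_key, &unused)) { break; }`, and drop the `keylen = 0;` line. Whether a non-string key is reachable here cannot be told from the hunk, and the function body starts and ends outside it.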
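Review bot: The fallback `strnlen` added under `#if !HAVE_STRNLEN` in ext/phar/tar.c casts the memchr result to `char *`, which discards the const of `s`, and returns a pointer difference with no explicit conversion to size_t. `const char *r = memchr(s, '\0', maxlen);` followed by `return r ? (size_t)(r - s) : maxlen;` keeps the qualifier and the types straight. A one-line comment that this is the bounded length used for tar header fields, which need not be NUL-terminated, would also help, since this hunk only declares `linkname_len` and the uses are in later hunks. The body of phar_parse_tarfile continues outside the hunk.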
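Review bot: The bound in `strnlen(hdr->name, 100)` is a bare literal that has to match the size of the header field, and the same literal is repeated in `strnlen(hdr->linkname, 100)` in the later @@@ -472,30 hunk of this file. If `name` and `linkname` are fixed-size arrays in tar_header (the declaration is not on this page), `strnlen(hdr->name, sizeof(hdr->name))` and `strnlen(hdr->linkname, sizeof(hdr->linkname))` keep the bound tied to the structure, so it cannot drift from it. The surrounding function starts and ends outside the hunk.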
*/ + linkname_len = strnlen(hdr->linkname, 100); if (entry.tar_type == TAR_LINK) { - if (!zend_hash_str_exists(&myphar->manifest, hdr->linkname, strlen(hdr->linkname))) { - if (!zend_hash_exists(&myphar->manifest, hdr->linkname, linkname_len)) { ++ if (!zend_hash_str_exists(&myphar->manifest, hdr->linkname, linkname_len)) { if (error) { - spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%s\"", fname, hdr->linkname); + spprintf(error, 4096, "phar error: \"%s\" is a corrupted tar file - hard link to non-existent file \"%.*s\"", fname, linkname_len, hdr->linkname); } pefree(entry.filename, entry.is_persistent); php_stream_close(fp); - phar_destroy_phar_data(myphar TSRMLS_CC); + phar_destroy_phar_data(myphar); return FAILURE; } - entry.link = estrdup(hdr->linkname); + entry.link = estrndup(hdr->linkname, linkname_len); } else if (entry.tar_type == TAR_SYMLINK) { - entry.link = estrdup(hdr->linkname); + entry.link = estrndup(hdr->linkname, linkname_len); } - phar_set_inode(&entry TSRMLS_CC); - zend_hash_add(&myphar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info), (void **) &newentry); + phar_set_inode(&entry); + if ((newentry = zend_hash_str_add_mem(&myphar->manifest, entry.filename, entry.filename_len, (void*)&entry, sizeof(phar_entry_info))) == NULL) { + if (error) { + spprintf(error, 4096, "phar error: tar-based phar \"%s\" cannot be registered", entry.filename); + } + php_stream_close(fp); + phar_destroy_phar_data(myphar); + return FAILURE; + } if (entry.is_persistent) { ++entry.manifest_pos; diff --cc ext/standard/streamsfuncs.c index de0f016947,259d90f8da..c2f200eedd --- a/ext/standard/streamsfuncs.c +++ b/ext/standard/streamsfuncs.c @@@ -507,16 -498,24 +507,22 @@@ PHP_FUNCTION(stream_get_meta_data array_init(return_value); + if (!php_stream_populate_meta_data(stream, return_value)) { + add_assoc_bool(return_value, "timed_out", 0); + add_assoc_bool(return_value, "blocked", 
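Review bot: The new failure branch after `zend_hash_str_add_mem(&myphar->manifest, ...)` in ext/phar/tar.c returns FAILURE without releasing `entry.filename`, although the hard-link failure branch a few lines above calls `pefree(entry.filename, entry.is_persistent);` before it closes the stream. `entry.link`, allocated with estrndup just before for TAR_LINK and TAR_SYMLINK entries, looks to be leaked on that path as well. Unless phar_destroy_phar_data() takes ownership of the unregistered entry, which is not visible here, I would add `pefree(entry.filename, entry.is_persistent);` and `if (entry.link) { efree(entry.link); }` before `php_stream_close(fp);` in that branch. The hunk sits in the middle of phar_parse_tarfile, whose body starts and ends outside it.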
1); + add_assoc_bool(return_value, "eof", php_stream_eof(stream)); + } + - if (stream->wrapperdata) { - MAKE_STD_ZVAL(newval); - MAKE_COPY_ZVAL(&stream->wrapperdata, newval); - - add_assoc_zval(return_value, "wrapper_data", newval); + if (!Z_ISUNDEF(stream->wrapperdata)) { + Z_ADDREF_P(&stream->wrapperdata); + add_assoc_zval(return_value, "wrapper_data", &stream->wrapperdata); } if (stream->wrapper) { - add_assoc_string(return_value, "wrapper_type", (char *)stream->wrapper->wops->label, 1); + add_assoc_string(return_value, "wrapper_type", (char *)stream->wrapper->wops->label); } - add_assoc_string(return_value, "stream_type", (char *)stream->ops->label, 1); + add_assoc_string(return_value, "stream_type", (char *)stream->ops->label); - add_assoc_string(return_value, "mode", stream->mode, 1); + add_assoc_string(return_value, "mode", stream->mode); #if 0 /* TODO: needs updating for new filter API */ if (stream->filterhead) { @@@ -537,14 -536,9 +543,9 @@@ add_assoc_bool(return_value, "seekable", (stream->ops->seek) && (stream->flags & PHP_STREAM_FLAG_NO_SEEK) == 0); if (stream->orig_path) { - add_assoc_string(return_value, "uri", stream->orig_path, 1); + add_assoc_string(return_value, "uri", stream->orig_path); } - if (!php_stream_populate_meta_data(stream, return_value)) { - add_assoc_bool(return_value, "timed_out", 0); - add_assoc_bool(return_value, "blocked", 1); - add_assoc_bool(return_value, "eof", php_stream_eof(stream)); - } } /* }}} */ diff --cc ext/wddx/wddx.c index c0971f8974,93526f56a1..ca7b711682 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@@ -912,14 -976,15 +912,15 @@@ static void php_wddx_pop_element(void * if (ent1->varname) { if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) && - Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data) && ent2->type == ST_STRUCT) { - Z_TYPE_P(ent1->data) == IS_STRING && Z_STRLEN_P(ent1->data) && - ent2->type == ST_STRUCT && Z_TYPE_P(ent2->data) == IS_ARRAY) { ++ Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data) && ++ 
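Review bot: Nothing in PHP_FUNCTION(stream_get_meta_data) says why php_stream_populate_meta_data() now has to run before the other keys are added, and the order is the whole fix. The wrapper-supplied values go in first so that the `wrapper_type`, `stream_type`, `mode`, `seekable` and `uri` entries written afterwards replace any entry of the same name. I would add a comment above the moved block, for example `/* populate wrapper-supplied metadata first; the keys set below must override it */`, so a later cleanup does not move it back to the end; the old block is removed in the following @@@ -537,14 hunk of the same file. Separately, `Z_ADDREF_P(&stream->wrapperdata)` assumes the value is refcounted; if wrapperdata can ever hold a scalar, `Z_TRY_ADDREF(stream->wrapperdata)` would be the safer form.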
ent2->type == ST_STRUCT && Z_TYPE(ent2->data) == IS_ARRAY) { zend_bool incomplete_class = 0; - zend_str_tolower(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data)); - if (zend_hash_find(EG(class_table), Z_STRVAL_P(ent1->data), - Z_STRLEN_P(ent1->data)+1, (void **) &pce)==FAILURE) { + zend_str_tolower(Z_STRVAL(ent1->data), Z_STRLEN(ent1->data)); + zend_string_forget_hash_val(Z_STR(ent1->data)); + if ((pce = zend_hash_find_ptr(EG(class_table), Z_STR(ent1->data))) == NULL) { incomplete_class = 1; - pce = &PHP_IC_ENTRY; + pce = PHP_IC_ENTRY; } /* Initialize target object */ diff --cc main/streams/memory.c index e2695ff2d9,7469249e5f..09da047d86 --- a/main/streams/memory.c +++ b/main/streams/memory.c @@@ -697,7 -697,9 +697,9 @@@ static php_stream * php_stream_url_wrap plen = sep - path; vlen = (semi ? semi - sep : mlen - plen) - 1 /* '=' */; key = estrndup(path, plen); - add_assoc_stringl_ex(&meta, key, plen, sep + 1, vlen); + if (plen != sizeof("mediatype")-1 || memcmp(key, "mediatype", sizeof("mediatype")-1)) { - add_assoc_stringl_ex(meta, key, plen + 1, sep + 1, vlen, 1); ++ add_assoc_stringl_ex(&meta, key, plen, sep + 1, vlen); + } efree(key); plen += vlen + 1; mlen -= plen;
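Review bot: The added `Z_TYPE(ent2->data) == IS_ARRAY` condition in php_wddx_pop_element is the type guard of this fix, but it has no comment. Presumably the code below treats ent2->data as the struct's property array, so I would add `/* ent2 must really hold an array before it is used as the object's properties */` above the condition. Also, `zend_str_tolower(Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));` rewrites the class-name string in place, which is only safe while that zend_string is neither interned nor shared, and the hunk does not show how ent1->data was built. Looking up a lowercased copy, `zend_string *lc = zend_string_tolower(Z_STR(ent1->data));` released after `zend_hash_find_ptr(EG(class_table), lc)`, would remove that assumption, provided nothing later relies on the lowercased value. The function body starts and ends outside the hunk.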
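Review bot: The new `if (plen != sizeof("mediatype")-1 || memcmp(key, "mediatype", sizeof("mediatype")-1))` in main/streams/memory.c silently drops a parameter named exactly `mediatype`, and the reason is not obvious from the line. I would add a comment above it such as `/* a "mediatype" parameter must not replace the media type the wrapper reports itself */`, assuming that is the intent. The comparison is byte-exact, so other spellings produce different array keys and are still stored. Since `key` is only needed inside the branch, the test could read `path` directly and the estrndup/efree pair could move inside it. The enclosing function starts and ends outside the hunk.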