From 0fe07a0e7454b4e313ad9ef17e85638ae000f4e5 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Sun, 27 Jul 2014 02:40:27 -0700
Subject: [PATCH] Fix missing type checks in various functions
---
 NEWS | 29 +++++++++++++++++++----------
 ext/com_dotnet/com_com.c | 4 ++--
 ext/openssl/openssl.c | 12 ++++++------
 ext/openssl/tests/026.phpt | 12 ++++++++++++
 ext/session/session.c | 3 ++-
 5 files changed, 41 insertions(+), 19 deletions(-)
 create mode 100644 ext/openssl/tests/026.phpt
diff --git a/NEWS b/NEWS
index 0a5aea3d80..b444ea582d 100644
--- a/NEWS
+++ b/NEWS
@@ -14,11 +14,14 @@ PHP NEWS
 . Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas) . Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion) (CVE-2014-3515). (Stefan Esser) - . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). + . Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability). (Stefan Esser) - + +- COM: + . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas). + - Date: - . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712) + . Fixed bug #66060 (Heap buffer over-read in DateInterval). (CVE-2013-6712) (Remi) . Fixed bug #67251 (date_parse_from_format out-of-bounds read). (Stas) . Fixed bug #67253 (timelib_meridian_with_check out-of-bounds read). (Stas)
@@ -28,12 +31,12 @@ PHP NEWS
 - Fileinfo: . Fixed bug #66307 (Fileinfo crashes with powerpoint files). (Anatol) - . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary - check). (CVE-2014-0207) - . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). + . Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary + check). (CVE-2014-0207) + . Fixed bug #67327 (fileinfo: CDF infinite loop in nelements DoS). (CVE-2014-0238) - . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting in - performance degradation). (CVE-2014-0237) + . Fixed bug #67328 (fileinfo: fileinfo: numerous file_printf calls resulting + in performance degradation). (CVE-2014-0237) . Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal string size). (Francisco Alonso, Jan Kaluza, Remi) . Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary
@@ -47,11 +50,17 @@ PHP NEWS
 . Fixed bug #67349 (Locale::parseLocale Double Free). (Stas) . Fixed bug #67397 (Buffer overflow in locale_get_display_name and uloc_getDisplayName (libicu 4.8.1)). (Stas) - + - Network: - . Fixed bug #67432 (Fix potential segfault in dns_check_record()). + . Fixed bug #67432 (Fix potential segfault in dns_check_record()). (CVE-2014-4049). (Sara) +- OpenSSL: + . Fixed missing type checks in OpenSSL options (Yussuf Khalil, Stas). + +- Session: + . Fixed missing type checks in php_session_create_id (Yussuf Khalil, Stas). + 12 Dec 2013, PHP 5.3.28 - Openssl:
diff --git a/ext/com_dotnet/com_com.c b/ext/com_dotnet/com_com.c
index 02c475c41d..4fe25fca2e 100644
--- a/ext/com_dotnet/com_com.c
+++ b/ext/com_dotnet/com_com.c
@@ -698,9 +698,9 @@ PHP_FUNCTION(com_event_sink)
 /* 0 => typelibname, 1 => dispname */
 zval **tmp;
- if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS)
+ if (zend_hash_index_find(Z_ARRVAL_P(sink), 0, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING)
 typelibname = Z_STRVAL_PP(tmp);
- if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS)
+ if (zend_hash_index_find(Z_ARRVAL_P(sink), 1, (void**)&tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_STRING)
 dispname = Z_STRVAL_PP(tmp);
 } else if (sink != NULL) {
 convert_to_string(sink);
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 0d2d6442df..295d6b368a 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -649,7 +649,7 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
 return (time_t)-1;
 }
 
- if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+ if (ASN1_STRING_length(timestr) != strlen((char*)ASN1_STRING_data(timestr))) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
 return (time_t)-1;
 }
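Review bot: A present-but-non-string element at index 0 or 1 of the sink array is now ignored without any diagnostic, so typelibname and dispname silently keep whatever they held before (their initialization is outside the hunk); the openssl.c hunks at 765, 813, 1889 and 1967 introduce the same quiet fallback for their options. Since the caller supplied that entry deliberately, the rejection should be visible: give each guard an `else` branch with `php_error_docref(NULL TSRMLS_CC, E_WARNING, "sink array entry must be a string");` or state in a comment that wrong-typed entries are treated as absent. The body of com_event_sink starts and ends outside the hunk.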
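Review bot: The added `(char*)` cast only silences the pointer-type warning; the comparison still pits the `int` returned by ASN1_STRING_length() against the `size_t` from strlen(), which -Wsign-compare flags and which converts the int to unsigned before comparing. Casting the length explicitly keeps the intent visible: `if ((size_t)ASN1_STRING_length(timestr) != strlen((char*)ASN1_STRING_data(timestr))) {`. The check also depends on ASN1_STRING_data() being NUL-terminated, since strlen reads until it finds a terminator; OpenSSL's ASN1_STRING_set() does terminate the buffers it allocates as far as I recall, but a one-line comment recording that assumption would spare the next reader the same check. asn1_time_to_time_t begins outside the hunk.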
@@ -765,13 +765,13 @@ static int add_oid_section(struct php_x509_request * req TSRMLS_DC) /* {{{ */
 req->config_filename, req->var, req->req_config TSRMLS_CC) == FAILURE) return FAILURE
 
 #define SET_OPTIONAL_STRING_ARG(key, varname, defval) \
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) \
 varname = Z_STRVAL_PP(item); \
 else \
 varname = defval
 
 #define SET_OPTIONAL_LONG_ARG(key, varname, defval) \
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS) \
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), key, sizeof(key), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_LONG) \
 varname = Z_LVAL_PP(item); \
 else \
 varname = defval
@@ -813,7 +813,7 @@ static int php_openssl_parse_config(struct php_x509_request * req, zval * option
 
 SET_OPTIONAL_LONG_ARG("private_key_type", req->priv_key_type, OPENSSL_KEYTYPE_DEFAULT);
 
- if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS) {
+ if (optional_args && zend_hash_find(Z_ARRVAL_P(optional_args), "encrypt_key", sizeof("encrypt_key"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_BOOL) {
 req->priv_key_encrypt = Z_BVAL_PP(item);
 } else {
 str = CONF_get_string(req->req_config, req->section_name, "encrypt_rsa_key");
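Review bot: The new guards change what the two macros mean — an entry that is present but of the wrong type now falls through to `defval` exactly as if the key were absent — and neither definition says so, although every SET_OPTIONAL_* call site (outside this hunk) inherits that contract. Document it on the macros themselves, e.g. above SET_OPTIONAL_STRING_ARG: `/* Key missing or value not a string: use defval, no conversion, no warning. */`, and the IS_LONG counterpart above SET_OPTIONAL_LONG_ARG, so a reader of a call site knows that a numeric string handed to a long option is discarded rather than converted. The same quiet fallback occurs in the com_com.c hunk and the openssl.c hunks at 813, 1889 and 1967.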
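Review bot: The IS_BOOL guard makes `encrypt_key` stricter than the neighbouring options in a way callers will not expect: an int 0/1 or a string is no longer honoured, and the `else` branch does not fall back to a constant but to the config file's `encrypt_rsa_key` setting, so a caller who passed a falsy non-bool to disable encryption can end up with the opposite result. If PHP-style truthiness is the intent, `req->priv_key_encrypt = zend_is_true(*item);` under the original `== SUCCESS` test reads every scalar safely; if strictness is the intent, a warning on the type mismatch would at least make the flip visible. php_openssl_parse_config starts and ends outside the hunk.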
@@ -1889,7 +1889,7 @@ PHP_FUNCTION(openssl_pkcs12_export_to_file)
 }
 
 /* parse extra config from args array, promote this to an extra function */
- if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+ if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
 friendly_name = Z_STRVAL_PP(item);
 /* certpbe (default RC2-40)
 keypbe (default 3DES)
@@ -1967,7 +1967,7 @@ PHP_FUNCTION(openssl_pkcs12_export)
 }
 
 /* parse extra config from args array, promote this to an extra function */
- if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS)
+ if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING)
 friendly_name = Z_STRVAL_PP(item);
 
 if (args && zend_hash_find(Z_ARRVAL_P(args), "extracerts", sizeof("extracerts"), (void**)&item) == SUCCESS)
diff --git a/ext/openssl/tests/026.phpt b/ext/openssl/tests/026.phpt
new file mode 100644
index 0000000000..38d626d742
--- /dev/null
+++ b/ext/openssl/tests/026.phpt
@@ -0,0 +1,12 @@
+--TEST-- Options type checks +--SKIPIF-- + +--FILE-- + "DE"], $x, ["x509_extensions" => 0xDEADBEEF]); +?> +DONE +--EXPECT-- +DONE
diff --git a/ext/session/session.c b/ext/session/session.c
index 5374db0b60..c659d2ccee 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
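Review bot: The type guard is now duplicated verbatim between this hunk and the one at 1967, directly under a comment that already asks to `promote this to an extra function`; this fix is the natural moment to do that, so the next check is not added to one copy and forgotten in the other. A small static helper returning the string or NULL replaces both `if`/assignment pairs; the callers would then write `friendly_name = php_openssl_pkcs12_friendly_name(args);`, which is equivalent provided friendly_name is initialised to NULL before this point (its declaration is outside both hunks — please confirm).
```c
/* Return the "friendly_name" entry of args when it is a string, else NULL. */
static char *php_openssl_pkcs12_friendly_name(zval *args)
{
	zval **item;

	if (args && zend_hash_find(Z_ARRVAL_P(args), "friendly_name", sizeof("friendly_name"), (void**)&item) == SUCCESS && Z_TYPE_PP(item) == IS_STRING) {
		return Z_STRVAL_PP(item);
	}
	return NULL;
}
/* … unchanged: both call sites become friendly_name = php_openssl_pkcs12_friendly_name(args); … */
```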
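Review bot: The `extracerts` lookup on the hunk's last line stays unguarded while `friendly_name` two lines above it gains a type check, so whatever consumes `item` after it (outside the hunk) still receives a zval of any type. If that consumer does not itself branch on Z_TYPE_PP(item), the same pattern belongs here — `... == SUCCESS && Z_TYPE_PP(item) == IS_ARRAY)` — and if it does, a short comment saying so would stop the next reader from flagging the asymmetry. openssl_pkcs12_export continues past the hunk.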
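Review bot: The new test drives only the IS_STRING macro path (`"x509_extensions" => 0xDEADBEEF`, an int where a string is expected) and asserts nothing beyond reaching `DONE`; the IS_LONG, IS_BOOL, `friendly_name` and session.c guards added by the same commit get no coverage here. A second call passing a string for a long-typed option and a non-bool for `encrypt_key`, with a `var_dump` of the result in `--EXPECT--`, would pin the documented fallback rather than just "does not crash". Parts of this file appear garbled in this rendering (the PHP open/close tags are missing), so its exact content may differ from what is visible.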
@@ -362,7 +362,8 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
 
 if (zend_hash_find(&EG(symbol_table), "_SERVER", sizeof("_SERVER"), (void **) &array) == SUCCESS &&
 Z_TYPE_PP(array) == IS_ARRAY &&
- zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS
+ zend_hash_find(Z_ARRVAL_PP(array), "REMOTE_ADDR", sizeof("REMOTE_ADDR"), (void **) &token) == SUCCESS &&
+ Z_TYPE_PP(token) == IS_STRING
 ) {
 remote_addr = Z_STRVAL_PP(token);
 }
--
2.40.0
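Review bot: The guard deserves a comment explaining why it is needed, because a reader will assume REMOTE_ADDR is always the string the SAPI populated: `_SERVER` is looked up in EG(symbol_table), the script's global scope, so userland code can have reassigned `$_SERVER['REMOTE_ADDR']` to any type before the session id is generated. Something like `/* $_SERVER is script-writable: REMOTE_ADDR may be missing or not a string */` above the `if` would do. With the guard a non-string leaves remote_addr untouched; its initialization and use are outside the hunk and presumably already cover the absent-key case the same way — worth confirming.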