mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-12-18 22:41:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-7.4'

Browse Source 
* PHP-7.4:
  Update NEWS
  Fix bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`)
  Fix #79099: OOB read in php_strip_tags_ex
  Fix #79091: heap use-after-free in session_create_id()
This commit is contained in:
Stanislav Malyshev 2020-01-20 22:47:28 -08:00
commit 545f77d313
6 changed files with 115 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
ext/mbstring/libmbfl/filters/mbfilter_big5.c
View File

@ -145,10 +145,10 @@ static unsigned short cp950_pua_tbl[][4] = {
static inline int is_in_cp950_pua(int c1, int c) {
if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) ||
(c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) {
return (c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff);
return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe);
}
if (c1 == 0xc6) {
return c > 0xa0 && c < 0xff;
return c >= 0xa1 && c <= 0xfe;
}
return 0;
}

10
ext/mbstring/tests/bug79037.phpt Normal file
View File

@ -0,0 +1,10 @@
--TEST--
Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar`
--FILE--
<?php
var_dump(mb_convert_encoding("\x81\x3a", "UTF-8", "CP950"));
?>
--EXPECT--
string(1) "?"

1
ext/session/session.c
View File

@ -2295,6 +2295,7 @@ static PHP_FUNCTION(session_create_id)
/* Detect collision and retry */
if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) {
zend_string_release_ex(new_id, 0);
new_id = NULL;
continue;
}
break;

67
ext/session/tests/bug79091.phpt Normal file
View File

@ -0,0 +1,67 @@
--TEST--
Bug #79091 (heap use-after-free in session_create_id())
--SKIPIF--
<?php
if (!extension_loaded('session')) die('skip session extension not available');
?>
--FILE--
<?php
class MySessionHandler implements SessionHandlerInterface, SessionIdInterface, SessionUpdateTimestampHandlerInterface
{
public function close()
{
return true;
}
public function destroy($session_id)
{
return true;
}
public function gc($maxlifetime)
{
return true;
}
public function open($save_path, $session_name)
{
return true;
}
public function read($session_id)
{
return '';
}
public function write($session_id, $session_data)
{
return true;
}
public function create_sid()
{
return uniqid();
}
public function updateTimestamp($key, $val)
{
return true;
}
public function validateId($key)
{
return false;
}
}
ob_start();
var_dump(session_set_save_handler(new MySessionHandler()));
var_dump(session_start());
ob_flush();
session_create_id();
?>
--EXPECTF--
bool(true)
bool(true)
Warning: session_create_id(): Failed to create new ID in %s on line %d

6
ext/standard/string.c
View File

@ -5006,7 +5006,7 @@ state_1:
}
lc = '>';
if (is_xml && *(p -1) == '-') {
if (is_xml && p >= buf + 1 && *(p -1) == '-') {
break;
}
in_q = state = is_xml = 0;
@ -5038,7 +5038,7 @@ state_1:
goto reg_char_1;
case '!':
/* JavaScript & Other HTML scripting languages */
if (*(p-1) == '<') {
if (p >= buf + 1 && *(p-1) == '<') {
state = 3;
lc = c;
p++;
@ -5048,7 +5048,7 @@ state_1:
}
break;
case '?':
if (*(p-1) == '<') {
if (p >= buf + 1 && *(p-1) == '<') {
br=0;
state = 2;
p++;

32
ext/standard/tests/file/bug79099.phpt Normal file
View File

@ -0,0 +1,32 @@
--TEST--
Bug #79099 (OOB read in php_strip_tags_ex)
--FILE--
<?php
$stream = fopen('php://memory', 'w+');
fputs($stream, "<?\n\"\n");
rewind($stream);
var_dump(@fgetss($stream));
var_dump(@fgetss($stream));
fclose($stream);
$stream = fopen('php://memory', 'w+');
fputs($stream, "<\0\n!\n");
rewind($stream);
var_dump(@fgetss($stream));
var_dump(@fgetss($stream));
fclose($stream);
$stream = fopen('php://memory', 'w+');
fputs($stream, "<\0\n?\n");
rewind($stream);
var_dump(@fgetss($stream));
var_dump(@fgetss($stream));
fclose($stream);
?>
--EXPECT--
string(0) ""
string(0) ""
string(0) ""
string(0) ""
string(0) ""
string(0) ""