Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2: Fix bug #77418 - Heap overflow in utf32be_mbc_to_code Add NEWS [ci skip] Add NEWS Fix more issues with encodilng length Fix #77270: imagecolormatch Out Of Bounds Write on Heap Fix bug #77380 (Global out of bounds read in xmlrpc base64 code) Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) Fix bug #77370 - check that we do not read past buffer end when parsing multibytes Fix #77269: Potential unsigned underflow in gdImageScale Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) Regenerate certs for openssl tests
2024-11-24 10:24:11 +08:00 · 2019-01-06 23:34:46 -08:00 · 2019-01-06 23:34:46 -08:00 · aeec40cb50
commit aeec40cb50
parent 7ed3cfb2e8 cfe77ea543
6 changed files with 22 additions and 2 deletions
--- a/1
+++ b/1
@ -34,6 +34,7 @@ PHP                                                                        NEWS
    expand_case_fold_string). (Stas)
  . Fixed bug #77385 (buffer overflow in fetch_token). (Stas)
  . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas)
+  . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas)

 - MySQLnd:
  . Fixed bug #75684 (In mysqlnd_ext_plugin.h the plugin methods family has
--- a/ext/mbstring/oniguruma/src/utf16_be.c
+++ b/ext/mbstring/oniguruma/src/utf16_be.c
@ -128,16 +128,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end)
 }

 static OnigCodePoint
-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16be_mbc_to_code(const UChar* p, const UChar* end)
 {
  OnigCodePoint code;

  if (UTF16_IS_SURROGATE_FIRST(*p)) {
+    if (end - p < 4) return 0;
    code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
         + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
         + p[3];
  }
  else {
+    if (end - p < 2) return 0;
    code = p[0] * 256 + p[1];
  }
  return code;
--- a/ext/mbstring/oniguruma/src/utf16_le.c
+++ b/ext/mbstring/oniguruma/src/utf16_le.c
@ -141,13 +141,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end)
 }

 static OnigCodePoint
-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16le_mbc_to_code(const UChar* p, const UChar* end)
 {
  OnigCodePoint code;
  UChar c0 = *p;
  UChar c1 = *(p+1);

  if (UTF16_IS_SURROGATE_FIRST(c1)) {
+    if (end - p < 4) return 0;
    code = ((((c1 - 0xd8) << 2) + ((c0  & 0xc0) >> 6) + 1) << 16)
         + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
         + p[2];
--- a/ext/mbstring/oniguruma/src/utf32_be.c
+++ b/ext/mbstring/oniguruma/src/utf32_be.c
@ -67,6 +67,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
 static OnigCodePoint
 utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+  if (end - p < 4) return 0;
  return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
 }

--- a/ext/mbstring/oniguruma/src/utf32_le.c
+++ b/ext/mbstring/oniguruma/src/utf32_le.c
@ -67,6 +67,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end)
 static OnigCodePoint
 utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+  if (end - p < 4) return 0;
  return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
 }

--- a/ext/mbstring/tests/bug77418.phpt
+++ b/ext/mbstring/tests/bug77418.phpt
@ -0,0 +1,14 @@
+--TEST--
+Bug #77371 (Heap overflow in utf32be_mbc_to_code)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+mb_regex_encoding("UTF-32");
+var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(30) "000000000000000000000000000000"
+}