mirrors/php-src
0
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2024-11-23 18:04:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix in-place modification of filename in php_message_handler_for_zend

Browse Source 
php_strip_url_passwd modifies url in-place. We cannot assume from
php_message_handler_for_zend that data is a temporary, modifiable string.

Fixes oss-fuzz #64209
Closes GH-12733
This commit is contained in:
Ilija Tovilo 2023-11-20 12:37:32 +01:00 committed by Ben Ramsey
parent 1fdcfa4ebe
commit daa38dd63e
No known key found for this signature in database
GPG Key ID: F9C39DC0B9698544
3 changed files with 30 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
NEWS
View File

@ -5,6 +5,8 @@ PHP NEWS
- Core:
. Fixed oss-fuzz #54325 (Use-after-free of name in var-var with malicious
error handler). (ilutov)
. Fixed oss-fuzz #64209 (In-place modification of filename in
php_message_handler_for_zend). (ilutov)
- DOM:
. Fixed bug GH-12616 (DOM: Removing XMLNS namespace node results in invalid

13
Zend/tests/oss_fuzz_64209.phpt Normal file
View File

@ -0,0 +1,13 @@
--TEST--
oss-fuzz #64209: Fix in-place modification of filename in php_message_handler_for_zend
--FILE--
<?php
require '://@';
?>
--EXPECTF--
Warning: require(://@): Failed to open stream: No such file or directory in %s on line %d
Fatal error: Uncaught Error: Failed opening required '://@' (include_path='%s') in %s:%d
Stack trace:
#0 {main}
thrown in %s on line %d

21
main/main.c
View File

@ -1585,15 +1585,24 @@ static void php_free_request_globals(void)
static ZEND_COLD void php_message_handler_for_zend(zend_long message, const void *data)
{
switch (message) {
case ZMSG_FAILED_INCLUDE_FOPEN:
php_error_docref("function.include", E_WARNING, "Failed opening '%s' for inclusion (include_path='%s')", php_strip_url_passwd((char *) data), STR_PRINT(PG(include_path)));
case ZMSG_FAILED_INCLUDE_FOPEN: {
char *tmp = estrdup((char *) data);
php_error_docref("function.include", E_WARNING, "Failed opening '%s' for inclusion (include_path='%s')", php_strip_url_passwd(tmp), STR_PRINT(PG(include_path)));
efree(tmp);
break;
case ZMSG_FAILED_REQUIRE_FOPEN:
zend_throw_error(NULL, "Failed opening required '%s' (include_path='%s')", php_strip_url_passwd((char *) data), STR_PRINT(PG(include_path)));
}
case ZMSG_FAILED_REQUIRE_FOPEN: {
char *tmp = estrdup((char *) data);
zend_throw_error(NULL, "Failed opening required '%s' (include_path='%s')", php_strip_url_passwd(tmp), STR_PRINT(PG(include_path)));
efree(tmp);
break;
case ZMSG_FAILED_HIGHLIGHT_FOPEN:
php_error_docref(NULL, E_WARNING, "Failed opening '%s' for highlighting", php_strip_url_passwd((char *) data));
}
case ZMSG_FAILED_HIGHLIGHT_FOPEN: {
char *tmp = estrdup((char *) data);
php_error_docref(NULL, E_WARNING, "Failed opening '%s' for highlighting", php_strip_url_passwd(tmp));
efree(tmp);
break;
}
case ZMSG_MEMORY_LEAK_DETECTED:
case ZMSG_MEMORY_LEAK_REPEATED:
#if ZEND_DEBUG