archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge remote-tracking branch 'phpsec/PHP-5.6.28' into PHP-5.6

Browse source
This commit is contained in:
Anatol Belski 2016-11-08 11:06:52 +01:00
commit 33766347cb
13 changed files with 137 additions and 83 deletions
Download patch file Download diff file Expand all files Collapse all files

53
ext/gd/libgd/gd.c
View file

@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
}
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
@ -1301,55 +1301,10 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
long x, y, inc, frac;
long dx, dy,tmp;
if (y1 < 0 && y2 < 0) {
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
if (y1 < 0) {
x1 += (y1 * (x1 - x2)) / (y2 - y1);
y1 = 0;
}
if (y2 < 0) {
x2 += (y2 * (x1 - x2)) / (y2 - y1);
y2 = 0;
}
/* bottom edge */
if (y1 >= im->sy && y2 >= im->sy) {
return;
}
if (y1 >= im->sy) {
x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
y1 = im->sy - 1;
}
if (y2 >= im->sy) {
x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
y2 = im->sy - 1;
}
/* left edge */
if (x1 < 0 && x2 < 0) {
return;
}
if (x1 < 0) {
y1 += (x1 * (y1 - y2)) / (x2 - x1);
x1 = 0;
}
if (x2 < 0) {
y2 += (x2 * (y1 - y2)) / (x2 - x1);
x2 = 0;
}
/* right edge */
if (x1 >= im->sx && x2 >= im->sx) {
return;
}
if (x1 >= im->sx) {
y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
x1 = im->sx - 1;
}
if (x2 >= im->sx) {
y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
x2 = im->sx - 1;
}
dx = x2 - x1;
dy = y2 - y1;
@ -1792,7 +1747,7 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
int leftLimit = -1, rightLimit;
int i, restoreAlphaBlending = 0;
if (border < 0) {
if (border < 0 || color < 0) {
/* Refuse to fill to a non-solid border */
return;
}

19
ext/gd/tests/bug72482.phpt Normal file
View file

@ -0,0 +1,19 @@
--TEST--
Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
$img = imagecreatetruecolor(13, 1007);
imageantialias($img, true);
imageline($img, 0, 0, 1073745919, 1073745919, 4096);
$img = imagecreatetruecolor(100, 100);
imageantialias($img, true);
imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
?>
===DONE===
--EXPECT--
===DONE===

21
ext/gd/tests/bug72482_2.phpt Normal file
View file

@ -0,0 +1,21 @@
--TEST--
Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
$im = imagecreatetruecolor(10, 10);
imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
imageantialias($im, true);
imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
?>
===DONE===
--EXPECT--
The images are equal.
===DONE===

BIN
ext/gd/tests/bug72482_2.png Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 118 B

14
ext/gd/tests/bug72696.phpt Normal file
View file

@ -0,0 +1,14 @@
--TEST--
Bug #72696 (imagefilltoborder stackoverflow on truecolor images)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
$im = imagecreatetruecolor(10, 10);
imagefilltoborder($im, 0, 0, 1, -2);
?>
===DONE===
--EXPECT--
===DONE===

2
ext/imap/php_imap.c
View file

@ -3900,7 +3900,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
char *tsm_errmsg = NULL;
ADDRESS *addr;
char *bufferTo = NULL, *bufferCc = NULL, *bufferBcc = NULL, *bufferHeader = NULL;
int offset, bufferLen = 0;
size_t offset, bufferLen = 0;
size_t bt_len;
if (headers) {

1
ext/pdo/pdo_stmt.c
View file

@ -2338,6 +2338,7 @@ void pdo_stmt_init(TSRMLS_D)
pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */
pdo_row_ce->create_object = pdo_row_new;
pdo_row_ce->serialize = pdo_row_serialize;
pdo_row_ce->unserialize = zend_class_unserialize_deny;
}
static void free_statement(pdo_stmt_t *stmt TSRMLS_DC)

2
ext/spl/spl_array.c
View file

@ -1812,7 +1812,7 @@ SPL_METHOD(Array, unserialize)
ALLOC_INIT_ZVAL(intern->array);
if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
|| (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
zval_ptr_dtor(&intern->array);
// zval_ptr_dtor(&intern->array);
goto outexcept;
}
var_push_dtor(&var_hash, &intern->array);

24
ext/standard/tests/serialize/bug73341.phpt Normal file
View file

@ -0,0 +1,24 @@
--TEST--
Bug #73144 (Use-afte-free in ArrayObject Deserialization)
--FILE--
<?php
try {
$token = 'a:2:{i:0;O:1:"0":2:0s:1:"0";i:0;s:1:"0";a:1:{i:0;C:11:"ArrayObject":7:0x:i:0;r0';
$obj = unserialize($token);
} catch(Exception $e) {
echo $e->getMessage()."\n";
}
try {
$inner = 'x:i:1;O:8:"stdClass":1:{};m:a:0:{}';
$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
unserialize($exploit);
} catch(Exception $e) {
echo $e->getMessage()."\n";
}
?>
--EXPECTF--
Error at offset 6 of 7 bytes
Notice: ArrayObject::unserialize(): Unexpected end of serialized data in %sbug73341.php on line %d
Error at offset 24 of 34 bytes

4
ext/wddx/tests/bug45901.phpt
View file

@ -14,5 +14,7 @@ echo wddx_serialize_value($xml, 'Variables') . "\n";
echo "DONE";
?>
--EXPECTF--
<wddxPacket version='1.0'><header><comment>Variables</comment></header><data><struct><var name='php_class_name'><string>SimpleXMLElement</string></var><var name='test'><struct><var name='php_class_name'><string>SimpleXMLElement</string></var></struct></var></struct></data></wddxPacket>
Warning: wddx_serialize_value(): Class SimpleXMLElement can not be serialized in %sbug45901.php on line %d
<wddxPacket version='1.0'><header><comment>Variables</comment></header><data></data></wddxPacket>
DONE

2
ext/wddx/tests/bug72790.phpt
View file

@ -1,5 +1,5 @@
--TEST--
Bug 72790: wddx_deserialize null dereference with invalid xml
Bug #72790: wddx_deserialize null dereference with invalid xml
--SKIPIF--
<?php
if (!extension_loaded('wddx')) {

15
ext/wddx/tests/bug73331.phpt Normal file
View file

@ -0,0 +1,15 @@
--TEST--
Bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization with PDORow)
--SKIPIF--
<?php if (!extension_loaded("wddx") || !extension_loaded("pdo")) print "skip"; ?>
--FILE--
<?php
$wddx = "<wddxPacket version='1.0'><header/><data><struct><var name='php_class_name'><string>PDORow</string></var></struct></data></wddxPacket>";
var_dump(wddx_deserialize($wddx));
?>
--EXPECTF--
Warning: wddx_deserialize(): Class pdorow can not be unserialized in %s73331.php on line %d
NULL

63
ext/wddx/wddx.c
View file

@ -471,21 +471,26 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj)
ulong idx;
char tmp_buf[WDDX_BUF_LEN];
HashTable *objhash, *sleephash;
zend_class_entry *ce;
PHP_CLASS_ATTRIBUTES;
TSRMLS_FETCH();
PHP_SET_CLASS_ATTRIBUTES(obj);
ce = Z_OBJCE_P(obj);
if (!ce || ce->serialize || ce->unserialize) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be serialized", class_name);
PHP_CLEANUP_CLASS_ATTRIBUTES();
return;
}
MAKE_STD_ZVAL(fname);
ZVAL_STRING(fname, "__sleep", 1);
/*
* We try to call __sleep() method on object. It's supposed to return an
* array of property names to be serialized.
*/
if (call_user_function_ex(CG(function_table), &obj, fname, &retval, 0, 0, 1, NULL TSRMLS_CC) == SUCCESS) {
if (retval && (sleephash = HASH_OF(retval))) {
PHP_CLASS_ATTRIBUTES;
PHP_SET_CLASS_ATTRIBUTES(obj);
php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
php_wddx_add_chunk(packet, tmp_buf);
@ -494,8 +499,6 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj)
php_wddx_add_chunk_static(packet, WDDX_STRING_E);
php_wddx_add_chunk_static(packet, WDDX_VAR_E);
PHP_CLEANUP_CLASS_ATTRIBUTES();
objhash = HASH_OF(obj);
for (zend_hash_internal_pointer_reset(sleephash);
@ -516,10 +519,6 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj)
} else {
uint key_len;
PHP_CLASS_ATTRIBUTES;
PHP_SET_CLASS_ATTRIBUTES(obj);
php_wddx_add_chunk_static(packet, WDDX_STRUCT_S);
snprintf(tmp_buf, WDDX_BUF_LEN, WDDX_VAR_S, PHP_CLASS_NAME_VAR);
php_wddx_add_chunk(packet, tmp_buf);
@ -528,8 +527,6 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj)
php_wddx_add_chunk_static(packet, WDDX_STRING_E);
php_wddx_add_chunk_static(packet, WDDX_VAR_E);
PHP_CLEANUP_CLASS_ATTRIBUTES();
objhash = HASH_OF(obj);
for (zend_hash_internal_pointer_reset(objhash);
zend_hash_get_current_data(objhash, (void**)&ent) == SUCCESS;
@ -551,6 +548,8 @@ static void php_wddx_serialize_object(wddx_packet *packet, zval *obj)
php_wddx_add_chunk_static(packet, WDDX_STRUCT_E);
}
PHP_CLEANUP_CLASS_ATTRIBUTES();
zval_dtor(fname);
FREE_ZVAL(fname);
@ -1012,26 +1011,30 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
pce = &PHP_IC_ENTRY;
}
/* Initialize target object */
MAKE_STD_ZVAL(obj);
object_init_ex(obj, *pce);
if (pce != &PHP_IC_ENTRY && ((*pce)->serialize || (*pce)->unserialize)) {
ent2->data = NULL;
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Class %s can not be unserialized", Z_STRVAL_P(ent1->data));
} else {
/* Initialize target object */
MAKE_STD_ZVAL(obj);
object_init_ex(obj, *pce);
/* Merge current hashtable with object's default properties */
zend_hash_merge(Z_OBJPROP_P(obj),
Z_ARRVAL_P(ent2->data),
(void (*)(void *)) zval_add_ref,
(void *) &tmp, sizeof(zval *), 0);
/* Merge current hashtable with object's default properties */
zend_hash_merge(Z_OBJPROP_P(obj),
Z_ARRVAL_P(ent2->data),
(void (*)(void *)) zval_add_ref,
(void *) &tmp, sizeof(zval *), 0);
if (incomplete_class) {
php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
if (incomplete_class) {
php_store_class_name(obj, Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data));
}
/* Clean up old array entry */
zval_ptr_dtor(&ent2->data);
/* Set stack entry to point to the newly created object */
ent2->data = obj;
}
/* Clean up old array entry */
zval_ptr_dtor(&ent2->data);
/* Set stack entry to point to the newly created object */
ent2->data = obj;
/* Clean up class name var entry */
zval_ptr_dtor(&ent1->data);
} else if (Z_TYPE_P(ent2->data) == IS_OBJECT) {