archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-5.5' into PHP-5.6.23

Browse source 
* PHP-5.5:
  Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
  update NEWS
  fix tests
  fix build
  Fix bug #72455:  Heap Overflow due to integer overflows
  Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
  Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
  Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
  Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
  Fix bug #72298	pass2_no_dither out-of-bounds access
  Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
  Fix bug #72262 - do not overflow int
  Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
  Fix bug #72275: don't allow smart_str to overflow int
  Fix bug #72340: Double Free Courruption in wddx_deserialize
  update NEWS
  Fix #66387: Stack overflow with imagefilltoborder
  Skip test which is 64bits only
  5.5.37 now

Conflicts:
	configure.in
	ext/mcrypt/mcrypt.c
	ext/spl/spl_directory.c
	main/php_version.h
This commit is contained in:
Stanislav Malyshev 2016-06-21 00:01:48 -07:00
commit 7dde353ee7
21 changed files with 450 additions and 243 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Zend/tests/gc_024.phpt
View file

@ -13,5 +13,5 @@ var_dump(gc_collect_cycles());
echo "ok\n";
?>
--EXPECT--
int(1)
int(2)
ok

22
ext/gd/libgd/gd.c
View file

@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
return NULL;
}
if (overflow2(sizeof(unsigned char *), sx)) {
return NULL;
}
im = (gdImage *) gdCalloc(1, sizeof(gdImage));
/* Row-major ever since gd 1.3 */
@ -1098,12 +1102,12 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
int thick = im->thick;
if (color == gdAntiAliased) {
/*
/*
gdAntiAliased passed as color: use the much faster, much cheaper
and equally attractive gdImageAALine implementation. That
clips too, so don't clip twice.
*/
gdImageAALine(im, x1, y1, x2, y2, im->AA_color);
gdImageAALine(im, x1, y1, x2, y2, im->AA_color);
return;
}
@ -1886,7 +1890,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
return;
}
alphablending_bak = im->alphaBlendingFlag;
alphablending_bak = im->alphaBlendingFlag;
im->alphaBlendingFlag = 0;
if (nc==gdTiled){
@ -1898,7 +1902,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
wx2=im->sx;wy2=im->sy;
oc = gdImageGetPixel(im, x, y);
if (oc==nc || x<0 || x>wx2 || y<0 || y>wy2) {
im->alphaBlendingFlag = alphablending_bak;
im->alphaBlendingFlag = alphablending_bak;
return;
}
@ -1961,7 +1965,7 @@ skip: for (x++; x<=x2 && (gdImageGetPixel(im, x, y)!=oc); x++);
efree(stack);
done:
im->alphaBlendingFlag = alphablending_bak;
im->alphaBlendingFlag = alphablending_bak;
}
static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
@ -2069,7 +2073,7 @@ void gdImageRectangle (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
x1ul = x1 - half;
y1ul = y1 - half;
x2lr = x2 + half;
y2lr = y2 + half;
@ -2271,7 +2275,7 @@ void gdImageCopyMerge (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int s
int tox, toy;
int ncR, ncG, ncB;
toy = dstY;
for (y = srcY; y < (srcY + h); y++) {
tox = dstX;
for (x = srcX; x < (srcX + w); x++) {
@ -2368,7 +2372,7 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
int colorMap[gdMaxColors];
/* Stretch vectors */
int *stx, *sty;
if (overflow2(sizeof(int), srcW)) {
return;
}
@ -2913,7 +2917,7 @@ int gdAlphaBlend (int dst, int src) {
src_weight = gdAlphaTransparent - src_alpha;
dst_weight = (gdAlphaTransparent - dst_alpha) * src_alpha / gdAlphaMax;
tot_weight = src_weight + dst_weight;
/* -------------------------------------------------------------------- */
/* What red, green and blue result values will we use? */
/* -------------------------------------------------------------------- */

7
ext/gd/libgd/gd_gd2.c
View file

@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
if (gd2_compressed(*fmt)) {
nc = (*ncx) * (*ncy);
GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
if (overflow2(sizeof(t_chunk_info), nc)) {
goto fail1;
}
sidx = sizeof(t_chunk_info) * nc;
if (sidx <= 0) {
goto fail1;
}
cidx = gdCalloc(sidx, 1);
if (cidx == NULL) {
goto fail1;
}
for (i = 0; i < nc; i++) {
if (gdGetInt(&cidx[i].offset, in) != 1) {
gdFree(cidx);

3
ext/gd/libgd/gd_interpolation.c
View file

@ -1047,6 +1047,9 @@ static inline void _gdScaleVert (const gdImagePtr pSrc, const unsigned int src_w
}
contrib = _gdContributionsCalc(dst_height, src_height, (double)(dst_height) / (double)(src_height), pSrc->interpolation);
if (contrib == NULL) {
return;
}
/* scale each column */
for (u = 0; u < dst_width - 1; u++) {
_gdScaleCol(pSrc, src_width, pDst, dst_width, dst_height, u, contrib);

14
ext/gd/libgd/gd_topal.c
View file

@ -43,7 +43,7 @@
* If it is not working, it's not Thomas G. Lane's fault.
*/
/*
/*
SETTING THIS ONE CAUSES STRIPED IMAGE
to be done: solve this
#define ORIGINAL_LIB_JPEG_REVERSE_ODD_ROWS
@ -152,7 +152,7 @@
* color space, and repeatedly splits the "largest" remaining box until we
* have as many boxes as desired colors. Then the mean color in each
* remaining box becomes one of the possible output colors.
*
*
* The second pass over the image maps each input pixel to the closest output
* color (optionally after applying a Floyd-Steinberg dithering correction).
* This mapping is logically trivial, but making it go fast enough requires
@ -1320,16 +1320,16 @@ pass2_no_dither (j_decompress_ptr cinfo,
#else
r = gdTrueColorGetRed (*inptr);
g = gdTrueColorGetGreen (*inptr);
/*
/*
2.0.24: inptr must not be incremented until after
transparency check, if any. Thanks to "Super Pikeman."
transparency check, if any. Thanks to "Super Pikeman."
*/
b = gdTrueColorGetBlue (*inptr);
/* If the pixel is transparent, we assign it the palette index that
* will later be added at the end of the palette as the transparent
* index. */
if ((oim->transparent >= 0) && (oim->transparent == *(inptr - 1)))
if ((oim->transparent >= 0) && (oim->transparent == *inptr))
{
*outptr++ = nim->colorsTotal;
inptr++;
@ -1795,7 +1795,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
}
} else {
nim = oim;
}
}
if (!oim->trueColor)
{
/* (Almost) nothing to do! */
@ -2004,7 +2004,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
}
/* Success! Get rid of the truecolor image data. */
if (!cimP) {
if (!cimP) {
oim->trueColor = 0;
/* Junk the truecolor pixels */
for (i = 0; i < oim->sy; i++)

15
ext/gd/tests/bug72298.phpt Normal file
View file

@ -0,0 +1,15 @@
--TEST--
Bug #72298: pass2_no_dither out-of-bounds access
--SKIPIF--
<?php
if (!extension_loaded('gd')) die("skip gd extension not available\n");
?>
--FILE--
<?php
$img = imagecreatetruecolor (1 , 1);
imagecolortransparent($img, 0);
imagetruecolortopalette($img, false, 4);
?>
DONE
--EXPECT--
DONE

BIN
ext/gd/tests/bug72339.gd Normal file
View file

Binary file not shown.

11
ext/gd/tests/bug72339.phpt Normal file
View file

@ -0,0 +1,11 @@
--TEST--
Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
--SKIPIF--
<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
--FILE--
<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
--EXPECTF--
Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
in %sbug72339.php on line %d
Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d

65
ext/mbstring/php_mbregex.c
View file

@ -32,7 +32,7 @@
#include "ext/standard/info.h"
#include "php_mbregex.h"
#include "mbstring.h"
#include "php_onig_compat.h" /* must come prior to the oniguruma header */
#include <oniguruma.h>
#undef UChar
@ -55,7 +55,7 @@ struct _zend_mb_regex_globals {
#define MBREX(g) (MBSTRG(mb_regex_globals)->g)
/* {{{ static void php_mb_regex_free_cache() */
static void php_mb_regex_free_cache(php_mb_regex_t **pre)
static void php_mb_regex_free_cache(php_mb_regex_t **pre)
{
onig_free(*pre);
}
@ -78,7 +78,7 @@ static int _php_mb_regex_globals_ctor(zend_mb_regex_globals *pglobals TSRMLS_DC)
/* }}} */
/* {{{ _php_mb_regex_globals_dtor */
static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC)
static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC)
{
zend_hash_destroy(&pglobals->ht_rc);
}
@ -466,7 +466,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
retval = *rc;
}
out:
return retval;
return retval;
}
/* }}} */
@ -483,7 +483,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
--len_left;
*(p++) = 'i';
}
++len_req;
++len_req;
}
if ((option & ONIG_OPTION_EXTEND) != 0) {
@ -491,7 +491,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
--len_left;
*(p++) = 'x';
}
++len_req;
++len_req;
}
if ((option & (ONIG_OPTION_MULTILINE | ONIG_OPTION_SINGLELINE)) ==
@ -500,14 +500,14 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
--len_left;
*(p++) = 'p';
}
++len_req;
++len_req;
} else {
if ((option & ONIG_OPTION_MULTILINE) != 0) {
if (len_left > 0) {
--len_left;
*(p++) = 'm';
}
++len_req;
++len_req;
}
if ((option & ONIG_OPTION_SINGLELINE) != 0) {
@ -515,22 +515,22 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
--len_left;
*(p++) = 's';
}
++len_req;
++len_req;
}
}
}
if ((option & ONIG_OPTION_FIND_LONGEST) != 0) {
if (len_left > 0) {
--len_left;
*(p++) = 'l';
}
++len_req;
++len_req;
}
if ((option & ONIG_OPTION_FIND_NOT_EMPTY) != 0) {
if (len_left > 0) {
--len_left;
*(p++) = 'n';
}
++len_req;
++len_req;
}
c = 0;
@ -566,7 +566,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
--len_left;
*(p++) = '\0';
}
++len_req;
++len_req;
if (len < len_req) {
return len_req;
}
@ -577,11 +577,11 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
/* {{{ _php_mb_regex_init_options */
static void
_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval)
_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval)
{
int n;
char c;
int optm = 0;
int optm = 0;
*syntax = ONIG_SYNTAX_RUBY;
@ -636,13 +636,13 @@ _php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, O
*syntax = ONIG_SYNTAX_POSIX_EXTENDED;
break;
case 'e':
if (eval != NULL) *eval = 1;
if (eval != NULL) *eval = 1;
break;
default:
break;
}
}
if (option != NULL) *option|=optm;
if (option != NULL) *option|=optm;
}
}
/* }}} */
@ -860,11 +860,11 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
} else {
/* FIXME: this code is not multibyte aware! */
convert_to_long_ex(arg_pattern_zval);
pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
pat_buf[1] = '\0';
arg_pattern = pat_buf;
arg_pattern_len = 1;
arg_pattern_len = 1;
}
/* create regex pattern buffer */
re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, options, MBREX(current_mbctype), syntax TSRMLS_CC);
@ -934,7 +934,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
}
}
}
if (eval) {
zval v;
/* null terminate buffer */
@ -953,32 +953,31 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
eval_buf.len = 0;
zval_dtor(&v);
} else if (is_callable) {
zval *retval_ptr;
zval *retval_ptr = NULL;
zval **args[1];
zval *subpats;
int i;
MAKE_STD_ZVAL(subpats);
array_init(subpats);
for (i = 0; i < regs->num_regs; i++) {
add_next_index_stringl(subpats, string + regs->beg[i], regs->end[i] - regs->beg[i], 1);
}
}
args[0] = &subpats;
/* null terminate buffer */
smart_str_0(&eval_buf);
arg_replace_fci.param_count = 1;
arg_replace_fci.params = args;
arg_replace_fci.retval_ptr_ptr = &retval_ptr;
if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) {
if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) {
convert_to_string_ex(&retval_ptr);
smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr));
eval_buf.len = 0;
zval_ptr_dtor(&retval_ptr);
} else {
efree(description);
if (!EG(exception)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function");
}
@ -991,7 +990,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
pos = (OnigUChar *)string + n;
} else {
if (pos < string_lim) {
smart_str_appendl(&out_buf, pos, 1);
smart_str_appendl(&out_buf, pos, 1);
}
pos++;
}
@ -1013,7 +1012,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
smart_str_free(&eval_buf);
if (err <= -2) {
smart_str_free(&out_buf);
smart_str_free(&out_buf);
RETVAL_FALSE;
} else {
smart_str_appendc(&out_buf, '\0');
@ -1063,7 +1062,7 @@ PHP_FUNCTION(mb_split)
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
RETURN_FALSE;
}
}
if (count > 0) {
count--;
@ -1317,7 +1316,7 @@ PHP_FUNCTION(mb_ereg_search_init)
if (zend_parse_parameters(argc TSRMLS_CC, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
return;
}
if (argc > 1 && arg_pattern_len == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty pattern");
RETURN_FALSE;
@ -1416,7 +1415,7 @@ PHP_FUNCTION(mb_ereg_search_setpos)
/* }}} */
/* {{{ php_mb_regex_set_options */
static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC)
static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC)
{
if (prev_options != NULL) {
*prev_options = MBREX(regex_default_options);

17
ext/mbstring/tests/bug72402.phpt Normal file
View file

@ -0,0 +1,17 @@
--TEST--
Bug #72402: _php_mb_regex_ereg_replace_exec - double free
--SKIPIF--
<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
--FILE--
<?php
function throwit() {
throw new Exception('it');
}
$var10 = "throwit";
try {
$var14 = mb_ereg_replace_callback("", $var10, "");
} catch(Exception $e) {}
?>
DONE
--EXPECT--
DONE

78
ext/mcrypt/mcrypt.c
View file

@ -45,7 +45,7 @@
static int le_mcrypt;
typedef struct _php_mcrypt {
typedef struct _php_mcrypt {
MCRYPT td;
zend_bool init;
} php_mcrypt;
@ -295,7 +295,7 @@ ZEND_DECLARE_MODULE_GLOBALS(mcrypt)
zend_module_entry mcrypt_module_entry = {
STANDARD_MODULE_HEADER,
"mcrypt",
"mcrypt",
mcrypt_functions,
PHP_MINIT(mcrypt), PHP_MSHUTDOWN(mcrypt),
NULL, NULL,
@ -343,7 +343,7 @@ typedef enum {
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r", &mcryptind) == FAILURE) { \
return; \
} \
ZEND_FETCH_RESOURCE (pm, php_mcrypt *, &mcryptind, -1, "MCrypt", le_mcrypt);
ZEND_FETCH_RESOURCE (pm, php_mcrypt *, &mcryptind, -1, "MCrypt", le_mcrypt);
#define MCRYPT_GET_MODE_DIR_ARGS(DIRECTORY) \
char *dir = NULL; \
@ -374,7 +374,7 @@ PHP_INI_END()
static void php_mcrypt_module_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC) /* {{{ */
{
php_mcrypt *pm = (php_mcrypt *) rsrc->ptr;
if (pm) {
if (pm) {
mcrypt_generic_deinit(pm->td);
mcrypt_module_close(pm->td);
efree(pm);
@ -517,7 +517,7 @@ PHP_MINFO_FUNCTION(mcrypt) /* {{{ */
smart_str_free(&tmp1);
smart_str_free(&tmp2);
php_info_print_table_end();
DISPLAY_INI_ENTRIES();
}
/* }}} */
@ -532,17 +532,17 @@ PHP_FUNCTION(mcrypt_module_open)
int mode_len, mode_dir_len;
MCRYPT td;
php_mcrypt *pm;
if (zend_parse_parameters (ZEND_NUM_ARGS() TSRMLS_CC, "ssss",
&cipher, &cipher_len, &cipher_dir, &cipher_dir_len,
&mode, &mode_len, &mode_dir, &mode_dir_len)) {
return;
}
td = mcrypt_module_open (
cipher,
cipher_dir_len > 0 ? cipher_dir : MCG(algorithms_dir),
mode,
mode,
mode_dir_len > 0 ? mode_dir : MCG(modes_dir)
);
@ -569,7 +569,7 @@ PHP_FUNCTION(mcrypt_generic_init)
int max_key_size, key_size, iv_size;
php_mcrypt *pm;
int result = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rss", &mcryptind, &key, &key_len, &iv, &iv_len) == FAILURE) {
return;
}
@ -648,7 +648,7 @@ PHP_FUNCTION(mcrypt_generic)
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &mcryptind, &data, &data_len) == FAILURE) {
return;
}
ZEND_FETCH_RESOURCE(pm, php_mcrypt *, &mcryptind, -1, "MCrypt", le_mcrypt);
PHP_MCRYPT_INIT_CHECK
@ -661,6 +661,10 @@ PHP_FUNCTION(mcrypt_generic)
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((data_len - 1) / block_size) + 1) * block_size;
if (data_size <= 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
RETURN_FALSE;
}
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
@ -670,7 +674,7 @@ PHP_FUNCTION(mcrypt_generic)
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
}
mcrypt_generic(pm->td, data_s, data_size);
data_s[data_size] = '\0';
@ -689,11 +693,11 @@ PHP_FUNCTION(mdecrypt_generic)
php_mcrypt *pm;
char* data_s;
int block_size, data_size;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &mcryptind, &data, &data_len) == FAILURE) {
return;
}
ZEND_FETCH_RESOURCE(pm, php_mcrypt * , &mcryptind, -1, "MCrypt", le_mcrypt);
PHP_MCRYPT_INIT_CHECK
@ -706,6 +710,10 @@ PHP_FUNCTION(mdecrypt_generic)
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((data_len - 1) / block_size) + 1) * block_size;
if (data_size <= 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
RETURN_FALSE;
}
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
@ -715,7 +723,7 @@ PHP_FUNCTION(mdecrypt_generic)
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
}
mdecrypt_generic(pm->td, data_s, data_size);
RETVAL_STRINGL(data_s, data_size, 1);
@ -729,7 +737,7 @@ PHP_FUNCTION(mcrypt_enc_get_supported_key_sizes)
{
int i, count = 0;
int *key_sizes;
MCRYPT_GET_TD_ARG
array_init(return_value);
@ -798,7 +806,7 @@ PHP_FUNCTION(mcrypt_enc_is_block_algorithm)
MCRYPT_GET_TD_ARG
if (mcrypt_enc_is_block_algorithm(pm->td) == 1) {
RETURN_TRUE
RETURN_TRUE
} else {
RETURN_FALSE
}
@ -877,7 +885,7 @@ PHP_FUNCTION(mcrypt_enc_get_modes_name)
PHP_FUNCTION(mcrypt_module_self_test)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir);
if (mcrypt_module_self_test(module, dir) == 0) {
RETURN_TRUE;
} else {
@ -891,7 +899,7 @@ PHP_FUNCTION(mcrypt_module_self_test)
PHP_FUNCTION(mcrypt_module_is_block_algorithm_mode)
{
MCRYPT_GET_MODE_DIR_ARGS(modes_dir)
if (mcrypt_module_is_block_algorithm_mode(module, dir) == 1) {
RETURN_TRUE;
} else {
@ -905,7 +913,7 @@ PHP_FUNCTION(mcrypt_module_is_block_algorithm_mode)
PHP_FUNCTION(mcrypt_module_is_block_algorithm)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir)
if (mcrypt_module_is_block_algorithm(module, dir) == 1) {
RETURN_TRUE;
} else {
@ -919,7 +927,7 @@ PHP_FUNCTION(mcrypt_module_is_block_algorithm)
PHP_FUNCTION(mcrypt_module_is_block_mode)
{
MCRYPT_GET_MODE_DIR_ARGS(modes_dir)
if (mcrypt_module_is_block_mode(module, dir) == 1) {
RETURN_TRUE;
} else {
@ -933,7 +941,7 @@ PHP_FUNCTION(mcrypt_module_is_block_mode)
PHP_FUNCTION(mcrypt_module_get_algo_block_size)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir)
RETURN_LONG(mcrypt_module_get_algo_block_size(module, dir));
}
/* }}} */
@ -943,7 +951,7 @@ PHP_FUNCTION(mcrypt_module_get_algo_block_size)
PHP_FUNCTION(mcrypt_module_get_algo_key_size)
{
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir);
RETURN_LONG(mcrypt_module_get_algo_key_size(module, dir));
}
/* }}} */
@ -954,7 +962,7 @@ PHP_FUNCTION(mcrypt_module_get_supported_key_sizes)
{
int i, count = 0;
int *key_sizes;
MCRYPT_GET_MODE_DIR_ARGS(algorithms_dir)
array_init(return_value);
@ -980,7 +988,7 @@ PHP_FUNCTION(mcrypt_list_algorithms)
&lib_dir, &lib_dir_len) == FAILURE) {
return;
}
array_init(return_value);
modules = mcrypt_list_algorithms(lib_dir, &count);
@ -1027,7 +1035,7 @@ PHP_FUNCTION(mcrypt_get_key_size)
{
char *cipher;
char *module;
int cipher_len, module_len;
int cipher_len, module_len;
char *cipher_dir_string;
char *module_dir_string;
MCRYPT td;
@ -1038,7 +1046,7 @@ PHP_FUNCTION(mcrypt_get_key_size)
&cipher, &cipher_len, &module, &module_len) == FAILURE) {
return;
}
td = mcrypt_module_open(cipher, cipher_dir_string, module, module_dir_string);
if (td != MCRYPT_FAILED) {
RETVAL_LONG(mcrypt_enc_get_key_size(td));
@ -1056,7 +1064,7 @@ PHP_FUNCTION(mcrypt_get_block_size)
{
char *cipher;
char *module;
int cipher_len, module_len;
int cipher_len, module_len;
char *cipher_dir_string;
char *module_dir_string;
MCRYPT td;
@ -1067,7 +1075,7 @@ PHP_FUNCTION(mcrypt_get_block_size)
&cipher, &cipher_len, &module, &module_len) == FAILURE) {
return;
}
td = mcrypt_module_open(cipher, cipher_dir_string, module, module_dir_string);
if (td != MCRYPT_FAILED) {
RETVAL_LONG(mcrypt_enc_get_block_size(td));
@ -1085,7 +1093,7 @@ PHP_FUNCTION(mcrypt_get_iv_size)
{
char *cipher;
char *module;
int cipher_len, module_len;
int cipher_len, module_len;
char *cipher_dir_string;
char *module_dir_string;
MCRYPT td;
@ -1096,7 +1104,7 @@ PHP_FUNCTION(mcrypt_get_iv_size)
&cipher, &cipher_len, &module, &module_len) == FAILURE) {
return;
}
td = mcrypt_module_open(cipher, cipher_dir_string, module, module_dir_string);
if (td != MCRYPT_FAILED) {
RETVAL_LONG(mcrypt_enc_get_iv_size(td));
@ -1360,7 +1368,7 @@ PHP_FUNCTION(mcrypt_ecb)
zval **mode;
char *cipher, *key, *data, *iv = NULL;
int cipher_len, key_len, data_len, iv_len = 0;
MCRYPT_GET_CRYPT_ARGS
convert_to_long_ex(mode);
@ -1392,7 +1400,7 @@ PHP_FUNCTION(mcrypt_cfb)
zval **mode;
char *cipher, *key, *data, *iv = NULL;
int cipher_len, key_len, data_len, iv_len = 0;
MCRYPT_GET_CRYPT_ARGS
convert_to_long_ex(mode);
@ -1408,7 +1416,7 @@ PHP_FUNCTION(mcrypt_ofb)
zval **mode;
char *cipher, *key, *data, *iv = NULL;
int cipher_len, key_len, data_len, iv_len = 0;
MCRYPT_GET_CRYPT_ARGS
convert_to_long_ex(mode);
@ -1434,9 +1442,9 @@ PHP_FUNCTION(mcrypt_create_iv)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot create an IV with a size of less than 1 or greater than %d", INT_MAX);
RETURN_FALSE;
}
iv = ecalloc(size + 1, 1);
if (source == RANDOM || source == URANDOM) {
#if PHP_WIN32
/* random/urandom equivalent on Windows */

11
ext/spl/spl_array.c
View file

@ -846,6 +846,16 @@ static HashTable* spl_array_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /*
}
/* }}} */
static HashTable *spl_array_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
{
spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
*gc_data = &intern->array;
*gc_data_count = 1;
return zend_std_get_properties(object TSRMLS_CC);
}
/* }}} */
static zval *spl_array_read_property(zval *object, zval *member, int type, const zend_literal *key TSRMLS_DC) /* {{{ */
{
spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
@ -1975,6 +1985,7 @@ PHP_MINIT_FUNCTION(spl_array)
spl_handler_ArrayObject.get_properties = spl_array_get_properties;
spl_handler_ArrayObject.get_debug_info = spl_array_get_debug_info;
spl_handler_ArrayObject.get_gc = spl_array_get_gc;
spl_handler_ArrayObject.read_property = spl_array_read_property;
spl_handler_ArrayObject.write_property = spl_array_write_property;
spl_handler_ArrayObject.get_property_ptr_ptr = spl_array_get_property_ptr_ptr;

208
ext/spl/spl_directory.c
View file

@ -79,9 +79,9 @@ static void spl_filesystem_object_free_storage(void *object TSRMLS_DC) /* {{{ */
if (intern->oth_handler && intern->oth_handler->dtor) {
intern->oth_handler->dtor(intern TSRMLS_CC);
}
zend_object_std_dtor(&intern->std TSRMLS_CC);
if (intern->_path) {
efree(intern->_path);
}
@ -98,7 +98,7 @@ static void spl_filesystem_object_free_storage(void *object TSRMLS_DC) /* {{{ */
}
if (intern->u.dir.sub_path) {
efree(intern->u.dir.sub_path);
}
}
break;
case SPL_FS_FILE:
if (intern->u.file.stream) {
@ -134,13 +134,13 @@ static void spl_filesystem_object_free_storage(void *object TSRMLS_DC) /* {{{ */
} /* }}} */
/* {{{ spl_ce_dir_object_new */
/* creates the object by
- allocating memory
/* creates the object by
- allocating memory
- initializing the object members
- storing the object
- setting it's handlers
called from
called from
- clone
- new
*/
@ -313,7 +313,7 @@ static int spl_filesystem_file_open(spl_filesystem_object *intern, int use_inclu
/* avoid reference counting in debug mode, thus do it manually */
ZVAL_RESOURCE(&intern->u.file.zresource, php_stream_get_resource_id(intern->u.file.stream));
Z_SET_REFCOUNT(intern->u.file.zresource, 1);
intern->u.file.delimiter = ',';
intern->u.file.enclosure = '"';
intern->u.file.escape = '\\';
@ -325,7 +325,7 @@ static int spl_filesystem_file_open(spl_filesystem_object *intern, int use_inclu
/* {{{ spl_filesystem_object_clone */
/* Local zend_object_value creation (on stack)
Load the 'other' object
Load the 'other' object
Create a new empty object (See spl_filesystem_object_new_ex)
Open the directory
Clone other members (properties)
@ -370,7 +370,7 @@ static zend_object_value spl_filesystem_object_clone(zval *zobject TSRMLS_DC)
php_error_docref(NULL TSRMLS_CC, E_ERROR, "An object of class %s cannot be cloned", old_object->ce->name);
break;
}
intern->file_class = source->file_class;
intern->info_class = source->info_class;
intern->oth = source->oth;
@ -389,7 +389,7 @@ static zend_object_value spl_filesystem_object_clone(zval *zobject TSRMLS_DC)
void spl_filesystem_info_set_filename(spl_filesystem_object *intern, char *path, int len, int use_copy TSRMLS_DC) /* {{{ */
{
char *p1, *p2;
if (intern->file_name) {
efree(intern->file_name);
}
@ -413,7 +413,7 @@ void spl_filesystem_info_set_filename(spl_filesystem_object *intern, char *path,
} else {
intern->_path_len = 0;
}
if (intern->_path) {
efree(intern->_path);
}
@ -459,7 +459,7 @@ static spl_filesystem_object * spl_filesystem_object_create_info(spl_filesystem_
} else {
spl_filesystem_info_set_filename(intern, file_path, file_path_len, use_copy TSRMLS_CC);
}
zend_restore_error_handling(&error_handling TSRMLS_CC);
return intern;
} /* }}} */
@ -514,7 +514,7 @@ static spl_filesystem_object * spl_filesystem_object_create_type(int ht, spl_fil
return_value->value.obj = spl_filesystem_object_new_ex(ce, &intern TSRMLS_CC);
Z_TYPE_P(return_value) = IS_OBJECT;
spl_filesystem_object_get_file_name(source TSRMLS_CC);
if (ce->constructor->common.scope != spl_ce_SplFileObject) {
@ -530,12 +530,12 @@ static spl_filesystem_object * spl_filesystem_object_create_type(int ht, spl_fil
intern->file_name_len = source->file_name_len;
intern->_path = spl_filesystem_object_get_path(source, &intern->_path_len TSRMLS_CC);
intern->_path = estrndup(intern->_path, intern->_path_len);
intern->u.file.open_mode = "r";
intern->u.file.open_mode_len = 1;
if (ht && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sbr",
&intern->u.file.open_mode, &intern->u.file.open_mode_len,
if (ht && zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sbr",
&intern->u.file.open_mode, &intern->u.file.open_mode_len,
&use_include_path, &intern->u.file.zcontext) == FAILURE) {
zend_restore_error_handling(&error_handling TSRMLS_CC);
intern->u.file.open_mode = NULL;
@ -544,7 +544,7 @@ static spl_filesystem_object * spl_filesystem_object_create_type(int ht, spl_fil
Z_TYPE_P(return_value) = IS_NULL;
return NULL;
}
if (spl_filesystem_file_open(intern, use_include_path, 0 TSRMLS_CC) == FAILURE) {
zend_restore_error_handling(&error_handling TSRMLS_CC);
zval_dtor(return_value);
@ -553,7 +553,7 @@ static spl_filesystem_object * spl_filesystem_object_create_type(int ht, spl_fil
}
}
break;
case SPL_FS_DIR:
case SPL_FS_DIR:
zend_restore_error_handling(&error_handling TSRMLS_CC);
zend_throw_exception_ex(spl_ce_RuntimeException, 0 TSRMLS_CC, "Operation not supported");
return NULL;
@ -617,7 +617,7 @@ static HashTable* spl_filesystem_object_get_debug_info(zval *obj, int *is_temp T
if (intern->file_name) {
pnstr = spl_gen_private_prop_name(spl_ce_SplFileInfo, "fileName", sizeof("fileName")-1, &pnlen TSRMLS_CC);
spl_filesystem_object_get_path(intern, &path_len TSRMLS_CC);
if (path_len && path_len < intern->file_name_len) {
add_assoc_stringl_ex(&zrv, pnstr, pnlen+1, intern->file_name + path_len + 1, intern->file_name_len - (path_len + 1), 1);
} else {
@ -665,13 +665,13 @@ static HashTable* spl_filesystem_object_get_debug_info(zval *obj, int *is_temp T
zend_function *spl_filesystem_object_get_method_check(zval **object_ptr, char *method, int method_len, const struct _zend_literal *key TSRMLS_DC) /* {{{ */
{
spl_filesystem_object *fsobj = zend_object_store_get_object(*object_ptr TSRMLS_CC);
if (fsobj->u.dir.entry.d_name[0] == '\0' && fsobj->orig_path == NULL) {
method = "_bad_state_ex";
method_len = sizeof("_bad_state_ex") - 1;
key = NULL;
}
return zend_get_std_object_handlers()->get_method(object_ptr, method, method_len, key TSRMLS_CC);
}
/* }}} */
@ -751,7 +751,7 @@ SPL_METHOD(DirectoryIterator, __construct)
SPL_METHOD(DirectoryIterator, rewind)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -769,7 +769,7 @@ SPL_METHOD(DirectoryIterator, rewind)
SPL_METHOD(DirectoryIterator, key)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -799,7 +799,7 @@ SPL_METHOD(DirectoryIterator, next)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
int skip_dots = SPL_HAS_FLAG(intern->flags, SPL_FILE_DIR_SKIPDOTS);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -860,7 +860,7 @@ SPL_METHOD(DirectoryIterator, seek)
SPL_METHOD(DirectoryIterator, valid)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -876,7 +876,7 @@ SPL_METHOD(SplFileInfo, getPath)
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
char *path;
int path_len;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -892,13 +892,13 @@ SPL_METHOD(SplFileInfo, getFilename)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
int path_len;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
spl_filesystem_object_get_path(intern, &path_len TSRMLS_CC);
if (path_len && path_len < intern->file_name_len) {
RETURN_STRINGL(intern->file_name + path_len + 1, intern->file_name_len - (path_len + 1), 1);
} else {
@ -912,7 +912,7 @@ SPL_METHOD(SplFileInfo, getFilename)
SPL_METHOD(DirectoryIterator, getFilename)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1020,7 +1020,7 @@ SPL_METHOD(SplFileInfo, getBasename)
RETURN_STRINGL(fname, flen, 0);
}
/* }}}*/
/* }}}*/
/* {{{ proto string DirectoryIterator::getBasename([string $suffix]) U
Returns filename component of current dir entry */
@ -1030,7 +1030,7 @@ SPL_METHOD(DirectoryIterator, getBasename)
char *suffix = 0, *fname;
int slen = 0;
size_t flen;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|s", &suffix, &slen) == FAILURE) {
return;
}
@ -1066,7 +1066,7 @@ SPL_METHOD(SplFileInfo, getPathname)
SPL_METHOD(FilesystemIterator, key)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1085,7 +1085,7 @@ SPL_METHOD(FilesystemIterator, key)
SPL_METHOD(FilesystemIterator, current)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1108,7 +1108,7 @@ SPL_METHOD(FilesystemIterator, current)
SPL_METHOD(DirectoryIterator, isDot)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1122,8 +1122,8 @@ SPL_METHOD(DirectoryIterator, isDot)
/* zend_replace_error_handling() is used to throw exceptions in case
the constructor fails. Here we use this to ensure the object
has a valid directory resource.
When the constructor gets called the object is already created
When the constructor gets called the object is already created
by the engine, so we must only call 'additional' initializations.
*/
SPL_METHOD(SplFileInfo, __construct)
@ -1141,11 +1141,11 @@ SPL_METHOD(SplFileInfo, __construct)
}
intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
spl_filesystem_info_set_filename(intern, path, len, 1 TSRMLS_CC);
zend_restore_error_handling(&error_handling TSRMLS_CC);
/* intern->type = SPL_FS_INFO; already set */
}
/* }}} */
@ -1250,7 +1250,7 @@ SPL_METHOD(SplFileInfo, getLinkTarget)
int ret;
char buff[MAXPATHLEN];
zend_error_handling error_handling;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1298,7 +1298,7 @@ SPL_METHOD(SplFileInfo, getRealPath)
char buff[MAXPATHLEN];
char *filename;
zend_error_handling error_handling;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1308,10 +1308,10 @@ SPL_METHOD(SplFileInfo, getRealPath)
if (intern->type == SPL_FS_DIR && !intern->file_name && intern->u.dir.entry.d_name[0]) {
spl_filesystem_object_get_file_name(intern TSRMLS_CC);
}
if (intern->orig_path) {
filename = intern->orig_path;
} else {
} else {
filename = intern->file_name;
}
@ -1349,7 +1349,7 @@ SPL_METHOD(SplFileInfo, setFileClass)
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
zend_class_entry *ce = spl_ce_SplFileObject;
zend_error_handling error_handling;
zend_replace_error_handling(EH_THROW, spl_ce_UnexpectedValueException, &error_handling TSRMLS_CC);
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|C", &ce) == SUCCESS) {
@ -1367,7 +1367,7 @@ SPL_METHOD(SplFileInfo, setInfoClass)
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
zend_class_entry *ce = spl_ce_SplFileInfo;
zend_error_handling error_handling;
zend_replace_error_handling(EH_THROW, spl_ce_UnexpectedValueException, &error_handling TSRMLS_CC);
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|C", &ce) == SUCCESS) {
@ -1385,7 +1385,7 @@ SPL_METHOD(SplFileInfo, getFileInfo)
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
zend_class_entry *ce = intern->info_class;
zend_error_handling error_handling;
zend_replace_error_handling(EH_THROW, spl_ce_UnexpectedValueException, &error_handling TSRMLS_CC);
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|C", &ce) == SUCCESS) {
@ -1403,7 +1403,7 @@ SPL_METHOD(SplFileInfo, getPathInfo)
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
zend_class_entry *ce = intern->info_class;
zend_error_handling error_handling;
zend_replace_error_handling(EH_THROW, spl_ce_UnexpectedValueException, &error_handling TSRMLS_CC);
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|C", &ce) == SUCCESS) {
@ -1464,7 +1464,7 @@ SPL_METHOD(FilesystemIterator, rewind)
SPL_METHOD(FilesystemIterator, getFlags)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1520,11 +1520,11 @@ SPL_METHOD(RecursiveDirectoryIterator, getChildren)
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
spl_filesystem_object *subdir;
char slash = SPL_HAS_FLAG(intern->flags, SPL_FILE_DIR_UNIXPATHS) ? '/' : DEFAULT_SLASH;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
spl_filesystem_object_get_file_name(intern TSRMLS_CC);
MAKE_STD_ZVAL(zflags);
@ -1555,7 +1555,7 @@ SPL_METHOD(RecursiveDirectoryIterator, getChildren)
SPL_METHOD(RecursiveDirectoryIterator, getSubPath)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1576,7 +1576,7 @@ SPL_METHOD(RecursiveDirectoryIterator, getSubPathname)
char *sub_name;
int len;
char slash = SPL_HAS_FLAG(intern->flags, SPL_FILE_DIR_UNIXPATHS) ? '/' : DEFAULT_SLASH;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1612,7 +1612,7 @@ SPL_METHOD(GlobIterator, __construct)
SPL_METHOD(GlobIterator, count)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -1667,7 +1667,7 @@ zend_object_iterator *spl_filesystem_dir_get_iterator(zend_class_entry *ce, zval
iterator->current = object;
}
zval_add_ref(&object);
return (zend_object_iterator*)iterator;
}
/* }}} */
@ -1702,7 +1702,7 @@ static int spl_filesystem_dir_it_valid(zend_object_iterator *iter TSRMLS_DC)
static void spl_filesystem_dir_it_current_data(zend_object_iterator *iter, zval ***data TSRMLS_DC)
{
spl_filesystem_iterator *iterator = (spl_filesystem_iterator *)iter;
*data = &iterator->current;
}
/* }}} */
@ -1720,7 +1720,7 @@ static void spl_filesystem_dir_it_current_key(zend_object_iterator *iter, zval *
static void spl_filesystem_dir_it_move_forward(zend_object_iterator *iter TSRMLS_DC)
{
spl_filesystem_object *object = spl_filesystem_iterator_to_object((spl_filesystem_iterator *)iter);
object->u.dir.index++;
spl_filesystem_dir_read(object TSRMLS_CC);
if (object->file_name) {
@ -1734,7 +1734,7 @@ static void spl_filesystem_dir_it_move_forward(zend_object_iterator *iter TSRMLS
static void spl_filesystem_dir_it_rewind(zend_object_iterator *iter TSRMLS_DC)
{
spl_filesystem_object *object = spl_filesystem_iterator_to_object((spl_filesystem_iterator *)iter);
object->u.dir.index = 0;
if (object->u.dir.dirp) {
php_stream_rewinddir(object->u.dir.dirp);
@ -1804,7 +1804,7 @@ static void spl_filesystem_tree_it_move_forward(zend_object_iterator *iter TSRML
{
spl_filesystem_iterator *iterator = (spl_filesystem_iterator *)iter;
spl_filesystem_object *object = spl_filesystem_iterator_to_object(iterator);
object->u.dir.index++;
do {
spl_filesystem_dir_read(object TSRMLS_CC);
@ -1825,7 +1825,7 @@ static void spl_filesystem_tree_it_rewind(zend_object_iterator *iter TSRMLS_DC)
{
spl_filesystem_iterator *iterator = (spl_filesystem_iterator *)iter;
spl_filesystem_object *object = spl_filesystem_iterator_to_object(iterator);
object->u.dir.index = 0;
if (object->u.dir.dirp) {
php_stream_rewinddir(object->u.dir.dirp);
@ -1869,7 +1869,7 @@ zend_object_iterator *spl_filesystem_tree_get_iterator(zend_class_entry *ce, zva
iterator->intern.funcs = &spl_filesystem_tree_it_funcs;
}
zval_add_ref(&object);
return (zend_object_iterator*)iterator;
}
/* }}} */
@ -1925,7 +1925,7 @@ static int spl_filesystem_object_cast(zval *readobj, zval *writeobj, int type TS
/* {{{ declare method parameters */
/* supply a name and default to call by parameter */
ZEND_BEGIN_ARG_INFO(arginfo_info___construct, 0)
ZEND_BEGIN_ARG_INFO(arginfo_info___construct, 0)
ZEND_ARG_INFO(0, file_name)
ZEND_END_ARG_INFO()
@ -1984,11 +1984,11 @@ static const zend_function_entry spl_SplFileInfo_functions[] = {
PHP_FE_END
};
ZEND_BEGIN_ARG_INFO(arginfo_dir___construct, 0)
ZEND_BEGIN_ARG_INFO(arginfo_dir___construct, 0)
ZEND_ARG_INFO(0, path)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO(arginfo_dir_it_seek, 0)
ZEND_BEGIN_ARG_INFO(arginfo_dir_it_seek, 0)
ZEND_ARG_INFO(0, position)
ZEND_END_ARG_INFO();
@ -2010,7 +2010,7 @@ static const zend_function_entry spl_DirectoryIterator_functions[] = {
PHP_FE_END
};
ZEND_BEGIN_ARG_INFO_EX(arginfo_r_dir___construct, 0, 0, 1)
ZEND_BEGIN_ARG_INFO_EX(arginfo_r_dir___construct, 0, 0, 1)
ZEND_ARG_INFO(0, path)
ZEND_ARG_INFO(0, flags)
ZEND_END_ARG_INFO()
@ -2059,7 +2059,7 @@ static int spl_filesystem_file_read(spl_filesystem_object *intern, int silent TS
long line_add = (intern->u.file.current_line || intern->u.file.current_zval) ? 1 : 0;
spl_filesystem_file_free_line(intern TSRMLS_CC);
if (php_stream_eof(intern->u.file.stream)) {
if (!silent) {
zend_throw_exception_ex(spl_ce_RuntimeException, 0 TSRMLS_CC, "Cannot read from file %s", intern->file_name);
@ -2087,7 +2087,7 @@ static int spl_filesystem_file_read(spl_filesystem_object *intern, int silent TS
line_len = strcspn(buf, "\r\n");
buf[line_len] = '\0';
}
intern->u.file.current_line = buf;
intern->u.file.current_line_len = line_len;
}
@ -2108,7 +2108,7 @@ static int spl_filesystem_file_call(spl_filesystem_object *intern, zend_function
zval ***params = (zval***)safe_emalloc(num_args, sizeof(zval**), 0);
params[0] = &zresource_ptr;
if (arg2) {
params[1] = &arg2;
}
@ -2160,11 +2160,11 @@ static int spl_filesystem_file_call(spl_filesystem_object *intern, zend_function
static int spl_filesystem_file_read_csv(spl_filesystem_object *intern, char delimiter, char enclosure, char escape, zval *return_value TSRMLS_DC) /* {{{ */
{
int ret = SUCCESS;
do {
ret = spl_filesystem_file_read(intern, 1 TSRMLS_CC);
} while (ret == SUCCESS && !intern->u.file.current_line_len && SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_SKIP_EMPTY));
if (ret == SUCCESS) {
size_t buf_len = intern->u.file.current_line_len;
char *buf = estrndup(intern->u.file.current_line, buf_len);
@ -2238,7 +2238,7 @@ static int spl_filesystem_file_is_empty_line(spl_filesystem_object *intern TSRML
if (SPL_HAS_FLAG(intern->flags, SPL_FILE_OBJECT_READ_CSV)
&& zend_hash_num_elements(Z_ARRVAL_P(intern->u.file.current_zval)) == 1) {
zval ** first = Z_ARRVAL_P(intern->u.file.current_zval)->pListHead->pData;
return Z_TYPE_PP(first) == IS_STRING && Z_STRLEN_PP(first) == 0;
}
return zend_hash_num_elements(Z_ARRVAL_P(intern->u.file.current_zval)) == 0;
@ -2261,7 +2261,7 @@ static int spl_filesystem_file_read_line(zval * this_ptr, spl_filesystem_object
spl_filesystem_file_free_line(intern TSRMLS_CC);
ret = spl_filesystem_file_read_line_ex(this_ptr, intern, silent TSRMLS_CC);
}
return ret;
}
/* }}} */
@ -2299,16 +2299,16 @@ SPL_METHOD(SplFileObject, __construct)
intern->u.file.open_mode = NULL;
intern->u.file.open_mode_len = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|sbr!",
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|sbr!",
&intern->file_name, &intern->file_name_len,
&intern->u.file.open_mode, &intern->u.file.open_mode_len,
&use_include_path, &intern->u.file.zcontext) == FAILURE) {
&intern->u.file.open_mode, &intern->u.file.open_mode_len,
&use_include_path, &intern->u.file.zcontext) == FAILURE) {
intern->u.file.open_mode = NULL;
intern->file_name = NULL;
zend_restore_error_handling(&error_handling TSRMLS_CC);
return;
}
if (intern->u.file.open_mode == NULL) {
intern->u.file.open_mode = "r";
intern->u.file.open_mode_len = 1;
@ -2373,7 +2373,7 @@ SPL_METHOD(SplTempFileObject, __construct)
intern->u.file.open_mode = "wb";
intern->u.file.open_mode_len = 1;
intern->u.file.zcontext = NULL;
if (spl_filesystem_file_open(intern, 0, 0 TSRMLS_CC) == SUCCESS) {
intern->_path_len = 0;
intern->_path = estrndup("", 0);
@ -2386,7 +2386,7 @@ SPL_METHOD(SplTempFileObject, __construct)
SPL_METHOD(SplFileObject, rewind)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2399,7 +2399,7 @@ SPL_METHOD(SplFileObject, rewind)
SPL_METHOD(SplFileObject, eof)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2417,7 +2417,7 @@ SPL_METHOD(SplFileObject, eof)
SPL_METHOD(SplFileObject, valid)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2437,7 +2437,7 @@ SPL_METHOD(SplFileObject, valid)
SPL_METHOD(SplFileObject, fgets)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2458,7 +2458,7 @@ SPL_METHOD(SplFileObject, fgets)
SPL_METHOD(SplFileObject, current)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2484,7 +2484,7 @@ SPL_METHOD(SplFileObject, current)
SPL_METHOD(SplFileObject, key)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2501,7 +2501,7 @@ SPL_METHOD(SplFileObject, key)
SPL_METHOD(SplFileObject, next)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2553,7 +2553,7 @@ SPL_METHOD(SplFileObject, setMaxLineLen)
zend_throw_exception_ex(spl_ce_DomainException, 0 TSRMLS_CC, "Maximum line length must be greater than or equal zero");
return;
}
intern->u.file.max_line_len = max_len;
} /* }}} */
@ -2562,7 +2562,7 @@ SPL_METHOD(SplFileObject, setMaxLineLen)
SPL_METHOD(SplFileObject, getMaxLineLen)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -2577,7 +2577,7 @@ SPL_METHOD(SplFileObject, hasChildren)
if (zend_parse_parameters_none() == FAILURE) {
return;
}
RETURN_FALSE;
} /* }}} */
@ -2608,7 +2608,7 @@ SPL_METHOD(SplFileObject, fgetcsv)
char delimiter = intern->u.file.delimiter, enclosure = intern->u.file.enclosure, escape = intern->u.file.escape;
char *delim = NULL, *enclo = NULL, *esc = NULL;
int d_len = 0, e_len = 0, esc_len = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sss", &delim, &d_len, &enclo, &e_len, &esc, &esc_len) == SUCCESS) {
if(!intern->u.file.stream) {
@ -2656,7 +2656,7 @@ SPL_METHOD(SplFileObject, fputcsv)
char *delim = NULL, *enclo = NULL, *esc = NULL;
int d_len = 0, e_len = 0, esc_len = 0, ret;
zval *fields = NULL;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "a|sss", &fields, &delim, &d_len, &enclo, &e_len, &esc, &esc_len) == SUCCESS) {
switch(ZEND_NUM_ARGS())
{
@ -2699,7 +2699,7 @@ SPL_METHOD(SplFileObject, setCsvControl)
char delimiter = ',', enclosure = '"', escape='\\';
char *delim = NULL, *enclo = NULL, *esc = NULL;
int d_len = 0, e_len = 0, esc_len = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sss", &delim, &d_len, &enclo, &e_len, &esc, &esc_len) == SUCCESS) {
switch(ZEND_NUM_ARGS())
{
@ -2742,7 +2742,7 @@ SPL_METHOD(SplFileObject, getCsvControl)
char delimiter[2], enclosure[2];
array_init(return_value);
delimiter[0] = intern->u.file.delimiter;
delimiter[1] = '\0';
enclosure[0] = intern->u.file.enclosure;
@ -2948,6 +2948,10 @@ SPL_METHOD(SplFileObject, fread)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be greater than 0");
RETURN_FALSE;
}
if (length > INT_MAX) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Length parameter must be no more than %d", INT_MAX);
RETURN_FALSE;
}
Z_STRVAL_P(return_value) = emalloc(length + 1);
Z_STRLEN_P(return_value) = php_stream_read(intern->u.file.stream, Z_STRVAL_P(return_value), length);
@ -2968,7 +2972,7 @@ SPL_METHOD(SplFileObject, ftruncate)
{
spl_filesystem_object *intern = (spl_filesystem_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
long size;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &size) == FAILURE) {
return;
}
@ -2982,7 +2986,7 @@ SPL_METHOD(SplFileObject, ftruncate)
zend_throw_exception_ex(spl_ce_LogicException, 0 TSRMLS_CC, "Can't truncate file %s", intern->file_name);
RETURN_FALSE;
}
RETURN_BOOL(0 == php_stream_truncate_set_size(intern->u.file.stream, size));
} /* }}} */
@ -3003,11 +3007,11 @@ SPL_METHOD(SplFileObject, seek)
if (line_pos < 0) {
zend_throw_exception_ex(spl_ce_LogicException, 0 TSRMLS_CC, "Can't seek file %s to negative line %ld", intern->file_name, line_pos);
RETURN_FALSE;
RETURN_FALSE;
}
spl_filesystem_file_rewind(getThis(), intern TSRMLS_CC);
while(intern->u.file.current_line_num < line_pos) {
if (spl_filesystem_file_read_line(getThis(), intern, 1 TSRMLS_CC) == FAILURE) {
break;
@ -3044,17 +3048,17 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fputcsv, 0, 0, 1)
ZEND_ARG_INFO(0, escape)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_flock, 0, 0, 1)
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_flock, 0, 0, 1)
ZEND_ARG_INFO(0, operation)
ZEND_ARG_INFO(1, wouldblock)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fseek, 0, 0, 1)
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fseek, 0, 0, 1)
ZEND_ARG_INFO(0, pos)
ZEND_ARG_INFO(0, whence)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fgetss, 0, 0, 0)
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fgetss, 0, 0, 0)
ZEND_ARG_INFO(0, allowable_tags)
ZEND_END_ARG_INFO()
@ -3063,7 +3067,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fscanf, 0, 0, 1)
ZEND_ARG_VARIADIC_INFO(1, vars)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fwrite, 0, 0, 1)
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fwrite, 0, 0, 1)
ZEND_ARG_INFO(0, str)
ZEND_ARG_INFO(0, length)
ZEND_END_ARG_INFO()
@ -3072,11 +3076,11 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fread, 0, 0, 1)
ZEND_ARG_INFO(0, length)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_ftruncate, 0, 0, 1)
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_ftruncate, 0, 0, 1)
ZEND_ARG_INFO(0, size)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_seek, 0, 0, 1)
ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_seek, 0, 0, 1)
ZEND_ARG_INFO(0, line_pos)
ZEND_END_ARG_INFO()
@ -3165,7 +3169,7 @@ PHP_MINIT_FUNCTION(spl_directory)
REGISTER_SPL_SUB_CLASS_EX(RecursiveDirectoryIterator, FilesystemIterator, spl_filesystem_object_new, spl_RecursiveDirectoryIterator_functions);
REGISTER_SPL_IMPLEMENTS(RecursiveDirectoryIterator, RecursiveIterator);
memcpy(&spl_filesystem_object_check_handlers, &spl_filesystem_object_handlers, sizeof(zend_object_handlers));
spl_filesystem_object_check_handlers.get_method = spl_filesystem_object_get_method_check;
@ -3182,7 +3186,7 @@ PHP_MINIT_FUNCTION(spl_directory)
REGISTER_SPL_CLASS_CONST_LONG(SplFileObject, "READ_AHEAD", SPL_FILE_OBJECT_READ_AHEAD);
REGISTER_SPL_CLASS_CONST_LONG(SplFileObject, "SKIP_EMPTY", SPL_FILE_OBJECT_SKIP_EMPTY);
REGISTER_SPL_CLASS_CONST_LONG(SplFileObject, "READ_CSV", SPL_FILE_OBJECT_READ_CSV);
REGISTER_SPL_SUB_CLASS_EX(SplTempFileObject, SplFileObject, spl_filesystem_object_new_check, spl_SplTempFileObject_functions);
return SUCCESS;
}

17
ext/standard/php_smart_str.h
View file

@ -63,6 +63,9 @@
newlen = (d)->len + (n); \
if (newlen >= (d)->a) { \
(d)->a = newlen + SMART_STR_PREALLOC; \
if (UNEXPECTED((d)->a >= INT_MAX)) { \
zend_error(E_ERROR, "String size overflow"); \
} \
SMART_STR_DO_REALLOC(d, what); \
} \
} \
@ -148,17 +151,17 @@
* for GCC compatible compilers, e.g.
*
* #define f(..) ({char *r;..;__r;})
*/
*/
static inline char *smart_str_print_long(char *buf, long num) {
char *r;
smart_str_print_long4(buf, num, unsigned long, r);
char *r;
smart_str_print_long4(buf, num, unsigned long, r);
return r;
}
static inline char *smart_str_print_unsigned(char *buf, long num) {
char *r;
smart_str_print_unsigned4(buf, num, unsigned long, r);
char *r;
smart_str_print_unsigned4(buf, num, unsigned long, r);
return r;
}
@ -168,7 +171,7 @@ static inline char *smart_str_print_unsigned(char *buf, long num) {
smart_str_print##func##4 (__b + sizeof(__b) - 1, (num), vartype, __t); \
smart_str_appendl_ex((dest), __t, __b + sizeof(__b) - 1 - __t, (type)); \
} while (0)
#define smart_str_append_unsigned_ex(dest, num, type) \
smart_str_append_generic_ex((dest), (num), (type), unsigned long, _unsigned)

25
ext/standard/string.c
View file

@ -132,6 +132,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t *
register unsigned char *result = NULL;
size_t i, j;
if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) {
zend_error(E_ERROR, "String size overflow");
}
result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1);
for (i = j = 0; i < oldlen; i++) {
@ -2608,6 +2611,7 @@ PHP_FUNCTION(quotemeta)
char *p, *q;
char c;
int old_len;
size_t new_len;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) {
return;
@ -2642,8 +2646,13 @@ PHP_FUNCTION(quotemeta)
}
}
*q = 0;
new_len = q - str;
if (UNEXPECTED(new_len > INT_MAX)) {
efree(str);
zend_error(E_ERROR, "String size overflow");
}
RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0);
RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0);
}
/* }}} */
@ -3495,7 +3504,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
char *source, *target;
char *end;
char c;
int newlen;
size_t newlen;
if (!wlength) {
wlength = strlen(what);
@ -3526,11 +3535,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
}
*target = 0;
newlen = target - new_str;
if (UNEXPECTED(newlen > INT_MAX)) {
efree(new_str);
zend_error(E_ERROR, "String size overflow");
}
if (target - new_str < length * 4) {
new_str = erealloc(new_str, newlen + 1);
}
if (new_length) {
*new_length = newlen;
*new_length = (int)newlen;
}
if (should_free) {
STR_FREE((char*)str);
@ -3582,6 +3595,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f
*target = 0;
*new_length = target - new_str;
if (UNEXPECTED(*new_length < 0)) {
zend_error(E_ERROR, "String size overflow");
}
if (should_free) {
STR_FREE(str);
}
@ -4285,6 +4301,9 @@ PHP_FUNCTION(nl2br)
size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
new_length = str_len + repl_cnt * repl_len;
if (UNEXPECTED(new_length > INT_MAX)) {
zend_error(E_ERROR, "String size overflow");
}
tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
}

32
ext/standard/tests/strings/bug72433.phpt Normal file
View file

@ -0,0 +1,32 @@
--TEST--
Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
--FILE--
<?php
// Fill any potential freed spaces until now.
$filler = array();
for($i = 0; $i < 100; $i++)
$filler[] = "";
// Create our payload and unserialize it.
$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
$free_me = unserialize($serialized_payload);
// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
$inc_ref_by_one = $free_me[2];
// The call to gc_collect_cycles will free '$free_me'.
gc_collect_cycles();
// We now have multiple freed spaces. Fill all of them.
$fill_freed_space_1 = "filler_zval_1";
$fill_freed_space_2 = "filler_zval_2";
var_dump($free_me);
?>
--EXPECTF--
array(3) {
[0]=>
*RECURSION*
[1]=>
*RECURSION*
[2]=>
object(ArrayObject)#%d (1) {
["storage":"ArrayObject":private]=>
*RECURSION*
}
}

33
ext/standard/tests/strings/bug72434.phpt Normal file
View file

@ -0,0 +1,33 @@
--TEST--
Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
--SKIPIF--
<?php
if(!class_exists('zip')) die('ZipArchive');
?>
--FILE--
<?php
// The following array will be serialized and this representation will be freed later on.
$free_me = array(new StdClass());
// Create our payload and unserialize it.
$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
$unserialized_payload = unserialize($serialized_payload);
gc_collect_cycles();
// The reference counter for $free_me is at -1 for PHP 7 right now.
// Increment the reference counter by 1 -> rc is 0
$a = $unserialized_payload[1];
// Increment the reference counter by 1 again -> rc is 1
$b = $a;
// Trigger free of $free_me (referenced by $m[1]).
unset($b);
$fill_freed_space_1 = "filler_zval_1";
$fill_freed_space_2 = "filler_zval_2";
$fill_freed_space_3 = "filler_zval_3";
$fill_freed_space_4 = "filler_zval_4";
debug_zval_dump($unserialized_payload[1]);
?>
--EXPECTF--
array(1) refcount(1){
[0]=>
object(stdClass)#%d (0) refcount(3){
}
}

96
ext/standard/url.c
View file

@ -65,27 +65,27 @@ PHPAPI char *php_replace_controlchars_ex(char *str, int len)
{
unsigned char *s = (unsigned char *)str;
unsigned char *e = (unsigned char *)str + len;
if (!str) {
return (NULL);
}
while (s < e) {
if (iscntrl(*s)) {
*s='_';
}
}
s++;
}
return (str);
}
}
/* }}} */
PHPAPI char *php_replace_controlchars(char *str)
{
return php_replace_controlchars_ex(str, strlen(str));
}
}
PHPAPI php_url *php_url_parse(char const *str)
{
@ -99,7 +99,7 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
char port_buf[6];
php_url *ret = ecalloc(1, sizeof(php_url));
char const *s, *e, *p, *pp, *ue;
s = str;
ue = s + length;
@ -118,40 +118,40 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
}
p++;
}
if (*(e + 1) == '\0') { /* only scheme is available */
ret->scheme = estrndup(s, (e - s));
php_replace_controlchars_ex(ret->scheme, (e - s));
goto end;
}
/*
/*
* certain schemas like mailto: and zlib: may not have any / after them
* this check ensures we support those.
*/
if (*(e+1) != '/') {
/* check if the data we get is a port this allows us to
/* check if the data we get is a port this allows us to
* correctly parse things like a.com:80
*/
p = e + 1;
while (isdigit(*p)) {
p++;
}
if ((*p == '\0' || *p == '/') && (p - e) < 7) {
goto parse_port;
}
ret->scheme = estrndup(s, (e-s));
php_replace_controlchars_ex(ret->scheme, (e - s));
length -= ++e - s;
s = e;
goto just_path;
} else {
ret->scheme = estrndup(s, (e-s));
php_replace_controlchars_ex(ret->scheme, (e - s));
if (*(e+2) == '/') {
s = e + 3;
if (!strncasecmp("file", ret->scheme, sizeof("file"))) {
@ -173,9 +173,9 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
length -= ++e - s;
s = e;
goto just_path;
}
}
}
}
}
} else if (e) { /* no scheme; starts with colon: look for port */
parse_port:
p = e + 1;
@ -216,9 +216,9 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
ue = s + length;
goto nohost;
}
e = ue;
if (!(p = memchr(s, '/', (ue - s)))) {
char *query, *fragment;
@ -238,14 +238,14 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
}
} else {
e = p;
}
}
/* check for login and password */
if ((p = zend_memrchr(s, '@', (e-s)))) {
if ((pp = memchr(s, ':', (p-s)))) {
ret->user = estrndup(s, (pp-s));
php_replace_controlchars_ex(ret->user, (pp - s));
pp++;
ret->pass = estrndup(pp, (p-pp));
php_replace_controlchars_ex(ret->pass, (p-pp));
@ -253,14 +253,14 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
ret->user = estrndup(s, (p-s));
php_replace_controlchars_ex(ret->user, (p-s));
}
s = p + 1;
}
/* check for port */
if (*s == '[' && *(e-1) == ']') {
/* Short circuit portscan,
we're dealing with an
/* Short circuit portscan,
we're dealing with an
IPv6 embedded address */
p = s;
} else {
@ -294,11 +294,11 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
}
}
p--;
}
}
} else {
p = e;
}
/* check if we have a valid host, if we don't reject the string as url */
if ((p-s) < 1) {
STR_FREE(ret->scheme);
@ -310,15 +310,15 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
ret->host = estrndup(s, (p-s));
php_replace_controlchars_ex(ret->host, (p - s));
if (e == ue) {
return ret;
}
s = e;
nohost:
if ((p = memchr(s, '?', (ue - s)))) {
pp = memchr(s, '#', (ue - s));
@ -330,14 +330,14 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
p = pp;
goto label_parse;
}
if (p - s) {
ret->path = estrndup(s, (p-s));
php_replace_controlchars_ex(ret->path, (p - s));
}
}
if (pp) {
if (pp - ++p) {
if (pp - ++p) {
ret->query = estrndup(p, (pp-p));
php_replace_controlchars_ex(ret->query, (pp - p));
}
@ -351,15 +351,15 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
if (p - s) {
ret->path = estrndup(s, (p-s));
php_replace_controlchars_ex(ret->path, (p - s));
}
}
label_parse:
p++;
if (ue - p) {
ret->fragment = estrndup(p, (ue-p));
php_replace_controlchars_ex(ret->fragment, (ue - p));
}
}
} else {
ret->path = estrndup(s, (ue-s));
php_replace_controlchars_ex(ret->path, (ue - s));
@ -441,7 +441,7 @@ PHP_FUNCTION(parse_url)
add_assoc_string(return_value, "query", resource->query, 1);
if (resource->fragment != NULL)
add_assoc_string(return_value, "fragment", resource->fragment, 1);
done:
done:
php_url_free(resource);
}
/* }}} */
@ -489,7 +489,7 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
register unsigned char c;
unsigned char *to, *start;
unsigned char const *from, *end;
from = (unsigned char *)s;
end = (unsigned char *)s + len;
start = to = (unsigned char *) safe_emalloc(3, len, 1);
@ -575,7 +575,7 @@ PHPAPI int php_url_decode(char *str, int len)
if (*data == '+') {
*dest = ' ';
}
else if (*data == '%' && len >= 2 && isxdigit((int) *(data + 1))
else if (*data == '%' && len >= 2 && isxdigit((int) *(data + 1))
&& isxdigit((int) *(data + 2))) {
#ifndef CHARSET_EBCDIC
*dest = (char) php_htoi(data + 1);
@ -625,6 +625,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
if (new_length) {
*new_length = y;
}
if (UNEXPECTED(y > INT_MAX)) {
efree(str);
zend_error(E_ERROR, "String size overflow");
}
return ((char *) str);
}
/* }}} */
@ -673,7 +677,7 @@ PHPAPI int php_raw_url_decode(char *str, int len)
char *data = str;
while (len--) {
if (*data == '%' && len >= 2 && isxdigit((int) *(data + 1))
if (*data == '%' && len >= 2 && isxdigit((int) *(data + 1))
&& isxdigit((int) *(data + 2))) {
#ifndef CHARSET_EBCDIC
*dest = (char) php_htoi(data + 1);
@ -705,7 +709,7 @@ PHP_FUNCTION(get_headers)
HashPosition pos;
HashTable *hashT;
long format = 0;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &url, &url_len, &format) == FAILURE) {
return;
}
@ -724,12 +728,12 @@ PHP_FUNCTION(get_headers)
/* check for curl-wrappers that provide headers via a special "headers" element */
if (zend_hash_find(HASH_OF(stream->wrapperdata), "headers", sizeof("headers"), (void **)&h) != FAILURE && Z_TYPE_PP(h) == IS_ARRAY) {
/* curl-wrappers don't load data until the 1st read */
/* curl-wrappers don't load data until the 1st read */
if (!Z_ARRVAL_PP(h)->nNumOfElements) {
php_stream_getc(stream);
}
zend_hash_find(HASH_OF(stream->wrapperdata), "headers", sizeof("headers"), (void **)&h);
hashT = Z_ARRVAL_PP(h);
hashT = Z_ARRVAL_PP(h);
} else {
hashT = HASH_OF(stream->wrapperdata);
}

24
ext/wddx/tests/bug72340.phpt Normal file
View file

@ -0,0 +1,24 @@
--TEST--
Bug #72340: Double Free Courruption in wddx_deserialize
--SKIPIF--
<?php
if (!extension_loaded("wddx")) print "skip";
?>
--FILE--
<?php
$xml = <<<EOF
<?xml version='1.0' ?>
<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
<wddxPacket version='1.0'>
<array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var>
<var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ">
</var></var></var>
</array>
</wddxPacket>
EOF;
$array = wddx_deserialize($xml);
var_dump($array);
?>
--EXPECT--
array(0) {
}

4
ext/wddx/wddx.c
View file

@ -1094,6 +1094,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
break;
case ST_BOOLEAN:
if(!ent->data) {
break;
}
if (!strcmp(s, "true")) {
Z_LVAL_P(ent->data) = 1;
} else if (!strcmp(s, "false")) {
@ -1102,6 +1105,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
zval_ptr_dtor(&ent->data);
if (ent->varname) {
efree(ent->varname);
ent->varname = NULL;
}
ent->data = NULL;
}

9
ext/zip/php_zip.c
View file

@ -1042,6 +1042,14 @@ static int php_zip_has_property(zval *object, zval *member, int type KEY_ARG_DC
}
/* }}} */
static HashTable *php_zip_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
{
*gc_data = NULL;
*gc_data_count = 0;
return zend_std_get_properties(object TSRMLS_CC);
}
/* }}} */
static HashTable *php_zip_get_properties(zval *object TSRMLS_DC)/* {{{ */
{
ze_zip_object *obj;
@ -3039,6 +3047,7 @@ static PHP_MINIT_FUNCTION(zip)
zip_object_handlers.clone_obj = NULL;
zip_object_handlers.get_property_ptr_ptr = php_zip_get_property_ptr_ptr;
zip_object_handlers.get_gc = php_zip_get_gc;
zip_object_handlers.get_properties = php_zip_get_properties;
zip_object_handlers.read_property = php_zip_read_property;
zip_object_handlers.has_property = php_zip_has_property;