archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix potential OOB read in zend_dirname() on Windows

Browse source 
Only on Windows `IS_SLASH_P()` may read the previous byte, and so may
in unlikely cases read one byte out of bounds.  Since `IS_SLASH_P()` is
in a public header (albeit not likely to be used by external extensions
or SAPIs), we introduce `IS_SLASH_P_EX()` which accepts a second
argument to prevent that OOB read.

It should be noted that the PHP userland function `dirname()` is not
affected by this issue, since it does not call `zend_dirname()` on
Windows.

Closes GH-16995.
This commit is contained in:
Christoph M. Becker 2024-11-29 19:43:07 +01:00
parent 9bae8933a3
commit 94fa2a4ce1
No known key found for this signature in database
GPG key ID: D66C9593118BCCB6
3 changed files with 9 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

1
NEWS
View file

@ -19,6 +19,7 @@ PHP NEWS
. Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs). . Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
(nielsdos) (nielsdos)
. Fix is_zend_ptr() huge block comparison. (nielsdos) . Fix is_zend_ptr() huge block comparison. (nielsdos)
. Fixed potential OOB read in zend_dirname() on Windows. (cmb)
- Curl: - Curl:
. Fix various memory leaks in curl mime handling. (nielsdos) . Fix various memory leaks in curl mime handling. (nielsdos)

6
Zend/zend_compile.c
View file

@ -1997,7 +1997,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)
} }
/* Strip trailing slashes */ /* Strip trailing slashes */
while (end >= path && IS_SLASH_P(end)) { while (end >= path && IS_SLASH_P_EX(end, end == path)) {
end--; end--;
} }
if (end < path) { if (end < path) {
@ -2008,7 +2008,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)
} }
/* Strip filename */ /* Strip filename */
while (end >= path && !IS_SLASH_P(end)) { while (end >= path && !IS_SLASH_P_EX(end, end == path)) {
end--; end--;
} }
if (end < path) { if (end < path) {
@ -2019,7 +2019,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)
} }
/* Strip slashes which came before the file name */ /* Strip slashes which came before the file name */
while (end >= path && IS_SLASH_P(end)) { while (end >= path && IS_SLASH_P_EX(end, end == path)) {
end--; end--;
} }
if (end < path) { if (end < path) {

5
Zend/zend_virtual_cwd.h
View file

@ -73,8 +73,11 @@ typedef unsigned short mode_t;
#define DEFAULT_SLASH '\\' #define DEFAULT_SLASH '\\'
#define DEFAULT_DIR_SEPARATOR ';' #define DEFAULT_DIR_SEPARATOR ';'
#define IS_SLASH(c) ((c) == '/' || (c) == '\\') #define IS_SLASH(c) ((c) == '/' || (c) == '\\')
// IS_SLASH_P() may read the previous char on Windows, which may be OOB; use IS_SLASH_P_EX() instead
#define IS_SLASH_P(c) (*(c) == '/' || \ #define IS_SLASH_P(c) (*(c) == '/' || \
(*(c) == '\\' && !IsDBCSLeadByte(*(c-1)))) (*(c) == '\\' && !IsDBCSLeadByte(*(c-1))))
#define IS_SLASH_P_EX(c, first_byte) (*(c) == '/' || \
(*(c) == '\\' && ((first_byte) || !IsDBCSLeadByte(*(c-1)))))
/* COPY_WHEN_ABSOLUTE is 2 under Win32 because by chance both regular absolute paths /* COPY_WHEN_ABSOLUTE is 2 under Win32 because by chance both regular absolute paths
in the file system and UNC paths need copying of two characters */ in the file system and UNC paths need copying of two characters */
@ -98,7 +101,9 @@ typedef unsigned short mode_t;
#endif #endif
#define IS_SLASH(c) ((c) == '/') #define IS_SLASH(c) ((c) == '/')
// IS_SLASH_P() may read the previous char on Windows, which may be OOB; use IS_SLASH_P_EX() instead
#define IS_SLASH_P(c) (*(c) == '/') #define IS_SLASH_P(c) (*(c) == '/')
#define IS_SLASH_P_EX(c, first_byte) IS_SLASH_P(c)
#endif #endif