From 97a1b343004058404915e9a77c5f57743dd215a8 Mon Sep 17 00:00:00 2001 From: Julien Pauli Date: Tue, 31 Mar 2015 15:51:47 +0200 Subject: [PATCH 01/22] 5.5.25 now --- NEWS | 5 +++++ configure.in | 2 +- main/php_version.h | 6 +++--- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 862ef6a3fa6..5cc74f8431f 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +?? ??? 2015, PHP 5.5.25 + + + + ?? ??? 2015, PHP 5.5.24 - Core: diff --git a/configure.in b/configure.in index b56b85f12d5..1669739f069 100644 --- a/configure.in +++ b/configure.in @@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=5 -PHP_RELEASE_VERSION=24 +PHP_RELEASE_VERSION=25 PHP_EXTRA_VERSION="-dev" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 2997684bf0c..053bc564dd9 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 5 -#define PHP_RELEASE_VERSION 24 +#define PHP_RELEASE_VERSION 25 #define PHP_EXTRA_VERSION "-dev" -#define PHP_VERSION "5.5.24-dev" -#define PHP_VERSION_ID 50524 +#define PHP_VERSION "5.5.25-dev" +#define PHP_VERSION_ID 50525 From ffbd380e4483a5b36733cfd99fab779008082d11 Mon Sep 17 00:00:00 2001 
From: Derick Rethans Date: Tue, 31 Mar 2015 16:35:03 +0100 Subject: [PATCH 02/22] Fixed bug #69336 (Issues with "last day of "). --- NEWS | 1 + ext/date/lib/parse_date.c | 6 +++--- ext/date/lib/parse_date.re | 4 ++-- ext/date/lib/timelib.h | 3 +++ ext/date/lib/tm2unixtime.c | 15 +++++++++++++-- ext/date/php_date.c | 2 +- ext/date/tests/bug69336.phpt | 20 ++++++++++++++++++++ 7 files changed, 43 insertions(+), 8 deletions(-) create mode 100644 ext/date/tests/bug69336.phpt diff --git a/NEWS b/NEWS index 5cc74f8431f..36f60ff03f8 100644 --- a/NEWS +++ b/NEWS @@ -25,6 +25,7 @@ PHP NEWS - Date: . Export date_get_immutable_ce so that it can be used by extensions. (Derick Rethans) + . Fixed bug #69336 (Issues with "last day of "). (Derick Rethans) - Curl: . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c index afa1425565e..2a10139b433 100644 --- a/ext/date/lib/parse_date.c +++ b/ext/date/lib/parse_date.c @@ -1,4 +1,4 @@ -/* Generated by re2c 0.13.5 on Mon Aug 18 18:28:27 2014 */ +/* Generated by re2c 0.13.5 on Tue Mar 31 16:32:03 2015 */ #line 1 "ext/date/lib/parse_date.re" /* +----------------------------------------------------------------------+ @@ -19864,9 +19864,9 @@ yy1315: /* skip "last day of" or "first day of" */ if (*ptr == 'l' || *ptr == 'L') { - s->time->relative.first_last_day_of = 2; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_LAST_DAY_OF_MONTH; } else { - s->time->relative.first_last_day_of = 1; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH; } TIMELIB_DEINIT; diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re index 4cdbc2a37c1..66d4f223889 100644 --- a/ext/date/lib/parse_date.re +++ b/ext/date/lib/parse_date.re 
@@ -1030,9 +1030,9 @@ weekdayof = (reltextnumber|reltexttext) space (dayfull|dayabbr) space 'of /* skip "last day of" or "first day of" */ if (*ptr == 'l' || *ptr == 'L') { - s->time->relative.first_last_day_of = 2; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_LAST_DAY_OF_MONTH; } else { - s->time->relative.first_last_day_of = 1; + s->time->relative.first_last_day_of = TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH; } TIMELIB_DEINIT; diff --git a/ext/date/lib/timelib.h b/ext/date/lib/timelib.h index 797ed10b196..28f3b8c924c 100644 --- a/ext/date/lib/timelib.h +++ b/ext/date/lib/timelib.h @@ -38,6 +38,9 @@ #define TIMELIB_SPECIAL_DAY_OF_WEEK_IN_MONTH 0x02 #define TIMELIB_SPECIAL_LAST_DAY_OF_WEEK_IN_MONTH 0x03 +#define TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH 0x01 +#define TIMELIB_SPECIAL_LAST_DAY_OF_MONTH 0x02 + #ifndef LONG_MAX #define LONG_MAX 2147483647L #endif diff --git a/ext/date/lib/tm2unixtime.c b/ext/date/lib/tm2unixtime.c index a3d48c59c42..0f59d31516b 100644 --- a/ext/date/lib/tm2unixtime.c +++ b/ext/date/lib/tm2unixtime.c @@ -205,15 +205,17 @@ static void do_adjust_relative(timelib_time* time) time->m += time->relative.m; time->y += time->relative.y; } + switch (time->relative.first_last_day_of) { - case 1: /* first */ + case TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH: /* first */ time->d = 1; break; - case 2: /* last */ + case TIMELIB_SPECIAL_LAST_DAY_OF_MONTH: /* last */ time->d = 0; time->m++; break; } + timelib_do_normalize(time); } @@ -296,6 +298,15 @@ static void do_adjust_special_early(timelib_time* time) break; } } + switch (time->relative.first_last_day_of) { + case TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH: /* first */ + time->d = 1; + break; + case TIMELIB_SPECIAL_LAST_DAY_OF_MONTH: /* last */ + time->d = 0; + time->m++; + break; + } timelib_do_normalize(time); } diff --git a/ext/date/php_date.c b/ext/date/php_date.c index 0819b45df4e..7f05bab99e4 100644 --- a/ext/date/php_date.c +++ b/ext/date/php_date.c 
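Review bot: `TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH 0x01` and `TIMELIB_SPECIAL_LAST_DAY_OF_MONTH 0x02` in the timelib.h hunk share the `TIMELIB_SPECIAL_` prefix and the numeric range of the `TIMELIB_SPECIAL_DAY_OF_WEEK_IN_MONTH 0x02` / `TIMELIB_SPECIAL_LAST_DAY_OF_WEEK_IN_MONTH 0x03` defines two lines above, yet they are stored in a different field (`relative.first_last_day_of`, per the parse_date.re and tm2unixtime.c hunks) and are not interchangeable with those. A comment separating the two groups, `/* values of relative.first_last_day_of, not of relative.special.type */`, would prevent a mix-up when the next constant is added. The existing group presumably deserves the matching comment; its own header line is outside the hunk.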
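Review bot: The `switch (time->relative.first_last_day_of)` block in `do_adjust_relative` is now copied verbatim into `do_adjust_special_early` (the `@@ -296` hunk of tm2unixtime.c); a `static void do_adjust_first_last_day_of(timelib_time *time)` holding the switch, called from both places, would keep the two copies from drifting. The `last` case presumably relies on the `timelib_do_normalize(time)` that follows each switch to roll day 0 of the following month back to the last day of the intended one — say so at the `time->d = 0; time->m++;` lines, since out of context they read like an off-by-one. A `default: break;` would also document that 0 (no "first/last day of" phrase parsed) is an expected value. Both functions start outside their hunks.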
@@ -2989,7 +2989,7 @@ void php_date_do_return_parsed_time(INTERNAL_FUNCTION_PARAMETERS, timelib_time * add_assoc_long(element, "weekdays", parsed_time->relative.special.amount); } if (parsed_time->relative.first_last_day_of) { - add_assoc_bool(element, parsed_time->relative.first_last_day_of == 1 ? "first_day_of_month" : "last_day_of_month", 1); + add_assoc_bool(element, parsed_time->relative.first_last_day_of == TIMELIB_SPECIAL_FIRST_DAY_OF_MONTH ? "first_day_of_month" : "last_day_of_month", 1); } add_assoc_zval(return_value, "relative", element); } diff --git a/ext/date/tests/bug69336.phpt b/ext/date/tests/bug69336.phpt new file mode 100644 index 00000000000..8444aa30a35 --- /dev/null +++ b/ext/date/tests/bug69336.phpt @@ -0,0 +1,20 @@ +--TEST-- +Bug #69336 (Issues with "last day of ") +--INI-- +date.timezone=UTC +--FILE-- + +--EXPECTF-- +string(10) "30.04.%d" +string(10) "31.03.2015" +string(10) "25.03.2015" +string(10) "29.04.2015" +string(10) "26.03.2014" +string(10) "30.04.2014" From 0a8f28b43212cc2ddbc1f2df710e37b1bec0addd Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Thu, 8 Jan 2015 16:32:20 +0800 Subject: [PATCH 03/22] Fixed bug #68677 (Use After Free in OPcache) (cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115) --- ext/opcache/zend_shared_alloc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/opcache/zend_shared_alloc.c b/ext/opcache/zend_shared_alloc.c index bbe26e81720..8880b8817ff 100644 --- a/ext/opcache/zend_shared_alloc.c +++ b/ext/opcache/zend_shared_alloc.c @@ -346,10 +346,10 @@ void *_zend_shared_memdup(void *source, size_t size, zend_bool free_source TSRML retval = ZCG(mem);; ZCG(mem) = (void*)(((char*)ZCG(mem)) + ZEND_ALIGNED_SIZE(size)); memcpy(retval, source, size); + zend_shared_alloc_register_xlat_entry(source, retval); if (free_source) { interned_efree((char*)source); } - zend_shared_alloc_register_xlat_entry(source, retval); return retval; } 
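Review bot: The xlat entry in `_zend_shared_memdup` is now registered while `source` is still live, but it is keyed by the address of `source`, which `interned_efree()` releases on the very next lines when `free_source` is set; if the translation table can be consulted after that address is recycled by a later allocation, a lookup for the new object would hit this stale mapping. The visible lines do not show the table's lifetime, so confirm it is reset before any such reuse and record that at the registration: `/* keyed by the (soon freed) source address: the xlat table must be cleared before that memory can be reused */`. `_zend_shared_memdup` begins outside the hunk, and the double `;;` on its first context line is pre-existing.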
From 059e774db013a8fc31cf2dce0e4d051580bf9d30 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Wed, 1 Apr 2015 00:41:46 +0300 Subject: [PATCH 04/22] Fixed bug #68740 (NULL Pointer Dereference) (cherry picked from commit 124fb22a13fafa3648e4e15b4f207c7096d8155e) --- ext/ereg/regex/regcomp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ext/ereg/regex/regcomp.c b/ext/ereg/regex/regcomp.c index f4bfc1c1679..c2223d7dbe0 100644 --- a/ext/ereg/regex/regcomp.c +++ b/ext/ereg/regex/regcomp.c @@ -1284,6 +1284,10 @@ int c; register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT; register unsigned uc = (unsigned char)c; + if (!g->setbits) { + return(0); + } + for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize) if (col[uc] != 0) return(1); From 1add8401a38de04f35b40d843e46186e9d318ea5 Mon Sep 17 00:00:00 2001 From: Xinchen Hui Date: Wed, 1 Apr 2015 00:57:39 +0300 Subject: [PATCH 05/22] Fixed bug #68739 (Missing break / control flow in curl) (cherry picked from commit 124fb22a13fafa3648e4e15b4f207c7096d8155e) --- ext/curl/interface.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 195912c54e4..3c7fd829c92 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -2851,6 +2851,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue TSRMLS_DC) curl_easy_setopt(ch->cp, CURLOPT_SHARE, sh->share); } } + break; #if LIBCURL_VERSION_NUM >= 0x071500 /* Available since 7.21.0 */ case CURLOPT_FNMATCH_FUNCTION: From a32c8ba719493fd2b4700c4f7db1ef130ceb7661 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Wed, 1 Apr 2015 01:45:34 +0300 Subject: [PATCH 06/22] Fixed bug #68739 (Missing break / control flow). Fixed bug #68740 (NULL Pointer Dereference). Fixed bug #68677 (Use After Free). --- NEWS | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/NEWS b/NEWS index 36f60ff03f8..d87aea455b0 100644 --- a/NEWS +++ b/NEWS 
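Review bot: The new NULL guard protects the `g->setbits` walk in this function (its K&R header is outside the hunk; it looks like `isinsets()`), but if this is the BSD regcomp.c the sibling `samesets()` walks `g->setbits` with the same loop and is not touched by the patch, so it would need the same check for the fix to be complete. Treating a NULL `g->setbits` as "not in any set" is a sensible recovery, but a one-line comment saying why the pointer can be NULL here would stop the next reader from removing the guard as dead code: `/* setbits can be NULL when an earlier set allocation failed; treat as "no sets" */`. The cause that leaves `g->ncsets` non-zero while `g->setbits` is NULL is not addressed here and is worth a follow-up.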
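Review bot: The added `break;` ends the `CURLOPT_SHARE` case that previously fell into `CURLOPT_FNMATCH_FUNCTION` on libcurl ≥ 7.21.0, and placing it before the `#if LIBCURL_VERSION_NUM` line is right because the case must terminate regardless of the libcurl version. Since this `switch` in `_php_curl_setopt` is large and the case body starts outside the hunk, consider marking the remaining intentional fall-throughs with `/* fallthrough */` and building with `-Wimplicit-fallthrough` so a missing `break` fails at compile time instead of surfacing as a bug report.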
@@ -2,8 +2,14 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2015, PHP 5.5.25 +- cURL: + . Fixed bug #68739 (Missing break / control flow). (Laruence) +- Ereg: + . Fixed bug #68740 (NULL Pointer Dereference). (Laruence) +- OPCache: + . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) ?? ??? 2015, PHP 5.5.24 From 59c2a55ec7cbc70cc0227a127d3859fdc95566e7 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Wed, 1 Apr 2015 18:07:37 +0300 Subject: [PATCH 07/22] Fix typo: unitialized -> uninitialized --- NEWS | 2 +- ext/exif/tests/bug68799.phpt | 2 +- ext/pcre/pcrelib/pcre_exec.c | 2 +- ext/xmlwriter/php_xmlwriter.c | 2 +- ext/zip/php_zip.c | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/NEWS b/NEWS index d87aea455b0..6fcc697f9cb 100644 --- a/NEWS +++ b/NEWS @@ -256,7 +256,7 @@ PHP NEWS CURLOPT_RETURNTRANSFER isn't set). (Jille Timmermans) - EXIF: - . Fixed bug #68799 (Free called on unitialized pointer). (CVE-2015-0232) + . Fixed bug #68799 (Free called on uninitialized pointer). (CVE-2015-0232) (Stas) - Fileinfo: diff --git a/ext/exif/tests/bug68799.phpt b/ext/exif/tests/bug68799.phpt index b09f21ca7be..f50a41b4020 100644 --- a/ext/exif/tests/bug68799.phpt +++ b/ext/exif/tests/bug68799.phpt @@ -1,5 +1,5 @@ --TEST-- -Bug #68799 (Free called on unitialized pointer) +Bug #68799 (Free called on uninitialized pointer) --SKIPIF-- --FILE-- diff --git a/ext/pcre/pcrelib/pcre_exec.c b/ext/pcre/pcrelib/pcre_exec.c index a3f0c1923f2..e4da5227a28 100644 --- a/ext/pcre/pcrelib/pcre_exec.c +++ b/ext/pcre/pcrelib/pcre_exec.c @@ -688,7 +688,7 @@ the alternative names that are used. */ #define foc number #define save_mark data -/* These statements are here to stop the compiler complaining about unitialized +/* These statements are here to stop the compiler complaining about uninitialized variables. */ #ifdef SUPPORT_UCP 
diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c index 206d82ab477..6b5c3557a49 100644 --- a/ext/xmlwriter/php_xmlwriter.c +++ b/ext/xmlwriter/php_xmlwriter.c @@ -113,7 +113,7 @@ static void xmlwriter_free_resource_ptr(xmlwriter_object *intern TSRMLS_DC) ze_xmlwriter_object *obj = (ze_xmlwriter_object*) zend_object_store_get_object(object TSRMLS_CC); \ intern = obj->xmlwriter_ptr; \ if (!intern) { \ - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid or unitialized XMLWriter object"); \ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid or uninitialized XMLWriter object"); \ RETURN_FALSE; \ } \ } diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c index 333050f9362..c268059b542 100644 --- a/ext/zip/php_zip.c +++ b/ext/zip/php_zip.c @@ -417,7 +417,7 @@ static int php_zip_parse_options(zval *options, long *remove_all_path, ze_zip_object *obj = (ze_zip_object*) zend_object_store_get_object(object TSRMLS_CC); \ intern = obj->za; \ if (!intern) { \ - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid or unitialized Zip object"); \ + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid or uninitialized Zip object"); \ RETURN_FALSE; \ } \ } From 87cc7caa1021368d5ba7b17648679dbfe215c17c Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Wed, 1 Apr 2015 18:19:09 +0300 Subject: [PATCH 08/22] Fix typo: unitialized -> uninitialized --- Zend/tests/bug43201.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Zend/tests/bug43201.phpt b/Zend/tests/bug43201.phpt index 89e1b667276..53bb5ba98d8 100644 --- a/Zend/tests/bug43201.phpt +++ b/Zend/tests/bug43201.phpt 
@@ -1,5 +1,5 @@ --TEST-- -Bug #43201 (Crash on using unitialized vals and __get/__set) +Bug #43201 (Crash on using uninitialized vals and __get/__set) --FILE-- Date: Wed, 1 Apr 2015 23:58:22 +0800 Subject: [PATCH 09/22] Fixed bug #69281 (opcache_is_script_cached no longer works) --- NEWS | 1 + ext/opcache/tests/bug69281.phpt | 17 +++++++++++++++++ ext/opcache/tests/is_script_cached.phpt | 1 + ext/opcache/zend_accelerator_module.c | 6 ++++-- 4 files changed, 23 insertions(+), 2 deletions(-) create mode 100644 ext/opcache/tests/bug69281.phpt diff --git a/NEWS b/NEWS index 6fcc697f9cb..fc4544c74d2 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,7 @@ PHP NEWS . Fixed bug #68740 (NULL Pointer Dereference). (Laruence) - OPCache: + . Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) ?? ??? 2015, PHP 5.5.24 diff --git a/ext/opcache/tests/bug69281.phpt b/ext/opcache/tests/bug69281.phpt new file mode 100644 index 00000000000..4d68d5007b1 --- /dev/null +++ b/ext/opcache/tests/bug69281.phpt @@ -0,0 +1,17 @@ +--TEST-- +Test that script cached info is correct with validate_timestamps disabled +--INI-- +opcache.enable=1 +opcache.enable_cli=1 +opcache.file_update_protection=0 +opcache.validate_timestamps=0 +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(true) +bool(false) diff --git a/ext/opcache/tests/is_script_cached.phpt b/ext/opcache/tests/is_script_cached.phpt index 0560e98d887..bac561103f5 100644 --- a/ext/opcache/tests/is_script_cached.phpt +++ b/ext/opcache/tests/is_script_cached.phpt @@ -4,6 +4,7 @@ Test that script cached info is correct opcache.enable=1 opcache.enable_cli=1 opcache.file_update_protection=0 +opcache.validate_timestamps=1 --SKIPIF-- --FILE-- diff --git a/ext/opcache/zend_accelerator_module.c b/ext/opcache/zend_accelerator_module.c index e29ff00304b..3a6da3c8b66 100644 --- a/ext/opcache/zend_accelerator_module.c +++ b/ext/opcache/zend_accelerator_module.c 
@@ -320,14 +320,16 @@ static int filename_is_in_cache(char *filename, int filename_len TSRMLS_DC) persistent_script = zend_accel_hash_find(&ZCSG(hash), filename, filename_len + 1); if (persistent_script) { return !persistent_script->corrupted && - validate_timestamp_and_record(persistent_script, &handle TSRMLS_CC) == SUCCESS; + (!ZCG(accel_directives).validate_timestamps || + validate_timestamp_and_record(persistent_script, &handle TSRMLS_CC) == SUCCESS); } } if ((key = accel_make_persistent_key_ex(&handle, filename_len, &key_length TSRMLS_CC)) != NULL) { persistent_script = zend_accel_hash_find(&ZCSG(hash), key, key_length + 1); return persistent_script && !persistent_script->corrupted && - validate_timestamp_and_record(persistent_script, &handle TSRMLS_CC) == SUCCESS; + (!ZCG(accel_directives).validate_timestamps || + validate_timestamp_and_record(persistent_script, &handle TSRMLS_CC) == SUCCESS); } return 0; From 0a41af216ecabf76b54a78783b7cac01ca353ef9 Mon Sep 17 00:00:00 2001 From: Ferenc Kovacs Date: Wed, 1 Apr 2015 22:03:19 +0200 Subject: [PATCH 10/22] test fixes --- ext/mysqli/tests/mysqli_fetch_field_flags.phpt | 2 -- ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt | 6 +++--- 2 files changed, 3 insertions(+), 5 deletions(-) diff --git a/ext/mysqli/tests/mysqli_fetch_field_flags.phpt b/ext/mysqli/tests/mysqli_fetch_field_flags.phpt index 8259d2f505b..06b936aeed2 100644 --- a/ext/mysqli/tests/mysqli_fetch_field_flags.phpt +++ b/ext/mysqli/tests/mysqli_fetch_field_flags.phpt @@ -199,7 +199,6 @@ mysqli_close($link); if (!mysqli_query($link, 'DROP TABLE IF EXISTS test')) { printf("[008] %s [%d] %s\n", $column_def, mysqli_errno($link), mysqli_error($link)); - continue; } $column_def = array('col1 CHAR(1)', 'col2 CHAR(2)','INDEX idx_col1_col2(col1, col2)'); 
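Review bot: Both changed `return` statements in `filename_is_in_cache` now carry the same three-line condition (`!persistent_script->corrupted && (!ZCG(accel_directives).validate_timestamps || validate_timestamp_and_record(...) == SUCCESS)`); hoisting it into a small static helper taking `persistent_script` and `&handle` would keep the two in sync the next time the rule changes. Note also that with `validate_timestamps` off, `validate_timestamp_and_record()` is skipped entirely, so whatever the `_and_record` part records no longer happens on this path — presumably harmless for a pure query, but worth confirming against that function's other callers, which are outside the hunk.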
@@ -220,7 +219,6 @@ mysqli_close($link); while ($field = mysqli_fetch_field($res)) { if (!isset($expected_flags[$field->name])) { printf("[010] Found unexpected field '%s'\n", $field->name); - continue; } list($missing_flags, $unexpected_flags, $flags_found) = checkFlags($field->flags, $expected_flags[$field->name], $flags); if ($unexpected_flags) diff --git a/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt b/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt index 5990ab812e3..12699c5bf34 100644 --- a/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt +++ b/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt @@ -85,10 +85,10 @@ MySQLPDOTest::skip(); } catch (PDOException $e) { - printf("[001] %s, [%s] %s\n", + printf("[001] %s, [%s] %s [%s] %s\n", $e->getMessage(), - (is_object($db)) ? $db->errorCode() : 'n/a', - (is_object($db)) ? implode(' ', $db->errorInfo()) : 'n/a'); + (is_object($db1)) ? $db1->errorCode() : 'n/a', + (is_object($db2)) ? implode(' ', $db2->errorInfo()) : 'n/a'); } print "done!"; From 7c1a1189beef34dfebc1ecefc99b2c1db3793105 Mon Sep 17 00:00:00 2001 From: Ferenc Kovacs Date: Wed, 1 Apr 2015 23:06:04 +0200 Subject: [PATCH 11/22] oop, put both the error number and message for both db object to the error message --- ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt b/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt index 12699c5bf34..7972df313df 100644 --- a/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt +++ b/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt @@ -88,6 +88,8 @@ MySQLPDOTest::skip(); printf("[001] %s, [%s] %s [%s] %s\n", $e->getMessage(), (is_object($db1)) ? $db1->errorCode() : 'n/a', + (is_object($db1)) ? implode(' ', $db1->errorInfo()) : 'n/a'); + (is_object($db2)) ? $db2->errorCode() : 'n/a', (is_object($db2)) ? implode(' ', $db2->errorInfo()) : 'n/a'); } From 9991b8ecee3d8864abe6c05cec12278db1573767 Mon Sep 17 00:00:00 2001 
From: Ferenc Kovacs Date: Thu, 2 Apr 2015 00:07:00 +0200 Subject: [PATCH 12/22] sigh, can't even copypaste without screwing up --- ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt b/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt index 7972df313df..d59c9303284 100644 --- a/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt +++ b/ext/pdo_mysql/tests/pdo_mysql_pconnect.phpt @@ -88,7 +88,7 @@ MySQLPDOTest::skip(); printf("[001] %s, [%s] %s [%s] %s\n", $e->getMessage(), (is_object($db1)) ? $db1->errorCode() : 'n/a', - (is_object($db1)) ? implode(' ', $db1->errorInfo()) : 'n/a'); + (is_object($db1)) ? implode(' ', $db1->errorInfo()) : 'n/a', (is_object($db2)) ? $db2->errorCode() : 'n/a', (is_object($db2)) ? implode(' ', $db2->errorInfo()) : 'n/a'); } From f29c98c1289b00e0dbb58631df6a5e006f5311d1 Mon Sep 17 00:00:00 2001 From: Dmitry Stogov Date: Thu, 2 Apr 2015 12:29:15 +0300 Subject: [PATCH 13/22] Prevent GC from changing zval or object 'color' before they are actually inserted into possible roots buffer. --- Zend/zend_gc.c | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/Zend/zend_gc.c b/Zend/zend_gc.c index 55ca456fd0b..83458db631b 100644 --- a/Zend/zend_gc.c +++ b/Zend/zend_gc.c @@ -147,8 +147,6 @@ ZEND_API void gc_zval_possible_root(zval *zv TSRMLS_DC) GC_BENCH_INC(zval_possible_root); if (GC_ZVAL_GET_COLOR(zv) != GC_PURPLE) { - GC_ZVAL_SET_PURPLE(zv); - if (!GC_ZVAL_ADDRESS(zv)) { gc_root_buffer *newRoot = GC_G(unused); @@ -159,7 +157,6 @@ ZEND_API void gc_zval_possible_root(zval *zv TSRMLS_DC) GC_G(first_unused)++; } else { if (!GC_G(gc_enabled)) { - GC_ZVAL_SET_BLACK(zv); return; } zv->refcount__gc++; 
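Review bot: With `GC_ZVAL_SET_PURPLE(zv)` moved after the root-buffer slot is secured, the `return` in the `!GC_G(gc_enabled)` branch of `gc_zval_possible_root` (the `@@ -159` hunk) and the `!newRoot` branch (the `@@ -169` hunk) now leave the zval's colour exactly as it was — the `GC_ZVAL_SET_BLACK(zv)` that used to run there is gone and nothing replaces it. That is what the commit message intends, but the code does not say so; a comment at each early return, `/* not buffered: colour deliberately left unchanged so a later possible_root call can retry */`, would keep a future reader from "restoring" the black marking. The same applies to the three `gc_zobj_possible_root` hunks (`@@ -203`, `@@ -214`, `@@ -225`). Both functions start outside the hunks.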
@@ -169,10 +166,10 @@ ZEND_API void gc_zval_possible_root(zval *zv TSRMLS_DC) if (!newRoot) { return; } - GC_ZVAL_SET_PURPLE(zv); GC_G(unused) = newRoot->prev; } + GC_ZVAL_SET_PURPLE(zv); newRoot->next = GC_G(roots).next; newRoot->prev = &GC_G(roots); GC_G(roots).next->prev = newRoot; @@ -203,7 +200,6 @@ ZEND_API void gc_zobj_possible_root(zval *zv TSRMLS_DC) obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zv)].bucket.obj; if (GC_GET_COLOR(obj->buffered) != GC_PURPLE) { - GC_SET_PURPLE(obj->buffered); if (!GC_ADDRESS(obj->buffered)) { gc_root_buffer *newRoot = GC_G(unused); @@ -214,7 +210,6 @@ ZEND_API void gc_zobj_possible_root(zval *zv TSRMLS_DC) GC_G(first_unused)++; } else { if (!GC_G(gc_enabled)) { - GC_ZVAL_SET_BLACK(zv); return; } zv->refcount__gc++; @@ -225,10 +220,10 @@ ZEND_API void gc_zobj_possible_root(zval *zv TSRMLS_DC) return; } obj = &EG(objects_store).object_buckets[Z_OBJ_HANDLE_P(zv)].bucket.obj; - GC_SET_PURPLE(obj->buffered); GC_G(unused) = newRoot->prev; } + GC_SET_PURPLE(obj->buffered); newRoot->next = GC_G(roots).next; newRoot->prev = &GC_G(roots); GC_G(roots).next->prev = newRoot; From a5bb37117ccd4f6abcacfd8e9ddb43a9a00dbe08 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 2 Apr 2015 14:22:56 +0200 Subject: [PATCH 14/22] test fixes --- ext/odbc/tests/bug60616.phpt | 5 +++++ ext/odbc/tests/bug68087.phpt | 5 +++++ ext/odbc/tests/odbc_exec_001.phpt | 5 +++++ ext/odbc/tests/odbc_free_result_001.phpt | 2 +- 4 files changed, 16 insertions(+), 1 deletion(-) diff --git a/ext/odbc/tests/bug60616.phpt b/ext/odbc/tests/bug60616.phpt index 937049a9b8b..b816f9cd847 100644 --- a/ext/odbc/tests/bug60616.phpt +++ b/ext/odbc/tests/bug60616.phpt 
@@ -2,6 +2,11 @@ odbc_exec(): Getting accurate unicode data from query --SKIPIF-- + --FILE-- + --FILE-- + --FILE-- Date: Thu, 2 Apr 2015 14:23:23 +0200 Subject: [PATCH 15/22] more compliance with the ODBC 3.0 --- ext/odbc/php_odbc.c | 12 ++++++------ ext/odbc/php_odbc_includes.h | 2 ++ 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/ext/odbc/php_odbc.c b/ext/odbc/php_odbc.c index d75d3012606..354b9b85519 100644 --- a/ext/odbc/php_odbc.c +++ b/ext/odbc/php_odbc.c @@ -960,9 +960,9 @@ int odbc_bindcols(odbc_result *result TSRMLS_DC) charextraalloc = 0; colfieldid = SQL_COLUMN_DISPLAY_SIZE; - rc = SQLColAttributes(result->stmt, (SQLUSMALLINT)(i+1), SQL_COLUMN_NAME, + rc = PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)(i+1), SQL_COLUMN_NAME, result->values[i].name, sizeof(result->values[i].name), &colnamelen, 0); - rc = SQLColAttributes(result->stmt, (SQLUSMALLINT)(i+1), SQL_COLUMN_TYPE, + rc = PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)(i+1), SQL_COLUMN_TYPE, NULL, 0, NULL, &result->values[i].coltype); /* Don't bind LONG / BINARY columns, so that fetch behaviour can @@ -997,7 +997,7 @@ int odbc_bindcols(odbc_result *result TSRMLS_DC) charextraalloc = 1; #endif default: - rc = SQLColAttributes(result->stmt, (SQLUSMALLINT)(i+1), colfieldid, + rc = PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)(i+1), colfieldid, NULL, 0, NULL, &displaysize); /* Workaround for Oracle ODBC Driver bug (#50162) when fetching TIMESTAMP column */ if (result->values[i].coltype == SQL_TIMESTAMP) { @@ -1091,7 +1091,7 @@ void odbc_column_lengths(INTERNAL_FUNCTION_PARAMETERS, int type) RETURN_FALSE; } - SQLColAttributes(result->stmt, (SQLUSMALLINT)pv_num, (SQLUSMALLINT) (type?SQL_COLUMN_SCALE:SQL_COLUMN_PRECISION), NULL, 0, NULL, &len); + PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)pv_num, (SQLUSMALLINT) (type?SQL_COLUMN_SCALE:SQL_COLUMN_PRECISION), NULL, 0, NULL, &len); RETURN_LONG(len); } 
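Review bot: `PHP_ODBC_SQLCOLATTRIBUTE` expands to `SQLColAttribute` on ODBC ≥ 3.0, whose numeric-attribute parameter is `SQLLEN *` in 64-bit-clean ODBC headers, whereas the `SQLColAttributes` it replaces takes `SQLINTEGER *`; the call sites in `odbc_bindcols` and `odbc_column_lengths` still pass `&result->values[i].coltype`, `&displaysize` and `&len`, whose declarations are outside these hunks. If any of them is still `SQLINTEGER`/`int`, the driver writes 8 bytes into a 4-byte object on LP64 — a stack or struct overwrite, not just a warning — so confirm those variables and the `coltype` member were widened to `SQLLEN` as part of this change. In `odbc_bindcols` the two consecutive `rc = PHP_ODBC_SQLCOLATTRIBUTE(...)` lines also discard the first return code; at minimum check `rc` after the `SQL_COLUMN_NAME` lookup (`if (rc == SQL_ERROR) { odbc_sql_error(...); ... }` per the file's convention) so a failed call does not leave `result->values[i].name` unset. The same substitution appears in the `@@ -2135` and `@@ -2871` hunks of php_odbc.c and the macro is defined in the php_odbc_includes.h hunk.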
@@ -2135,7 +2135,7 @@ PHP_FUNCTION(odbc_result) fieldsize = result->longreadlen; } } else { - SQLColAttributes(result->stmt, (SQLUSMALLINT)(field_ind + 1), + PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)(field_ind + 1), (SQLUSMALLINT)((sql_c_type == SQL_C_BINARY) ? SQL_COLUMN_LENGTH : SQL_COLUMN_DISPLAY_SIZE), NULL, 0, NULL, &fieldsize); @@ -2871,7 +2871,7 @@ PHP_FUNCTION(odbc_field_type) RETURN_FALSE; } - SQLColAttributes(result->stmt, (SQLUSMALLINT)pv_num, SQL_COLUMN_TYPE_NAME, tmp, 31, &tmplen, NULL); + PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)pv_num, SQL_COLUMN_TYPE_NAME, tmp, 31, &tmplen, NULL); RETURN_STRING(tmp,1) } /* }}} */ diff --git a/ext/odbc/php_odbc_includes.h b/ext/odbc/php_odbc_includes.h index 15bb737a8be..181688ae7f2 100644 --- a/ext/odbc/php_odbc_includes.h +++ b/ext/odbc/php_odbc_includes.h @@ -281,8 +281,10 @@ void odbc_sql_error(ODBC_SQL_ERROR_PARAMS); #if defined(ODBCVER) && (ODBCVER >= 0x0300) #define IS_SQL_LONG(x) (x == SQL_LONGVARBINARY || x == SQL_LONGVARCHAR || x == SQL_WLONGVARCHAR) +#define PHP_ODBC_SQLCOLATTRIBUTE SQLColAttribute #else #define IS_SQL_LONG(x) (x == SQL_LONGVARBINARY || x == SQL_LONGVARCHAR) +#define PHP_ODBC_SQLCOLATTRIBUTE SQLColAttributes #endif #define IS_SQL_BINARY(x) (x == SQL_BINARY || x == SQL_VARBINARY || x == SQL_LONGVARBINARY) From d27d9158c91a8db82e4d3d69dd8f4ed2701101eb Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 2 Apr 2015 15:30:31 +0200 Subject: [PATCH 16/22] further ODBC 3.0 compliance --- ext/odbc/php_odbc.c | 2 +- ext/odbc/php_odbc_includes.h | 6 ++++++ 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/ext/odbc/php_odbc.c b/ext/odbc/php_odbc.c index 354b9b85519..0606eba2a4d 100644 --- a/ext/odbc/php_odbc.c +++ b/ext/odbc/php_odbc.c 
@@ -960,7 +960,7 @@ int odbc_bindcols(odbc_result *result TSRMLS_DC) charextraalloc = 0; colfieldid = SQL_COLUMN_DISPLAY_SIZE; - rc = PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)(i+1), SQL_COLUMN_NAME, + rc = PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)(i+1), PHP_ODBC_DESC_BASE_COLUMN_NAME, result->values[i].name, sizeof(result->values[i].name), &colnamelen, 0); rc = PHP_ODBC_SQLCOLATTRIBUTE(result->stmt, (SQLUSMALLINT)(i+1), SQL_COLUMN_TYPE, NULL, 0, NULL, &result->values[i].coltype); diff --git a/ext/odbc/php_odbc_includes.h b/ext/odbc/php_odbc_includes.h index 181688ae7f2..5f0c205977d 100644 --- a/ext/odbc/php_odbc_includes.h +++ b/ext/odbc/php_odbc_includes.h @@ -281,10 +281,16 @@ void odbc_sql_error(ODBC_SQL_ERROR_PARAMS); #if defined(ODBCVER) && (ODBCVER >= 0x0300) #define IS_SQL_LONG(x) (x == SQL_LONGVARBINARY || x == SQL_LONGVARCHAR || x == SQL_WLONGVARCHAR) + #define PHP_ODBC_SQLCOLATTRIBUTE SQLColAttribute + +#define PHP_ODBC_DESC_BASE_COLUMN_NAME SQL_DESC_BASE_COLUMN_NAME #else #define IS_SQL_LONG(x) (x == SQL_LONGVARBINARY || x == SQL_LONGVARCHAR) + #define PHP_ODBC_SQLCOLATTRIBUTE SQLColAttributes + +#define PHP_ODBC_DESC_BASE_COLUMN_NAME SQL_COLUMN_NAME #endif #define IS_SQL_BINARY(x) (x == SQL_BINARY || x == SQL_VARBINARY || x == SQL_LONGVARBINARY) From 0ae0d0bc5380744b398296e3330ead9d5b0a4fa6 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 2 Apr 2015 15:37:08 +0200 Subject: [PATCH 17/22] revert skipif, this should run everywhere --- ext/odbc/tests/bug68087.phpt | 5 ----- 1 file changed, 5 deletions(-) diff --git a/ext/odbc/tests/bug68087.phpt b/ext/odbc/tests/bug68087.phpt index b7bdfa8bfa1..3bc18125a68 100644 --- a/ext/odbc/tests/bug68087.phpt +++ b/ext/odbc/tests/bug68087.phpt 
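Review bot: `PHP_ODBC_DESC_BASE_COLUMN_NAME` maps to `SQL_DESC_BASE_COLUMN_NAME` on ODBC 3.x, which per the ODBC specification is the name of the underlying table column and is an empty string for columns that are expressions; it is not equivalent to the `SQL_COLUMN_NAME` it replaces in `odbc_bindcols`, whose 3.x counterpart is `SQL_DESC_NAME` (or `SQL_DESC_LABEL`). Unless dropping `AS` aliases and computed-column names from `result->values[i].name` is intended, the header should read `#define PHP_ODBC_DESC_BASE_COLUMN_NAME SQL_DESC_NAME` (and the macro renamed to match). The php_odbc_includes.h hunk also adds stray indentation and blank lines around the two `PHP_ODBC_SQLCOLATTRIBUTE` defines that the surrounding `#define`s do not use.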
@@ -2,11 +2,6 @@ odbc_exec(): Getting accurate date data from query --SKIPIF-- - --FILE-- Date: Thu, 2 Apr 2015 18:50:16 +0200 Subject: [PATCH 18/22] added test for bug #69354 --- ext/odbc/tests/bug69354.phpt | 43 ++++++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 ext/odbc/tests/bug69354.phpt diff --git a/ext/odbc/tests/bug69354.phpt b/ext/odbc/tests/bug69354.phpt new file mode 100644 index 00000000000..0e53aceab30 --- /dev/null +++ b/ext/odbc/tests/bug69354.phpt @@ -0,0 +1,43 @@ +--TEST-- +Bug #69354 Incorrect use of SQLColAttributes with ODBC 3.0 +--SKIPIF-- + +--FILE-- + +==DONE== +--EXPECT-- +100 +a +a +==DONE== +--CLEAN-- + From 8751e0fe719f90863354917dcd493f3a4b18ab02 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Sat, 4 Apr 2015 21:49:09 +0200 Subject: [PATCH 19/22] updated NEWS fixes for bug #69354 was cherrypicked from master --- NEWS | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/NEWS b/NEWS index fc4544c74d2..6de9b295649 100644 --- a/NEWS +++ b/NEWS @@ -8,6 +8,10 @@ PHP NEWS - Ereg: . Fixed bug #68740 (NULL Pointer Dereference). (Laruence) +- ODBC: + . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). + (Anatol) + - OPCache: . Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) From 80e263277600b5e62acfc993a308b8174f70581e Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:01:37 -0700 Subject: [PATCH 20/22] Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault) --- NEWS | 4 ++++ ext/fileinfo/libmagic/softmagic.c | 3 +++ ext/fileinfo/tests/bug68819_001.phpt | 18 ++++++++++++++++++ ext/fileinfo/tests/bug68819_002.phpt | 26 ++++++++++++++++++++++++++ 4 files changed, 51 insertions(+) create mode 100644 ext/fileinfo/tests/bug68819_001.phpt create mode 100644 ext/fileinfo/tests/bug68819_002.phpt diff --git a/NEWS b/NEWS index 365615418dd..9c8e0ec5b67 100644 
--- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2015 PHP 5.4.40 +- Fileinfo: + . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or + segfault). (Anatol Belski)) + - SOAP: . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() with SoapFault). (Dmitry) diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index e7b7855eefe..54c1a03ef77 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -1037,6 +1037,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, if (bytecnt > nbytes) { bytecnt = nbytes; } + if (offset > bytecnt) { + offset = bytecnt; + } if (s == NULL) { ms->search.s_len = 0; ms->search.s = NULL; diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt new file mode 100644 index 00000000000..ce39ee61db6 --- /dev/null +++ b/ext/fileinfo/tests/bug68819_001.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1 +--SKIPIF-- + +--FILE-- +buffer($string); + +var_dump($type); +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt new file mode 100644 index 00000000000..cec238d63ed --- /dev/null +++ b/ext/fileinfo/tests/bug68819_002.phpt @@ -0,0 +1,26 @@ +--TEST-- +Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2 +--SKIPIF-- + +--FILE-- + 8192 +$string .= str_repeat(chr(rand(32, 127)), 8184); + +// Ending in this string +$string .= "say"; + +$finfo = new finfo(); +$type = $finfo->buffer($string); +var_dump($type); + +?> +--EXPECT-- +string(60) "ASCII text, with very long lines, with CRLF line terminators" From af1cd45d171fbb06712f846cec7bf69438db8ec2 Mon Sep 17 00:00:00 2001 
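Review bot: The clamp `if (offset > bytecnt) { offset = bytecnt; }` in `mcopy` only makes sense together with the `ms->search.s`/`s_len` arithmetic that follows it outside the hunk; if that code computes `bytecnt - offset` as an unsigned length, an `offset` past the end previously underflowed into a huge `s_len` and a pointer beyond the buffer, which matches the reported OOM/segfault. State that at the clamp so the next refactor keeps it: `/* offset comes from the magic entry and may exceed the data we have; clamp so the search length below cannot underflow */`. Also confirm `offset` is an unsigned type here — if it is signed, a negative value passes this comparison and still needs rejecting. `mcopy` starts outside the hunk.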
From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:03:46 -0700 Subject: [PATCH 21/22] Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4) --- NEWS | 4 ++++ sapi/apache2handler/sapi_apache2.c | 1 + 2 files changed, 5 insertions(+) diff --git a/NEWS b/NEWS index 9c8e0ec5b67..75aa306948e 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,10 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2015 PHP 5.4.40 +- Apache2 Handler SAPI: + . Fixed bug #69218 (potential remote code execution with apache 2.4 + apache2handler). (Patrick Schaaf) + - Fileinfo: . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)) diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c index e97f11c69bd..cfebc5f5c65 100644 --- a/sapi/apache2handler/sapi_apache2.c +++ b/sapi/apache2handler/sapi_apache2.c @@ -688,6 +688,7 @@ zend_first_try { } zend_end_try(); } apr_brigade_cleanup(brigade); + apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); } else { ctx->r = parent_req; } From cb0d325066486efafde8d9c324e083ac3d10a174 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 4 Apr 2015 15:58:27 -0700 Subject: [PATCH 22/22] Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER) --- NEWS | 4 +++ ext/curl/interface.c | 4 +++ ext/curl/tests/bug69316.phpt | 47 ++++++++++++++++++++++++++++++++++++ 3 files changed, 55 insertions(+) create mode 100644 ext/curl/tests/bug69316.phpt diff --git a/NEWS b/NEWS index 75aa306948e..da926d515f3 100644 --- a/NEWS +++ b/NEWS 
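Review bot: The added `apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);` runs and unregisters the server-context cleanup while `r` is still valid, which is how the use-after-free behind bug #69218 is closed, but nothing in the code explains why it must happen here rather than at pool destruction; a comment such as `/* run (and unregister) the server_context cleanup now, while r is live, so SG(server_context) cannot outlive this request's context */` would protect the line from being "simplified" away. The `apr_status_t` result is discarded, which is usual for cleanups, but the call is a no-op if the cleanup was never registered on this request, so the registration site (outside the hunk) is the other half of this invariant and should carry a cross-reference. The enclosing handler function starts outside the hunk.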
@@ -6,6 +6,10 @@ PHP NEWS . Fixed bug #69218 (potential remote code execution with apache 2.4 apache2handler). (Patrick Schaaf) +- cURL: + . Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/ + _INFILE/_WRITEHEADER). (Laruence) + - Fileinfo: . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault). (Anatol Belski)) diff --git a/ext/curl/interface.c b/ext/curl/interface.c index 0423f71f9a8..7f8f276791b 100644 --- a/ext/curl/interface.c +++ b/ext/curl/interface.c @@ -1051,6 +1051,7 @@ static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx) php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION"); length = -1; } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } @@ -1124,6 +1125,7 @@ static size_t curl_progress(void *clientp, double dltotal, double dlnow, double if (error == FAILURE) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot call the CURLOPT_PROGRESSFUNCTION"); } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } @@ -1200,6 +1202,7 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx) length = CURL_READFUNC_ABORT; #endif } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) == IS_STRING) { length = MIN((int) (size * nmemb), Z_STRLEN_P(retval_ptr)); memcpy(data, Z_STRVAL_P(retval_ptr), length); @@ -1274,6 +1277,7 @@ static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION"); length = -1; } else if (retval_ptr) { + _php_curl_verify_handlers(ch, 1 TSRMLS_CC); if (Z_TYPE_P(retval_ptr) != IS_LONG) { convert_to_long_ex(&retval_ptr); } 
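Review bot: `_php_curl_verify_handlers(ch, 1 TSRMLS_CC)` is inserted after the userland callback in four callbacks (`curl_write`, `curl_progress`, `curl_read`, `curl_write_header`), each time only in the `else if (retval_ptr)` branch; the `FAILURE` branches return without re-verifying, which is fine as long as they do not touch `ch->handlers` afterwards — worth a glance, since those bodies continue outside the hunks. Because every callback that re-enters PHP needs this same post-call check, consider wrapping `call_user_function` + verify in one static helper so a fifth callback cannot forget it; at minimum add `/* the callback may have closed or replaced CURLOPT_FILE/_INFILE/_WRITEHEADER; re-validate before touching ch->handlers */` at the first site. The check runs after the callback returns and before its result is consumed, which is the correct ordering for resources the callback can free.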
diff --git a/ext/curl/tests/bug69316.phpt b/ext/curl/tests/bug69316.phpt new file mode 100644 index 00000000000..0f8106b932f --- /dev/null +++ b/ext/curl/tests/bug69316.phpt @@ -0,0 +1,47 @@ +--TEST-- +Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER +--SKIPIF-- + +--FILE-- + +===DONE=== +--CLEAN-- + +--EXPECTF-- +Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d +array(1) { + ["test"]=> + string(7) "getpost" +} +array(0) { +} +===DONE===