archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-15 21:48:51 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-8.3' into PHP-8.4

Browse source 
* PHP-8.3:
  Fix GH-17047: UAF on iconv filter failure
This commit is contained in:
Niels Dossche 2024-12-06 17:44:01 +01:00
commit c192a341ec
No known key found for this signature in database
GPG key ID: B8A8AD166DF0E2E5
3 changed files with 23 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

3
NEWS
View file

@ -2,6 +2,9 @@ PHP NEWS
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? ????, PHP 8.4.3 ?? ??? ????, PHP 8.4.3
- Iconv:
. Fixed bug GH-17047 (UAF on iconv filter failure). (nielsdos)
- Streams: - Streams:
. Fixed bug GH-17037 (UAF in user filter when adding existing filter name due . Fixed bug GH-17037 (UAF in user filter when adding existing filter name due
to incorrect error handling). (nielsdos) to incorrect error handling). (nielsdos)

11
ext/iconv/iconv.c
View file

@ -2535,7 +2535,8 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(
if (php_iconv_stream_filter_append_bucket(self, stream, filter, if (php_iconv_stream_filter_append_bucket(self, stream, filter,
buckets_out, bucket->buf, bucket->buflen, &consumed, buckets_out, bucket->buf, bucket->buflen, &consumed,
php_stream_is_persistent(stream)) != SUCCESS) { php_stream_is_persistent(stream)) != SUCCESS) {
goto out_failure; php_stream_bucket_delref(bucket);
return PSFS_ERR_FATAL;
} }
php_stream_bucket_delref(bucket); php_stream_bucket_delref(bucket);
@ -2545,7 +2546,7 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(
if (php_iconv_stream_filter_append_bucket(self, stream, filter, if (php_iconv_stream_filter_append_bucket(self, stream, filter,
buckets_out, NULL, 0, &consumed, buckets_out, NULL, 0, &consumed,
php_stream_is_persistent(stream)) != SUCCESS) { php_stream_is_persistent(stream)) != SUCCESS) {
goto out_failure; return PSFS_ERR_FATAL;
} }
} }
@ -2554,12 +2555,6 @@ static php_stream_filter_status_t php_iconv_stream_filter_do_filter(
} }
return PSFS_PASS_ON; return PSFS_PASS_ON;
out_failure:
if (bucket != NULL) {
php_stream_bucket_delref(bucket);
}
return PSFS_ERR_FATAL;
} }
/* }}} */ /* }}} */

17
ext/iconv/tests/gh17047.phpt Normal file
View file

@ -0,0 +1,17 @@
--TEST--
GH-17047 (UAF on iconv filter failure)
--EXTENSIONS--
iconv
--FILE--
<?php
$stream = fopen('php://temp', 'w+');
stream_filter_append($stream, 'convert.iconv.UTF-16BE.UTF-8');
stream_filter_append($stream, 'convert.iconv.UTF-16BE.UTF-16BE');
fputs($stream, 'test');
rewind($stream);
var_dump(stream_get_contents($stream));
fclose($stream);
?>
--EXPECTF--
Warning: stream_get_contents(): iconv stream filter ("UTF-16BE"=>"UTF-16BE"): invalid multibyte sequence in %s on line %d
string(0) ""