archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Merge branch 'PHP-5.5' into PHP-5.6

Browse source 
* PHP-5.5:
  update NEWS
  add NEWS for fixes
  Improve fix for #70172
  Fix bug #70312 - HAVAL gives wrong hashes in specific cases
  fix test
  add test
  Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
  Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
  Fix bug #70172 - Use After Free Vulnerability in unserialize()
  Fix bug #70388 - SOAP serialize_function_call() type confusion
  Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
  Improve fix for #70385
  Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
  Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
  Fix bug #70219 (Use after free vulnerability in session deserializer)
  Fix for bug #69782
  Add CVE IDs asigned (post release) to PHP 5.4.43
  Add CVE IDs asigned to #69085 (PHP 5.4.39)
  5.4.45 next

Conflicts:
	ext/pcre/php_pcre.c
	ext/standard/var_unserializer.c
	ext/standard/var_unserializer.re
	ext/zip/php_zip.c
This commit is contained in:
Stanislav Malyshev 2015-09-01 12:06:41 -07:00
commit c19d59c550
24 changed files with 970 additions and 827 deletions
Download patch file Download diff file Expand all files Collapse all files

212
ext/exif/exif.c
View file

@ -64,7 +64,7 @@
#include "php_ini.h"
#include "ext/standard/php_string.h"
#include "ext/standard/php_image.h"
#include "ext/standard/info.h"
#include "ext/standard/info.h"
/* needed for ssize_t definition */
#include <sys/types.h>
@ -151,7 +151,7 @@ ZEND_BEGIN_MODULE_GLOBALS(exif)
char * encode_jis;
char * decode_jis_be;
char * decode_jis_le;
ZEND_END_MODULE_GLOBALS(exif)
ZEND_END_MODULE_GLOBALS(exif)
ZEND_DECLARE_MODULE_GLOBALS(exif)
@ -160,7 +160,7 @@ ZEND_DECLARE_MODULE_GLOBALS(exif)
#else
#define EXIF_G(v) (exif_globals.v)
#endif
/* {{{ PHP_INI
*/
@ -203,7 +203,7 @@ PHP_INI_BEGIN()
STD_PHP_INI_ENTRY("exif.decode_jis_intel", "JIS", PHP_INI_ALL, OnUpdateDecode, decode_jis_le, zend_exif_globals, exif_globals)
PHP_INI_END()
/* }}} */
/* {{{ PHP_GINIT_FUNCTION
*/
static PHP_GINIT_FUNCTION(exif)
@ -223,9 +223,9 @@ PHP_MINIT_FUNCTION(exif)
{
REGISTER_INI_ENTRIES();
if (zend_hash_exists(&module_registry, "mbstring", sizeof("mbstring"))) {
REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 1, CONST_CS | CONST_PERSISTENT);
} else {
REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("EXIF_USE_MBSTRING", 0, CONST_CS | CONST_PERSISTENT);
}
return SUCCESS;
}
@ -255,7 +255,7 @@ zend_module_entry exif_module_entry = {
exif_module_deps,
"exif",
exif_functions,
PHP_MINIT(exif),
PHP_MINIT(exif),
PHP_MSHUTDOWN(exif),
NULL, NULL,
PHP_MINFO(exif),
@ -268,7 +268,7 @@ zend_module_entry exif_module_entry = {
NULL,
NULL,
STANDARD_MODULE_PROPERTIES_EX
#else
#else
STANDARD_MODULE_PROPERTIES
#endif
};
@ -657,73 +657,73 @@ static tag_info_array tag_table_IFD = {
{ 0x0213, "YCbCrPositioning"},
{ 0x0214, "ReferenceBlackWhite"},
{ 0x02BC, "ExtensibleMetadataPlatform"}, /* XAP: Extensible Authoring Publishing, obsoleted by XMP: Extensible Metadata Platform */
{ 0x0301, "Gamma"},
{ 0x0302, "ICCProfileDescriptor"},
{ 0x0303, "SRGBRenderingIntent"},
{ 0x0320, "ImageTitle"},
{ 0x5001, "ResolutionXUnit"},
{ 0x5002, "ResolutionYUnit"},
{ 0x5003, "ResolutionXLengthUnit"},
{ 0x5004, "ResolutionYLengthUnit"},
{ 0x5005, "PrintFlags"},
{ 0x5006, "PrintFlagsVersion"},
{ 0x5007, "PrintFlagsCrop"},
{ 0x5008, "PrintFlagsBleedWidth"},
{ 0x5009, "PrintFlagsBleedWidthScale"},
{ 0x500A, "HalftoneLPI"},
{ 0x500B, "HalftoneLPIUnit"},
{ 0x500C, "HalftoneDegree"},
{ 0x500D, "HalftoneShape"},
{ 0x500E, "HalftoneMisc"},
{ 0x500F, "HalftoneScreen"},
{ 0x5010, "JPEGQuality"},
{ 0x5011, "GridSize"},
{ 0x5012, "ThumbnailFormat"},
{ 0x5013, "ThumbnailWidth"},
{ 0x5014, "ThumbnailHeight"},
{ 0x5015, "ThumbnailColorDepth"},
{ 0x5016, "ThumbnailPlanes"},
{ 0x5017, "ThumbnailRawBytes"},
{ 0x5018, "ThumbnailSize"},
{ 0x5019, "ThumbnailCompressedSize"},
{ 0x501A, "ColorTransferFunction"},
{ 0x501B, "ThumbnailData"},
{ 0x5020, "ThumbnailImageWidth"},
{ 0x5021, "ThumbnailImageHeight"},
{ 0x5022, "ThumbnailBitsPerSample"},
{ 0x5023, "ThumbnailCompression"},
{ 0x5024, "ThumbnailPhotometricInterp"},
{ 0x5025, "ThumbnailImageDescription"},
{ 0x5026, "ThumbnailEquipMake"},
{ 0x5027, "ThumbnailEquipModel"},
{ 0x5028, "ThumbnailStripOffsets"},
{ 0x5029, "ThumbnailOrientation"},
{ 0x502A, "ThumbnailSamplesPerPixel"},
{ 0x502B, "ThumbnailRowsPerStrip"},
{ 0x502C, "ThumbnailStripBytesCount"},
{ 0x502D, "ThumbnailResolutionX"},
{ 0x502E, "ThumbnailResolutionY"},
{ 0x502F, "ThumbnailPlanarConfig"},
{ 0x5030, "ThumbnailResolutionUnit"},
{ 0x5031, "ThumbnailTransferFunction"},
{ 0x5032, "ThumbnailSoftwareUsed"},
{ 0x5033, "ThumbnailDateTime"},
{ 0x5034, "ThumbnailArtist"},
{ 0x5035, "ThumbnailWhitePoint"},
{ 0x5036, "ThumbnailPrimaryChromaticities"},
{ 0x5037, "ThumbnailYCbCrCoefficients"},
{ 0x5038, "ThumbnailYCbCrSubsampling"},
{ 0x5039, "ThumbnailYCbCrPositioning"},
{ 0x503A, "ThumbnailRefBlackWhite"},
{ 0x503B, "ThumbnailCopyRight"},
{ 0x5090, "LuminanceTable"},
{ 0x5091, "ChrominanceTable"},
{ 0x5100, "FrameDelay"},
{ 0x5101, "LoopCount"},
{ 0x5110, "PixelUnit"},
{ 0x5111, "PixelPerUnitX"},
{ 0x5112, "PixelPerUnitY"},
{ 0x5113, "PaletteHistogram"},
{ 0x0301, "Gamma"},
{ 0x0302, "ICCProfileDescriptor"},
{ 0x0303, "SRGBRenderingIntent"},
{ 0x0320, "ImageTitle"},
{ 0x5001, "ResolutionXUnit"},
{ 0x5002, "ResolutionYUnit"},
{ 0x5003, "ResolutionXLengthUnit"},
{ 0x5004, "ResolutionYLengthUnit"},
{ 0x5005, "PrintFlags"},
{ 0x5006, "PrintFlagsVersion"},
{ 0x5007, "PrintFlagsCrop"},
{ 0x5008, "PrintFlagsBleedWidth"},
{ 0x5009, "PrintFlagsBleedWidthScale"},
{ 0x500A, "HalftoneLPI"},
{ 0x500B, "HalftoneLPIUnit"},
{ 0x500C, "HalftoneDegree"},
{ 0x500D, "HalftoneShape"},
{ 0x500E, "HalftoneMisc"},
{ 0x500F, "HalftoneScreen"},
{ 0x5010, "JPEGQuality"},
{ 0x5011, "GridSize"},
{ 0x5012, "ThumbnailFormat"},
{ 0x5013, "ThumbnailWidth"},
{ 0x5014, "ThumbnailHeight"},
{ 0x5015, "ThumbnailColorDepth"},
{ 0x5016, "ThumbnailPlanes"},
{ 0x5017, "ThumbnailRawBytes"},
{ 0x5018, "ThumbnailSize"},
{ 0x5019, "ThumbnailCompressedSize"},
{ 0x501A, "ColorTransferFunction"},
{ 0x501B, "ThumbnailData"},
{ 0x5020, "ThumbnailImageWidth"},
{ 0x5021, "ThumbnailImageHeight"},
{ 0x5022, "ThumbnailBitsPerSample"},
{ 0x5023, "ThumbnailCompression"},
{ 0x5024, "ThumbnailPhotometricInterp"},
{ 0x5025, "ThumbnailImageDescription"},
{ 0x5026, "ThumbnailEquipMake"},
{ 0x5027, "ThumbnailEquipModel"},
{ 0x5028, "ThumbnailStripOffsets"},
{ 0x5029, "ThumbnailOrientation"},
{ 0x502A, "ThumbnailSamplesPerPixel"},
{ 0x502B, "ThumbnailRowsPerStrip"},
{ 0x502C, "ThumbnailStripBytesCount"},
{ 0x502D, "ThumbnailResolutionX"},
{ 0x502E, "ThumbnailResolutionY"},
{ 0x502F, "ThumbnailPlanarConfig"},
{ 0x5030, "ThumbnailResolutionUnit"},
{ 0x5031, "ThumbnailTransferFunction"},
{ 0x5032, "ThumbnailSoftwareUsed"},
{ 0x5033, "ThumbnailDateTime"},
{ 0x5034, "ThumbnailArtist"},
{ 0x5035, "ThumbnailWhitePoint"},
{ 0x5036, "ThumbnailPrimaryChromaticities"},
{ 0x5037, "ThumbnailYCbCrCoefficients"},
{ 0x5038, "ThumbnailYCbCrSubsampling"},
{ 0x5039, "ThumbnailYCbCrPositioning"},
{ 0x503A, "ThumbnailRefBlackWhite"},
{ 0x503B, "ThumbnailCopyRight"},
{ 0x5090, "LuminanceTable"},
{ 0x5091, "ChrominanceTable"},
{ 0x5100, "FrameDelay"},
{ 0x5101, "LoopCount"},
{ 0x5110, "PixelUnit"},
{ 0x5111, "PixelPerUnitX"},
{ 0x5112, "PixelPerUnitY"},
{ 0x5113, "PaletteHistogram"},
{ 0x1000, "RelatedImageFileFormat"},
{ 0x800D, "ImageID"},
{ 0x80E3, "Matteing"}, /* obsoleted by ExtraSamples */
@ -929,7 +929,7 @@ static tag_info_array tag_table_VND_NIKON = {
{ 0x000b, "Converter"},
TAG_TABLE_END
};
static tag_info_array tag_table_VND_NIKON_990 = {
{ 0x0001, "Version"},
{ 0x0002, "ISOSetting"},
@ -948,7 +948,7 @@ static tag_info_array tag_table_VND_NIKON_990 = {
{ 0x0010, "DataDump"},
TAG_TABLE_END
};
static tag_info_array tag_table_VND_OLYMPUS = {
{ 0x0200, "SpecialMode"},
{ 0x0201, "JPEGQuality"},
@ -1214,7 +1214,7 @@ char * exif_dump_data(int *dump_free, int format, int components, int length, in
if (components > 0) {
dump = erealloc(dump, len + 2 + 1);
snprintf(dump + len, 2 + 1, ", ");
len += 2;
len += 2;
components--;
} else{
break;
@ -1564,7 +1564,7 @@ typedef struct {
static void exif_error_docref(const char *docref EXIFERR_DC, const image_info_type *ImageInfo, int type, const char *format, ...)
{
va_list args;
va_start(args, format);
#ifdef EXIF_DEBUG
{
@ -2617,7 +2617,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
ByteCount -= 8;
/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
* since we have no encoding support for the BOM yet we skip that.
*/
if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
@ -2635,8 +2635,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
}
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
@ -2656,8 +2656,8 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
ByteCount -= 8;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
@ -2691,12 +2691,12 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
* Process unicode field in IFD. */
static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
{
xp_field->tag = tag;
xp_field->tag = tag;
xp_field->value = NULL;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
(unsigned char**)&xp_field->value,
&xp_field->size,
(unsigned char**)&xp_field->value,
&xp_field->size,
(unsigned char*)szValuePtr,
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
@ -2721,7 +2721,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
if (i==sizeof(maker_note_array)/sizeof(maker_note_type))
return FALSE;
maker_note = maker_note_array+i;
/*exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "check (%s,%s)", maker_note->make?maker_note->make:"", maker_note->model?maker_note->model:"");*/
if (maker_note->make && (!ImageInfo->make || strcmp(maker_note->make, ImageInfo->make)))
continue;
@ -2842,9 +2842,9 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
/* If its bigger than 4 bytes, the dir entry contains an offset. */
value_ptr = offset_base+offset_val;
/*
/*
dir_entry is ImageInfo->file.list[sn].data+2+i*12
offset_base is ImageInfo->file.list[sn].data-dir_offset
offset_base is ImageInfo->file.list[sn].data-dir_offset
dir_entry - offset_base is dir_offset+2+i*12
*/
if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
@ -2915,18 +2915,18 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
case TAG_COMP_IMAGE_WIDTH:
ImageInfo->Thumbnail.width = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC);
break;
case TAG_IMAGEHEIGHT:
case TAG_COMP_IMAGE_HEIGHT:
ImageInfo->Thumbnail.height = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC);
break;
case TAG_STRIP_OFFSETS:
case TAG_JPEG_INTERCHANGE_FORMAT:
/* accept both formats */
ImageInfo->Thumbnail.offset = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC);
break;
case TAG_STRIP_BYTE_COUNTS:
if (ImageInfo->FileType == IMAGE_FILETYPE_TIFF_II || ImageInfo->FileType == IMAGE_FILETYPE_TIFF_MM) {
ImageInfo->Thumbnail.filetype = ImageInfo->FileType;
@ -2936,7 +2936,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
}
ImageInfo->Thumbnail.size = exif_convert_any_to_int(value_ptr, format, ImageInfo->motorola_intel TSRMLS_CC);
break;
case TAG_JPEG_INTERCHANGE_FORMAT_LEN:
if (ImageInfo->Thumbnail.filetype == IMAGE_FILETYPE_UNKNOWN) {
ImageInfo->Thumbnail.filetype = IMAGE_FILETYPE_JPEG;
@ -2954,16 +2954,16 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
if (length<byte_count-1) {
/* When there are any characters after the first NUL */
ImageInfo->CopyrightPhotographer = estrdup(value_ptr);
ImageInfo->CopyrightEditor = estrdup(value_ptr+length+1);
ImageInfo->CopyrightEditor = estrndup(value_ptr+length+1, byte_count-length-1);
spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
/* format = TAG_FMT_UNDEFINED; this musn't be ASCII */
/* but we are not supposed to change this */
/* keep in mind that image_info does not store editor value */
} else {
ImageInfo->Copyright = estrdup(value_ptr);
ImageInfo->Copyright = estrndup(value_ptr, byte_count);
}
}
break;
break;
case TAG_USERCOMMENT:
ImageInfo->UserCommentLength = exif_process_user_comment(ImageInfo, &(ImageInfo->UserComment), &(ImageInfo->UserCommentEncoding), value_ptr, byte_count TSRMLS_CC);
@ -3051,10 +3051,10 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
break;
case TAG_MAKE:
ImageInfo->make = estrdup(value_ptr);
ImageInfo->make = estrndup(value_ptr, byte_count);
break;
case TAG_MODEL:
ImageInfo->model = estrdup(value_ptr);
ImageInfo->model = estrndup(value_ptr, byte_count);
break;
case TAG_MAKER_NOTE:
@ -3404,7 +3404,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo TSRMLS_DC)
if ((itemlen - 2) < 6) {
return FALSE;
}
exif_process_SOFn(Data, marker, &sof_info);
ImageInfo->Width = sof_info.width;
ImageInfo->Height = sof_info.height;
@ -3449,21 +3449,21 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC)
}
for (;;) {
pos += length;
if (pos>=ImageInfo->Thumbnail.size)
if (pos>=ImageInfo->Thumbnail.size)
return FALSE;
c = data[pos++];
if (pos>=ImageInfo->Thumbnail.size)
if (pos>=ImageInfo->Thumbnail.size)
return FALSE;
if (c != 0xFF) {
return FALSE;
}
n = 8;
while ((c = data[pos++]) == 0xFF && n--) {
if (pos+3>=ImageInfo->Thumbnail.size)
if (pos+3>=ImageInfo->Thumbnail.size)
return FALSE;
/* +3 = pos++ of next check when reaching marker + 2 bytes for length */
}
if (c == 0xFF)
if (c == 0xFF)
return FALSE;
marker = c;
length = php_jpg_get16(data+pos);
@ -3777,7 +3777,7 @@ static int exif_scan_FILE_header(image_info_type *ImageInfo TSRMLS_DC)
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "File has TIFF/II format");
#endif
ImageInfo->sections_found |= FOUND_IFD0;
if (exif_process_IFD_in_TIFF(ImageInfo,
if (exif_process_IFD_in_TIFF(ImageInfo,
php_ifd_get32u(file_header + 4, ImageInfo->motorola_intel),
SECTION_IFD0 TSRMLS_CC)) {
ret = TRUE;
@ -3957,7 +3957,7 @@ PHP_FUNCTION(exif_read_data)
sections_str = exif_get_sectionlist(ImageInfo.sections_found TSRMLS_CC);
#ifdef EXIF_DEBUG
if (sections_str)
if (sections_str)
exif_error_docref(NULL EXIFERR_CC, &ImageInfo, E_NOTICE, "Sections found: %s", sections_str[0] ? sections_str : "None");
#endif

10
ext/hash/hash_haval.c
View file

@ -336,7 +336,7 @@ PHP_HASH_API void PHP_HAVAL128Final(unsigned char *digest, PHP_HAVAL_CTX * conte
/* Pad out to 118 mod 128.
*/
index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
index = (unsigned int) ((context->count[0] >> 3) & 0x7f);
padLen = (index < 118) ? (118 - index) : (246 - index);
PHP_HAVALUpdate(context, PADDING, padLen);
@ -390,7 +390,7 @@ PHP_HASH_API void PHP_HAVAL160Final(unsigned char *digest, PHP_HAVAL_CTX * conte
/* Pad out to 118 mod 128.
*/
index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
index = (unsigned int) ((context->count[0] >> 3) & 0x7f);
padLen = (index < 118) ? (118 - index) : (246 - index);
PHP_HAVALUpdate(context, PADDING, padLen);
@ -444,7 +444,7 @@ PHP_HASH_API void PHP_HAVAL192Final(unsigned char *digest, PHP_HAVAL_CTX * conte
/* Pad out to 118 mod 128.
*/
index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
index = (unsigned int) ((context->count[0] >> 3) & 0x7f);
padLen = (index < 118) ? (118 - index) : (246 - index);
PHP_HAVALUpdate(context, PADDING, padLen);
@ -484,7 +484,7 @@ PHP_HASH_API void PHP_HAVAL224Final(unsigned char *digest, PHP_HAVAL_CTX * conte
/* Pad out to 118 mod 128.
*/
index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
index = (unsigned int) ((context->count[0] >> 3) & 0x7f);
padLen = (index < 118) ? (118 - index) : (246 - index);
PHP_HAVALUpdate(context, PADDING, padLen);
@ -525,7 +525,7 @@ PHP_HASH_API void PHP_HAVAL256Final(unsigned char *digest, PHP_HAVAL_CTX * conte
/* Pad out to 118 mod 128.
*/
index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
index = (unsigned int) ((context->count[0] >> 3) & 0x7f);
padLen = (index < 118) ? (118 - index) : (246 - index);
PHP_HAVALUpdate(context, PADDING, padLen);

18
ext/hash/tests/bug70312.phpt Normal file
View file

@ -0,0 +1,18 @@
--TEST--
Bug #70312 HAVAL gives wrong hashes in specific cases
--SKIPIF--
<?php if(!extension_loaded("hash")) print "skip"; ?>
--FILE--
<?php
var_dump(hash('haval128,5', '1234567890123456789012345678901234567890123456789012345678901234'));
var_dump(hash('haval160,5', '1234567890123456789012345678901234567890123456789012345678901234'));
var_dump(hash('haval192,5', '1234567890123456789012345678901234567890123456789012345678901234'));
var_dump(hash('haval224,5', '1234567890123456789012345678901234567890123456789012345678901234'));
var_dump(hash('haval256,5', '1234567890123456789012345678901234567890123456789012345678901234'));
?>
--EXPECTF--
string(32) "f3f0d23819b87228b4b70ee350afaa9d"
string(40) "aded6485e137f11d7292212ba3fa961714df0564"
string(48) "e53da2b16269fe732e9a898a96707a9f28404d7333b02286"
string(56) "c574fb307f0817b514b9bb2e7c4bfaffb7ad667aca3c8b523fefcf10"
string(64) "fb73c19300b14d5cb393d929bf005e6c2d459a4c9c009e9813af1d2d3637ee8f"

138
ext/pcre/php_pcre.c
View file

@ -141,7 +141,7 @@ static PHP_MINFO_FUNCTION(pcre)
static PHP_MINIT_FUNCTION(pcre)
{
REGISTER_INI_ENTRIES();
REGISTER_LONG_CONSTANT("PREG_PATTERN_ORDER", PREG_PATTERN_ORDER, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("PREG_SET_ORDER", PREG_SET_ORDER, CONST_CS | CONST_PERSISTENT);
REGISTER_LONG_CONSTANT("PREG_OFFSET_CAPTURE", PREG_OFFSET_CAPTURE, CONST_CS | CONST_PERSISTENT);
@ -301,18 +301,18 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le
#endif
}
}
p = regex;
/* Parse through the leading whitespace, and display a warning if we
get to the end without encountering a delimiter. */
while (isspace((int)*(unsigned char *)p)) p++;
if (*p == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING,
php_error_docref(NULL TSRMLS_CC, E_WARNING,
p < regex + regex_len ? "Null byte in regex" : "Empty regular expression");
return NULL;
}
/* Get the delimiter and display a warning if it is alphanumeric
or a backslash. */
delimiter = *p++;
@ -365,7 +365,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le
}
return NULL;
}
/* Make a copy of the actual pattern. */
pattern = estrndup(p, pp-p);
@ -373,7 +373,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le
pp++;
/* Parse through the options, setting appropriate flags. Display
a warning if we encounter an unknown modifier. */
a warning if we encounter an unknown modifier. */
while (pp < regex + regex_len) {
switch (*pp++) {
/* Perl compatible options */
@ -381,7 +381,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le
case 'm': coptions |= PCRE_MULTILINE; break;
case 's': coptions |= PCRE_DOTALL; break;
case 'x': coptions |= PCRE_EXTENDED; break;
/* PCRE specific options */
case 'A': coptions |= PCRE_ANCHORED; break;
case 'D': coptions |= PCRE_DOLLAR_ENDONLY;break;
@ -394,12 +394,12 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le
the PCRE_UCP option. */
#ifdef PCRE_UCP
coptions |= PCRE_UCP;
#endif
#endif
break;
/* Custom preg options */
case 'e': poptions |= PREG_REPLACE_EVAL; break;
case ' ':
case '\n':
break;
@ -479,7 +479,7 @@ PHPAPI pcre_cache_entry* pcre_get_compiled_regex_cache(char *regex, int regex_le
* at end of request. However PCRE_G(pcre_cache) must be consistent
* on the next request as well. So we disable usage of interned strings
* as hash keys especually for this table.
* See bug #63180
* See bug #63180
*/
if (IS_INTERNED(regex)) {
regex = tmp = estrndup(regex, regex_len);
@ -508,7 +508,7 @@ PHPAPI pcre* pcre_get_compiled_regex(char *regex, pcre_extra **extra, int *preg_
if (preg_options) {
*preg_options = pce ? pce->preg_options : 0;
}
return pce ? pce->re : NULL;
}
/* }}} */
@ -518,7 +518,7 @@ PHPAPI pcre* pcre_get_compiled_regex(char *regex, pcre_extra **extra, int *preg_
PHPAPI pcre* pcre_get_compiled_regex_ex(char *regex, pcre_extra **extra, int *preg_options, int *compile_options TSRMLS_DC)
{
pcre_cache_entry * pce = pcre_get_compiled_regex_cache(regex, strlen(regex) TSRMLS_CC);
if (extra) {
*extra = pce ? pce->extra : NULL;
}
@ -528,7 +528,7 @@ PHPAPI pcre* pcre_get_compiled_regex_ex(char *regex, pcre_extra **extra, int *pr
if (compile_options) {
*compile_options = pce ? pce->compile_options : 0;
}
return pce ? pce->re : NULL;
}
/* }}} */
@ -545,7 +545,7 @@ static inline void add_offset_pair(zval *result, char *str, int len, int offset,
/* Add (match, offset) to the return value */
add_next_index_stringl(match_pair, str, len, 1);
add_next_index_long(match_pair, offset);
if (name) {
zval_add_ref(&match_pair);
zend_hash_update(Z_ARRVAL_P(result), name, strlen(name)+1, &match_pair, sizeof(zval *), NULL);
@ -570,7 +570,7 @@ static void php_do_pcre_match(INTERNAL_FUNCTION_PARAMETERS, int global) /* {{{ *
&subject, &subject_len, &subpats, &flags, &start_offset) == FAILURE) {
RETURN_FALSE;
}
/* Compile regex or get it from cache. */
if ((pce = pcre_get_compiled_regex_cache(regex, regex_len TSRMLS_CC)) == NULL) {
RETURN_FALSE;
@ -687,7 +687,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec
matched = 0;
PCRE_G(error_code) = PHP_PCRE_NO_ERROR;
do {
/* Execute the regular expression. */
count = pcre_exec(pce->re, extra, subject, subject_len, start_offset,
@ -709,7 +709,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec
/* If subpatterns array has been passed, fill it in with values. */
if (subpats != NULL) {
/* Try to get the list of substrings and display a warning if failed. */
if (pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) {
if ((offsets[1] - offsets[0] < 0) || pcre_get_substring_list(subject, offsets, count, &stringlist) < 0) {
efree(subpat_names);
efree(offsets);
if (match_sets) efree(match_sets);
@ -752,7 +752,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec
ALLOC_ZVAL(result_set);
array_init(result_set);
INIT_PZVAL(result_set);
/* Add all the subpatterns to it */
for (i = 0; i < count; i++) {
if (offset_capture) {
@ -814,7 +814,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec
pcre_handle_exec_error(count TSRMLS_CC);
break;
}
/* If we have matched an empty string, mimic what Perl's /g options does.
This turns out to be rather cunning. First we set PCRE_NOTEMPTY_ATSTART and try
the match again at the same point. If this fails (picked up above) we
@ -841,7 +841,7 @@ PHPAPI void php_pcre_match_impl(pcre_cache_entry *pce, char *subject, int subjec
add_assoc_zval(subpats, "MARK", marks);
}
}
efree(offsets);
efree(subpat_names);
@ -891,7 +891,7 @@ static int preg_get_backref(char **str, int *backref)
walk++;
} else
return 0;
if (*walk && *walk >= '0' && *walk <= '9') {
*backref = *backref * 10 + *walk - '0';
walk++;
@ -903,9 +903,9 @@ static int preg_get_backref(char **str, int *backref)
else
walk++;
}
*str = walk;
return 1;
return 1;
}
/* }}} */
@ -915,7 +915,7 @@ static int preg_do_repl_func(zval *function, char *subject, int *offsets, char *
{
zval *retval_ptr; /* Function return value */
zval **args[1]; /* Argument to pass to function */
zval *subpats; /* Captured subpatterns */
zval *subpats; /* Captured subpatterns */
int result_len; /* Return value length */
int i;
@ -969,11 +969,11 @@ static int preg_do_eval(char *eval_str, int eval_str_len, char *subject,
int backref; /* Current backref */
char *compiled_string_description;
smart_str code = {0};
eval_str_end = eval_str + eval_str_len;
walk = segment = eval_str;
walk_last = 0;
while (walk < eval_str_end) {
/* If found a backreference.. */
if ('\\' == *walk || '$' == *walk) {
@ -1026,15 +1026,15 @@ static int preg_do_eval(char *eval_str, int eval_str_len, char *subject,
}
efree(compiled_string_description);
convert_to_string(&retval);
/* Save the return value and its length */
*result = estrndup(Z_STRVAL(retval), Z_STRLEN(retval));
result_len = Z_STRLEN(retval);
/* Clean up */
zval_dtor(&retval);
smart_str_free(&code);
return result_len;
}
/* }}} */
@ -1063,7 +1063,7 @@ PHPAPI char *php_pcre_replace(char *regex, int regex_len,
/* }}} */
/* {{{ php_pcre_replace_impl() */
PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int subject_len, zval *replace_val,
PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int subject_len, zval *replace_val,
int is_callable_replace, int *result_len, int limit, int *replace_count TSRMLS_DC)
{
pcre_extra *extra = pce->extra;/* Holds results of studying */
@ -1144,7 +1144,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
}
offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0);
alloc_len = 2 * subject_len + 1;
result = safe_emalloc(alloc_len, sizeof(char), 0);
@ -1153,7 +1153,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
*result_len = 0;
start_offset = 0;
PCRE_G(error_code) = PHP_PCRE_NO_ERROR;
while (1) {
/* Execute the regular expression. */
count = pcre_exec(pce->re, extra, subject, subject_len, start_offset,
@ -1170,7 +1170,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
piece = subject + start_offset;
if (count > 0 && (limit == -1 || limit > 0)) {
if (count > 0 && (offsets[1] - offsets[0] >= 0) && (limit == -1 || limit > 0)) {
if (replace_count) {
++*replace_count;
}
@ -1178,7 +1178,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
match = subject + offsets[0];
new_len = *result_len + offsets[0] - start_offset; /* part before the match */
/* If evaluating, do it and add the return string's length */
if (eval) {
eval_result_len = preg_do_eval(replace, replace_len, subject,
@ -1223,7 +1223,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
/* copy replacement and backrefs */
walkbuf = result + *result_len;
/* If evaluating or using custom function, copy result to the buffer
* and clean up. */
if (eval || is_callable_replace) {
@ -1293,7 +1293,7 @@ PHPAPI char *php_pcre_replace_impl(pcre_cache_entry *pce, char *subject, int sub
result = NULL;
break;
}
/* If we have matched an empty string, mimic what Perl's /g options does.
This turns out to be rather cunning. First we set PCRE_NOTEMPTY_ATSTART and try
the match again at the same point. If this fails (picked up above) we
@ -1323,18 +1323,18 @@ static char *php_replace_in_subject(zval *regex, zval *replace, zval **subject,
*result;
int subject_len;
/* Make sure we're dealing with strings. */
/* Make sure we're dealing with strings. */
convert_to_string_ex(subject);
/* FIXME: This might need to be changed to STR_EMPTY_ALLOC(). Check if this zval could be dtor()'ed somehow */
ZVAL_STRINGL(&empty_replace, "", 0, 0);
/* If regex is an array */
if (Z_TYPE_P(regex) == IS_ARRAY) {
/* Duplicate subject string for repeated replacement */
subject_value = estrndup(Z_STRVAL_PP(subject), Z_STRLEN_PP(subject));
subject_len = Z_STRLEN_PP(subject);
*result_len = subject_len;
zend_hash_internal_pointer_reset(Z_ARRVAL_P(regex));
replace_value = replace;
@ -1343,9 +1343,9 @@ static char *php_replace_in_subject(zval *regex, zval *replace, zval **subject,
/* For each entry in the regex array, get the entry */
while (zend_hash_get_current_data(Z_ARRVAL_P(regex), (void **)&regex_entry) == SUCCESS) {
/* Make sure we're dealing with strings. */
/* Make sure we're dealing with strings. */
convert_to_string_ex(regex_entry);
/* If replace is an array and not a callable construct */
if (Z_TYPE_P(replace) == IS_ARRAY && !is_callable_replace) {
/* Get current entry */
@ -1360,7 +1360,7 @@ static char *php_replace_in_subject(zval *regex, zval *replace, zval **subject,
replace_value = &empty_replace;
}
}
/* Do the actual replacement and put the result back into subject_value
for further replacements. */
if ((result = php_pcre_replace(Z_STRVAL_PP(regex_entry),
@ -1417,12 +1417,12 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl
ulong num_key;
char *callback_name;
int replace_count=0, old_replace_count;
/* Get function parameters and do error-checking. */
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZZ|lZ", &regex, &replace, &subject, &limit, &zcount) == FAILURE) {
return;
}
if (!is_callable_replace && Z_TYPE_PP(replace) == IS_ARRAY && Z_TYPE_PP(regex) != IS_ARRAY) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Parameter mismatch, pattern is a string while replacement is an array");
RETURN_FALSE;
@ -1448,10 +1448,10 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl
if (ZEND_NUM_ARGS() > 3) {
limit_val = limit;
}
if (Z_TYPE_PP(regex) != IS_ARRAY)
convert_to_string_ex(regex);
/* if subject is an array */
if (Z_TYPE_PP(subject) == IS_ARRAY) {
array_init(return_value);
@ -1479,7 +1479,7 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl
efree(result);
}
}
zend_hash_move_forward(Z_ARRVAL_PP(subject));
}
} else { /* if subject is not an array */
@ -1496,7 +1496,7 @@ static void preg_replace_impl(INTERNAL_FUNCTION_PARAMETERS, int is_callable_repl
zval_dtor(*zcount);
ZVAL_LONG(*zcount, replace_count);
}
}
/* }}} */
@ -1524,7 +1524,7 @@ static PHP_FUNCTION(preg_filter)
}
/* }}} */
/* {{{ proto array preg_split(string pattern, string subject [, int limit [, int flags]])
/* {{{ proto array preg_split(string pattern, string subject [, int limit [, int flags]])
Split string into an array using a perl-style regular expression as a delimiter */
static PHP_FUNCTION(preg_split)
{
@ -1536,12 +1536,12 @@ static PHP_FUNCTION(preg_split)
long flags = 0; /* Match control flags */
pcre_cache_entry *pce; /* Compiled regular expression */
/* Get function parameters and do error checking */
/* Get function parameters and do error checking */
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|ll", &regex, &regex_len,
&subject, &subject_len, &limit_val, &flags) == FAILURE) {
RETURN_FALSE;
}
/* Compile regex or get it from cache. */
if ((pce = pcre_get_compiled_regex_cache(regex, regex_len TSRMLS_CC)) == NULL) {
RETURN_FALSE;
@ -1578,7 +1578,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec
no_empty = flags & PREG_SPLIT_NO_EMPTY;
delim_capture = flags & PREG_SPLIT_DELIM_CAPTURE;
offset_capture = flags & PREG_SPLIT_OFFSET_CAPTURE;
if (limit_val == 0) {
limit_val = -1;
}
@ -1604,13 +1604,13 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec
}
size_offsets = (size_offsets + 1) * 3;
offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0);
/* Start at the beginning of the string */
start_offset = 0;
next_offset = 0;
last_match = subject;
PCRE_G(error_code) = PHP_PCRE_NO_ERROR;
/* Get next piece if no limit or limit not yet reached and something matched*/
while ((limit_val == -1 || limit_val > 1)) {
count = pcre_exec(pce->re, extra, subject,
@ -1625,9 +1625,9 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec
php_error_docref(NULL TSRMLS_CC,E_NOTICE, "Matched, but too many substrings");
count = size_offsets/3;
}
/* If something matched */
if (count > 0) {
if (count > 0 && (offsets[1] - offsets[0] >= 0)) {
if (!no_empty || &subject[offsets[0]] != last_match) {
if (offset_capture) {
@ -1643,7 +1643,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec
if (limit_val != -1)
limit_val--;
}
last_match = &subject[offsets[1]];
next_offset = offsets[1];
@ -1719,7 +1719,7 @@ PHPAPI void php_pcre_split_impl(pcre_cache_entry *pce, char *subject, int subjec
}
}
/* Clean up */
efree(offsets);
}
@ -1740,13 +1740,13 @@ static PHP_FUNCTION(preg_quote)
delim_char=0, /* Delimiter character to be quoted */
c; /* Current character */
zend_bool quote_delim = 0; /* Whether to quote additional delim char */
/* Get the arguments and check for errors */
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|s", &in_str, &in_str_len,
&delim, &delim_len) == FAILURE) {
return;
}
in_str_end = in_str + in_str_len;
/* Nothing to do if we got an empty string */
@ -1758,11 +1758,11 @@ static PHP_FUNCTION(preg_quote)
delim_char = delim[0];
quote_delim = 1;
}
/* Allocate enough memory so that even if each character
is quoted, we won't run out of room */
out_str = safe_emalloc(4, in_str_len, 1);
/* Go through the string and quote necessary characters */
for(p = in_str, q = out_str; p != in_str_end; p++) {
c = *p;
@ -1806,7 +1806,7 @@ static PHP_FUNCTION(preg_quote)
}
}
*q = '\0';
/* Reallocate string and return it */
RETVAL_STRINGL(erealloc(out_str, q - out_str + 1), q - out_str, 0);
}
@ -1827,7 +1827,7 @@ static PHP_FUNCTION(preg_grep)
&input, &flags) == FAILURE) {
return;
}
/* Compile regex or get it from cache. */
if ((pce = pcre_get_compiled_regex_cache(regex, regex_len TSRMLS_CC)) == NULL) {
RETURN_FALSE;
@ -1853,9 +1853,9 @@ PHPAPI void php_pcre_grep_impl(pcre_cache_entry *pce, zval *input, zval *return
zend_bool invert; /* Whether to return non-matching
entries */
int rc;
invert = flags & PREG_GREP_INVERT ? 1 : 0;
if (extra == NULL) {
extra_data.flags = PCRE_EXTRA_MATCH_LIMIT | PCRE_EXTRA_MATCH_LIMIT_RECURSION;
extra = &extra_data;
@ -1874,7 +1874,7 @@ PHPAPI void php_pcre_grep_impl(pcre_cache_entry *pce, zval *input, zval *return
}
size_offsets = (size_offsets + 1) * 3;
offsets = (int *)safe_emalloc(size_offsets, sizeof(int), 0);
/* Initialize return array */
array_init(return_value);
@ -1987,7 +1987,7 @@ ZEND_BEGIN_ARG_INFO_EX(arginfo_preg_split, 0, 0, 2)
ZEND_ARG_INFO(0, pattern)
ZEND_ARG_INFO(0, subject)
ZEND_ARG_INFO(0, limit)
ZEND_ARG_INFO(0, flags)
ZEND_ARG_INFO(0, flags)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_preg_quote, 0, 0, 1)

24
ext/pcre/tests/bug70345.phpt Normal file
View file

@ -0,0 +1,24 @@
--TEST--
Bug #70345 (Multiple vulnerabilities related to PCRE functions)
--FILE--
<?php
$regex = '/(?=xyz\K)/';
$subject = "aaaaxyzaaaa";
$v = preg_split($regex, $subject);
print_r($v);
$regex = '/(a(?=xyz\K))/';
$subject = "aaaaxyzaaaa";
preg_match($regex, $subject, $matches);
var_dump($matches);
--EXPECTF--
Array
(
[0] => aaaaxyzaaaa
)
Warning: preg_match(): Get subpatterns list failed in %s on line %d
array(0) {
}

36
ext/session/session.c
View file

@ -216,16 +216,18 @@ static char *php_session_encode(int *newlen TSRMLS_DC) /* {{{ */
}
/* }}} */
static void php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */
static int php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */
{
if (!PS(serializer)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object");
return;
return FAILURE;
}
if (PS(serializer)->decode(val, vallen TSRMLS_CC) == FAILURE) {
php_session_destroy(TSRMLS_C);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode session object. Session has been destroyed");
return FAILURE;
}
return SUCCESS;
}
/* }}} */
@ -419,7 +421,7 @@ PHPAPI char *php_session_create_id(PS_CREATE_SID_ARGS) /* {{{ */
php_error_docref(NULL TSRMLS_CC, E_WARNING, "The ini setting hash_bits_per_character is out of range (should be 4, 5, or 6) - using 4 for now");
}
outid = emalloc((size_t)((digest_len + 2) * ((8.0f / PS(hash_bits_per_character)) + 0.5)));
j = (int) (bin_to_readable((char *)digest, digest_len, outid, (char)PS(hash_bits_per_character)) - outid);
efree(digest);
@ -947,8 +949,11 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(&current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
} else {
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
return FAILURE;
}
zval_ptr_dtor(&current);
var_push_dtor_no_addref(&var_hash, &current);
}
PS_ADD_VARL(name, namelen);
efree(name);
@ -1039,8 +1044,13 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
ALLOC_INIT_ZVAL(current);
if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
} else {
var_push_dtor_no_addref(&var_hash, &current);
efree(name);
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
return FAILURE;
}
zval_ptr_dtor(&current);
var_push_dtor_no_addref(&var_hash, &current);
}
PS_ADD_VARL(name, namelen);
skip:
@ -1884,7 +1894,7 @@ static PHP_FUNCTION(session_set_save_handler)
}
efree(name);
}
if (PS(mod) && PS(mod) != &ps_mod_user) {
zend_alter_ini_entry("session.save_handler", sizeof("session.save_handler"), "user", sizeof("user")-1, PHP_INI_USER, PHP_INI_STAGE_RUNTIME);
}
@ -2063,9 +2073,7 @@ static PHP_FUNCTION(session_decode)
return;
}
php_session_decode(str, str_len TSRMLS_CC);
RETURN_TRUE;
RETVAL_BOOL(php_session_decode(str, str_len TSRMLS_CC) == SUCCESS);
}
/* }}} */
@ -2698,12 +2706,12 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
case MULTIPART_EVENT_FILE_START: {
multipart_event_file_start *data = (multipart_event_file_start *) event_data;
/* Do nothing when $_POST["PHP_SESSION_UPLOAD_PROGRESS"] is not set
/* Do nothing when $_POST["PHP_SESSION_UPLOAD_PROGRESS"] is not set
* or when we have no session id */
if (!Z_TYPE(progress->sid) || !progress->key.c) {
break;
}
/* First FILE_START event, initializing data */
if (!progress->data) {
@ -2753,7 +2761,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
add_assoc_zval_ex(progress->current_file, "bytes_processed", sizeof("bytes_processed"), progress->current_file_bytes_processed);
add_next_index_zval(progress->files, progress->current_file);
Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
php_session_rfc1867_update(progress, 0 TSRMLS_CC);
@ -2765,7 +2773,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
if (!Z_TYPE(progress->sid) || !progress->key.c) {
break;
}
Z_LVAL_P(progress->current_file_bytes_processed) = data->offset + data->length;
Z_LVAL_P(progress->post_bytes_processed) = data->post_bytes_processed;
@ -2778,7 +2786,7 @@ static int php_session_rfc1867_callback(unsigned int event, void *event_data, vo
if (!Z_TYPE(progress->sid) || !progress->key.c) {
break;
}
if (data->temp_filename) {
add_assoc_string_ex(progress->current_file, "tmp_name", sizeof("tmp_name"), data->temp_filename, 1);
}

518
ext/session/tests/session_decode_error2.phpt
View file

@ -53,563 +53,247 @@ array(0) {
}
-- Iteration 4 --
bool(true)
array(1) {
["foo"]=>
NULL
Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s/session_decode_error2.php on line %d
bool(false)
array(0) {
}
-- Iteration 5 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 6 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 7 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 8 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 9 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 10 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 11 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 12 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 13 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 14 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 15 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 16 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 17 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 18 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 19 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 20 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 21 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 22 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 23 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 24 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 25 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 26 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 27 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 28 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 29 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 30 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 31 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 32 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 33 --
bool(true)
array(1) {
["foo"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 34 --
bool(true)
array(1) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 35 --
bool(true)
array(1) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 36 --
bool(true)
array(1) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 37 --
bool(true)
array(1) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 38 --
bool(true)
array(1) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 39 --
bool(true)
array(2) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 40 --
bool(true)
array(2) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 41 --
bool(true)
array(2) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 42 --
bool(true)
array(2) {
["foo"]=>
array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 43 --
bool(true)
array(2) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 44 --
bool(true)
array(2) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 45 --
bool(true)
array(2) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 46 --
bool(true)
array(2) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 47 --
bool(true)
array(2) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
bool(false)
array(0) {
}
-- Iteration 48 --
bool(true)
array(3) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["blah"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 49 --
bool(true)
array(3) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["blah"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 50 --
bool(true)
array(3) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["blah"]=>
NULL
bool(false)
array(0) {
}
-- Iteration 51 --
bool(true)
array(3) {
["foo"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["guff"]=>
&array(3) {
[0]=>
int(1)
[1]=>
int(2)
[2]=>
int(3)
}
["blah"]=>
NULL
bool(false)
array(0) {
}
bool(true)
Done
Warning: session_destroy(): Trying to destroy uninitialized session in %s/session_decode_error2.php on line %d
bool(false)
Done

2
ext/session/tests/session_decode_variation3.phpt
View file

@ -49,7 +49,7 @@ array(3) {
}
Warning: session_decode(): Unknown session.serialize_handler. Failed to decode session object in %s on line %d
bool(true)
bool(false)
array(3) {
["foo"]=>
int(1234567890)

96
ext/soap/soap.c
View file

@ -997,7 +997,7 @@ static HashTable* soap_create_typemap(sdlPtr sdl, HashTable *ht TSRMLS_DC)
HashTable *ht2;
HashPosition pos1, pos2;
HashTable *typemap = NULL;
zend_hash_internal_pointer_reset_ex(ht, &pos1);
while (zend_hash_get_current_data_ex(ht, (void**)&tmp, &pos1) == SUCCESS) {
char *type_name = NULL;
@ -1041,7 +1041,7 @@ static HashTable* soap_create_typemap(sdlPtr sdl, HashTable *ht TSRMLS_DC)
}
}
zend_hash_move_forward_ex(ht2, &pos2);
}
}
if (type_name) {
smart_str nscat = {0};
@ -1071,7 +1071,7 @@ static HashTable* soap_create_typemap(sdlPtr sdl, HashTable *ht TSRMLS_DC)
new_enc->to_xml = enc->to_xml;
new_enc->to_zval = enc->to_zval;
new_enc->details.map = emalloc(sizeof(soapMapping));
memset(new_enc->details.map, 0, sizeof(soapMapping));
memset(new_enc->details.map, 0, sizeof(soapMapping));
if (to_xml) {
zval_add_ref(&to_xml);
new_enc->details.map->to_xml = to_xml;
@ -1128,7 +1128,7 @@ PHP_METHOD(SoapServer, SoapServer)
if (Z_TYPE_P(wsdl) != IS_STRING && Z_TYPE_P(wsdl) != IS_NULL) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid parameters");
}
service = emalloc(sizeof(soapService));
memset(service, 0, sizeof(soapService));
service->send_errors = 1;
@ -1163,7 +1163,7 @@ PHP_METHOD(SoapServer, SoapServer)
if (zend_hash_find(ht, "encoding", sizeof("encoding"), (void**)&tmp) == SUCCESS &&
Z_TYPE_PP(tmp) == IS_STRING) {
xmlCharEncodingHandlerPtr encoding;
encoding = xmlFindCharEncodingHandler(Z_STRVAL_PP(tmp));
if (encoding == NULL) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid 'encoding' option - '%s'", Z_STRVAL_PP(tmp));
@ -1223,7 +1223,7 @@ PHP_METHOD(SoapServer, SoapServer)
}
}
}
if (typemap_ht) {
service->typemap = soap_create_typemap(service->sdl, typemap_ht TSRMLS_CC);
}
@ -1353,7 +1353,7 @@ PHP_METHOD(SoapServer, getFunctions)
if (zend_parse_parameters_none() == FAILURE) {
return;
}
FETCH_THIS_SERVICE(service);
array_init(return_value);
@ -1513,7 +1513,7 @@ PHP_METHOD(SoapServer, handle)
FETCH_THIS_SERVICE(service);
SOAP_GLOBAL(soap_version) = service->version;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|s", &arg, &arg_len) == FAILURE) {
return;
}
@ -1935,7 +1935,7 @@ PHP_METHOD(SoapServer, handle)
if (size == 0) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Dump memory failed");
}
}
if (soap_version == SOAP_1_2) {
sapi_add_header("Content-Type: application/soap+xml; charset=utf-8", sizeof("Content-Type: application/soap+xml; charset=utf-8")-1, 1);
@ -2151,10 +2151,10 @@ static void soap_error_handler(int error_num, const char *error_filename, const
use_exceptions = 1;
}
if ((error_num == E_USER_ERROR ||
error_num == E_COMPILE_ERROR ||
if ((error_num == E_USER_ERROR ||
error_num == E_COMPILE_ERROR ||
error_num == E_CORE_ERROR ||
error_num == E_ERROR ||
error_num == E_ERROR ||
error_num == E_PARSE) &&
use_exceptions) {
zval *fault, *exception;
@ -2223,10 +2223,10 @@ static void soap_error_handler(int error_num, const char *error_filename, const
va_list argcopy;
#endif
if (error_num == E_USER_ERROR ||
error_num == E_COMPILE_ERROR ||
if (error_num == E_USER_ERROR ||
error_num == E_COMPILE_ERROR ||
error_num == E_CORE_ERROR ||
error_num == E_ERROR ||
error_num == E_ERROR ||
error_num == E_PARSE) {
char* code = SOAP_GLOBAL(error_code);
@ -2456,13 +2456,13 @@ PHP_METHOD(SoapClient, SoapClient)
if (zend_hash_find(ht, "encoding", sizeof("encoding"), (void**)&tmp) == SUCCESS &&
Z_TYPE_PP(tmp) == IS_STRING) {
xmlCharEncodingHandlerPtr encoding;
encoding = xmlFindCharEncodingHandler(Z_STRVAL_PP(tmp));
if (encoding == NULL) {
php_error_docref(NULL TSRMLS_CC, E_ERROR, "Invalid 'encoding' option - '%s'", Z_STRVAL_PP(tmp));
} else {
xmlCharEncCloseFunc(encoding);
add_property_stringl(this_ptr, "_encoding", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
add_property_stringl(this_ptr, "_encoding", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
}
}
if (zend_hash_find(ht, "classmap", sizeof("classmap"), (void**)&tmp) == SUCCESS &&
@ -2497,7 +2497,7 @@ PHP_METHOD(SoapClient, SoapClient)
if (context) {
add_property_resource(this_ptr, "_stream_context", context->rsrc_id);
}
if (zend_hash_find(ht, "cache_wsdl", sizeof("cache_wsdl"), (void**)&tmp) == SUCCESS &&
Z_TYPE_PP(tmp) == IS_LONG) {
cache_wsdl = Z_LVAL_PP(tmp);
@ -2507,7 +2507,7 @@ PHP_METHOD(SoapClient, SoapClient)
Z_TYPE_PP(tmp) == IS_STRING) {
add_property_stringl(this_ptr, "_user_agent", Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
}
if (zend_hash_find(ht, "keep_alive", sizeof("keep_alive"), (void**)&tmp) == SUCCESS &&
(Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && Z_LVAL_PP(tmp) == 0) {
add_property_long(this_ptr, "_keep_alive", 0);
@ -2615,7 +2615,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
xmlFree(buf);
if (ret && zend_hash_find(Z_OBJPROP_P(this_ptr), "__soap_fault", sizeof("__soap_fault"), (void **) &fault) == SUCCESS) {
return FALSE;
}
}
return ret;
}
@ -2921,8 +2921,10 @@ PHP_METHOD(SoapClient, __call)
}
zend_hash_internal_pointer_reset(default_headers);
while (zend_hash_get_current_data(default_headers, (void**)&tmp) == SUCCESS) {
Z_ADDREF_PP(tmp);
zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL);
if(Z_TYPE_PP(tmp) == IS_OBJECT) {
Z_ADDREF_PP(tmp);
zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL);
}
zend_hash_move_forward(default_headers);
}
} else {
@ -2930,7 +2932,7 @@ PHP_METHOD(SoapClient, __call)
free_soap_headers = 0;
}
}
arg_count = zend_hash_num_elements(Z_ARRVAL_P(args));
if (arg_count > 0) {
@ -2996,7 +2998,7 @@ PHP_METHOD(SoapClient, __getTypes)
HashPosition pos;
FETCH_THIS_SDL(sdl);
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -3025,7 +3027,7 @@ PHP_METHOD(SoapClient, __getTypes)
PHP_METHOD(SoapClient, __getLastRequest)
{
zval **tmp;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -3048,7 +3050,7 @@ PHP_METHOD(SoapClient, __getLastResponse)
if (zend_parse_parameters_none() == FAILURE) {
return;
}
if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS &&
Z_TYPE_PP(tmp) == IS_STRING) {
RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
@ -3063,11 +3065,11 @@ PHP_METHOD(SoapClient, __getLastResponse)
PHP_METHOD(SoapClient, __getLastRequestHeaders)
{
zval **tmp;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS &&
Z_TYPE_PP(tmp) == IS_STRING) {
RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
@ -3082,7 +3084,7 @@ PHP_METHOD(SoapClient, __getLastRequestHeaders)
PHP_METHOD(SoapClient, __getLastResponseHeaders)
{
zval **tmp;
if (zend_parse_parameters_none() == FAILURE) {
return;
}
@ -3227,10 +3229,10 @@ PHP_METHOD(SoapClient, __setSoapHeaders)
/* {{{ proto string SoapClient::__setLocation([string new_location])
Sets the location option (the endpoint URL that will be touched by the
Sets the location option (the endpoint URL that will be touched by the
following SOAP requests).
If new_location is not specified or null then SoapClient will use endpoint
from WSDL file.
from WSDL file.
The function returns old value of location options. */
PHP_METHOD(SoapClient, __setLocation)
{
@ -3279,10 +3281,10 @@ static void set_soap_fault(zval *obj, char *fault_code_ns, char *fault_code, cha
if (Z_TYPE_P(obj) != IS_OBJECT) {
object_init_ex(obj, soap_fault_class_entry);
}
add_property_string(obj, "faultstring", fault_string ? fault_string : "", 1);
zend_update_property_string(zend_exception_get_default(TSRMLS_C), obj, "message", sizeof("message")-1, (fault_string ? fault_string : "") TSRMLS_CC);
if (fault_code != NULL) {
int soap_version = SOAP_GLOBAL(soap_version);
@ -3707,7 +3709,7 @@ ignore_header:
func = func->children;
}
deserialize_parameters(func, function, num_params, parameters TSRMLS_CC);
encode_finish();
return function;
@ -3989,8 +3991,8 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
}
if (fault_ns == NULL &&
fault &&
fault->details &&
fault &&
fault->details &&
zend_hash_num_elements(fault->details) == 1) {
sdlParamPtr sparam;
@ -4014,7 +4016,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
xmlChar *code = xmlBuildQName(BAD_CAST(str), nsptr->prefix, NULL, 0);
xmlNodeSetContent(node, code);
xmlFree(code);
} else {
} else {
xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len);
}
str_efree(str);
@ -4040,7 +4042,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
xmlChar *code = xmlBuildQName(BAD_CAST(str), nsptr->prefix, NULL, 0);
xmlNodeSetContent(node, code);
xmlFree(code);
} else {
} else {
xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len);
}
str_efree(str);
@ -4212,7 +4214,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
encode_finish();
if (function && function->responseName == NULL &&
if (function && function->responseName == NULL &&
body->children == NULL && head == NULL) {
xmlFreeDoc(doc);
return NULL;
@ -4346,11 +4348,18 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function
if (head) {
zval** header;
zend_hash_internal_pointer_reset(soap_headers);
while (zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS) {
HashTable *ht = Z_OBJPROP_PP(header);
for(zend_hash_internal_pointer_reset(soap_headers);
zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS;
zend_hash_move_forward(soap_headers)
) {
HashTable *ht;
zval **name, **ns, **tmp;
if (Z_TYPE_PP(header) != IS_OBJECT) {
continue;
}
ht = Z_OBJPROP_PP(header);
if (zend_hash_find(ht, "name", sizeof("name"), (void**)&name) == SUCCESS &&
Z_TYPE_PP(name) == IS_STRING &&
zend_hash_find(ht, "namespace", sizeof("namespace"), (void**)&ns) == SUCCESS &&
@ -4389,7 +4398,6 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function
xmlSetNs(h, nsptr);
set_soap_header_attributes(h, ht, version);
}
zend_hash_move_forward(soap_headers);
}
}
@ -4500,7 +4508,7 @@ static sdlParamPtr get_param(sdlFunctionPtr function, char *param_name, int inde
return *tmp;
} else {
HashPosition pos;
zend_hash_internal_pointer_reset_ex(ht, &pos);
while (zend_hash_get_current_data_ex(ht, (void **)&tmp, &pos) != FAILURE) {
if ((*tmp)->paramName && strcmp(param_name, (*tmp)->paramName) == 0) {

17
ext/soap/tests/bug70388.phpt Normal file
View file

@ -0,0 +1,17 @@
--TEST--
Bug #70388 (SOAP serialize_function_call() type confusion / RCE)
--SKIPIF--
<?php require_once('skipif.inc'); ?>
--FILE--
<?php
$dummy = unserialize('O:10:"SoapClient":3:{s:3:"uri";s:1:"X";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";a:1:{i:1;s:1337:"'.str_repeat("X", 1337).'";}}');
try {
var_dump($dummy->notexisting());
} catch(Exception $e) {
var_dump($e->getMessage());
var_dump(get_class($e));
}
?>
--EXPECTF--
string(%d) "%s"
string(9) "SoapFault"

1
ext/spl/spl_dllist.c
View file

@ -1219,6 +1219,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize)
zval_ptr_dtor(&elem);
goto error;
}
var_push_dtor(&var_hash, &elem);
spl_ptr_llist_push(intern->llist, elem TSRMLS_CC);
}

2
ext/spl/spl_observer.c
View file

@ -859,6 +859,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
zval_ptr_dtor(&pentry);
goto outexcept;
}
var_push_dtor(&var_hash, &pentry);
if(Z_TYPE_P(pentry) != IS_OBJECT) {
zval_ptr_dtor(&pentry);
goto outexcept;
@ -870,6 +871,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
zval_ptr_dtor(&pinf);
goto outexcept;
}
var_push_dtor(&var_hash, &pinf);
}
hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC);

50
ext/spl/tests/bug70155.phpt Normal file
View file

@ -0,0 +1,50 @@
--TEST--
SPL: Bug #70155 Use After Free Vulnerability in unserialize() with SPLArrayObject
--FILE--
<?php
$inner = 'x:i:0;O:12:"DateInterval":1:{s:1:"y";i:3;};m:a:1:{i:0;R:2;}';
$exploit = 'C:11:"ArrayObject":'.strlen($inner).':{'.$inner.'}';
$data = unserialize($exploit);
var_dump($data);
?>
===DONE===
--EXPECTF--
object(ArrayObject)#1 (2) {
[0]=>
int(0)
["storage":"ArrayObject":private]=>
object(DateInterval)#2 (15) {
["y"]=>
int(3)
["m"]=>
int(-1)
["d"]=>
int(-1)
["h"]=>
int(-1)
["i"]=>
int(-1)
["s"]=>
int(-1)
["weekday"]=>
int(-1)
["weekday_behavior"]=>
int(-1)
["first_last_day_of"]=>
int(-1)
["invert"]=>
int(0)
["days"]=>
int(-1)
["special_type"]=>
int(0)
["special_amount"]=>
int(-1)
["have_weekday_relative"]=>
int(0)
["have_special_relative"]=>
int(0)
}
}
===DONE===

50
ext/spl/tests/bug70365.phpt Normal file
View file

@ -0,0 +1,50 @@
--TEST--
SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage
--FILE--
<?php
class obj {
var $ryat;
function __wakeup() {
$this->ryat = 1;
}
}
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}';
$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
$data = unserialize($exploit);
var_dump($data);
function ptr2str($ptr)
{
$out = '';
for ($i = 0; $i < 8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
--EXPECTF--
array(5) {
[0]=>
int(1)
[1]=>
&int(1)
[2]=>
object(obj)#%d (1) {
["ryat"]=>
&int(1)
}
[3]=>
int(1)
[4]=>
string(24) "%s"
}

54
ext/spl/tests/bug70366.phpt Normal file
View file

@ -0,0 +1,54 @@
--TEST--
SPL: Bug #70366 use-after-free vulnerability in unserialize() with SplDoublyLinkedList
--FILE--
<?php
class obj {
var $ryat;
function __wakeup() {
$this->ryat = 1;
}
}
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
$inner = 'i:1234;:i:1;';
$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}';
$data = unserialize($exploit);
var_dump($data);
function ptr2str($ptr)
{
$out = '';
for ($i = 0; $i < 8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
?>
--EXPECTF--
array(5) {
[0]=>
int(1)
[1]=>
&int(1)
[2]=>
object(obj)#%d (1) {
["ryat"]=>
&int(1)
}
[3]=>
array(1) {
[0]=>
int(1)
}
[4]=>
string(24) "%s"
}

54
ext/standard/tests/serialize/bug70172.phpt Normal file
View file

@ -0,0 +1,54 @@
--TEST--
Bug #70172 - Use After Free Vulnerability in unserialize()
--XFAIL--
Memory leak on debug build, needs fix.
--FILE--
<?php
class obj implements Serializable {
var $data;
function serialize() {
return serialize($this->data);
}
function unserialize($data) {
$this->data = unserialize($data);
}
}
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
$inner = 'r:2;';
$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
$v[$i] = $fakezval.$i;
}
var_dump($data);
function ptr2str($ptr)
{
$out = '';
for ($i = 0; $i < 8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
?>
--EXPECTF--
array(2) {
[0]=>
int(1)
[1]=>
object(obj)#%d (1) {
["data"]=>
int(1)
}
}

68
ext/standard/tests/serialize/bug70172_2.phpt Normal file
View file

@ -0,0 +1,68 @@
--TEST--
Bug #70172 - Use After Free Vulnerability in unserialize()
--FILE--
<?php
class obj implements Serializable {
var $data;
function serialize() {
return serialize($this->data);
}
function unserialize($data) {
$this->data = unserialize($data);
}
}
class obj2 {
var $ryat;
function __wakeup() {
$this->ryat = 1;
}
}
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";
$inner = 'r:2;';
$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
$v[$i] = $fakezval.$i;
}
var_dump($data);
function ptr2str($ptr)
{
$out = '';
for ($i = 0; $i < 8; $i++) {
$out .= chr($ptr & 0xff);
$ptr >>= 8;
}
return $out;
}
?>
--EXPECTF--
array(2) {
[0]=>
object(obj2)#%d (1) {
["ryat"]=>
int(1)
}
[1]=>
array(1) {
[0]=>
array(1) {
[0]=>
object(obj2)#%d (1) {
["ryat"]=>
int(1)
}
}
}
}

38
ext/standard/tests/serialize/bug70219.phpt Normal file
View file

@ -0,0 +1,38 @@
--TEST--
Bug #70219 Use after free vulnerability in session deserializer
--FILE--
<?php
class obj implements Serializable {
var $data;
function serialize() {
return serialize($this->data);
}
function unserialize($data) {
session_start();
session_decode($data);
}
}
$inner = 'ryat|a:1:{i:0;a:1:{i:1;';
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
$v[$i] = 'hi'.$i;
}
var_dump($data);
?>
--EXPECTF--
Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
array(2) {
[0]=>
object(obj)#%d (1) {
["data"]=>
NULL
}
[1]=>
array(0) {
}
}

24
ext/standard/var.c
View file

@ -373,7 +373,7 @@ static int php_array_element_export(zval **zv TSRMLS_DC, int num_args, va_list a
smart_str_appendc(buf, ',');
smart_str_appendc(buf, '\n');
return 0;
}
/* }}} */
@ -392,7 +392,7 @@ static int php_object_element_export(zval **zv TSRMLS_DC, int num_args, va_list
const char *pname;
char *pname_esc;
int pname_esc_len;
zend_unmangle_property_name(hash_key->arKey, hash_key->nKeyLength - 1,
&class_name, &pname);
pname_esc = php_addcslashes(pname, strlen(pname), &pname_esc_len, 0,
@ -469,7 +469,7 @@ PHPAPI void php_var_export_ex(zval **struc, int level, smart_str *buf TSRMLS_DC)
buffer_append_spaces(buf, level - 1);
}
smart_str_appendc(buf, ')');
break;
case IS_OBJECT:
@ -799,7 +799,7 @@ static void php_var_serialize_intern(smart_str *buf, zval *struc, HashTable *var
BG(serialize_lock)++;
res = call_user_function_ex(CG(function_table), &struc, &fname, &retval_ptr, 0, 0, 1, NULL TSRMLS_CC);
BG(serialize_lock)--;
if (EG(exception)) {
if (retval_ptr) {
zval_ptr_dtor(&retval_ptr);
@ -948,6 +948,8 @@ PHP_FUNCTION(unserialize)
int buf_len;
const unsigned char *p;
php_unserialize_data_t var_hash;
int oldlevel;
zval *old_rval = return_value;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
RETURN_FALSE;
@ -967,6 +969,20 @@ PHP_FUNCTION(unserialize)
}
RETURN_FALSE;
}
if (return_value != old_rval) {
/*
* Terrible hack due to the fact that executor passes us zval *,
* but unserialize with r/R wants to replace it with another zval *
*/
zval_dtor(old_rval);
*old_rval = *return_value;
zval_copy_ctor(old_rval);
var_push_dtor_no_addref(&var_hash, &return_value);
/* FIXME: old_rval is not freed in some scenarios, see bug #70172
var_push_dtor_no_addref(&var_hash, &old_rval); */
} else {
var_push_dtor(&var_hash, &return_value);
}
PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
}
/* }}} */

135
ext/standard/var_unserializer.c
View file

@ -68,7 +68,7 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
var_hash = (*var_hashx)->last_dtor;
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
#endif
if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
@ -91,9 +91,15 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval)
{
var_entries *var_hash = (*var_hashx)->last_dtor;
var_entries *var_hash;
if (!var_hashx || !*var_hashx) {
return;
}
var_hash = (*var_hashx)->last_dtor;
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval));
fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval));
#endif
if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
@ -120,7 +126,7 @@ PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **n
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_replace(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(nzval));
#endif
while (var_hash) {
for (i = 0; i < var_hash->used_slots; i++) {
if (var_hash->data[i] == ozval) {
@ -138,7 +144,7 @@ static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store)
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_access(%ld): %ld\n", var_hash?var_hash->used_slots:-1L, id);
#endif
while (id >= VAR_ENTRIES_MAX && var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) {
var_hash = var_hash->next;
id -= VAR_ENTRIES_MAX;
@ -161,7 +167,7 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_destroy(%ld)\n", var_hash?var_hash->used_slots:-1L);
#endif
while (var_hash) {
next = var_hash->next;
efree(var_hash);
@ -169,9 +175,12 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
}
var_hash = (*var_hashx)->first_dtor;
while (var_hash) {
for (i = 0; i < var_hash->used_slots; i++) {
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i]));
#endif
zval_ptr_dtor(&var_hash->data[i]);
}
next = var_hash->next;
@ -232,7 +241,7 @@ static char *unserialize_str(const unsigned char **p, size_t *len, size_t maxlen
#define YYMARKER marker
#line 240 "ext/standard/var_unserializer.re"
#line 249 "ext/standard/var_unserializer.re"
@ -250,7 +259,7 @@ static inline long parse_iv2(const unsigned char *p, const unsigned char **q)
case '+':
p++;
}
while (1) {
cursor = (char)*p;
if (cursor >= '0' && cursor <= '9') {
@ -279,7 +288,7 @@ static inline size_t parse_uiv(const unsigned char *p)
if (*p == '+') {
p++;
}
while (1) {
cursor = *p;
if (cursor >= '0' && cursor <= '9') {
@ -303,23 +312,20 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
ALLOC_INIT_ZVAL(key);
if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) {
zval_dtor(key);
FREE_ZVAL(key);
var_push_dtor_no_addref(var_hash, &key);
return 0;
}
if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) {
zval_dtor(key);
FREE_ZVAL(key);
var_push_dtor_no_addref(var_hash, &key);
return 0;
}
ALLOC_INIT_ZVAL(data);
if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
zval_dtor(key);
FREE_ZVAL(key);
zval_ptr_dtor(&data);
var_push_dtor_no_addref(var_hash, &key);
var_push_dtor_no_addref(var_hash, &data);
return 0;
}
@ -348,9 +354,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
sizeof data, NULL);
}
var_push_dtor(var_hash, &data);
zval_dtor(key);
FREE_ZVAL(key);
var_push_dtor_no_addref(var_hash, &key);
if (elements && *(*p-1) != ';' && *(*p-1) != '}') {
(*p)--;
@ -400,7 +404,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
{
long elements;
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
@ -464,21 +468,21 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
limit = max;
cursor = *p;
if (YYCURSOR >= YYLIMIT) {
return 0;
}
if (var_hash && cursor[0] != 'R') {
var_push(var_hash, rval);
}
start = cursor;
#line 482 "ext/standard/var_unserializer.c"
#line 486 "ext/standard/var_unserializer.c"
{
YYCTYPE yych;
static const unsigned char yybm[] = {
@ -538,9 +542,9 @@ yy2:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy95;
yy3:
#line 833 "ext/standard/var_unserializer.re"
#line 840 "ext/standard/var_unserializer.re"
{ return 0; }
#line 544 "ext/standard/var_unserializer.c"
#line 548 "ext/standard/var_unserializer.c"
yy4:
yych = *(YYMARKER = ++YYCURSOR);
if (yych == ':') goto yy89;
@ -583,13 +587,13 @@ yy13:
goto yy3;
yy14:
++YYCURSOR;
#line 827 "ext/standard/var_unserializer.re"
#line 834 "ext/standard/var_unserializer.re"
{
/* this is the case where we have less data than planned */
php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Unexpected end of serialized data");
return 0; /* not sure if it should be 0 or 1 here? */
}
#line 593 "ext/standard/var_unserializer.c"
#line 597 "ext/standard/var_unserializer.c"
yy16:
yych = *++YYCURSOR;
goto yy3;
@ -620,7 +624,7 @@ yy20:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
#line 681 "ext/standard/var_unserializer.re"
#line 687 "ext/standard/var_unserializer.re"
{
size_t len, len2, len3, maxlen;
long elements;
@ -636,10 +640,11 @@ yy20:
zval **args[1];
zval *arg_func_name;
if (!var_hash) return 0;
if (*start == 'C') {
custom_object = 1;
}
INIT_PZVAL(*rval);
len2 = len = parse_uiv(start + 2);
maxlen = max - YYCURSOR;
@ -688,14 +693,14 @@ yy20:
efree(class_name);
return 0;
}
/* Check for unserialize callback */
if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
incomplete_class = 1;
ce = PHP_IC_ENTRY;
break;
}
/* Call unserialize callback */
MAKE_STD_ZVAL(user_func);
ZVAL_STRING(user_func, PG(unserialize_callback_func), 1);
@ -728,7 +733,7 @@ yy20:
zval_ptr_dtor(&arg_func_name);
return 0;
}
/* The callback function may have defined the class */
if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
ce = *pce;
@ -756,7 +761,7 @@ yy20:
efree(class_name);
return ret;
}
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
if (incomplete_class) {
@ -766,7 +771,7 @@ yy20:
return object_common2(UNSERIALIZE_PASSTHRU, elements);
}
#line 770 "ext/standard/var_unserializer.c"
#line 775 "ext/standard/var_unserializer.c"
yy25:
yych = *++YYCURSOR;
if (yych <= ',') {
@ -791,15 +796,16 @@ yy27:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
#line 673 "ext/standard/var_unserializer.re"
#line 678 "ext/standard/var_unserializer.re"
{
if (!var_hash) return 0;
INIT_PZVAL(*rval);
return object_common2(UNSERIALIZE_PASSTHRU,
object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
}
#line 803 "ext/standard/var_unserializer.c"
#line 809 "ext/standard/var_unserializer.c"
yy32:
yych = *++YYCURSOR;
if (yych == '+') goto yy33;
@ -820,11 +826,12 @@ yy34:
yych = *++YYCURSOR;
if (yych != '{') goto yy18;
++YYCURSOR;
#line 653 "ext/standard/var_unserializer.re"
#line 657 "ext/standard/var_unserializer.re"
{
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
*p = YYCURSOR;
if (!var_hash) return 0;
if (elements < 0) {
return 0;
@ -840,7 +847,7 @@ yy34:
return finish_nested_data(UNSERIALIZE_PASSTHRU);
}
#line 844 "ext/standard/var_unserializer.c"
#line 851 "ext/standard/var_unserializer.c"
yy39:
yych = *++YYCURSOR;
if (yych == '+') goto yy40;
@ -861,7 +868,7 @@ yy41:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
#line 624 "ext/standard/var_unserializer.re"
#line 628 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@ -890,7 +897,7 @@ yy41:
ZVAL_STRINGL(*rval, str, len, 0);
return 1;
}
#line 894 "ext/standard/var_unserializer.c"
#line 901 "ext/standard/var_unserializer.c"
yy46:
yych = *++YYCURSOR;
if (yych == '+') goto yy47;
@ -911,7 +918,7 @@ yy48:
yych = *++YYCURSOR;
if (yych != '"') goto yy18;
++YYCURSOR;
#line 596 "ext/standard/var_unserializer.re"
#line 600 "ext/standard/var_unserializer.re"
{
size_t len, maxlen;
char *str;
@ -939,7 +946,7 @@ yy48:
ZVAL_STRINGL(*rval, str, len, 1);
return 1;
}
#line 943 "ext/standard/var_unserializer.c"
#line 950 "ext/standard/var_unserializer.c"
yy53:
yych = *++YYCURSOR;
if (yych <= '/') {
@ -1027,7 +1034,7 @@ yy61:
}
yy63:
++YYCURSOR;
#line 586 "ext/standard/var_unserializer.re"
#line 590 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
use_double:
@ -1037,7 +1044,7 @@ use_double:
ZVAL_DOUBLE(*rval, zend_strtod((const char *)start + 2, NULL));
return 1;
}
#line 1041 "ext/standard/var_unserializer.c"
#line 1048 "ext/standard/var_unserializer.c"
yy65:
yych = *++YYCURSOR;
if (yych <= ',') {
@ -1096,7 +1103,7 @@ yy73:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
#line 571 "ext/standard/var_unserializer.re"
#line 575 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
@ -1111,7 +1118,7 @@ yy73:
return 1;
}
#line 1115 "ext/standard/var_unserializer.c"
#line 1122 "ext/standard/var_unserializer.c"
yy76:
yych = *++YYCURSOR;
if (yych == 'N') goto yy73;
@ -1138,7 +1145,7 @@ yy79:
if (yych <= '9') goto yy79;
if (yych != ';') goto yy18;
++YYCURSOR;
#line 544 "ext/standard/var_unserializer.re"
#line 548 "ext/standard/var_unserializer.re"
{
#if SIZEOF_LONG == 4
int digits = YYCURSOR - start - 3;
@ -1165,7 +1172,7 @@ yy79:
ZVAL_LONG(*rval, parse_iv(start + 2));
return 1;
}
#line 1169 "ext/standard/var_unserializer.c"
#line 1176 "ext/standard/var_unserializer.c"
yy83:
yych = *++YYCURSOR;
if (yych <= '/') goto yy18;
@ -1173,24 +1180,24 @@ yy83:
yych = *++YYCURSOR;
if (yych != ';') goto yy18;
++YYCURSOR;
#line 537 "ext/standard/var_unserializer.re"
#line 541 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_BOOL(*rval, parse_iv(start + 2));
return 1;
}
#line 1184 "ext/standard/var_unserializer.c"
#line 1191 "ext/standard/var_unserializer.c"
yy87:
++YYCURSOR;
#line 530 "ext/standard/var_unserializer.re"
#line 534 "ext/standard/var_unserializer.re"
{
*p = YYCURSOR;
INIT_PZVAL(*rval);
ZVAL_NULL(*rval);
return 1;
}
#line 1194 "ext/standard/var_unserializer.c"
#line 1201 "ext/standard/var_unserializer.c"
yy89:
yych = *++YYCURSOR;
if (yych <= ',') {
@ -1213,7 +1220,7 @@ yy91:
if (yych <= '9') goto yy91;
if (yych != ';') goto yy18;
++YYCURSOR;
#line 507 "ext/standard/var_unserializer.re"
#line 511 "ext/standard/var_unserializer.re"
{
long id;
@ -1233,10 +1240,10 @@ yy91:
*rval = *rval_ref;
Z_ADDREF_PP(rval);
Z_UNSET_ISREF_PP(rval);
return 1;
}
#line 1240 "ext/standard/var_unserializer.c"
#line 1247 "ext/standard/var_unserializer.c"
yy95:
yych = *++YYCURSOR;
if (yych <= ',') {
@ -1259,7 +1266,7 @@ yy97:
if (yych <= '9') goto yy97;
if (yych != ';') goto yy18;
++YYCURSOR;
#line 486 "ext/standard/var_unserializer.re"
#line 490 "ext/standard/var_unserializer.re"
{
long id;
@ -1272,17 +1279,17 @@ yy97:
}
if (*rval != NULL) {
zval_ptr_dtor(rval);
var_push_dtor_no_addref(var_hash, rval);
}
*rval = *rval_ref;
Z_ADDREF_PP(rval);
Z_SET_ISREF_PP(rval);
return 1;
}
#line 1284 "ext/standard/var_unserializer.c"
#line 1291 "ext/standard/var_unserializer.c"
}
#line 835 "ext/standard/var_unserializer.re"
#line 842 "ext/standard/var_unserializer.re"
return 0;

73
ext/standard/var_unserializer.re
View file

@ -66,7 +66,7 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
var_hash = (*var_hashx)->last_dtor;
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval));
#endif
if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
@ -89,9 +89,15 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval)
PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval)
{
var_entries *var_hash = (*var_hashx)->last_dtor;
var_entries *var_hash;
if (!var_hashx || !*var_hashx) {
return;
}
var_hash = (*var_hashx)->last_dtor;
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval));
fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval));
#endif
if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) {
@ -118,7 +124,7 @@ PHPAPI void var_replace(php_unserialize_data_t *var_hashx, zval *ozval, zval **n
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_replace(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(nzval));
#endif
while (var_hash) {
for (i = 0; i < var_hash->used_slots; i++) {
if (var_hash->data[i] == ozval) {
@ -136,7 +142,7 @@ static int var_access(php_unserialize_data_t *var_hashx, long id, zval ***store)
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_access(%ld): %ld\n", var_hash?var_hash->used_slots:-1L, id);
#endif
while (id >= VAR_ENTRIES_MAX && var_hash && var_hash->used_slots == VAR_ENTRIES_MAX) {
var_hash = var_hash->next;
id -= VAR_ENTRIES_MAX;
@ -159,7 +165,7 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_destroy(%ld)\n", var_hash?var_hash->used_slots:-1L);
#endif
while (var_hash) {
next = var_hash->next;
efree(var_hash);
@ -167,9 +173,12 @@ PHPAPI void var_destroy(php_unserialize_data_t *var_hashx)
}
var_hash = (*var_hashx)->first_dtor;
while (var_hash) {
for (i = 0; i < var_hash->used_slots; i++) {
#if VAR_ENTRIES_DBG
fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i]));
#endif
zval_ptr_dtor(&var_hash->data[i]);
}
next = var_hash->next;
@ -254,7 +263,7 @@ static inline long parse_iv2(const unsigned char *p, const unsigned char **q)
case '+':
p++;
}
while (1) {
cursor = (char)*p;
if (cursor >= '0' && cursor <= '9') {
@ -283,7 +292,7 @@ static inline size_t parse_uiv(const unsigned char *p)
if (*p == '+') {
p++;
}
while (1) {
cursor = *p;
if (cursor >= '0' && cursor <= '9') {
@ -307,23 +316,20 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
ALLOC_INIT_ZVAL(key);
if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) {
zval_dtor(key);
FREE_ZVAL(key);
var_push_dtor_no_addref(var_hash, &key);
return 0;
}
if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) {
zval_dtor(key);
FREE_ZVAL(key);
var_push_dtor_no_addref(var_hash, &key);
return 0;
}
ALLOC_INIT_ZVAL(data);
if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) {
zval_dtor(key);
FREE_ZVAL(key);
zval_ptr_dtor(&data);
var_push_dtor_no_addref(var_hash, &key);
var_push_dtor_no_addref(var_hash, &data);
return 0;
}
@ -352,9 +358,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
sizeof data, NULL);
}
var_push_dtor(var_hash, &data);
zval_dtor(key);
FREE_ZVAL(key);
var_push_dtor_no_addref(var_hash, &key);
if (elements && *(*p-1) != ';' && *(*p-1) != '}') {
(*p)--;
@ -404,7 +408,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
static inline long object_common1(UNSERIALIZE_PARAMETER, zend_class_entry *ce)
{
long elements;
elements = parse_iv2((*p) + 2, p);
(*p) += 2;
@ -468,19 +472,19 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
limit = max;
cursor = *p;
if (YYCURSOR >= YYLIMIT) {
return 0;
}
if (var_hash && cursor[0] != 'R') {
var_push(var_hash, rval);
}
start = cursor;
/*!re2c
"R:" iv ";" {
@ -495,12 +499,12 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
}
if (*rval != NULL) {
zval_ptr_dtor(rval);
var_push_dtor_no_addref(var_hash, rval);
}
*rval = *rval_ref;
Z_ADDREF_PP(rval);
Z_SET_ISREF_PP(rval);
return 1;
}
@ -523,7 +527,7 @@ PHPAPI int php_var_unserialize(UNSERIALIZE_PARAMETER)
*rval = *rval_ref;
Z_ADDREF_PP(rval);
Z_UNSET_ISREF_PP(rval);
return 1;
}
@ -654,6 +658,7 @@ use_double:
long elements = parse_iv(start + 2);
/* use iv() not uiv() in order to check data range */
*p = YYCURSOR;
if (!var_hash) return 0;
if (elements < 0) {
return 0;
@ -671,9 +676,10 @@ use_double:
}
"o:" iv ":" ["] {
if (!var_hash) return 0;
INIT_PZVAL(*rval);
return object_common2(UNSERIALIZE_PASSTHRU,
object_common1(UNSERIALIZE_PASSTHRU, ZEND_STANDARD_CLASS_DEF_PTR));
}
@ -693,10 +699,11 @@ object ":" uiv ":" ["] {
zval **args[1];
zval *arg_func_name;
if (!var_hash) return 0;
if (*start == 'C') {
custom_object = 1;
}
INIT_PZVAL(*rval);
len2 = len = parse_uiv(start + 2);
maxlen = max - YYCURSOR;
@ -745,14 +752,14 @@ object ":" uiv ":" ["] {
efree(class_name);
return 0;
}
/* Check for unserialize callback */
if ((PG(unserialize_callback_func) == NULL) || (PG(unserialize_callback_func)[0] == '\0')) {
incomplete_class = 1;
ce = PHP_IC_ENTRY;
break;
}
/* Call unserialize callback */
MAKE_STD_ZVAL(user_func);
ZVAL_STRING(user_func, PG(unserialize_callback_func), 1);
@ -785,7 +792,7 @@ object ":" uiv ":" ["] {
zval_ptr_dtor(&arg_func_name);
return 0;
}
/* The callback function may have defined the class */
if (zend_lookup_class(class_name, len2, &pce TSRMLS_CC) == SUCCESS) {
ce = *pce;
@ -813,7 +820,7 @@ object ":" uiv ":" ["] {
efree(class_name);
return ret;
}
elements = object_common1(UNSERIALIZE_PASSTHRU, ce);
if (incomplete_class) {

142
ext/xsl/xsltprocessor.c
View file

@ -81,10 +81,10 @@ ZEND_END_ARG_INFO();
/* }}} */
/*
* class xsl_xsltprocessor
* class xsl_xsltprocessor
*
* URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#
* Since:
* Since:
*/
const zend_function_entry php_xsl_xsltprocessor_class_functions[] = {
@ -111,9 +111,9 @@ static char *php_xsl_xslt_string_to_xpathexpr(const char *str TSRMLS_DC)
xmlChar *value;
int str_len;
str_len = xmlStrlen(string) + 3;
if (xmlStrchr(string, '"')) {
if (xmlStrchr(string, '\'')) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot create XPath expression (string contains both quote and double-quotes)");
@ -133,7 +133,7 @@ static char *php_xsl_xslt_string_to_xpathexpr(const char *str TSRMLS_DC)
Translates a PHP array to a libxslt parameters array */
static char **php_xsl_xslt_make_params(HashTable *parht, int xpath_params TSRMLS_DC)
{
int parsize;
zval **value;
char *xpath_expr, *string_key = NULL;
@ -158,7 +158,7 @@ static char **php_xsl_xslt_make_params(HashTable *parht, int xpath_params TSRMLS
SEPARATE_ZVAL(value);
convert_to_string(*value);
}
if (!xpath_params) {
xpath_expr = php_xsl_xslt_string_to_xpathexpr(Z_STRVAL_PP(value) TSRMLS_CC);
} else {
@ -192,7 +192,7 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
char *str;
char *callable = NULL;
xsl_object *intern;
TSRMLS_FETCH();
if (! zend_is_executing(TSRMLS_C)) {
@ -219,15 +219,17 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
}
}
}
if (error == 1) {
for (i = nargs - 1; i >= 0; i--) {
obj = valuePop(ctxt);
xmlXPathFreeObject(obj);
if (obj) {
xmlXPathFreeObject(obj);
}
}
return;
}
fci.param_count = nargs - 1;
if (fci.param_count > 0) {
fci.params = safe_emalloc(fci.param_count, sizeof(zval**), 0);
@ -265,7 +267,7 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
if (node->type == XML_NAMESPACE_DECL) {
xmlNsPtr curns;
xmlNodePtr nsparent;
nsparent = node->_private;
curns = xmlNewNs(NULL, node->name, NULL);
if (node->children) {
@ -297,14 +299,16 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
xmlXPathFreeObject(obj);
fci.params[i] = &args[i];
}
fci.size = sizeof(fci);
fci.function_table = EG(function_table);
obj = valuePop(ctxt);
if (obj->stringval == NULL) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string");
xmlXPathFreeObject(obj);
if (obj == NULL || obj->stringval == NULL) {
if (obj) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string");
xmlXPathFreeObject(obj);
}
valuePush(ctxt, xmlXPathNewString(""));
if (fci.param_count > 0) {
for (i = 0; i < nargs - 1; i++) {
@ -313,12 +317,12 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
efree(args);
efree(fci.params);
}
return;
return;
}
INIT_PZVAL(&handler);
ZVAL_STRING(&handler, obj->stringval, 1);
xmlXPathFreeObject(obj);
fci.function_name = &handler;
fci.symbol_table = NULL;
fci.object_ptr = NULL;
@ -328,7 +332,7 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
if (!zend_make_callable(&handler, &callable TSRMLS_CC)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call handler %s()", callable);
valuePush(ctxt, xmlXPathNewString(""));
} else if ( intern->registerPhpFunctions == 2 && zend_hash_exists(intern->registered_phpfunctions, callable, strlen(callable) + 1) == 0) {
} else if ( intern->registerPhpFunctions == 2 && zend_hash_exists(intern->registered_phpfunctions, callable, strlen(callable) + 1) == 0) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Not allowed to call handler '%s()'", callable);
/* Push an empty string, so that we at least have an xslt result... */
valuePush(ctxt, xmlXPathNewString(""));
@ -392,7 +396,7 @@ void xsl_ext_function_object_php(xmlXPathParserContextPtr ctxt, int nargs) /* {{
/* {{{ proto void xsl_xsltprocessor_import_stylesheet(domdocument doc);
URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#
Since:
Since:
*/
PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
{
@ -404,13 +408,13 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
xmlNode *nodep = NULL;
zend_object_handlers *std_hnd;
zval *cloneDocu, *member;
if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Oo", &id, xsl_xsltprocessor_class_entry, &docp) == FAILURE) {
RETURN_FALSE;
}
nodep = php_libxml_import_node(docp TSRMLS_CC);
if (nodep) {
doc = nodep->doc;
}
@ -419,7 +423,7 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
RETURN_FALSE;
}
/* libxslt uses _private, so we must copy the imported
/* libxslt uses _private, so we must copy the imported
stylesheet document otherwise the node proxies will be a mess */
newdoc = xmlCopyDoc(doc, 1);
xmlNodeSetBase((xmlNodePtr) newdoc, (xmlChar *)doc->URL);
@ -436,7 +440,7 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
RETURN_FALSE;
}
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
std_hnd = zend_get_std_object_handlers();
MAKE_STD_ZVAL(member);
@ -463,10 +467,10 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet)
intern->hasKeys = clone_docu;
}
if ((oldsheetp = (xsltStylesheetPtr)intern->ptr)) {
if ((oldsheetp = (xsltStylesheetPtr)intern->ptr)) {
/* free wrapper */
if (((xsltStylesheetPtr) intern->ptr)->_private != NULL) {
((xsltStylesheetPtr) intern->ptr)->_private = NULL;
((xsltStylesheetPtr) intern->ptr)->_private = NULL;
}
xsltFreeStylesheet((xsltStylesheetPtr) intern->ptr);
intern->ptr = NULL;
@ -494,7 +498,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
xsltSecurityPrefsPtr secPrefs = NULL;
node = php_libxml_import_node(docp TSRMLS_CC);
if (node) {
doc = node->doc;
}
@ -507,7 +511,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
php_error_docref(NULL TSRMLS_CC, E_WARNING, "No stylesheet associated to this object");
return NULL;
}
if (intern->profiling) {
if (php_check_open_basedir(intern->profiling TSRMLS_CC)) {
f = NULL;
@ -517,7 +521,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
} else {
f = NULL;
}
if (intern->parameter) {
params = php_xsl_xslt_make_params(intern->parameter, 0 TSRMLS_CC);
}
@ -549,7 +553,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
efree(member);
secPrefsValue = intern->securityPrefs;
/* This whole if block can be removed, when we remove the xsl.security_prefs php.ini option in PHP 6+ */
secPrefsIni= INI_INT("xsl.security_prefs");
/* if secPrefsIni has the same value as secPrefsValue, all is fine */
@ -569,38 +573,38 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
/* if securityPrefs is set to NONE, we don't have to do any checks, but otherwise... */
if (secPrefsValue != XSL_SECPREF_NONE) {
secPrefs = xsltNewSecurityPrefs();
if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
secPrefs = xsltNewSecurityPrefs();
if (secPrefsValue & XSL_SECPREF_READ_FILE ) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
secPrefsError = 1;
}
}
if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
if (secPrefsValue & XSL_SECPREF_WRITE_FILE ) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
secPrefsError = 1;
}
}
if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
if (secPrefsValue & XSL_SECPREF_CREATE_DIRECTORY ) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
secPrefsError = 1;
}
}
if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
if (secPrefsValue & XSL_SECPREF_READ_NETWORK) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
secPrefsError = 1;
}
}
if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
if (secPrefsValue & XSL_SECPREF_WRITE_NETWORK) {
if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
secPrefsError = 1;
}
}
if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
secPrefsError = 1;
}
}
if (secPrefsError == 1) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
} else {
@ -609,7 +613,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
if (f) {
fclose(f);
}
xsltFreeTransformContext(ctxt);
if (secPrefs) {
xsltFreeSecurityPrefs(secPrefs);
@ -617,7 +621,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
if (intern->node_list != NULL) {
zend_hash_destroy(intern->node_list);
FREE_HASHTABLE(intern->node_list);
FREE_HASHTABLE(intern->node_list);
intern->node_list = NULL;
}
@ -640,7 +644,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl
/* {{{ proto domdocument xsl_xsltprocessor_transform_to_doc(domnode doc);
URL: http://www.w3.org/TR/2003/WD-DOM-Level-3-Core-20030226/DOM3-Core.html#
Since:
Since:
*/
PHP_FUNCTION(xsl_xsltprocessor_transform_to_doc)
{
@ -677,13 +681,13 @@ PHP_FUNCTION(xsl_xsltprocessor_transform_to_doc)
found = zend_lookup_class(ret_class, ret_class_len, &ce TSRMLS_CC);
if ((found != SUCCESS) || !instanceof_function(*ce, curce TSRMLS_CC)) {
xmlFreeDoc(newdocp);
php_error_docref(NULL TSRMLS_CC, E_WARNING,
php_error_docref(NULL TSRMLS_CC, E_WARNING,
"Expecting class compatible with %s, '%s' given", curclass_name, ret_class);
RETURN_FALSE;
}
object_init_ex(return_value, *ce);
interndoc = (php_libxml_node_object *)zend_objects_get_address(return_value TSRMLS_CC);
php_libxml_increment_doc_ref(interndoc, newdocp TSRMLS_CC);
php_libxml_increment_node_ptr(interndoc, (xmlNodePtr)newdocp, (void *)interndoc TSRMLS_CC);
@ -693,7 +697,7 @@ PHP_FUNCTION(xsl_xsltprocessor_transform_to_doc)
} else {
RETURN_FALSE;
}
}
/* }}} end xsl_xsltprocessor_transform_to_doc */
@ -707,7 +711,7 @@ PHP_FUNCTION(xsl_xsltprocessor_transform_to_uri)
int ret, uri_len;
char *uri;
xsl_object *intern;
id = getThis();
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
sheetp = (xsltStylesheetPtr) intern->ptr;
@ -739,7 +743,7 @@ PHP_FUNCTION(xsl_xsltprocessor_transform_to_xml)
xmlChar *doc_txt_ptr;
int doc_txt_len;
xsl_object *intern;
id = getThis();
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
sheetp = (xsltStylesheetPtr) intern->ptr;
@ -770,7 +774,7 @@ PHP_FUNCTION(xsl_xsltprocessor_transform_to_xml)
*/
PHP_FUNCTION(xsl_xsltprocessor_set_parameter)
{
zval *id;
zval *array_value, **entry, *new_string;
xsl_object *intern;
@ -786,34 +790,34 @@ PHP_FUNCTION(xsl_xsltprocessor_set_parameter)
while (zend_hash_get_current_data(Z_ARRVAL_P(array_value), (void **)&entry) == SUCCESS) {
SEPARATE_ZVAL(entry);
convert_to_string_ex(entry);
if (zend_hash_get_current_key_ex(Z_ARRVAL_P(array_value), &string_key, &string_key_len, &idx, 0, NULL) != HASH_KEY_IS_STRING) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter array");
RETURN_FALSE;
}
ALLOC_ZVAL(new_string);
Z_ADDREF_PP(entry);
COPY_PZVAL_TO_ZVAL(*new_string, *entry);
zend_hash_update(intern->parameter, string_key, string_key_len, &new_string, sizeof(zval*), NULL);
zend_hash_move_forward(Z_ARRVAL_P(array_value));
}
RETURN_TRUE;
} else if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "sss", &namespace, &namespace_len, &name, &name_len, &value, &value_len) == SUCCESS) {
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
MAKE_STD_ZVAL(new_string);
ZVAL_STRING(new_string, value, 1);
zend_hash_update(intern->parameter, name, name_len + 1, &new_string, sizeof(zval*), NULL);
RETURN_TRUE;
} else {
WRONG_PARAM_COUNT;
}
}
/* }}} end xsl_xsltprocessor_set_parameter */
@ -828,7 +832,7 @@ PHP_FUNCTION(xsl_xsltprocessor_get_parameter)
xsl_object *intern;
DOM_GET_THIS(id);
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &namespace, &namespace_len, &name, &name_len) == FAILURE) {
RETURN_FALSE;
}
@ -852,7 +856,7 @@ PHP_FUNCTION(xsl_xsltprocessor_remove_parameter)
xsl_object *intern;
DOM_GET_THIS(id);
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &namespace, &namespace_len, &name, &name_len) == FAILURE) {
RETURN_FALSE;
}
@ -876,7 +880,7 @@ PHP_FUNCTION(xsl_xsltprocessor_register_php_functions)
char *name;
DOM_GET_THIS(id);
if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "a", &array_value) == SUCCESS) {
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
zend_hash_internal_pointer_reset(Z_ARRVAL_P(array_value));
@ -884,10 +888,10 @@ PHP_FUNCTION(xsl_xsltprocessor_register_php_functions)
while (zend_hash_get_current_data(Z_ARRVAL_P(array_value), (void **)&entry) == SUCCESS) {
SEPARATE_ZVAL(entry);
convert_to_string_ex(entry);
MAKE_STD_ZVAL(new_string);
ZVAL_LONG(new_string,1);
zend_hash_update(intern->registered_phpfunctions, Z_STRVAL_PP(entry), Z_STRLEN_PP(entry) + 1, &new_string, sizeof(zval*), NULL);
zend_hash_move_forward(Z_ARRVAL_P(array_value));
}
@ -895,17 +899,17 @@ PHP_FUNCTION(xsl_xsltprocessor_register_php_functions)
} else if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS() TSRMLS_CC, "s", &name, &name_len) == SUCCESS) {
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
MAKE_STD_ZVAL(new_string);
ZVAL_LONG(new_string,1);
zend_hash_update(intern->registered_phpfunctions, name, name_len + 1, &new_string, sizeof(zval*), NULL);
intern->registerPhpFunctions = 2;
} else {
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
intern->registerPhpFunctions = 1;
}
}
/* }}} end xsl_xsltprocessor_register_php_functions(); */
@ -947,7 +951,7 @@ PHP_FUNCTION(xsl_xsltprocessor_set_security_prefs)
return;
}
intern = (xsl_object *)zend_object_store_get_object(id TSRMLS_CC);
oldSecurityPrefs = intern->securityPrefs;
oldSecurityPrefs = intern->securityPrefs;
intern->securityPrefs = securityPrefs;
/* set this to 1 so that we know, it was set through this method. Can be removed, when we remove the ini setting */
intern->securityPrefsSet = 1;

2
ext/zip/php_zip.c
View file

@ -200,7 +200,7 @@ static int php_zip_extract_file(struct zip * za, char *dest, char *file, int fil
/* it is a directory only, see #40228 */
if (path_cleaned_len > 1 && IS_SLASH(path_cleaned[path_cleaned_len - 1])) {
len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, file);
len = spprintf(&file_dirname_fullpath, 0, "%s/%s", dest, path_cleaned);
is_dir_only = 1;
} else {
memcpy(file_dirname, path_cleaned, path_cleaned_len);

33
ext/zip/tests/bug70350.phpt Normal file
View file

@ -0,0 +1,33 @@
--TEST--
Bug #70350 (ZipArchive::extractTo allows for directory traversal when creating directories)
--SKIPIF--
<?php
if(!extension_loaded('zip')) die('skip');
?>
--FILE--
<?php
$dir = dirname(__FILE__)."/bug70350";
mkdir($dir);
$archive = new ZipArchive();
$archive->open("$dir/a.zip",ZipArchive::CREATE);
$archive->addEmptyDir("../down2/");
$archive->close();
$archive2 = new ZipArchive();
$archive2->open("$dir/a.zip");
$archive2->extractTo($dir);
$archive2->close();
var_dump(file_exists("$dir/down2/"));
var_dump(file_exists("../down2/"));
?>
--CLEAN--
<?php
$dir = dirname(__FILE__)."/bug70350";
rmdir("$dir/down2");
unlink("$dir/a.zip");
rmdir($dir);
?>
--EXPECT--
bool(true)
bool(false)