From daa38dd63e6837ec7e3ecdecf7e7be7b13628f16 Mon Sep 17 00:00:00 2001 From: Ilija Tovilo Date: Mon, 20 Nov 2023 12:37:32 +0100 Subject: [PATCH] Fix in-place modification of filename in php_message_handler_for_zend php_strip_url_passwd modifies url in-place. We cannot assume from php_message_handler_for_zend that data is a temporary, modifiable string. Fixes oss-fuzz #64209 Closes GH-12733 --- NEWS | 2 ++ Zend/tests/oss_fuzz_64209.phpt | 13 +++++++++++++ main/main.c | 21 +++++++++++++++------ 3 files changed, 30 insertions(+), 6 deletions(-) create mode 100644 Zend/tests/oss_fuzz_64209.phpt diff --git a/NEWS b/NEWS index 92b6027c4fd..b8d860bd3d9 100644 --- a/NEWS +++ b/NEWS @@ -5,6 +5,8 @@ PHP NEWS - Core: . Fixed oss-fuzz #54325 (Use-after-free of name in var-var with malicious error handler). (ilutov) + . Fixed oss-fuzz #64209 (In-place modification of filename in + php_message_handler_for_zend). (ilutov) - DOM: . Fixed bug GH-12616 (DOM: Removing XMLNS namespace node results in invalid diff --git a/Zend/tests/oss_fuzz_64209.phpt b/Zend/tests/oss_fuzz_64209.phpt new file mode 100644 index 00000000000..599ae258e5b --- /dev/null +++ b/Zend/tests/oss_fuzz_64209.phpt @@ -0,0 +1,13 @@ +--TEST-- +oss-fuzz #64209: Fix in-place modification of filename in php_message_handler_for_zend +--FILE-- + +--EXPECTF-- +Warning: require(://@): Failed to open stream: No such file or directory in %s on line %d + +Fatal error: Uncaught Error: Failed opening required '://@' (include_path='%s') in %s:%d +Stack trace: +#0 {main} + thrown in %s on line %d diff --git a/main/main.c b/main/main.c index 4868d2df400..9c62aa914eb 100644 --- a/main/main.c +++ b/main/main.c 
@@ -1585,15 +1585,24 @@ static void php_free_request_globals(void)
 static ZEND_COLD void php_message_handler_for_zend(zend_long message, const void *data)
 {
 switch (message) {
- case ZMSG_FAILED_INCLUDE_FOPEN:
- php_error_docref("function.include", E_WARNING, "Failed opening '%s' for inclusion (include_path='%s')", php_strip_url_passwd((char *) data), STR_PRINT(PG(include_path)));
+ case ZMSG_FAILED_INCLUDE_FOPEN: {
+ char *tmp = estrdup((char *) data);
+ php_error_docref("function.include", E_WARNING, "Failed opening '%s' for inclusion (include_path='%s')", php_strip_url_passwd(tmp), STR_PRINT(PG(include_path)));
+ efree(tmp);
 break;
- case ZMSG_FAILED_REQUIRE_FOPEN:
- zend_throw_error(NULL, "Failed opening required '%s' (include_path='%s')", php_strip_url_passwd((char *) data), STR_PRINT(PG(include_path)));
+ }
+ case ZMSG_FAILED_REQUIRE_FOPEN: {
+ char *tmp = estrdup((char *) data);
+ zend_throw_error(NULL, "Failed opening required '%s' (include_path='%s')", php_strip_url_passwd(tmp), STR_PRINT(PG(include_path)));
+ efree(tmp);
 break;
- case ZMSG_FAILED_HIGHLIGHT_FOPEN:
- php_error_docref(NULL, E_WARNING, "Failed opening '%s' for highlighting", php_strip_url_passwd((char *) data));
+ }
+ case ZMSG_FAILED_HIGHLIGHT_FOPEN: {
+ char *tmp = estrdup((char *) data);
+ php_error_docref(NULL, E_WARNING, "Failed opening '%s' for highlighting", php_strip_url_passwd(tmp));
+ efree(tmp);
 break;
+ }
 case ZMSG_MEMORY_LEAK_DETECTED:
 case ZMSG_MEMORY_LEAK_REPEATED:
 #if ZEND_DEBUG
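Review bot: The three new `estrdup((char *) data)` calls still cast away const even though the copy exists precisely so that `data` is never written through; `estrdup` takes a `const char *`, so `char *tmp = estrdup((const char *) data);` states that intent. The copy/strip/free sequence is repeated in all three cases with no comment saying why it is there; a line such as `/* php_strip_url_passwd() edits its argument in place and data may not be ours to modify, so redact a private copy */` above the first case would keep a later cleanup from removing the copy again. Other callers of php_strip_url_passwd that pass strings they do not own may deserve the same check, though none are visible in this hunk. The switch continues past the end of the hunk.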