From 11f3e24190fa45689c8ccaeea54a28db6752092e Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Wed, 11 Sep 2019 10:27:32 +0200
Subject: [PATCH 1/2] Fixed bug #78506
---
 NEWS | 4 +++
 ext/standard/tests/streams/bug78506.phpt | 27 +++++++++++++++++++
 main/streams/streams.c | 34 +++++++++++-------------
 3 files changed, 47 insertions(+), 18 deletions(-)
 create mode 100644 ext/standard/tests/streams/bug78506.phpt
diff --git a/NEWS b/NEWS
index 9563d6c3681..95f229afc71 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,10 @@ PHP NEWS
 . Fixed bug #78510 (Partially uninitialized buffer returned by sodium_crypto_generichash_init()). (Frank Denis, cmb)
+- Standard:
+ . Fixed bug #78506 (Error in a php_user_filter::filter() is not reported).
+ (Nikita)
+
 05 Sep 2019, PHP 7.4.0RC1
 - Core:
diff --git a/ext/standard/tests/streams/bug78506.phpt b/ext/standard/tests/streams/bug78506.phpt
new file mode 100644
index 00000000000..869fa2a8ff3
--- /dev/null
+++ b/ext/standard/tests/streams/bug78506.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #78506: Error in a php_user_filter::filter() is not reported
+--FILE--
+
+--EXPECT--
+bool(false)
diff --git a/main/streams/streams.c b/main/streams/streams.c
index 566cdcde080..aef1ebe7626 100644
--- a/main/streams/streams.c
+++ b/main/streams/streams.c
@@ -1586,33 +1586,31 @@ PHPAPI int _php_stream_copy_to_stream_ex(php_stream *src, php_stream *dest, size
 while(1) {
 size_t readchunk = sizeof(buf);
 ssize_t didread;
+ char *writeptr;
 if (maxlen && (maxlen - haveread) < readchunk) {
 readchunk = maxlen - haveread;
 }
 didread = php_stream_read(src, buf, readchunk);
+ if (didread <= 0) {
+ *len = haveread;
+ return didread < 0 ? FAILURE : SUCCESS;
+ }
- if (didread > 0) {
- /* extra paranoid */
- char *writeptr;
+ towrite = didread;
+ writeptr = buf;
+ haveread += didread;
- towrite = didread;
- writeptr = buf;
- haveread += didread;
-
- while (towrite) {
- ssize_t didwrite = php_stream_write(dest, writeptr, towrite);
- if (didwrite <= 0) {
- *len = haveread - (didread - towrite);
- return FAILURE;
- }
-
- towrite -= didwrite;
- writeptr += didwrite;
+ while (towrite) {
+ ssize_t didwrite = php_stream_write(dest, writeptr, towrite);
+ if (didwrite <= 0) {
+ *len = haveread - (didread - towrite);
+ return FAILURE;
 }
- } else {
- break;
+
+ towrite -= didwrite;
+ writeptr += didwrite;
 }
 if (maxlen - haveread == 0) {
From 1ce830a4aaa626a6c33835297273249eefb8e643 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Wed, 11 Sep 2019 10:31:03 +0200
Subject: [PATCH 2/2] Fix another pointer indexing UB in http_fopen_wrapper
Only compute the gep after checking whether the pointer is NULL.
---
 ext/standard/http_fopen_wrapper.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index ff0b54798fa..478132fd403 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
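Review bot: In `_php_stream_copy_to_stream_ex` (main/streams/streams.c), the write-failure branch inside `while (towrite)` still sets `*len = haveread - (didread - towrite)`, which by the visible arithmetic is the bytes copied before this chunk plus the bytes still unwritten, not the bytes that reached `dest`. `haveread` already includes `didread` and `towrite` shrinks by each `didwrite`, so the delivered count would be `*len = haveread - towrite;`, consistent with the new read-failure branch where `*len = haveread` counts only fully written data. Because read errors now also return FAILURE, callers are more likely to consult `*len` to decide how much of a partial copy to trust, so an over-reported count on a failed first write is worth fixing. The function begins and ends outside the hunk, so the declared meaning of `len` should be confirmed there.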
@@ -91,9 +91,9 @@ static inline void strip_header(char *header_bag, char *lc_header_bag,
 ) {
 char *header_start = header_bag + (lc_header_start - lc_header_bag);
 char *lc_eol = strchr(lc_header_start, '\n');
- char *eol = header_start + (lc_eol - lc_header_start);
 if (lc_eol) {
+ char *eol = header_start + (lc_eol - lc_header_start);
 size_t eollen = strlen(lc_eol);
 memmove(lc_header_start, lc_eol+1, eollen);
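Review bot: `strip_header` applies offsets measured in `lc_header_bag` to `header_bag` (for `header_start` and the now-guarded `eol`), yet nothing in the hunk documents that the two buffers must be laid out identically. If they ever differ in length or in where the line breaks fall, `eol` would point outside the header being removed and the later moves would act on the wrong bytes. A comment above the function would make the precondition explicit, e.g. `/* lc_header_bag must have the same length and line-break offsets as header_bag; offsets found in one are applied to the other */`. Whether every caller guarantees this is not visible here, and the function body continues outside the hunk.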