archive/php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2025-08-16 05:58:45 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Fix GHSA-g665-fm4p-vhff: OOB access in ldap_escape

Browse source
This commit is contained in:
Niels Dossche 2024-09-26 22:22:27 +02:00 committed by Jakub Zelenka
parent 426a6d4539
commit f9ecf90070
No known key found for this signature in database
GPG key ID: 1C0779DC5C0A9DE4
3 changed files with 75 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

20
ext/ldap/ldap.c
View file

@ -3885,13 +3885,23 @@ static zend_string* php_ldap_do_escape(const bool *map, const char *value, size_
zend_string *ret; zend_string *ret;
for (i = 0; i < valuelen; i++) { for (i = 0; i < valuelen; i++) {
len += (map[(unsigned char) value[i]]) ? 3 : 1; size_t addend = (map[(unsigned char) value[i]]) ? 3 : 1;
if (len > ZSTR_MAX_LEN - addend) {
return NULL;
}
len += addend;
} }
/* Per RFC 4514, a leading and trailing space must be escaped */ /* Per RFC 4514, a leading and trailing space must be escaped */
if ((flags & PHP_LDAP_ESCAPE_DN) && (value[0] == ' ')) { if ((flags & PHP_LDAP_ESCAPE_DN) && (value[0] == ' ')) {
if (len > ZSTR_MAX_LEN - 2) {
return NULL;
}
len += 2; len += 2;
} }
if ((flags & PHP_LDAP_ESCAPE_DN) && ((valuelen > 1) && (value[valuelen - 1] == ' '))) { if ((flags & PHP_LDAP_ESCAPE_DN) && ((valuelen > 1) && (value[valuelen - 1] == ' '))) {
if (len > ZSTR_MAX_LEN - 2) {
return NULL;
}
len += 2; len += 2;
} }
@ -3958,7 +3968,13 @@ PHP_FUNCTION(ldap_escape)
php_ldap_escape_map_set_chars(map, ignores, ignoreslen, 0); php_ldap_escape_map_set_chars(map, ignores, ignoreslen, 0);
} }
RETURN_NEW_STR(php_ldap_do_escape(map, value, valuelen, flags)); zend_string *result = php_ldap_do_escape(map, value, valuelen, flags);
if (UNEXPECTED(!result)) {
zend_argument_value_error(1, "is too long");
RETURN_THROWS();
}
RETURN_NEW_STR(result);
} }
#ifdef STR_TRANSLATION #ifdef STR_TRANSLATION

28
ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt Normal file
View file

@ -0,0 +1,28 @@
--TEST--
GHSA-g665-fm4p-vhff (OOB access in ldap_escape)
--EXTENSIONS--
ldap
--INI--
memory_limit=-1
--SKIPIF--
<?php
if (PHP_INT_SIZE !== 4) die("skip only for 32-bit");
if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
?>
--FILE--
<?php
try {
ldap_escape(' '.str_repeat("#", 1431655758), "", LDAP_ESCAPE_DN);
} catch (ValueError $e) {
echo $e->getMessage(), "\n";
}
try {
ldap_escape(str_repeat("#", 1431655758).' ', "", LDAP_ESCAPE_DN);
} catch (ValueError $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
ldap_escape(): Argument #1 ($value) is too long
ldap_escape(): Argument #1 ($value) is too long

29
ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt Normal file
View file

@ -0,0 +1,29 @@
--TEST--
GHSA-g665-fm4p-vhff (OOB access in ldap_escape)
--EXTENSIONS--
ldap
--INI--
memory_limit=-1
--SKIPIF--
<?php
if (PHP_INT_SIZE !== 4) die("skip only for 32-bit");
if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
?>
--FILE--
<?php
try {
ldap_escape(str_repeat("*", 1431655759), "", LDAP_ESCAPE_FILTER);
} catch (ValueError $e) {
echo $e->getMessage(), "\n";
}
// would allocate a string of length 2
try {
ldap_escape(str_repeat("*", 1431655766), "", LDAP_ESCAPE_FILTER);
} catch (ValueError $e) {
echo $e->getMessage(), "\n";
}
?>
--EXPECT--
ldap_escape(): Argument #1 ($value) is too long
ldap_escape(): Argument #1 ($value) is too long