8.1.10
This commit is contained in:
Funda Wang
parent
f4d6604eaf
commit
20ca150528
@ -1,54 +0,0 @@
|
||||
From 82f1bf1b6bc3a43aba62214870e6d0931e93a6d9 Mon Sep 17 00:00:00 2001
|
||||
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||||
Date: Mon, 31 Jan 2022 15:43:24 +0100
|
||||
Subject: [PATCH] Fix #81708: UAF due to php_filter_float() failing for ints
|
||||
|
||||
We must only release the zval, if we actually assign a new zval.
|
||||
---
|
||||
ext/filter/logical_filters.c | 2 +-
|
||||
ext/filter/tests/bug81708.phpt | 20 ++++++++++++++++++++
|
||||
2 files changed, 21 insertions(+), 1 deletion(-)
|
||||
create mode 100644 ext/filter/tests/bug81708.phpt
|
||||
|
||||
diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
|
||||
index 1bf7c00d13c6..95f7a99e34b1 100644
|
||||
--- a/ext/filter/logical_filters.c
|
||||
+++ b/ext/filter/logical_filters.c
|
||||
@@ -436,10 +436,10 @@ void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
|
||||
|
||||
switch (is_numeric_string(num, p - num, &lval, &dval, 0)) {
|
||||
case IS_LONG:
|
||||
- zval_ptr_dtor(value);
|
||||
if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) {
|
||||
goto error;
|
||||
}
|
||||
+ zval_ptr_dtor(value);
|
||||
ZVAL_DOUBLE(value, (double)lval);
|
||||
break;
|
||||
case IS_DOUBLE:
|
||||
diff --git a/ext/filter/tests/bug81708.phpt b/ext/filter/tests/bug81708.phpt
|
||||
new file mode 100644
|
||||
index 000000000000..d0036af13682
|
||||
--- /dev/null
|
||||
+++ b/ext/filter/tests/bug81708.phpt
|
||||
@@ -0,0 +1,20 @@
|
||||
+--TEST--
|
||||
+Bug #81708 (UAF due to php_filter_float() failing for ints)
|
||||
+--SKIPIF--
|
||||
+<?php
|
||||
+if (!extension_loaded("filter")) die("skip filter extension not available");
|
||||
+?>
|
||||
+--INI--
|
||||
+opcache.enable_cli=0
|
||||
+--FILE--
|
||||
+<?php
|
||||
+$input = "+" . str_repeat("1", 2); // avoid string interning
|
||||
+filter_var(
|
||||
+ $input,
|
||||
+ FILTER_VALIDATE_FLOAT,
|
||||
+ ["options" => ['min_range' => -1, 'max_range' => 1]]
|
||||
+);
|
||||
+var_dump($input);
|
||||
+?>
|
||||
+--EXPECT--
|
||||
+string(3) "+11"
|
||||
@ -1,68 +0,0 @@
|
||||
From 55f6895f4b4c677272fd4ee1113acdbd99c4b5ab Mon Sep 17 00:00:00 2001
|
||||
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||||
Date: Tue, 17 May 2022 12:59:23 +0200
|
||||
Subject: [PATCH] Fix #81720: Uninitialized array in pg_query_params() leading
|
||||
to RCE
|
||||
|
||||
We must not free parameters which we haven't initialized yet.
|
||||
|
||||
We also fix the not directly related issue, that we checked for the
|
||||
wrong value being `NULL`, potentially causing a segfault.
|
||||
---
|
||||
ext/pgsql/pgsql.c | 6 +++---
|
||||
ext/pgsql/tests/bug81720.phpt | 27 +++++++++++++++++++++++++++
|
||||
2 files changed, 30 insertions(+), 3 deletions(-)
|
||||
create mode 100644 ext/pgsql/tests/bug81720.phpt
|
||||
|
||||
--- a/ext/pgsql/pgsql.c
|
||||
+++ b/ext/pgsql/pgsql.c
|
||||
@@ -1201,7 +1201,7 @@ PHP_FUNCTION(pg_query_params)
|
||||
} else {
|
||||
zend_string *param_str = zval_try_get_string(tmp);
|
||||
if (!param_str) {
|
||||
- _php_pgsql_free_params(params, num_params);
|
||||
+ _php_pgsql_free_params(params, i);
|
||||
RETURN_THROWS();
|
||||
}
|
||||
params[i] = estrndup(ZSTR_VAL(param_str), ZSTR_LEN(param_str));
|
||||
@@ -3918,8 +3918,8 @@ PHP_FUNCTION(pg_send_execute)
|
||||
params[i] = NULL;
|
||||
} else {
|
||||
zend_string *tmp_str = zval_try_get_string(tmp);
|
||||
- if (UNEXPECTED(!tmp)) {
|
||||
- _php_pgsql_free_params(params, num_params);
|
||||
+ if (UNEXPECTED(!tmp_str)) {
|
||||
+ _php_pgsql_free_params(params, i);
|
||||
return;
|
||||
}
|
||||
params[i] = estrndup(ZSTR_VAL(tmp_str), ZSTR_LEN(tmp_str));
|
||||
--- /dev/null
|
||||
+++ b/ext/pgsql/tests/bug81720.phpt
|
||||
@@ -0,0 +1,27 @@
|
||||
+--TEST--
|
||||
+Bug #81720 (Uninitialized array in pg_query_params() leading to RCE)
|
||||
+--SKIPIF--
|
||||
+<?php include("skipif.inc"); ?>
|
||||
+--FILE--
|
||||
+<?php
|
||||
+include('config.inc');
|
||||
+
|
||||
+$conn = pg_connect($conn_str);
|
||||
+
|
||||
+try {
|
||||
+ pg_query_params($conn, 'SELECT $1, $2', [1, new stdClass()]);
|
||||
+} catch (Throwable $ex) {
|
||||
+ echo $ex->getMessage(), PHP_EOL;
|
||||
+}
|
||||
+
|
||||
+try {
|
||||
+ pg_send_prepare($conn, "my_query", 'SELECT $1, $2');
|
||||
+ pg_get_result($conn);
|
||||
+ pg_send_execute($conn, "my_query", [1, new stdClass()]);
|
||||
+} catch (Throwable $ex) {
|
||||
+ echo $ex->getMessage(), PHP_EOL;
|
||||
+}
|
||||
+?>
|
||||
+--EXPECT--
|
||||
+Object of class stdClass could not be converted to string
|
||||
+Object of class stdClass could not be converted to string
|
||||
@ -1,21 +0,0 @@
|
||||
From 58006537fc5f133ae8549efe5118cde418b3ace9 Mon Sep 17 00:00:00 2001
|
||||
From: Stanislav Malyshev <smalyshev@gmail.com>
|
||||
Date: Mon, 6 Jun 2022 00:56:51 -0600
|
||||
Subject: [PATCH] Fix bug #81719: mysqlnd/pdo password buffer overflow
|
||||
|
||||
---
|
||||
ext/mysqlnd/mysqlnd_wireprotocol.c | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
|
||||
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
|
||||
@@ -768,7 +768,8 @@ php_mysqlnd_change_auth_response_write(M
|
||||
MYSQLND_VIO * vio = conn->vio;
|
||||
MYSQLND_STATS * stats = conn->stats;
|
||||
MYSQLND_CONNECTION_STATE * connection_state = &conn->state;
|
||||
- zend_uchar * const buffer = pfc->cmd_buffer.length >= packet->auth_data_len? pfc->cmd_buffer.buffer : mnd_emalloc(packet->auth_data_len);
|
||||
+ size_t total_packet_size = packet->auth_data_len + MYSQLND_HEADER_SIZE;
|
||||
+ zend_uchar * const buffer = pfc->cmd_buffer.length >= total_packet_size? pfc->cmd_buffer.buffer : mnd_emalloc(total_packet_size);
|
||||
zend_uchar * p = buffer + MYSQLND_HEADER_SIZE; /* start after the header */
|
||||
|
||||
DBG_ENTER("php_mysqlnd_change_auth_response_write");
|
||||
@ -1,356 +0,0 @@
|
||||
From ca6d511fa54b34d5b75bf120a86482a1b9e1e686 Mon Sep 17 00:00:00 2001
|
||||
From: "Christoph M. Becker" <cmbecker69@gmx.de>
|
||||
Date: Thu, 30 Jun 2022 17:15:22 +0200
|
||||
Subject: [PATCH] Fix #81723: Memory corruption in finfo_buffer()
|
||||
|
||||
We need to use the same memory allocator throughout.
|
||||
---
|
||||
ext/fileinfo/libmagic.patch | 112 +++++++++++++++++-------------
|
||||
ext/fileinfo/libmagic/softmagic.c | 8 +--
|
||||
ext/fileinfo/tests/bug81723.phpt | 12 ++++
|
||||
3 files changed, 79 insertions(+), 53 deletions(-)
|
||||
create mode 100644 ext/fileinfo/tests/bug81723.phpt
|
||||
|
||||
diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch
|
||||
index 27124692a0..3373ae4519 100644
|
||||
--- a/ext/fileinfo/libmagic.patch
|
||||
+++ b/ext/fileinfo/libmagic.patch
|
||||
@@ -1,6 +1,6 @@
|
||||
-diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
|
||||
+diff -u libmagic.orig/apprentice.c libmagic/apprentice.c
|
||||
--- libmagic.orig/apprentice.c 2021-02-23 01:51:11.000000000 +0100
|
||||
-+++ libmagic/apprentice.c 2021-04-06 21:34:57.332978922 +0200
|
||||
++++ libmagic/apprentice.c 2022-06-16 13:39:41.570984700 +0200
|
||||
@@ -29,6 +29,8 @@
|
||||
* apprentice - make one pass through /etc/magic, learning its secrets.
|
||||
*/
|
||||
@@ -925,9 +925,9 @@ diff -ur libmagic.orig/apprentice.c libmagic/apprentice.c
|
||||
m->str_range = swap4(m->str_range);
|
||||
m->str_flags = swap4(m->str_flags);
|
||||
}
|
||||
-diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c
|
||||
+diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c
|
||||
--- libmagic.orig/ascmagic.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/ascmagic.c 2021-04-06 21:34:57.332978922 +0200
|
||||
++++ libmagic/ascmagic.c 2022-06-16 13:39:41.570984700 +0200
|
||||
@@ -96,7 +96,7 @@
|
||||
rv = file_ascmagic_with_encoding(ms, &bb,
|
||||
ubuf, ulen, code, type, text);
|
||||
@@ -956,9 +956,9 @@ diff -ur libmagic.orig/ascmagic.c libmagic/ascmagic.c
|
||||
|
||||
return rv;
|
||||
}
|
||||
-diff -ur libmagic.orig/buffer.c libmagic/buffer.c
|
||||
+diff -u libmagic.orig/buffer.c libmagic/buffer.c
|
||||
--- libmagic.orig/buffer.c 2021-02-23 01:49:26.000000000 +0100
|
||||
-+++ libmagic/buffer.c 2021-04-06 21:34:57.332978922 +0200
|
||||
++++ libmagic/buffer.c 2021-09-21 13:27:27.982716100 +0200
|
||||
@@ -31,19 +31,23 @@
|
||||
#endif /* lint */
|
||||
|
||||
@@ -1012,9 +1012,9 @@ diff -ur libmagic.orig/buffer.c libmagic/buffer.c
|
||||
b->ebuf = NULL;
|
||||
goto out;
|
||||
}
|
||||
-diff -ur libmagic.orig/cdf.c libmagic/cdf.c
|
||||
+diff -u libmagic.orig/cdf.c libmagic/cdf.c
|
||||
--- libmagic.orig/cdf.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/cdf.c 2021-04-06 21:34:57.332978922 +0200
|
||||
++++ libmagic/cdf.c 2021-09-21 13:27:27.983695600 +0200
|
||||
@@ -43,7 +43,17 @@
|
||||
#include <err.h>
|
||||
#endif
|
||||
@@ -1247,9 +1247,9 @@ diff -ur libmagic.orig/cdf.c libmagic/cdf.c
|
||||
}
|
||||
|
||||
#endif
|
||||
-diff -ur libmagic.orig/cdf.h libmagic/cdf.h
|
||||
+diff -u libmagic.orig/cdf.h libmagic/cdf.h
|
||||
--- libmagic.orig/cdf.h 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/cdf.h 2021-04-06 21:34:57.332978922 +0200
|
||||
++++ libmagic/cdf.h 2021-09-21 13:27:27.984674900 +0200
|
||||
@@ -35,10 +35,10 @@
|
||||
#ifndef _H_CDF_
|
||||
#define _H_CDF_
|
||||
@@ -1264,9 +1264,9 @@ diff -ur libmagic.orig/cdf.h libmagic/cdf.h
|
||||
#endif
|
||||
#ifdef __DJGPP__
|
||||
#define timespec timeval
|
||||
-diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c
|
||||
+diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c
|
||||
--- libmagic.orig/cdf_time.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/cdf_time.c 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/cdf_time.c 2021-09-21 13:27:27.985654400 +0200
|
||||
@@ -23,6 +23,7 @@
|
||||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
||||
* POSSIBILITY OF SUCH DAMAGE.
|
||||
@@ -1293,9 +1293,9 @@ diff -ur libmagic.orig/cdf_time.c libmagic/cdf_time.c
|
||||
if (ptr != NULL)
|
||||
return buf;
|
||||
(void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n",
|
||||
-diff -ur libmagic.orig/compress.c libmagic/compress.c
|
||||
+diff -u libmagic.orig/compress.c libmagic/compress.c
|
||||
--- libmagic.orig/compress.c 2021-02-23 01:49:07.000000000 +0100
|
||||
-+++ libmagic/compress.c 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/compress.c 2022-06-16 13:39:41.586609800 +0200
|
||||
@@ -51,7 +51,7 @@
|
||||
#ifndef HAVE_SIG_T
|
||||
typedef void (*sig_t)(int);
|
||||
@@ -1430,9 +1430,9 @@ diff -ur libmagic.orig/compress.c libmagic/compress.c
|
||||
}
|
||||
#endif
|
||||
+#endif
|
||||
-diff -ur libmagic.orig/der.c libmagic/der.c
|
||||
+diff -u libmagic.orig/der.c libmagic/der.c
|
||||
--- libmagic.orig/der.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/der.c 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/der.c 2022-06-16 13:39:41.586609800 +0200
|
||||
@@ -54,7 +54,9 @@
|
||||
#include "magic.h"
|
||||
#include "der.h"
|
||||
@@ -1443,9 +1443,9 @@ diff -ur libmagic.orig/der.c libmagic/der.c
|
||||
#include <sys/stat.h>
|
||||
#include <err.h>
|
||||
#endif
|
||||
-diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h
|
||||
+diff -u libmagic.orig/elfclass.h libmagic/elfclass.h
|
||||
--- libmagic.orig/elfclass.h 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/elfclass.h 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/elfclass.h 2021-09-21 13:27:27.989571700 +0200
|
||||
@@ -41,7 +41,7 @@
|
||||
return toomany(ms, "program headers", phnum);
|
||||
flags |= FLAGS_IS_CORE;
|
||||
@@ -1473,9 +1473,9 @@ diff -ur libmagic.orig/elfclass.h libmagic/elfclass.h
|
||||
CAST(size_t, elf_getu16(swap, elfhdr.e_shentsize)),
|
||||
fsize, elf_getu16(swap, elfhdr.e_machine),
|
||||
CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)),
|
||||
-diff -ur libmagic.orig/encoding.c libmagic/encoding.c
|
||||
+diff -u libmagic.orig/encoding.c libmagic/encoding.c
|
||||
--- libmagic.orig/encoding.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/encoding.c 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/encoding.c 2022-06-16 13:39:41.586609800 +0200
|
||||
@@ -98,14 +98,14 @@
|
||||
nbytes = ms->encoding_max;
|
||||
|
||||
@@ -1514,9 +1514,9 @@ diff -ur libmagic.orig/encoding.c libmagic/encoding.c
|
||||
} \
|
||||
if (u < 3) \
|
||||
return 0; \
|
||||
-diff -ur libmagic.orig/file.h libmagic/file.h
|
||||
+diff -u libmagic.orig/file.h libmagic/file.h
|
||||
--- libmagic.orig/file.h 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/file.h 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/file.h 2022-06-16 13:39:41.586609800 +0200
|
||||
@@ -33,17 +33,14 @@
|
||||
#ifndef __file_h__
|
||||
#define __file_h__
|
||||
@@ -1775,9 +1775,9 @@ diff -ur libmagic.orig/file.h libmagic/file.h
|
||||
+#endif
|
||||
+
|
||||
#endif /* __file_h__ */
|
||||
-diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c
|
||||
+diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c
|
||||
--- libmagic.orig/fsmagic.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/fsmagic.c 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/fsmagic.c 2021-09-21 13:27:27.992511000 +0200
|
||||
@@ -66,26 +66,10 @@
|
||||
# define minor(dev) ((dev) & 0xff)
|
||||
#endif
|
||||
@@ -2068,9 +2068,9 @@ diff -ur libmagic.orig/fsmagic.c libmagic/fsmagic.c
|
||||
#ifdef S_IFSOCK
|
||||
#ifndef __COHERENT__
|
||||
case S_IFSOCK:
|
||||
-diff -ur libmagic.orig/funcs.c libmagic/funcs.c
|
||||
+diff -u libmagic.orig/funcs.c libmagic/funcs.c
|
||||
--- libmagic.orig/funcs.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/funcs.c 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/funcs.c 2022-06-16 13:39:41.586609800 +0200
|
||||
@@ -51,6 +51,13 @@
|
||||
#define SIZE_MAX ((size_t)~0)
|
||||
#endif
|
||||
@@ -2388,9 +2388,9 @@ diff -ur libmagic.orig/funcs.c libmagic/funcs.c
|
||||
|
||||
protected char *
|
||||
file_strtrim(char *str)
|
||||
-diff -ur libmagic.orig/magic.c libmagic/magic.c
|
||||
+diff -u libmagic.orig/magic.c libmagic/magic.c
|
||||
--- libmagic.orig/magic.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/magic.c 2021-04-06 21:34:57.336978894 +0200
|
||||
++++ libmagic/magic.c 2022-06-16 13:39:41.586609800 +0200
|
||||
@@ -25,11 +25,6 @@
|
||||
* SUCH DAMAGE.
|
||||
*/
|
||||
@@ -2867,9 +2867,9 @@ diff -ur libmagic.orig/magic.c libmagic/magic.c
|
||||
return NULL;
|
||||
}
|
||||
return file_getbuffer(ms);
|
||||
-diff -ur libmagic.orig/magic.h libmagic/magic.h
|
||||
---- libmagic.orig/magic.h 2021-04-06 22:37:37.647426536 +0200
|
||||
-+++ libmagic/magic.h 2021-04-06 21:34:57.336978894 +0200
|
||||
+diff -u libmagic.orig/magic.h libmagic/magic.h
|
||||
+--- libmagic.orig/magic.h 2022-06-30 17:16:06.144009900 +0200
|
||||
++++ libmagic/magic.h 2022-06-16 13:39:41.586609800 +0200
|
||||
@@ -126,6 +126,7 @@
|
||||
|
||||
const char *magic_getpath(const char *, int);
|
||||
@@ -2878,9 +2878,9 @@ diff -ur libmagic.orig/magic.h libmagic/magic.h
|
||||
const char *magic_descriptor(magic_t, int);
|
||||
const char *magic_buffer(magic_t, const void *, size_t);
|
||||
|
||||
-diff -ur libmagic.orig/print.c libmagic/print.c
|
||||
+diff -u libmagic.orig/print.c libmagic/print.c
|
||||
--- libmagic.orig/print.c 2021-02-23 01:49:07.000000000 +0100
|
||||
-+++ libmagic/print.c 2021-04-06 21:34:57.340978869 +0200
|
||||
++++ libmagic/print.c 2021-09-21 13:27:27.998388700 +0200
|
||||
@@ -28,6 +28,7 @@
|
||||
/*
|
||||
* print.c - debugging printout routines
|
||||
@@ -2943,9 +2943,9 @@ diff -ur libmagic.orig/print.c libmagic/print.c
|
||||
|
||||
if (pp == NULL)
|
||||
goto out;
|
||||
-diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c
|
||||
+diff -u libmagic.orig/readcdf.c libmagic/readcdf.c
|
||||
--- libmagic.orig/readcdf.c 2021-02-23 01:49:08.000000000 +0100
|
||||
-+++ libmagic/readcdf.c 2021-04-06 21:34:57.340978869 +0200
|
||||
++++ libmagic/readcdf.c 2021-09-21 13:27:27.999369100 +0200
|
||||
@@ -31,7 +31,11 @@
|
||||
|
||||
#include <assert.h>
|
||||
@@ -3067,9 +3067,9 @@ diff -ur libmagic.orig/readcdf.c libmagic/readcdf.c
|
||||
out0:
|
||||
/* If we handled it already, return */
|
||||
if (i != -1)
|
||||
-diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
|
||||
+diff -u libmagic.orig/softmagic.c libmagic/softmagic.c
|
||||
--- libmagic.orig/softmagic.c 2021-02-23 01:49:06.000000000 +0100
|
||||
-+++ libmagic/softmagic.c 2021-04-06 21:34:57.340978869 +0200
|
||||
++++ libmagic/softmagic.c 2022-06-30 16:58:15.521661800 +0200
|
||||
@@ -43,6 +43,10 @@
|
||||
#include <time.h>
|
||||
#include "der.h"
|
||||
@@ -3247,7 +3247,29 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
|
||||
return rv;
|
||||
}
|
||||
|
||||
-@@ -1845,15 +1847,15 @@
|
||||
+@@ -1531,11 +1533,7 @@
|
||||
+ size_t len;
|
||||
+ *c = ms->c;
|
||||
+ len = c->len * sizeof(*c->li);
|
||||
+- ms->c.li = CAST(struct level_info *, malloc(len));
|
||||
+- if (ms->c.li == NULL) {
|
||||
+- ms->c = *c;
|
||||
+- return -1;
|
||||
+- }
|
||||
++ ms->c.li = CAST(struct level_info *, emalloc(len));
|
||||
+ memcpy(ms->c.li, c->li, len);
|
||||
+ return 0;
|
||||
+ }
|
||||
+@@ -1543,7 +1541,7 @@
|
||||
+ private void
|
||||
+ restore_cont(struct magic_set *ms, struct cont *c)
|
||||
+ {
|
||||
+- free(ms->c.li);
|
||||
++ efree(ms->c.li);
|
||||
+ ms->c = *c;
|
||||
+ }
|
||||
+
|
||||
+@@ -1845,15 +1843,15 @@
|
||||
if ((ms->flags & MAGIC_NODESC) == 0 &&
|
||||
file_printf(ms, F(ms, m->desc, "%u"), offset) == -1)
|
||||
{
|
||||
@@ -3266,7 +3288,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
|
||||
return rv;
|
||||
|
||||
case FILE_USE:
|
||||
-@@ -1958,10 +1960,13 @@
|
||||
+@@ -1958,10 +1956,13 @@
|
||||
}
|
||||
else if ((flags & STRING_COMPACT_WHITESPACE) &&
|
||||
isspace(*a)) {
|
||||
@@ -3281,7 +3303,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
|
||||
b++;
|
||||
}
|
||||
else {
|
||||
-@@ -1997,6 +2002,60 @@
|
||||
+@@ -1997,6 +1998,60 @@
|
||||
return file_strncmp(a, b, len, maxlen, flags);
|
||||
}
|
||||
|
||||
@@ -3342,7 +3364,7 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
|
||||
private int
|
||||
magiccheck(struct magic_set *ms, struct magic *m)
|
||||
{
|
||||
-@@ -2176,65 +2235,77 @@
|
||||
+@@ -2176,65 +2231,77 @@
|
||||
break;
|
||||
}
|
||||
case FILE_REGEX: {
|
||||
@@ -3471,9 +3493,9 @@ diff -ur libmagic.orig/softmagic.c libmagic/softmagic.c
|
||||
break;
|
||||
}
|
||||
case FILE_USE:
|
||||
-diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
|
||||
+diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c
|
||||
--- libmagic.orig/strcasestr.c 2021-02-23 01:49:12.000000000 +0100
|
||||
-+++ libmagic/strcasestr.c 2021-04-06 21:34:57.340978869 +0200
|
||||
++++ libmagic/strcasestr.c 2021-09-21 13:27:28.002306200 +0200
|
||||
@@ -39,6 +39,8 @@
|
||||
|
||||
#include "file.h"
|
||||
@@ -3483,7 +3505,3 @@ diff -ur libmagic.orig/strcasestr.c libmagic/strcasestr.c
|
||||
#include <assert.h>
|
||||
#include <ctype.h>
|
||||
#include <string.h>
|
||||
---- libmagic/config.h 2021-04-06 22:19:57.552120067 +0200
|
||||
-+++ /dev/null 2021-03-31 20:37:24.776503884 +0200
|
||||
-@@ -1 +0,0 @@
|
||||
--#include "php.h"
|
||||
diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
|
||||
index c86524e31e..5132b4ddea 100644
|
||||
--- a/ext/fileinfo/libmagic/softmagic.c
|
||||
+++ b/ext/fileinfo/libmagic/softmagic.c
|
||||
@@ -1533,11 +1533,7 @@ save_cont(struct magic_set *ms, struct cont *c)
|
||||
size_t len;
|
||||
*c = ms->c;
|
||||
len = c->len * sizeof(*c->li);
|
||||
- ms->c.li = CAST(struct level_info *, malloc(len));
|
||||
- if (ms->c.li == NULL) {
|
||||
- ms->c = *c;
|
||||
- return -1;
|
||||
- }
|
||||
+ ms->c.li = CAST(struct level_info *, emalloc(len));
|
||||
memcpy(ms->c.li, c->li, len);
|
||||
return 0;
|
||||
}
|
||||
@@ -1545,7 +1541,7 @@ save_cont(struct magic_set *ms, struct cont *c)
|
||||
private void
|
||||
restore_cont(struct magic_set *ms, struct cont *c)
|
||||
{
|
||||
- free(ms->c.li);
|
||||
+ efree(ms->c.li);
|
||||
ms->c = *c;
|
||||
}
|
||||
|
||||
diff --git a/ext/fileinfo/tests/bug81723.phpt b/ext/fileinfo/tests/bug81723.phpt
|
||||
new file mode 100644
|
||||
index 0000000000..16bfb81f10
|
||||
--- /dev/null
|
||||
+++ b/ext/fileinfo/tests/bug81723.phpt
|
||||
@@ -0,0 +1,12 @@
|
||||
+--TEST--
|
||||
+Bug #81723 (Memory corruption in finfo_buffer())
|
||||
+--EXTENSIONS--
|
||||
+fileinfo
|
||||
+--FILE--
|
||||
+<?php
|
||||
+$data = hex2bin("00018a7570001097db97979897977d87979797000092001f0051000000000000000000ffff7fff00000000001e0000000000000000000000000c0000000000000000000000000000dc0000000100000000000000004f011900007f0000000000180039000000000000000000000000000000dc0000000100000000000000004f011900007f0000f500000000eeff0000000000000000010000fd00");
|
||||
+
|
||||
+$f = finfo_open();
|
||||
+finfo_buffer($f, $data);
|
||||
+?>
|
||||
+--EXPECT--
|
||||
--
|
||||
2.27.0
|
||||
|
||||
Binary file not shown.
8
php.spec
8
php.spec
@ -22,11 +22,11 @@
|
||||
%global with_freetds 0
|
||||
%global with_sodium 0
|
||||
%global with_pspell 0
|
||||
%global upver 8.1.1
|
||||
%global upver 8.1.10
|
||||
|
||||
Name: php
|
||||
Version: %{upver}
|
||||
Release: 5
|
||||
Release: 1
|
||||
Summary: PHP scripting language for creating dynamic web sites
|
||||
License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA and Boost
|
||||
URL: http://www.php.net/
|
||||
@ -56,10 +56,6 @@ Patch5: php-7.4.0-phpize.patch
|
||||
Patch6: php-7.4.0-ldap_r.patch
|
||||
Patch7: php-8.1.0-phpinfo.patch
|
||||
Patch8: php-7.4.0-datetests.patch
|
||||
Patch9: backport-CVE-2021-21708-Fix-81708.patch
|
||||
Patch10: backport-CVE-2022-31625.patch
|
||||
Patch11: backport-CVE-2022-31626.patch
|
||||
Patch12: backport-CVE-2022-31627.patch
|
||||
|
||||
BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
|
||||
BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user