author | Stanislav Malyshev <stas@php.net> | 2019-01-06 23:34:02 -0800 |
---|---|---|
committer | Remi Collet <remi@php.net> | 2019-01-07 11:07:19 +0100 |
commit | 9bc3ca418f9e3f8838a5a39dbcd559cf9bf1cf4b (patch) | |
tree | 2bc9b1ded13631f57667522bad9f78c10d52ac9b | |
parent | f94b81ce48e91ec4ebcbd45bc121466d8a816b03 (diff) | |
download | php-git-9bc3ca418f9e3f8838a5a39dbcd559cf9bf1cf4b.tar.gz |
Merge branch 'PHP-7.1' into PHP-7.2
* PHP-7.1:
Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
Add NEWS
[ci skip] Add NEWS
Fix more issues with encoding length
Fix #77270: imagecolormatch Out Of Bounds Write on Heap
Fix bug #77380 (Global out of bounds read in xmlrpc base64 code)
Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
Fix #77269: Potential unsigned underflow in gdImageScale
Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
Regenerate certs for openssl tests
-rw-r--r-- | ext/mbstring/oniguruma/src/utf16_be.c | 4 | ||||
-rw-r--r-- | ext/mbstring/oniguruma/src/utf16_le.c | 3 | ||||
-rw-r--r-- | ext/mbstring/oniguruma/src/utf32_be.c | 1 | ||||
-rw-r--r-- | ext/mbstring/oniguruma/src/utf32_le.c | 1 | ||||
-rw-r--r-- | ext/mbstring/tests/bug77418.phpt | 14 |
5 files changed, 21 insertions, 2 deletions
diff --git a/ext/mbstring/oniguruma/src/utf16_be.c b/ext/mbstring/oniguruma/src/utf16_be.c
index f220cca228..c3bf6c39dc 100644
--- a/ext/mbstring/oniguruma/src/utf16_be.c
+++ b/ext/mbstring/oniguruma/src/utf16_be.c
@@ -82,16 +82,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end)
 }
 static OnigCodePoint
-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16be_mbc_to_code(const UChar* p, const UChar* end)
 {
 OnigCodePoint code;
 if (UTF16_IS_SURROGATE_FIRST(*p)) {
+ if (end - p < 4) return 0;
 code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16) + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8) + p[3];
 } else {
+ if (end - p < 2) return 0;
 code = p[0] * 256 + p[1];
 }
 return code;
diff --git a/ext/mbstring/oniguruma/src/utf16_le.c b/ext/mbstring/oniguruma/src/utf16_le.c
index 89bc72f05d..871872f478 100644
--- a/ext/mbstring/oniguruma/src/utf16_le.c
+++ b/ext/mbstring/oniguruma/src/utf16_le.c
@@ -97,13 +97,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end)
 }
 static OnigCodePoint
-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16le_mbc_to_code(const UChar* p, const UChar* end)
 {
 OnigCodePoint code;
 UChar c0 = *p;
 UChar c1 = *(p+1);
 if (UTF16_IS_SURROGATE_FIRST(c1)) {
+ if (end - p < 4) return 0;
 code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16) + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8) + p[2];
diff --git a/ext/mbstring/oniguruma/src/utf32_be.c b/ext/mbstring/oniguruma/src/utf32_be.c
index d0c7f39703..b65c1c13a6 100644
--- a/ext/mbstring/oniguruma/src/utf32_be.c
+++ b/ext/mbstring/oniguruma/src/utf32_be.c
@@ -67,6 +67,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
 static OnigCodePoint
 utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+ if (end - p < 4) return 0;
 return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
 }
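Review bot: In utf16be_mbc_to_code the new truncation guards return 0, which is also the valid code point U+0000, so a caller cannot tell a cut-off sequence from a real NUL; the guards added to utf16le_mbc_to_code, utf32be_mbc_to_code and utf32le_mbc_to_code use the same in-band value. The choice keeps the read inside the buffer, but it deserves a comment above each guard, for example `/* truncated sequence: report U+0000 instead of reading past end */`. `UTF16_IS_SURROGATE_FIRST(*p)` also dereferences `p` before either guard, so the function still assumes `p < end` on entry, and stating that precondition in the same comment would make the contract explicit.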
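Review bot: In utf16le_mbc_to_code the new `end - p < 4` guard sits after `UChar c1 = *(p+1);`, so the second byte is still loaded unconditionally, and unlike the big-endian version no two-byte guard is visible for the non-surrogate path. If a caller passes a single remaining byte, that load would still read one past `end`. Declaring `UChar c0, c1;` without initialisers and placing `if (end - p < 2) return 0;` before assigning them would close this while keeping declarations first. The non-surrogate branch lies outside the hunk, so confirm it has no later check of its own.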
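Review bot: The signature of utf32be_mbc_to_code here, and of utf32le_mbc_to_code in utf32_le.c, still carries `ARG_UNUSED` on `end` although the added guard now reads it. The utf16 files in this commit drop the annotation for the same reason; doing so here, `utf32be_mbc_to_code(const UChar* p, const UChar* end)`, keeps the four decoders consistent. ARG_UNUSED is presumably an unused-parameter attribute, so leaving it is harmless at run time but misleading to a reader auditing which decoders check bounds.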
diff --git a/ext/mbstring/oniguruma/src/utf32_le.c b/ext/mbstring/oniguruma/src/utf32_le.c
index 33200d104e..4c2ffc7868 100644
--- a/ext/mbstring/oniguruma/src/utf32_le.c
+++ b/ext/mbstring/oniguruma/src/utf32_le.c
@@ -67,6 +67,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end)
 static OnigCodePoint
 utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+ if (end - p < 4) return 0;
 return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
 }
diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt
new file mode 100644
index 0000000000..b4acc45c21
--- /dev/null
+++ b/ext/mbstring/tests/bug77418.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #77371 (Heap overflow in utf32be_mbc_to_code)
+--SKIPIF--
+<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+--FILE--
+<?php
+mb_regex_encoding("UTF-32");
+var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ string(30) "000000000000000000000000000000"
+} |
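Review bot: The `--TEST--` title in bug77418.phpt reads `Bug #77371`, while the file name and the commit message both refer to bug #77418 for utf32be_mbc_to_code; the title should be `Bug #77418 (Heap overflow in utf32be_mbc_to_code)` so a failure points at the right report. The test sets only `mb_regex_encoding("UTF-32")`, so the guards added to the UTF-16 decoders and to utf32le_mbc_to_code appear to have no regression test in this commit. Companion cases using the other regex encodings with a truncated subject would cover them.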