php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-04-01 05:02:27 +02:00
Code Issues Packages Projects Releases Wiki Activity

Make php_url_parse_ex() respect length argument

Browse Source 
This should fix all out-of-bounds reads that could previously
occur if the string passed to php_url_parse_ex() is not NUL
terminated.
This commit is contained in:
Nikita Popov
2016-11-18 16:41:13 +01:00
parent f0f68c7274
commit 2d19c92fc2
1 changed files with 28 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
ext/standard/url.c
View File

@@ -104,7 +104,7 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
ue = s + length;
/* parse scheme */
if ((e = memchr(s, ':', length)) && (e - s)) {
if ((e = memchr(s, ':', length)) && e != s) {
/* validate scheme */
p = s;
while (p < e) {
@@ -119,7 +119,7 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
p++;
}
if (*(e + 1) == '\0') { /* only scheme is available */
if (e + 1 == ue) { /* only scheme is available */
ret->scheme = estrndup(s, (e - s));
php_replace_controlchars_ex(ret->scheme, (e - s));
return ret;
@@ -134,11 +134,11 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
* correctly parse things like a.com:80
*/
p = e + 1;
while (isdigit(*p)) {
while (p < ue && isdigit(*p)) {
p++;
}
if ((*p == '\0' || *p == '/') && (p - e) < 7) {
if ((p == ue || *p == '/') && (p - e) < 7) {
goto parse_port;
}
@@ -151,14 +151,14 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
ret->scheme = estrndup(s, (e-s));
php_replace_controlchars_ex(ret->scheme, (e - s));
if (*(e+2) == '/') {
if (e + 2 < ue && *(e + 2) == '/') {
s = e + 3;
if (!strncasecmp("file", ret->scheme, sizeof("file"))) {
if (*(e + 3) == '/') {
if (e + 3 < ue && *(e + 3) == '/') {
/* support windows drive letters as in:
file:///c:/somedir/file.txt
*/
if (*(e + 5) == ':') {
if (e + 5 < ue && *(e + 5) == ':') {
s = e + 4;
}
goto just_path;
@@ -174,18 +174,18 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
p = e + 1;
pp = p;
while (pp-p < 6 && isdigit(*pp)) {
while (pp < ue && pp - p < 6 && isdigit(*pp)) {
pp++;
}
if (pp - p > 0 && pp - p < 6 && (*pp == '/' || *pp == '\0')) {
if (pp - p > 0 && pp - p < 6 && (pp == ue || *pp == '/')) {
long port;
memcpy(port_buf, p, (pp - p));
port_buf[pp - p] = '\0';
port = strtol(port_buf, NULL, 10);
if (port > 0 && port <= 65535) {
ret->port = (unsigned short) port;
if (*s == '/' && *(s + 1) == '/') { /* relative-scheme URL */
if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */
s += 2;
}
} else {
@@ -193,22 +193,32 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
efree(ret);
return NULL;
}
} else if (p == pp && *pp == '\0') {
} else if (p == pp && pp == ue) {
STR_FREE(ret->scheme);
efree(ret);
return NULL;
} else if (*s == '/' && *(s + 1) == '/') { /* relative-scheme URL */
} else if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */
s += 2;
} else {
goto just_path;
}
} else if (*s == '/' && *(s + 1) == '/') { /* relative-scheme URL */
} else if (s + 1 < ue && *s == '/' && *(s + 1) == '/') { /* relative-scheme URL */
s += 2;
} else {
goto just_path;
}
e = s + strcspn(s, "/?#");
/* Binary-safe strcspn(s, "/?#") */
e = ue;
if ((p = memchr(s, '/', e - s))) {
e = p;
}
if ((p = memchr(s, '?', e - s))) {
e = p;
}
if ((p = memchr(s, '#', e - s))) {
e = p;
}
/* check for login and password */
if ((p = zend_memrchr(s, '@', (e-s)))) {
@@ -228,18 +238,16 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length)
}
/* check for port */
if (*s == '[' && *(e-1) == ']') {
if (s < ue && *s == '[' && *(e-1) == ']') {
/* Short circuit portscan,
we're dealing with an
IPv6 embedded address */
p = s;
p = NULL;
} else {
/* memrchr is a GNU specific extension
Emulate for wide compatibility */
for(p = e; p >= s && *p != ':'; p--);
p = zend_memrchr(s, ':', (e-s));
}
if (p >= s && *p == ':') {
if (p) {
if (!ret->port) {
p++;
if (e-p > 5) { /* port cannot be longer then 5 characters */