From 617698dfe0f22bfa6041e6f0728136002d30d2bc Mon Sep 17 00:00:00 2001
From: Taoguang Chen
Date: Sat, 14 Nov 2015 23:44:59 +0100
Subject: [PATCH 1/2] Fixed bug #70914 zend_throw_or_error() format string vulnerability

---
 Zend/tests/bug70914.phpt | 17 +++++++++++++++++
 Zend/zend_execute_API.c | 2 +-
 2 files changed, 18 insertions(+), 1 deletion(-)
 create mode 100644 Zend/tests/bug70914.phpt

diff --git a/Zend/tests/bug70914.phpt b/Zend/tests/bug70914.phpt
new file mode 100644
index 00000000000..7da64d7d929
--- /dev/null
+++ b/Zend/tests/bug70914.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #70895 null ptr deref and segfault with crafted callable
+--SKIPIF--
+
+--FILE--
+query('SELECT 1');
+$re = $st->fetchObject('%Z');
+?>
+--EXPECTREGEX--
+Fatal error: Class '%Z' not found in .+bug70914.php on line \d+
diff --git a/Zend/zend_execute_API.c b/Zend/zend_execute_API.c
index 9d255edfd44..9979aac2560 100644
--- a/Zend/zend_execute_API.c
+++ b/Zend/zend_execute_API.c
@@ -220,7 +220,7 @@ static void zend_throw_or_error(int fetch_type, zend_class_entry *exception_ce,
 if (fetch_type & ZEND_FETCH_CLASS_EXCEPTION) {
 zend_throw_error(exception_ce, message);
 } else {
- zend_error(E_ERROR, message);
+ zend_error(E_ERROR, "%s", message);
 }
 efree(message);

From e3d19e81a2498214f8d0309f22428e872c08c4c5 Mon Sep 17 00:00:00 2001
From: Anatol Belski
Date: Sat, 14 Nov 2015 23:48:40 +0100
Subject: [PATCH 2/2] update NEWS

---
 NEWS | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/NEWS b/NEWS
index 48746aafda8..8879a706ff3 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP NEWS
 ?? ??? 2015, PHP 7.0.1
 - Core:
+ . Fixed bug #70914 (zend_throw_or_error() format string vulnerability).
+ (Taoguang Chen)
 . Fixed bug #70912 (Null ptr dereference instantiating class with invalid
 array property). (Laruence)
 . Fixed bug #70898, #70895 (null ptr deref and segfault with crafted callable).
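Review bot: The `--TEST--` title reads `Bug #70895 null ptr deref and segfault with crafted callable`, which names a different bug; this file is bug70914.phpt and the commit fixes #70914, so the title should read `Bug #70914 (zend_throw_or_error() format string vulnerability)`. In `--EXPECTREGEX--` the dot in `bug70914.php` is unescaped and matches any character; `bug70914\.php` would be tighter.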
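Review bot: The exception branch just above the fix, `zend_throw_error(exception_ce, message);`, still passes the already-formatted `message` in the format position. If zend_throw_error() is printf-style like zend_error() (its prototype is not visible in this hunk), a class name containing `%` is interpreted as a format there as well, and the same treatment applies: `zend_throw_error(exception_ce, "%s", message);`. The added test expects a fatal error, so it appears to cover only the E_ERROR path; a second case that goes through ZEND_FETCH_CLASS_EXCEPTION would pin the other branch. zend_throw_or_error() begins and ends outside the hunk.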