From 1fdffd1c55d771ca22ae217784ab75fce592ad38 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Thu, 12 Mar 2020 13:04:04 +0100 Subject: [PATCH 1/5] Fix #79371: mb_strtolower (UTF-32LE): stack-buffer-overflow We make sure that negative values are properly compared. --- ext/mbstring/php_unicode.c | 2 +- ext/mbstring/tests/bug79371.phpt | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 ext/mbstring/tests/bug79371.phpt diff --git a/ext/mbstring/php_unicode.c b/ext/mbstring/php_unicode.c index ac452b6a207..acb16bf06e4 100644 --- a/ext/mbstring/php_unicode.c +++ b/ext/mbstring/php_unicode.c @@ -315,7 +315,7 @@ static int convert_case_filter(int c, void *void_data) /* Handle invalid characters early, as we assign special meaning to * codepoints above 0xffffff. */ - if (UNEXPECTED(c > 0xffffff)) { + if (UNEXPECTED((unsigned) c > 0xffffff)) { (*data->next_filter->filter_function)(c, data->next_filter); return 0; } diff --git a/ext/mbstring/tests/bug79371.phpt b/ext/mbstring/tests/bug79371.phpt new file mode 100644 index 00000000000..3014feba536 --- /dev/null +++ b/ext/mbstring/tests/bug79371.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +string(8) "3f000000" From 25238bdf6005b85ab844aa2b743b589dfce9f0d2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 15 Mar 2020 17:26:00 -0700 Subject: [PATCH 2/5] Fixed bug #79282 --- ext/exif/exif.c | 7 ++++++- ext/exif/tests/bug79282.phpt | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ext/exif/tests/bug79282.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index f6dd08e8819..95d8fc9e454 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c 
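Review bot: The cast in `if (UNEXPECTED((unsigned) c > 0xffffff))` is the whole fix, yet the comment directly above it still says only "codepoints above 0xffffff", so the next reader has no hint that negative c is the case this branch now exists for and may "simplify" the cast away. Suggest extending that comment with `/* Negative values (presumably the decoder's marker for an invalid sequence) are folded into this range by the unsigned cast; do not drop it (bug #79371). */`, or spelling the condition as `c < 0 || c > 0xffffff` so the intent needs no cast at all. Converting a negative int to unsigned is well-defined in C, so the cast itself is sound; the concern is only readability. The body of convert_case_filter continues outside the hunk.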
@@ -3665,6 +3665,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, { unsigned exif_value_2a, offset_of_ifd; + if (length < 2) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); + return; + } + /* set the thumbnail stuff to nothing so we can test to see if they get set up */ if (memcmp(CharBuf, "II", 2) == 0) { ImageInfo->motorola_intel = 0; @@ -3817,7 +3822,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) return FALSE; } - sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); + sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); Data = ImageInfo->file.list[sn].data; /* Store first two pre-read bytes. */ diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt new file mode 100644 index 00000000000..7b7e3656579 --- /dev/null +++ b/ext/exif/tests/bug79282.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #79282: Use-of-uninitialized-value in exif +--FILE-- + +--EXPECTF-- +Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d + +Warning: exif_read_data(): File structure corrupted in %s on line %d + +Warning: exif_read_data(): Invalid JPEG file in %s on line %d +bool(false) From 69fdc14152edefd75a33be7fe87d1194098c67f7 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 15 Mar 2020 17:30:44 -0700 Subject: [PATCH 3/5] Fix bug #79329 - get_headers should not accept \0 --- ext/standard/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/standard/url.c b/ext/standard/url.c index 1117d6ed631..6880e40a018 100644 --- a/ext/standard/url.c +++ b/ext/standard/url.c @@ -672,7 +672,7 @@ PHP_FUNCTION(get_headers) php_stream_context *context; ZEND_PARSE_PARAMETERS_START(1, 3) - Z_PARAM_STRING(url, url_len) + Z_PARAM_PATH(url, url_len) Z_PARAM_OPTIONAL Z_PARAM_LONG(format) Z_PARAM_RESOURCE_EX(zcontext, 1, 0) From 62e7b80267ac50364c0d74d3cd567da90639534b Mon Sep 17 00:00:00 2001 
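Review bot: The new `if (length < 2)` guard covers only the two-byte `memcmp(CharBuf, "II", 2)` that follows; the locals `exif_value_2a` and `offset_of_ifd` declared just above suggest the function goes on to read the 0x2A marker and the IFD offset from CharBuf, i.e. up to 8 bytes of TIFF header, and those reads lie outside the hunk. Unless a later check already bounds them against `length`, the guard would be tighter as `if (length < 8)`, or each later read needs its own bound — worth confirming before this is considered closed. A short comment such as `/* need the 2-byte byte-order marker before the memcmp() below */` would also record why 2 is the threshold. exif_process_TIFF_in_JPEG starts before and ends after this hunk.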
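Review bot: Dropping the `+1` in `sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);` removes the never-initialised trailing byte, but it also removes a byte of slack that a downstream consumer of `ImageInfo->file.list[sn].data` may have been relying on (for instance as a NUL terminator when section data is handled as a string), so reads at `data[itemlen]` should be audited in the same change. The comment `/* Store first two pre-read bytes. */` right after implies writes to Data[0] and Data[1], which require `itemlen >= 2`; the check that returns FALSE just above is cut off by the hunk, so confirm it enforces that minimum. exif_scan_JPEG_header continues outside the hunk on both sides.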
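Review bot: Switching to `Z_PARAM_PATH(url, url_len)` rejects embedded NUL bytes, but unlike the other two fixes in this series the commit adds no regression test, so nothing pins the behaviour against a future revert to `Z_PARAM_STRING`. Suggest a `.phpt` under ext/standard/tests that calls `get_headers("http://localhost/\0x")` and checks the argument is refused (presumably a warning plus a NULL/false return on this branch — confirm the exact output). Because `Z_PARAM_PATH` reads as "filesystem path" while the argument is a URL, a comment such as `/* Z_PARAM_PATH: reject NUL bytes so the URL cannot be silently truncated (bug #79329) */` would explain the choice to later readers. The rest of PHP_FUNCTION(get_headers) lies outside the hunk.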
From: Stanislav Malyshev Date: Sun, 15 Mar 2020 17:55:28 -0700 Subject: [PATCH 4/5] Fix test --- ext/exif/tests/bug79282.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt index 7b7e3656579..df91127c9c5 100644 --- a/ext/exif/tests/bug79282.phpt +++ b/ext/exif/tests/bug79282.phpt @@ -7,7 +7,7 @@ var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg')); ?> --EXPECTF-- -Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d +Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d Warning: exif_read_data(): File structure corrupted in %s on line %d From e71fa03107bb7c11066420bf50c418cff1ca504f Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 15 Mar 2020 19:35:35 -0700 Subject: [PATCH 5/5] [ci skip] Update NEWS --- NEWS | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/NEWS b/NEWS index 32db597c9b9..835e7896ede 100644 --- a/NEWS +++ b/NEWS @@ -4,11 +4,21 @@ PHP NEWS - Core: . Fixed bug #79364 (When copy empty array, next key is unspecified). (cmb) + . Fixed bug #79329 (get_headers() silently truncates after a null byte) + (CVE-2020-7066) (cmb) . Fixed bug #78210 (Invalid pointer address). (cmb, Nikita) - CURL: . Fixed bug #79199 (curl_copy_handle() memory leak). (cmb) +- EXIF: + . Fixed bug #79282 (Use-of-uninitialized-value in exif) (CVE-2020-7064) + (Nikita) + +- MBstring: + . Fixed bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow at + php_unicode_tolower_full) (CVE-2020-7065) (cmb) + - SimpleXML: . Fixed bug #61597 (SXE properties may lack attributes and content). (cmb)