From a5a15965da23c8e97657278fc8dfbf1dfb20c016 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 25 Nov 2019 16:56:34 +0100 Subject: [PATCH 1/5] Fix #78863: DirectoryIterator class silently truncates after a null byte Since the constructor of DirectoryIterator and friends is supposed to accepts paths (i.e. strings without NUL bytes), we must not accept arbitrary strings. --- ext/spl/spl_directory.c | 4 ++-- ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 2 deletions(-) create mode 100644 ext/spl/tests/bug78863.phpt diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c index 91ea2e02653..56e809b1c7a 100644 --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@ -708,10 +708,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO; - parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags); + parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags); } else { flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF; - parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len); + parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len); } if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) { flags |= SPL_FILE_DIR_SKIPDOTS; diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt new file mode 100644 index 00000000000..dc88d98deee --- /dev/null +++ b/ext/spl/tests/bug78863.phpt @@ -0,0 +1,31 @@ +--TEST-- +Bug #78863 (DirectoryIterator class silently truncates after a null byte) +--FILE-- +isDot()) { + var_dump($fileinfo->getFilename()); + } +} +?> +--EXPECTF-- +Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d +Stack trace: +#0 %s(%d): DirectoryIterator->__construct('%s') +#1 {main} + thrown in %s on line %d +--CLEAN-- + From 0e6c0654ed06751ced134515f7629c40bd979d7f Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sat, 23 Nov 2019 13:01:33 +0100 Subject: [PATCH 2/5] Fix #78862: link() silently truncates after a null byte on Windows Since link() is supposed to accepts paths (i.e. strings without NUL bytes), we must not accept arbitrary strings. --- ext/standard/link_win32.c | 2 +- .../tests/file/windows_links/bug78862.phpt | 17 +++++++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 ext/standard/tests/file/windows_links/bug78862.phpt diff --git a/ext/standard/link_win32.c b/ext/standard/link_win32.c index b46dee6a260..0197ec02afc 100644 --- a/ext/standard/link_win32.c +++ b/ext/standard/link_win32.c @@ -211,7 +211,7 @@ PHP_FUNCTION(link) /*First argument to link function is the target and hence should go to frompath Second argument to link function is the link itself and hence should go to topath */ - if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &frompath, &frompath_len, &topath, &topath_len) == FAILURE) { return; } diff --git a/ext/standard/tests/file/windows_links/bug78862.phpt b/ext/standard/tests/file/windows_links/bug78862.phpt new file mode 100644 index 00000000000..33b4b492930 --- /dev/null +++ b/ext/standard/tests/file/windows_links/bug78862.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #78862 (link() silently truncates after a null byte on Windows) +--FILE-- + +--EXPECTF-- +Warning: link() expects parameter 1 to be a valid path, string given in %s on line %d +NULL +bool(false) +--CLEAN-- + From b771a18133bdfd95ce36932e5b83a724f17a1427 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 30 Nov 2019 15:37:28 -0800 Subject: [PATCH 3/5] Fix test --- ext/spl/tests/bug54291.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt index b15a3723d47..b4c1a2dc4ba 100644 --- a/ext/spl/tests/bug54291.phpt +++ b/ext/spl/tests/bug54291.phpt @@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0) $dir = new DirectoryIterator("\x00/abc"); $dir->isFile(); --EXPECTF-- -Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d +Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d Stack trace: #0 %s(%d): DirectoryIterator->__construct('\x00/abc') #1 {main} From eb23c6008753b1cdc5359dead3a096dce46c9018 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sat, 30 Nov 2019 12:26:37 +0100 Subject: [PATCH 4/5] Fix #78878: Buffer underflow in bc_shift_addsub We must not rely on `isdigit()` to detect digits, since we only support decimal ASCII digits in the following processing. --- ext/bcmath/libbcmath/src/str2num.c | 4 ++-- ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++ 2 files changed, 15 insertions(+), 2 deletions(-) create mode 100644 ext/bcmath/tests/bug78878.phpt diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c index f38d341570f..03aec15930b 100644 --- a/ext/bcmath/libbcmath/src/str2num.c +++ b/ext/bcmath/libbcmath/src/str2num.c @@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale) zero_int = FALSE; if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */ while (*ptr == '0') ptr++; /* Skip leading zeros. */ - while (isdigit((int)*ptr)) ptr++, digits++; /* digits */ + while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */ if (*ptr == '.') ptr++; /* decimal point */ - while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */ + while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */ if ((*ptr != '\0') || (digits+strscale == 0)) { *num = bc_copy_num (BCG(_zero_)); diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt new file mode 100644 index 00000000000..2c9d72b9468 --- /dev/null +++ b/ext/bcmath/tests/bug78878.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #78878 (Buffer underflow in bc_shift_addsub) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bc math warning: non-zero scale in modulus +0 From d348cfb96f2543565691010ade5e0346338be5a7 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 16 Dec 2019 00:10:39 -0800 Subject: [PATCH 5/5] Fixed bug #78910 --- ext/exif/exif.c | 3 ++- ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 1 deletion(-) create mode 100644 ext/exif/tests/bug78910.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index f961f44a46c..c0be05922fb 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3165,7 +3165,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu continue; if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model))) continue; - if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) + if (maker_note->id_string && value_len >= maker_note->id_string_len + && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len)) continue; break; } diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt new file mode 100644 index 00000000000..f5b1c32c1bd --- /dev/null +++ b/ext/exif/tests/bug78910.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044) +--FILE-- + +--EXPECTF-- +Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote ): Illegal format code 0x2020, switching to BYTE in %s on line %d + +Warning: exif_read_data(): Process tag(x927C=MakerNote ): Illegal format code 0x2020, suppose BYTE in %s on line %d + +Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d + +Warning: exif_read_data(): Invalid TIFF file in %s on line %d +bool(false)