From 7f0ab7c20c83a52862ad7c8acf31c3fa739f1274 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 3 Mar 2019 18:22:32 -0800 Subject: [PATCH 1/8] Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename --- ext/phar/phar.c | 3 +++ ext/phar/tests/bug77396.phpt | 15 +++++++++++++++ 2 files changed, 18 insertions(+) create mode 100644 ext/phar/tests/bug77396.phpt diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 0d2173195c3..e117ab0dc06 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -1385,6 +1385,9 @@ int phar_create_or_parse_filename(char *fname, int fname_len, char *alias, int a /* set up our manifest */ mydata = ecalloc(1, sizeof(phar_archive_data)); mydata->fname = expand_filepath(fname, NULL); + if (mydata->fname == NULL) { + return FAILURE; + } fname_len = strlen(mydata->fname); #ifdef PHP_WIN32 phar_unixify_path_separators(mydata->fname, fname_len); diff --git a/ext/phar/tests/bug77396.phpt b/ext/phar/tests/bug77396.phpt new file mode 100644 index 00000000000..f7a2a2f0261 --- /dev/null +++ b/ext/phar/tests/bug77396.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #77396 Relative filename exceeding maximum path length causes null pointer dereference. +--SKIPIF-- + +--FILE-- + +--EXPECTF-- +Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s/bug77396.php:%d +Stack trace: +#0 %s/bug77396.php(%d): PharData->__construct(%s) +#1 {main} + thrown in %s/bug77396.php on line %d From 254a5914ad7f9dbdc4f6090229f6b0f4317a695e Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Wed, 9 Jan 2019 14:26:18 +0100 Subject: [PATCH 2/8] Fix #77431 SplFileInfo::__construct() accepts NUL bytes `SplFileInfo::__construct()` has to expect a path instead of a string, analogous to `SplFileObject::__construct()`. --- ext/spl/spl_directory.c | 2 +- ext/spl/tests/bug77431.phpt | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) create mode 100644 ext/spl/tests/bug77431.phpt diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c index fc4001ae1f8..748b1549b54 100644 --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@ -1110,7 +1110,7 @@ SPL_METHOD(SplFileInfo, __construct) char *path; size_t len; - if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "s", &path, &len) == FAILURE) { + if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "p", &path, &len) == FAILURE) { return; } diff --git a/ext/spl/tests/bug77431.phpt b/ext/spl/tests/bug77431.phpt new file mode 100644 index 00000000000..eb1ca96b756 --- /dev/null +++ b/ext/spl/tests/bug77431.phpt @@ -0,0 +1,9 @@ +--TEST-- +Bug #77431 (SplFileInfo::__construct() accepts NUL bytes) +--FILE-- + +--EXPECTF-- +Fatal error: Uncaught TypeError: SplFileInfo::__construct() expects parameter 1 to be a valid path, string given in %s:%d +Stack trace:%A \ No newline at end of file From 5e824a88d073d282c4f358f186cb87ddc284f83d Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Fri, 1 Mar 2019 23:25:45 -0800 Subject: [PATCH 3/8] Fix integer overflows on 32-bits --- ext/exif/exif.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/ext/exif/exif.c b/ext/exif/exif.c index cbde3effedf..b4563927a50 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3567,10 +3567,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse tag_table_type tag_table = exif_get_tag_table(section_index); if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) { - return FALSE; - } + return FALSE; + } - if (ImageInfo->FileSize >= dir_offset+2) { + if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) { sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL); #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2); @@ -3578,8 +3578,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */ php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2); num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel); - dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; - if (ImageInfo->FileSize >= dir_offset+dir_size) { + dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/; + if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) { #ifdef EXIF_DEBUG exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries); #endif @@ -3662,9 +3662,9 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse } } } - if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) { + if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) { if (ifd_size > dir_size) { - if (dir_offset + ifd_size > ImageInfo->FileSize) { + if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) { exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size); return FALSE; } From 5f0e62a3e5b525163e538aaab0161c2c8c5d057b Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 2 Mar 2019 13:38:00 -0800 Subject: [PATCH 4/8] Fix bug #77540 - Invalid Read on exif_process_SOFn --- ext/exif/exif.c | 10 ++++++++-- ext/exif/tests/bug77540.jpg | Bin 0 -> 91 bytes ext/exif/tests/bug77540.phpt | 16 ++++++++++++++++ 3 files changed, 24 insertions(+), 2 deletions(-) create mode 100644 ext/exif/tests/bug77540.jpg create mode 100644 ext/exif/tests/bug77540.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index b4563927a50..ea88a8f115e 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3509,7 +3509,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) return FALSE; marker = c; length = php_jpg_get16(data+pos); - if (pos+length>=ImageInfo->Thumbnail.size) { + if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { return FALSE; } #ifdef EXIF_DEBUG @@ -3530,6 +3530,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo) case M_SOF14: case M_SOF15: /* handle SOFn block */ + if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) { + /* exif_process_SOFn needs 8 bytes */ + return FALSE; + } exif_process_SOFn(data+pos, marker, &sof_info); ImageInfo->Thumbnail.height = sof_info.height; ImageInfo->Thumbnail.width = sof_info.width; @@ -4177,7 +4181,9 @@ PHP_FUNCTION(exif_thumbnail) ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size); if (arg_c >= 3) { if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) { - exif_scan_thumbnail(&ImageInfo); + if (!exif_scan_thumbnail(&ImageInfo)) { + ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0; + } } zval_dtor(p_width); zval_dtor(p_height); diff --git a/ext/exif/tests/bug77540.jpg b/ext/exif/tests/bug77540.jpg new file mode 100644 index 0000000000000000000000000000000000000000..559022db0e886b66801f2e7495a0ec97c4036993 GIT binary patch literal 91 zcmex=;~_(+Yei-n1B0(GgBAk=0}l{GfDi*S6B7d?ki*CdA_O69TM(NO!Ujp+Vqjum O_ +--FILE-- + +DONE +--EXPECTF-- +Width 0 +Height 0 +DONE \ No newline at end of file From 8ac6fee8562533a15db90062117210ed28b44fea Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 2 Mar 2019 15:07:40 -0800 Subject: [PATCH 5/8] Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE Also fix for bug #77659 --- ext/exif/exif.c | 3 ++- ext/exif/tests/bug77563.jpg | Bin 0 -> 63 bytes ext/exif/tests/bug77563.phpt | 16 ++++++++++++++++ 3 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 ext/exif/tests/bug77563.jpg create mode 100644 ext/exif/tests/bug77563.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index ea88a8f115e..fe89b854711 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -2741,7 +2741,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu break; } - if (maker_note->offset >= value_len) { + if (value_len < 2 || maker_note->offset >= value_len - 1) { /* Do not go past the value end */ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset); return FALSE; @@ -2794,6 +2794,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu break; default: case MN_OFFSET_NORMAL: + data_len = value_len; break; } diff --git a/ext/exif/tests/bug77563.jpg b/ext/exif/tests/bug77563.jpg new file mode 100644 index 0000000000000000000000000000000000000000..d6280151f096c2bbeb25477ce88360c0096f476e GIT binary patch literal 63 zcmex=;~|5MYei-n1B0(GgBAk=0}l{0FfcLlGcW>aRv=cJR0C#n0@>Prp5Fd`ewo?% Hc_1+Wd}j(# literal 0 HcmV?d00001 diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt new file mode 100644 index 00000000000..c14588664b7 --- /dev/null +++ b/ext/exif/tests/bug77563.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE) +--SKIPIF-- + +--FILE-- + +DONE +--EXPECTF-- +Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d + +Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d + +Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d +DONE \ No newline at end of file From 44f87fbf366661c22b0290e1001417fda6041be2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 3 Mar 2019 19:30:14 -0800 Subject: [PATCH 6/8] Fix test error message --- ext/exif/tests/bug77563.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt index c14588664b7..9e7ccc768b4 100644 --- a/ext/exif/tests/bug77563.phpt +++ b/ext/exif/tests/bug77563.phpt @@ -8,7 +8,7 @@ $s = exif_thumbnail(__DIR__."/bug77563.jpg"); ?> DONE --EXPECTF-- -Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d +Warning: exif_thumbnail(bug77563.jpg): IFD data too short: 0x0009 offset 0x0008 in %s/bug77563.php on line %d Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d From 759e841b247691ca3e18fd08313db26a12a41007 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 3 Mar 2019 20:10:12 -0800 Subject: [PATCH 7/8] Update NEWS --- NEWS | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/NEWS b/NEWS index 587ed12ef11..640dd59a958 100644 --- a/NEWS +++ b/NEWS @@ -2,6 +2,22 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2019, PHP 7.1.27 +- Core: + . Fixed bug #77630 (rename() across the device may allow unwanted access during + processing). (Stas) + +- EXIF: + . Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (Stas) + . Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas) + . Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas) + . Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas) + +- PHAR: + . Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). + (bishop) + +- SPL: + . Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb) 10 Jan 2019, PHP 7.1.26 From e0f5d62bd6690169998474b62f92a8c5ddf0e699 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 3 Mar 2019 22:33:38 -0800 Subject: [PATCH 8/8] Fix bug #77586 - phar_tar_writeheaders_int() buffer overflow --- NEWS | 11 +++++----- ext/phar/tar.c | 7 ++++++- ext/phar/tests/bug71488.phpt | 5 +++-- ext/phar/tests/bug77586.phpt | 21 +++++++++++++++++++ ...-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC | 1 + 5 files changed, 37 insertions(+), 8 deletions(-) create mode 100644 ext/phar/tests/bug77586.phpt create mode 100644 ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC diff --git a/NEWS b/NEWS index 640dd59a958..4620c58dec4 100644 --- a/NEWS +++ b/NEWS @@ -3,18 +3,19 @@ PHP NEWS ?? ??? 2019, PHP 7.1.27 - Core: - . Fixed bug #77630 (rename() across the device may allow unwanted access during + . Fixed bug #77630 (rename() across the device may allow unwanted access during processing). (Stas) - + - EXIF: . Fixed bug #77509 (Uninitialized read in exif_process_IFD_in_TIFF). (Stas) - . Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas) - . Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas) + . Fixed bug #77540 (Invalid Read on exif_process_SOFn). (Stas) + . Fixed bug #77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas) . Fixed bug #77659 (Uninitialized read in exif_process_IFD_in_MAKERNOTE). (Stas) - PHAR: . Fixed bug #77396 (Null Pointer Dereference in phar_create_or_parse_filename). - (bishop) + (bishop) + . Fixed bug #77586 (phar_tar_writeheaders_int() buffer overflow). (bishop) - SPL: . Fixed bug #77431 (openFile() silently truncates after a null byte). (cmb) diff --git a/ext/phar/tar.c b/ext/phar/tar.c index 9de3047f7c9..20f68827275 100644 --- a/ext/phar/tar.c +++ b/ext/phar/tar.c @@ -762,7 +762,12 @@ static int phar_tar_writeheaders_int(phar_entry_info *entry, void *argument) /* header.typeflag = entry->tar_type; if (entry->link) { - strncpy(header.linkname, entry->link, strlen(entry->link)); + if (strlcpy(header.linkname, entry->link, sizeof(header.linkname)) >= sizeof(header.linkname)) { + if (fp->error) { + spprintf(fp->error, 4096, "tar-based phar \"%s\" cannot be created, link \"%s\" is too long for format", entry->phar->fname, entry->link); + } + return ZEND_HASH_APPLY_STOP; + } } strncpy(header.magic, "ustar", sizeof("ustar")-1); diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt index 53f1304343b..9c58d894881 100644 --- a/ext/phar/tests/bug71488.phpt +++ b/ext/phar/tests/bug71488.phpt @@ -13,5 +13,6 @@ DONE ---EXPECT-- -DONE +--EXPECTF-- +Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d +Stack trace:%A \ No newline at end of file diff --git a/ext/phar/tests/bug77586.phpt b/ext/phar/tests/bug77586.phpt new file mode 100644 index 00000000000..039cc16994e --- /dev/null +++ b/ext/phar/tests/bug77586.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #77586 Symbolic link names in tar-formatted phar must be less than 100 bytes. +--SKIPIF-- + +--FILE-- +buildFromDirectory($dir . "/files"); +?> +--CLEAN-- + +--EXPECTF-- +Fatal error: Uncaught PharException: tar-based phar "%s/bug77586.tar" cannot be created, link "%s" is too long for format %s +Stack trace: +#0 %s/bug77586.php(%d): PharData->buildFromDirectory('%s') +#1 {main} + thrown in %s/bug77586.php %s on line %d diff --git a/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC b/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC new file mode 100644 index 00000000000..1de565933b0 --- /dev/null +++ b/ext/phar/tests/bug77586/files/link-nktarAMLdJBv7BGYnpzg-ZDycSpWN3Ne3kacltOSE-EqfhStJ1EoBpGuoua6VE-dne29hvpNWXiVbepwIf8-NRHWM9LITLo3nXZnKVNC @@ -0,0 +1 @@ +target \ No newline at end of file