From 35fd97c3c931b53459a49d06b43cf0b6912b1633 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Mon, 18 Jul 2022 15:46:38 +0200
Subject: [PATCH] Fix GH-9033: Loading blacklist file can fail due to negative length

If the blacklist file contains a line with a single double-quote, we called `zend_strndup(pbuf, -1)` what causes an unnecessary bail out; instead we just ignore that line.

If the blacklist file contains an empty line, we may have caused an OOB read; instead we just ignore that line.

Closes GH-9036.
---
 NEWS | 4 ++++
 ext/opcache/zend_accelerator_blacklist.c | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index a97c6f04020..1d011072352 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,10 @@ PHP NEWS
 - DBA:
 . Fixed LMDB driver memory leak on DB creation failure (Girgias)

+- OPcache:
+ . Fixed bug GH-9033 (Loading blacklist file can fail due to negative length).
+ (cmb)
+
 - Standard:
 . Fixed bug GH-9017 (php_stream_sock_open_from_socket could return NULL).
 (Heiko Weber)
diff --git a/ext/opcache/zend_accelerator_blacklist.c b/ext/opcache/zend_accelerator_blacklist.c
index febe38aa925..f0e3b69ae5f 100644
--- a/ext/opcache/zend_accelerator_blacklist.c
+++ b/ext/opcache/zend_accelerator_blacklist.c
@@ -276,12 +276,12 @@ static void zend_accel_blacklist_loadone(zend_blacklist *blacklist, char *filena
 }
 /* strip \" */
- if (pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {
+ if (path_length > 0 && pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {
 *pbuf++ = 0;
 path_length -= 2;
 }
- if (path_length == 0) {
+ if (path_length <= 0) {
 continue;
 }
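Review bot: The lone-quote case is still handled only indirectly. With `path_length == 1` both `pbuf[0]` and `pbuf[path_length - 1]` are the same character, so the strip branch runs and leaves `path_length` at -1, and only the following `if (path_length <= 0)` keeps that value away from later uses. That depends on `path_length` being a signed type, whose declaration is outside this hunk; if it were ever changed to `size_t`, the check would stop catching the wrapped value. I would record the invariant next to the check, for example `/* a lone '"' matches both ends and leaves path_length == -1; such lines and empty lines are skipped */`. The diffstat shows no test file, so a regression test with a blacklist file containing an empty line and a line holding a single `"` would pin both fixes. The body of `zend_accel_blacklist_loadone` starts and ends outside the hunk.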