mirror of https://github.com/php/php-src.git synced 2026-04-20 14:31:06 +02:00
Commit Graph

214 Commits

Author SHA1 Message Date
Stanislav Malyshev
0496f5407f Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
  Update NEWS
  Fix bug #74087
  Fixed parsing of strange formats with mixed month/day and time strings
  Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
  Fixed bug #74111
  Fix #74435: Buffer over-read into uninitialized memory
  Fix bug #74603 - use correct buffer size
  Fix bug #74651 - check EVP_SealInit as it can return -1
  Update NEWS
  Fix bug #73807
2017-07-04 19:44:51 -07:00
Nikita Popov
3a25a56a92 Fixed bug #74111 2017-07-04 19:38:42 -07:00
Nikita Popov
f8c514ba6b Fixed bug #74111 2017-07-04 19:06:16 -07:00
Remi Collet
4b38feabe7 Adapt for 32-bits which fails at different offset (49 vs 38) 2017-07-04 20:25:59 +02:00
Nikita Popov
d02f953faf Fixed bug #74101 and bug #74614 2017-07-04 10:39:41 +02:00
Remi Collet
0e21d8066b fix test for 32bits (int -> float)
(cherry picked from commit 0f1ae93bfa)
2017-02-01 11:49:52 +01:00
Remi Collet
aa9742d80d fix test for 32bits (int -> float) 2017-02-01 10:25:30 +01:00
Nikita Popov
e0ca519a8b Merge branch 'PHP-5.6' into PHP-7.0 2017-01-16 14:11:41 +01:00
Nikita Popov
6477bb724e Add additional serialize tests for fixed bugs
These have been fixed as a side-effect of the delayed __wakeup
patch.
2017-01-16 13:24:13 +01:00
Remi Collet
db890956ec add skip when json not loaded 2017-01-06 06:23:59 +01:00
Nikita Popov
b47c49d7a0 Merge branch 'PHP-5.6' into PHP-7.0 2017-01-05 00:24:25 +01:00
Nikita Popov
f697874e3f Add tests for delayed __wakeup() 2017-01-05 00:21:48 +01:00
Stanislav Malyshev
7f0de1a138 Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
  Fix bug #73737 FPE when parsing a tag format
  Fix bug #73773 - Seg fault when loading hostile phar
  Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
  Fix bug #73768 - Memory corruption when loading hostile phar
  Fix int overflows in phar (bug #73764)
2017-01-02 21:01:35 -08:00
Stanislav Malyshev
fa2125df67 Merge branch 'PHP-5.6.30' into PHP-5.6
* PHP-5.6.30:
  Fix bug #73737 FPE when parsing a tag format
  Fix bug #73773 - Seg fault when loading hostile phar
  Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
  Fix bug #73768 - Memory corruption when loading hostile phar
  Fix int overflows in phar (bug #73764)
2017-01-02 20:56:32 -08:00
Nikita Popov
4877641962 Fixed bug #73154
The object that is being serialized may be destroyed during the
execution of __sleep(), so operate on a copy instead.
2017-01-01 19:24:41 +01:00
Nikita Popov
9f560baef5 Merge branch 'PHP-5.6' into PHP-7.0 2017-01-01 14:12:26 +01:00
Nikita Popov
a65ad951ad Fix bug #70213 2017-01-01 14:10:49 +01:00
Stanislav Malyshev
16b3003ffc Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data() 2016-12-30 16:59:46 -08:00
Anatol Belski
2b30b54275 Merge remote-tracking branch 'phpsec/PHP-7.0.13' into PHP-7.0
* phpsec/PHP-7.0.13:
  Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
  Fix #72696: imagefilltoborder stackoverflow on truecolor images
  Fix #72482: Illegal write/read access caused by gdImageAALine overflow
  Fix bug #73144 and bug #73341 - remove extra dtor
  remove unreferenced var came in with merge
  Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
  fix version
  set versions
2016-11-08 11:13:29 +01:00
Nikita Popov
b2af4e8868 Complete the fix of bug #70172 for PHP 7 2016-11-05 23:06:27 +01:00
Stanislav Malyshev
7cf7920055 Fix bug #73144 and bug #73341 - remove extra dtor
(cherry picked from commit f74d7d92c8)

Conflicts:
	ext/spl/spl_array.c

Merged the test only, in 7.0 tree the removed dtor call is already
not present.
2016-11-01 13:01:58 +01:00
Stanislav Malyshev
f74d7d92c8 Fix bug #73144 and bug #73341 - remove extra dtor 2016-10-23 22:03:16 -07:00
Nikita Popov
89d3e234af Fix test output
Changed due to eca84946a4.
2016-10-23 22:26:25 +02:00
Stanislav Malyshev
082d1f2375 Fix tests 2016-10-11 16:18:08 -07:00
Stanislav Malyshev
6a7cc8ff85 Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction 2016-09-12 21:04:23 -07:00
Stanislav Malyshev
27876d22ef Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
(cherry picked from commit b6e1e5e0b3e6221c7b14fa10cba30f5c5e719e1b)

Conflicts:
	Zend/zend_objects_API.c
	ext/standard/var_unserializer.c
	ext/standard/var_unserializer.re
2016-09-12 17:53:44 +02:00
Nikita Popov
e0f9fbdfa6 Bug #72663 - part 3
When using the php_serialize session serialization handler, do
not use the result of the unserialization if it failed.
2016-08-17 01:01:03 -07:00
Nikita Popov
61f2f5a0f7 Bug #72663 - part 2
If a (nested) unserialize() call fails, we remove all the values
that were inserted into var_hash during that call. This prevents
their use in other unserializations in the same context.
2016-08-17 00:47:02 -07:00
Nikita Popov
2135fdef9b Bug #72663 - part 1
Don't call __destruct() on an unserialized object that has a
__wakeup() method if either
a) unserialization of its properties fails or
b) the __wakeup() call fails (e.g. by throwing).

This basically treats __wakeup() as a form of constructor and
aligns us with the usual behavior that if the constructor call
fails the destructor should not be called.

The security aspect here is that people use __wakeup() to prevent
unserialization of objects with dangerous __destruct() methods,
but this is ineffective if __destruct() can still be called while
__wakeup() was skipped.
2016-08-17 00:45:57 -07:00
Xinchen Hui
f71fcf8bdd Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
  backport to 5.6 (we should not unset the default value)

Conflicts:
	Zend/zend_exceptions.c
	ext/standard/tests/serialize/bug69152.phpt
2016-07-12 12:18:09 +08:00
Xinchen Hui
7903276f4c backport to 5.6 (we should not unset the default value) 2016-07-12 12:14:45 +08:00
Xinchen Hui
7989db975f Fixed bug #72229 (Wrong reference when serialize/unserialize an object) 2016-05-17 17:40:26 +08:00
Xinchen Hui
5db4d9a71c Fixed bug #71995 (Returning the same var twice from __sleep() produces broken serialized data) 2016-04-09 10:01:04 -07:00
Xinchen Hui
7e042224a2 Fixed bug #71940 (Unserialize crushes on restore object reference) 2016-04-07 13:56:55 +08:00
Xinchen Hui
fe1a3fc08b Merge branch 'PHP-5.6' into PHP-7.0
* PHP-5.6:
  Fixed bug #71841 (EG(error_zval) is not handled well)
  Fixed bug #71840 (Unserialize accepts wrongly data)

Conflicts:
	Zend/zend_vm_def.h
	Zend/zend_vm_execute.h
	ext/standard/var_unserializer.c
2016-03-17 15:22:44 +08:00
Xinchen Hui
6f241f5fad Fixed bug #71840 (Unserialize accepts wrongly data) 2016-03-17 15:15:28 +08:00
Anatol Belski
0d0978dfa6 fix dir separator 2016-02-02 09:56:57 +01:00
Stanislav Malyshev
52e0c4081f Fix bug #71313 - Use-after-free vulnerability in SPL(SplObjectStorage, unserialize) 2016-01-17 23:23:42 -08:00
Stanislav Malyshev
bcd64a9bdd Fixed bug #71311: Use-after-free vulnerability in SPL(ArrayObject, unserialize) 2016-01-17 17:53:03 -08:00
Xinchen Hui
fd545f4f44 Also fixed 'r' 2015-11-24 11:48:03 +08:00
Xinchen Hui
91fb1edbbf Fixed bug #70963 (Unserialize shows UNKNOW in result)
Thanks to ryat for reporting
2015-11-24 11:04:42 +08:00
Stanislav Malyshev
b94f67885c Skip serialize test if ext/session is not loaded 2015-10-18 15:43:03 -07:00
Sara Golemon
a2082b7c97 Add some tests for unserialize() class filtering 2015-10-06 12:04:11 -07:00
Anatol Belski
37c85ebb94 check for test requirement 2015-09-25 11:50:15 +02:00
Xinchen Hui
49ee37d870 Seems master is not affected 2015-09-02 23:15:57 -07:00
Xinchen Hui
6290344d96 Fixed test 2015-09-02 21:59:36 -07:00
Julien Pauli
60e2207c34 Merge branch 'PHP-5.6'
* PHP-5.6:
  5.5.30 next
  More fixes for bug #70219

Conflicts:
	ext/pcre/php_pcre.c
	ext/session/session.c
2015-09-02 17:51:02 +02:00
Stanislav Malyshev
9c35f87e9a Temporarily add XFAILs, will fix soon 2015-09-02 01:23:40 -07:00
Stanislav Malyshev
9b1a224d4e Merge branch 'PHP-5.6'
* PHP-5.6: (21 commits)
  fix unit tests
  update NEWS
  add NEWS for fixes
  Improve fix for #70172
  Fix bug #70312 - HAVAL gives wrong hashes in specific cases
  fix test
  add test
  Fix bug #70366 - use-after-free vulnerability in unserialize() with SplDoublyLinkedList
  Fix bug #70365 - use-after-free vulnerability in unserialize() with SplObjectStorage
  Fix bug #70172 - Use After Free Vulnerability in unserialize()
  Fix bug #70388 - SOAP serialize_function_call() type confusion
  Fixed bug #70350: ZipArchive::extractTo allows for directory traversal when creating directories
  Improve fix for #70385
  Fix bug #70345 (Multiple vulnerabilities related to PCRE functions)
  Fix bug #70385 (Buffer over-read in exif_read_data with TIFF IFD tag byte value of 32 bytes)
  Fix bug #70219 (Use after free vulnerability in session deserializer)
  Fix bug #70284 (Use after free vulnerability in unserialize() with GMP)
  Fix for bug #69782
  Add CVE IDs assigned (post release) to PHP 5.4.43
  Add CVE IDs assigned to #69085 (PHP 5.4.39)
  ...

Conflicts:
	ext/exif/exif.c
	ext/gmp/gmp.c
	ext/pcre/php_pcre.c
	ext/session/session.c
	ext/session/tests/session_decode_variation3.phpt
	ext/soap/soap.c
	ext/spl/spl_observer.c
	ext/standard/var.c
	ext/standard/var_unserializer.c
	ext/standard/var_unserializer.re
	ext/xsl/xsltprocessor.c
2015-09-02 00:37:20 -07:00
Stanislav Malyshev
a6c063d663 Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
  More fixes for bug #70219
2015-09-01 12:51:48 -07:00