Merge branch 'PHP-8.2' into PHP-8.3

* PHP-8.2: Fix potential OOB read in zend_dirname() on Windows
2026-03-24 00:02:20 +01:00 · 2024-11-29 22:09:15 +01:00
parent f1fc4e8ff7 94fa2a4ce1
commit 65070bb46c
3 changed files with 9 additions and 3 deletions
--- a/1
+++ b/1
@@ -19,6 +19,7 @@ PHP                                                                        NEWS
  . Fixed bug GH-16630 (UAF in lexer with encoding translation and heredocs).
    (nielsdos)
  . Fix is_zend_ptr() huge block comparison. (nielsdos)
+  . Fixed potential OOB read in zend_dirname() on Windows. (cmb)

 - Curl:
  . Fixed bug GH-16802 (open_basedir bypass using curl extension). (nielsdos)
--- a/Zend/zend_compile.c
+++ b/Zend/zend_compile.c
@@ -2122,7 +2122,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)
 	}

 	/* Strip trailing slashes */
-	while (end >= path && IS_SLASH_P(end)) {
+	while (end >= path && IS_SLASH_P_EX(end, end == path)) {
 		end--;
 	}
 	if (end < path) {
@@ -2133,7 +2133,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)
 	}

 	/* Strip filename */
-	while (end >= path && !IS_SLASH_P(end)) {
+	while (end >= path && !IS_SLASH_P_EX(end, end == path)) {
 		end--;
 	}
 	if (end < path) {
@@ -2144,7 +2144,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)
 	}

 	/* Strip slashes which came before the file name */
-	while (end >= path && IS_SLASH_P(end)) {
+	while (end >= path && IS_SLASH_P_EX(end, end == path)) {
 		end--;
 	}
 	if (end < path) {
--- a/Zend/zend_virtual_cwd.h
+++ b/Zend/zend_virtual_cwd.h
@@ -73,8 +73,11 @@ typedef unsigned short mode_t;
 #define DEFAULT_SLASH '\\'
 #define DEFAULT_DIR_SEPARATOR	';'
 #define IS_SLASH(c)	((c) == '/' || (c) == '\\')
+// IS_SLASH_P() may read the previous char on Windows, which may be OOB; use IS_SLASH_P_EX() instead
 #define IS_SLASH_P(c)	(*(c) == '/' || \
        (*(c) == '\\' && !IsDBCSLeadByte(*(c-1))))
+#define IS_SLASH_P_EX(c, first_byte)	(*(c) == '/' || \
+        (*(c) == '\\' && ((first_byte) || !IsDBCSLeadByte(*(c-1)))))

 /* COPY_WHEN_ABSOLUTE is 2 under Win32 because by chance both regular absolute paths
   in the file system and UNC paths need copying of two characters */
@@ -108,7 +111,9 @@ typedef unsigned short mode_t;
 #endif

 #define IS_SLASH(c)	((c) == '/')
+// IS_SLASH_P() may read the previous char on Windows, which may be OOB; use IS_SLASH_P_EX() instead
 #define IS_SLASH_P(c)	(*(c) == '/')
+#define IS_SLASH_P_EX(c, first_byte) IS_SLASH_P(c)

 #endif