Merge branch 'PHP-5.4' into PHP-5.5

smalyshev · smalyshev · commit e2ed4874b54b · 2014-06-24T10:25:09.000-07:00
* PHP-5.4:
  5.4.30
  Better fix for bug #67072 with more BC provisions
  Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
  update CVE
  Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
  Fix bug #67397 (Buffer overflow in locale_get_display_name-&gt;uloc_getDisplayName (libicu 4.8.1))
  Fix bug #67349: Locale::parseLocale Double Free
  add CVEs
  Fix potential segfault in dns_get_record()
  Fix bug #66127 (Segmentation fault with ArrayObject unset)
  5.4.30 rc1

Conflicts:
	ext/intl/locale/locale_methods.c
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
@@ -269,8 +269,7 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
 		grOffset =  findOffset( LOC_GRANDFATHERED , loc_name );
 		if( grOffset >= 0 ){
 			if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
-				tag_value = estrdup(loc_name);
-				return tag_value;
+				return estrdup(loc_name);
 			} else {
 				/* Since Grandfathered , no value , do nothing , retutn NULL */
 				return NULL;
@@ -280,8 +279,8 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
 	if( fromParseLocale==1 ){
 		/* Handle singletons */
 		if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
-			if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){
-				return (char *)loc_name;
+			if( strlen(loc_name)>1 && (isIDPrefix(loc_name) == 1) ){
+				return estrdup(loc_name);
 			}
 		}
 
@@ -498,6 +497,14 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME
 		RETURN_FALSE;
 	}
 
+    if(loc_name_len > ULOC_FULLNAME_CAPACITY) {
+        /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */
+		spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name );
+		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,  msg , 1 TSRMLS_CC );
+		efree(msg);
+		RETURN_FALSE;
+    }
+
 	if(loc_name_len == 0) {
 		loc_name = intl_locale_get_default(TSRMLS_C);
 	}
diff --git a/ext/intl/tests/bug67397.phpt b/ext/intl/tests/bug67397.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+    $ret = var_export(ut_loc_get_display_name(str_repeat('*', 256), 'en_us'), true);
+    $ret .= "\n";
+    $ret .= var_export(intl_get_error_message(), true);
+    return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR'
diff --git a/ext/intl/tests/locale_parse_locale2.phpt b/ext/intl/tests/locale_parse_locale2.phpt
@@ -63,7 +63,8 @@ function ut_main()
 //Some Invalid Tags:
         'de-419-DE',
         'a-DE',
-        'ar-a-aaa-b-bbb-a-ccc'
+        'ar-a-aaa-b-bbb-a-ccc',
+	'x-AAAAAA',
     );
 
 
@@ -201,3 +202,6 @@ No values found from Locale parsing.
 ---------------------
 ar-a-aaa-b-bbb-a-ccc:
 language : 'ar' ,
+---------------------
+x-AAAAAA:
+private0 : 'AAAAAA' ,
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
@@ -1796,7 +1796,7 @@ SPL_METHOD(Array, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
@@ -7,6 +7,7 @@ $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
 );
 foreach($badblobs as $blob) {
 try {
@@ -17,6 +18,7 @@ try {
 	echo $e->getMessage()."\n";
 }
 }
+echo "DONE\n";
 --EXPECTF--
 Error at offset 6 of 34 bytes
 Error at offset 46 of 89 bytes
@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
     }
   }
 }
-
+Error at offset 79 of 78 bytes
+DONE
diff --git a/ext/standard/info.c b/ext/standard/info.c
@@ -866,16 +866,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 
 		php_info_print_table_start();
 		php_info_print_table_header(2, "Variable", "Value");
-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 		}
 		php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==

Original file line number	Diff line number	Diff line change
`@@ -1796,7 +1796,7 @@ SPL_METHOD(Array, unserialize)`
`1796`	`1796`	`++p;`
`1797`	`1797`
`1798`	`1798`	`ALLOC_INIT_ZVAL(pmembers);`
`1799`		`- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {`
	`1799`	`+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) \|\| Z_TYPE_P(pmembers) != IS_ARRAY) {`
`1800`	`1800`	`zval_ptr_dtor(&pmembers);`
`1801`	`1801`	`goto outexcept;`
`1802`	`1802`	`}`
Original file line number	Diff line number	Diff line change
`@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)`
`898`	`898`	`++p;`
`899`	`899`
`900`	`900`	`ALLOC_INIT_ZVAL(pmembers);`
`901`		`- if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {`
	`901`	`+ if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) \|\| Z_TYPE_P(pmembers) != IS_ARRAY) {`
`902`	`902`	`zval_ptr_dtor(&pmembers);`
`903`	`903`	`goto outexcept;`
`904`	`904`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ $badblobs = array(`
`7`	`7`	`'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',`
`8`	`8`	`'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',`
`9`	`9`	`'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',`
	`10`	`+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',`
`10`	`11`	`);`
`11`	`12`	`foreach($badblobs as $blob) {`
`12`	`13`	`try {`
`@@ -17,6 +18,7 @@ try {`
`17`	`18`	`echo $e->getMessage()."\n";`
`18`	`19`	`}`
`19`	`20`	`}`
	`21`	`+echo "DONE\n";`
`20`	`22`	`--EXPECTF--`
`21`	`23`	`Error at offset 6 of 34 bytes`
`22`	`24`	`Error at offset 46 of 89 bytes`
`@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {`
`42`	`44`	`}`
`43`	`45`	`}`
`44`	`46`	`}`
`45`		`-`
	`47`	`+Error at offset 79 of 78 bytes`
	`48`	`+DONE`
Original file line number	Diff line number	Diff line change
`@@ -866,16 +866,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)`
`866`	`866`
`867`	`867`	`php_info_print_table_start();`
`868`	`868`	`php_info_print_table_header(2, "Variable", "Value");`
`869`		`- if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {`
	`869`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`870`	`870`	`php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));`
`871`	`871`	`}`
`872`		`- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {`
	`872`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`873`	`873`	`php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));`
`874`	`874`	`}`
`875`		`- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {`
	`875`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`876`	`876`	`php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));`
`877`	`877`	`}`
`878`		`- if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {`
	`878`	`+ if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {`
`879`	`879`	`php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));`
`880`	`880`	`}`
`881`	`881`	`php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);`