Fix GH-9033: Loading blacklist file can fail due to negative length

cmb69 · cmb69 · commit 35fd97c3c931 · 2022-07-25T16:30:19.000+02:00
If the blacklist file contains a line with a single double-quote, we called `zend_strndup(pbuf, -1)` what causes an unnecessary bail out; instead we just ignore that line. If the blacklist file contains an empty line, we may have caused an OOB read; instead we just ignore that line. Closes GH-9036.
diff --git a/NEWS b/NEWS
@@ -5,6 +5,10 @@ PHP                                                                        NEWS
 - DBA:
   . Fixed LMDB driver memory leak on DB creation failure (Girgias)
 
+- OPcache:
+  . Fixed bug GH-9033 (Loading blacklist file can fail due to negative length).
+    (cmb)
+
 - Standard:
   . Fixed bug GH-9017 (php_stream_sock_open_from_socket could return NULL).
     (Heiko Weber)
diff --git a/ext/opcache/zend_accelerator_blacklist.c b/ext/opcache/zend_accelerator_blacklist.c
@@ -276,12 +276,12 @@ static void zend_accel_blacklist_loadone(zend_blacklist *blacklist, char *filena
 		}
 
 		/* strip \" */
-		if (pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {
+		if (path_length > 0 && pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {
 			*pbuf++ = 0;
 			path_length -= 2;
 		}
 
-		if (path_length == 0) {
+		if (path_length <= 0) {
 			continue;
 		}
 

Original file line number	Diff line number	Diff line change
`@@ -276,12 +276,12 @@ static void zend_accel_blacklist_loadone(zend_blacklist blacklist, char filena`
`276`	`276`	`}`
`277`	`277`
`278`	`278`	`/* strip \" */`
`279`		`- if (pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {`
	`279`	`+ if (path_length > 0 && pbuf[0] == '\"' && pbuf[path_length - 1]== '\"') {`
`280`	`280`	`*pbuf++ = 0;`
`281`	`281`	`path_length -= 2;`
`282`	`282`	`}`
`283`	`283`
`284`		`- if (path_length == 0) {`
	`284`	`+ if (path_length <= 0) {`
`285`	`285`	`continue;`
`286`	`286`	`}`
`287`	`287`