Merge branch 'PHP-7.1' into PHP-7.2

smalyshev · smalyshev · commit 8363df370399 · 2019-03-03T22:20:35.000-08:00
* PHP-7.1:
  Update NEWS
  Fix test error message
  Fix bug #77563 - Uninitialized read in exif_process_IFD_in_MAKERNOTE
  Fix bug #77540 - Invalid Read on exif_process_SOFn
  Fix integer overflows on 32-bits
  Fix #77431 SplFileInfo::__construct() accepts NUL bytes
  Fix bug #77396 - Null Pointer Dereference in phar_create_or_parse_filename
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
@@ -3152,7 +3152,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 		break;
 	}
 
-	if (maker_note->offset >= value_len) {
+	if (value_len < 2 || maker_note->offset >= value_len - 1) {
 		/* Do not go past the value end */
 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
 		return FALSE;
@@ -3207,6 +3207,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
 #endif
 		default:
 		case MN_OFFSET_NORMAL:
+			data_len = value_len;
 			break;
 	}
 
@@ -3930,7 +3931,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
 			return FALSE;
 		marker = c;
 		length = php_jpg_get16(data+pos);
-		if (pos+length>=ImageInfo->Thumbnail.size) {
+		if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
 			return FALSE;
 		}
 #ifdef EXIF_DEBUG
@@ -3951,6 +3952,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
 			case M_SOF14:
 			case M_SOF15:
 				/* handle SOFn block */
+				if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) {
+					/* exif_process_SOFn needs 8 bytes */
+					return FALSE;
+				}
 				exif_process_SOFn(data+pos, marker, &sof_info);
 				ImageInfo->Thumbnail.height   = sof_info.height;
 				ImageInfo->Thumbnail.width    = sof_info.width;
@@ -3988,19 +3993,19 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 	tag_table_type tag_table = exif_get_tag_table(section_index);
 
 	if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
-                return FALSE;
-        }
+		return FALSE;
+	}
 
-	if (ImageInfo->FileSize >= dir_offset+2) {
+	if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) {
 		sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL);
 #ifdef EXIF_DEBUG
 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2);
 #endif
 		php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */
 		php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2);
 		num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel);
-		dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/;
-		if (ImageInfo->FileSize >= dir_offset+dir_size) {
+		dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/;
+		if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) {
 #ifdef EXIF_DEBUG
 			exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries);
 #endif
@@ -4083,9 +4088,9 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
 					}
 				}
 			}
-			if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) {
+			if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) {
 				if (ifd_size > dir_size) {
-					if (dir_offset + ifd_size > ImageInfo->FileSize) {
+					if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) {
 						exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size);
 						return FALSE;
 					}
@@ -4682,7 +4687,9 @@ PHP_FUNCTION(exif_thumbnail)
 	ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
 	if (arg_c >= 3) {
 		if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
-			exif_scan_thumbnail(&ImageInfo);
+			if (!exif_scan_thumbnail(&ImageInfo)) {
+				ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0;
+			}
 		}
 		zval_dtor(z_width);
 		zval_dtor(z_height);
diff --git a/ext/exif/tests/bug77540.jpg b/ext/exif/tests/bug77540.jpg
diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug 77540 (Invalid Read on exif_process_SOFn)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$width = $height = 42;
+$s = exif_thumbnail(__DIR__."/bug77540.jpg", $width, $height);
+echo "Width ".$width."\n";
+echo "Height ".$height."\n";
+?>
+DONE
+--EXPECTF--
+Width 0
+Height 0
+DONE
diff --git a/ext/exif/tests/bug77563.jpg b/ext/exif/tests/bug77563.jpg
diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+$s = exif_thumbnail(__DIR__."/bug77563.jpg");
+?>
+DONE
+--EXPECTF--
+Warning: exif_thumbnail(bug77563.jpg): IFD data too short: 0x0009 offset 0x0008 in %s/bug77563.php on line %d
+
+Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d
+
+Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d
+DONE
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
@@ -1385,6 +1385,9 @@ int phar_create_or_parse_filename(char *fname, int fname_len, char *alias, int a
 	/* set up our manifest */
 	mydata = ecalloc(1, sizeof(phar_archive_data));
 	mydata->fname = expand_filepath(fname, NULL);
+	if (mydata->fname == NULL) {
+		return FAILURE;
+	}
 	fname_len = strlen(mydata->fname);
 #ifdef PHP_WIN32
 	phar_unixify_path_separators(mydata->fname, fname_len);
diff --git a/ext/phar/tests/bug77396.phpt b/ext/phar/tests/bug77396.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #77396 Relative filename exceeding maximum path length causes null pointer dereference.
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$path = '../' . str_repeat("x", PHP_MAXPATHLEN) . '.tar';
+$phar = new PharData($path);
+?>
+--EXPECTF--
+Fatal error: Uncaught UnexpectedValueException: Phar creation or opening failed in %s/bug77396.php:%d
+Stack trace:
+#0 %s/bug77396.php(%d): PharData->__construct(%s)
+#1 {main}
+  thrown in %s/bug77396.php on line %d
diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
@@ -1135,7 +1135,7 @@ SPL_METHOD(SplFileInfo, __construct)
 	char *path;
 	size_t len;
 
-	if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "s", &path, &len) == FAILURE) {
+	if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "p", &path, &len) == FAILURE) {
 		return;
 	}
 
diff --git a/ext/spl/tests/bug77431.phpt b/ext/spl/tests/bug77431.phpt
@@ -0,0 +1,9 @@
+--TEST--
+Bug #77431 (SplFileInfo::__construct() accepts NUL bytes)
+--FILE--
+<?php
+new SplFileInfo("bad\0good");
+?>
+--EXPECTF--
+Fatal error: Uncaught TypeError: SplFileInfo::__construct() expects parameter 1 to be a valid path, string given in %s:%d
+Stack trace:%A

Original file line number	Diff line number	Diff line change
`@@ -1135,7 +1135,7 @@ SPL_METHOD(SplFileInfo, __construct)`
`1135`	`1135`	`char *path;`
`1136`	`1136`	`size_t len;`
`1137`	`1137`
`1138`		`- if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "s", &path, &len) == FAILURE) {`
	`1138`	`+ if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "p", &path, &len) == FAILURE) {`
`1139`	`1139`	`return;`
`1140`	`1140`	`}`
`1141`	`1141`