Merge branch 'PHP-5.5.33' into PHP-5.6.19

smalyshev · smalyshev · commit 91990bbde0d6 · 2016-03-01T22:40:00.000-08:00
* PHP-5.5.33:
  Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()
  Fixed bug #71587 - Use-After-Free / Double-Free in WDDX Deserialize
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
@@ -7,6 +7,7 @@ Phar: bug #71488: Stack overflow when decompressing tar archives
 $p = new PharData(__DIR__."/bug71488.tar");
 $newp = $p->decompress("test");
 ?>
+
 DONE
 --CLEAN--
 <?php
diff --git a/ext/phar/tests/bug71498.phpt b/ext/phar/tests/bug71498.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Phar: bug #71498: Out-of-Bound Read in phar_parse_zipfile()
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+try {
+$p = new PharData(__DIR__."/bug71498.zip");
+} catch(UnexpectedValueException $e) {
+	echo $e->getMessage();
+}
+?>
+
+DONE
+--EXPECTF--
+phar error: end of central directory not found in zip-based phar "%s/bug71498.zip"
+DONE
diff --git a/ext/phar/tests/bug71498.zip b/ext/phar/tests/bug71498.zip
diff --git a/ext/phar/zip.c b/ext/phar/zip.c
@@ -159,7 +159,7 @@ static void phar_zip_u2d_time(time_t time, char *dtime, char *ddate) /* {{{ */
  *
  * Parse a new one and add it to the cache, returning either SUCCESS or
  * FAILURE, and setting pphar to the pointer to the manifest entry
- * 
+ *
  * This is used by phar_open_from_fp to process a zip-based phar, but can be called
  * directly.
  */
@@ -199,7 +199,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
 	}
 
 	while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
-		if (!memcmp(p + 1, "K\5\6", 3)) {
+		if ((p - buf) + sizeof(locator) <= size && !memcmp(p + 1, "K\5\6", 3)) {
 			memcpy((void *)&locator, (void *) p, sizeof(locator));
 			if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) {
 				/* split archives not handled */
@@ -1161,7 +1161,7 @@ int phar_zip_flush(phar_archive_data *phar, char *user_stub, long len, int defau
 	static const char newstub[] = "<?php // zip-based phar archive stub file\n__HALT_COMPILER();";
 	char halt_stub[] = "__HALT_COMPILER();";
 	char *tmp;
-	
+
 	php_stream *stubfile, *oldfile;
 	php_serialize_data_t metadata_hash;
 	int free_user_stub, closeoldfile = 0;
diff --git a/ext/wddx/tests/bug71587.phpt b/ext/wddx/tests/bug71587.phpt
@@ -0,0 +1,43 @@
+--TEST--
+Bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+
+$xml = <<<EOF
+<?xml version='1.0' ?>
+<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
+<wddxPacket version='1.0'>
+    <array>
+         <var name='ML'></var>
+            <string>manhluat</string>
+         <var name='ML2'></var>
+         	<boolean value='a'/>
+         <boolean value='true'/>
+    </array>
+</wddxPacket>
+EOF;
+
+$wddx = wddx_deserialize($xml);
+var_dump($wddx);
+// Print mem leak
+foreach($wddx as $k=>$v)
+	printf("Key: %s\nValue: %s\n",bin2hex($k),bin2hex($v));
+
+?>
+DONE
+--EXPECTF--
+array(2) {
+  [0]=>
+  string(8) "manhluat"
+  [1]=>
+  bool(true)
+}
+Key: 30
+Value: 6d616e686c756174
+Key: 31
+Value: 31
+DONE
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
@@ -934,6 +934,16 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 		!strcmp(name, EL_DATETIME)) {
 		wddx_stack_top(stack, (void**)&ent1);
 
+		if (!ent1->data) {
+			if (stack->top > 1) {
+				stack->top--;
+			} else {
+				stack->done = 1;
+			}
+			efree(ent1);
+			return;
+		}
+
 		if (!strcmp(name, EL_BINARY)) {
 			int new_len=0;
 			unsigned char *new_str;
@@ -1030,6 +1040,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 		}
 	} else if (!strcmp(name, EL_VAR) && stack->varname) {
 		efree(stack->varname);
+		stack->varname = NULL;
 	} else if (!strcmp(name, EL_FIELD)) {
 		st_entry *ent;
 		wddx_stack_top(stack, (void **)&ent);
@@ -1049,7 +1060,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 
 	if (!wddx_stack_is_empty(stack) && !stack->done) {
 		wddx_stack_top(stack, (void**)&ent);
-		switch (Z_TYPE_P(ent)) {
+		switch (ent->type) {
 			case ST_STRING:
 				if (Z_STRLEN_P(ent->data) == 0) {
 					STR_FREE(Z_STRVAL_P(ent->data));
@@ -1088,11 +1099,11 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
 				} else if (!strcmp(s, "false")) {
 					Z_LVAL_P(ent->data) = 0;
 				} else {
-					stack->top--;
 					zval_ptr_dtor(&ent->data);
-					if (ent->varname)
+					if (ent->varname) {
 						efree(ent->varname);
-					efree(ent);
+					}
+					ent->data = NULL;
 				}
 				break;
 
