Merge branch 'PHP-5.6' into PHP-7.0

smalyshev · smalyshev · commit 6e12e49b5be0 · 2016-11-03T20:46:25.000-07:00
* PHP-5.6:
  More string length checks &amp; fixes
diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
@@ -3950,7 +3950,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
 #define PHP_IMAP_CLEAN	if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
 #define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
 
-	bufferHeader = (char *)emalloc(bufferLen + 1);
+	bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
 	memset(bufferHeader, 0, bufferLen);
 	if (to && *to) {
 		strlcat(bufferHeader, "To: ", bufferLen + 1);
diff --git a/ext/intl/intl_convert.c b/ext/intl/intl_convert.c
@@ -53,7 +53,7 @@ void intl_convert_utf8_to_utf16(
 	UErrorCode* status )
 {
 	UChar*      dst_buf = NULL;
-	int32_t     dst_len = 0;
+	uint32_t    dst_len = 0;
 
 	/* If *target is NULL determine required destination buffer size (pre-flighting).
 	 * Otherwise, attempt to convert source string; if *target buffer is not large enough
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
@@ -268,6 +268,9 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam
 	int32_t     	buflen          = 512;
 	UErrorCode  	status          = U_ZERO_ERROR;
 
+	if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
+		return NULL;
+	}
 
 	if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
 		/* Handle  grandfathered languages */
@@ -713,6 +716,8 @@ PHP_FUNCTION( locale_get_keywords )
         RETURN_FALSE;
     }
 
+	INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
     if(loc_name_len == 0) {
         loc_name = intl_locale_get_default();
     }
@@ -1120,6 +1125,8 @@ PHP_FUNCTION(locale_parse)
         RETURN_FALSE;
     }
 
+    INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
     if(loc_name_len == 0) {
         loc_name = intl_locale_get_default();
     }
diff --git a/ext/intl/msgformat/msgformat_data.c b/ext/intl/msgformat/msgformat_data.c
@@ -83,7 +83,7 @@ msgformat_data* msgformat_data_create( void )
 int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
 {
 	if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
-		UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
+		UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
 		uint32_t npattern_len;
 		npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
 		efree(*spattern);
diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
@@ -15,6 +15,7 @@ static const char rcsid[] = "#(@) $Id$";
 /*  ENCODE  --	Encode binary file into base64.  */
 #include <stdlib.h>
 #include <ctype.h>
+#include <limits.h>
 
 #include "base64.h"
 
@@ -31,6 +32,9 @@ void buffer_new(struct buffer_st *b)
 
 void buffer_add(struct buffer_st *b, char c)
 {
+  if ((INT_MAX - b->length) <= 512) {
+		return;
+  }
   *(b->ptr++) = c;
   b->offset++;
   if (b->offset == b->length) {
@@ -79,7 +83,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
     for (n = 0; n < 3; n++) {
       c = *(source++);
       offset++;
-      if (offset > length) {
+      if (offset > length || offset <= 0) {
 	hiteof = 1;
 	break;
       }
diff --git a/ext/xmlrpc/libxmlrpc/simplestring.c b/ext/xmlrpc/libxmlrpc/simplestring.c
@@ -80,6 +80,7 @@ static const char rcsid[] = "#(@) $Id$";
 
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "simplestring.h"
 
 #define my_free(thing)  if(thing) {free(thing); thing = 0;}
@@ -200,7 +201,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)
          simplestring_init_str(target);
       }
 
-      if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+      if((INT_MAX - add_len) < target->len || (INT_MAX - add_len - 1) < target->len) {
     	  /* check for overflows, if there's a potential overflow do nothing */
     	  return;
       }
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
@@ -1590,7 +1590,7 @@ static ZIPARCHIVE_METHOD(addEmptyDir)
 	}
 
 	if (dirname[dirname_len-1] != '/') {
-		s=(char *)emalloc(dirname_len+2);
+		s=(char *)safe_emalloc(dirname_len, 1, 2);
 		strcpy(s, dirname);
 		s[dirname_len] = '/';
 		s[dirname_len+1] = '\0';
@@ -1805,14 +1805,14 @@ static ZIPARCHIVE_METHOD(addFromString)
 
 	ze_obj = Z_ZIP_P(self);
 	if (ze_obj->buffers_cnt) {
-		ze_obj->buffers = (char **)erealloc(ze_obj->buffers, sizeof(char *) * (ze_obj->buffers_cnt+1));
+		ze_obj->buffers = (char **)safe_erealloc(ze_obj->buffers, sizeof(char *), (ze_obj->buffers_cnt+1), 0);
 		pos = ze_obj->buffers_cnt++;
 	} else {
 		ze_obj->buffers = (char **)emalloc(sizeof(char *));
 		ze_obj->buffers_cnt++;
 		pos = 0;
 	}
-	ze_obj->buffers[pos] = (char *)emalloc(ZSTR_LEN(buffer) + 1);
+	ze_obj->buffers[pos] = (char *)safe_emalloc(ZSTR_LEN(buffer), 1, 1);
 	memcpy(ze_obj->buffers[pos], ZSTR_VAL(buffer), ZSTR_LEN(buffer) + 1);
 
 	zs = zip_source_buffer(intern, ze_obj->buffers[pos], ZSTR_LEN(buffer), 0);

Original file line number	Diff line number	Diff line change
`@@ -53,7 +53,7 @@ void intl_convert_utf8_to_utf16(`
`53`	`53`	`UErrorCode* status )`
`54`	`54`	`{`
`55`	`55`	`UChar* dst_buf = NULL;`
`56`		`- int32_t dst_len = 0;`
	`56`	`+ uint32_t dst_len = 0;`
`57`	`57`
`58`	`58`	`/* If *target is NULL determine required destination buffer size (pre-flighting).`
`59`	`59`	`* Otherwise, attempt to convert source string; if *target buffer is not large enough`
Original file line number	Diff line number	Diff line change
`@@ -268,6 +268,9 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam`
`268`	`268`	`int32_t buflen = 512;`
`269`	`269`	`UErrorCode status = U_ZERO_ERROR;`
`270`	`270`
	`271`	`+ if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {`
	`272`	`+ return NULL;`
	`273`	`+ }`
`271`	`274`
`272`	`275`	`if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){`
`273`	`276`	`/* Handle grandfathered languages */`
`@@ -713,6 +716,8 @@ PHP_FUNCTION( locale_get_keywords )`
`713`	`716`	`RETURN_FALSE;`
`714`	`717`	`}`
`715`	`718`
	`719`	`+ INTL_CHECK_LOCALE_LEN(strlen(loc_name));`
	`720`	`+`
`716`	`721`	`if(loc_name_len == 0) {`
`717`	`722`	`loc_name = intl_locale_get_default();`
`718`	`723`	`}`
`@@ -1120,6 +1125,8 @@ PHP_FUNCTION(locale_parse)`
`1120`	`1125`	`RETURN_FALSE;`
`1121`	`1126`	`}`
`1122`	`1127`
	`1128`	`+ INTL_CHECK_LOCALE_LEN(strlen(loc_name));`
	`1129`	`+`
`1123`	`1130`	`if(loc_name_len == 0) {`
`1124`	`1131`	`loc_name = intl_locale_get_default();`
`1125`	`1132`	`}`
Original file line number	Diff line number	Diff line change
`@@ -83,7 +83,7 @@ msgformat_data* msgformat_data_create( void )`
`83`	`83`	`int msgformat_fix_quotes(UChar *spattern, uint32_t spattern_len, UErrorCode *ec)`
`84`	`84`	`{`
`85`	`85`	`if(spattern && spattern_len && u_strchr(*spattern, (UChar)'\'')) {`
`86`		`- UChar npattern = emalloc(sizeof(UChar)(2(spattern_len)+1));`
	`86`	`+ UChar npattern = safe_emalloc(sizeof(UChar)2, *spattern_len, sizeof(UChar));`
`87`	`87`	`uint32_t npattern_len;`
`88`	`88`	`npattern_len = umsg_autoQuoteApostrophe(spattern, spattern_len, npattern, 2(spattern_len)+1, ec);`
`89`	`89`	`efree(*spattern);`
Original file line number	Diff line number	Diff line change
`@@ -80,6 +80,7 @@ static const char rcsid[] = "#(@) $Id$";`
`80`	`80`
`81`	`81`	`#include <stdlib.h>`
`82`	`82`	`#include <string.h>`
	`83`	`+#include <limits.h>`
`83`	`84`	`#include "simplestring.h"`
`84`	`85`
`85`	`86`	`#define my_free(thing) if(thing) {free(thing); thing = 0;}`
`@@ -200,7 +201,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)`
`200`	`201`	`simplestring_init_str(target);`
`201`	`202`	`}`
`202`	`203`
`203`		`- if((SIZE_MAX - add_len) < target->len \|\| (SIZE_MAX - add_len - 1) < target->len) {`
	`204`	`+ if((INT_MAX - add_len) < target->len \|\| (INT_MAX - add_len - 1) < target->len) {`
`204`	`205`	`/* check for overflows, if there's a potential overflow do nothing */`
`205`	`206`	`return;`
`206`	`207`	`}`