Diffstat (limited to 'CVE-2015-2783.patch')
-rw-r--r-- | CVE-2015-2783.patch | 180 |
1 files changed, 0 insertions, 180 deletions
diff --git a/CVE-2015-2783.patch b/CVE-2015-2783.patch
deleted file mode 100644
index 29ad5f707876..000000000000
--- a/CVE-2015-2783.patch
+++ /dev/null
@@ -1,180 +0,0 @@ -Description: fix buffer overflow in unserialize when parsing Phar -Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=9faaee66fa493372c7340b1ab05f8fd115131a42 -Origin: upstream, http://git.php.net/?p=php-src.git;a=commit;h=12d3bdee3dfa6605024a72080d8a17c165c5ed24 -Bug: https://bugs.php.net/bug.php?id=69324 - -Index: php5-5.3.10/ext/phar/phar.c -=================================================================== ---- php5-5.3.10.orig/ext/phar/phar.c 2015-04-17 06:24:19.250127940 -0400 -+++ php5-5.3.10/ext/phar/phar.c 2015-04-17 06:24:19.246127904 -0400 -@@ -600,52 +600,41 @@ - * - * Meta-data is in this format: - * [len32][data...] -- * -+ * - * data is the serialized zval - */ --int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ -+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ - { -- const unsigned char *p; -- php_uint32 buf_len; - php_unserialize_data_t var_hash; - -- if (!zip_metadata_len) { -- PHAR_GET_32(*buffer, buf_len); -- } else { -- buf_len = zip_metadata_len; -- } -- -- if (buf_len) { -+ if (zip_metadata_len) { -+ const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len); -+ p = p_buff; - ALLOC_ZVAL(*metadata); - INIT_ZVAL(**metadata); -- p = (const unsigned char*) *buffer; - PHP_VAR_UNSERIALIZE_INIT(var_hash); - -- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { -+ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { -+ efree(p_buff); - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); - zval_ptr_dtor(metadata); - *metadata = NULL; - return FAILURE; - } -- -+ efree(p_buff); - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); - - if (PHAR_G(persist)) { - /* lazy init metadata */ - zval_ptr_dtor(metadata); -- *metadata = (zval *) pemalloc(buf_len, 1); -- memcpy(*metadata, *buffer, buf_len); -- *buffer += buf_len; -+ *metadata = (zval *) pemalloc(zip_metadata_len, 1); -+ 
memcpy(*metadata, *buffer, zip_metadata_len); - return SUCCESS; - } - } else { - *metadata = NULL; - } - -- if (!zip_metadata_len) { -- *buffer += buf_len; -- } -- - return SUCCESS; - } - /* }}}*/ -@@ -655,7 +644,7 @@ - * - * Parse a new one and add it to the cache, returning either SUCCESS or - * FAILURE, and setting pphar to the pointer to the manifest entry -- * -+ * - * This is used by phar_open_from_filename to process the manifest, but can be called - * directly. - */ -@@ -666,6 +655,7 @@ - phar_entry_info entry; - php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; - php_uint16 manifest_ver; -+ php_uint32 len; - long offset; - int sig_len, register_alias = 0, temp_alias = 0; - char *signature = NULL; -@@ -1031,16 +1021,21 @@ - mydata->is_persistent = PHAR_G(persist); - - /* check whether we have meta data, zero check works regardless of byte order */ -+ PHAR_GET_32(buffer, len); - if (mydata->is_persistent) { -- PHAR_GET_32(buffer, mydata->metadata_len); -- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { -- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); -- } -- } else { -- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { -- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); -+ mydata->metadata_len = len; -+ if(!len) { -+ /* FIXME: not sure why this is needed but removing it breaks tests */ -+ PHAR_GET_32(buffer, len); - } - } -+ if(len > endbuffer - buffer) { -+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); -+ } -+ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { -+ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); -+ } -+ buffer += len; - - /* set up our manifest */ - zend_hash_init(&mydata->manifest, manifest_count, -@@ -1075,7 +1070,7 @@ - entry.manifest_pos = manifest_index; - } - -- if (buffer + 
entry.filename_len + 20 > endbuffer) { -+ if (entry.filename_len + 20 > endbuffer - buffer) { - MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); - } - -@@ -1111,19 +1106,20 @@ - entry.flags |= PHAR_ENT_PERM_DEF_DIR; - } - -+ PHAR_GET_32(buffer, len); - if (entry.is_persistent) { -- PHAR_GET_32(buffer, entry.metadata_len); -- if (!entry.metadata_len) buffer -= 4; -- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { -- pefree(entry.filename, entry.is_persistent); -- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); -- } -+ entry.metadata_len = len; - } else { -- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { -- pefree(entry.filename, entry.is_persistent); -- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); -- } -+ entry.metadata_len = 0; - } -+ if (len > endbuffer - buffer) { -+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); -+ } -+ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { -+ pefree(entry.filename, entry.is_persistent); -+ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); -+ } -+ buffer += len; - - entry.offset = entry.offset_abs = offset; - offset += entry.compressed_filesize; -@@ -2243,7 +2239,7 @@ - - /** - * Process a phar stream name, ensuring we can handle any of: -- * -+ * - * - whatever.phar - * - whatever.phar.gz - * - whatever.phar.bz2 -Index: php5-5.3.10/ext/phar/phar_internal.h -=================================================================== ---- php5-5.3.10.orig/ext/phar/phar_internal.h 2015-04-17 06:24:19.250127940 -0400 -+++ php5-5.3.10/ext/phar/phar_internal.h 2015-04-17 06:24:19.250127940 -0400 -@@ -654,7 +654,7 @@ - char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); - char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); - phar_entry_info * 
phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC); --int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC); -+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); - void destroy_phar_manifest_entry(void *pDest); - int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); - php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); |