登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
1 Star 0 Fork 33

康少强/php

forked from src-openEuler/php 
代码 Issues 0 Pull Requests 0 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
项目仓库所选许可证以仓库主分支所使用许可证为准
克隆/下载
php-CVE-2018-20783.patch 4.89 KB
一键复制 编辑 原始数据 按行查看 历史
通行百万 提交于 2020-03-12 15:55 . add CVE patches
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146
From e7c8e6cde021afd637ea535b0641a1851e57fb2a Mon Sep 17 00:00:00 2001

From: Stanislav Malyshev <stas@php.net>

Date: Mon, 12 Nov 2018 14:02:26 -0800

Subject: [PATCH] Fix bug #77143 - add more checks to buffer reads



---

 NEWS                         |   4 ++++

 ext/phar/phar.c              |  30 +++++++++++++++++++++---------

 ext/phar/tests/bug73768.phpt |   2 +-

 ext/phar/tests/bug77143.phar | Bin 0 -> 50 bytes

 ext/phar/tests/bug77143.phpt |  18 ++++++++++++++++++

 5 files changed, 44 insertions(+), 10 deletions(-)

 create mode 100644 ext/phar/tests/bug77143.phar

 create mode 100644 ext/phar/tests/bug77143.phpt



diff -Nur php-7.2.10/NEWS php-7.2.10_bak/NEWS

--- php-7.2.10/NEWS	2018-09-11 15:06:00.000000000 +0800

+++ php-7.2.10_bak/NEWS	2019-04-04 17:41:54.869000000 +0800

@@ -136,6 +136,10 @@

   . Fixed bug #76477 (Opcache causes empty return value).

     (Nikita, Laruence)

 

+- Phar:

+  . Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile).

+    (Stas)

+

 - PGSQL:

   . Fixed bug #76548 (pg_fetch_result did not fetch the next row). (Anatol)



diff -Nur php-7.2.10/ext/phar/phar.c php-7.2.10_bak/ext/phar/phar.c

--- php-7.2.10/ext/phar/phar.c	2019-04-04 17:39:04.158000000 +0800

+++ php-7.2.10_bak/ext/phar/phar.c	2019-04-04 17:49:51.807000000 +0800

@@ -643,6 +643,18 @@

 /* }}}*/

 

 /**

+ * Size of fixed fields in the manifest.

+ * See: http://php.net/manual/en/phar.fileformat.phar.php

+ */

+#define MANIFEST_FIXED_LEN 18

+

+#define SAFE_PHAR_GET_32(buffer, endbuffer, var) \

+   if (UNEXPECTED(buffer + 4 > endbuffer)) { \

+	   MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)"); \

+   } \

+   PHAR_GET_32(buffer, var);

+

+/**

  * Does not check for a previously opened phar in the cache.

  *

  * Parse a new one and add it to the cache, returning either SUCCESS or

@@ -725,7 +737,7 @@

 	savebuf = buffer;

 	endbuffer = buffer + manifest_len;

 

-	if (manifest_len < 10 || manifest_len != php_stream_read(fp, buffer, manifest_len)) {

+    if (manifest_len < MANIFEST_FIXED_LEN || manifest_len != php_stream_read(fp, buffer, manifest_len)) {

 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")

 	}

 

@@ -750,7 +762,7 @@

 		return FAILURE;

 	}

 

-	PHAR_GET_32(buffer, manifest_flags);

+	SAFE_PHAR_GET_32(buffer, endbuffer, manifest_flags);

 

 	manifest_flags &= ~PHAR_HDR_COMPRESSION_MASK;

 	manifest_flags &= ~PHAR_FILE_COMPRESSION_MASK;

@@ -970,13 +982,13 @@

 	}

 

 	/* extract alias */

-	PHAR_GET_32(buffer, tmp_len);

+	SAFE_PHAR_GET_32(buffer, endbuffer, tmp_len);

 

 	if (buffer + tmp_len > endbuffer) {

 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)");

 	}

 

-	if (manifest_len < 10 + tmp_len) {

+	if (manifest_len < MANIFEST_FIXED_LEN + tmp_len) {

 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")

 	}

 

@@ -1014,7 +1026,7 @@

 	}

 

 	/* we have 5 32-bit items plus 1 byte at least */

-	if (manifest_count > ((manifest_len - 10 - tmp_len) / (5 * 4 + 1))) {

+	if (manifest_count > ((manifest_len - MANIFEST_FIXED_LEN - tmp_len) / (5 * 4 + 1))) {

 		/* prevent serious memory issues */

 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (too many manifest entries for size of manifest)")

 	}

@@ -1023,12 +1035,12 @@

 	mydata->is_persistent = PHAR_G(persist);

 

 	/* check whether we have meta data, zero check works regardless of byte order */

-	PHAR_GET_32(buffer, len);

+	SAFE_PHAR_GET_32(buffer, endbuffer, len);

 	if (mydata->is_persistent) {

 		mydata->metadata_len = len;

-		if(!len) {

+		if (!len) {

 			/* FIXME: not sure why this is needed but removing it breaks tests */

-			PHAR_GET_32(buffer, len);

+			SAFE_PHAR_GET_32(buffer, endbuffer, len);

 		}

 	}

 	if(len > (size_t)(endbuffer - buffer)) {

diff -Nur php-7.2.10/ext/phar/tests/bug73768.phpt php-7.2.10_bak/ext/phar/tests/bug73768.phpt

--- php-7.2.10/ext/phar/tests/bug73768.phpt	2018-09-11 15:06:03.000000000 +0800

+++ php-7.2.10_bak/ext/phar/tests/bug73768.phpt	2019-04-04 17:50:51.796000000 +0800

@@ -13,4 +13,4 @@

 }

 ?>

 --EXPECTF--

-cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar"

+internal corruption of phar "%sbug73768.phar" (truncated manifest header)

diff --git a/ext/phar/tests/bug77143.phpt b/ext/phar/tests/bug77143.phpt

new file mode 100644

index 0000000..f9f80fc

--- /dev/null

+++ b/ext/phar/tests/bug77143.phpt

@@ -0,0 +1,18 @@

+--TEST--

+PHP bug #77143: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile

+--INI--

+phar.readonly=0

+--SKIPIF--

+<?php if (!extension_loaded("phar")) die("skip"); ?>

+--FILE--

+<?php

+chdir(__DIR__);

+try {

+var_dump(new Phar('bug77143.phar',0,'project.phar'));

+echo "OK\n";

+} catch(UnexpectedValueException $e) {

+	echo $e->getMessage();

+}

+?>

+--EXPECTF--

+internal corruption of phar "%sbug77143.phar" (truncated manifest header)

-- 

2.1.4
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/kang_xiao_qiang/php.git
git@gitee.com:kang_xiao_qiang/php.git
kang_xiao_qiang
php
php
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
仓库举报
回到顶部