php/sme8/php-5.3.2-CVE-2010-3870.patch

--- php-5.3.2/ext/xml/tests/bug49687.phpt.cve3870
+++ php-5.3.2/ext/xml/tests/bug49687.phpt
@@ -0,0 +1,24 @@
+--TEST--
+Bug #49687 Several utf8_decode deficiencies and vulnerabilities
+--SKIPIF--
+<?php
+require_once("skipif.inc");
+if (!extension_loaded('xml')) die ("skip xml extension not available");
+?>
+--FILE--
+<?php
+
+$tests = array(
+    "\x41\xC2\x3E\x42",
+    "\xE3\x80\x22",
+    "\x41\x98\xBA\x42\xE2\x98\x43\xE2\x98\xBA\xE2\x98",
+);
+foreach ($tests as $t) {
+    echo bin2hex(utf8_decode($t)), "\n";
+}
+echo "Done.\n";
+--EXPECT--
+413f3e42
+3f22
+413f3f423f433f3f
+Done.
--- php-5.3.2/ext/xml/xml.c.cve3870
+++ php-5.3.2/ext/xml/xml.c
@@ -659,10 +659,111 @@ PHPAPI char *xml_utf8_encode(const char 
 }
 /* }}} */
 
+/* copied from trunk's implementation of get_next_char in ext/standard/html.c */
+#define MB_FAILURE(pos, advance) do { \
+       *cursor = pos + (advance); \
+       *status = FAILURE; \
+       return 0; \
+} while (0)
+
+#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
+#define utf8_lead(c)  ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4))
+#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
+
+/* {{{ php_next_utf8_char
+ */
+static inline unsigned int php_next_utf8_char(
+               const unsigned char *str,
+               size_t str_len,
+               size_t *cursor,
+               int *status)
+{
+       size_t pos = *cursor;
+       unsigned int this_char = 0;
+       unsigned char c;
+
+       *status = SUCCESS;
+
+       if (!CHECK_LEN(pos, 1))
+               MB_FAILURE(pos, 1);
+
+       /* We'll follow strategy 2. from section 3.6.1 of UTR #36:
+               * "In a reported illegal byte sequence, do not include any
+               *  non-initial byte that encodes a valid character or is a leading
+               *  byte for a valid sequence.» */
+       c = str[pos];
+       if (c < 0x80) {
+               this_char = c;
+               pos++;
+       } else if (c < 0xc2) {
+               MB_FAILURE(pos, 1);
+       } else if (c < 0xe0) {
+               if (!CHECK_LEN(pos, 2))
+                       MB_FAILURE(pos, 1);
+
+               if (!utf8_trail(str[pos + 1])) {
+                       MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
+               }
+               this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
+               if (this_char < 0x80) { /* non-shortest form */
+                       MB_FAILURE(pos, 2);
+               }
+               pos += 2;
+       } else if (c < 0xf0) {
+               size_t avail = str_len - pos;
+
+               if (avail < 3 ||
+                               !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) {
+                       if (avail < 2 || utf8_lead(str[pos + 1]))
+                               MB_FAILURE(pos, 1);
+                       else if (avail < 3 || utf8_lead(str[pos + 2]))
+                               MB_FAILURE(pos, 2);
+                       else
+                               MB_FAILURE(pos, 3);
+               }
+
+               this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
+               if (this_char < 0x800) { /* non-shortest form */
+                       MB_FAILURE(pos, 3);
+               } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
+                       MB_FAILURE(pos, 3);
+               }
+               pos += 3;
+       } else if (c < 0xf5) {
+               size_t avail = str_len - pos;
+
+               if (avail < 4 ||
+                               !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) ||
+                               !utf8_trail(str[pos + 3])) {
+                       if (avail < 2 || utf8_lead(str[pos + 1]))
+                               MB_FAILURE(pos, 1);
+                       else if (avail < 3 || utf8_lead(str[pos + 2]))
+                               MB_FAILURE(pos, 2);
+                       else if (avail < 4 || utf8_lead(str[pos + 3]))
+                               MB_FAILURE(pos, 3);
+                       else
+                               MB_FAILURE(pos, 4);
+               }
+                               
+               this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
+               if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
+                       MB_FAILURE(pos, 4);
+               }
+               pos += 4;
+       } else {
+               MB_FAILURE(pos, 1);
+       }
+       
+       *cursor = pos;
+       return this_char;
+}
+/* }}} */
+
+
 /* {{{ xml_utf8_decode */
 PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding)
 {
-       int pos = len;
+       size_t pos = 0;
        char *newbuf = emalloc(len + 1);
        unsigned int c;
        char (*decoder)(unsigned short) = NULL;
@@ -681,36 +782,15 @@ PHPAPI char *xml_utf8_decode(const XML_C
                newbuf[*newlen] = '\0';
                return newbuf;
        }
-       while (pos > 0) {
-               c = (unsigned char)(*s);
-               if (c >= 0xf0) { /* four bytes encoded, 21 bits */
-                       if(pos-4 >= 0) {
-                               c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
-                       } else {
-                               c = '?';        
-                       }
-                       s += 4;
-                       pos -= 4;
-               } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
-                       if(pos-3 >= 0) {
-                               c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
-                       } else {
-                               c = '?';
-                       }
-                       s += 3;
-                       pos -= 3;
-               } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
-                       if(pos-2 >= 0) {
-                               c = ((s[0]&63)<<6) | (s[1]&63);
-                       } else {
-                               c = '?';
-                       }
-                       s += 2;
-                       pos -= 2;
-               } else {
-                       s++;
-                       pos--;
+
+       while (pos < (size_t)len) {
+               int status = FAILURE;
+               c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status);
+
+               if (status == FAILURE || c > 0xFFU) {
+                       c = '?';
                }
+
                newbuf[*newlen] = decoder ? decoder(c) : c;
                ++*newlen;
        }
1	slords	1.1	--- php-5.3.2/ext/xml/tests/bug49687.phpt.cve3870
2			+++ php-5.3.2/ext/xml/tests/bug49687.phpt
3			@@ -0,0 +1,24 @@
4			+--TEST--
5			+Bug #49687 Several utf8_decode deficiencies and vulnerabilities
6			+--SKIPIF--
7			+<?php
8			+require_once("skipif.inc");
9			+if (!extension_loaded('xml')) die ("skip xml extension not available");
10			+?>
11			+--FILE--
12			+<?php
13			+
14			+$tests = array(
15			+ "\x41\xC2\x3E\x42",
16			+ "\xE3\x80\x22",
17			+ "\x41\x98\xBA\x42\xE2\x98\x43\xE2\x98\xBA\xE2\x98",
18			+);
19			+foreach ($tests as $t) {
20			+ echo bin2hex(utf8_decode($t)), "\n";
21			+}
22			+echo "Done.\n";
23			+--EXPECT--
24			+413f3e42
25			+3f22
26			+413f3f423f433f3f
27			+Done.
28			--- php-5.3.2/ext/xml/xml.c.cve3870
29			+++ php-5.3.2/ext/xml/xml.c
30			@@ -659,10 +659,111 @@ PHPAPI char *xml_utf8_encode(const char
31			}
32			/* }}} */
33
34			+/* copied from trunk's implementation of get_next_char in ext/standard/html.c */
35			+#define MB_FAILURE(pos, advance) do { \
36			+ *cursor = pos + (advance); \
37			+ *status = FAILURE; \
38			+ return 0; \
39			+} while (0)
40			+
41			+#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
42			+#define utf8_lead(c) ((c) < 0x80 \|\| ((c) >= 0xC2 && (c) <= 0xF4))
43			+#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
44			+
45			+/* {{{ php_next_utf8_char
46			+ */
47			+static inline unsigned int php_next_utf8_char(
48			+ const unsigned char *str,
49			+ size_t str_len,
50			+ size_t *cursor,
51			+ int *status)
52			+{
53			+ size_t pos = *cursor;
54			+ unsigned int this_char = 0;
55			+ unsigned char c;
56			+
57			+ *status = SUCCESS;
58			+
59			+ if (!CHECK_LEN(pos, 1))
60			+ MB_FAILURE(pos, 1);
61			+
62			+ /* We'll follow strategy 2. from section 3.6.1 of UTR #36:
63			+ * "In a reported illegal byte sequence, do not include any
64			+ * non-initial byte that encodes a valid character or is a leading
65			+ * byte for a valid sequence.» */
66			+ c = str[pos];
67			+ if (c < 0x80) {
68			+ this_char = c;
69			+ pos++;
70			+ } else if (c < 0xc2) {
71			+ MB_FAILURE(pos, 1);
72			+ } else if (c < 0xe0) {
73			+ if (!CHECK_LEN(pos, 2))
74			+ MB_FAILURE(pos, 1);
75			+
76			+ if (!utf8_trail(str[pos + 1])) {
77			+ MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
78			+ }
79			+ this_char = ((c & 0x1f) << 6) \| (str[pos + 1] & 0x3f);
80			+ if (this_char < 0x80) { /* non-shortest form */
81			+ MB_FAILURE(pos, 2);
82			+ }
83			+ pos += 2;
84			+ } else if (c < 0xf0) {
85			+ size_t avail = str_len - pos;
86			+
87			+ if (avail < 3 \|\|
88			+ !utf8_trail(str[pos + 1]) \|\| !utf8_trail(str[pos + 2])) {
89			+ if (avail < 2 \|\| utf8_lead(str[pos + 1]))
90			+ MB_FAILURE(pos, 1);
91			+ else if (avail < 3 \|\| utf8_lead(str[pos + 2]))
92			+ MB_FAILURE(pos, 2);
93			+ else
94			+ MB_FAILURE(pos, 3);
95			+ }
96			+
97			+ this_char = ((c & 0x0f) << 12) \| ((str[pos + 1] & 0x3f) << 6) \| (str[pos + 2] & 0x3f);
98			+ if (this_char < 0x800) { /* non-shortest form */
99			+ MB_FAILURE(pos, 3);
100			+ } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
101			+ MB_FAILURE(pos, 3);
102			+ }
103			+ pos += 3;
104			+ } else if (c < 0xf5) {
105			+ size_t avail = str_len - pos;
106			+
107			+ if (avail < 4 \|\|
108			+ !utf8_trail(str[pos + 1]) \|\| !utf8_trail(str[pos + 2]) \|\|
109			+ !utf8_trail(str[pos + 3])) {
110			+ if (avail < 2 \|\| utf8_lead(str[pos + 1]))
111			+ MB_FAILURE(pos, 1);
112			+ else if (avail < 3 \|\| utf8_lead(str[pos + 2]))
113			+ MB_FAILURE(pos, 2);
114			+ else if (avail < 4 \|\| utf8_lead(str[pos + 3]))
115			+ MB_FAILURE(pos, 3);
116			+ else
117			+ MB_FAILURE(pos, 4);
118			+ }
119			+
120			+ this_char = ((c & 0x07) << 18) \| ((str[pos + 1] & 0x3f) << 12) \| ((str[pos + 2] & 0x3f) << 6) \| (str[pos + 3] & 0x3f);
121			+ if (this_char < 0x10000 \|\| this_char > 0x10FFFF) { /* non-shortest form or outside range */
122			+ MB_FAILURE(pos, 4);
123			+ }
124			+ pos += 4;
125			+ } else {
126			+ MB_FAILURE(pos, 1);
127			+ }
128			+
129			+ *cursor = pos;
130			+ return this_char;
131			+}
132			+/* }}} */
133			+
134			+
135			/* {{{ xml_utf8_decode */
136			PHPAPI char xml_utf8_decode(const XML_Char s, int len, int newlen, const XML_Char encoding)
137			{
138			- int pos = len;
139			+ size_t pos = 0;
140			char *newbuf = emalloc(len + 1);
141			unsigned int c;
142			char (*decoder)(unsigned short) = NULL;
143			@@ -681,36 +782,15 @@ PHPAPI char *xml_utf8_decode(const XML_C
144			newbuf[*newlen] = '\0';
145			return newbuf;
146			}
147			- while (pos > 0) {
148			- c = (unsigned char)(*s);
149			- if (c >= 0xf0) { /* four bytes encoded, 21 bits */
150			- if(pos-4 >= 0) {
151			- c = ((s[0]&7)<<18) \| ((s[1]&63)<<12) \| ((s[2]&63)<<6) \| (s[3]&63);
152			- } else {
153			- c = '?';
154			- }
155			- s += 4;
156			- pos -= 4;
157			- } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
158			- if(pos-3 >= 0) {
159			- c = ((s[0]&63)<<12) \| ((s[1]&63)<<6) \| (s[2]&63);
160			- } else {
161			- c = '?';
162			- }
163			- s += 3;
164			- pos -= 3;
165			- } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
166			- if(pos-2 >= 0) {
167			- c = ((s[0]&63)<<6) \| (s[1]&63);
168			- } else {
169			- c = '?';
170			- }
171			- s += 2;
172			- pos -= 2;
173			- } else {
174			- s++;
175			- pos--;
176			+
177			+ while (pos < (size_t)len) {
178			+ int status = FAILURE;
179			+ c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status);
180			+
181			+ if (status == FAILURE \|\| c > 0xFFU) {
182			+ c = '?';
183			}
184			+
185			newbuf[*newlen] = decoder ? decoder(c) : c;
186			++*newlen;
187			}