/[smeserver]/rpms/php/sme8/php-5.3.2-CVE-2010-3870.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.2-CVE-2010-3870.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Mon Jun 20 19:27:01 2011 UTC (13 years, 4 months ago) by slords
Branch: MAIN
CVS Tags: php-5_3_3-15_el5_sme, php-5_3_3-1_el5_7_3, php-5_3_3-13_el5_9_1, php-5_3_3-16_el5_sme, php-5_3_3-14_el5_sme, php-5_3_3-1_el5_sme_6, php-5_3_3-13_el5_sme_1, php-5_3_3-1_el5_sme_3, php-5_3_3-1_el5_sme_1_0, php-5_3_3-13_el5_sme_2, php-5_3_3-1_el5_sme_1_1, php-5_3_3-17_el5_sme, php-5_3_3-1_el5_7_6, php-5_3_3-13_el5_sme, php-5_3_3-13_el6, php-5_3_3-1_el5_sme_1, HEAD
Branch point for: redhat-upstream
Import upstream sources

1 --- php-5.3.2/ext/xml/tests/bug49687.phpt.cve3870
2 +++ php-5.3.2/ext/xml/tests/bug49687.phpt
3 @@ -0,0 +1,24 @@
4 +--TEST--
5 +Bug #49687 Several utf8_decode deficiencies and vulnerabilities
6 +--SKIPIF--
7 +<?php
8 +require_once("skipif.inc");
9 +if (!extension_loaded('xml')) die ("skip xml extension not available");
10 +?>
11 +--FILE--
12 +<?php
13 +
14 +$tests = array(
15 + "\x41\xC2\x3E\x42",
16 + "\xE3\x80\x22",
17 + "\x41\x98\xBA\x42\xE2\x98\x43\xE2\x98\xBA\xE2\x98",
18 +);
19 +foreach ($tests as $t) {
20 + echo bin2hex(utf8_decode($t)), "\n";
21 +}
22 +echo "Done.\n";
23 +--EXPECT--
24 +413f3e42
25 +3f22
26 +413f3f423f433f3f
27 +Done.
28 --- php-5.3.2/ext/xml/xml.c.cve3870
29 +++ php-5.3.2/ext/xml/xml.c
30 @@ -659,10 +659,111 @@ PHPAPI char *xml_utf8_encode(const char
31 }
32 /* }}} */
33
34 +/* copied from trunk's implementation of get_next_char in ext/standard/html.c */
35 +#define MB_FAILURE(pos, advance) do { \
36 + *cursor = pos + (advance); \
37 + *status = FAILURE; \
38 + return 0; \
39 +} while (0)
40 +
41 +#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
42 +#define utf8_lead(c) ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4))
43 +#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
44 +
45 +/* {{{ php_next_utf8_char
46 + */
47 +static inline unsigned int php_next_utf8_char(
48 + const unsigned char *str,
49 + size_t str_len,
50 + size_t *cursor,
51 + int *status)
52 +{
53 + size_t pos = *cursor;
54 + unsigned int this_char = 0;
55 + unsigned char c;
56 +
57 + *status = SUCCESS;
58 +
59 + if (!CHECK_LEN(pos, 1))
60 + MB_FAILURE(pos, 1);
61 +
62 + /* We'll follow strategy 2. from section 3.6.1 of UTR #36:
63 + * "In a reported illegal byte sequence, do not include any
64 + * non-initial byte that encodes a valid character or is a leading
65 + * byte for a valid sequence.ยป */
66 + c = str[pos];
67 + if (c < 0x80) {
68 + this_char = c;
69 + pos++;
70 + } else if (c < 0xc2) {
71 + MB_FAILURE(pos, 1);
72 + } else if (c < 0xe0) {
73 + if (!CHECK_LEN(pos, 2))
74 + MB_FAILURE(pos, 1);
75 +
76 + if (!utf8_trail(str[pos + 1])) {
77 + MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
78 + }
79 + this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
80 + if (this_char < 0x80) { /* non-shortest form */
81 + MB_FAILURE(pos, 2);
82 + }
83 + pos += 2;
84 + } else if (c < 0xf0) {
85 + size_t avail = str_len - pos;
86 +
87 + if (avail < 3 ||
88 + !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) {
89 + if (avail < 2 || utf8_lead(str[pos + 1]))
90 + MB_FAILURE(pos, 1);
91 + else if (avail < 3 || utf8_lead(str[pos + 2]))
92 + MB_FAILURE(pos, 2);
93 + else
94 + MB_FAILURE(pos, 3);
95 + }
96 +
97 + this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
98 + if (this_char < 0x800) { /* non-shortest form */
99 + MB_FAILURE(pos, 3);
100 + } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
101 + MB_FAILURE(pos, 3);
102 + }
103 + pos += 3;
104 + } else if (c < 0xf5) {
105 + size_t avail = str_len - pos;
106 +
107 + if (avail < 4 ||
108 + !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) ||
109 + !utf8_trail(str[pos + 3])) {
110 + if (avail < 2 || utf8_lead(str[pos + 1]))
111 + MB_FAILURE(pos, 1);
112 + else if (avail < 3 || utf8_lead(str[pos + 2]))
113 + MB_FAILURE(pos, 2);
114 + else if (avail < 4 || utf8_lead(str[pos + 3]))
115 + MB_FAILURE(pos, 3);
116 + else
117 + MB_FAILURE(pos, 4);
118 + }
119 +
120 + this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
121 + if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
122 + MB_FAILURE(pos, 4);
123 + }
124 + pos += 4;
125 + } else {
126 + MB_FAILURE(pos, 1);
127 + }
128 +
129 + *cursor = pos;
130 + return this_char;
131 +}
132 +/* }}} */
133 +
134 +
135 /* {{{ xml_utf8_decode */
136 PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding)
137 {
138 - int pos = len;
139 + size_t pos = 0;
140 char *newbuf = emalloc(len + 1);
141 unsigned int c;
142 char (*decoder)(unsigned short) = NULL;
143 @@ -681,36 +782,15 @@ PHPAPI char *xml_utf8_decode(const XML_C
144 newbuf[*newlen] = '\0';
145 return newbuf;
146 }
147 - while (pos > 0) {
148 - c = (unsigned char)(*s);
149 - if (c >= 0xf0) { /* four bytes encoded, 21 bits */
150 - if(pos-4 >= 0) {
151 - c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
152 - } else {
153 - c = '?';
154 - }
155 - s += 4;
156 - pos -= 4;
157 - } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
158 - if(pos-3 >= 0) {
159 - c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
160 - } else {
161 - c = '?';
162 - }
163 - s += 3;
164 - pos -= 3;
165 - } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
166 - if(pos-2 >= 0) {
167 - c = ((s[0]&63)<<6) | (s[1]&63);
168 - } else {
169 - c = '?';
170 - }
171 - s += 2;
172 - pos -= 2;
173 - } else {
174 - s++;
175 - pos--;
176 +
177 + while (pos < (size_t)len) {
178 + int status = FAILURE;
179 + c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status);
180 +
181 + if (status == FAILURE || c > 0xFFU) {
182 + c = '?';
183 }
184 +
185 newbuf[*newlen] = decoder ? decoder(c) : c;
186 ++*newlen;
187 }

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed