/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3597.patch
ViewVC logotype

Annotation of /rpms/php/sme8/php-5.3.3-CVE-2014-3597.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph

Revision 1.1 - (hide annotations) (download)
Sat Oct 18 10:16:16 2014 UTC (10 years ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-16_el5_sme, HEAD 
* Sat Oct 18 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-16.sme
- Resync with upstream php53, which include (see [SME: 8574])
- spl: fix use-after-free in ArrayIterator due to object
  change during sorting. CVE-2014-4698
- spl: fix use-after-free in SPL Iterators. CVE-2014-4670
- gd: fix NULL pointer dereference in gdImageCreateFromXpm.
  CVE-2014-2497
- fileinfo: fix incomplete fix for CVE-2012-1571 in
  cdf_read_property_info. CVE-2014-3587
- core: fix incomplete fix for CVE-2014-4049 DNS TXT
  record parsing. CVE-2014-3597
1 vip-ire 1.1 --- a/ext/standard/dns.c 2014-08-14 14:43:45.880377423 +0200
2     +++ b/ext/standard/dns.c 2014-08-14 14:51:15.602779946 +0200
3     @@ -402,8 +402,14 @@
4    
5     #if HAVE_FULL_DNS_FUNCS
6    
7     +#define CHECKCP(n) do { \
8     + if (cp + n > end) { \
9     + return NULL; \
10     + } \
11     +} while (0)
12     +
13     /* {{{ php_parserr */
14     -static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
15     +static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
16     {
17     u_short type, class, dlen;
18     u_long ttl;
19     @@ -415,16 +421,18 @@
20    
21     *subarray = NULL;
22    
23     - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
24     + n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
25     if (n < 0) {
26     return NULL;
27     }
28     cp += n;
29    
30     + CHECKCP(10);
31     GETSHORT(type, cp);
32     GETSHORT(class, cp);
33     GETLONG(ttl, cp);
34     GETSHORT(dlen, cp);
35     + CHECKCP(dlen);
36     if (type_to_fetch != T_ANY && type != type_to_fetch) {
37     cp += dlen;
38     return cp;
39     @@ -441,12 +449,14 @@
40     add_assoc_string(*subarray, "host", name, 1);
41     switch (type) {
42     case DNS_T_A:
43     + CHECKCP(4);
44     add_assoc_string(*subarray, "type", "A", 1);
45     snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
46     add_assoc_string(*subarray, "ip", name, 1);
47     cp += dlen;
48     break;
49     case DNS_T_MX:
50     + CHECKCP(2);
51     add_assoc_string(*subarray, "type", "MX", 1);
52     GETSHORT(n, cp);
53     add_assoc_long(*subarray, "pri", n);
54     @@ -465,7 +475,7 @@
55     if (type == DNS_T_PTR) {
56     add_assoc_string(*subarray, "type", "PTR", 1);
57     }
58     - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
59     + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
60     if (n < 0) {
61     return NULL;
62     }
63     @@ -475,18 +485,22 @@
64     case DNS_T_HINFO:
65     /* See RFC 1010 for values */
66     add_assoc_string(*subarray, "type", "HINFO", 1);
67     + CHECKCP(1);
68     n = *cp & 0xFF;
69     cp++;
70     + CHECKCP(n);
71     add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
72     cp += n;
73     + CHECKCP(1);
74     n = *cp & 0xFF;
75     cp++;
76     + CHECKCP(n);
77     add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
78     cp += n;
79     break;
80     case DNS_T_TXT:
81     {
82     - int ll = 0;
83     + int l1 = 0, l2 = 0;
84     zval *entries = NULL;
85    
86     add_assoc_string(*subarray, "type", "TXT", 1);
87     @@ -495,37 +509,42 @@
88     MAKE_STD_ZVAL(entries);
89     array_init(entries);
90    
91     - while (ll < dlen) {
92     - n = cp[ll];
93     - if ((ll + n) >= dlen) {
94     + while (l1 < dlen) {
95     + n = cp[l1];
96     + if ((l1 + n) >= dlen) {
97     // Invalid chunk length, truncate
98     - n = dlen - (ll + 1);
99     + n = dlen - (l1 + 1);
100     + }
101     + if (n) {
102     + memcpy(tp + l2 , cp + l1 + 1, n);
103     + add_next_index_stringl(entries, cp + l1 + 1, n, 1);
104     }
105     - memcpy(tp + ll , cp + ll + 1, n);
106     - add_next_index_stringl(entries, cp + ll + 1, n, 1);
107     - ll = ll + n + 1;
108     + l1 = l1 + n + 1;
109     + l2 = l2 + n;
110     }
111     tp[dlen] = '\0';
112     + tp[l2] = '\0';
113     cp += dlen;
114    
115     - add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0);
116     + add_assoc_stringl(*subarray, "txt", tp, l2, 0);
117     add_assoc_zval(*subarray, "entries", entries);
118     }
119     break;
120     case DNS_T_SOA:
121     add_assoc_string(*subarray, "type", "SOA", 1);
122     - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
123     + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
124     if (n < 0) {
125     return NULL;
126     }
127     cp += n;
128     add_assoc_string(*subarray, "mname", name, 1);
129     - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
130     + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
131     if (n < 0) {
132     return NULL;
133     }
134     cp += n;
135     add_assoc_string(*subarray, "rname", name, 1);
136     + CHECKCP(5*4);
137     GETLONG(n, cp);
138     add_assoc_long(*subarray, "serial", n);
139     GETLONG(n, cp);
140     @@ -539,6 +558,7 @@
141     break;
142     case DNS_T_AAAA:
143     tp = (u_char*)name;
144     + CHECKCP(8*2);
145     for(i=0; i < 8; i++) {
146     GETSHORT(s, cp);
147     if (s != 0) {
148     @@ -573,6 +593,7 @@
149     case DNS_T_A6:
150     p = cp;
151     add_assoc_string(*subarray, "type", "A6", 1);
152     + CHECKCP(1);
153     n = ((int)cp[0]) & 0xFF;
154     cp++;
155     add_assoc_long(*subarray, "masklen", n);
156     @@ -608,6 +629,7 @@
157     cp++;
158     }
159     for (i = (n + 8) / 16; i < 8; i++) {
160     + CHECKCP(2);
161     GETSHORT(s, cp);
162     if (s != 0) {
163     if (tp > (u_char *)name) {
164     @@ -637,7 +659,7 @@
165     tp[0] = '\0';
166     add_assoc_string(*subarray, "ipv6", name, 1);
167     if (cp < p + dlen) {
168     - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
169     + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
170     if (n < 0) {
171     return NULL;
172     }
173     @@ -646,6 +668,7 @@
174     }
175     break;
176     case DNS_T_SRV:
177     + CHECKCP(3*2);
178     add_assoc_string(*subarray, "type", "SRV", 1);
179     GETSHORT(n, cp);
180     add_assoc_long(*subarray, "pri", n);
181     @@ -653,7 +676,7 @@
182     add_assoc_long(*subarray, "weight", n);
183     GETSHORT(n, cp);
184     add_assoc_long(*subarray, "port", n);
185     - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
186     + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
187     if (n < 0) {
188     return NULL;
189     }
190     @@ -661,21 +684,35 @@
191     add_assoc_string(*subarray, "target", name, 1);
192     break;
193     case DNS_T_NAPTR:
194     + CHECKCP(2*2);
195     add_assoc_string(*subarray, "type", "NAPTR", 1);
196     GETSHORT(n, cp);
197     add_assoc_long(*subarray, "order", n);
198     GETSHORT(n, cp);
199     add_assoc_long(*subarray, "pref", n);
200     +
201     + CHECKCP(1);
202     n = (cp[0] & 0xFF);
203     - add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
204     + cp++;
205     + CHECKCP(n);
206     + add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
207     cp += n;
208     +
209     + CHECKCP(1);
210     n = (cp[0] & 0xFF);
211     - add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
212     + cp++;
213     + CHECKCP(n);
214     + add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
215     cp += n;
216     +
217     + CHECKCP(1);
218     n = (cp[0] & 0xFF);
219     - add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
220     + cp++;
221     + CHECKCP(n);
222     + add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
223     cp += n;
224     - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
225     +
226     + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
227     if (n < 0) {
228     return NULL;
229     }
230     @@ -842,7 +879,7 @@
231     while (an-- && cp && cp < end) {
232     zval *retval;
233    
234     - cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
235     + cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
236     if (retval != NULL && store_results) {
237     add_next_index_zval(return_value, retval);
238     }
239     @@ -855,7 +892,7 @@
240     while (ns-- > 0 && cp && cp < end) {
241     zval *retval = NULL;
242    
243     - cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
244     + cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
245     if (retval != NULL) {
246     add_next_index_zval(authns, retval);
247     }
248     @@ -867,7 +904,7 @@
249     while (ar-- > 0 && cp && cp < end) {
250     zval *retval = NULL;
251    
252     - cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
253     + cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
254     if (retval != NULL) {
255     add_next_index_zval(addtl, retval);
256     }
admin@koozali.org
 ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed