/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3597.patch

Contents of /rpms/php/sme8/php-5.3.3-CVE-2014-3597.patch



Revision 1.1 - (show annotations) (download)
Sat Oct 18 10:16:16 2014 UTC (9 years, 6 months ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Sat Oct 18 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-16.sme
- Resync with upstream php53, which includes (see [SME: 8574])
- spl: fix use-after-free in ArrayIterator due to object
  change during sorting. CVE-2014-4698
- spl: fix use-after-free in SPL Iterators. CVE-2014-4670
- gd: fix NULL pointer dereference in gdImageCreateFromXpm.
  CVE-2014-2497
- fileinfo: fix incomplete fix for CVE-2012-1571 in
  cdf_read_property_info. CVE-2014-3587
- core: fix incomplete fix for CVE-2014-4049 DNS TXT
  record parsing. CVE-2014-3597

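--- a/ext/standard/dns.c
+++ b/ext/standard/dns.c
@@ -402,8 +402,14 @@
 
 #if HAVE_FULL_DNS_FUNCS
 
+#define CHECKCP(n) do { \
+ if (cp + n > end) { \
+ return NULL; \
+ } \
+} while (0)
+
 /* {{{ php_parserr */
-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
+static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
 {
 u_short type, class, dlen;
 u_long ttl;
@@ -415,16 +421,18 @@
 
 *subarray = NULL;
 
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
 if (n < 0) {
 return NULL;
 }
 cp += n;
 
+ CHECKCP(10);
 GETSHORT(type, cp);
 GETSHORT(class, cp);
 GETLONG(ttl, cp);
 GETSHORT(dlen, cp);
+ CHECKCP(dlen);
 if (type_to_fetch != T_ANY && type != type_to_fetch) {
 cp += dlen;
 return cp;
@@ -441,12 +449,14 @@
 add_assoc_string(*subarray, "host", name, 1);
 switch (type) {
 case DNS_T_A:
+ CHECKCP(4);
 add_assoc_string(*subarray, "type", "A", 1);
 snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
 add_assoc_string(*subarray, "ip", name, 1);
 cp += dlen;
 break;
 case DNS_T_MX:
+ CHECKCP(2);
 add_assoc_string(*subarray, "type", "MX", 1);
 GETSHORT(n, cp);
 add_assoc_long(*subarray, "pri", n);
@@ -465,7 +475,7 @@
 if (type == DNS_T_PTR) {
 add_assoc_string(*subarray, "type", "PTR", 1);
 }
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 if (n < 0) {
 return NULL;
 }
@@ -475,18 +485,22 @@
 case DNS_T_HINFO:
 /* See RFC 1010 for values */
 add_assoc_string(*subarray, "type", "HINFO", 1);
+ CHECKCP(1);
 n = *cp & 0xFF;
 cp++;
+ CHECKCP(n);
 add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
 cp += n;
+ CHECKCP(1);
 n = *cp & 0xFF;
 cp++;
+ CHECKCP(n);
 add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
 cp += n;
 break;
 case DNS_T_TXT:
 {
- int ll = 0;
+ int l1 = 0, l2 = 0;
 zval *entries = NULL;
 
 add_assoc_string(*subarray, "type", "TXT", 1);
@@ -495,37 +509,42 @@
 MAKE_STD_ZVAL(entries);
 array_init(entries);
 
- while (ll < dlen) {
- n = cp[ll];
- if ((ll + n) >= dlen) {
+ while (l1 < dlen) {
+ n = cp[l1];
+ if ((l1 + n) >= dlen) {
 // Invalid chunk length, truncate
- n = dlen - (ll + 1);
+ n = dlen - (l1 + 1);
+ }
+ if (n) {
+ memcpy(tp + l2 , cp + l1 + 1, n);
+ add_next_index_stringl(entries, cp + l1 + 1, n, 1);
 }
- memcpy(tp + ll , cp + ll + 1, n);
- add_next_index_stringl(entries, cp + ll + 1, n, 1);
- ll = ll + n + 1;
+ l1 = l1 + n + 1;
+ l2 = l2 + n;
 }
 tp[dlen] = '\0';
+ tp[l2] = '\0';
 cp += dlen;
 
- add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0);
+ add_assoc_stringl(*subarray, "txt", tp, l2, 0);
 add_assoc_zval(*subarray, "entries", entries);
 }
 break;
 case DNS_T_SOA:
 add_assoc_string(*subarray, "type", "SOA", 1);
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
 if (n < 0) {
 return NULL;
 }
 cp += n;
 add_assoc_string(*subarray, "mname", name, 1);
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
 if (n < 0) {
 return NULL;
 }
 cp += n;
 add_assoc_string(*subarray, "rname", name, 1);
+ CHECKCP(5*4);
 GETLONG(n, cp);
 add_assoc_long(*subarray, "serial", n);
 GETLONG(n, cp);
@@ -539,6 +558,7 @@
 break;
 case DNS_T_AAAA:
 tp = (u_char*)name;
+ CHECKCP(8*2);
 for(i=0; i < 8; i++) {
 GETSHORT(s, cp);
 if (s != 0) {
@@ -573,6 +593,7 @@
 case DNS_T_A6:
 p = cp;
 add_assoc_string(*subarray, "type", "A6", 1);
+ CHECKCP(1);
 n = ((int)cp[0]) & 0xFF;
 cp++;
 add_assoc_long(*subarray, "masklen", n);
@@ -608,6 +629,7 @@
 cp++;
 }
 for (i = (n + 8) / 16; i < 8; i++) {
+ CHECKCP(2);
 GETSHORT(s, cp);
 if (s != 0) {
 if (tp > (u_char *)name) {
@@ -637,7 +659,7 @@
 tp[0] = '\0';
 add_assoc_string(*subarray, "ipv6", name, 1);
 if (cp < p + dlen) {
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 if (n < 0) {
 return NULL;
 }
@@ -646,6 +668,7 @@
 }
 break;
 case DNS_T_SRV:
+ CHECKCP(3*2);
 add_assoc_string(*subarray, "type", "SRV", 1);
 GETSHORT(n, cp);
 add_assoc_long(*subarray, "pri", n);
@@ -653,7 +676,7 @@
 add_assoc_long(*subarray, "weight", n);
 GETSHORT(n, cp);
 add_assoc_long(*subarray, "port", n);
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 if (n < 0) {
 return NULL;
 }
@@ -661,21 +684,35 @@
 add_assoc_string(*subarray, "target", name, 1);
 break;
 case DNS_T_NAPTR:
+ CHECKCP(2*2);
 add_assoc_string(*subarray, "type", "NAPTR", 1);
 GETSHORT(n, cp);
 add_assoc_long(*subarray, "order", n);
 GETSHORT(n, cp);
 add_assoc_long(*subarray, "pref", n);
+
+ CHECKCP(1);
 n = (cp[0] & 0xFF);
- add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
+ cp++;
+ CHECKCP(n);
+ add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
 cp += n;
+
+ CHECKCP(1);
 n = (cp[0] & 0xFF);
- add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
+ cp++;
+ CHECKCP(n);
+ add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
 cp += n;
+
+ CHECKCP(1);
 n = (cp[0] & 0xFF);
- add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
+ cp++;
+ CHECKCP(n);
+ add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
 cp += n;
- n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+
+ n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 if (n < 0) {
 return NULL;
 }
@@ -842,7 +879,7 @@
 while (an-- && cp && cp < end) {
 zval *retval;
 
- cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
+ cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
 if (retval != NULL && store_results) {
 add_next_index_zval(return_value, retval);
 }
@@ -855,7 +892,7 @@
 while (ns-- > 0 && cp && cp < end) {
 zval *retval = NULL;
 
- cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
+ cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
 if (retval != NULL) {
 add_next_index_zval(authns, retval);
 }
@@ -867,7 +904,7 @@
 while (ar-- > 0 && cp && cp < end) {
 zval *retval = NULL;
 
- cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
+ cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
 if (retval != NULL) {
 add_next_index_zval(addtl, retval);
 }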
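Review bot: `CHECKCP` in the first hunk tests `cp + n > end`, which forms the pointer before comparing it; with `n` as large as the 16-bit `dlen`, that addition is undefined once it goes beyond one-past-the-end of the answer buffer, so the check would be sturdier comparing lengths with the argument parenthesised: `if ((n) > end - cp) { return NULL; }`. The macro also hides a `return NULL` that, inside the `switch`, fires after `*subarray` already holds the `host` key, and the call sites in the last three hunks append a non-NULL `retval`, so a truncated answer appears to surface as a partial record rather than an error; a comment on the macro should say this. Every check is against the packet `end` rather than the record's own `cp + dlen`, so the length-prefixed HINFO and NAPTR strings can still extend into the bytes of the following record. php_parserr begins in the first hunk and its body is only partly visible across these hunks.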
