/[smeserver]/rpms/php/sme8/php-5.3.3-CVE-2014-3597.patch
ViewVC logotype

Contents of /rpms/php/sme8/php-5.3.3-CVE-2014-3597.patch

Parent Directory Parent Directory | Revision Log Revision Log | View Revision Graph Revision Graph


Revision 1.1 - (show annotations) (download)
Sat Oct 18 10:16:16 2014 UTC (10 years, 1 month ago) by vip-ire
Branch: MAIN
CVS Tags: php-5_3_3-17_el5_sme, php-5_3_3-16_el5_sme, HEAD
* Sat Oct 18 2014 Daniel Berteaud <daniel@firewall-services.com> - 5.3.3-16.sme
- Resync with upstream php53, which include (see [SME: 8574])
- spl: fix use-after-free in ArrayIterator due to object
  change during sorting. CVE-2014-4698
- spl: fix use-after-free in SPL Iterators. CVE-2014-4670
- gd: fix NULL pointer dereference in gdImageCreateFromXpm.
  CVE-2014-2497
- fileinfo: fix incomplete fix for CVE-2012-1571 in
  cdf_read_property_info. CVE-2014-3587
- core: fix incomplete fix for CVE-2014-4049 DNS TXT
  record parsing. CVE-2014-3597

1 --- a/ext/standard/dns.c 2014-08-14 14:43:45.880377423 +0200
2 +++ b/ext/standard/dns.c 2014-08-14 14:51:15.602779946 +0200
3 @@ -402,8 +402,14 @@
4
5 #if HAVE_FULL_DNS_FUNCS
6
7 +#define CHECKCP(n) do { \
8 + if (cp + n > end) { \
9 + return NULL; \
10 + } \
11 +} while (0)
12 +
13 /* {{{ php_parserr */
14 -static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
15 +static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
16 {
17 u_short type, class, dlen;
18 u_long ttl;
19 @@ -415,16 +421,18 @@
20
21 *subarray = NULL;
22
23 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
24 + n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
25 if (n < 0) {
26 return NULL;
27 }
28 cp += n;
29
30 + CHECKCP(10);
31 GETSHORT(type, cp);
32 GETSHORT(class, cp);
33 GETLONG(ttl, cp);
34 GETSHORT(dlen, cp);
35 + CHECKCP(dlen);
36 if (type_to_fetch != T_ANY && type != type_to_fetch) {
37 cp += dlen;
38 return cp;
39 @@ -441,12 +449,14 @@
40 add_assoc_string(*subarray, "host", name, 1);
41 switch (type) {
42 case DNS_T_A:
43 + CHECKCP(4);
44 add_assoc_string(*subarray, "type", "A", 1);
45 snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
46 add_assoc_string(*subarray, "ip", name, 1);
47 cp += dlen;
48 break;
49 case DNS_T_MX:
50 + CHECKCP(2);
51 add_assoc_string(*subarray, "type", "MX", 1);
52 GETSHORT(n, cp);
53 add_assoc_long(*subarray, "pri", n);
54 @@ -465,7 +475,7 @@
55 if (type == DNS_T_PTR) {
56 add_assoc_string(*subarray, "type", "PTR", 1);
57 }
58 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
59 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
60 if (n < 0) {
61 return NULL;
62 }
63 @@ -475,18 +485,22 @@
64 case DNS_T_HINFO:
65 /* See RFC 1010 for values */
66 add_assoc_string(*subarray, "type", "HINFO", 1);
67 + CHECKCP(1);
68 n = *cp & 0xFF;
69 cp++;
70 + CHECKCP(n);
71 add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
72 cp += n;
73 + CHECKCP(1);
74 n = *cp & 0xFF;
75 cp++;
76 + CHECKCP(n);
77 add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
78 cp += n;
79 break;
80 case DNS_T_TXT:
81 {
82 - int ll = 0;
83 + int l1 = 0, l2 = 0;
84 zval *entries = NULL;
85
86 add_assoc_string(*subarray, "type", "TXT", 1);
87 @@ -495,37 +509,42 @@
88 MAKE_STD_ZVAL(entries);
89 array_init(entries);
90
91 - while (ll < dlen) {
92 - n = cp[ll];
93 - if ((ll + n) >= dlen) {
94 + while (l1 < dlen) {
95 + n = cp[l1];
96 + if ((l1 + n) >= dlen) {
97 // Invalid chunk length, truncate
98 - n = dlen - (ll + 1);
99 + n = dlen - (l1 + 1);
100 + }
101 + if (n) {
102 + memcpy(tp + l2 , cp + l1 + 1, n);
103 + add_next_index_stringl(entries, cp + l1 + 1, n, 1);
104 }
105 - memcpy(tp + ll , cp + ll + 1, n);
106 - add_next_index_stringl(entries, cp + ll + 1, n, 1);
107 - ll = ll + n + 1;
108 + l1 = l1 + n + 1;
109 + l2 = l2 + n;
110 }
111 tp[dlen] = '\0';
112 + tp[l2] = '\0';
113 cp += dlen;
114
115 - add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0);
116 + add_assoc_stringl(*subarray, "txt", tp, l2, 0);
117 add_assoc_zval(*subarray, "entries", entries);
118 }
119 break;
120 case DNS_T_SOA:
121 add_assoc_string(*subarray, "type", "SOA", 1);
122 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
123 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
124 if (n < 0) {
125 return NULL;
126 }
127 cp += n;
128 add_assoc_string(*subarray, "mname", name, 1);
129 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
130 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
131 if (n < 0) {
132 return NULL;
133 }
134 cp += n;
135 add_assoc_string(*subarray, "rname", name, 1);
136 + CHECKCP(5*4);
137 GETLONG(n, cp);
138 add_assoc_long(*subarray, "serial", n);
139 GETLONG(n, cp);
140 @@ -539,6 +558,7 @@
141 break;
142 case DNS_T_AAAA:
143 tp = (u_char*)name;
144 + CHECKCP(8*2);
145 for(i=0; i < 8; i++) {
146 GETSHORT(s, cp);
147 if (s != 0) {
148 @@ -573,6 +593,7 @@
149 case DNS_T_A6:
150 p = cp;
151 add_assoc_string(*subarray, "type", "A6", 1);
152 + CHECKCP(1);
153 n = ((int)cp[0]) & 0xFF;
154 cp++;
155 add_assoc_long(*subarray, "masklen", n);
156 @@ -608,6 +629,7 @@
157 cp++;
158 }
159 for (i = (n + 8) / 16; i < 8; i++) {
160 + CHECKCP(2);
161 GETSHORT(s, cp);
162 if (s != 0) {
163 if (tp > (u_char *)name) {
164 @@ -637,7 +659,7 @@
165 tp[0] = '\0';
166 add_assoc_string(*subarray, "ipv6", name, 1);
167 if (cp < p + dlen) {
168 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
169 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
170 if (n < 0) {
171 return NULL;
172 }
173 @@ -646,6 +668,7 @@
174 }
175 break;
176 case DNS_T_SRV:
177 + CHECKCP(3*2);
178 add_assoc_string(*subarray, "type", "SRV", 1);
179 GETSHORT(n, cp);
180 add_assoc_long(*subarray, "pri", n);
181 @@ -653,7 +676,7 @@
182 add_assoc_long(*subarray, "weight", n);
183 GETSHORT(n, cp);
184 add_assoc_long(*subarray, "port", n);
185 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
186 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
187 if (n < 0) {
188 return NULL;
189 }
190 @@ -661,21 +684,35 @@
191 add_assoc_string(*subarray, "target", name, 1);
192 break;
193 case DNS_T_NAPTR:
194 + CHECKCP(2*2);
195 add_assoc_string(*subarray, "type", "NAPTR", 1);
196 GETSHORT(n, cp);
197 add_assoc_long(*subarray, "order", n);
198 GETSHORT(n, cp);
199 add_assoc_long(*subarray, "pref", n);
200 +
201 + CHECKCP(1);
202 n = (cp[0] & 0xFF);
203 - add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
204 + cp++;
205 + CHECKCP(n);
206 + add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
207 cp += n;
208 +
209 + CHECKCP(1);
210 n = (cp[0] & 0xFF);
211 - add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
212 + cp++;
213 + CHECKCP(n);
214 + add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
215 cp += n;
216 +
217 + CHECKCP(1);
218 n = (cp[0] & 0xFF);
219 - add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
220 + cp++;
221 + CHECKCP(n);
222 + add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
223 cp += n;
224 - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
225 +
226 + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
227 if (n < 0) {
228 return NULL;
229 }
230 @@ -842,7 +879,7 @@
231 while (an-- && cp && cp < end) {
232 zval *retval;
233
234 - cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
235 + cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
236 if (retval != NULL && store_results) {
237 add_next_index_zval(return_value, retval);
238 }
239 @@ -855,7 +892,7 @@
240 while (ns-- > 0 && cp && cp < end) {
241 zval *retval = NULL;
242
243 - cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
244 + cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
245 if (retval != NULL) {
246 add_next_index_zval(authns, retval);
247 }
248 @@ -867,7 +904,7 @@
249 while (ar-- > 0 && cp && cp < end) {
250 zval *retval = NULL;
251
252 - cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
253 + cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
254 if (retval != NULL) {
255 add_next_index_zval(addtl, retval);
256 }

admin@koozali.org
ViewVC Help
Powered by ViewVC 1.2.1 RSS 2.0 feed