packages/php
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2020-7059

Browse Source
This commit is contained in:
panxiaohe 2021-01-15 15:31:34 +08:00
parent 453da26429
commit e4f73ae2d2
2 changed files with 85 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
backport-CVE-2020-7059-Fix-79099-OOB-read.patch Normal file
View File

@ -0,0 +1,80 @@
From 0f79b1bf301f455967676b5129240140c5c45b09 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 20 Jan 2020 21:33:17 -0800
Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex
---
ext/standard/string.c | 6 ++---
ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 3 deletions(-)
create mode 100644 ext/standard/tests/file/bug79099.phpt
diff --git a/ext/standard/string.c b/ext/standard/string.c
index da51cd0966fc..fb44cc505d9d 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4866,7 +4866,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
if (state == 4) {
/* Inside <!-- comment --> */
break;
- } else if (state == 2 && *(p-1) != '\\') {
+ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') {
if (lc == c) {
lc = '\0';
} else if (lc != '\\') {
@@ -4893,7 +4893,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
case '!':
/* JavaScript & Other HTML scripting languages */
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
state = 3;
lc = c;
} else {
@@ -4920,7 +4920,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, uint8_t *stateptr, const
case '?':
- if (state == 1 && *(p-1) == '<') {
+ if (state == 1 && p >= buf + 1 && *(p-1) == '<') {
br=0;
state=2;
break;
diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt
new file mode 100644
index 000000000000..7c842f4654f0
--- /dev/null
+++ b/ext/standard/tests/file/bug79099.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #79099 (OOB read in php_strip_tags_ex)
+--FILE--
+<?php
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<?\n\"\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n!\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+
+$stream = fopen('php://memory', 'w+');
+fputs($stream, "<\0\n?\n");
+rewind($stream);
+var_dump(fgetss($stream));
+var_dump(fgetss($stream));
+fclose($stream);
+?>
+--EXPECT--
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""
+string(0) ""

6
php.spec
View File

@ -28,7 +28,7 @@
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
Release: 9
Release: 10
Summary: PHP scripting language for creating dynamic web sites
License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
URL: http://www.php.net/
@ -97,6 +97,7 @@ Patch6023: CVE-2020-7066.patch
Patch6024: CVE-2019-11048.patch
Patch6025: CVE-2020-7068.patch
Patch6026: CVE-2020-7063.patch
Patch6027: backport-CVE-2020-7059-Fix-79099-OOB-read.patch
BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@ -1158,6 +1159,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
%changelog
* Fri Jan 15 2021 panxiaohe <panxiaohe@huawei.com> - 7.2.10-10
- Fix CVE-2020-7059
* Thu Dec 17 2020 wangchen <wangchen137@huawei.com> - 7.2.10-9
- Fix CVE-2020-7063