[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/ext/standard/string.c branches/PHP_5_3/ext/standard/tests/strings/bug54238.phpt trunk/ext/standard/string.c trunk/ext/standard/tests

2011-04-13 Thread Stanislav Malyshev
stas Wed, 13 Apr 2011 06:32:41 +

Revision: http://svn.php.net/viewvc?view=revisionrevision=310194

Log:
fix bug #54238 (use-after-free in substr_replace())

Bug: http://bugs.php.net/54238 (error getting bug information)
  
Changed paths:
U   php/php-src/branches/PHP_5_3/NEWS
U   php/php-src/branches/PHP_5_3/ext/standard/string.c
A   php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug54238.phpt
U   php/php-src/trunk/ext/standard/string.c
A   php/php-src/trunk/ext/standard/tests/strings/bug54238.phpt

Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS	2011-04-13 03:32:19 UTC (rev 310193)
+++ php/php-src/branches/PHP_5_3/NEWS	2011-04-13 06:32:41 UTC (rev 310194)
@@ -17,6 +17,7 @@
   . Implemented FR #54459 (Range function accuracy). (Adam)
   . Fixed bug #54454 (substr_compare incorrectly reports equality in some
 cases). (Pierrick)
+  . Fixed bug #54238 (use-after-free in substr_replace()). (Stas)
   . Fixed bug #54180 (parse_url() incorrectly parses path when ? in fragment).
 (tomas dot brastavicius at quantum dot lt, Pierrick)
   . Fixed bug #48465 (sys_get_temp_dir() possibly inconsistent when using

Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c
===
--- php/php-src/branches/PHP_5_3/ext/standard/string.c	2011-04-13 03:32:19 UTC (rev 310193)
+++ php/php-src/branches/PHP_5_3/ext/standard/string.c	2011-04-13 06:32:41 UTC (rev 310194)
@@ -2352,20 +2352,35 @@

 		zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), pos_str);
 		while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) tmp_str, pos_str) == SUCCESS) {
-			convert_to_string_ex(tmp_str);
+			zval *orig_str;
+			zval dummy;
+			if(Z_TYPE_PP(tmp_str) != IS_STRING) {
+dummy = **tmp_str;
+orig_str = dummy;
+zval_copy_ctor(orig_str);
+convert_to_string(orig_str);
+			} else {
+orig_str = *tmp_str;
+			}

 			if (Z_TYPE_PP(from) == IS_ARRAY) {
 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) tmp_from, pos_from)) {
-	convert_to_long_ex(tmp_from);
+	if(Z_TYPE_PP(tmp_from) != IS_LONG) {
+		zval dummy = **tmp_from;
+		zval_copy_ctor(dummy);
+		convert_to_long(dummy);
+		f = Z_LVAL(dummy);
+	} else {
+		f = Z_LVAL_PP(tmp_from);
+	}

-	f = Z_LVAL_PP(tmp_from);
 	if (f  0) {
-		f = Z_STRLEN_PP(tmp_str) + f;
+		f = Z_STRLEN_P(orig_str) + f;
 		if (f  0) {
 			f = 0;
 		}
-	} else if (f  Z_STRLEN_PP(tmp_str)) {
-		f = Z_STRLEN_PP(tmp_str);
+	} else if (f  Z_STRLEN_P(orig_str)) {
+		f = Z_STRLEN_P(orig_str);
 	}
 	zend_hash_move_forward_ex(Z_ARRVAL_PP(from), pos_from);
 } else {
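Review bot: The `zval dummy = **tmp_from;` declared in the non-long branch shadows the `zval dummy` declared at the top of the loop body that `orig_str` points to, so a `zval_dtor(&dummy)` written inside the inner block would release the wrong object; the same shadowing recurs in the `tmp_len` branch of the second hunk. Naming the temporaries after their source, as the `repl` branch already does with `zrepl`, removes the ambiguity: `zval zfrom = **tmp_from;` here (and `zval zlen = **tmp_len;` in the next hunk), with the three uses in each block renamed to match. The converted copy behind `orig_str` owns its own string buffer after `convert_to_string`, so every iteration that takes the non-string path needs a `zval_dtor(&dummy)` once the element has been processed; that release is not visible in this hunk and presumably sits in the rest of the loop body, which continues past it, as the enclosing substr_replace() begins before it. A comment on `orig_str = *tmp_str;`, `/* aliases the array element: nothing below may convert or free *tmp_str in place (bug #54238) */`, would record why each conversion in this loop now works on a copy rather than on the shared zval.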
@@ -2374,72 +2389,94 @@
 			} else {
 f = Z_LVAL_PP(from);
 if (f  0) {
-	f = Z_STRLEN_PP(tmp_str) + f;
+	f = Z_STRLEN_P(orig_str) + f;
 	if (f  0) {
 		f = 0;
 	}
-} else if (f  Z_STRLEN_PP(tmp_str)) {
-	f = Z_STRLEN_PP(tmp_str);
+} else if (f  Z_STRLEN_P(orig_str)) {
+	f = Z_STRLEN_P(orig_str);
 }
 			}

 			if (argc  3  Z_TYPE_PP(len) == IS_ARRAY) {
 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) tmp_len, pos_len)) {
-	convert_to_long_ex(tmp_len);
+	if(Z_TYPE_PP(tmp_len) != IS_LONG) {
+		zval dummy = **tmp_len;
+		zval_copy_ctor(dummy);
+		convert_to_long(dummy);
+		l = Z_LVAL(dummy);
+	} else {
+		l = Z_LVAL_PP(tmp_len);
+	}

 	l = Z_LVAL_PP(tmp_len);
 	zend_hash_move_forward_ex(Z_ARRVAL_PP(len), pos_len);
 } else {
-	l = Z_STRLEN_PP(tmp_str);
+	l = Z_STRLEN_P(orig_str);
 }
 			} else if (argc  3) {
 l = Z_LVAL_PP(len);
 			} else {
-l = Z_STRLEN_PP(tmp_str);
+l = Z_STRLEN_P(orig_str);
 			}

 			if (l  0) {
-l = (Z_STRLEN_PP(tmp_str) - f) + l;
+l = (Z_STRLEN_P(orig_str) - f) + l;
 if (l  0) {
 	l = 0;
 }
 			}

-			if ((f + l)  Z_STRLEN_PP(tmp_str)) {
-l = Z_STRLEN_PP(tmp_str) - f;
+			if ((f + l)  Z_STRLEN_P(orig_str)) {
+l = Z_STRLEN_P(orig_str) - f;
 			}

-			result_len = Z_STRLEN_PP(tmp_str) - l;
+			result_len = Z_STRLEN_P(orig_str) - l;

 			if (Z_TYPE_PP(repl) == IS_ARRAY) {
 if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) tmp_repl, pos_repl)) {
-	convert_to_string_ex(tmp_repl);
-	result_len += Z_STRLEN_PP(tmp_repl);
+	zval *repl_str;
+	zval zrepl;
+	if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
+		zrepl = **tmp_repl;
+		repl_str = zrepl;
+		zval_copy_ctor(repl_str);
+		convert_to_string(repl_str);
+	} else {
+		repl_str = *tmp_repl;
+	}
+
+	result_len += Z_STRLEN_P(repl_str);
 	zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), pos_repl);
 	result = emalloc(result_len + 1);

-	memcpy(result, Z_STRVAL_PP(tmp_str), f);
-		

Re: [PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/NEWS branches/PHP_5_3/ext/standard/string.c branches/PHP_5_3/ext/standard/tests/strings/bug54238.phpt trunk/ext/standard/string.c trunk/ext/standard/t

2011-04-13 Thread Pierre Joye
hi Stas,

please add the CVE to the news entry.

On Wed, Apr 13, 2011 at 8:32 AM, Stanislav Malyshev s...@php.net wrote:
 stas                                     Wed, 13 Apr 2011 06:32:41 +

 Revision: http://svn.php.net/viewvc?view=revisionrevision=310194

 Log:
 fix bug #54238 (use-after-free in substr_replace())

 Bug: http://bugs.php.net/54238 (error getting bug information)

 Changed paths:
    U   php/php-src/branches/PHP_5_3/NEWS
    U   php/php-src/branches/PHP_5_3/ext/standard/string.c
    A   php/php-src/branches/PHP_5_3/ext/standard/tests/strings/bug54238.phpt
    U   php/php-src/trunk/ext/standard/string.c
    A   php/php-src/trunk/ext/standard/tests/strings/bug54238.phpt






-- 
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org




[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/standard/string.c trunk/ext/standard/string.c

2011-04-13 Thread Felipe Pena
felipe   Wed, 13 Apr 2011 13:38:52 +

Revision: http://svn.php.net/viewvc?view=revisionrevision=310209

Log:
- Remove undesired line (reported by Gökhan Özbulak)

Changed paths:
U   php/php-src/branches/PHP_5_3/ext/standard/string.c
U   php/php-src/trunk/ext/standard/string.c

Modified: php/php-src/branches/PHP_5_3/ext/standard/string.c
===
--- php/php-src/branches/PHP_5_3/ext/standard/string.c  2011-04-13 12:23:46 UTC 
(rev 310208)
+++ php/php-src/branches/PHP_5_3/ext/standard/string.c  2011-04-13 13:38:52 UTC 
(rev 310209)
@@ -2408,8 +2408,6 @@
} else {
l = Z_LVAL_PP(tmp_len);
}
-
-   l = Z_LVAL_PP(tmp_len);

zend_hash_move_forward_ex(Z_ARRVAL_PP(len), pos_len);
} else {
l = Z_STRLEN_P(orig_str);

Modified: php/php-src/trunk/ext/standard/string.c
===
--- php/php-src/trunk/ext/standard/string.c 2011-04-13 12:23:46 UTC (rev 
310208)
+++ php/php-src/trunk/ext/standard/string.c 2011-04-13 13:38:52 UTC (rev 
310209)
@@ -2408,8 +2408,6 @@
} else {
l = Z_LVAL_PP(tmp_len);
}
-
-   l = Z_LVAL_PP(tmp_len);

zend_hash_move_forward_ex(Z_ARRVAL_PP(len), pos_len);
} else {
l = Z_STRLEN_P(orig_str);


[PHP-CVS] svn: /php/php-src/branches/PHP_5_3/ NEWS

2011-04-13 Thread Stanislav Malyshev
stas Wed, 13 Apr 2011 17:33:00 +

Revision: http://svn.php.net/viewvc?view=revisionrevision=310212

Log:
add CVE

Changed paths:
U   php/php-src/branches/PHP_5_3/NEWS

Modified: php/php-src/branches/PHP_5_3/NEWS
===
--- php/php-src/branches/PHP_5_3/NEWS   2011-04-13 16:09:10 UTC (rev 310211)
+++ php/php-src/branches/PHP_5_3/NEWS   2011-04-13 17:33:00 UTC (rev 310212)
@@ -18,6 +18,7 @@
   . Fixed bug #54454 (substr_compare incorrectly reports equality in some
 cases). (Pierrick)
   . Fixed bug #54238 (use-after-free in substr_replace()). (Stas)
+(CVE-2011-1148)
   . Fixed bug #54180 (parse_url() incorrectly parses path when ? in fragment).
 (tomas dot brastavicius at quantum dot lt, Pierrick)
   . Fixed bug #48465 (sys_get_temp_dir() possibly inconsistent when using
