Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
> On Sun, 05 Feb 2012 15:00:11 +0100, Gustavo Lopes wrote:
>> On Sun, 5 Feb 2012 14:37:27 +0100, Pierre Joye wrote:
>>> 2012/2/5 Gustavo Lopes :
>>>>> All the length and position variables are of type size_t, so I'd say we'd be out of memory long before that could be a problem (unless there's some architecture of which I'm not aware where SIZE_T is low enough for this to be a problem).
>>>>
>>>> read: SIZE_MAX, not SIZE_T
>>>
>>> By the way, SIZE_MAX (can be up to 65k or so afair) should not be used in relation with buffer (string or other) length. It defines the maximum size of a single object allocation that the compiler can manage. Not sure if it is actually what you want here.
>>
>> SIZE_MAX is indeed the limit of size_t. See ISO/IEC 9899:TC3, section 7.18.3 on http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf (page 259).
>>
>> Forgetting the irrelevant case where size_t is 16 bit wide, there is indeed a potential problem if size_t is 32-bit wide. First, if you can pass a string with about 2GB, the multiplication by 2 would wrap around. But you could even pass a smaller string (possibly 10/15 times less, I don't know what's the maximum expansion factor of htmlentities) and then it could wrap in the reallocation.
>>
>> I'll take this into account.
>
> See http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/html.c?r1=323079&r2=323078&pathrev=323079
>
> I don't know if this is worth merging to 5.4 at this point; after all 5.3 has the same problem.

Obrigado! I think this bug (although probably exploitable) is low risk, since it requires a large 'memory_limit' value to be triggerable.
Your last patch seems good to me.

Nuno

--
PHP CVS Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
On Sun, 05 Feb 2012 15:00:11 +0100, Gustavo Lopes wrote:
> On Sun, 5 Feb 2012 14:37:27 +0100, Pierre Joye wrote:
>> 2012/2/5 Gustavo Lopes :
>>>> All the length and position variables are of type size_t, so I'd say we'd be out of memory long before that could be a problem (unless there's some architecture of which I'm not aware where SIZE_T is low enough for this to be a problem).
>>>
>>> read: SIZE_MAX, not SIZE_T
>>
>> By the way, SIZE_MAX (can be up to 65k or so afair) should not be used in relation with buffer (string or other) length. It defines the maximum size of a single object allocation that the compiler can manage. Not sure if it is actually what you want here.
>
> SIZE_MAX is indeed the limit of size_t. See ISO/IEC 9899:TC3, section 7.18.3 on http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf (page 259).
>
> Forgetting the irrelevant case where size_t is 16 bit wide, there is indeed a potential problem if size_t is 32-bit wide. First, if you can pass a string with about 2GB, the multiplication by 2 would wrap around. But you could even pass a smaller string (possibly 10/15 times less, I don't know what's the maximum expansion factor of htmlentities) and then it could wrap in the reallocation.
>
> I'll take this into account.

See http://svn.php.net/viewvc/php/php-src/trunk/ext/standard/html.c?r1=323079&r2=323078&pathrev=323079

I don't know if this is worth merging to 5.4 at this point; after all 5.3 has the same problem.

--
Gustavo Lopes
[PHP-CVS] svn: /php/php-src/trunk/ext/standard/ html.c
cataphract Sun, 05 Feb 2012 14:57:57 + Revision: http://svn.php.net/viewvc?view=revision&revision=323079 Log: - Fixed possible unsigned int wrap around in html.c. Note that 5.3 has the same (potential) problem; even though the code is substantially different, the variable name and the fashion it was incremented was kept. Changed paths: U php/php-src/trunk/ext/standard/html.c Modified: php/php-src/trunk/ext/standard/html.c === --- php/php-src/trunk/ext/standard/html.c 2012-02-05 11:45:01 UTC (rev 323078) +++ php/php-src/trunk/ext/standard/html.c 2012-02-05 14:57:57 UTC (rev 323079) @@ -1257,9 +1257,13 @@ maxlen = 128; } else { maxlen = 2 * oldlen; + if (maxlen < oldlen) { + zend_error_noreturn(E_ERROR, "Input string is too long"); + return NULL; + } } - replaced = emalloc(maxlen + 1); + replaced = emalloc(maxlen + 1); /* adding 1 is safe: maxlen is even */ len = 0; cursor = 0; while (cursor < oldlen) { @@ -1271,8 +1275,9 @@ /* guarantee we have at least 40 bytes to write. * In HTML5, entities may take up to 33 bytes */ - if (len + 40 > maxlen) { - replaced = erealloc(replaced, (maxlen += 128) + 1); + if (len > maxlen - 40) { /* maxlen can never be smaller than 128 */ + replaced = safe_erealloc(replaced, maxlen , 1, 128 + 1); + maxlen += 128; } if (status == FAILURE) { @@ -1401,8 +1406,11 @@ } /* checks passed; copy entity to result */ /* entity size is unbounded, we may need more memory */ - if (maxlen < len + ent_len + 2 /* & and ; */) { - replaced = erealloc(replaced, (maxlen += ent_len + 128) + 1); + /* at this point maxlen - len >= 40 */ + if (maxlen - len < ent_len + 2 /* & and ; */) { + /* ent_len < oldlen, which is certainly <= SIZE_MAX/2 */ + replaced = safe_erealloc(replaced, maxlen, 1, ent_len + 128 + 1); + maxlen += ent_len + 128; } replaced[len++] = '&'; memcpy(&replaced[len], &old[cursor], ent_len); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
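Review bot: in the `@@ -1257,9 +1257,13 @@` hunk, the `return NULL;` after `zend_error_noreturn(E_ERROR, ...)` is unreachable; if it is only there to quiet compilers, a comment should say so. The wrap test `maxlen < oldlen` is valid for unsigned arithmetic, but it runs after `maxlen = 2 * oldlen` has already wrapped; comparing `oldlen` against half the `size_t` maximum before doubling states the intent more directly.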
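Review bot: in the `@@ -1271,8 +1275,9 @@` hunk, `len > maxlen - 40` is safe only because of the invariant named in the comment (`maxlen` is never below 128), and nothing in this hunk enforces it. A note next to the initial estimate saying that 128 is a lower bound this subtraction relies on would keep a later change from turning it into a wrap. There is also a stray space in `maxlen , 1`.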
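Review bot: in the `@@ -1401,8 +1406,11 @@` hunk, `ent_len + 128 + 1` is evaluated before `safe_erealloc` sees it, so its safety rests entirely on the comment `ent_len < oldlen, which is certainly <= SIZE_MAX/2`. That bound holds only because of the `maxlen < oldlen` check added in the first hunk, so the comment should point at that check to keep the dependency visible. The claim `maxlen - len >= 40` likewise depends on the earlier growth step and would be worth an assertion in debug builds.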
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
On Sun, 5 Feb 2012 14:37:27 +0100, Pierre Joye wrote:
> 2012/2/5 Gustavo Lopes :
>>> All the length and position variables are of type size_t, so I'd say we'd be out of memory long before that could be a problem (unless there's some architecture of which I'm not aware where SIZE_T is low enough for this to be a problem).
>>
>> read: SIZE_MAX, not SIZE_T
>
> By the way, SIZE_MAX (can be up to 65k or so afair) should not be used in relation with buffer (string or other) length. It defines the maximum size of a single object allocation that the compiler can manage. Not sure if it is actually what you want here.

SIZE_MAX is indeed the limit of size_t. See ISO/IEC 9899:TC3, section 7.18.3 on http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1124.pdf (page 259).

Forgetting the irrelevant case where size_t is 16 bit wide, there is indeed a potential problem if size_t is 32-bit wide. First, if you can pass a string with about 2GB, the multiplication by 2 would wrap around. But you could even pass a smaller string (possibly 10/15 times less, I don't know what's the maximum expansion factor of htmlentities) and then it could wrap in the reallocation.

I'll take this into account.

--
Gustavo Lopes
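The two wraparounds discussed in this thread (doubling the input length, then growing the buffer), as an added example that is not code from php-src. All function names are hypothetical, and a 32-bit size_t is modelled with uint32_t so the result is the same on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout. A 32-bit size_t is modelled with uint32_t
 * so the wraparound is reproducible on a 64-bit host as well. */
typedef uint32_t size32_t;
#define SIZE32_MAX UINT32_MAX

/* Initial estimate without a check: 2 * oldlen, with a floor of 128. */
static size32_t estimate_unchecked(size32_t oldlen)
{
    return oldlen < 64 ? 128u : (size32_t)(2u * oldlen);
}

/* Same estimate, refusing inputs whose doubling does not fit. */
static bool estimate_checked(size32_t oldlen, size32_t *maxlen)
{
    if (oldlen < 64) {
        *maxlen = 128;
        return true;
    }
    if (oldlen > SIZE32_MAX / 2)
        return false;
    *maxlen = 2u * oldlen; /* even, so the later "+ 1" for the NUL fits */
    return true;
}

/* "Is there room for 40 more bytes?" written as an addition:
 * len + 40 wraps when len is close to the top of the range. */
static bool needs_growth_add(size32_t len, size32_t maxlen)
{
    return (size32_t)(len + 40u) > maxlen;
}

/* The same question as a subtraction; valid as long as maxlen >= 40,
 * which the floor of 128 in the estimate guarantees. */
static bool needs_growth_sub(size32_t len, size32_t maxlen)
{
    return len > maxlen - 40u;
}

/* nmemb * size + offset with every step checked against the maximum. */
static bool mul_add_checked(size32_t nmemb, size32_t size, size32_t offset,
                            size32_t *out)
{
    if (size != 0 && nmemb > SIZE32_MAX / size)
        return false;
    size32_t prod = nmemb * size;
    if (prod > SIZE32_MAX - offset)
        return false;
    *out = prod + offset;
    return true;
}

/* Grow the capacity by `extra` bytes. The allocation size is
 * capacity + extra + 1; the capacity changes only if that fits. */
static bool grow_checked(size32_t *maxlen, size32_t extra, size32_t *alloc_size)
{
    if (extra == SIZE32_MAX)
        return false; /* extra + 1 would wrap */
    if (!mul_add_checked(*maxlen, 1, extra + 1u, alloc_size))
        return false;
    *maxlen += extra; /* cannot wrap: the larger sum was checked above */
    return true;
}

int main(void)
{
    size32_t m = 0, alloc = 0;

    /* A 2 GiB input doubles to exactly 2^32, which wraps to 0. */
    printf("unchecked estimate for 2 GiB: %lu\n",
           (unsigned long)estimate_unchecked(0x80000000u));
    printf("checked estimate accepted:    %d\n",
           estimate_checked(0x80000000u, &m));

    /* Near the top of the range the additive test misses a full buffer. */
    printf("add form asks for growth:     %d\n",
           needs_growth_add(0xFFFFFFE0u, 0xFFFFFFF0u));
    printf("sub form asks for growth:     %d\n",
           needs_growth_sub(0xFFFFFFE0u, 0xFFFFFFF0u));

    m = 0xFFFFFFF0u;
    printf("growth by 128 accepted:       %d\n", grow_checked(&m, 128, &alloc));
    return 0;
}
```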
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
2012/2/5 Gustavo Lopes :
>> All the length and position variables are of type size_t, so I'd say
>> we'd be out of memory long before that could be a problem (unless
>> there's some architecture of which I'm not aware where SIZE_T is low
>> enough for this to be a problem).
>
>
> read: SIZE_MAX, not SIZE_T

By the way, SIZE_MAX (can be up to 65k or so afair) should not be used in relation with buffer (string or other) length. It defines the maximum size of a single object allocation that the compiler can manage. Not sure if it is actually what you want here.

--
Pierre

@pierrejoye | http://blog.thepimp.net | http://www.libgd.org
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
On Sun, 05 Feb 2012 14:00:11 +0100, Gustavo Lopes wrote:
> On Sun, 5 Feb 2012 10:55:39 -, Nuno Lopes wrote:
>> I didn't carefully review this patch, but doesn't this code suffer from potential math overflow? i.e. with strlen($input_str) > INT_MAX/2 (or UINT_MAX/2)
>
> All the length and position variables are of type size_t, so I'd say we'd be out of memory long before that could be a problem (unless there's some architecture of which I'm not aware where SIZE_T is low enough for this to be a problem).

read: SIZE_MAX, not SIZE_T

--
Gustavo Lopes
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
On Sun, 5 Feb 2012 10:55:39 -, Nuno Lopes wrote:
> I didn't carefully review this patch, but doesn't this code suffer from potential math overflow? i.e. with strlen($input_str) > INT_MAX/2 (or UINT_MAX/2)

All the length and position variables are of type size_t, so I'd say we'd be out of memory long before that could be a problem (unless there's some architecture of which I'm not aware where SIZE_T is low enough for this to be a problem).

--
Gustavo Lopes
[PHP-CVS] svn: /php/php-src/trunk/sapi/cli/ php_cli_server.c
cataphract Sun, 05 Feb 2012 11:45:01 + Revision: http://svn.php.net/viewvc?view=revision&revision=323078 Log: - Connection: close, not "closed". Changed paths: U php/php-src/trunk/sapi/cli/php_cli_server.c Modified: php/php-src/trunk/sapi/cli/php_cli_server.c === --- php/php-src/trunk/sapi/cli/php_cli_server.c 2012-02-05 10:35:56 UTC (rev 323077) +++ php/php-src/trunk/sapi/cli/php_cli_server.c 2012-02-05 11:45:01 UTC (rev 323078) @@ -351,7 +351,7 @@ smart_str_appendl_ex(buffer, "\r\n", 2, persistent); } } - smart_str_appendl_ex(buffer, "Connection: closed\r\n", sizeof("Connection: closed\r\n") - 1, persistent); + smart_str_appendl_ex(buffer, "Connection: close\r\n", sizeof("Connection: close\r\n") - 1, persistent); } /* }}} */ static const char *get_mime_type(const char *ext, size_t ext_len) /* {{{ */ -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
I didn't carefully review this patch, but doesn't this code suffer from potential math overflow? i.e. with strlen($input_str) > INT_MAX/2 (or UINT_MAX/2) Nuno - Original Message - From: "Gustavo André dos Santos Lopes" To: Sent: Sunday, February 05, 2012 9:59 AM Subject: [PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt cataphract Sun, 05 Feb 2012 09:59:33 + Revision: http://svn.php.net/viewvc?view=revision&revision=323074 Log: - Merge r323056 (see bug #60965). Bug: https://bugs.php.net/60965 (Critical) Buffer overflow on htmlspecialchars/entities with $double=false Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/ext/standard/html.c A + php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt (from php/php-src/trunk/ext/standard/tests/strings/bug60965.phpt:r323056) Modified: php/php-src/branches/PHP_5_4/NEWS === --- php/php-src/branches/PHP_5_4/NEWS 2012-02-05 09:58:50 UTC (rev 323073) +++ php/php-src/branches/PHP_5_4/NEWS 2012-02-05 09:59:33 UTC (rev 323074) @@ -1,10 +1,13 @@ PHP NEWS ||| ?? Feb 2012, PHP 5.4.0 RC 8 +- Core: + . Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with +$double=false). (Gustavo) 02 Feb 2012, PHP 5.4.0 RC 7 - Core: - . Fix bug #60895 (Possible invalid handler usage in windows random + . Fixed bug #60895 (Possible invalid handler usage in windows random functions). (Pierre) . Fixed bug #51860 (Include fails with toplevel symlink to /). (Dmitry) . Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods. Modified: php/php-src/branches/PHP_5_4/ext/standard/html.c === --- php/php-src/branches/PHP_5_4/ext/standard/html.c 2012-02-05 09:58:50 UTC (rev 323073) +++ php/php-src/branches/PHP_5_4/ext/standard/html.c 2012-02-05 09:59:33 UTC (rev 323074) 
@@ -1215,7 +1215,6 @@ size_t cursor, maxlen, len; char *replaced; enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC); - int matches_map; int doctype = flags & ENT_HTML_DOC_TYPE_MASK; entity_table_opt entity_table; const enc_to_uni *to_uni_table = NULL; @@ -1253,12 +1252,14 @@ } } + /* initial estimate */ if (oldlen < 64) { maxlen = 128; } else { maxlen = 2 * oldlen; } - replaced = emalloc(maxlen); + + replaced = emalloc(maxlen + 1); len = 0; cursor = 0; while (cursor < oldlen) { @@ -1271,7 +1272,7 @@ /* guarantee we have at least 40 bytes to write. * In HTML5, entities may take up to 33 bytes */ if (len + 40 > maxlen) { - replaced = erealloc(replaced, maxlen += 128); + replaced = erealloc(replaced, (maxlen += 128) + 1); } if (status == FAILURE) { @@ -1291,7 +1292,6 @@ mbsequence = &old[cursor_before]; mbseqlen = cursor - cursor_before; } - matches_map = 0; if (this_char != '&') { /* no entity on this position */ const unsigned char *rep = NULL; @@ -1302,12 +1302,15 @@ goto pass_char_through; if (all) { /* false that CHARSET_PARTIAL_SUPPORT(charset) */ - /* look for entity for this char */ if (to_uni_table != NULL) { + /* !CHARSET_UNICODE_COMPAT therefore not UTF-8; since UTF-8 + * is the only multibyte encoding with !CHARSET_PARTIAL_SUPPORT, + * we're using a single byte encoding */ map_to_unicode(this_char, to_uni_table, &this_char); if (this_char == 0x) /* no mapping; pass through */ goto pass_char_through; } + /* the cursor may advance */ find_entity_for_char(this_char, charset, entity_table.ms_table, &rep, &rep_len, old, oldlen, &cursor); } else { 
@@ -1397,6 +1400,10 @@ } } /* checks passed; copy entity to result */ + /* entity size is unbounded, we may need more memory */ + if (maxlen < len + ent_len + 2 /* & and ; */) { + replaced = erealloc(replaced, (maxlen += ent_len + 128) + 1); + } replaced[len++] = '&'; memcpy(&replaced[len], &old[cursor], ent_len); len += ent_len; Copied: php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt (from rev 323056, php/php-src/trunk/ext/standard/tests/strings/bug60965.phpt) === --- php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt (rev 0) +++ php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt 2012-02-05 09:59:33 UTC (rev 323074) @@ -0,0 +1,10 @@ +--TEST-- +Bug #60965: Buffer overflow on htmlspecialchars/entities with $double=false +--FILE-- ++echo htmlspecialchars('"', +ENT_QUOTES, 'UTF-8', false), "\n"; +echo "Done.\n"; +--EXPECT-- +" +Done. -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
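Review bot: in the `@@ -1253,12 +1252,14 @@` hunk, `maxlen = 2 * oldlen` is still computed without a wrap check, and the new `emalloc(maxlen + 1)` puts one more unchecked addition on top of it. `maxlen` is a `size_t`, so a large enough `oldlen` makes the estimate wrap to a small value and the buffer is allocated short; `oldlen` should be rejected when it exceeds half the `size_t` range, before the doubling.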
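Review bot: in the `@@ -1397,6 +1400,10 @@` hunk, the new comment says the entity size is unbounded, yet both `len + ent_len + 2` in the condition and `(maxlen += ent_len + 128) + 1` in the `erealloc` call are plain `size_t` additions that can wrap. Comparing against the remaining space (`maxlen - len < ent_len + 2`) and growing through an overflow-checked reallocation would close that, and the same applies to `(maxlen += 128) + 1` in the `@@ -1271,7 +1272,7 @@` hunk. Updating `maxlen` inside the argument list also hides the size change; a separate statement reads better.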
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt trunk/ext/intl/tests/dateformat_localtime.phpt
rasmus Sun, 05 Feb 2012 10:35:56 + Revision: http://svn.php.net/viewvc?view=revision&revision=323077 Log: Same thing here. "June 18, 1969 8:49:59 AM " does not contain a timezone, so there is no way to know whether dst should be applied or not. Changed paths: U php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt U php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt U php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt Modified: php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt === --- php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt 2012-02-05 10:29:34 UTC (rev 323076) +++ php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_localtime.phpt 2012-02-05 10:35:56 UTC (rev 323077) @@ -92,7 +92,7 @@ // Run the test ut_run(); ?> ---EXPECT-- +--EXPECTF-- --- Input text is : Thursday, December 18, 1969 8:49:59 AM PST @@ -110,7 +110,7 @@ IntlDateFormatter : DateType::LONG, TimeType::LONG IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' , +tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' , IntlDateFormatter : DateType::FULL, TimeType::FULL --- @@ -130,4 +130,4 @@ IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -IntlDateFormatter : DateType::FULL, TimeType::FULL \ No newline at end of file +IntlDateFormatter : DateType::FULL, TimeType::FULL Modified: php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt === --- php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt 2012-02-05 10:29:34 UTC (rev 323076) +++ php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_localtime.phpt 2012-02-05 10:35:56 UTC (rev 323077) 
@@ -92,7 +92,7 @@ // Run the test ut_run(); ?> ---EXPECT-- +--EXPECTF-- --- Input text is : Thursday, December 18, 1969 8:49:59 AM PST @@ -110,7 +110,7 @@ IntlDateFormatter : DateType::LONG, TimeType::LONG IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' , +tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' , IntlDateFormatter : DateType::FULL, TimeType::FULL --- @@ -130,4 +130,4 @@ IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -IntlDateFormatter : DateType::FULL, TimeType::FULL \ No newline at end of file +IntlDateFormatter : DateType::FULL, TimeType::FULL Modified: php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt === --- php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt 2012-02-05 10:29:34 UTC (rev 323076) +++ php/php-src/trunk/ext/intl/tests/dateformat_localtime.phpt 2012-02-05 10:35:56 UTC (rev 323077) @@ -92,7 +92,7 @@ // Run the test ut_run(); ?> ---EXPECT-- +--EXPECTF-- --- Input text is : Thursday, December 18, 1969 8:49:59 AM PST @@ -110,7 +110,7 @@ IntlDateFormatter : DateType::LONG, TimeType::LONG IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' , +tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' , IntlDateFormatter : DateType::FULL, TimeType::FULL --- 
@@ -130,4 +130,4 @@ IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -IntlDateFormatter : DateType::FULL, TimeType::FULL \ No newline at end of file +IntlDateFormatter : DateType::FULL, TimeType::FULL -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt trunk/ext/intl/tests/date
rasmus Sun, 05 Feb 2012 10:29:34 + Revision: http://svn.php.net/viewvc?view=revision&revision=323076 Log: Without a timezone you can't know whether it is dst or not in this one Changed paths: U php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt U php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt U php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt Modified: php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt === --- php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt 2012-02-05 10:08:16 UTC (rev 323075) +++ php/php-src/branches/PHP_5_3/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt 2012-02-05 10:29:34 UTC (rev 323076) @@ -78,7 +78,7 @@ // Run the test ut_run(); ?> ---EXPECT-- +--EXPECTF-- --- Input text is : Thursday, December 18, 1969 8:49:59 AM PST @@ -96,7 +96,7 @@ IntlDateFormatter : DateType::LONG, TimeType::LONG Error : 'Date parsing failed: U_PARSE_ERROR' IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' , +tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' , IntlDateFormatter : DateType::FULL, TimeType::FULL Error : 'Date parsing failed: U_PARSE_ERROR' --- Modified: php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt === --- php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt 2012-02-05 10:08:16 UTC (rev 323075) +++ php/php-src/branches/PHP_5_4/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt 2012-02-05 10:29:34 UTC (rev 323076) @@ -78,7 +78,7 @@ // Run the test ut_run(); ?> ---EXPECT-- +--EXPECTF-- --- Input text is : Thursday, December 18, 1969 8:49:59 AM PST 
@@ -96,7 +96,7 @@ IntlDateFormatter : DateType::LONG, TimeType::LONG Error : 'Date parsing failed: U_PARSE_ERROR' IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' , +tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' , IntlDateFormatter : DateType::FULL, TimeType::FULL Error : 'Date parsing failed: U_PARSE_ERROR' --- Modified: php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt === --- php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt 2012-02-05 10:08:16 UTC (rev 323075) +++ php/php-src/trunk/ext/intl/tests/dateformat_parse_localtime_parsepos.phpt 2012-02-05 10:29:34 UTC (rev 323076) @@ -78,7 +78,7 @@ // Run the test ut_run(); ?> ---EXPECT-- +--EXPECTF-- --- Input text is : Thursday, December 18, 1969 8:49:59 AM PST @@ -96,7 +96,7 @@ IntlDateFormatter : DateType::LONG, TimeType::LONG Error : 'Date parsing failed: U_PARSE_ERROR' IntlDateFormatter : DateType::MEDIUM, TimeType::MEDIUM -tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '1' , +tm_sec : '59' , tm_min : '49' , tm_hour : '8' , tm_year : '69' , tm_mday : '18' , tm_wday : '3' , tm_yday : '169' , tm_mon : '5' , tm_isdst : '%d' , IntlDateFormatter : DateType::FULL, TimeType::FULL Error : 'Date parsing failed: U_PARSE_ERROR' --- -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt trunk/ext/openssl/tests/openssl_x509_pars
rasmus Sun, 05 Feb 2012 10:08:16 + Revision: http://svn.php.net/viewvc?view=revision&revision=323075 Log: Another openssl test that is dependent on the openssl version. The output has changed in more recent versions. Synch with newer output and consider changing the test to only pick out the more stable fields instead of all of them. Changed paths: U php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt U php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt U php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt Modified: php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt === --- php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt 2012-02-05 09:59:33 UTC (rev 323074) +++ php/php-src/branches/PHP_5_3/ext/openssl/tests/openssl_x509_parse_basic.phpt 2012-02-05 10:08:16 UTC (rev 323075) @@ -9,7 +9,7 @@ var_dump(openssl_x509_parse($cert)); var_dump(openssl_x509_parse($cert, false)); ?> ---EXPECT-- +--EXPECTF-- array(12) { ["name"]=> string(96) "/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnang...@php.net" @@ -27,7 +27,7 @@ string(16) "hnang...@php.net" } ["hash"]=> - string(8) "088c65c2" + string(8) "%s" ["issuer"]=> array(5) { ["C"]=> @@ -54,7 +54,7 @@ ["validTo_time_t"]=> int(1217413723) ["purposes"]=> - array(8) { + array(9) { [1]=> array(3) { [0]=> @@ -127,6 +127,15 @@ [2]=> string(10) "ocsphelper" } +[9]=> +array(3) { + [0]=> + bool(false) + [1]=> + bool(true) + [2]=> + string(13) "timestampsign" +} } ["extensions"]=> array(3) { @@ -158,7 +167,7 @@ string(16) "hnang...@php.net" } ["hash"]=> - string(8) "088c65c2" + string(8) "%s" ["issuer"]=> array(5) { ["countryName"]=> @@ -185,7 +194,7 @@ ["validTo_time_t"]=> int(1217413723) ["purposes"]=> - array(8) { + array(9) { [1]=> array(3) { [0]=> 
@@ -258,6 +267,15 @@ [2]=> string(11) "OCSP helper" } +[9]=> +array(3) { + [0]=> + bool(false) + [1]=> + bool(true) + [2]=> + string(18) "Time Stamp signing" +} } ["extensions"]=> array(3) { Modified: php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt === --- php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt 2012-02-05 09:59:33 UTC (rev 323074) +++ php/php-src/branches/PHP_5_4/ext/openssl/tests/openssl_x509_parse_basic.phpt 2012-02-05 10:08:16 UTC (rev 323075) @@ -9,7 +9,7 @@ var_dump(openssl_x509_parse($cert)); var_dump(openssl_x509_parse($cert, false)); ?> ---EXPECT-- +--EXPECTF-- array(12) { ["name"]=> string(96) "/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnang...@php.net" @@ -27,7 +27,7 @@ string(16) "hnang...@php.net" } ["hash"]=> - string(8) "088c65c2" + string(8) "%s" ["issuer"]=> array(5) { ["C"]=> @@ -54,7 +54,7 @@ ["validTo_time_t"]=> int(1217413723) ["purposes"]=> - array(8) { + array(9) { [1]=> array(3) { [0]=> @@ -127,6 +127,15 @@ [2]=> string(10) "ocsphelper" } +[9]=> +array(3) { + [0]=> + bool(false) + [1]=> + bool(true) + [2]=> + string(13) "timestampsign" +} } ["extensions"]=> array(3) { @@ -158,7 +167,7 @@ string(16) "hnang...@php.net" } ["hash"]=> - string(8) "088c65c2" + string(8) "%s" ["issuer"]=> array(5) { ["countryName"]=> @@ -185,7 +194,7 @@ ["validTo_time_t"]=> int(1217413723) ["purposes"]=> - array(8) { + array(9) { [1]=> array(3) { [0]=> @@ -258,6 +267,15 @@ [2]=> string(11) "OCSP helper" } +[9]=> +array(3) { + [0]=> + bool(false) + [1]=> + bool(true) + [2]=> + string(18) "Time Stamp signing" +} } ["extensions"]=> array(3) { Modified: php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt === --- php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt 2012-02-05 09:59:33 UTC (rev 323074) +++ php/php-src/trunk/ext/openssl/tests/openssl_x509_parse_basic.phpt 2012-02-05 10:08:16 UTC (rev 323075) 
@@ -9,7 +9,7 @@ var_dump(openssl_x509_parse($cert)); var_dump(openssl_x509_parse($cert, false)); ?> ---EXPECT-- +--EXPECTF-- array(12) { ["name"]=> string(96) "/C=BR/ST=Rio Grande do Sul/L=Porto Alegre/CN=Henrique do N. Angelo/emailAddress=hnang...@php.net" @@ -27,7 +27,7 @@ string(16) "hnang...@php.net" } ["hash"]=> - string(8) "088c6
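Review bot: in each `purposes` hunk, expecting `array(9)` plus the added `[9]` entry (`timestampsign` / `Time Stamp signing`) trades one OpenSSL-version dependency for another: a build whose OpenSSL still reports the previous 8 purposes now fails. The log message already suggests checking only the more stable fields; doing that here, the way `"hash"` was relaxed to `string(8) "%s"`, would avoid the next resync.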
[PHP-CVS] svn: /php/php-src/branches/PHP_5_4/ NEWS ext/standard/html.c ext/standard/tests/strings/bug60965.phpt
cataphract Sun, 05 Feb 2012 09:59:33 + Revision: http://svn.php.net/viewvc?view=revision&revision=323074 Log: - Merge r323056 (see bug #60965). Bug: https://bugs.php.net/60965 (Critical) Buffer overflow on htmlspecialchars/entities with $double=false Changed paths: U php/php-src/branches/PHP_5_4/NEWS U php/php-src/branches/PHP_5_4/ext/standard/html.c A + php/php-src/branches/PHP_5_4/ext/standard/tests/strings/bug60965.phpt (from php/php-src/trunk/ext/standard/tests/strings/bug60965.phpt:r323056) Modified: php/php-src/branches/PHP_5_4/NEWS === --- php/php-src/branches/PHP_5_4/NEWS 2012-02-05 09:58:50 UTC (rev 323073) +++ php/php-src/branches/PHP_5_4/NEWS 2012-02-05 09:59:33 UTC (rev 323074) @@ -1,10 +1,13 @@ PHPNEWS ||| ?? Feb 2012, PHP 5.4.0 RC 8 +- Core: + . Fixed bug #60965 (Buffer overflow on htmlspecialchars/entities with +$double=false). (Gustavo) 02 Feb 2012, PHP 5.4.0 RC 7 - Core: - . Fix bug #60895 (Possible invalid handler usage in windows random + . Fixed bug #60895 (Possible invalid handler usage in windows random functions). (Pierre) . Fixed bug #51860 (Include fails with toplevel symlink to /). (Dmitry) . Fixed (disabled) inline-caching for ZEND_OVERLOADED_FUNCTION methods. Modified: php/php-src/branches/PHP_5_4/ext/standard/html.c === --- php/php-src/branches/PHP_5_4/ext/standard/html.c2012-02-05 09:58:50 UTC (rev 323073) +++ php/php-src/branches/PHP_5_4/ext/standard/html.c2012-02-05 09:59:33 UTC (rev 323074) @@ -1215,7 +1215,6 @@ size_t cursor, maxlen, len; char *replaced; enum entity_charset charset = determine_charset(hint_charset TSRMLS_CC); - int matches_map; int doctype = flags & ENT_HTML_DOC_TYPE_MASK; entity_table_opt entity_table; const enc_to_uni *to_uni_table = NULL; @@ -1253,12 +1252,14 @@ } } + /* initial estimate */ if (oldlen < 64) { maxlen = 128; } else { maxlen = 2 * oldlen; } - replaced = emalloc(maxlen); + + replaced = emalloc(maxlen + 1); len = 0; cursor = 0; while (cursor < oldlen) { 
@@ -1271,7 +1272,7 @@ /* guarantee we have at least 40 bytes to write. * In HTML5, entities may take up to 33 bytes */ if (len + 40 > maxlen) { - replaced = erealloc(replaced, maxlen += 128); + replaced = erealloc(replaced, (maxlen += 128) + 1); } if (status == FAILURE) { @@ -1291,7 +1292,6 @@ mbsequence = &old[cursor_before]; mbseqlen = cursor - cursor_before; } - matches_map = 0; if (this_char != '&') { /* no entity on this position */ const unsigned char *rep= NULL; @@ -1302,12 +1302,15 @@ goto pass_char_through; if (all) { /* false that CHARSET_PARTIAL_SUPPORT(charset) */ - /* look for entity for this char */ if (to_uni_table != NULL) { + /* !CHARSET_UNICODE_COMPAT therefore not UTF-8; since UTF-8 +* is the only multibyte encoding with !CHARSET_PARTIAL_SUPPORT, +* we're using a single byte encoding */ map_to_unicode(this_char, to_uni_table, &this_char); if (this_char == 0x) /* no mapping; pass through */ goto pass_char_through; } + /* the cursor may advance */ find_entity_for_char(this_char, charset, entity_table.ms_table, &rep, &rep_len, old, oldlen, &cursor); } else { @@ -1397,6 +1400,10 @@ } } /* checks passed; copy entity to result */ + /* entity size is unbounded, we may need more memory */ + if (maxlen < len + ent_len + 2 /* & and ; */) { + replaced = erealloc(replaced, (maxlen += ent_len + 128) + 1); + } replaced[len++] = '&'; memcpy(&replaced[len], &old[cursor], ent
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt trunk/ext/pdo_firebird/tests/bug_53280.phpt
mariuz Sun, 05 Feb 2012 09:58:50 + Revision: http://svn.php.net/viewvc?view=revision&revision=323073 Log: fix gcov Warning: ibase_drop_db(): lock time-out on wait transaction object http://gcov.php.net/viewer.php?version=PHP_5_4&func=tests&file=ext%2Fpdo_firebird%2Ftests%2Fbug_53280.phpt Changed paths: U php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt U php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt U php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt Modified: php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt === --- php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 09:52:41 UTC (rev 323072) +++ php/php-src/branches/PHP_5_3/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 09:58:50 UTC (rev 323073) @@ -27,10 +27,9 @@ $rows = $stmth1->fetchAll(); // <--- segfault var_dump($rows); -$stmt = $dbh->prepare('DELETE FROM testz'); -$stmt->execute(); - $dbh->commit(); +unset($stmth1); +unset($stmth2); $dbh->exec('DROP TABLE testz'); Modified: php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt === --- php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 09:52:41 UTC (rev 323072) +++ php/php-src/branches/PHP_5_4/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 09:58:50 UTC (rev 323073) @@ -27,10 +27,9 @@ $rows = $stmth1->fetchAll(); // <--- segfault var_dump($rows); -$stmt = $dbh->prepare('DELETE FROM testz'); -$stmt->execute(); - $dbh->commit(); +unset($stmth1); +unset($stmth2); $dbh->exec('DROP TABLE testz'); Modified: php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt === --- php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 09:52:41 UTC (rev 323072) +++ php/php-src/trunk/ext/pdo_firebird/tests/bug_53280.phpt 2012-02-05 09:58:50 UTC (rev 323073) 
@@ -27,10 +27,9 @@ $rows = $stmth1->fetchAll(); // <--- segfault var_dump($rows); -$stmt = $dbh->prepare('DELETE FROM testz'); -$stmt->execute(); - $dbh->commit(); +unset($stmth1); +unset($stmth2); $dbh->exec('DROP TABLE testz'); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
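Review bot: the two added unset() calls after $dbh->commit() carry the whole fix, but nothing in the test says why they must come before $dbh->exec('DROP TABLE testz'). A one-line comment above them would keep a later tidy-up from removing them; presumably the open statement handles are what cause the lock time-out named in the log. Removing the DELETE FROM testz statement looks fine, since the table is dropped right afterwards. The hunk is identical for PHP_5_3, PHP_5_4 and trunk, so the comment belongs in all three.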
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/bug47828.phpt branches/PHP_5_4/ext/openssl/tests/bug47828.phpt trunk/ext/openssl/tests/bug47828.phpt
rasmus Sun, 05 Feb 2012 09:52:41 + Revision: http://svn.php.net/viewvc?view=revision&revision=323072 Log: Need EXPECTF here, of course Changed paths: U php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt U php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt U php/php-src/trunk/ext/openssl/tests/bug47828.phpt Modified: php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt === --- php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt 2012-02-05 09:50:14 UTC (rev 323071) +++ php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt 2012-02-05 09:52:41 UTC (rev 323072) @@ -35,6 +35,6 @@ var_dump($arr['hash']); echo "Done"; ?> ---EXPECT-- +--EXPECTF-- string(8) "%s" Done Modified: php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt === --- php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt 2012-02-05 09:50:14 UTC (rev 323071) +++ php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt 2012-02-05 09:52:41 UTC (rev 323072) @@ -35,6 +35,6 @@ var_dump($arr['hash']); echo "Done"; ?> ---EXPECT-- +--EXPECTF-- string(8) "%s" Done Modified: php/php-src/trunk/ext/openssl/tests/bug47828.phpt === --- php/php-src/trunk/ext/openssl/tests/bug47828.phpt 2012-02-05 09:50:14 UTC (rev 323071) +++ php/php-src/trunk/ext/openssl/tests/bug47828.phpt 2012-02-05 09:52:41 UTC (rev 323072) @@ -35,6 +35,6 @@ var_dump($arr['hash']); echo "Done"; ?> ---EXPECT-- +--EXPECTF-- string(8) "%s" Done -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
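Review bot: with the header switched to --EXPECTF--, the expectation string(8) "%s" accepts any non-empty text between the quotes. The dumped value is $arr['hash'], so string(8) "%x" would stay independent of the concrete hash while still checking that the output is hexadecimal. This applies equally to the PHP_5_3, PHP_5_4 and trunk copies.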
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/bug47828.phpt branches/PHP_5_4/ext/openssl/tests/bug47828.phpt trunk/ext/openssl/tests/bug47828.phpt
rasmus Sun, 05 Feb 2012 09:50:14 + Revision: http://svn.php.net/viewvc?view=revision&revision=323071 Log: Getting different hashes here. But this test isn't testing the hashes, it is just making sure we actually get a hash and don't crash. Changed paths: U php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt U php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt U php/php-src/trunk/ext/openssl/tests/bug47828.phpt Modified: php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt === --- php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt 2012-02-05 09:32:20 UTC (rev 323070) +++ php/php-src/branches/PHP_5_3/ext/openssl/tests/bug47828.phpt 2012-02-05 09:50:14 UTC (rev 323071) @@ -36,5 +36,5 @@ echo "Done"; ?> --EXPECT-- -string(8) "9337ed77" +string(8) "%s" Done Modified: php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt === --- php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt 2012-02-05 09:32:20 UTC (rev 323070) +++ php/php-src/branches/PHP_5_4/ext/openssl/tests/bug47828.phpt 2012-02-05 09:50:14 UTC (rev 323071) @@ -36,5 +36,5 @@ echo "Done"; ?> --EXPECT-- -string(8) "9337ed77" +string(8) "%s" Done Modified: php/php-src/trunk/ext/openssl/tests/bug47828.phpt === --- php/php-src/trunk/ext/openssl/tests/bug47828.phpt 2012-02-05 09:32:20 UTC (rev 323070) +++ php/php-src/trunk/ext/openssl/tests/bug47828.phpt 2012-02-05 09:50:14 UTC (rev 323071) @@ -36,5 +36,5 @@ echo "Done"; ?> --EXPECT-- -string(8) "9337ed77" +string(8) "%s" Done -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
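Review bot: the context line above the change is still --EXPECT--, which is compared literally, so the new string(8) "%s" only matches output that contains the two characters %s, and the test will fail for every real hash. The section header has to become --EXPECTF-- in the same change for the placeholder to be interpreted. This applies to all three branches.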
[PHP-CVS] svn: /php/php-src/ branches/PHP_5_3/ext/openssl/tests/bug28382.phpt branches/PHP_5_4/ext/openssl/tests/bug28382.phpt trunk/ext/openssl/tests/bug28382.phpt
rasmus Sun, 05 Feb 2012 09:32:20 + Revision: http://svn.php.net/viewvc?view=revision&revision=323070 Log: According to the reports on qa this test is failing the same way for everyone. See: http://qa.php.net/reports/viewreports.php?version=5.3.10&test=%2Fext%2Fopenssl%2Ftests%2Fbug28382.phpt I'm not sure if this is due to a change in the openssl library or in the extension, so perhaps the test itself needs to change, but for now synch it with the new output and watch for failures. Bug: https://bugs.php.net/28382 (Closed) the openssl_x509_parse function does not extract the certificate extensions Changed paths: U php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt U php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt U php/php-src/trunk/ext/openssl/tests/bug28382.phpt Modified: php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt === --- php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt 2012-02-05 07:47:43 UTC (rev 323069) +++ php/php-src/branches/PHP_5_3/ext/openssl/tests/bug28382.phpt 2012-02-05 09:32:20 UTC (rev 323070) @@ -20,7 +20,9 @@ ["nsCertType"]=> string(30) "SSL Client, SSL Server, S/MIME" ["crlDistributionPoints"]=> - string(51) "URI:http://mobile.blue-software.ro:90/ca/crl.shtml + string(65) " +Full Name: + URI:http://mobile.blue-software.ro:90/ca/crl.shtml " ["nsCaPolicyUrl"]=> string(38) "http://mobile.blue-software.ro:90/pub/"; Modified: php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt === --- php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt 2012-02-05 07:47:43 UTC (rev 323069) +++ php/php-src/branches/PHP_5_4/ext/openssl/tests/bug28382.phpt 2012-02-05 09:32:20 UTC (rev 323070) 
@@ -20,7 +20,9 @@ ["nsCertType"]=> string(30) "SSL Client, SSL Server, S/MIME" ["crlDistributionPoints"]=> - string(51) "URI:http://mobile.blue-software.ro:90/ca/crl.shtml + string(65) " +Full Name: + URI:http://mobile.blue-software.ro:90/ca/crl.shtml " ["nsCaPolicyUrl"]=> string(38) "http://mobile.blue-software.ro:90/pub/"; Modified: php/php-src/trunk/ext/openssl/tests/bug28382.phpt === --- php/php-src/trunk/ext/openssl/tests/bug28382.phpt 2012-02-05 07:47:43 UTC (rev 323069) +++ php/php-src/trunk/ext/openssl/tests/bug28382.phpt 2012-02-05 09:32:20 UTC (rev 323070) @@ -20,7 +20,9 @@ ["nsCertType"]=> string(30) "SSL Client, SSL Server, S/MIME" ["crlDistributionPoints"]=> - string(51) "URI:http://mobile.blue-software.ro:90/ca/crl.shtml + string(65) " +Full Name: + URI:http://mobile.blue-software.ro:90/ca/crl.shtml " ["nsCaPolicyUrl"]=> string(38) "http://mobile.blue-software.ro:90/pub/"; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
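Review bot: the crlDistributionPoints expectation now hard-codes the new string(65) form with the "Full Name:" line, so any build that still prints the old string(51) form will fail. The log itself says it is not clear whether the library or the extension changed. If both outputs are legitimate, an --EXPECTF-- section with string(%d) and a wildcard before URI:http://mobile.blue-software.ro:90/ca/crl.shtml would accept either. If only the new form is correct, a short note in the test naming the cause would help whoever investigates the next failure. The hunk is the same in PHP_5_3, PHP_5_4 and trunk.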