Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
php5.14088
php-CVE-2015-4148.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File php-CVE-2015-4148.patch of Package php5.14088
From: Dmitry Stogov <dmitry@zend.com> Date: Tue, 3 Mar 2015 06:44:46 +0000 (+0300) Subject: Added type checks X-Git-Tag: php-5.4.39~9 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 Added type checks --- Index: ext/soap/php_encoding.c =================================================================== --- ext/soap/php_encoding.c.orig 2014-06-25 15:06:23.000000000 +0200 +++ ext/soap/php_encoding.c 2015-06-04 09:02:32.117507226 +0200 @@ -3640,18 +3640,21 @@ Z_OBJCE_PP(tmp) == soap_var_class_entry) { zval **ztype; - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || + Z_TYPE_PP(ztype) != IS_LONG) { soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); } cur_type = Z_LVAL_PP(ztype); - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS && + Z_TYPE_PP(ztype) == IS_STRING) { cur_stype = Z_STRVAL_PP(ztype); } else { cur_stype = NULL; } - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS && + Z_TYPE_PP(ztype) == IS_STRING) { cur_ns = Z_STRVAL_PP(ztype); } else { cur_ns = NULL; Index: ext/soap/php_http.c =================================================================== --- ext/soap/php_http.c.orig 2014-06-25 15:06:23.000000000 +0200 +++ ext/soap/php_http.c 2015-06-04 09:02:32.117507226 +0200 @@ -36,14 +36,16 @@ { zval **login, **password; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS && + Z_TYPE_PP(login) == IS_STRING) { unsigned char* buf; int len; smart_str auth = {0}; smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); smart_str_appendc(&auth, ':'); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS && + Z_TYPE_PP(password) == IS_STRING) { smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); } smart_str_0(&auth); @@ -64,14 +66,16 @@ zval **login, **password; if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_login", sizeof("_login"), (void **)&login) == SUCCESS && - !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { + Z_TYPE_PP(login) == IS_STRING && + !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { unsigned char* buf; int len; smart_str auth = {0}; smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); smart_str_appendc(&auth, ':'); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS && + Z_TYPE_PP(password) == IS_STRING) { smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); } smart_str_0(&auth); @@ -571,6 +575,7 @@ } if (!http_1_1 || (zend_hash_find(Z_OBJPROP_P(this_ptr), "_keep_alive", sizeof("_keep_alive"), (void **)&tmp) == SUCCESS && + (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && Z_LVAL_PP(tmp) == 0)) { smart_str_append_const(&soap_headers, "\r\n" "Connection: close\r\n"); @@ -804,7 +809,8 @@ } /* Send cookies along with request */ - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && + Z_TYPE_PP(cookies) == IS_ARRAY) { zval **data; char *key; int i, n; @@ -847,7 +853,7 @@ smart_str_append_const(&soap_headers, "\r\n"); smart_str_0(&soap_headers); if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_request_headers", soap_headers.c, soap_headers.len, 1); } smart_str_appendl(&soap_headers, request, request_size); @@ -892,7 +898,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_response_headers", http_headers, http_header_size, 1); } @@ -941,7 +947,8 @@ char *eqpos, *sempos; zval **cookies; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || + Z_TYPE_PP(cookies) != IS_ARRAY) { zval *tmp_cookies; MAKE_STD_ZVAL(tmp_cookies); array_init(tmp_cookies); Index: ext/soap/soap.c =================================================================== --- ext/soap/soap.c.orig 2015-06-04 09:02:32.050506318 +0200 +++ ext/soap/soap.c 2015-06-04 09:02:32.118507239 +0200 @@ -2573,7 +2573,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { + (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); } @@ -2608,7 +2608,7 @@ } ret = FALSE; } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { + (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); } zval_ptr_dtor(¶ms[4]); @@ -2652,13 +2652,13 @@ SOAP_CLIENT_BEGIN_CODE(); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS - && Z_LVAL_PP(trace) > 0) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && + (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS - && Z_LVAL_PP(tmp) == SOAP_1_2) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_LONG && Z_LVAL_PP(tmp) == SOAP_1_2) { soap_version = SOAP_1_2; } else { soap_version = SOAP_1_1; @@ -2755,7 +2755,7 @@ zval **uri; smart_str action = {0}; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE || Z_TYPE_PP(uri) != IS_STRING) { add_soap_fault(this_ptr, "Client", "Error finding \"uri\" property", NULL, NULL TSRMLS_CC); } else if (location == NULL) { add_soap_fault(this_ptr, "Client", "Error could not find \"location\" property", NULL, NULL TSRMLS_CC); @@ -3034,7 +3034,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3052,7 +3053,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3070,7 +3072,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3088,7 +3091,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3144,13 +3148,15 @@ } if (val == NULL) { - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && + Z_TYPE_PP(cookies) == IS_ARRAY) { zend_hash_del(Z_ARRVAL_PP(cookies), name, name_len+1); } } else { zval *zcookie; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || + Z_TYPE_PP(cookies) != IS_ARRAY) { zval *tmp_cookies; MAKE_STD_ZVAL(tmp_cookies); @@ -3178,7 +3184,8 @@ array_init(return_value); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) != FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) != FAILURE && + Z_TYPE_PP(cookies) == IS_ARRAY) { zend_hash_copy(Z_ARRVAL_P(return_value), Z_ARRVAL_P(*cookies), (copy_ctor_func_t) zval_add_ref, (void *)&tmp, sizeof(zval*)); } } @@ -4265,7 +4272,8 @@ } } } else { - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS && + Z_TYPE_PP(zstyle) == IS_LONG) { style = Z_LVAL_PP(zstyle); } else { style = SOAP_RPC; @@ -4288,7 +4296,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "use", sizeof("use"), (void **)&zuse) == SUCCESS && - Z_LVAL_PP(zuse) == SOAP_LITERAL) { + Z_TYPE_PP(zuse) == IS_LONG && Z_LVAL_PP(zuse) == SOAP_LITERAL) { use = SOAP_LITERAL; } else { use = SOAP_ENCODED; @@ -4418,6 +4426,7 @@ zval **param_data; if (zend_hash_find(Z_OBJPROP_P(param_val), "param_name", sizeof("param_name"), (void **)¶m_name) == SUCCESS && + Z_TYPE_PP(param_name) == IS_STRING && zend_hash_find(Z_OBJPROP_P(param_val), "param_data", sizeof("param_data"), (void **)¶m_data) == SUCCESS) { param_val = *param_data; name = Z_STRVAL_PP(param_name);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor