File php-CVE-2019-9023.patch of Package php72.24159

Overview Repositories Revisions Requests Users Attributes Meta

File php-CVE-2019-9023.patch of Package php72.24159

Index: php-7.2.5/ext/mbstring/oniguruma/src/regparse.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/regparse.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/regparse.c	2019-03-11 17:56:58.618984274 +0100
@@ -304,14 +304,17 @@ strdup_with_null(OnigEncoding enc, UChar
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
   pfetch_prev = p; \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 
 #define PINC_S     do { \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PFETCH_S(c) do { \
   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
   p += ONIGENC_MBC_ENC_LEN(enc, p); \
+  if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 
 #define PPEEK        (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
@@ -3593,7 +3596,9 @@ fetch_token(OnigToken* tok, UChar** src,
           tok->u.code = c2;
         }
         else { /* string */
-          p = tok->backp + enclen(enc, tok->backp);
+          int len;
+          SAFE_ENC_LEN(enc, tok->backp, end, len);
+          p = tok->backp + len;
         }
       }
       break;
Index: php-7.2.5/ext/mbstring/oniguruma/src/regcomp.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/regcomp.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/regcomp.c	2019-03-11 17:56:58.618984274 +0100
@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, r
   ambig = NSTRING_IS_AMBIG(node);
 
   p = prev = sn->s;
-  prev_len = enclen(enc, p);
+  SAFE_ENC_LEN(enc, p, sn->end, prev_len);
   p += prev_len;
   slen = 1;
   rlen = 0;
 
   for (; p < sn->end; ) {
-    len = enclen(enc, p);
+    SAFE_ENC_LEN(enc, p, sn->end, len);
     if (len == prev_len) {
       slen++;
     }
@@ -518,12 +518,12 @@ compile_string_node(Node* node, regex_t*
   ambig = NSTRING_IS_AMBIG(node);
 
   p = prev = sn->s;
-  prev_len = enclen(enc, p);
+  SAFE_ENC_LEN(enc, p, end, prev_len);
   p += prev_len;
   slen = 1;
 
   for (; p < end; ) {
-    len = enclen(enc, p);
+    SAFE_ENC_LEN(enc, p, end, len);
     if (len == prev_len) {
       slen++;
     }
@@ -3435,7 +3435,7 @@ expand_case_fold_string(Node* node, rege
       goto err;
     }
 
-    len = enclen(reg->enc, p);
+    SAFE_ENC_LEN(reg->enc, p, end, len);
 
     if (n == 0) {
       if (IS_NULL(snode)) {
Index: php-7.2.5/ext/mbstring/oniguruma/src/unicode.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/unicode.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/unicode.c	2019-03-11 17:56:58.618984274 +0100
@@ -255,6 +255,7 @@ onigenc_unicode_mbc_case_fold(OnigEncodi
 
   code = ONIGENC_MBC_TO_CODE(enc, p, end);
   len = enclen(enc, p);
+  if (*pp + len > end) len = end - *pp;
   *pp += len;
 
 #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
Index: php-7.2.5/ext/mbstring/oniguruma/src/regparse.h
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/regparse.h	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/regparse.h	2019-03-11 17:56:58.618984274 +0100
@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex
 #endif
 #endif
 
+#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+#else
+# define UNEXPECTED(condition) (condition)
+#endif
+
+#define SAFE_ENC_LEN(enc, p, end, res) do {  \
+    int __res = enclen(enc, p);              \
+    if (UNEXPECTED(p + __res > end)) __res = end - p;    \
+       res = __res;                             \
+} while(0);
+
 #endif /* REGPARSE_H */
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf16_be.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf16_be.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf16_be.c	2019-03-11 17:56:58.622984293 +0100
@@ -82,16 +82,18 @@ utf16be_is_mbc_newline(const UChar* p, c
 }
 
 static OnigCodePoint
-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16be_mbc_to_code(const UChar* p, const UChar* end)
 {
   OnigCodePoint code;
 
   if (UTF16_IS_SURROGATE_FIRST(*p)) {
+    if (end - p < 4) return 0;
     code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
          + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
          + p[3];
   }
   else {
+    if (end - p < 2) return 0;
     code = p[0] * 256 + p[1];
   }
   return code;
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf16_le.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf16_le.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf16_le.c	2019-03-11 17:56:58.622984293 +0100
@@ -97,13 +97,14 @@ utf16le_is_mbc_newline(const UChar* p, c
 }
 
 static OnigCodePoint
-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16le_mbc_to_code(const UChar* p, const UChar* end)
 {
   OnigCodePoint code;
   UChar c0 = *p;
   UChar c1 = *(p+1);
 
   if (UTF16_IS_SURROGATE_FIRST(c1)) {
+    if (end - p < 4) return 0;
     code = ((((c1 - 0xd8) << 2) + ((c0  & 0xc0) >> 6) + 1) << 16)
          + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
          + p[2];
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf32_be.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf32_be.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf32_be.c	2019-03-11 17:56:58.622984293 +0100
@@ -67,6 +67,7 @@ utf32be_is_mbc_newline(const UChar* p, c
 static OnigCodePoint
 utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+  if (end - p < 4) return 0;
   return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
 }
 
Index: php-7.2.5/ext/mbstring/oniguruma/src/utf32_le.c
===================================================================
--- php-7.2.5.orig/ext/mbstring/oniguruma/src/utf32_le.c	2018-04-24 17:09:55.000000000 +0200
+++ php-7.2.5/ext/mbstring/oniguruma/src/utf32_le.c	2019-03-11 17:56:58.622984293 +0100
@@ -67,6 +67,7 @@ utf32le_is_mbc_newline(const UChar* p, c
 static OnigCodePoint
 utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+  if (end - p < 4) return 0;
   return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
 }

Places

File php-CVE-2019-9023.patch of Package php72.24159

Places