File php-CVE-2019-9023.patch of Package php7
Index: php-7.0.7/ext/mbstring/oniguruma/regparse.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/regparse.c 2019-03-11 20:27:47.843253838 +0100
+++ php-7.0.7/ext/mbstring/oniguruma/regparse.c 2019-03-11 20:27:48.131255256 +0100
@@ -260,14 +260,17 @@ strdup_with_null(OnigEncoding enc, UChar
 c = ONIGENC_MBC_TO_CODE(enc, p, end); \
 pfetch_prev = p; \
 p += ONIGENC_MBC_ENC_LEN(enc, p); \
+ if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PINC_S do { \
 p += ONIGENC_MBC_ENC_LEN(enc, p); \
+ if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PFETCH_S(c) do { \
 c = ONIGENC_MBC_TO_CODE(enc, p, end); \
 p += ONIGENC_MBC_ENC_LEN(enc, p); \
+ if(UNEXPECTED(p > end)) p = end; \
 } while (0)
 #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
@@ -3580,7 +3583,9 @@ fetch_token(OnigToken* tok, UChar** src,
 tok->u.code = (OnigCodePoint )num;
 }
 else { /* string */
- p = tok->backp + enclen(enc, tok->backp);
+ int len;
+ SAFE_ENC_LEN(enc, tok->backp, end, len);
+ p = tok->backp + len;
 }
 break;
 }
Index: php-7.0.7/ext/mbstring/oniguruma/regcomp.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/regcomp.c 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/regcomp.c 2019-03-11 20:27:48.131255256 +0100
@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, r
 ambig = NSTRING_IS_AMBIG(node);
 p = prev = sn->s;
- prev_len = enclen(enc, p);
+ SAFE_ENC_LEN(enc, p, sn->end, prev_len);
 p += prev_len;
 slen = 1;
 rlen = 0;
 for (; p < sn->end; ) {
- len = enclen(enc, p);
+ SAFE_ENC_LEN(enc, p, sn->end, len);
 if (len == prev_len) {
 slen++;
 }
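Review bot: In the first regparse.c hunk, `PFETCH`, `PINC_S` and `PFETCH_S` still advance `p` by the full encoded length and only then clamp it with `if(UNEXPECTED(p > end)) p = end;`, so for a truncated trailing character the pointer is first moved beyond `end`; forming a pointer more than one element past the buffer is undefined behaviour in C, and a compiler may assume the later comparison is never true. Comparing the length with the remaining bytes before adding avoids that, e.g. `int n_ = ONIGENC_MBC_ENC_LEN(enc, p); p += (n_ > end - p) ? (int)(end - p) : n_;`. The same add-then-compare shape appears in `SAFE_ENC_LEN` (`p + __res > end`, regparse.h) and in `onigenc_unicode_mbc_case_fold` (`*pp + len > end`, enc/unicode.c), where `__res > end - p` and `len > end - *pp` would be the equivalent forms. The `#define PFETCH(c)` line itself is above the hunk.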
@@ -518,12 +518,12 @@ compile_string_node(Node* node, regex_t*
 ambig = NSTRING_IS_AMBIG(node);
 p = prev = sn->s;
- prev_len = enclen(enc, p);
+ SAFE_ENC_LEN(enc, p, end, prev_len);
 p += prev_len;
 slen = 1;
 for (; p < end; ) {
- len = enclen(enc, p);
+ SAFE_ENC_LEN(enc, p, end, len);
 if (len == prev_len) {
 slen++;
 }
@@ -3390,7 +3390,7 @@ expand_case_fold_string(Node* node, rege
 goto err;
 }
- len = enclen(reg->enc, p);
+ SAFE_ENC_LEN(reg->enc, p, end, len);
 if (n == 0) {
 if (IS_NULL(snode)) {
Index: php-7.0.7/ext/mbstring/oniguruma/enc/unicode.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/enc/unicode.c 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/enc/unicode.c 2019-03-11 20:27:48.131255256 +0100
@@ -10989,6 +10989,7 @@ onigenc_unicode_mbc_case_fold(OnigEncodi
 code = ONIGENC_MBC_TO_CODE(enc, p, end);
 len = enclen(enc, p);
+ if (*pp + len > end) len = end - *pp;
 *pp += len;
 #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
Index: php-7.0.7/ext/mbstring/oniguruma/regparse.h
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/regparse.h 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/regparse.h 2019-03-11 20:27:48.131255256 +0100
@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex
 #endif
 #endif
+#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+#else
+# define UNEXPECTED(condition) (condition)
+#endif
+
+#define SAFE_ENC_LEN(enc, p, end, res) do { \
+ int __res = enclen(enc, p); \
+ if (UNEXPECTED(p + __res > end)) __res = end - p; \
+ res = __res; \
+} while(0);
+
 #endif /* REGPARSE_H */
Index: php-7.0.7/ext/mbstring/oniguruma/enc/utf16_be.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/enc/utf16_be.c 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/enc/utf16_be.c 2019-03-11 20:27:48.131255256 +0100
@@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, c
 }
 static OnigCodePoint
-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16be_mbc_to_code(const UChar* p, const UChar* end)
 {
 OnigCodePoint code;
 if (UTF16_IS_SURROGATE_FIRST(*p)) {
+ if (end - p < 4) return 0;
 code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16) + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8) + p[3];
 }
 else {
+ if (end - p < 2) return 0;
 code = p[0] * 256 + p[1];
 }
 return code;
Index: php-7.0.7/ext/mbstring/oniguruma/enc/utf16_le.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/enc/utf16_le.c 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/enc/utf16_le.c 2019-03-11 20:27:48.131255256 +0100
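Review bot: `SAFE_ENC_LEN` in the regparse.h hunk ends in `} while(0);`, and that trailing semicolon defeats the do/while(0) idiom: a call written as `if (x) SAFE_ENC_LEN(...); else ...` would not compile, and every current call site gets an extra empty statement. I would end the macro with `} while(0)`, rename `__res` (identifiers containing a double underscore are reserved for the implementation) to something like `safe_len_`, and parenthesise the arguments, `int safe_len_ = enclen((enc), (p));`. `UNEXPECTED` is also defined unconditionally here; PHP's own headers define a macro of that name, so wrapping the definition in `#ifndef UNEXPECTED` would avoid a redefinition if a file ever includes both (whether one does is not visible from this patch).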
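Review bot: In `utf16be_mbc_to_code` (enc/utf16_be.c) the new length checks sit inside the branches, after `UTF16_IS_SURROGATE_FIRST(*p)` has already dereferenced `p`, so a call with `p == end` would still read one byte outside the input. Putting the short check first, `if (end - p < 2) return 0;` ahead of the `if`, and keeping `if (end - p < 4) return 0;` in the surrogate branch covers that case. Returning 0 is also indistinguishable from a decoded U+0000, so a short comment on the function stating that truncated input decodes as code point 0 would help callers. The function's closing brace is below the hunk.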
@@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, c
 }
 static OnigCodePoint
-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+utf16le_mbc_to_code(const UChar* p, const UChar* end)
 {
 OnigCodePoint code;
 UChar c0 = *p;
 UChar c1 = *(p+1);
 if (UTF16_IS_SURROGATE_FIRST(c1)) {
+ if (end - p < 4) return 0;
 code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16) + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8) + p[2];
Index: php-7.0.7/ext/mbstring/oniguruma/enc/utf32_be.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/enc/utf32_be.c 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/enc/utf32_be.c 2019-03-11 20:27:48.131255256 +0100
@@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, c
 static OnigCodePoint
 utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+ if (end - p < 4) return 0;
 return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
 }
Index: php-7.0.7/ext/mbstring/oniguruma/enc/utf32_le.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/enc/utf32_le.c 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/enc/utf32_le.c 2019-03-11 20:27:48.131255256 +0100
@@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, c
 static OnigCodePoint
 utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
 {
+ if (end - p < 4) return 0;
 return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
 }
Index: php-7.0.7/ext/mbstring/oniguruma/enc/utf8.c
===================================================================
--- php-7.0.7.orig/ext/mbstring/oniguruma/enc/utf8.c 2016-05-25 15:13:22.000000000 +0200
+++ php-7.0.7/ext/mbstring/oniguruma/enc/utf8.c 2019-03-11 21:02:36.161450733 +0100
@@ -28,6 +28,7 @@
 */
 #include "regenc.h"
+#include "regparse.h"
 #define USE_INVALID_CODE_SCHEME
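Review bot: In `utf16le_mbc_to_code` (enc/utf16_le.c) the initialisers `UChar c0 = *p;` and `UChar c1 = *(p+1);` run before the added `if (end - p < 4) return 0;`, so an input with a single trailing byte is still read past `end`. The hunk adds only that one line, so unlike the utf16_be.c change there appears to be no `end - p < 2` check for the non-surrogate path (the `else` branch is below the hunk). Declaring `UChar c0, c1;` and loading them only after `if (end - p < 2) return 0;` would bound both reads.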
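Review bot: `utf32be_mbc_to_code` (enc/utf32_be.c) keeps `const UChar* end ARG_UNUSED` in its signature although the added `if (end - p < 4) return 0;` now reads `end`. The utf16 hunks in this patch drop the annotation, and the same should be done here and in `utf32le_mbc_to_code` (enc/utf32_le.c) so the declaration matches the use: `utf32be_mbc_to_code(const UChar* p, const UChar* end)`. A one-line comment that truncated input yields code point 0 would document the new contract in both files.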
@@ -91,12 +92,13 @@ is_mbc_newline(const UChar* p, const UCh
 }
 static OnigCodePoint
-mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+mbc_to_code(const UChar* p, const UChar* end)
 {
 int c, len;
 OnigCodePoint n;
- len = enclen(ONIG_ENCODING_UTF8, p);
+ len = mbc_enc_len(p);
+ if (len > end - p) len = end - p;
 c = *p++;
 if (len > 1) {
 len--;
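Review bot: In `mbc_to_code` (enc/utf8.c) the clamp `if (len > end - p) len = end - p;` limits the continuation bytes but not the lead byte: `c = *p++;` follows unconditionally, so if a caller ever passes `p == end` the byte at `end` is still read, and `mbc_enc_len(p)` presumably inspects `*p` as well. An explicit `if (p >= end) return 0;` before `len = mbc_enc_len(p);` would cover that case. Separately, the earlier hunk adds `#include "regparse.h"` to this file, yet nothing in the visible utf8.c hunks uses `SAFE_ENC_LEN` or `UNEXPECTED`, so the include looks unnecessary unless code outside the hunks needs it. The rest of the function body is below the hunk.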