[PHP-CVS] com php-src: revamp range checks in ext/xml: ext/xml/xml.c
Commit:f195339006afa08889a0eab4c5b263c8cd8a054a Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 09:34:45 +0100 Parents: f7f8c590a5e67e79d4b0ad8e687353a32054afaf Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=f195339006afa08889a0eab4c5b263c8cd8a054a Log: revamp range checks in ext/xml Changed paths: M ext/xml/xml.c Diff: diff --git a/ext/xml/xml.c b/ext/xml/xml.c index f3571a9..24d5dcb 100644 --- a/ext/xml/xml.c +++ b/ext/xml/xml.c @@ -391,7 +391,7 @@ static zval *_xml_resource_zval(php_int_t value) static zval *_xml_string_zval(const char *str) { zval *ret; - int len = strlen(str); + size_t len = strlen(str); MAKE_STD_ZVAL(ret); Z_TYPE_P(ret) = IS_STRING; @@ -973,7 +973,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len) if (zend_hash_find(Z_ARRVAL_PP(curtag),type,sizeof(type),(void **) mytype) == SUCCESS) { if (!strcmp(Z_STRVAL_PP(mytype), cdata)) { if (zend_hash_find(Z_ARRVAL_PP(curtag),value,sizeof(value),(void **) myval) == SUCCESS) { - int newlen = Z_STRSIZE_PP(myval) + decoded_len; + zend_str_size_int newlen = Z_STRSIZE_PP(myval) + decoded_len; Z_STRVAL_PP(myval) = erealloc(Z_STRVAL_PP(myval),newlen+1); strncpy(Z_STRVAL_PP(myval) + Z_STRSIZE_PP(myval), decoded_value, decoded_len + 1); Z_STRSIZE_PP(myval) += decoded_len; @@ -1115,7 +1115,7 @@ int _xml_externalEntityRefHandler(XML_Parser parserPtr, args[4] = _xml_xmlchar_zval(publicId, 0, parser-target_encoding); if ((retval = xml_call_handler(parser, parser-externalEntityRefHandler, parser-externalEntityRefPtr, 5, args))) { convert_to_long(retval); - ret = Z_LVAL_P(retval); + ret = (0 == Z_LVAL_P(retval) ? 0 : 1) ; efree(retval); } else { ret = 0; 
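Review bot: In `_xml_characterDataHandler`, `newlen` is still the unchecked sum `Z_STRSIZE_PP(myval) + decoded_len`, and `newlen+1` goes straight into `erealloc`. Widening the variable removes the truncation to `int`, but if the sum or the `+1` ever wrapped, the buffer would be smaller than what the following `strncpy` writes. I would refuse the append when `decoded_len` exceeds the headroom left in the size type, before reallocating. The handler body starts and ends outside the hunk, so the operand types are assumed from the names.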
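Review bot: The new `ret = (0 == Z_LVAL_P(retval) ? 0 : 1) ;` in `_xml_externalEntityRefHandler` carries no comment saying why the callback result is collapsed to 0/1. The function returns `int`, so presumably the aim is that a wide integer whose low bits are zero must not truncate to 0; a line such as `/* normalise to 0/1: the callback result may be wider than int */` would record that. `ret = Z_LVAL_P(retval) != 0;` expresses the same thing without the reversed ternary and the stray space before the semicolon.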
@@ -1449,6 +1449,12 @@ PHP_FUNCTION(xml_parse) if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, rS|i, pind, data, data_len, isFinal) == FAILURE) { return; } + + if (data_len INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Input data is too long.); + RETURN_LONG(0); + } + ZEND_FETCH_RESOURCE(parser,xml_parser *, pind, -1, XML Parser, le_xml_parser); parser-isparsing = 1; @@ -1474,6 +1480,11 @@ PHP_FUNCTION(xml_parse_into_struct) return; } + if (data_len INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Input data is too long.); + RETURN_LONG(0); + } + if (info) { zval_dtor(*info); array_init(*info); @@ -1629,15 +1640,19 @@ PHP_FUNCTION(xml_parser_set_option) switch (opt) { case PHP_XML_OPTION_CASE_FOLDING: convert_to_long_ex(val); - parser-case_folding = Z_LVAL_PP(val); + parser-case_folding = (0 == Z_LVAL_PP(val) ? 0 : 1); break; case PHP_XML_OPTION_SKIP_TAGSTART: convert_to_long_ex(val); + if (Z_LVAL_PP(val) INT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Character count is too big); + RETURN_FALSE; + } parser-toffset = Z_LVAL_PP(val); break; case PHP_XML_OPTION_SKIP_WHITE: convert_to_long_ex(val); - parser-skipwhite = Z_LVAL_PP(val); + parser-skipwhite = (0 == Z_LVAL_PP(val) ? 0 : 1); break; case PHP_XML_OPTION_TARGET_ENCODING: { xml_encoding *enc; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
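Review bot: The `data_len` guards added to `xml_parse` and `xml_parse_into_struct` do not say what the `INT_MAX` limit protects. Presumably the length is later passed to a parser call that takes an `int` (the call is outside both hunks), so a comment like `/* the parser API takes the length as int; refuse input that would truncate */` above each check would keep the reason visible. Both branches also end in `RETURN_LONG(0)`, which a caller cannot tell apart from an ordinary parse failure unless it watches for the warning; that is worth stating in the function documentation.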
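Review bot: The `PHP_XML_OPTION_SKIP_TAGSTART` branch rejects only values above `INT_MAX`; a negative value, or one below `INT_MIN`, still reaches `parser->toffset = Z_LVAL_PP(val);`. `toffset` reads like an offset applied to tag names, so a negative or truncated value could move later reads outside the string; its use is not in the hunk, so this is inferred. The guard should be two-sided, `if (Z_LVAL_PP(val) < 0 || Z_LVAL_PP(val) > INT_MAX) {`, keeping the same warning and `RETURN_FALSE`.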
[PHP-CVS] svn: /SVNROOT/ global_avail
bjoriTue, 10 Dec 2013 19:14:27 + Revision: http://svn.php.net/viewvc?view=revisionrevision=332341 Log: Give Phil Sturgeon doc-en karma Changed paths: U SVNROOT/global_avail Modified: SVNROOT/global_avail === --- SVNROOT/global_avail2013-12-10 13:52:31 UTC (rev 332340) +++ SVNROOT/global_avail2013-12-10 19:14:27 UTC (rev 332341) @@ -101,7 +101,7 @@ avail|aferreira,thiago|phpdoc/pt avail|machado,scar,davis,dnfeitosa,thiago,amandavale,rafa,klaussilveira,kinncj,malukenho,fibbarth|phpdoc/pt_BR avail|radical,shoty|phpdoc/ro -avail|aur,irker,oaass,ralphschindler,kazymjir,whatthejeff,dsas|phpdoc/en +avail|aur,irker,oaass,ralphschindler,kazymjir,whatthejeff,dsas,philstu|phpdoc/en avail|freespace,shafff,sveta,wanderer,kozloffsky,santiago,seprize,irker,mch,aur,das,tmn,bfl,countzero,alien,northcat|phpdoc/ru avail|cumhuronat,gulenzek,xhandros,neoprobe,faruk,infralite,flarecaster,antimon,yelekin,ecamalan|phpdoc/tr avail|pfischer|phpdoc/es -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: revamp ext/xsl: ext/xsl/xsltprocessor.c
Commit:da62a38244ce7a6976be04da7d7ef48bda232324 Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 10:15:47 +0100 Parents: f195339006afa08889a0eab4c5b263c8cd8a054a Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=da62a38244ce7a6976be04da7d7ef48bda232324 Log: revamp ext/xsl Changed paths: M ext/xsl/xsltprocessor.c Diff: diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c index 7a381f5..a77dc62 100644 --- a/ext/xsl/xsltprocessor.c +++ b/ext/xsl/xsltprocessor.c @@ -444,7 +444,7 @@ PHP_FUNCTION(xsl_xsltprocessor_import_stylesheet) cloneDocu = std_hnd-read_property(id, member, BP_VAR_IS, NULL TSRMLS_CC); if (Z_TYPE_P(cloneDocu) != IS_NULL) { convert_to_long(cloneDocu); - clone_docu = Z_LVAL_P(cloneDocu); + clone_docu = (0 == Z_LVAL_P(cloneDocu) ? 0 : 1) ; } efree(member); if (clone_docu == 0) { @@ -490,7 +490,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl zend_object_handlers *std_hnd; FILE *f; int secPrefsError = 0; - int secPrefsValue, secPrefsIni; + php_int_t secPrefsValue, secPrefsIni; xsltSecurityPrefsPtr secPrefs = NULL; node = php_libxml_import_node(docp TSRMLS_CC); @@ -544,7 +544,7 @@ static xmlDocPtr php_xsl_apply_stylesheet(zval *id, xsl_object *intern, xsltStyl doXInclude = std_hnd-read_property(id, member, BP_VAR_IS, NULL TSRMLS_CC); if (Z_TYPE_P(doXInclude) != IS_NULL) { convert_to_long(doXInclude); - ctxt-xinclude = Z_LVAL_P(doXInclude); + ctxt-xinclude = (0 == Z_LVAL_P(doXInclude) ? 0 : 1); } efree(member); @@ -665,7 +665,7 @@ PHP_FUNCTION(xsl_xsltprocessor_transform_to_doc) if (newdocp) { if (ret_class) { int found; - char *curclass_name; + const char *curclass_name; zend_class_entry *curce, **ce; php_libxml_node_object *interndoc; -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: more range checks for ext/sqlite3: ext/sqlite3/sqlite3.c
Commit:34e5236836e9da4a5f0a384c73d482eb27793286 Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 15:40:19 +0100 Parents: 77d4db39571c092fff6883d92f38110c58d7f343 Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=34e5236836e9da4a5f0a384c73d482eb27793286 Log: more range checks for ext/sqlite3 Changed paths: M ext/sqlite3/sqlite3.c Diff: diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c index 6f5d5e4..c43ef97 100644 --- a/ext/sqlite3/sqlite3.c +++ b/ext/sqlite3/sqlite3.c @@ -472,6 +472,11 @@ PHP_METHOD(sqlite3, prepare) stmt_obj-db_obj = db_obj; stmt_obj-db_obj_zval = getThis(); + if (sql_len INT_MAX) { + php_sqlite3_error(stmt_obj-db_obj, SQL statement is too long.); + RETURN_FALSE; + } + Z_ADDREF_P(object); errcode = sqlite3_prepare_v2(db_obj-db, sql, sql_len, (stmt_obj-stmt), NULL); @@ -531,6 +536,11 @@ PHP_METHOD(sqlite3, query) stmt_obj-db_obj = db_obj; stmt_obj-db_obj_zval = getThis(); + if (sql_len INT_MAX) { + php_sqlite3_error(stmt_obj-db_obj, SQL statement is too long.); + RETURN_FALSE; + } + Z_ADDREF_P(object); return_code = sqlite3_prepare_v2(db_obj-db, sql, sql_len, (stmt_obj-stmt), NULL); @@ -628,6 +638,11 @@ PHP_METHOD(sqlite3, querySingle) RETURN_FALSE; } + if (sql_len INT_MAX) { + php_sqlite3_error(db_obj, SQL statement is too long.); + RETURN_FALSE; + } + /* If there was no return value then just execute the query */ if (!return_value_used) { if (sqlite3_exec(db_obj-db, sql, NULL, NULL, errtext) != SQLITE_OK) { 
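Review bot: In `SQLite3::prepare` the `sql_len` check sits after `stmt_obj` has already been wired up (`stmt_obj->db_obj`, `stmt_obj->db_obj_zval`), and `SQLite3::query` repeats the same placement. If `stmt_obj` was created from `return_value` above the hunk, as the surrounding lines suggest, `RETURN_FALSE` overwrites it without releasing the half-built statement object. Doing the length check directly after parameter parsing, as the `querySingle` hunk does, removes the cleanup question; otherwise destroy `return_value` before returning. Both method bodies start and end outside their hunks.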
@@ -1519,12 +1534,12 @@ PHP_METHOD(sqlite3stmt, execute) case SQLITE_BLOB: { php_stream *stream = NULL; - int blength; + zend_str_size_int blength; char *buffer = NULL; if (Z_TYPE_P(param-parameter) == IS_RESOURCE) { php_stream_from_zval_no_verify(stream, param-parameter); if (stream == NULL) { - php_sqlite3_error(stmt_obj-db_obj, Unable to read stream for parameter %ld, param-param_number); + php_sqlite3_error(stmt_obj-db_obj, Unable to read stream for parameter %pd, param-param_number); RETURN_FALSE; } blength = php_stream_copy_to_mem(stream, (void *)buffer, PHP_STREAM_COPY_ALL, 0); @@ -1534,6 +1549,11 @@ PHP_METHOD(sqlite3stmt, execute) buffer = Z_STRVAL_P(param-parameter); } + if (blength INT_MAX) { + php_sqlite3_error(stmt_obj-db_obj, Input is too long for parameter %pd, param-param_number); + RETURN_FALSE; + } + sqlite3_bind_blob(stmt_obj-stmt, param-param_number, buffer, blength, SQLITE_TRANSIENT); if (stream) { @@ -1552,7 +1572,7 @@ PHP_METHOD(sqlite3stmt, execute) break; default: - php_sqlite3_error(stmt_obj-db_obj, Unknown parameter type: %ld for parameter %ld, param-type, param-param_number); + php_sqlite3_error(stmt_obj-db_obj, Unknown parameter type: %pd for parameter %pd, param-type, param-param_number); RETURN_FALSE; } zend_hash_move_forward(stmt_obj-bound_params); @@ -1613,6 +1633,11 @@ PHP_METHOD(sqlite3stmt, __construct) return; } + if (sql_len INT_MAX) { + php_sqlite3_error(stmt_obj-db_obj, SQL string is too long); + RETURN_FALSE; + } + db_obj = (php_sqlite3_db_object *)zend_object_store_get_object(db_zval TSRMLS_CC); SQLITE3_CHECK_INITIALIZED(db_obj, db_obj-initialised, SQLite3) -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
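Review bot: The `blength` check in the `SQLITE_BLOB` case returns before the `if (stream) {` block that follows `sqlite3_bind_blob`, so on the stream path the buffer filled by `php_stream_copy_to_mem` is not released. That block is cut off by the hunk, but it presumably frees `buffer`; the error path needs the same release ahead of `RETURN_FALSE`, for example `if (stream) { pefree(buffer, 0); }`, matching whatever call the existing block uses.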
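Review bot: In `SQLite3Stmt::__construct` the new check reports through `stmt_obj->db_obj`, but `db_obj` is only fetched from `db_zval` on the line after the check, so `stmt_obj->db_obj` is probably not assigned yet at this point. Moving the check below the `db_obj` lookup and `SQLITE3_CHECK_INITIALIZED`, and passing `db_obj`, sends the error to the connection the caller supplied. The message here is `SQL string is too long` while the other methods use `SQL statement is too long.`; one wording is easier to match in logs and tests.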
[PHP-CVS] com php-src: Merge branch 'master' into str_size_and_int64: Zend/zend_builtin_functions.c Zend/zend_compile.c Zend/zend_execute_API.c Zend/zend_operators.h ext/opcache/Optimizer/pass1_5.c ex
Commit:27990438f184cfecd179a78231cfb04af6084f31 Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 19:46:40 +0100 Parents: 34e5236836e9da4a5f0a384c73d482eb27793286 8e29235b6c74a5eaaf4dec26e8e2aec92e3f44e1 Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=27990438f184cfecd179a78231cfb04af6084f31 Log: Merge branch 'master' into str_size_and_int64 Conflicts: Zend/zend_builtin_functions.c ext/opcache/Optimizer/pass1_5.c ext/reflection/php_reflection.c ext/soap/soap.c Changed paths: MM Zend/zend_builtin_functions.c MM Zend/zend_compile.c MM Zend/zend_execute_API.c MM Zend/zend_operators.h MM ext/opcache/Optimizer/pass1_5.c MM ext/reflection/php_reflection.c MM ext/soap/soap.c MM sapi/cli/php_cli_server.c diff --cc Zend/zend_builtin_functions.c index 2b2de95,0a478a7..1d509ce --- a/Zend/zend_builtin_functions.c +++ b/Zend/zend_builtin_functions.c @@@ -2447,36 -2447,49 +2447,49 @@@ ZEND_FUNCTION(extension_loaded Returns an array with the names of functions belonging to the named extension */ ZEND_FUNCTION(get_extension_funcs) { - char *extension_name; - zend_str_size extension_name_len; + char *extension_name, *lcname; - int extension_name_len, array; ++ zend_str_size_int extension_name_len, array; zend_module_entry *module; - const zend_function_entry *func; - - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, S, extension_name, extension_name_len) == FAILURE) { + HashPosition iterator; + zend_function *zif; + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, s, extension_name, extension_name_len) == FAILURE) { return; } - if (strncasecmp(extension_name, zend, sizeof(zend))) { - char *lcname = zend_str_tolower_dup(extension_name, extension_name_len); - if (zend_hash_find(module_registry, lcname, - extension_name_len+1, (void**)module) == FAILURE) { - efree(lcname); - RETURN_FALSE; - } + lcname = zend_str_tolower_dup(extension_name, extension_name_len); + } else { + lcname = estrdup(core); + } + if (zend_hash_find(module_registry, 
lcname, + extension_name_len+1, (void**)module) == FAILURE) { efree(lcname); + RETURN_FALSE; + } - if (!(func = module-functions)) { - RETURN_FALSE; - } + zend_hash_internal_pointer_reset_ex(CG(function_table), iterator); + if (module-functions) { + /* avoid BC break, if functions list is empty, will return an empty array */ + array_init(return_value); + array = 1; } else { - func = builtin_functions; + array = 0; + } + while (zend_hash_get_current_data_ex(CG(function_table), (void **) zif, iterator) == SUCCESS) { + if (zif-common.type==ZEND_INTERNAL_FUNCTION +zif-internal_function.module == module) { + if (!array) { + array_init(return_value); + array = 1; + } + add_next_index_string(return_value, zif-common.function_name, 1); + } + zend_hash_move_forward_ex(CG(function_table), iterator); } - array_init(return_value); + efree(lcname); - while (func-fname) { - add_next_index_string(return_value, func-fname, 1); - func++; + if (!array) { + RETURN_FALSE; } } /* }}} */ diff --cc ext/opcache/Optimizer/pass1_5.c index 474c074,f173c3f..34a22e3 --- a/ext/opcache/Optimizer/pass1_5.c +++ b/ext/opcache/Optimizer/pass1_5.c @@@ -321,6 -321,27 +321,27 @@@ if (ZEND_OPTIMIZER_PASS_1 OPTIMIZATIO break; case ZEND_DO_FCALL: + /* define(name, scalar); */ + if (collect_constants + opline-extended_value == 2 + ZEND_OP1_TYPE(opline) == IS_CONST + Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING - Z_STRLEN(ZEND_OP1_LITERAL(opline)) == sizeof(define)-1 - zend_binary_strcasecmp(Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)), define, sizeof(define)-1) == 0 ++ Z_STRSIZE(ZEND_OP1_LITERAL(opline)) == sizeof(define)-1 ++ zend_binary_strcasecmp(Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRSIZE(ZEND_OP1_LITERAL(opline)), define, sizeof(define)-1) == 0 + (opline-1)-opcode == ZEND_SEND_VAL +
[PHP-CVS] svn: /SVNROOT/ global_avail
bjoriTue, 10 Dec 2013 19:22:33 + Revision: http://svn.php.net/viewvc?view=revisionrevision=332342 Log: Kaspar Bach Pedersen wants to write riak docs Changed paths: U SVNROOT/global_avail Modified: SVNROOT/global_avail === --- SVNROOT/global_avail2013-12-10 19:14:27 UTC (rev 332341) +++ SVNROOT/global_avail2013-12-10 19:22:33 UTC (rev 332342) @@ -101,7 +101,7 @@ avail|aferreira,thiago|phpdoc/pt avail|machado,scar,davis,dnfeitosa,thiago,amandavale,rafa,klaussilveira,kinncj,malukenho,fibbarth|phpdoc/pt_BR avail|radical,shoty|phpdoc/ro -avail|aur,irker,oaass,ralphschindler,kazymjir,whatthejeff,dsas,philstu|phpdoc/en +avail|aur,irker,oaass,ralphschindler,kazymjir,whatthejeff,dsas,philstu,kasparp|phpdoc/en avail|freespace,shafff,sveta,wanderer,kozloffsky,santiago,seprize,irker,mch,aur,das,tmn,bfl,countzero,alien,northcat|phpdoc/ru avail|cumhuronat,gulenzek,xhandros,neoprobe,faruk,infralite,flarecaster,antimon,yelekin,ecamalan|phpdoc/tr avail|pfischer|phpdoc/es -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Zend: fix overflow handling bug in non-x86 fast_add_function(): Zend/zend_operators.h
Le 10/12/2013 14:25, Ard Biesheuvel a écrit : On 10 December 2013 13:17, Dmitry Stogov dmi...@zend.com wrote: Sorry, I just read patch improperly. It's fine. Thanks for perseverance. No problem. BTW I guess nobody runs 'make test' on Windows anymore, because the same issue should have been noticeable there ... I had noticed the array_sum test failing on ARM. I dug a little and found it is related to this piece of code, but hadn't found the proper fix. So: thanks for fixing ;) Remi. -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: 5.4.23: NEWS configure.in main/php_version.h
Commit:733fc5cd48cbbc0ace1530d869e5d69a79049b2e Author:Stanislav Malyshev s...@php.net Tue, 10 Dec 2013 11:32:43 -0800 Parents: c7fb8f4f017dcac6bf478f900cb5fca3031616a3 Branches: PHP-5.4.23 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=733fc5cd48cbbc0ace1530d869e5d69a79049b2e Log: 5.4.23 Changed paths: M NEWS M configure.in M main/php_version.h Diff: diff --git a/NEWS b/NEWS index 3fa29b5..55aaeb5 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,6 @@ PHPNEWS ||| -28 Nov 2013, PHP 5.4.23 RC1 +28 Nov 2013, PHP 5.4.23 - Core: . Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a diff --git a/configure.in b/configure.in index e0c2c3d..3e557c2 100644 --- a/configure.in +++ b/configure.in @@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=5 PHP_MINOR_VERSION=4 PHP_RELEASE_VERSION=23 -PHP_EXTRA_VERSION=RC1 +PHP_EXTRA_VERSION= PHP_VERSION=$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 1 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 12eb7c3..563b5b8 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -3,6 +3,6 @@ #define PHP_MAJOR_VERSION 5 #define PHP_MINOR_VERSION 4 #define PHP_RELEASE_VERSION 23 -#define PHP_EXTRA_VERSION RC1 -#define PHP_VERSION 5.4.23RC1 +#define PHP_EXTRA_VERSION +#define PHP_VERSION 5.4.23 #define PHP_VERSION_ID 50423 -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] tag php-src: create tag php-5.3.28
Tag php-5.3.28 in php-src.git was created Tag: 4649c72baffe185df9d0bd6ac0cbd69099b9bee0 Tagger: Stanislav Malyshevs...@php.net Tue Dec 10 11:37:45 2013 -0800 Log: 5.3.28 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.10 (Darwin) iF4EABEIAAYFAlKnbY0ACgkQL3lWvF2gS10DTwD/ewdWd22wRiAVPw93nA+q/giV TvnmAzCmIUpykKnHkIwA/jNXkIamodtXCnFIFAEpmMQolNaxvLecqanqM803DjAm =rJsF -END PGP SIGNATURE- Link: http://git.php.net/?p=php-src.git;a=tag;h=4649c72baffe185df9d0bd6ac0cbd69099b9bee0 Target: fabcd658d1124d9fbe5c7632ca89def06a6f8600 Author: Stanislav Malyshev s...@php.net Tue, 10 Dec 2013 11:04:57 -0800 Parents: c1224573c773b6845e83505f717fbf820fc18415 Target link: http://git.php.net/?p=php-src.git;a=commitdiff;h=fabcd658d1124d9fbe5c7632ca89def06a6f8600 Target log: 5.4.28 Changed paths: M configure.in M main/php_version.h -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: Merge branch 'PHP-5.5' into PHP-5.6: Zend/zend_builtin_functions.c ext/reflection/php_reflection.c
Commit:45d8802441491c6daf4c0ccd7cc75a49d832193f Author:Remi Collet r...@php.net Tue, 10 Dec 2013 16:10:20 +0100 Parents: fe93347ba073d8a98e6ee850688843ce428f15b0 bc8f7761f37d0cadfe72725c7b5e37d698b4db5d Branches: PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=45d8802441491c6daf4c0ccd7cc75a49d832193f Log: Merge branch 'PHP-5.5' into PHP-5.6 * PHP-5.5: NEWS Fixed Bug #66218 zend_register_functions breaks reflection Bugs: https://bugs.php.net/66218 Changed paths: MM Zend/zend_builtin_functions.c MM ext/reflection/php_reflection.c Diff: -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Zend: fix overflow handling bug in non-x86 fast_add_function(): Zend/zend_operators.h
Sorry, I just read patch improperly. It's fine. Thanks for perseverance. Dmitry. On Tue, Dec 10, 2013 at 4:06 PM, Ard Biesheuvel ard.biesheu...@linaro.orgwrote: On 10 December 2013 12:57, Dmitry Stogov dmi...@zend.com wrote: You missed the second introduced addition: + Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); So for each $a + $b PHP is going to execute two add instructions instead of one (plus memory reads and writes). No it is not. Please look carefully at the assembly listing that I shared below. This is GCC generated code, I am not making this up. The add is performed only once. The only difference is that the store register operation which writes the result of the addition back to the zval is performed conditionally, i.e., only if no overflow occurred. In fact, the GCC generated code is now closer to the inline assembly you wrote for x86. So before my change: @ LONG(result) = LONG(op1) + LONG(op2) 9160: f9401ba1ldr x1, [x29,#48] 9164: f9400260ldr x0, [x19] 9168: 8b20add x0, x1, x0 Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2) follows here 916c: f9000260str x0, [x19] @ conditional branch on overflow 9170: ca010002eor x2, x0, x1 9174: b6f80262tbz x2, #63, 91c0 zif_array_sum+0x118 9178: 39005274strbw20, [x19,#20] After the change: 9118: f9400260ldr x0, [x19] 911c: f9401ba1ldr x1, [x29,#48] 9120: ca23eor x3, x1, x0 9124: 8b010002add x2, x0, x1 @ conditional branch on overflow 9128: b6f80583tbz x3, #63, 91d8 zif_array_sum+0x130 the Z_LVAL_P(result) assignment is moved here, after the conditional branch 912c: f9000262str x2, [x19] 9130: 39005274strbw20, [x19,#20] so we have the exact same instruction count, the exact same number of loads and stores, the only difference is the order. -- Ard. I have trouble understanding why this is unacceptable. The only significant difference is that the str and tbz instructions are switched. Can you elaborate please? -- Ard. It's better to change array_sum() to break aliasing instead of overall slowdown. 
Could you take care about a better fix? Thanks. Dmitry. On Tue, Dec 10, 2013 at 3:28 PM, Ard Biesheuvel ard.biesheu...@linaro.org wrote: On 10 December 2013 12:25, Dmitry Stogov dmi...@zend.com wrote: What exactly are you fixing with this patch? fast_add_function() is used only by VM and opcode operands can't alias (it's guaranteed by compiler). It's also used by array_sum(), but it also can't create aliases between results and operands. What is the reason to slowdown each integer addition? The patch that was applied to fix https://bugs.php.net/bug.php?id=65304 uses calls fast_add_function() like this: fast_add_function(return_value, return_value, entry_n TSRMLS_CC); so it does create aliases. If that is undesirable, perhaps we should fix array_sum() instead? However, I think the compiler will be smart enough to factor out the op1+op2 operation, so i don't expect any significant slowdown. -- Ard. Thanks. Dmitry. On Tue, Dec 10, 2013 at 3:12 PM, Ard Biesheuvel ardbiesheu...@php.net wrote: Commit:60d2e70c062e436a6c6cd3c8a17469a083a38b46 Author:Ard Biesheuvel ard.biesheu...@linaro.org Tue, 10 Dec 2013 12:07:46 +0100 Parents: 5a87b7ff39bbf427807c46d1e51e2654259ad394 Branches: PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=60d2e70c062e436a6c6cd3c8a17469a083a38b46 Log: Zend: fix overflow handling bug in non-x86 fast_add_function() The 'result' argument of fast_add_function() may alias with either of its operands (or both). Take care not to write to 'result' before reading op1 and op2. Changed paths: M Zend/zend_operators.h Diff: diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h index 0152e03..5c6fc86 100644 --- a/Zend/zend_operators.h +++ b/Zend/zend_operators.h 
@@ -643,13 +643,18 @@ static zend_always_inline int fast_add_function(zval *result, zval *op1, zval *o n(ZVAL_OFFSETOF_TYPE) : rax,cc); #else - Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); + /* +* 'result' may alias with op1 or op2, so we need to +* ensure that 'result' is not updated until after we +
[PHP-CVS] com php-src: Merge branch 'PHP-5.4' into PHP-5.5: Zend/zend_builtin_functions.c ext/reflection/php_reflection.c
Commit:9f4d1ee51c19c50a60284a5687f247785fd26f6a Author:Remi Collet r...@php.net Tue, 10 Dec 2013 16:09:41 +0100 Parents: 552e8b2b4c5708cb90faf148bd99e3f67fa926b5 3e963f8eb44863ef3d758eabe791190b0fd7bb9a Branches: PHP-5.5 PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=9f4d1ee51c19c50a60284a5687f247785fd26f6a Log: Merge branch 'PHP-5.4' into PHP-5.5 * PHP-5.4: Fixed Bug #66218 zend_register_functions breaks reflection Bugs: https://bugs.php.net/66218 Changed paths: MM Zend/zend_builtin_functions.c MM ext/reflection/php_reflection.c Diff: -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: Fixed bug #66252 (Problems in AST evaluation invalidating valid parent:: reference. Constant expessions have to be evaluated in context of defining class).: Zend/tests/bug66252.
Commit:5a87b7ff39bbf427807c46d1e51e2654259ad394 Author:Dmitry Stogov dmi...@zend.com Tue, 10 Dec 2013 14:19:17 +0400 Parents: 5ad11174196760ad9aa4c94c08e0e58c72eb9cb9 Branches: PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=5a87b7ff39bbf427807c46d1e51e2654259ad394 Log: Fixed bug #66252 (Problems in AST evaluation invalidating valid parent:: reference. Constant expessions have to be evaluated in context of defining class). Bugs: https://bugs.php.net/66252 Changed paths: A Zend/tests/bug66252.phpt M Zend/zend_ast.c M Zend/zend_ast.h M Zend/zend_compile.c M Zend/zend_execute_API.c diff --git a/Zend/tests/bug66252.phpt b/Zend/tests/bug66252.phpt new file mode 100644 index 000..e692a8e --- /dev/null +++ b/Zend/tests/bug66252.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #66252 (Problems in AST evaluation invalidating valid parent:: reference) +--FILE-- +?php +class A { + const HW = this is A; +} +class B extends A { + const BHW = parent::HW . extended by B; +} +const C = B::BHW; +echo C, \n; +--EXPECT-- +this is A extended by B diff --git a/Zend/zend_ast.c b/Zend/zend_ast.c index fb5a7eb..66330d5 100644 --- a/Zend/zend_ast.c +++ b/Zend/zend_ast.c 
@@ -81,143 +81,143 @@ ZEND_API int zend_ast_is_ct_constant(zend_ast *ast) } } -ZEND_API void zend_ast_evaluate(zval *result, zend_ast *ast TSRMLS_DC) +ZEND_API void zend_ast_evaluate(zval *result, zend_ast *ast, zend_class_entry *scope TSRMLS_DC) { zval op1, op2; switch (ast-kind) { case ZEND_ADD: - zend_ast_evaluate(op1, (ast-u.child)[0] TSRMLS_CC); - zend_ast_evaluate(op2, (ast-u.child)[1] TSRMLS_CC); + zend_ast_evaluate(op1, (ast-u.child)[0], scope TSRMLS_CC); + zend_ast_evaluate(op2, (ast-u.child)[1], scope TSRMLS_CC); add_function(result, op1, op2 TSRMLS_CC); zval_dtor(op1); zval_dtor(op2); break; case ZEND_SUB: - zend_ast_evaluate(op1, (ast-u.child)[0] TSRMLS_CC); - zend_ast_evaluate(op2, (ast-u.child)[1] TSRMLS_CC); + zend_ast_evaluate(op1, (ast-u.child)[0], scope TSRMLS_CC); + zend_ast_evaluate(op2, (ast-u.child)[1], scope TSRMLS_CC); sub_function(result, op1, op2 TSRMLS_CC); zval_dtor(op1); zval_dtor(op2); break; case ZEND_MUL: - zend_ast_evaluate(op1, (ast-u.child)[0] TSRMLS_CC); - zend_ast_evaluate(op2, (ast-u.child)[1] TSRMLS_CC); + zend_ast_evaluate(op1, (ast-u.child)[0], scope TSRMLS_CC); + zend_ast_evaluate(op2, (ast-u.child)[1], scope TSRMLS_CC); mul_function(result, op1, op2 TSRMLS_CC); zval_dtor(op1); zval_dtor(op2); break; case ZEND_DIV: - zend_ast_evaluate(op1, (ast-u.child)[0] TSRMLS_CC); - zend_ast_evaluate(op2, (ast-u.child)[1] TSRMLS_CC); + zend_ast_evaluate(op1, (ast-u.child)[0], scope TSRMLS_CC); + zend_ast_evaluate(op2, (ast-u.child)[1], scope TSRMLS_CC); div_function(result, op1, op2 TSRMLS_CC); zval_dtor(op1); zval_dtor(op2); break; case ZEND_MOD: - zend_ast_evaluate(op1, (ast-u.child)[0] TSRMLS_CC); - zend_ast_evaluate(op2, (ast-u.child)[1] TSRMLS_CC); + zend_ast_evaluate(op1, (ast-u.child)[0], scope TSRMLS_CC); + zend_ast_evaluate(op2, (ast-u.child)[1], scope TSRMLS_CC); mod_function(result, op1, op2 TSRMLS_CC); zval_dtor(op1); zval_dtor(op2); break; case ZEND_SL: - zend_ast_evaluate(op1, (ast-u.child)[0] TSRMLS_CC); - 
zend_ast_evaluate(op2, (ast-u.child)[1] TSRMLS_CC); + zend_ast_evaluate(op1, (ast-u.child)[0], scope TSRMLS_CC); + zend_ast_evaluate(op2, (ast-u.child)[1], scope TSRMLS_CC); shift_left_function(result, op1, op2 TSRMLS_CC); zval_dtor(op1); zval_dtor(op2); break; case ZEND_SR: - zend_ast_evaluate(op1, (ast-u.child)[0] TSRMLS_CC); - zend_ast_evaluate(op2, (ast-u.child)[1] TSRMLS_CC); + zend_ast_evaluate(op1, (ast-u.child)[0], scope TSRMLS_CC); +
[PHP-CVS] com php-src: Merge branch 'PHP-5.4' into PHP-5.5: ext/openssl/openssl.c
Commit:41cd53329871cb99799cd9a8f76151312be2e960 Author:Stanislav Malyshev s...@php.net Tue, 10 Dec 2013 11:35:26 -0800 Parents: bc8f7761f37d0cadfe72725c7b5e37d698b4db5d b1b23abc868e25f9ee083e8837c37867516ee380 Branches: PHP-5.5 PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=41cd53329871cb99799cd9a8f76151312be2e960 Log: Merge branch 'PHP-5.4' into PHP-5.5 * PHP-5.4: 5.3.29-dev Fix CVE-2013-6420 - memory corruption in openssl_x509_parse Changed paths: MM ext/openssl/openssl.c Diff: -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: more range checks for ext/tidy: ext/tidy/tidy.c
On Tue, Dec 10, 2013 at 1:41 PM, Anatol Belski a...@php.net wrote: Commit:a697297f5f328442994c6321c9661d1351036c4e Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 13:41:49 +0100 Parents: 5acc0c0c5bf5afbd2b103a99adf51539874ccc48 Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=a697297f5f328442994c6321c9661d1351036c4e Log: more range checks for ext/tidy Changed paths: M ext/tidy/tidy.c Diff: diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c index 94daef4..69cd19e 100644 --- a/ext/tidy/tidy.c +++ b/ext/tidy/tidy.c @@ -604,6 +604,11 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil if (data) { TidyBuffer buf; + if (data_len UINT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Input data is too long); + RETVAL_FALSE; + } RETVAL over RETURN intentional? Nikita
[PHP-CVS] com php-src: fixed return: ext/tidy/tidy.c
Commit:77d4db39571c092fff6883d92f38110c58d7f343 Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 14:15:29 +0100 Parents: a697297f5f328442994c6321c9661d1351036c4e Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=77d4db39571c092fff6883d92f38110c58d7f343 Log: fixed return Changed paths: M ext/tidy/tidy.c Diff: diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c index 69cd19e..7870ddf 100644 --- a/ext/tidy/tidy.c +++ b/ext/tidy/tidy.c @@ -606,7 +606,7 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil if (data_len UINT_MAX) { php_error_docref(NULL TSRMLS_CC, E_WARNING, Input data is too long); - RETVAL_FALSE; + RETURN_FALSE; } tidyBufInit(buf); -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
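Review bot: With `RETURN_FALSE`, the oversize branch in `php_tidy_quick_repair` now leaves the function before any of the code after `tidyBufInit` runs. The signature shows an `is_file` mode; if `data` was read from a file into an allocated buffer above the hunk, this early return skips whatever releases it at the end of the function, which is not visible here. The branch should release `data` itself when `is_file` is set before returning.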
[PHP-CVS] com php-src: Fixed bug #66112 (Use after free condition in SOAP extension). (martin dot koegler at brz dot gv dot at): NEWS ext/soap/soap.c ext/soap/tests/bugs/bug66112.phpt ext/soap/tests/b
Commit:552e8b2b4c5708cb90faf148bd99e3f67fa926b5 Author:Dmitry Stogov dmi...@zend.com Tue, 10 Dec 2013 17:57:05 +0400 Parents: a46f644b3ac4abe7577165de4e4850e5c2c88227 Branches: PHP-5.5 PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=552e8b2b4c5708cb90faf148bd99e3f67fa926b5 Log: Fixed bug #66112 (Use after free condition in SOAP extension). (martin dot koegler at brz dot gv dot at) Bugs: https://bugs.php.net/66112 Changed paths: M NEWS M ext/soap/soap.c A ext/soap/tests/bugs/bug66112.phpt A ext/soap/tests/bugs/bug66112.wsdl diff --git a/NEWS b/NEWS index 0d6edf2..1e7ce53 100644 --- a/NEWS +++ b/NEWS @@ -22,6 +22,10 @@ PHP NEWS - Filter: . Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer). (Adam) +- SOAP + . Fixed bug #66112 (Use after free condition in SOAP extension). +(martin dot koegler at brz dot gv dot at) + - Sockets: . Fixed bug #65923 (ext/socket assumes AI_V4MAPPED is defined). (Felipe) diff --git a/ext/soap/soap.c b/ext/soap/soap.c index 0404096..3448df4 100644 --- a/ext/soap/soap.c +++ b/ext/soap/soap.c 
@@ -2694,124 +2694,133 @@ static void do_soap_call(zval* this_ptr, SOAP_GLOBAL(features) = 0; } - if (sdl != NULL) { - fn = get_function(sdl, function); - if (fn != NULL) { - sdlBindingPtr binding = fn-binding; - int one_way = 0; - - if (fn-responseName == NULL - fn-responseParameters == NULL - soap_headers == NULL) { - one_way = 1; - } + zend_try { + if (sdl != NULL) { + fn = get_function(sdl, function); + if (fn != NULL) { + sdlBindingPtr binding = fn-binding; + int one_way = 0; + + if (fn-responseName == NULL + fn-responseParameters == NULL + soap_headers == NULL) { + one_way = 1; + } - if (location == NULL) { - location = binding-location; - } - if (binding-bindingType == BINDING_SOAP) { - sdlSoapBindingFunctionPtr fnb = (sdlSoapBindingFunctionPtr)fn-bindingAttributes; - request = serialize_function_call(this_ptr, fn, NULL, fnb-input.ns, real_args, arg_count, soap_version, soap_headers TSRMLS_CC); - ret = do_request(this_ptr, request, location, fnb-soapAction, soap_version, one_way, response TSRMLS_CC); - } else { - request = serialize_function_call(this_ptr, fn, NULL, sdl-target_ns, real_args, arg_count, soap_version, soap_headers TSRMLS_CC); - ret = do_request(this_ptr, request, location, NULL, soap_version, one_way, response TSRMLS_CC); - } - - xmlFreeDoc(request); - - if (ret Z_TYPE(response) == IS_STRING) { - encode_reset_ns(); - ret = parse_packet_soap(this_ptr, Z_STRVAL(response), Z_STRLEN(response), fn, NULL, return_value, output_headers TSRMLS_CC); - encode_finish(); - } + if (location == NULL) { + location = binding-location; + } + if (binding-bindingType == BINDING_SOAP) { + sdlSoapBindingFunctionPtr fnb = (sdlSoapBindingFunctionPtr)fn-bindingAttributes; + request = serialize_function_call(this_ptr, fn, NULL, fnb-input.ns, real_args, arg_count, soap_version, soap_headers TSRMLS_CC); + ret = do_request(this_ptr, request, location, fnb-soapAction, soap_version, one_way, response TSRMLS_CC); + } else { + request = serialize_function_call(this_ptr, fn, 
NULL, sdl-target_ns, real_args, arg_count, soap_version, soap_headers TSRMLS_CC); + ret = do_request(this_ptr, request, location, NULL, soap_version, one_way, response TSRMLS_CC); + } + + xmlFreeDoc(request); + + if (ret Z_TYPE(response) == IS_STRING) { + encode_reset_ns(); + ret =
[PHP-CVS] com php-src: Merge branch 'PHP-5.5' into PHP-5.6: ext/soap/soap.c
Commit:fe93347ba073d8a98e6ee850688843ce428f15b0 Author:Dmitry Stogov dmi...@zend.com Tue, 10 Dec 2013 17:58:22 +0400 Parents: 73f13f439b3e10cca9b17e7f15c06e7fd11eb6c9 552e8b2b4c5708cb90faf148bd99e3f67fa926b5 Branches: PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=fe93347ba073d8a98e6ee850688843ce428f15b0 Log: Merge branch 'PHP-5.5' into PHP-5.6 * PHP-5.5: Fixed bug #66112 (Use after free condition in SOAP extension). (martin dot koegler at brz dot gv dot at) Conflicts: NEWS Bugs: https://bugs.php.net/66112 Changed paths: MM ext/soap/soap.c Diff: -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
Re: [PHP-CVS] com php-src: Zend: fix overflow handling bug in non-x86 fast_add_function(): Zend/zend_operators.h
On 10 December 2013 12:57, Dmitry Stogov dmi...@zend.com wrote: You missed the second introduced addition: + Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); So for each $a + $b PHP is going to execute two add instructions instead of one (plus memory reads and writes). No it is not. Please look carefully at the assembly listing that I shared below. This is GCC generated code, I am not making this up. The add is performed only once. The only difference is that the store register operation which writes the result of the addition back to the zval is performed conditionally, i.e., only if no overflow occurred. In fact, the GCC generated code is now closer to the inline assembly you wrote for x86. So before my change: @ LONG(result) = LONG(op1) + LONG(op2) 9160: f9401ba1ldr x1, [x29,#48] 9164: f9400260ldr x0, [x19] 9168: 8b20add x0, x1, x0 Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2) follows here 916c: f9000260str x0, [x19] @ conditional branch on overflow 9170: ca010002eor x2, x0, x1 9174: b6f80262tbz x2, #63, 91c0 zif_array_sum+0x118 9178: 39005274strbw20, [x19,#20] After the change: 9118: f9400260ldr x0, [x19] 911c: f9401ba1ldr x1, [x29,#48] 9120: ca23eor x3, x1, x0 9124: 8b010002add x2, x0, x1 @ conditional branch on overflow 9128: b6f80583tbz x3, #63, 91d8 zif_array_sum+0x130 the Z_LVAL_P(result) assignment is moved here, after the conditional branch 912c: f9000262str x2, [x19] 9130: 39005274strbw20, [x19,#20] so we have the exact same instruction count, the exact same number of loads and stores, the only difference is the order. -- Ard. I have trouble understanding why this is unacceptable. The only significant difference is that the str and tbz instructions are switched. Can you elaborate please? -- Ard. It's better to change array_sum() to break aliasing instead of overall slowdown. Could you take care about a better fix? Thanks. Dmitry. 
On Tue, Dec 10, 2013 at 3:28 PM, Ard Biesheuvel ard.biesheu...@linaro.org wrote: On 10 December 2013 12:25, Dmitry Stogov dmi...@zend.com wrote: What exactly are you fixing with this patch? fast_add_function() is used only by VM and opcode operands can't alias (it's guaranteed by compiler). It's also used by array_sum(), but it also can't create aliases between results and operands. What is the reason to slowdown each integer addition? The patch that was applied to fix https://bugs.php.net/bug.php?id=65304 uses calls fast_add_function() like this: fast_add_function(return_value, return_value, entry_n TSRMLS_CC); so it does create aliases. If that is undesirable, perhaps we should fix array_sum() instead? However, I think the compiler will be smart enough to factor out the op1+op2 operation, so i don't expect any significant slowdown. -- Ard. Thanks. Dmitry. On Tue, Dec 10, 2013 at 3:12 PM, Ard Biesheuvel ardbiesheu...@php.net wrote: Commit:60d2e70c062e436a6c6cd3c8a17469a083a38b46 Author:Ard Biesheuvel ard.biesheu...@linaro.org Tue, 10 Dec 2013 12:07:46 +0100 Parents: 5a87b7ff39bbf427807c46d1e51e2654259ad394 Branches: PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=60d2e70c062e436a6c6cd3c8a17469a083a38b46 Log: Zend: fix overflow handling bug in non-x86 fast_add_function() The 'result' argument of fast_add_function() may alias with either of its operands (or both). Take care not to write to 'result' before reading op1 and op2. Changed paths: M Zend/zend_operators.h Diff: diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h index 0152e03..5c6fc86 100644 --- a/Zend/zend_operators.h +++ b/Zend/zend_operators.h 
@@ -643,13 +643,18 @@ static zend_always_inline int fast_add_function(zval *result, zval *op1, zval *o n(ZVAL_OFFSETOF_TYPE) : rax,cc); #else - Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); + /* +* 'result' may alias with op1 or op2, so we need to +* ensure that 'result' is not updated until after we +* have read the values of op1 and op2. +*/ if (UNEXPECTED((Z_LVAL_P(op1) LONG_SIGN_MASK) == (Z_LVAL_P(op2) LONG_SIGN_MASK) -(Z_LVAL_P(op1) LONG_SIGN_MASK) != (Z_LVAL_P(result)
Re: [PHP-CVS] com php-src: more range checks for ext/tidy: ext/tidy/tidy.c
On Tue, December 10, 2013 13:55, Nikita Popov wrote: On Tue, Dec 10, 2013 at 1:41 PM, Anatol Belski a...@php.net wrote: Commit:a697297f5f328442994c6321c9661d1351036c4e Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 13:41:49 +0100 Parents: 5acc0c0c5bf5afbd2b103a99adf51539874ccc48 Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=a697297f5f328442994c632 1c9661d1351036c4e Log: more range checks for ext/tidy Changed paths: M ext/tidy/tidy.c Diff: diff --git a/ext/tidy/tidy.c b/ext/tidy/tidy.c index 94daef4..69cd19e 100644 --- a/ext/tidy/tidy.c +++ b/ext/tidy/tidy.c @@ -604,6 +604,11 @@ static void php_tidy_quick_repair(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_fil if (data) { TidyBuffer buf; + if (data_len UINT_MAX) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, Input data is too long); + RETVAL_FALSE; + } RETVAL over RETURN intentional? Nikita uups, of course not. Thanks for keeping eye on that :) Regards anatol -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: fix function params: Zend/zend_builtin_functions.c
Commit:19161b8d4e070b8d6c2efbd13157250f50081aa6 Author:Anatol Belski a...@php.net Tue, 10 Dec 2013 20:00:59 +0100 Parents: 27990438f184cfecd179a78231cfb04af6084f31 Branches: str_size_and_int64 Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=19161b8d4e070b8d6c2efbd13157250f50081aa6 Log: fix function params Changed paths: M Zend/zend_builtin_functions.c Diff: diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c index 1d509ce..cde65cd 100644 --- a/Zend/zend_builtin_functions.c +++ b/Zend/zend_builtin_functions.c @@ -2452,7 +2452,7 @@ ZEND_FUNCTION(get_extension_funcs) zend_module_entry *module; HashPosition iterator; zend_function *zif; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, s, extension_name, extension_name_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, S, extension_name, extension_name_len) == FAILURE) { return; } if (strncasecmp(extension_name, zend, sizeof(zend))) { -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
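Review bot: Changing the specifier from `s` to `S` changes what zend_parse_parameters stores through the length pointer, and the declaration of `extension_name_len` is not part of this hunk. On this branch `S` appears to pair with the wider string-size type (other commits on the branch use `zend_str_size_int`). If the variable is still declared `int`, the call would write more bytes than the variable holds, so confirm the declaration was changed to match. ZEND_FUNCTION(get_extension_funcs) starts and ends outside the hunk.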
[PHP-CVS] com php-src: Fixed bug #66251 (Constants get statically bound at compile time when Optimized): ext/opcache/Optimizer/pass1_5.c ext/opcache/tests/bug66251.phpt
Commit:73f13f439b3e10cca9b17e7f15c06e7fd11eb6c9 Author:Dmitry Stogov dmi...@zend.com Tue, 10 Dec 2013 17:04:17 +0400 Parents: 1e161a9c0fc215344998674401122f62077c47af Branches: PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=73f13f439b3e10cca9b17e7f15c06e7fd11eb6c9 Log: Fixed bug #66251 (Constants get statically bound at compile time when Optimized) Bugs: https://bugs.php.net/66251 Changed paths: M ext/opcache/Optimizer/pass1_5.c A ext/opcache/tests/bug66251.phpt Diff: diff --git a/ext/opcache/Optimizer/pass1_5.c b/ext/opcache/Optimizer/pass1_5.c index bd8af47..f173c3f 100644 --- a/ext/opcache/Optimizer/pass1_5.c +++ b/ext/opcache/Optimizer/pass1_5.c @@ -321,6 +321,27 @@ if (ZEND_OPTIMIZER_PASS_1 OPTIMIZATION_LEVEL) { break; case ZEND_DO_FCALL: + /* define(name, scalar); */ + if (collect_constants + opline-extended_value == 2 + ZEND_OP1_TYPE(opline) == IS_CONST + Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING + Z_STRLEN(ZEND_OP1_LITERAL(opline)) == sizeof(define)-1 + zend_binary_strcasecmp(Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)), define, sizeof(define)-1) == 0 + (opline-1)-opcode == ZEND_SEND_VAL + ZEND_OP1_TYPE(opline-1) == IS_CONST + (Z_TYPE(ZEND_OP1_LITERAL(opline-1)) = IS_BOOL || +Z_TYPE(ZEND_OP1_LITERAL(opline-1)) == IS_STRING) + (opline-2)-opcode == ZEND_SEND_VAL + ZEND_OP1_TYPE(opline-2) == IS_CONST + Z_TYPE(ZEND_OP1_LITERAL(opline-2)) == IS_STRING) { + zend_optimizer_collect_constant(constants, ZEND_OP1_LITERAL(opline-2), ZEND_OP1_LITERAL(opline-1)); + break; + } else { + /* don't colllect constants after any other function call */ + collect_constants = 0; + } + /* pre-evaluate constant functions: defined(x) constant(x) 
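Review bot: The `else` branch that sets `collect_constants = 0` carries the only explanation of the fix, but its comment is misspelled (`colllect`) and does not say why collection has to stop. I would write it as `/* stop collecting: a function called here may read a constant before a later define()/const has run (bug #66251) */`, which is the case the added bug66251.phpt exercises. The reads of `(opline-1)` and `(opline-2)` presumably rely on `extended_value == 2` meaning that two send opcodes precede the call; a one-line comment stating that assumption would help the next reader. The enclosing `switch` starts and ends outside the hunk.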
@@ -428,25 +449,7 @@ if (ZEND_OPTIMIZER_PASS_1 OPTIMIZATION_LEVEL) { MAKE_NOP(opline); } } - break; - } - - /* define(name, scalar); */ - if (collect_constants - opline-extended_value == 2 - ZEND_OP1_TYPE(opline) == IS_CONST - Z_TYPE(ZEND_OP1_LITERAL(opline)) == IS_STRING - Z_STRLEN(ZEND_OP1_LITERAL(opline)) == sizeof(define)-1 - zend_binary_strcasecmp(Z_STRVAL(ZEND_OP1_LITERAL(opline)), Z_STRLEN(ZEND_OP1_LITERAL(opline)), define, sizeof(define)-1) == 0 - (opline-1)-opcode == ZEND_SEND_VAL - ZEND_OP1_TYPE(opline-1) == IS_CONST - (Z_TYPE(ZEND_OP1_LITERAL(opline-1)) = IS_BOOL || -Z_TYPE(ZEND_OP1_LITERAL(opline-1)) == IS_STRING) - (opline-2)-opcode == ZEND_SEND_VAL - ZEND_OP1_TYPE(opline-2) == IS_CONST - Z_TYPE(ZEND_OP1_LITERAL(opline-2)) == IS_STRING) { - zend_optimizer_collect_constant(constants, ZEND_OP1_LITERAL(opline-2), ZEND_OP1_LITERAL(opline-1)); - } + } break; #if ZEND_EXTENSION_API_NO PHP_5_2_X_API_NO case ZEND_DECLARE_CONST: @@ -487,6 +490,7 @@ if (ZEND_OPTIMIZER_PASS_1 OPTIMIZATION_LEVEL) { case ZEND_FE_RESET: case ZEND_FE_FETCH: case ZEND_NEW: + case ZEND_DO_FCALL_BY_NAME: #if ZEND_EXTENSION_API_NO = PHP_5_3_X_API_NO case ZEND_JMP_SET: #endif diff --git a/ext/opcache/tests/bug66251.phpt b/ext/opcache/tests/bug66251.phpt new file mode 100644 index 000..23a5165 --- /dev/null +++ b/ext/opcache/tests/bug66251.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #66251 (Constants get statically bound at compile time when Optimized) +--INI-- +opcache.enable=1 +opcache.enable_cli=1 +opcache.optimization_level=-1 +--SKIPIF-- +?php if (!extension_loaded('Zend OPcache') || php_sapi_name() != cli) die(skip CLI only); ? +--FILE-- +?php +printf (A=%s\n, getA()); +const A=hello; +function getA() {return A;} +? +--EXPECTF-- +Notice: Use of undefined constant A - assumed 'A' in
[PHP-CVS] tag php-src: create tag php-5.5.7
Tag php-5.5.7 in php-src.git was created Tag: 369bf8e97a3016971c18ddc7fa5e8faae6658086 Tagger: Julien Paulijpa...@php.net Wed Dec 11 00:44:13 2013 +0100 Log: Tagged 5.5.7 -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAABAgAGBQJSp6dZAAoJEP6FfZqQ2Q7BxxUH/0MMhnvaJXTyKHYuYptUbCmS 0R25DMn5LIjPqvtPUUmPngHJffsOwIzDuCD86/UKK5VJ/uGIT6OBOgyze2PicOpK NgdIKRW2hOFUFZOwTLiH76d0QqyuBDEfd7xFqohZ5PcOv5tZf4kF+W4EpJBm8PyY soJZckm9zvtEV4p1luFaNi7QDbzA++Nr6G62lmzQV9bmD/CHZKS9worDyRe9pi/v XTlfldjLbOLkzWBD836VWNXGA450iMbJSWDbuvV0sxMO2rQI9tXs/1vmkHWKMo5I isABkrNjPOYmKD0mF4DrY4Q83b6xeXVK3MmeoLShM4yKwK8+xo4q3L5yGIcePxk= =4Qo0 -END PGP SIGNATURE- Link: http://git.php.net/?p=php-src.git;a=tag;h=369bf8e97a3016971c18ddc7fa5e8faae6658086 Target: 6daaf1103b9ea36ecf04c5cffee9e8287fdf39c7 Author: Julien Pauli jpa...@php.net Wed, 11 Dec 2013 00:31:06 +0100 Parents: 073d24bb50eeab6b592d044c71e530afac0a474a Target link: http://git.php.net/?p=php-src.git;a=commitdiff;h=6daaf1103b9ea36ecf04c5cffee9e8287fdf39c7 Target log: 5.5.7 Changed paths: M NEWS M configure.in M main/php_version.h -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
[PHP-CVS] com php-src: Zend: fix overflow handling bug in non-x86 fast_add_function(): Zend/zend_operators.h
Commit:60d2e70c062e436a6c6cd3c8a17469a083a38b46 Author:Ard Biesheuvel ard.biesheu...@linaro.org Tue, 10 Dec 2013 12:07:46 +0100 Parents: 5a87b7ff39bbf427807c46d1e51e2654259ad394 Branches: PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=60d2e70c062e436a6c6cd3c8a17469a083a38b46 Log: Zend: fix overflow handling bug in non-x86 fast_add_function() The 'result' argument of fast_add_function() may alias with either of its operands (or both). Take care not to write to 'result' before reading op1 and op2. Changed paths: M Zend/zend_operators.h Diff: diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h index 0152e03..5c6fc86 100644 --- a/Zend/zend_operators.h +++ b/Zend/zend_operators.h @@ -643,13 +643,18 @@ static zend_always_inline int fast_add_function(zval *result, zval *op1, zval *o n(ZVAL_OFFSETOF_TYPE) : rax,cc); #else - Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); + /* +* 'result' may alias with op1 or op2, so we need to +* ensure that 'result' is not updated until after we +* have read the values of op1 and op2. +*/ if (UNEXPECTED((Z_LVAL_P(op1) LONG_SIGN_MASK) == (Z_LVAL_P(op2) LONG_SIGN_MASK) -(Z_LVAL_P(op1) LONG_SIGN_MASK) != (Z_LVAL_P(result) LONG_SIGN_MASK))) { +(Z_LVAL_P(op1) LONG_SIGN_MASK) != ((Z_LVAL_P(op1) + Z_LVAL_P(op2)) LONG_SIGN_MASK))) { Z_DVAL_P(result) = (double) Z_LVAL_P(op1) + (double) Z_LVAL_P(op2); Z_TYPE_P(result) = IS_DOUBLE; } else { + Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); Z_TYPE_P(result) = IS_LONG; } #endif -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
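Review bot: The overflow test now computes `Z_LVAL_P(op1) + Z_LVAL_P(op2)` as a signed addition and inspects its sign bit, but a signed addition that overflows is undefined behaviour in C, so a compiler may assume it cannot happen and drop the check. Doing the sum in unsigned arithmetic avoids that and gives a single value to test and store: `unsigned long sum = (unsigned long) Z_LVAL_P(op1) + (unsigned long) Z_LVAL_P(op2);`. The sign comparison would then use `sum`, and the else branch would store `(long) sum`. This assumes Z_LVAL_P yields a `long`, which the hunk does not show. The x86 inline-assembly branches and the start of fast_add_function are outside the hunk.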
[PHP-CVS] com php-src: Merge branch 'PHP-5.3' into PHP-5.4: NEWS ext/openssl/openssl.c
Commit:71daf3229b5707a3553dc7d1971e8a0e77cd9dfb Author:Stanislav Malyshev s...@php.net Tue, 10 Dec 2013 11:33:40 -0800 Parents: c062c18d426e8b1e4d7e4fabb6a5eae331f6e58b 8650bbc8dc6c3b416454f5e38812430edbd438c6 Branches: PHP-5.4 PHP-5.5 PHP-5.6 master Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=71daf3229b5707a3553dc7d1971e8a0e77cd9dfb Log: Merge branch 'PHP-5.3' into PHP-5.4 * PHP-5.3: 5.3.29-dev Fix CVE-2013-6420 - memory corruption in openssl_x509_parse Conflicts: configure.in main/php_version.h Changed paths: MM NEWS MM ext/openssl/openssl.c diff --cc NEWS index ebdf315,72c0939..cc85e90 --- a/NEWS +++ b/NEWS @@@ -1,319 -1,22 +1,323 @@@ PHP NEWS ||| -?? ??? 201?, PHP 5.3.29 +?? ??? 2013, PHP 5.4.24 -12 Dec 2013, PHP 5.3.28 +- Core: + . Added validation of class names in the autoload process. (Dmitry) + . Fixed invalid C code in zend_strtod.c. (Lior Kaplan) + . Fixed bug #61645 (fopen and O_NONBLOCK). (Mike) + +- Date: + . Fixed bug #66060 (Heap buffer over-read in DateInterval). (Remi) + . Fixed bug #63391 (Incorrect/inconsistent day of week prior to the year +1600). (Derick, T. Carter) + . Fixed bug #61599 (Wrong Day of Week). (Derick, T. Carter) + +- DOM: + . Fixed bug #65196 (Passing DOMDocumentFragment to DOMDocument::saveHTML() +Produces invalid Markup). (Mike) + +- Filter: + . Fixed bug #66229 (128.0.0.0/16 isn't reserved any longer). (Adam) + +- XSL + . Fixed bug #49634 (Segfault throwing an exception in a XSL registered +function). (Mike) + - ?? ??? 2013, PHP 5.4.23 ++12 Dec 2013, PHP 5.4.23 + +- Core: + . Fixed bug #66094 (unregister_tick_function tries to cast a Closure to a +string). (Laruence) + . Fixed bug #65969 (Chain assignment with T_LIST failure). (Dmitry) + . Fixed bug #65947 (basename is no more working after fgetcsv in certain +situation). (Laruence) + +- JSON + . Fixed whitespace part of bug #64874 (json_decode handles whitespace and +case-sensitivity incorrectly). (Andrea Faulds) + +- MySQLi: + . 
Fixed bug #66043 (Segfault calling bind_param() on mysqli). (Laruence) + +- mysqlnd: + . Fixed bug #66124 (mysqli under mysqlnd loses precision when bind_param +with 'i'). (Andrey) + . Fixed bug #66141 (mysqlnd quote function is wrong with NO_BACKSLASH_ESCAPES +after failed query). (Andrey) + - Openssl: - . Fixed handling null bytes in subjectAltName (CVE-2013-4073). -(Christian Heimes) + . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). + (Stefan Esser). + -11 Jul 2013, PHP 5.3.27 +- PDO + . Fixed bug 65946 (sql_parser permanently converts values bound to strings) + +14 Nov 2013, PHP 5.4.22 + +- Core: + . Fixed bug #65911 (scope resolution operator - strange behavior with $this). +(Bob Weinand) + +- CLI server: + . Fixed bug #65818 (Segfault with built-in webserver and chunked transfer +encoding). (Felipe) + +- Exif: + . Fixed crash on unknown encoding. (Draal) + +- FTP: + . Fixed bug #65667 (ftp_nb_continue produces segfault). (Philip Hofstetter) + +- ODBC: + . Fixed bug #65950 (Field name truncation if the field name is bigger than +32 characters). (patch submitted by: michael dot y at zend dot com, Yasuo) + +- PDO: + . Fixed bug #66033 (Segmentation Fault when constructor of PDO statement +throws an exception). (Laruence) + +- Sockets: + . Fixed bug #65808 (the socket_connect() won't work with IPv6 address). +(Mike) + +- Standard: + . Fixed bug #64760 (var_export() does not use full precision for floating-point +numbers) (Yasuo) + +- XMLReader: + . Fixed bug #51936 (Crash with clone XMLReader). (Mike) + . Fixed bug #64230 (XMLReader does not suppress errors). (Mike) + + +17 Oct 2013, PHP 5.4.21 + +- Core: + . Fixed bug #65322 (compile time errors won't trigger auto loading). (Nikita) + +- CLI server: + . Fixed bug #65633 (built-in server treat some http headers as +case-sensitive). (Adam) + +- Datetime: + . Fixed bug #64157 (DateTime::createFromFormat() reports confusing error +message). (Boro Sitnikovski) + +- DBA extension: + . 
Fixed bug #65708 (dba functions cast $key param to string in-place, +bypassing copy on write). (Adam) + +- Filter: + . Add RFC 6598 IPs to reserved addresses. (Sebastian Nohn) + . Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names). +(Syra) + +- IMAP: + . Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling +imap). (ryotakatsuki at gmail dot com) + +- Standard: + . Fixed bug #61548 (content-type must appear at the end of headers for 201 +Location to work in http). (Mike) + +- Build system: + . Fixed bug #62396