Re: [PHP-CVS] com php-src: Zend: fix overflow handling bug in non-x86 fast_add_function(): Zend/zend_operators.h

2013-12-11 Thread Ard Biesheuvel
On 10 December 2013 12:25, Dmitry Stogov dmi...@zend.com wrote:
 What exactly are you fixing with this patch?
 fast_add_function() is used only by VM and opcode operands can't alias (it's
 guaranteed by compiler).
 It's also used by array_sum(), but it also can't create aliases between
 results and operands.

 What is the reason to slowdown each integer addition?


The patch that was applied to fix
https://bugs.php.net/bug.php?id=65304 calls fast_add_function()
like this:

fast_add_function(return_value, return_value, entry_n TSRMLS_CC);

so it does create aliases. If that is undesirable, perhaps we should
fix array_sum() instead?

However, I think the compiler will be smart enough to factor out the
op1+op2 operation, so I don't expect any significant slowdown.

-- 
Ard.



 Thanks. Dmitry.



 On Tue, Dec 10, 2013 at 3:12 PM, Ard Biesheuvel ardbiesheu...@php.net
 wrote:

 Commit:60d2e70c062e436a6c6cd3c8a17469a083a38b46
 Author:Ard Biesheuvel ard.biesheu...@linaro.org Tue, 10 Dec
 2013 12:07:46 +0100
 Parents:   5a87b7ff39bbf427807c46d1e51e2654259ad394
 Branches:  PHP-5.6 master

 Link:
 http://git.php.net/?p=php-src.git;a=commitdiff;h=60d2e70c062e436a6c6cd3c8a17469a083a38b46

 Log:
 Zend: fix overflow handling bug in non-x86 fast_add_function()

 The 'result' argument of fast_add_function() may alias with either
 of its operands (or both). Take care not to write to 'result' before
 reading op1 and op2.

 Changed paths:
   M  Zend/zend_operators.h


 Diff:
 diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h
 index 0152e03..5c6fc86 100644
 --- a/Zend/zend_operators.h
 +++ b/Zend/zend_operators.h
 @@ -643,13 +643,18 @@ static zend_always_inline int fast_add_function(zval
 *result, zval *op1, zval *o
   n(ZVAL_OFFSETOF_TYPE)
 : rax,cc);
  #else
 -   Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2);
 +   /*
 +* 'result' may alias with op1 or op2, so we need
 to
 +* ensure that 'result' is not updated until after
 we
 +* have read the values of op1 and op2.
 +*/

 if (UNEXPECTED((Z_LVAL_P(op1)  LONG_SIGN_MASK) ==
 (Z_LVAL_P(op2)  LONG_SIGN_MASK)
 -(Z_LVAL_P(op1)  LONG_SIGN_MASK) !=
 (Z_LVAL_P(result)  LONG_SIGN_MASK))) {
 +(Z_LVAL_P(op1)  LONG_SIGN_MASK) !=
 ((Z_LVAL_P(op1) + Z_LVAL_P(op2))  LONG_SIGN_MASK))) {
 Z_DVAL_P(result) = (double) Z_LVAL_P(op1)
 + (double) Z_LVAL_P(op2);
 Z_TYPE_P(result) = IS_DOUBLE;
 } else {
 +   Z_LVAL_P(result) = Z_LVAL_P(op1) +
 Z_LVAL_P(op2);
 Z_TYPE_P(result) = IS_LONG;
 }
  #endif
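Review bot: the else branch now recomputes `Z_LVAL_P(op1) + Z_LVAL_P(op2)` that the new condition already evaluated, and both additions are plain signed arithmetic that is expected to overflow, which C leaves undefined and which an optimizer may exploit to simplify the sign test away. Computing the sum once up front, for example `long sum = (long)((unsigned long)Z_LVAL_P(op1) + (unsigned long)Z_LVAL_P(op2));`, and using `sum` in both the condition and the `Z_LVAL_P(result) = sum;` assignment keeps the read-before-write ordering the commit message asks for, leaves exactly one addition in the `#else` (non-x86) path regardless of what the compiler does, and answers the slowdown concern raised in the thread.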


 --
 PHP CVS Mailing List (http://www.php.net/)
 To unsubscribe, visit: http://www.php.net/unsub.php



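An added example, not code from php-src or from the thread above, showing the aliasing defect that Ard's reply and the commit log describe, using a constructed stand-in zval (`zv`, `SIGN_MASK`, `wrap_add`, `add_buggy`, `add_fixed` and `overflow_promoted` are all this example's own names): invoked the way array_sum() invokes it, with the accumulator as both `result` and `op1`, the buggy write-before-read ordering wraps LONG_MAX + 1 to a negative long instead of promoting to double, while the fixed ordering promotes. The fixed version also substitutes a portable range check for the sign-mask test.

```c
#include <limits.h>

/* Constructed stand-in for a zval: a tagged long/double, not PHP's real zval. */
typedef enum { IS_LONG, IS_DOUBLE } ztype;
typedef struct { ztype type; union { long lval; double dval; } v; } zv;
typedef void (*add_fn)(zv *result, const zv *op1, const zv *op2);

#define SIGN_MASK LONG_MIN  /* only the sign bit set; stands in for LONG_SIGN_MASK */

/* Wrapping add via unsigned arithmetic so the demo itself has no signed-overflow UB. */
static long wrap_add(long a, long b) { return (long)((unsigned long)a + (unsigned long)b); }

/* Buggy pattern from the removed line: result is written before op1/op2 are re-read
 * for the sign test, so when result aliases op1 the test compares the sum with itself. */
static void add_buggy(zv *result, const zv *op1, const zv *op2)
{
    result->v.lval = wrap_add(op1->v.lval, op2->v.lval);
    if ((op1->v.lval & SIGN_MASK) == (op2->v.lval & SIGN_MASK)
        && (op1->v.lval & SIGN_MASK) != (result->v.lval & SIGN_MASK)) {
        result->v.dval = (double)op1->v.lval + (double)op2->v.lval;
        result->type = IS_DOUBLE;
    } else {
        result->type = IS_LONG;
    }
}

/* Fixed pattern: read both operands into locals first. The overflow test is a portable
 * range check substituted for the sign-mask trick, so it is free of signed-overflow UB too. */
static void add_fixed(zv *result, const zv *op1, const zv *op2)
{
    long a = op1->v.lval, b = op2->v.lval;
    if ((b > 0 && a > LONG_MAX - b) || (b < 0 && a < LONG_MIN - b)) {
        result->v.dval = (double)a + (double)b;  /* promote to double, as PHP does */
        result->type = IS_DOUBLE;
    } else {
        result->v.lval = a + b;
        result->type = IS_LONG;
    }
}

/* Calls add(&acc, &acc, &entry), the shape of array_sum's accumulator call, when alias
 * is nonzero, else add(&out, &acc, &entry). Returns 1 if overflow was promoted to double. */
static int overflow_promoted(add_fn add, long acc_val, long entry_val, int alias)
{
    zv acc = { IS_LONG, { acc_val } }, entry = { IS_LONG, { entry_val } };
    zv out = { IS_LONG, { 0 } };
    zv *result = alias ? &acc : &out;
    add(result, &acc, &entry);
    return result->type == IS_DOUBLE;
}
```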



[PHP-CVS] com php-src: Fix CVE-2013-6420 - memory corruption in openssl_x509_parse: NEWS ext/openssl/openssl.c ext/openssl/tests/cve-2013-6420.crt ext/openssl/tests/cve-2013-6420.phpt

2013-12-11 Thread Stanislav Malyshev
Commit:c1224573c773b6845e83505f717fbf820fc18415
Author:Stanislav Malyshev s...@php.net Sun, 8 Dec 2013 11:40:18 
-0800
Parents:   32873cd0ddea7df8062213bb025beb6fb070e59d
Branches:  PHP-5.3 PHP-5.4 PHP-5.5 PHP-5.6 master PHP-5.3.28

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415

Log:
Fix CVE-2013-6420 - memory corruption in openssl_x509_parse

Changed paths:
  M  NEWS
  M  ext/openssl/openssl.c
  A  ext/openssl/tests/cve-2013-6420.crt
  A  ext/openssl/tests/cve-2013-6420.phpt


Diff:
diff --git a/NEWS b/NEWS
index 70461d9..8abf65e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,10 +1,12 @@
 PHPNEWS
 |||
-?? ??? 2013, PHP 5.3.28
+12 Dec 2013, PHP 5.3.28
 
 - Openssl:
   . Fixed handling null bytes in subjectAltName (CVE-2013-4073).
 (Christian Heimes)
+  . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420).
+(Stefan Esser).
 
 11 Jul 2013, PHP 5.3.27
 
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index e7672e4..0d2d644 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr 
TSRMLS_DC) /* {{{ */
char * thestr;
long gmadjust = 0;
 
-   if (timestr-length  13) {
-   php_error_docref(NULL TSRMLS_CC, E_WARNING, extension author 
too lazy to parse %s correctly, timestr-data);
+   if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, illegal ASN1 data 
type for timestamp);
return (time_t)-1;
}
 
-   strbuf = estrdup((char *)timestr-data);
+   if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, illegal length in 
timestamp);
+   return (time_t)-1;
+   }
+
+   if (ASN1_STRING_length(timestr)  13) {
+   php_error_docref(NULL TSRMLS_CC, E_WARNING, unable to parse 
time string %s correctly, timestr-data);
+   return (time_t)-1;
+   }
+
+   strbuf = estrdup((char *)ASN1_STRING_data(timestr));
 
memset(thetime, 0, sizeof(thetime));
 
/* we work backwards so that we can use atoi more easily */
 
-   thestr = strbuf + timestr-length - 3;
+   thestr = strbuf + ASN1_STRING_length(timestr) - 3;
 
thetime.tm_sec = atoi(thestr);
*thestr = '\0';
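Review bot: the length-versus-strlen check is the one that closes the memory corruption and deserves a comment saying so: `estrdup()` copies only up to the first NUL, so a time string with an embedded NUL and a larger ASN1 length would make `thestr = strbuf + ASN1_STRING_length(timestr) - 3` point past the end of the copied buffer before `*thestr = '\0'` writes there; rejecting the mismatch before the copy prevents that. Two smaller points: `ASN1_STRING_data()` returns `unsigned char *`, so the `strlen()` argument wants a `(const char *)` cast to build cleanly, and the new `!= V_ASN1_UTCTIME` test means a GeneralizedTime value (which X.509 uses for dates from 2050 on) now yields a warning and `(time_t)-1`, a behaviour change worth a line in NEWS.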
diff --git a/ext/openssl/tests/cve-2013-6420.crt 
b/ext/openssl/tests/cve-2013-6420.crt
new file mode 100644
index 000..4543314
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.crt
@@ -0,0 +1,29 @@
+-BEGIN CERTIFICATE-
+MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
+VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
+S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
+cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
+ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
+ZDE5NzAwMTAxMDAwMDAwWgAA
+-END CERTIFICATE-
+
+
diff --git a/ext/openssl/tests/cve-2013-6420.phpt 
b/ext/openssl/tests/cve-2013-6420.phpt
new file mode 100644
index 000..b946cf0
--- /dev/null
+++ b/ext/openssl/tests/cve-2013-6420.phpt
@@ -0,0 +1,18 @@
+--TEST--
+CVE-2013-6420
+--SKIPIF--
+?php 
+if (!extension_loaded(openssl)) die(skip); 
+?
+--FILE--
+?php
+$crt = substr(__FILE__, 0, -4).'.crt';
+$info = openssl_x509_parse(file://$crt);
+var_dump($info['issuer']['emailAddress'], $info[validFrom_time_t]);
+?
+Done
+--EXPECTF--
+%s 
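Review bot: the --EXPECTF-- section is cut short here (the hunk header promises 18 lines and 15 are shown), and as shown a bare `%s` would match any output at all; the expected block should pin the exact warning text added in openssl.c and the two values the `var_dump()` call prints, so the test fails on a silent behaviour change and not only on a crash. Also `$info[validFrom_time_t]` needs quotes around the key, as `$info['issuer']['emailAddress']` on the same line has, or it raises an undefined-constant notice that pollutes the expected output.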

[PHP-CVS] com php-src: revamp ext/pdo_mysql: ext/pdo_mysql/mysql_driver.c ext/pdo_mysql/mysql_statement.c

2013-12-11 Thread Anatol Belski
Commit:fa2a2c88fdb6286423bbd1c8cbe59547625dcf90
Author:Anatol Belski a...@php.net Wed, 11 Dec 2013 23:39:43 +0100
Parents:   6d5c56367ddde7d0ef79b402e37ae082fab33a8f
Branches:  str_size_and_int64

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=fa2a2c88fdb6286423bbd1c8cbe59547625dcf90

Log:
revamp ext/pdo_mysql

Changed paths:
  M  ext/pdo_mysql/mysql_driver.c
  M  ext/pdo_mysql/mysql_statement.c


Diff:
diff --git a/ext/pdo_mysql/mysql_driver.c b/ext/pdo_mysql/mysql_driver.c
index f97dbd2..641fb5c 100644
--- a/ext/pdo_mysql/mysql_driver.c
+++ b/ext/pdo_mysql/mysql_driver.c
@@ -168,7 +168,7 @@ static int mysql_handle_preparer(pdo_dbh_t *dbh, const char 
*sql, zend_str_size
char *nsql = NULL;
zend_str_size_int nsql_len = 0;
int ret;
-   int server_version;
+   php_uint_t server_version;

PDO_DBG_ENTER(mysql_handle_preparer);
PDO_DBG_INF_FMT(dbh=%p, dbh);
diff --git a/ext/pdo_mysql/mysql_statement.c b/ext/pdo_mysql/mysql_statement.c
index 5128366..4c4d0fb 100644
--- a/ext/pdo_mysql/mysql_statement.c
+++ b/ext/pdo_mysql/mysql_statement.c
@@ -675,7 +675,7 @@ static int pdo_mysql_stmt_describe(pdo_stmt_t *stmt, int 
colno TSRMLS_DC) /* {{{
PDO_DBG_RETURN(1);
}
for (i = 0; i  stmt-column_count; i++) {
-   int namelen;
+   zend_str_size_int namelen;
 
if (S-H-fetch_table_names) {
namelen = spprintf(cols[i].name, 0, %s.%s, 
S-fields[i].table, S-fields[i].name);
@@ -702,7 +702,7 @@ static int pdo_mysql_stmt_describe(pdo_stmt_t *stmt, int 
colno TSRMLS_DC) /* {{{
 }
 /* }}} */
 
-static int pdo_mysql_stmt_get_col(pdo_stmt_t *stmt, int colno, char **ptr, 
php_uint_t *len, int *caller_frees TSRMLS_DC) /* {{{ */
+static int pdo_mysql_stmt_get_col(pdo_stmt_t *stmt, php_int_t colno, char 
**ptr, php_uint_t *len, int *caller_frees TSRMLS_DC) /* {{{ */
 {
pdo_mysql_stmt *S = (pdo_mysql_stmt*)stmt-driver_data;
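Review bot: `colno` becomes `php_int_t` in pdo_mysql_stmt_get_col() while the pdo_mysql_stmt_describe() context line at `@@ -675` still takes `int colno`; unless the PDO statement method table has been changed to `php_int_t` for get_col only, the two callbacks now disagree on the column index type, and whichever one no longer matches the prototype in the driver's method table will produce an incompatible-pointer warning where that table is initialised. Either both should switch together or the commit message should say why only get_col changes.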





[PHP-CVS] com php-src: Merge branch 'master' into str_size_and_int64: ext/sockets/sockaddr_conv.c

2013-12-11 Thread Anatol Belski
Commit:adb70b9923f2ba5212f5559a283c85b3c09e102a
Author:Anatol Belski a...@php.net Wed, 11 Dec 2013 19:29:21 +0100
Parents:   05fe153f490364f6f0931757d63e292650133580 
98d929290c7c18c8ea5309c6813e326e2f5d47a7
Branches:  str_size_and_int64

Link:   
http://git.php.net/?p=php-src.git;a=commitdiff;h=adb70b9923f2ba5212f5559a283c85b3c09e102a

Log:
Merge branch 'master' into str_size_and_int64

Changed paths:
  MM  ext/sockets/sockaddr_conv.c


Diff:


