Re: [PHP-CVS] com php-src: Zend: fix overflow handling bug in non-x86 fast_add_function(): Zend/zend_operators.h
On 10 December 2013 12:25, Dmitry Stogov dmi...@zend.com wrote:

What exactly are you fixing with this patch? fast_add_function() is used only by VM and opcode operands can't alias (it's guaranteed by compiler). It's also used by array_sum(), but it also can't create aliases between results and operands. What is the reason to slowdown each integer addition?

The patch that was applied to fix https://bugs.php.net/bug.php?id=65304 calls fast_add_function() like this:

fast_add_function(return_value, return_value, entry_n TSRMLS_CC);

so it does create aliases. If that is undesirable, perhaps we should fix array_sum() instead? However, I think the compiler will be smart enough to factor out the op1+op2 operation, so I don't expect any significant slowdown.

-- 
Ard.

Thanks. Dmitry.

On Tue, Dec 10, 2013 at 3:12 PM, Ard Biesheuvel ardbiesheu...@php.net wrote:

Commit: 60d2e70c062e436a6c6cd3c8a17469a083a38b46
Author: Ard Biesheuvel ard.biesheu...@linaro.org Tue, 10 Dec 2013 12:07:46 +0100
Parents: 5a87b7ff39bbf427807c46d1e51e2654259ad394
Branches: PHP-5.6 master
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=60d2e70c062e436a6c6cd3c8a17469a083a38b46

Log:
Zend: fix overflow handling bug in non-x86 fast_add_function()

The 'result' argument of fast_add_function() may alias with either of its operands (or both). Take care not to write to 'result' before reading op1 and op2.

Changed paths:
M Zend/zend_operators.h

Diff:
diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h index 0152e03..5c6fc86 100644 --- a/Zend/zend_operators.h +++ b/Zend/zend_operators.h
@@ -643,13 +643,18 @@ static zend_always_inline int fast_add_function(zval *result, zval *op1, zval *o n(ZVAL_OFFSETOF_TYPE) : rax,cc); #else - Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); + /* +* 'result' may alias with op1 or op2, so we need to +* ensure that 'result' is not updated until after we +* have read the values of op1 and op2. +*/ if (UNEXPECTED((Z_LVAL_P(op1) LONG_SIGN_MASK) == (Z_LVAL_P(op2) LONG_SIGN_MASK) -(Z_LVAL_P(op1) LONG_SIGN_MASK) != (Z_LVAL_P(result) LONG_SIGN_MASK))) { +(Z_LVAL_P(op1) LONG_SIGN_MASK) != ((Z_LVAL_P(op1) + Z_LVAL_P(op2)) LONG_SIGN_MASK))) { Z_DVAL_P(result) = (double) Z_LVAL_P(op1) + (double) Z_LVAL_P(op2); Z_TYPE_P(result) = IS_DOUBLE; } else { + Z_LVAL_P(result) = Z_LVAL_P(op1) + Z_LVAL_P(op2); Z_TYPE_P(result) = IS_LONG; } #endif -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php -- PHP CVS Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
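Review bot: the corrected overflow test now evaluates `Z_LVAL_P(op1) + Z_LVAL_P(op2)` inside the condition and again in the else branch; computing it once into a local before the `if` (e.g. `long sum = Z_LVAL_P(op1) + Z_LVAL_P(op2);`, then testing `sum` and assigning `Z_LVAL_P(result) = sum;`) removes the aliasing hazard this commit addresses without relying on the compiler to merge the two additions, which is the slowdown concern raised in the thread. Note also that this is a signed `long` addition, so the wrapped result the sign-bit comparison is meant to detect is undefined behaviour in C and an optimizing compiler is free to drop the test; performing the addition on `(unsigned long)` casts (or with a compiler overflow builtin where available) keeps the check meaningful. That weakness predates this patch, since the removed line did the same signed addition.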
[PHP-CVS] com php-src: Fix CVE-2013-6420 - memory corruption in openssl_x509_parse: NEWS ext/openssl/openssl.c ext/openssl/tests/cve-2013-6420.crt ext/openssl/tests/cve-2013-6420.phpt
Commit: c1224573c773b6845e83505f717fbf820fc18415
Author: Stanislav Malyshev s...@php.net Sun, 8 Dec 2013 11:40:18 -0800
Parents: 32873cd0ddea7df8062213bb025beb6fb070e59d
Branches: PHP-5.3 PHP-5.4 PHP-5.5 PHP-5.6 master PHP-5.3.28
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=c1224573c773b6845e83505f717fbf820fc18415

Log:
Fix CVE-2013-6420 - memory corruption in openssl_x509_parse

Changed paths:
M NEWS
M ext/openssl/openssl.c
A ext/openssl/tests/cve-2013-6420.crt
A ext/openssl/tests/cve-2013-6420.phpt

Diff:
diff --git a/NEWS b/NEWS index 70461d9..8abf65e 100644 --- a/NEWS +++ b/NEWS @@ -1,10 +1,12 @@ PHPNEWS ||| -?? ??? 2013, PHP 5.3.28 +12 Dec 2013, PHP 5.3.28 - Openssl: . Fixed handling null bytes in subjectAltName (CVE-2013-4073). (Christian Heimes) + . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420). +(Stefan Esser). 11 Jul 2013, PHP 5.3.27 diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c index e7672e4..0d2d644 100644 --- a/ext/openssl/openssl.c +++ b/ext/openssl/openssl.c
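Review bot: style point in the NEWS hunk: the new entry ends with a period after the credit, `(Stefan Esser).`, while the entry directly above it has none, `(Christian Heimes)`; drop the trailing period so the two entries in the Openssl section follow the same format.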
@@ -644,18 +644,28 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */ char * thestr; long gmadjust = 0; - if (timestr-length 13) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, extension author too lazy to parse %s correctly, timestr-data); + if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, illegal ASN1 data type for timestamp); return (time_t)-1; } - strbuf = estrdup((char *)timestr-data); + if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, illegal length in timestamp); + return (time_t)-1; + } + + if (ASN1_STRING_length(timestr) 13) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, unable to parse time string %s correctly, timestr-data); + return (time_t)-1; + } + + strbuf = estrdup((char *)ASN1_STRING_data(timestr)); memset(thetime, 0, sizeof(thetime)); /* we work backwards so that we can use atoi more easily */ - thestr = strbuf + timestr-length - 3; + thestr = strbuf + ASN1_STRING_length(timestr) - 3; thetime.tm_sec = atoi(thestr); *thestr = '\0'; diff --git a/ext/openssl/tests/cve-2013-6420.crt b/ext/openssl/tests/cve-2013-6420.crt new file mode 100644 index 000..4543314 --- /dev/null +++ b/ext/openssl/tests/cve-2013-6420.crt 
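Review bot: the new `ASN1_STRING_type(timestr) != V_ASN1_UTCTIME` check rejects GeneralizedTime, which RFC 5280 requires for validity dates in 2050 or later, so certificates carrying such dates will now hit the "illegal ASN1 data type for timestamp" warning and get -1 instead of a parsed time. If that restriction is intended it should be stated in the commit message or NEWS entry; otherwise the function needs a V_ASN1_GENERALIZEDTIME branch (15-character string with a four-digit year). The length-versus-strlen comparison is the right fix for the embedded-NUL case, and because it runs before the `%s` warning further down, printing `timestr->data` there is safe.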
@@ -0,0 +1,29 @@ +-BEGIN CERTIFICATE- +MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD +VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH +S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91 +cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k +ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY +ZDE5NzAwMTAxMDAwMDAwWgAA + +AAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO +b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT +ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G +A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz +dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB +DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu +wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh +0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8 +pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6 +SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX +1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw +EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF +BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD +8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl +VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7 +lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319 +o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg +Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg== +-END CERTIFICATE- + + diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt new file mode 100644 index 000..b946cf0 --- /dev/null +++ b/ext/openssl/tests/cve-2013-6420.phpt 
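Review bot: the fixture hunk adds two empty lines after `-END CERTIFICATE-`; PEM readers ignore them, but trim them so the .crt contains only the certificate.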
@@ -0,0 +1,18 @@ +--TEST-- +CVE-2013-6420 +--SKIPIF-- +?php +if (!extension_loaded(openssl)) die(skip); +? +--FILE-- +?php +$crt = substr(__FILE__, 0, -4).'.crt'; +$info = openssl_x509_parse(file://$crt); +var_dump($info['issuer']['emailAddress'], $info[validFrom_time_t]); +? +Done +--EXPECTF-- +%s
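Review bot: as shown, the `--EXPECTF--` section is only `%s`, so the test verifies just that `openssl_x509_parse()` returns without crashing and prints something; it would pass equally if a crafted timestamp were silently accepted. Assert the concrete values of the two dumped fields (the issuer emailAddress string, and the `validFrom_time_t` value, which will be -1 if the fixed `asn1_time_to_time_t()` rejects the timestamp in this fixture), and state in `--TEST--` which field of cve-2013-6420.crt is malformed so the purpose of the fixture is clear to future readers.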
[PHP-CVS] com php-src: revamp ext/pdo_mysql: ext/pdo_mysql/mysql_driver.c ext/pdo_mysql/mysql_statement.c
Commit: fa2a2c88fdb6286423bbd1c8cbe59547625dcf90
Author: Anatol Belski a...@php.net Wed, 11 Dec 2013 23:39:43 +0100
Parents: 6d5c56367ddde7d0ef79b402e37ae082fab33a8f
Branches: str_size_and_int64
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=fa2a2c88fdb6286423bbd1c8cbe59547625dcf90

Log:
revamp ext/pdo_mysql

Changed paths:
M ext/pdo_mysql/mysql_driver.c
M ext/pdo_mysql/mysql_statement.c

Diff:
diff --git a/ext/pdo_mysql/mysql_driver.c b/ext/pdo_mysql/mysql_driver.c index f97dbd2..641fb5c 100644 --- a/ext/pdo_mysql/mysql_driver.c +++ b/ext/pdo_mysql/mysql_driver.c @@ -168,7 +168,7 @@ static int mysql_handle_preparer(pdo_dbh_t *dbh, const char *sql, zend_str_size char *nsql = NULL; zend_str_size_int nsql_len = 0; int ret; - int server_version; + php_uint_t server_version; PDO_DBG_ENTER(mysql_handle_preparer); PDO_DBG_INF_FMT(dbh=%p, dbh); diff --git a/ext/pdo_mysql/mysql_statement.c b/ext/pdo_mysql/mysql_statement.c index 5128366..4c4d0fb 100644 --- a/ext/pdo_mysql/mysql_statement.c +++ b/ext/pdo_mysql/mysql_statement.c @@ -675,7 +675,7 @@ static int pdo_mysql_stmt_describe(pdo_stmt_t *stmt, int colno TSRMLS_DC) /* {{{ PDO_DBG_RETURN(1); } for (i = 0; i stmt-column_count; i++) { - int namelen; + zend_str_size_int namelen; if (S-H-fetch_table_names) { namelen = spprintf(cols[i].name, 0, %s.%s, S-fields[i].table, S-fields[i].name); @@ -702,7 +702,7 @@ static int pdo_mysql_stmt_describe(pdo_stmt_t *stmt, int colno TSRMLS_DC) /* {{{ } /* }}} */ -static int pdo_mysql_stmt_get_col(pdo_stmt_t *stmt, int colno, char **ptr, php_uint_t *len, int *caller_frees TSRMLS_DC) /* {{{ */ +static int pdo_mysql_stmt_get_col(pdo_stmt_t *stmt, php_int_t colno, char **ptr, php_uint_t *len, int *caller_frees TSRMLS_DC) /* {{{ */ { pdo_mysql_stmt *S = (pdo_mysql_stmt*)stmt-driver_data;
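Review bot: changing `colno` from `int` to `php_int_t` in `pdo_mysql_stmt_get_col` is only correct if the `get_col` member of `pdo_stmt_methods` in ext/pdo/php_pdo_driver.h already has the same signature on this branch; otherwise the driver's method-table initialization produces an incompatible-pointer-type warning and, on platforms where `php_int_t` is wider than `int`, a silent calling-convention mismatch. In the mysql_statement.c hunk that turns `namelen` into `zend_str_size_int`, the new type should likewise match what `spprintf()` returns on this branch so the assignment does not reintroduce a narrowing conversion. The commit message, currently just "revamp ext/pdo_mysql", should say which PDO-level prototypes these driver changes are tracking.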
[PHP-CVS] com php-src: Merge branch 'master' into str_size_and_int64: ext/sockets/sockaddr_conv.c
Commit: adb70b9923f2ba5212f5559a283c85b3c09e102a
Author: Anatol Belski a...@php.net Wed, 11 Dec 2013 19:29:21 +0100
Parents: 05fe153f490364f6f0931757d63e292650133580 98d929290c7c18c8ea5309c6813e326e2f5d47a7
Branches: str_size_and_int64
Link: http://git.php.net/?p=php-src.git;a=commitdiff;h=adb70b9923f2ba5212f5559a283c85b3c09e102a

Log:
Merge branch 'master' into str_size_and_int64

Changed paths:
MM ext/sockets/sockaddr_conv.c

Diff: