Djam/php7
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/php7.git synced 2025-02-23 23:02:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge svace patch from 2021.1

Browse source
This commit is contained in:
survolog (Andrey Grigorev) 2023-10-05 21:33:18 +03:00
commit 16923d7872
2 changed files with 334 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

330
php-7.4.30-svace.patch Normal file
View file

@ -0,0 +1,330 @@
Return value of a function 'xmlNodeGetContent' is
dereferenced at entity.c:109 without checking for NULL,
but it is usually checked for this function (12/13).
diff -ur php-7.4.30/ext/dom/entity.c php-7.4.30_patched/ext/dom/entity.c
--- php-7.4.30/ext/dom/entity.c 2022-06-07 11:38:23.000000000 +0300
+++ php-7.4.30_patched/ext/dom/entity.c 2023-10-05 16:03:18.936740216 +0300
@@ -106,8 +106,14 @@
ZVAL_NULL(retval);
} else {
content = (char *) xmlNodeGetContent((xmlNodePtr) nodep);
- ZVAL_STRING(retval, content);
- xmlFree(content);
+ if (!content) {
+ return FAILURE;
+ }
+ if (content != NULL && content[0] != '\0') {
+ ZVAL_STRING(retval, content);
+ xmlFree(content);
+ content = NULL;
+ }
}
return SUCCESS;
After having been compared to a NULL value at
phar.c:2520, pointer 'error' is dereferenced at phar.c:2745.
diff -ur php-7.4.30/ext/phar/phar.c php-7.4.30_patched/ext/phar/phar.c
--- php-7.4.30/ext/phar/phar.c 2022-06-07 11:38:23.000000000 +0300
+++ php-7.4.30_patched/ext/phar/phar.c 2023-10-05 15:24:55.453002457 +0300
@@ -2742,9 +2742,11 @@
newentry = phar_open_jit(phar, entry, error);
if (!newentry) {
/* major problem re-opening, so we ignore this file and the error */
- efree(*error);
- *error = NULL;
- continue;
+ if (error) {
+ efree(*error);
+ *error = NULL;
+ continue;
+ }
}
entry = newentry;
}
Pointer 'temp', that can have only NULL value (checked at
phar_object.c:3488), is dereferenced at phar_object.c:3488.
https://github.com/php/php-src/commit/7b2c3c11b2c9121421a81e416e893ce6114369d1
diff -ur php-7.4.30/ext/phar/phar_object.c php-7.4.30_patched/ext/phar/phar_object.c
--- php-7.4.30/ext/phar/phar_object.c 2022-06-07 11:38:23.000000000 +0300
+++ php-7.4.30_patched/ext/phar/phar_object.c 2023-10-05 20:30:46.577499264 +0300
@@ -2654,16 +2654,14 @@
zend_throw_exception_ex(phar_ce_PharException, 0, "phar \"%s\" is persistent, unable to copy on write", phar_obj->archive->fname);
return;
}
- if (zend_hash_str_exists(&phar_obj->archive->manifest, fname, (uint32_t) fname_len)) {
- if (NULL != (entry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, fname, (uint32_t) fname_len))) {
- if (entry->is_deleted) {
- /* entry is deleted, but has not been flushed to disk yet */
- RETURN_TRUE;
- } else {
- entry->is_deleted = 1;
- entry->is_modified = 1;
- phar_obj->archive->is_modified = 1;
- }
+ if (NULL != (entry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, fname, (uint32_t) fname_len))) {
+ if (entry->is_deleted) {
+ /* entry is deleted, but has not been flushed to disk yet */
+ RETURN_TRUE;
+ } else {
+ entry->is_deleted = 1;
+ entry->is_modified = 1;
+ phar_obj->archive->is_modified = 1;
}
} else {
zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "Entry %s does not exist and cannot be deleted", fname);
@@ -3478,18 +3476,16 @@
RETURN_FALSE;
}
- if (!zend_hash_str_exists(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len) || NULL == (oldentry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len)) || oldentry->is_deleted) {
+ if (NULL == (oldentry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len)) || oldentry->is_deleted) {
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
"file \"%s\" cannot be copied to file \"%s\", file does not exist in %s", oldfile, newfile, phar_obj->archive->fname);
RETURN_FALSE;
}
- if (zend_hash_str_exists(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) {
- if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) || !temp->is_deleted) {
- zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
- "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname);
- RETURN_FALSE;
- }
+ if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) && !temp->is_deleted) {
+ zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
+ "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname);
+ RETURN_FALSE;
}
tmp_len = newfile_len;
After having been compared to a NULL value at tar.c:888,
pointer 'buf->s' is dereferenced at tar.c:902.
diff -ur php-7.4.30/ext/phar/tar.c php-7.4.30_patched/ext/phar/tar.c
--- php-7.4.30/ext/phar/tar.c 2022-06-07 11:38:23.000000000 +0300
+++ php-7.4.30_patched/ext/phar/tar.c 2023-10-05 15:21:28.122687349 +0300
@@ -899,7 +899,7 @@
spprintf(error, 0, "phar error: unable to create temporary file");
return -1;
}
- if (ZSTR_LEN(entry->metadata_str.s) != php_stream_write(entry->fp, ZSTR_VAL(entry->metadata_str.s), ZSTR_LEN(entry->metadata_str.s))) {
+ if (entry->metadata_str.s && ZSTR_LEN(entry->metadata_str.s) != php_stream_write(entry->fp, ZSTR_VAL(entry->metadata_str.s), ZSTR_LEN(entry->metadata_str.s))) {
spprintf(error, 0, "phar tar error: unable to write metadata to magic metadata file \"%s\"", entry->filename);
zend_hash_str_del(&(entry->phar->manifest), entry->filename, entry->filename_len);
return ZEND_HASH_APPLY_STOP;
After having been compared to a NULL value at
sqlite3.c:877, pointer 'agg_context' is dereferenced at
sqlite3.c:880.
diff -ur php-7.4.30/ext/sqlite3/sqlite3.c php-7.4.30_patched/ext/sqlite3/sqlite3.c
--- php-7.4.30/ext/sqlite3/sqlite3.c 2022-06-07 11:38:19.000000000 +0300
+++ php-7.4.30_patched/ext/sqlite3/sqlite3.c 2023-10-05 15:17:22.836229909 +0300
@@ -877,8 +877,10 @@
if (agg_context && !Z_ISUNDEF(agg_context->zval_context)) {
zval_ptr_dtor(&agg_context->zval_context);
}
- ZVAL_COPY_VALUE(&agg_context->zval_context, &retval);
- ZVAL_UNDEF(&retval);
+ if (agg_context) {
+ ZVAL_COPY_VALUE(&agg_context->zval_context, &retval);
+ ZVAL_UNDEF(&retval);
+ }
}
if (!Z_ISUNDEF(retval)) {
After having been compared to a NULL value at
filters.c:809, pointer 'inst->lbchars' is dereferenced at
filters.c:841.
diff -ur php-7.4.30/ext/standard/filters.c php-7.4.30_patched/ext/standard/filters.c
--- php-7.4.30/ext/standard/filters.c 2022-06-07 11:38:25.000000000 +0300
+++ php-7.4.30_patched/ext/standard/filters.c 2023-10-05 15:20:01.716639804 +0300
@@ -766,7 +766,7 @@
}
#define NEXT_CHAR(ps, icnt, lb_ptr, lb_cnt, lbchars) \
- ((lb_ptr) < (lb_cnt) ? (lbchars)[(lb_ptr)] : *(ps))
+ (((lb_ptr) < (lb_cnt)) && (lbchars) ? (lbchars)[(lb_ptr)] : *(ps))
#define CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt) \
if ((lb_ptr) < (lb_cnt)) { \
Return value of a function 'zend_hash_index_find' is
dereferenced at var.c:1073 without checking for NULL, but
it is usually checked for this function (64/66).
diff -ur php-7.4.30/ext/standard/var.c php-7.4.30_patched/ext/standard/var.c
--- php-7.4.30/ext/standard/var.c 2022-06-07 11:38:28.000000000 +0300
+++ php-7.4.30_patched/ext/standard/var.c 2023-10-05 16:15:32.104092921 +0300
@@ -1070,8 +1070,10 @@
/* Mark this value in the var_hash, to avoid creating references to it. */
zval *var_idx = zend_hash_index_find(&var_hash->ht,
(zend_ulong) (zend_uintptr_t) Z_COUNTED_P(struc));
- ZVAL_LONG(var_idx, -1);
- smart_str_appendl(buf, "N;", 2);
+ if (var_idx) {
+ ZVAL_LONG(var_idx, -1);
+ smart_str_appendl(buf, "N;", 2);
+ }
}
if (serialized_data) {
efree(serialized_data);
Missing break at the end of case at line 884
diff -ur php-7.4.30/main/streams/plain_wrapper.c php-7.4.30_patched/main/streams/plain_wrapper.c
--- php-7.4.30/main/streams/plain_wrapper.c 2022-06-07 11:38:19.000000000 +0300
+++ php-7.4.30_patched/main/streams/plain_wrapper.c 2023-10-05 16:18:15.475383413 +0300
@@ -925,6 +925,7 @@
#endif
}
}
+ return PHP_STREAM_OPTION_RETURN_NOTIMPL;
#ifdef PHP_WIN32
case PHP_STREAM_OPTION_PIPE_BLOCKING:
Pointer '&(*path)[strlen(...)]' is dereferenced at fpm_
conf.c:724 by calling function 'strdup' after the referenced
memory was deallocated at fpm_conf.c:723 by calling
function 'free'.
diff -ur php-7.4.30/sapi/fpm/fpm/fpm_conf.c php-7.4.30_patched/sapi/fpm/fpm/fpm_conf.c
--- php-7.4.30/sapi/fpm/fpm/fpm_conf.c 2022-06-07 11:38:19.000000000 +0300
+++ php-7.4.30_patched/sapi/fpm/fpm/fpm_conf.c 2023-10-05 15:12:07.548354240 +0300
@@ -720,8 +720,8 @@
}
if (strlen(*path) > strlen("$prefix")) {
- free(*path);
tmp = strdup((*path) + strlen("$prefix"));
+ free(*path);
*path = tmp;
} else {
free(*path);
Uninitialized data is read from local variable 'append' at
zlog.c:403.
Pointer 'stream->msg_suffix' is passed to a function at
zlog.c:647 after the referenced memory was deallocated at
zlog.c:642 by calling function 'free'.
diff -ur php-7.4.30/sapi/fpm/fpm/zlog.c php-7.4.30_patched/sapi/fpm/fpm/zlog.c
--- php-7.4.30/sapi/fpm/fpm/zlog.c 2022-06-07 11:38:19.000000000 +0300
+++ php-7.4.30_patched/sapi/fpm/fpm/zlog.c 2023-10-05 16:25:22.197680894 +0300
@@ -348,7 +348,7 @@
static inline ssize_t zlog_stream_unbuffered_write(
struct zlog_stream *stream, const char *buf, size_t len) /* {{{ */
{
- const char *append;
+ const char *append = NULL;
size_t append_len = 0, required_len, reserved_len;
ssize_t written;
@@ -637,10 +637,10 @@
if (suffix != NULL) {
stream->msg_suffix_len = strlen(suffix);
len = stream->msg_suffix_len + 1;
- stream->msg_suffix = malloc(len);
if (stream->msg_suffix != NULL) {
free(stream->msg_suffix);
}
+ stream->msg_suffix = malloc(len);
if (stream->msg_suffix == NULL) {
return ZLOG_FALSE;
}
@@ -650,10 +650,10 @@
if (final_suffix != NULL) {
stream->msg_final_suffix_len = strlen(final_suffix);
len = stream->msg_final_suffix_len + 1;
- stream->msg_final_suffix = malloc(len);
if (stream->msg_final_suffix != NULL) {
- free(stream->msg_suffix);
+ free(stream->msg_final_suffix);
}
+ stream->msg_final_suffix = malloc(len);
if (stream->msg_final_suffix == NULL) {
return ZLOG_FALSE;
}
Return value of a function 'zend_hash_find_ptr' is
dereferenced at phpdbg_prompt.c:554 without checking for
NULL, but it is usually checked for this function (127/128).
Pointer 'module_entry', that can have only NULL value
(checked at phpdbg_prompt.c:1351), is dereferenced at
phpdbg_prompt.c:1352.
diff -ur php-7.4.30/sapi/phpdbg/phpdbg_prompt.c php-7.4.30_patched/sapi/phpdbg/phpdbg_prompt.c
--- php-7.4.30/sapi/phpdbg/phpdbg_prompt.c 2022-06-07 11:38:19.000000000 +0300
+++ php-7.4.30_patched/sapi/phpdbg/phpdbg_prompt.c 2023-10-05 16:14:28.246542871 +0300
@@ -544,6 +544,9 @@
/* remove trailing data after zero byte, used for avoiding conflicts in eval()'ed code snippets */
zend_string *source_path = strpprintf(0, "Standard input code%c%p", 0, PHPDBG_G(ops)->opcodes);
phpdbg_file_source *data = zend_hash_find_ptr(&PHPDBG_G(file_sources), source_path);
+ if (!data) {
+ return FAILURE;
+ }
dtor_func_t dtor = PHPDBG_G(file_sources).pDestructor;
PHPDBG_G(file_sources).pDestructor = NULL;
zend_hash_del(&PHPDBG_G(file_sources), source_path);
@@ -1349,7 +1352,7 @@
module_entry->handle = handle;
if ((module_entry = zend_register_module_ex(module_entry)) == NULL) {
- phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", module_entry->name);
+ phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", "Unkonown module");
goto quit;
}
After having been compared to a NULL value at zend_
builtin_functions.c:1638, pointer 'error_handler_name' is
passed as 1st parameter in call to function 'zend_string_
release_ex' at zend_builtin_functions.c:1639, where it is
dereferenced at zend_string.h:291.
diff -ur php-7.4.30/Zend/zend_builtin_functions.c php-7.4.30_patched/Zend/zend_builtin_functions.c
--- php-7.4.30/Zend/zend_builtin_functions.c 2022-06-07 11:38:30.000000000 +0300
+++ php-7.4.30_patched/Zend/zend_builtin_functions.c 2023-10-05 15:44:19.299611397 +0300
@@ -1636,7 +1636,9 @@
zend_string *error_handler_name = zend_get_callable_name(error_handler);
zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback",
get_active_function_name(), error_handler_name?ZSTR_VAL(error_handler_name):"unknown");
- zend_string_release_ex(error_handler_name, 0);
+ if (error_handler_name != NULL) {
+ zend_string_release_ex(error_handler_name, 0);
+ }
return;
}
}
@@ -1703,7 +1705,10 @@
zend_string *exception_handler_name = zend_get_callable_name(exception_handler);
zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback",
get_active_function_name(), exception_handler_name?ZSTR_VAL(exception_handler_name):"unknown");
- zend_string_release_ex(exception_handler_name, 0);
+ if (exception_handler_name != NULL) {
+ zend_string_release_ex(exception_handler_name, 0);
+ exception_handler_name = NULL;
+ }
return;
}
}
After having been compared to a NULL value at zend_
exceptions.c:1040, pointer 'file' is passed as 1st parameter
in call to function 'zend_string_release_ex' at zend_
exceptions.c:1044, where it is dereferenced at zend_
string.h:291.
diff -ur php-7.4.30/Zend/zend_exceptions.c php-7.4.30_patched/Zend/zend_exceptions.c
--- php-7.4.30/Zend/zend_exceptions.c 2022-06-07 11:38:30.000000000 +0300
+++ php-7.4.30_patched/Zend/zend_exceptions.c 2023-10-05 15:40:16.354123300 +0300
@@ -1041,7 +1041,9 @@
"Uncaught %s\n thrown", ZSTR_VAL(str));
zend_string_release_ex(str, 0);
- zend_string_release_ex(file, 0);
+ if (file != NULL) {
+ zend_string_release_ex(file, 0);
+ }
} else {
zend_error(severity, "Uncaught exception '%s'", ZSTR_VAL(ce_exception->name));
}
Return value of a function 'zend_ini_string' is dereferenced
at zend_multibyte.c:118 without checking for NULL, but it
is usually checked for this function (6/7).
diff -ur php-7.4.30/Zend/zend_multibyte.c php-7.4.30_patched/Zend/zend_multibyte.c
--- php-7.4.30/Zend/zend_multibyte.c 2022-06-07 11:38:30.000000000 +0300
+++ php-7.4.30_patched/Zend/zend_multibyte.c 2023-10-05 16:07:52.618526000 +0300
@@ -115,6 +115,9 @@
*/
{
const char *value = zend_ini_string("zend.script_encoding", sizeof("zend.script_encoding") - 1, 0);
+ if (!value) {
+ return FAILURE;
+ }
zend_multibyte_set_script_encoding_by_string(value, strlen(value));
}
return SUCCESS;

5
php7.spec
View file

@ -27,7 +27,7 @@
Summary: The PHP7 scripting language Summary: The PHP7 scripting language
Name: php Name: php
Version: 7.4.30 Version: 7.4.30
Release: 3 Release: 4
Source0: http://ch1.php.net/distributions/php-%{version}.tar.gz Source0: http://ch1.php.net/distributions/php-%{version}.tar.gz
Source1: macros.php Source1: macros.php
Group: Development/PHP Group: Development/PHP
@ -88,6 +88,8 @@ Patch124: 0060-Fix-regression-introduced-by-fixing-bug-81726.patch
Patch125: 0061-Fix-81727-Don-t-mangle-HTTP-variable-names-that-clas.patch Patch125: 0061-Fix-81727-Don-t-mangle-HTTP-variable-names-that-clas.patch
# CVE-2022-37454 # CVE-2022-37454
Patch126: 0062-Fix-bug-81738-buffer-overflow-in-hash_update-on-long.patch Patch126: 0062-Fix-bug-81738-buffer-overflow-in-hash_update-on-long.patch
# Svace 11.05.23
Patch127: php-7.4.30-svace.patch
Patch200: fix-include-e2k.patch Patch200: fix-include-e2k.patch
BuildRequires: autoconf BuildRequires: autoconf
@ -1284,6 +1286,7 @@ fi
%patch124 -p1 %patch124 -p1
%patch125 -p1 %patch125 -p1
%patch126 -p1 %patch126 -p1
%patch127 -p1
%ifarch %{e2k} %ifarch %{e2k}
%patch200 -p1 %patch200 -p1
%endif %endif