From 2fb84e35baafcebb905be25955c3bd3118758f9f Mon Sep 17 00:00:00 2001 From: Mikhail Novosyolov Date: Tue, 16 Jan 2024 14:31:05 +0300 Subject: [PATCH] w/a crash found by fuzzing (RB#14254) https://bugzilla.rosalinux.ru/show_bug.cgi?id=14254 --- ...tice-on-array-access-on-illegal-type.patch | 433 ++++++++++++++++++ php7.spec | 4 +- 2 files changed, 436 insertions(+), 1 deletion(-) create mode 100644 0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch diff --git a/0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch b/0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch new file mode 100644 index 0000000..2bc5a57 --- /dev/null +++ b/0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch 
@@ -0,0 +1,433 @@ +From 37c1f7580dda6d5c6022d97d861b97530cfb8cde Mon Sep 17 00:00:00 2001 +From: Mikhail Novosyolov +Date: Tue, 16 Jan 2024 12:52:30 +0300 +Subject: [PATCH] Revert "Throw notice on array access on illegal type" + +This reverts commit c42b7dd6d32b43304b76452add158a2ef325d494 +https://github.com/php/php-src/commit/c42b7dd6d32b43304 + +That commit causes a crash on the following input: + +$ echo "Uwo8P1RUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRU +VFRUVFQAAAAmIyRiYQoBJMhjW3JbWxAAGiYjJGJhCgEkyGNbcltbEABdXV1dPSR1cltbEAAaw11d +XV09JHWQk3I/Pg==" | base64 -d > input8 +$ php input8 + +php 7.4.x segfaults. The problem is in trying to access is_list. +With this revert, exit code is 0, but php 8.0.0+ more correctly gives an error about invalid input. +--- + UPGRADING | 4 ---- + Zend/tests/024.phpt | 14 ++++-------- + Zend/tests/033.phpt | 30 -------------------------- + Zend/tests/assign_to_var_003.phpt | 3 +-- + Zend/tests/call_user_func_007.phpt | 2 -- + Zend/tests/dereference_002.phpt | 2 -- + Zend/tests/dereference_010.phpt | 3 --- + Zend/tests/dereference_014.phpt | 4 ---- + Zend/tests/isset_003.phpt | 2 -- + Zend/tests/offset_bool.phpt | 19 +--------------- + Zend/tests/offset_long.phpt | 19 +--------------- + Zend/tests/offset_null.phpt | 19 +--------------- + Zend/zend_execute.c | 6 +----- + ext/spl/tests/array_026.phpt | 6 ++---- + ext/spl/tests/bug62978.phpt | 2 -- + ext/standard/tests/array/bug31158.phpt | 2 -- + tests/lang/bug25922.phpt | 1 - + tests/lang/passByReference_003.phpt | 6 ++---- + 18 files changed, 13 insertions(+), 131 deletions(-) + +diff --git a/UPGRADING b/UPGRADING +index 354e4fac02..44546f4572 100644 +--- a/UPGRADING ++++ b/UPGRADING +@@ -22,10 +22,6 @@ PHP 7.4 UPGRADE NOTES + ======================================== + + - Core: +- . Trying to use values of type null, bool, int, float or resource as an +- array (such as $null["key"]) will now generate a notice. 
This does not +- affect array accesses performed by list(). +- RFC: https://wiki.php.net/rfc/notice-for-non-valid-array-container + . get_declared_classes() no longer returns anonymous classes that haven't + been instantiated yet. + . "fn" is now a reserved keyword. In particular, it can no longer be used as a +diff --git a/Zend/tests/024.phpt b/Zend/tests/024.phpt +index 9e647d4231..34dac0f1e3 100644 +--- a/Zend/tests/024.phpt ++++ b/Zend/tests/024.phpt +@@ -16,23 +16,19 @@ var_dump($a->$b->{$c[1]}); + ?> + --EXPECTF-- + Notice: Undefined variable: a in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL + +-Notice: Undefined variable: a in %s on line %d +- +-Notice: Undefined variable: c in %s on line %d ++Notice: Undefined variable: %s in %s on line %d + +-Notice: Trying to access array offset on value of type null in %s on line %d ++Notice: Undefined variable: %s in %s on line %d + NULL + + Notice: Undefined variable: a in %s on line %d + int(1) + +-Notice: Undefined variable: a in %s on line %d ++Notice: Undefined variable: %s in %s on line %d + +-Notice: Undefined variable: b in %s on line %d ++Notice: Undefined variable: %s in %s on line %d + int(0) + + Notice: Undefined variable: a in %s on line %d +@@ -49,8 +45,6 @@ NULL + + Notice: Undefined variable: c in %s on line %d + +-Notice: Trying to access array offset on value of type null in %s on line %d +- + Notice: Trying to get property '1' of non-object in %s on line %d + + Notice: Trying to get property '' of non-object in %s on line %d +diff --git a/Zend/tests/033.phpt b/Zend/tests/033.phpt +index 1e7fca1e0d..a76a322ccf 100644 +--- a/Zend/tests/033.phpt ++++ b/Zend/tests/033.phpt +@@ -19,40 +19,10 @@ $arr[][]->bar = 2; + --EXPECTF-- + Notice: Undefined variable: arr in %s on line %d + +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- 
+-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- + Notice: Undefined variable: arr in %s on line %d + +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- + Notice: Undefined variable: arr in %s on line %d + +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +- + Notice: Trying to get property 'foo' of non-object in %s on line %d + + Warning: Creating default object from empty value in %s on line %d +diff --git a/Zend/tests/assign_to_var_003.phpt b/Zend/tests/assign_to_var_003.phpt +index bbe1b372bb..b915c7231e 100644 +--- a/Zend/tests/assign_to_var_003.phpt ++++ b/Zend/tests/assign_to_var_003.phpt +@@ -12,8 +12,7 @@ var_dump($var1); + + echo "Done\n"; + ?> +---EXPECTF-- +-Notice: Trying to access array offset on value of type float in %s on line %d ++--EXPECT-- + NULL + NULL + Done +diff --git a/Zend/tests/call_user_func_007.phpt b/Zend/tests/call_user_func_007.phpt +index ed44320c3f..f73f14b1ff 100644 +--- a/Zend/tests/call_user_func_007.phpt ++++ b/Zend/tests/call_user_func_007.phpt +@@ -13,8 +13,6 @@ var_dump($a); + --EXPECTF-- + Notice: Undefined offset: 0 in %s on 
line %d + +-Notice: Trying to access array offset on value of type null in %s on line %d +- + Warning: Parameter 1 to foo() expected to be a reference, value given in %s on line %d + array(0) { + } +diff --git a/Zend/tests/dereference_002.phpt b/Zend/tests/dereference_002.phpt +index 7290df7714..d16e1bb483 100644 +--- a/Zend/tests/dereference_002.phpt ++++ b/Zend/tests/dereference_002.phpt +@@ -69,8 +69,6 @@ array(2) { + int(5) + } + int(1) +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL + + Notice: Undefined offset: 4 in %s on line %d +diff --git a/Zend/tests/dereference_010.phpt b/Zend/tests/dereference_010.phpt +index c63f6acaf9..981fe31160 100644 +--- a/Zend/tests/dereference_010.phpt ++++ b/Zend/tests/dereference_010.phpt +@@ -21,10 +21,7 @@ var_dump(b()[1]); + + ?> + --EXPECTF-- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL + + Fatal error: Uncaught Error: Cannot use object of type stdClass as array in %s:%d +diff --git a/Zend/tests/dereference_014.phpt b/Zend/tests/dereference_014.phpt +index 189dca7a38..f8910dd016 100644 +--- a/Zend/tests/dereference_014.phpt ++++ b/Zend/tests/dereference_014.phpt +@@ -27,12 +27,8 @@ var_dump($h); + + ?> + --EXPECTF-- +-Notice: Trying to access array offset on value of type null in %s on line %d +- + Notice: Trying to get property 'a' of non-object in %s on line %d + NULL + +-Notice: Trying to access array offset on value of type null in %s on line %d +- + Notice: Trying to get property 'b' of non-object in %s on line %d + NULL +diff --git a/Zend/tests/isset_003.phpt b/Zend/tests/isset_003.phpt +index 06cbe3d51d..eac72f7e0a 100644 +--- a/Zend/tests/isset_003.phpt ++++ b/Zend/tests/isset_003.phpt +@@ -33,8 +33,6 @@ Notice: Undefined variable: c in %s on line %d + + Notice: Undefined variable: d in %s on line %d + +-Notice: Trying to access array offset on value 
of type null in %s on line %d +- + Notice: Trying to get property '' of non-object in %s on line %d + bool(false) + bool(true) +diff --git a/Zend/tests/offset_bool.phpt b/Zend/tests/offset_bool.phpt +index 8ed9f28e43..a08dd5450c 100644 +--- a/Zend/tests/offset_bool.phpt ++++ b/Zend/tests/offset_bool.phpt +@@ -24,31 +24,14 @@ var_dump($bool[$arr]); + + echo "Done\n"; + ?> +---EXPECTF-- +-Notice: Trying to access array offset on value of type bool in %s on line %d ++--EXPECT-- + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type bool in %s on line %d + NULL + Done +diff --git a/Zend/tests/offset_long.phpt b/Zend/tests/offset_long.phpt +index 4c6b3972d2..98b9b0f08b 100644 +--- a/Zend/tests/offset_long.phpt ++++ b/Zend/tests/offset_long.phpt +@@ -24,31 +24,14 @@ var_dump($long[$arr]); + + echo "Done\n"; + ?> +---EXPECTF-- +-Notice: Trying to access array offset on value of type int in %s on line %d ++--EXPECT-- + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + 
NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type int in %s on line %d + NULL + Done +diff --git a/Zend/tests/offset_null.phpt b/Zend/tests/offset_null.phpt +index ad0b1f3049..c6ad6561db 100644 +--- a/Zend/tests/offset_null.phpt ++++ b/Zend/tests/offset_null.phpt +@@ -24,31 +24,14 @@ var_dump($null[$arr]); + + echo "Done\n"; + ?> +---EXPECTF-- +-Notice: Trying to access array offset on value of type null in %s on line %d ++--EXPECT-- + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL + Done +diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c +index 35cf24e586..7bc2248aa3 100644 +--- a/Zend/zend_execute.c ++++ b/Zend/zend_execute.c +@@ -2479,15 +2479,11 @@ try_string_offset: + } + } else { + if (type != BP_VAR_IS && UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) { +- container = ZVAL_UNDEFINED_OP1(); ++ ZVAL_UNDEFINED_OP1(); + } + if (ZEND_CONST_COND(dim_type == IS_CV, 1) && UNEXPECTED(Z_TYPE_P(dim) == IS_UNDEF)) { + ZVAL_UNDEFINED_OP2(); + } +- if (!is_list && type != BP_VAR_IS) { +- zend_error(E_NOTICE, "Trying to access array offset on value of type %s", +- zend_zval_type_name(container)); +- } + ZVAL_NULL(result); + } 
+ } +diff --git a/ext/spl/tests/array_026.phpt b/ext/spl/tests/array_026.phpt +index 8ff6aafb93..9c79c57b66 100644 +--- a/ext/spl/tests/array_026.phpt ++++ b/ext/spl/tests/array_026.phpt +@@ -8,10 +8,8 @@ $test['d1']['d3'] = 'world'; + var_dump($test, $test3['mmmmm']); + ?> + --EXPECTF-- +-Notice: Undefined variable: test3 in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d +-object(ArrayObject)#1 (1) { ++Notice: Undefined variable: test3 in %s%earray_026.php on line %d ++object(ArrayObject)#%d (1) { + ["storage":"ArrayObject":private]=> + array(1) { + ["d1"]=> +diff --git a/ext/spl/tests/bug62978.phpt b/ext/spl/tests/bug62978.phpt +index 972bd07ce1..5c55507ad9 100644 +--- a/ext/spl/tests/bug62978.phpt ++++ b/ext/spl/tests/bug62978.phpt +@@ -32,8 +32,6 @@ Notice: Undefined index: epic_magic in %sbug62978.php on line %d + NULL + + Notice: Undefined variable: c in %sbug62978.php on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d + NULL + + Notice: Undefined index: epic_magic in %sbug62978.php on line %d +diff --git a/ext/standard/tests/array/bug31158.phpt b/ext/standard/tests/array/bug31158.phpt +index 62ba1cfaa3..d9e65bdde9 100644 +--- a/ext/standard/tests/array/bug31158.phpt ++++ b/ext/standard/tests/array/bug31158.phpt +@@ -15,6 +15,4 @@ echo "ok\n"; + ?> + --EXPECTF-- + Notice: Undefined variable: GLOBALS in %sbug31158.php on line 6 +- +-Notice: Trying to access array offset on value of type null in %sbug31158.php on line 6 + ok +diff --git a/tests/lang/bug25922.phpt b/tests/lang/bug25922.phpt +index 796ef6df82..41fb135e03 100644 +--- a/tests/lang/bug25922.phpt ++++ b/tests/lang/bug25922.phpt +@@ -20,5 +20,4 @@ test(); + ?> + --EXPECT-- + Undefined variable: data +-Trying to access array offset on value of type null + Undefined index here: '' +diff --git a/tests/lang/passByReference_003.phpt b/tests/lang/passByReference_003.phpt +index ad9e1e39de..be002031d7 100644 +--- 
a/tests/lang/passByReference_003.phpt ++++ b/tests/lang/passByReference_003.phpt +@@ -25,16 +25,14 @@ var_dump($undef2) + --EXPECTF-- + Passing undefined by value + +-Notice: Undefined variable: undef1 in %s on line %d +- +-Notice: Trying to access array offset on value of type null in %s on line %d ++Notice: Undefined variable: undef1 in %s on line 13 + + Inside passbyVal call: + NULL + + After call + +-Notice: Undefined variable: undef1 in %s on line %d ++Notice: Undefined variable: undef1 in %s on line 15 + NULL + + Passing undefined by reference +-- +2.40.1 + diff --git a/php7.spec b/php7.spec index 2dc6498..d263fc4 100644 --- a/php7.spec +++ b/php7.spec @@ -27,7 +27,7 @@ Summary: The PHP7 scripting language Name: php Version: 7.4.33 -Release: 4 +Release: 5 Source0: http://ch1.php.net/distributions/php-%{version}.tar.gz Source1: macros.php Group: Development/PHP @@ -83,6 +83,7 @@ Patch121: php-bug43221.diff Patch122: php-not-use-libgd-const.patch # Sauce fixes Patch127: php-7.4.30-svace-fixes.patch +Patch128: 0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch Patch200: fix-include-e2k.patch BuildRequires: autoconf @@ -1276,6 +1277,7 @@ fi %patch122 -p1 %patch127 -p1 +%patch128 -p1 %ifarch %{e2k} %patch200 -p1
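Review bot: The zend_execute.c hunk inside the added patch deletes the whole `if (!is_list && type != BP_VAR_IS)` notice block, although the patch header attributes the segfault specifically to the `is_list` access; the result is that the notice documented in UPGRADING for array access on null/bool/int/float/resource disappears for every 7.4 user as a side effect of a workaround. If a narrower fix is not feasible for this backport, the patch should at least carry a regression `.phpt` under Zend/tests that runs the reproducer already quoted in the patch header as a file fixture and expects a clean exit, so the revert can later be replaced without re-introducing the crash. The same hunk also turns `container = ZVAL_UNDEFINED_OP1();` into a bare `ZVAL_UNDEFINED_OP1();`, leaving `container` pointing at the undefined zval; presumably this is safe only because the notice that read it is gone, which is worth a sentence in the patch header for whoever touches that branch next. The enclosing C function in zend_execute.c starts and ends outside the hunk.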
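Review bot: `Patch128` is declared directly under the `# Sauce fixes` comment, which it is not part of, and the spec records nowhere why an upstream feature commit is being reverted; a comment above the declaration, `# Work around crash found by fuzzing (RB#14254): reverts upstream c42b7dd6 (array-access notice)`, keeps the rationale next to the patch so it can be dropped once a proper fix is available. The `%patch128 -p1` line in the `@@ -1276,6 +1277,7 @@` hunk matches the declaration and is applied before the `%ifarch %{e2k}` block, which looks consistent with the existing ordering.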