Djam/php7
1
0
Fork 0
mirror of https://abf.rosa.ru/djam/php7.git synced 2025-02-23 14:52:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

w/a crash found by fuzzing (RB#14254)

Browse source 
https://bugzilla.rosalinux.ru/show_bug.cgi?id=14254
This commit is contained in:
Mikhail Novosyolov 2024-01-16 14:31:05 +03:00
parent b9cfe0e8ee
commit 2fb84e35ba
2 changed files with 436 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

433
0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch Normal file
View file

@ -0,0 +1,433 @@
From 37c1f7580dda6d5c6022d97d861b97530cfb8cde Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Date: Tue, 16 Jan 2024 12:52:30 +0300
Subject: [PATCH] Revert "Throw notice on array access on illegal type"
This reverts commit c42b7dd6d32b43304b76452add158a2ef325d494
https://github.com/php/php-src/commit/c42b7dd6d32b43304
That commit causes a crash on the following input:
$ echo "Uwo8P1RUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRUVFRU
VFRUVFQAAAAmIyRiYQoBJMhjW3JbWxAAGiYjJGJhCgEkyGNbcltbEABdXV1dPSR1cltbEAAaw11d
XV09JHWQk3I/Pg==" | base64 -d > input8
$ php input8
php 7.4.x segfaults. The problem is in trying to access is_list.
With this revert, exit code is 0, but php 8.0.0+ more correctly gives an error about invalid input.
---
UPGRADING | 4 ----
Zend/tests/024.phpt | 14 ++++--------
Zend/tests/033.phpt | 30 --------------------------
Zend/tests/assign_to_var_003.phpt | 3 +--
Zend/tests/call_user_func_007.phpt | 2 --
Zend/tests/dereference_002.phpt | 2 --
Zend/tests/dereference_010.phpt | 3 ---
Zend/tests/dereference_014.phpt | 4 ----
Zend/tests/isset_003.phpt | 2 --
Zend/tests/offset_bool.phpt | 19 +---------------
Zend/tests/offset_long.phpt | 19 +---------------
Zend/tests/offset_null.phpt | 19 +---------------
Zend/zend_execute.c | 6 +-----
ext/spl/tests/array_026.phpt | 6 ++----
ext/spl/tests/bug62978.phpt | 2 --
ext/standard/tests/array/bug31158.phpt | 2 --
tests/lang/bug25922.phpt | 1 -
tests/lang/passByReference_003.phpt | 6 ++----
18 files changed, 13 insertions(+), 131 deletions(-)
diff --git a/UPGRADING b/UPGRADING
index 354e4fac02..44546f4572 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -22,10 +22,6 @@ PHP 7.4 UPGRADE NOTES
========================================
- Core:
- . Trying to use values of type null, bool, int, float or resource as an
- array (such as $null["key"]) will now generate a notice. This does not
- affect array accesses performed by list().
- RFC: https://wiki.php.net/rfc/notice-for-non-valid-array-container
. get_declared_classes() no longer returns anonymous classes that haven't
been instantiated yet.
. "fn" is now a reserved keyword. In particular, it can no longer be used as a
diff --git a/Zend/tests/024.phpt b/Zend/tests/024.phpt
index 9e647d4231..34dac0f1e3 100644
--- a/Zend/tests/024.phpt
+++ b/Zend/tests/024.phpt
@@ -16,23 +16,19 @@ var_dump($a->$b->{$c[1]});
?>
--EXPECTF--
Notice: Undefined variable: a in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-Notice: Undefined variable: a in %s on line %d
-
-Notice: Undefined variable: c in %s on line %d
+Notice: Undefined variable: %s in %s on line %d
-Notice: Trying to access array offset on value of type null in %s on line %d
+Notice: Undefined variable: %s in %s on line %d
NULL
Notice: Undefined variable: a in %s on line %d
int(1)
-Notice: Undefined variable: a in %s on line %d
+Notice: Undefined variable: %s in %s on line %d
-Notice: Undefined variable: b in %s on line %d
+Notice: Undefined variable: %s in %s on line %d
int(0)
Notice: Undefined variable: a in %s on line %d
@@ -49,8 +45,6 @@ NULL
Notice: Undefined variable: c in %s on line %d
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Notice: Trying to get property '1' of non-object in %s on line %d
Notice: Trying to get property '' of non-object in %s on line %d
diff --git a/Zend/tests/033.phpt b/Zend/tests/033.phpt
index 1e7fca1e0d..a76a322ccf 100644
--- a/Zend/tests/033.phpt
+++ b/Zend/tests/033.phpt
@@ -19,40 +19,10 @@ $arr[][]->bar = 2;
--EXPECTF--
Notice: Undefined variable: arr in %s on line %d
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Notice: Undefined variable: arr in %s on line %d
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Notice: Undefined variable: arr in %s on line %d
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Notice: Trying to get property 'foo' of non-object in %s on line %d
Warning: Creating default object from empty value in %s on line %d
diff --git a/Zend/tests/assign_to_var_003.phpt b/Zend/tests/assign_to_var_003.phpt
index bbe1b372bb..b915c7231e 100644
--- a/Zend/tests/assign_to_var_003.phpt
+++ b/Zend/tests/assign_to_var_003.phpt
@@ -12,8 +12,7 @@ var_dump($var1);
echo "Done\n";
?>
---EXPECTF--
-Notice: Trying to access array offset on value of type float in %s on line %d
+--EXPECT--
NULL
NULL
Done
diff --git a/Zend/tests/call_user_func_007.phpt b/Zend/tests/call_user_func_007.phpt
index ed44320c3f..f73f14b1ff 100644
--- a/Zend/tests/call_user_func_007.phpt
+++ b/Zend/tests/call_user_func_007.phpt
@@ -13,8 +13,6 @@ var_dump($a);
--EXPECTF--
Notice: Undefined offset: 0 in %s on line %d
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Warning: Parameter 1 to foo() expected to be a reference, value given in %s on line %d
array(0) {
}
diff --git a/Zend/tests/dereference_002.phpt b/Zend/tests/dereference_002.phpt
index 7290df7714..d16e1bb483 100644
--- a/Zend/tests/dereference_002.phpt
+++ b/Zend/tests/dereference_002.phpt
@@ -69,8 +69,6 @@ array(2) {
int(5)
}
int(1)
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
Notice: Undefined offset: 4 in %s on line %d
diff --git a/Zend/tests/dereference_010.phpt b/Zend/tests/dereference_010.phpt
index c63f6acaf9..981fe31160 100644
--- a/Zend/tests/dereference_010.phpt
+++ b/Zend/tests/dereference_010.phpt
@@ -21,10 +21,7 @@ var_dump(b()[1]);
?>
--EXPECTF--
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
Fatal error: Uncaught Error: Cannot use object of type stdClass as array in %s:%d
diff --git a/Zend/tests/dereference_014.phpt b/Zend/tests/dereference_014.phpt
index 189dca7a38..f8910dd016 100644
--- a/Zend/tests/dereference_014.phpt
+++ b/Zend/tests/dereference_014.phpt
@@ -27,12 +27,8 @@ var_dump($h);
?>
--EXPECTF--
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Notice: Trying to get property 'a' of non-object in %s on line %d
NULL
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Notice: Trying to get property 'b' of non-object in %s on line %d
NULL
diff --git a/Zend/tests/isset_003.phpt b/Zend/tests/isset_003.phpt
index 06cbe3d51d..eac72f7e0a 100644
--- a/Zend/tests/isset_003.phpt
+++ b/Zend/tests/isset_003.phpt
@@ -33,8 +33,6 @@ Notice: Undefined variable: c in %s on line %d
Notice: Undefined variable: d in %s on line %d
-Notice: Trying to access array offset on value of type null in %s on line %d
-
Notice: Trying to get property '' of non-object in %s on line %d
bool(false)
bool(true)
diff --git a/Zend/tests/offset_bool.phpt b/Zend/tests/offset_bool.phpt
index 8ed9f28e43..a08dd5450c 100644
--- a/Zend/tests/offset_bool.phpt
+++ b/Zend/tests/offset_bool.phpt
@@ -24,31 +24,14 @@ var_dump($bool[$arr]);
echo "Done\n";
?>
---EXPECTF--
-Notice: Trying to access array offset on value of type bool in %s on line %d
+--EXPECT--
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type bool in %s on line %d
NULL
Done
diff --git a/Zend/tests/offset_long.phpt b/Zend/tests/offset_long.phpt
index 4c6b3972d2..98b9b0f08b 100644
--- a/Zend/tests/offset_long.phpt
+++ b/Zend/tests/offset_long.phpt
@@ -24,31 +24,14 @@ var_dump($long[$arr]);
echo "Done\n";
?>
---EXPECTF--
-Notice: Trying to access array offset on value of type int in %s on line %d
+--EXPECT--
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type int in %s on line %d
NULL
Done
diff --git a/Zend/tests/offset_null.phpt b/Zend/tests/offset_null.phpt
index ad0b1f3049..c6ad6561db 100644
--- a/Zend/tests/offset_null.phpt
+++ b/Zend/tests/offset_null.phpt
@@ -24,31 +24,14 @@ var_dump($null[$arr]);
echo "Done\n";
?>
---EXPECTF--
-Notice: Trying to access array offset on value of type null in %s on line %d
+--EXPECT--
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
Done
diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
index 35cf24e586..7bc2248aa3 100644
--- a/Zend/zend_execute.c
+++ b/Zend/zend_execute.c
@@ -2479,15 +2479,11 @@ try_string_offset:
}
} else {
if (type != BP_VAR_IS && UNEXPECTED(Z_TYPE_P(container) == IS_UNDEF)) {
- container = ZVAL_UNDEFINED_OP1();
+ ZVAL_UNDEFINED_OP1();
}
if (ZEND_CONST_COND(dim_type == IS_CV, 1) && UNEXPECTED(Z_TYPE_P(dim) == IS_UNDEF)) {
ZVAL_UNDEFINED_OP2();
}
- if (!is_list && type != BP_VAR_IS) {
- zend_error(E_NOTICE, "Trying to access array offset on value of type %s",
- zend_zval_type_name(container));
- }
ZVAL_NULL(result);
}
}
diff --git a/ext/spl/tests/array_026.phpt b/ext/spl/tests/array_026.phpt
index 8ff6aafb93..9c79c57b66 100644
--- a/ext/spl/tests/array_026.phpt
+++ b/ext/spl/tests/array_026.phpt
@@ -8,10 +8,8 @@ $test['d1']['d3'] = 'world';
var_dump($test, $test3['mmmmm']);
?>
--EXPECTF--
-Notice: Undefined variable: test3 in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
-object(ArrayObject)#1 (1) {
+Notice: Undefined variable: test3 in %s%earray_026.php on line %d
+object(ArrayObject)#%d (1) {
["storage":"ArrayObject":private]=>
array(1) {
["d1"]=>
diff --git a/ext/spl/tests/bug62978.phpt b/ext/spl/tests/bug62978.phpt
index 972bd07ce1..5c55507ad9 100644
--- a/ext/spl/tests/bug62978.phpt
+++ b/ext/spl/tests/bug62978.phpt
@@ -32,8 +32,6 @@ Notice: Undefined index: epic_magic in %sbug62978.php on line %d
NULL
Notice: Undefined variable: c in %sbug62978.php on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
NULL
Notice: Undefined index: epic_magic in %sbug62978.php on line %d
diff --git a/ext/standard/tests/array/bug31158.phpt b/ext/standard/tests/array/bug31158.phpt
index 62ba1cfaa3..d9e65bdde9 100644
--- a/ext/standard/tests/array/bug31158.phpt
+++ b/ext/standard/tests/array/bug31158.phpt
@@ -15,6 +15,4 @@ echo "ok\n";
?>
--EXPECTF--
Notice: Undefined variable: GLOBALS in %sbug31158.php on line 6
-
-Notice: Trying to access array offset on value of type null in %sbug31158.php on line 6
ok
diff --git a/tests/lang/bug25922.phpt b/tests/lang/bug25922.phpt
index 796ef6df82..41fb135e03 100644
--- a/tests/lang/bug25922.phpt
+++ b/tests/lang/bug25922.phpt
@@ -20,5 +20,4 @@ test();
?>
--EXPECT--
Undefined variable: data
-Trying to access array offset on value of type null
Undefined index here: ''
diff --git a/tests/lang/passByReference_003.phpt b/tests/lang/passByReference_003.phpt
index ad9e1e39de..be002031d7 100644
--- a/tests/lang/passByReference_003.phpt
+++ b/tests/lang/passByReference_003.phpt
@@ -25,16 +25,14 @@ var_dump($undef2)
--EXPECTF--
Passing undefined by value
-Notice: Undefined variable: undef1 in %s on line %d
-
-Notice: Trying to access array offset on value of type null in %s on line %d
+Notice: Undefined variable: undef1 in %s on line 13
Inside passbyVal call:
NULL
After call
-Notice: Undefined variable: undef1 in %s on line %d
+Notice: Undefined variable: undef1 in %s on line 15
NULL
Passing undefined by reference
--
2.40.1

4
php7.spec
View file

@ -27,7 +27,7 @@
Summary: The PHP7 scripting language
Name: php
Version: 7.4.33
Release: 4
Release: 5
Source0: http://ch1.php.net/distributions/php-%{version}.tar.gz
Source1: macros.php
Group: Development/PHP
@ -83,6 +83,7 @@ Patch121: php-bug43221.diff
Patch122: php-not-use-libgd-const.patch
# Sauce fixes
Patch127: php-7.4.30-svace-fixes.patch
Patch128: 0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch
Patch200: fix-include-e2k.patch
BuildRequires: autoconf
@ -1276,6 +1277,7 @@ fi
%patch122 -p1
%patch127 -p1
%patch128 -p1
%ifarch %{e2k}
%patch200 -p1