Merge branch 'rosa2023.1' into rosa2021.1

Mikhail Novosyolov 2023-10-11 13:42:15 +03:00
commit bda7af23a1
7 changed files with 257 additions and 318 deletions


@ -1,2 +1,2 @@
sources:
php-7.4.30.tar.gz: 7fe1005b3677e2a4d112ecce7e54734fc9d668c9
php-7.4.33.tar.gz: 7c29812c51880390b74a5b23f0afe61e3b374645


@ -1,72 +0,0 @@
From 404e8bdb68350931176a5bdc86fc417b34fb583d Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 25 Jul 2022 15:58:59 +0200
Subject: [PATCH] Fix #81726: phar wrapper: DOS when using quine gzip file
The phar wrapper needs to uncompress the file; the uncompressed file
might be compressed, so the wrapper implementation loops. This raises
potential DOS issues regarding too deep or even infinite recursion (the
latter are called compressed file quines[1]). We avoid that by
introducing a recursion limit; we choose the somewhat arbitrary limit
`3`.
This issue has been reported by real_as3617 and gPayl0ad.
[1] <https://honno.dev/gzip-quine/>
---
NEWS | 1 +
ext/phar/phar.c | 16 +++++++++++-----
ext/phar/tests/bug81726.gz | Bin 0 -> 204 bytes
ext/phar/tests/bug81726.phpt | 14 ++++++++++++++
4 files changed, 26 insertions(+), 5 deletions(-)
create mode 100644 ext/phar/tests/bug81726.gz
create mode 100644 ext/phar/tests/bug81726.phpt
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 7cb1b06363..4a761ef799 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -1584,7 +1584,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
const char zip_magic[] = "PK\x03\x04";
const char gz_magic[] = "\x1f\x8b\x08";
const char bz_magic[] = "BZh";
- char *pos, test = '\0';
+ char *pos;
+ int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
const int window_size = 1024;
char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
const zend_long readsize = sizeof(buffer) - sizeof(token);
@@ -1612,8 +1613,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
}
- if (!test) {
- test = '\1';
+ if (recursion_count) {
pos = buffer+tokenlen;
if (!memcmp(pos, gz_magic, 3)) {
char err = 0;
@@ -1673,7 +1673,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
compression = PHAR_FILE_COMPRESSED_GZ;
/* now, start over */
- test = '\0';
+ if (!--recursion_count) {
+ MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
+ break;
+ }
continue;
} else if (!memcmp(pos, bz_magic, 3)) {
php_stream_filter *filter;
@@ -1711,7 +1714,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
compression = PHAR_FILE_COMPRESSED_BZ2;
/* now, start over */
- test = '\0';
+ if (!--recursion_count) {
+ MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
+ break;
+ }
continue;
}


@ -1,57 +0,0 @@
From 432bf196d59bcb661fcf9cb7029cea9b43f490af Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 27 Sep 2022 17:43:40 +0200
Subject: [PATCH] Fix regression introduced by fixing bug 81726
When a tar phar is created, `phar_open_from_fp()` is also called, but
since the file has just been created, none of the format checks can
succeed, so we continue to loop, but must not check again for the
format. Therefore, we bring back the old `test` variable.
Closes GH-9620.
---
ext/phar/phar.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 4a761ef799..ecab9162fa 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -1584,7 +1584,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
const char zip_magic[] = "PK\x03\x04";
const char gz_magic[] = "\x1f\x8b\x08";
const char bz_magic[] = "BZh";
- char *pos;
+ char *pos, test = '\0';
int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion
const int window_size = 1024;
char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */
@@ -1613,7 +1613,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)")
}
- if (recursion_count) {
+ if (!test && recursion_count) {
+ test = '\1';
pos = buffer+tokenlen;
if (!memcmp(pos, gz_magic, 3)) {
char err = 0;
@@ -1673,6 +1674,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
compression = PHAR_FILE_COMPRESSED_GZ;
/* now, start over */
+ test = '\0';
if (!--recursion_count) {
MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\"");
break;
@@ -1714,6 +1716,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char
compression = PHAR_FILE_COMPRESSED_BZ2;
/* now, start over */
+ test = '\0';
if (!--recursion_count) {
MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\"");
break;
--
2.30.2


@ -1,62 +0,0 @@
From 0611be4e82887cee0de6c4cbae320d34eec946ca Mon Sep 17 00:00:00 2001
From: Derick Rethans <github@derickrethans.nl>
Date: Fri, 9 Sep 2022 16:54:03 +0100
Subject: [PATCH] Fix #81727: Don't mangle HTTP variable names that clash with
ones that have a specific semantic meaning.
---
NEWS | 6 ++++++
ext/standard/tests/bug81727.phpt | 15 +++++++++++++++
main/php_variables.c | 14 ++++++++++++++
3 files changed, 35 insertions(+)
create mode 100644 ext/standard/tests/bug81727.phpt
diff --git a/ext/standard/tests/bug81727.phpt b/ext/standard/tests/bug81727.phpt
new file mode 100644
index 0000000000..71a9cb46c8
--- /dev/null
+++ b/ext/standard/tests/bug81727.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #81727: $_COOKIE name starting with ..Host/..Secure should be discarded
+--COOKIE--
+..Host-test=ignore; __Host-test=correct; . Secure-test=ignore; . Elephpant=Awesome;
+--FILE--
+<?php
+var_dump($_COOKIE);
+?>
+--EXPECT--
+array(2) {
+ ["__Host-test"]=>
+ string(7) "correct"
+ ["__Elephpant"]=>
+ string(7) "Awesome"
+}
diff --git a/main/php_variables.c b/main/php_variables.c
index cbdc7cf171..18f6b65a6c 100644
--- a/main/php_variables.c
+++ b/main/php_variables.c
@@ -115,6 +115,20 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
}
var_len = p - var;
+ /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */
+ if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) {
+ zval_ptr_dtor_nogc(val);
+ free_alloca(var_orig, use_heap);
+ return;
+ }
+
+ /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */
+ if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) {
+ zval_ptr_dtor_nogc(val);
+ free_alloca(var_orig, use_heap);
+ return;
+ }
+
if (var_len==0) { /* empty variable name, or variable name with a space in it */
zval_ptr_dtor_nogc(val);
free_alloca(var_orig, use_heap);
--
2.30.2


@ -1,109 +0,0 @@
From 248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <smalyshev@gmail.com>
Date: Thu, 20 Oct 2022 23:57:35 -0600
Subject: [PATCH] Fix bug #81738 (buffer overflow in hash_update() on long
parameter)
---
NEWS | 4 ++++
ext/hash/sha3/generic32lc/KeccakSponge.inc | 14 ++++++++------
ext/hash/sha3/generic64lc/KeccakSponge.inc | 14 ++++++++------
main/php_version.h | 10 +++++-----
4 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/ext/hash/sha3/generic32lc/KeccakSponge.inc b/ext/hash/sha3/generic32lc/KeccakSponge.inc
index 42a15aac6d..f8c42ff788 100644
--- a/ext/hash/sha3/generic32lc/KeccakSponge.inc
+++ b/ext/hash/sha3/generic32lc/KeccakSponge.inc
@@ -160,7 +160,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
#ifdef SnP_FastLoop_Absorb
/* processing full blocks first */
if ((rateInBytes % (SnP_width/200)) == 0) {
@@ -186,9 +186,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
}
else {
/* normal lane: using the message queue */
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
#ifdef KeccakReference
displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
#endif
@@ -263,7 +264,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
SnP_Permute(instance->state);
SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -280,9 +281,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
SnP_Permute(instance->state);
instance->byteIOIndex = 0;
}
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
i += partialBlock;
SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);
diff --git a/ext/hash/sha3/generic64lc/KeccakSponge.inc b/ext/hash/sha3/generic64lc/KeccakSponge.inc
index 42a15aac6d..f8c42ff788 100644
--- a/ext/hash/sha3/generic64lc/KeccakSponge.inc
+++ b/ext/hash/sha3/generic64lc/KeccakSponge.inc
@@ -160,7 +160,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) {
#ifdef SnP_FastLoop_Absorb
/* processing full blocks first */
if ((rateInBytes % (SnP_width/200)) == 0) {
@@ -186,9 +186,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat
}
else {
/* normal lane: using the message queue */
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
#ifdef KeccakReference
displayBytes(1, "Block to be absorbed (part)", curData, partialBlock);
#endif
@@ -263,7 +264,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
i = 0;
curData = data;
while(i < dataByteLen) {
- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) {
+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) {
for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) {
SnP_Permute(instance->state);
SnP_ExtractBytes(instance->state, curData, 0, rateInBytes);
@@ -280,9 +281,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte
SnP_Permute(instance->state);
instance->byteIOIndex = 0;
}
- partialBlock = (unsigned int)(dataByteLen - i);
- if (partialBlock+instance->byteIOIndex > rateInBytes)
+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex)
partialBlock = rateInBytes-instance->byteIOIndex;
+ else
+ partialBlock = (unsigned int)(dataByteLen - i);
i += partialBlock;
SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock);


@ -0,0 +1,252 @@
diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c
index 33dfea0..057fe96 100644
--- a/Zend/zend_builtin_functions.c
+++ b/Zend/zend_builtin_functions.c
@@ -1636,7 +1636,9 @@ ZEND_FUNCTION(set_error_handler)
zend_string *error_handler_name = zend_get_callable_name(error_handler);
zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback",
get_active_function_name(), error_handler_name?ZSTR_VAL(error_handler_name):"unknown");
- zend_string_release_ex(error_handler_name, 0);
+ if (error_handler_name) {
+ zend_string_release_ex(error_handler_name, 0);
+ }
return;
}
}
@@ -1703,7 +1705,9 @@ ZEND_FUNCTION(set_exception_handler)
zend_string *exception_handler_name = zend_get_callable_name(exception_handler);
zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback",
get_active_function_name(), exception_handler_name?ZSTR_VAL(exception_handler_name):"unknown");
- zend_string_release_ex(exception_handler_name, 0);
+ if (exception_handler_name) {
+ zend_string_release_ex(exception_handler_name, 0);
+ }
return;
}
}
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index 2d52e4e..a1c1022 100644
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -1040,8 +1040,12 @@ ZEND_API ZEND_COLD void zend_exception_error(zend_object *ex, int severity) /* {
zend_error_va(severity, (file && ZSTR_LEN(file) > 0) ? ZSTR_VAL(file) : NULL, line,
"Uncaught %s\n thrown", ZSTR_VAL(str));
- zend_string_release_ex(str, 0);
- zend_string_release_ex(file, 0);
+ if (str) {
+ zend_string_release_ex(str, 0);
+ }
+ if (file) {
+ zend_string_release_ex(file, 0);
+ }
} else {
zend_error(severity, "Uncaught exception '%s'", ZSTR_VAL(ce_exception->name));
}
diff --git a/Zend/zend_multibyte.c b/Zend/zend_multibyte.c
index 956ffbb..0c7c65e 100644
--- a/Zend/zend_multibyte.c
+++ b/Zend/zend_multibyte.c
@@ -115,6 +115,9 @@ ZEND_API int zend_multibyte_set_functions(const zend_multibyte_functions *functi
*/
{
const char *value = zend_ini_string("zend.script_encoding", sizeof("zend.script_encoding") - 1, 0);
+ if (!value) {
+ return FAILURE;
+ }
zend_multibyte_set_script_encoding_by_string(value, strlen(value));
}
return SUCCESS;
diff --git a/ext/dom/entity.c b/ext/dom/entity.c
index b412550..34b83ee 100644
--- a/ext/dom/entity.c
+++ b/ext/dom/entity.c
@@ -106,6 +106,9 @@ int dom_entity_notation_name_read(dom_object *obj, zval *retval)
ZVAL_NULL(retval);
} else {
content = (char *) xmlNodeGetContent((xmlNodePtr) nodep);
+ if (!content) {
+ return FAILURE;
+ }
ZVAL_STRING(retval, content);
xmlFree(content);
}
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index ecab916..06bb697 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -2751,8 +2751,10 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv
newentry = phar_open_jit(phar, entry, error);
if (!newentry) {
/* major problem re-opening, so we ignore this file and the error */
- efree(*error);
- *error = NULL;
+ if (error) {
+ efree(*error);
+ *error = NULL;
+ }
continue;
}
entry = newentry;
diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index 03e6dd4..52b5c5d 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -899,7 +899,7 @@ int phar_tar_setmetadata(zval *metadata, phar_entry_info *entry, char **error) /
spprintf(error, 0, "phar error: unable to create temporary file");
return -1;
}
- if (ZSTR_LEN(entry->metadata_str.s) != php_stream_write(entry->fp, ZSTR_VAL(entry->metadata_str.s), ZSTR_LEN(entry->metadata_str.s))) {
+ if (entry->metadata_str.s && ZSTR_LEN(entry->metadata_str.s) != php_stream_write(entry->fp, ZSTR_VAL(entry->metadata_str.s), ZSTR_LEN(entry->metadata_str.s))) {
spprintf(error, 0, "phar tar error: unable to write metadata to magic metadata file \"%s\"", entry->filename);
zend_hash_str_del(&(entry->phar->manifest), entry->filename, entry->filename_len);
return ZEND_HASH_APPLY_STOP;
diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
index f4d8066..9386c05 100644
--- a/ext/sqlite3/sqlite3.c
+++ b/ext/sqlite3/sqlite3.c
@@ -877,7 +877,9 @@ static int sqlite3_do_callback(struct php_sqlite3_fci *fc, zval *cb, int argc, s
if (agg_context && !Z_ISUNDEF(agg_context->zval_context)) {
zval_ptr_dtor(&agg_context->zval_context);
}
- ZVAL_COPY_VALUE(&agg_context->zval_context, &retval);
+ if (agg_context) {
+ ZVAL_COPY_VALUE(&agg_context->zval_context, &retval);
+ }
ZVAL_UNDEF(&retval);
}
diff --git a/ext/standard/filters.c b/ext/standard/filters.c
index 018270c..6acce21 100644
--- a/ext/standard/filters.c
+++ b/ext/standard/filters.c
@@ -766,7 +766,7 @@ static void php_conv_qprint_encode_dtor(php_conv_qprint_encode *inst)
}
#define NEXT_CHAR(ps, icnt, lb_ptr, lb_cnt, lbchars) \
- ((lb_ptr) < (lb_cnt) ? (lbchars)[(lb_ptr)] : *(ps))
+ ((lb_ptr) < (lb_cnt) && (lbchars) ? (lbchars)[(lb_ptr)] : ((ps) ? *(ps) : '\0'))
#define CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt) \
if ((lb_ptr) < (lb_cnt)) { \
diff --git a/ext/standard/var.c b/ext/standard/var.c
index 37a68bb..ba68cf3 100644
--- a/ext/standard/var.c
+++ b/ext/standard/var.c
@@ -1070,8 +1070,10 @@ again:
/* Mark this value in the var_hash, to avoid creating references to it. */
zval *var_idx = zend_hash_index_find(&var_hash->ht,
(zend_ulong) (zend_uintptr_t) Z_COUNTED_P(struc));
- ZVAL_LONG(var_idx, -1);
- smart_str_appendl(buf, "N;", 2);
+ if (var_idx) {
+ ZVAL_LONG(var_idx, -1);
+ smart_str_appendl(buf, "N;", 2);
+ }
}
if (serialized_data) {
efree(serialized_data);
diff --git a/sapi/fpm/fpm/fpm_conf.c b/sapi/fpm/fpm/fpm_conf.c
index 7a05286..378c585 100644
--- a/sapi/fpm/fpm/fpm_conf.c
+++ b/sapi/fpm/fpm/fpm_conf.c
@@ -720,8 +720,8 @@ static int fpm_evaluate_full_path(char **path, struct fpm_worker_pool_s *wp, cha
}
if (strlen(*path) > strlen("$prefix")) {
- free(*path);
tmp = strdup((*path) + strlen("$prefix"));
+ free(*path);
*path = tmp;
} else {
free(*path);
diff --git a/sapi/fpm/fpm/zlog.c b/sapi/fpm/fpm/zlog.c
index 4808447..849370c 100644
--- a/sapi/fpm/fpm/zlog.c
+++ b/sapi/fpm/fpm/zlog.c
@@ -348,7 +348,7 @@ static ssize_t zlog_stream_direct_write(
static inline ssize_t zlog_stream_unbuffered_write(
struct zlog_stream *stream, const char *buf, size_t len) /* {{{ */
{
- const char *append;
+ const char *append = NULL;
size_t append_len = 0, required_len, reserved_len;
ssize_t written;
@@ -637,10 +637,10 @@ zlog_bool zlog_stream_set_msg_suffix(
if (suffix != NULL) {
stream->msg_suffix_len = strlen(suffix);
len = stream->msg_suffix_len + 1;
- stream->msg_suffix = malloc(len);
if (stream->msg_suffix != NULL) {
free(stream->msg_suffix);
}
+ stream->msg_suffix = malloc(len);
if (stream->msg_suffix == NULL) {
return ZLOG_FALSE;
}
@@ -652,7 +652,7 @@ zlog_bool zlog_stream_set_msg_suffix(
len = stream->msg_final_suffix_len + 1;
stream->msg_final_suffix = malloc(len);
if (stream->msg_final_suffix != NULL) {
- free(stream->msg_suffix);
+ free(stream->msg_final_suffix);
}
if (stream->msg_final_suffix == NULL) {
return ZLOG_FALSE;
diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c
index 6b0de5c..0764789 100644
--- a/sapi/phpdbg/phpdbg_prompt.c
+++ b/sapi/phpdbg/phpdbg_prompt.c
@@ -544,6 +544,9 @@ int phpdbg_compile_stdin(zend_string *code) {
/* remove trailing data after zero byte, used for avoiding conflicts in eval()'ed code snippets */
zend_string *source_path = strpprintf(0, "Standard input code%c%p", 0, PHPDBG_G(ops)->opcodes);
phpdbg_file_source *data = zend_hash_find_ptr(&PHPDBG_G(file_sources), source_path);
+ if (!data) {
+ return FAILURE;
+ }
dtor_func_t dtor = PHPDBG_G(file_sources).pDestructor;
PHPDBG_G(file_sources).pDestructor = NULL;
zend_hash_del(&PHPDBG_G(file_sources), source_path);
@@ -1349,7 +1352,7 @@ PHPDBG_API const char *phpdbg_load_module_or_extension(char **path, char **name)
module_entry->handle = handle;
if ((module_entry = zend_register_module_ex(module_entry)) == NULL) {
- phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", module_entry->name);
+ phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", "Unknown module");
goto quit;
}
diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
index 4d10e68..1acfec6 100644
--- a/main/streams/plain_wrapper.c
+++ b/main/streams/plain_wrapper.c
@@ -926,6 +926,7 @@ static int php_stdiop_set_option(php_stream *stream, int option, int value, void
}
}
+ return PHP_STREAM_OPTION_RETURN_NOTIMPL;
#ifdef PHP_WIN32
case PHP_STREAM_OPTION_PIPE_BLOCKING:
data->is_pipe_blocking = value;
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index b0de6e4..5e3adec 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -3484,12 +3484,10 @@ PHP_METHOD(Phar, copy)
RETURN_FALSE;
}
- if (zend_hash_str_exists(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) {
- if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) || !temp->is_deleted) {
- zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
- "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname);
- RETURN_FALSE;
- }
+ if (!zend_hash_str_exists(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len) || NULL == (oldentry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len)) || oldentry->is_deleted) {
+ zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0,
+ "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname);
+ RETURN_FALSE;
}
tmp_len = newfile_len;
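Review bot: In the second `zlog_stream_set_msg_suffix` hunk of sapi/fpm/fpm/zlog.c, the new code still runs `stream->msg_final_suffix = malloc(len);` before the `if (stream->msg_final_suffix != NULL)` block, so with the freed pointer corrected it now frees the buffer it has just allocated and keeps the dangling pointer, which then passes the following NULL test. The function body continues outside the hunk, and whatever it does with `msg_final_suffix` afterwards (presumably copying the suffix in) would touch freed memory. The preceding hunk for `msg_suffix` already uses the safe order; do the same here by moving the allocation below the free, i.e. `free(stream->msg_final_suffix);` followed by `stream->msg_final_suffix = malloc(len);`. Separately, the `Phar::copy` hunk in ext/phar/phar_object.c replaces the destination test on `newfile` with a test on `oldfile` while keeping the "must not already exist" message, so in the visible lines copying onto an existing entry is no longer rejected; that check should be kept with its NULL test corrected (`NULL != temp && !temp->is_deleted`) rather than dropped.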


@ -26,8 +26,8 @@
Summary: The PHP7 scripting language
Name: php
Version: 7.4.30
Release: 5
Version: 7.4.33
Release: 1
Source0: http://ch1.php.net/distributions/php-%{version}.tar.gz
Source1: macros.php
Group: Development/PHP
@ -81,15 +81,8 @@ Patch114: php-no_pam_in_c-client.diff
# Fix bugs
Patch121: php-bug43221.diff
Patch122: php-not-use-libgd-const.patch
# CVE-2022-31628
Patch123: 0059-Fix-81726-phar-wrapper-DOS-when-using-quine-gzip-fil.patch
Patch124: 0060-Fix-regression-introduced-by-fixing-bug-81726.patch
# CVE-2022-31629
Patch125: 0061-Fix-81727-Don-t-mangle-HTTP-variable-names-that-clas.patch
# CVE-2022-37454
Patch126: 0062-Fix-bug-81738-buffer-overflow-in-hash_update-on-long.patch
# Svace 11.05.23
Patch127: php-7.4.30-svace.patch
# Sauce fixes
Patch127: php-7.4.30-svace-fixes.patch
Patch200: fix-include-e2k.patch
BuildRequires: autoconf
@ -1282,14 +1275,8 @@ fi
%patch121 -p0 -b .bug43221.droplet
%patch122 -p1
%patch123 -p1
%patch124 -p1
%patch125 -p1
%patch126 -p1
%patch127 -p1
%ifarch %{e2k}
%patch200 -p1
%endif
cp %{SOURCE2} maxlifetime
cp %{SOURCE3} php.crond