From 4435b9142ff9813845d5c97ab29a5d637bedb257 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 5 Apr 2015 16:01:24 -0700
Subject: [PATCH] Fixed bug #69353 (Missing null byte checks for paths in
 various PHP extensions)

---
 ext/dom/document.c                                 | 5 ++++-
 ext/fileinfo/fileinfo.c                            | 5 +++++
 ext/fileinfo/tests/finfo_file_basic.phpt           | 4 ++++
 ext/gd/gd.c                                        | 8 ++++----
 ext/hash/hash.c                                    | 7 ++++++-
 ext/hash/tests/hash_hmac_file_error.phpt           | 7 +++++++
 ext/pgsql/pgsql.c                                  | 2 +-
 ext/standard/link.c                                | 2 +-
 ext/standard/streamsfuncs.c                        | 2 +-
 ext/xmlwriter/php_xmlwriter.c                      | 4 ++--
 ext/zlib/zlib.c                                    | 4 ++--
 12 files changed, 42 insertions(+), 13 deletions(-)

Index: php5-5.3.3.1/ext/dom/document.c
===================================================================
--- php5-5.3.3.1.orig/ext/dom/document.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/dom/document.c	2015-07-23 15:48:56.000000000 +0200
@@ -1573,6 +1573,9 @@
 	xmlInitParser();
 
 	if (mode == DOM_LOAD_FILE) {
+		if (CHECK_NULL_PATH(source, source_len)) {
+			return NULL;
+		}
 		char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
 		if (file_dest) {
 			ctxt = xmlCreateFileParserCtxt(file_dest);
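Review bot: The new guard sits above `char *file_dest = …`, so that declaration now follows a statement inside the `if (mode == DOM_LOAD_FILE)` block, which compilers held to C89 reject. Declaring `char *file_dest;` first, then running the `CHECK_NULL_PATH` test, then assigning `file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);` keeps the block portable. The guard also returns NULL silently, whereas the fileinfo and hash hunks in this patch raise an "Invalid path" warning; adding `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");` before the return would make the rejection visible in logs. The enclosing function starts and ends outside the hunk.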
@@ -1673,7 +1676,7 @@
 		id = NULL;
 	}
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
 		return;
 	}
 
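Review bot: Switching the specifier to `"p|l"` rejects any NUL byte in `source` at parameter parsing, before the load mode is consulted, while the first document.c hunk suggests `source` is a path only when `mode == DOM_LOAD_FILE`. If this function also serves string-loading entry points (its name and mode handling are outside the hunk), in-memory markup containing a NUL byte would now be refused too. Keeping `"s|l"` here and relying on the mode-guarded `CHECK_NULL_PATH` check would confine the restriction to real file paths, provided this function does reach that guarded parser.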
Index: php5-5.3.3.1/ext/fileinfo/fileinfo.c
===================================================================
--- php5-5.3.3.1.orig/ext/fileinfo/fileinfo.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/fileinfo/fileinfo.c	2015-07-23 15:48:56.000000000 +0200
@@ -496,6 +496,11 @@
 				RETVAL_FALSE;
 				goto clean;
 			}
+			if (CHECK_NULL_PATH(buffer, buffer_len)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+				RETVAL_FALSE;
+				goto clean;
+			}
 
 			wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC);
 
Index: php5-5.3.3.1/ext/fileinfo/tests/finfo_file_basic.phpt
===================================================================
--- php5-5.3.3.1.orig/ext/fileinfo/tests/finfo_file_basic.phpt	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/fileinfo/tests/finfo_file_basic.phpt	2015-07-23 15:48:56.000000000 +0200
@@ -19,6 +19,7 @@
 var_dump( finfo_file( $finfo, __FILE__) );
 var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) );
 var_dump( finfo_file( $finfo, $magicFile ) );
+var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) );
 
 ?>
 ===DONE===
@@ -27,4 +28,7 @@
 string(28) "text/x-php; charset=us-ascii"
 string(15) "PHP script text"
 string(32) "text/plain; charset=unknown-8bit"
+
+Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d
+bool(false)
 ===DONE===
Index: php5-5.3.3.1/ext/gd/gd.c
===================================================================
--- php5-5.3.3.1.orig/ext/gd/gd.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/gd/gd.c	2015-07-23 15:48:56.000000000 +0200
@@ -1466,7 +1466,7 @@
 	gdFontPtr font;
 	php_stream *stream;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) {
 		return;
 	}
 
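Review bot: Nothing in this patch defines the `"p"` specifier or the `CHECK_NULL_PATH` macro, so both must already exist in the php5-5.3.3.1 tree it is applied to for these conversions to work. If `zend_parse_parameters` in this tree does not recognise `"p"`, the call would presumably fail for every input rather than only for paths containing a NUL byte. Confirm that an earlier patch in the series supplies both; the same applies to every `"p"` conversion in document.c, hash.c, pgsql.c, link.c, streamsfuncs.c and php_xmlwriter.c. A short comment such as `/* "p": path argument, rejects embedded NUL bytes */` at the first use would help readers who only know `"s"`.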
@@ -2409,7 +2409,7 @@
 	long ignore_warning;
 #endif
 	if (image_type == PHP_GDIMG_TYPE_GD2PART) {
-		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
+		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
 			return;
 		}
 		if (width < 1 || height < 1) {
@@ -2417,7 +2417,7 @@
 			RETURN_FALSE;
 		}
 	} else {
-		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
+		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
 			return;
 		}
 	}
@@ -4127,7 +4127,7 @@
 	char *enc, **enc_vector;
 	int enc_len, *f_ind;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) {
 		return;
 	}
 
Index: php5-5.3.3.1/ext/hash/hash.c
===================================================================
--- php5-5.3.3.1.orig/ext/hash/hash.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/hash/hash.c	2015-07-23 15:55:08.000000000 +0200
@@ -136,6 +136,10 @@
 		RETURN_FALSE;
 	}
 	if (isfilename) {
+                if (CHECK_NULL_PATH(data, data_len)) {
+                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+                        RETURN_FALSE;
+                }
 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS | ENFORCE_SAFE_MODE, NULL, DEFAULT_CONTEXT);
 		if (!stream) {
 			/* Stream will report errors opening file */
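Review bot: The four added lines are indented with spaces while the surrounding code uses tabs, which will show up as whitespace noise in later diffs; the identical block in the next hash.c hunk has the same problem. Re-indent both with tabs to match the `stream = php_stream_open_wrapper_ex(...)` line below them. Because `data` is a path only when `isfilename` is set, a manual guard is the right shape here, and a one-line comment such as `/* reject embedded NUL bytes before the path reaches the stream layer */` would record why it exists. The enclosing function starts and ends outside the hunk.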
@@ -214,6 +218,10 @@
 		RETURN_FALSE;
 	}
 	if (isfilename) {
+                if (CHECK_NULL_PATH(data, data_len)) {
+                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+                        RETURN_FALSE;
+                }
 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS | ENFORCE_SAFE_MODE, NULL, DEFAULT_CONTEXT);
 		if (!stream) {
 			/* Stream will report errors opening file */
@@ -441,7 +449,7 @@
 	char *filename, buf[1024];
 	int filename_len, n;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
 		return;
 	}
 
Index: php5-5.3.3.1/ext/hash/tests/hash_hmac_file_error.phpt
===================================================================
--- php5-5.3.3.1.orig/ext/hash/tests/hash_hmac_file_error.phpt	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/hash/tests/hash_hmac_file_error.phpt	2015-07-23 15:48:56.000000000 +0200
@@ -28,6 +28,9 @@
 echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n";
 hash_hmac_file('foo', $file, $key, TRUE);
 
+echo "\n-- Testing hash_hmac_file() function with bad path --\n";
+hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE);
+
 ?>
 ===Done===
 --EXPECTF--
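Review bot: Only `hash_hmac_file()` gets a NUL-byte regression case, although hash.c gains a `CHECK_NULL_PATH` guard in two places and a `"rp|r"` conversion in a third. Adding the same `$file.chr(0).$file` case for the other file-taking hash functions those hunks touch (which functions they are is not visible here) would keep each guard from regressing independently. The expected-output section would then need the matching warning lines for each new call.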
@@ -51,4 +54,8 @@
 -- Testing hash_hmac_file() function with invalid hash algorithm --
 
 Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d
+
+-- Testing hash_hmac_file() function with bad path --
+
+Warning: hash_hmac_file(): Invalid path in %s on line %d
 ===Done===
\ No newline at end of file
Index: php5-5.3.3.1/ext/pgsql/pgsql.c
===================================================================
--- php5-5.3.3.1.orig/ext/pgsql/pgsql.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/pgsql/pgsql.c	2015-07-23 15:56:38.000000000 +0200
@@ -2865,7 +2865,7 @@
 	php_stream *stream;
 	id = PGG(default_link);
 	
-	if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
+	if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
 		return;
 	}
 
Index: php5-5.3.3.1/ext/standard/link.c
===================================================================
--- php5-5.3.3.1.orig/ext/standard/link.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/standard/link.c	2015-07-23 15:48:56.000000000 +0200
@@ -60,7 +60,7 @@
 	char buff[MAXPATHLEN];
 	int ret;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) {
 		return;
 	}
 
Index: php5-5.3.3.1/ext/standard/streamsfuncs.c
===================================================================
--- php5-5.3.3.1.orig/ext/standard/streamsfuncs.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/standard/streamsfuncs.c	2015-07-23 15:48:56.000000000 +0200
@@ -1472,7 +1472,7 @@
 	char *filename, *resolved_path;
 	int filename_len;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) {
 		return;
 	}
 
Index: php5-5.3.3.1/ext/xmlwriter/php_xmlwriter.c
===================================================================
--- php5-5.3.3.1.orig/ext/xmlwriter/php_xmlwriter.c	2015-07-23 15:48:56.000000000 +0200
+++ php5-5.3.3.1/ext/xmlwriter/php_xmlwriter.c	2015-07-23 15:48:56.000000000 +0200
@@ -1738,7 +1738,7 @@
 /* }}} */
 #endif
 
-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source)
+/* {{{ proto resource xmlwriter_open_uri(string source)
 Create new xmlwriter using source uri for output */
 static PHP_FUNCTION(xmlwriter_open_uri)
 {
@@ -1759,7 +1759,7 @@
 	void *ioctx;
 #endif
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) {
 		return;
 	}
 	
