File: CVE-2015-4598.patch

From 8fc52d77d6f66c438c98d536e2309b5fd13f90de Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 31 May 2015 22:47:52 -0700
Subject: [PATCH] Fix #69719 - more checks for nulls in paths

---
 ext/dom/document.c | 22 +++++++++++++++++-----
 ext/gd/gd.c        | 14 +++++++-------
 2 files changed, 24 insertions(+), 12 deletions(-)

Index: php5-5.3.3.1/ext/dom/document.c
===================================================================
--- php5-5.3.3.1.orig/ext/dom/document.c	2015-07-27 15:33:53.000000000 +0200
+++ php5-5.3.3.1/ext/dom/document.c	2015-07-27 15:33:53.000000000 +0200
@@ -1753,7 +1753,7 @@
 	char *file;
 	long options = 0;
 
-	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
+	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
 		return;
 	}
 
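Review bot: The `"Op|l"` spec on the new zend_parse_method_parameters() line relies on the `p` (path) type specifier, which this patch does not add; the diffstat lists only ext/dom/document.c and ext/gd/gd.c. As far as I know `p` is not part of the stock 5.3 argument parser, so this 5.3.3 tree needs an earlier patch in the series to backport it; otherwise the call would likely fail as a bad type specifier and the method would return early on every input. The same dependency applies to the `"Op"` hunk at -2257 in this file and the `"p"` hunk at -4020 in ext/gd/gd.c. I would record it in the patch header, e.g. `# requires: <name of the patch that backports the "p" specifier>`, and add a regression test that passes a filename with an embedded NUL byte to each of the three entry points and expects a failure. The enclosing function starts and ends outside the hunk.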
@@ -1995,6 +1995,10 @@
 
 	switch (type) {
 	case DOM_LOAD_FILE:
+		if (CHECK_NULL_PATH(source, source_len)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
+			RETURN_FALSE;
+		}
 		valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
 		if (!valid_file) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
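Review bot: The new CHECK_NULL_PATH branch under `case DOM_LOAD_FILE:` emits exactly the same warning text, "Invalid Schema file source", as the existing `!valid_file` branch right below it, so a log reader cannot tell a rejected embedded-NUL path from an ordinary unresolvable one. A comment such as `/* reject embedded NUL before the path reaches C string APIs, which would truncate it */` would document the intent, and a distinct message (for example appending `: path contains a NUL byte`) would make such inputs visible in monitoring, if diverging from upstream wording is acceptable. The RelaxNG hunk at -2084 repeats the same pattern. CHECK_NULL_PATH is not defined in either file touched here, so it presumably comes from a header backported by another patch; confirm that for this hunk and the ones at -2084 and -2173, and check that it compares the length argument against strlen() with matching signedness. The switch and its function continue outside the hunk.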
@@ -2084,6 +2088,10 @@
 
 	switch (type) {
 	case DOM_LOAD_FILE:
+		if (CHECK_NULL_PATH(source, source_len)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
+			RETURN_FALSE;
+		}
 		valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
 		if (!valid_file) {
 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
@@ -2173,6 +2181,10 @@
 	}
 
 	if (mode == DOM_LOAD_FILE) {
+		if (CHECK_NULL_PATH(source, source_len)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source");
+			RETURN_FALSE;
+		}
 		ctxt = htmlCreateFileParserCtxt(source, NULL);
 	} else {
 		source_len = xmlStrlen(source);
@@ -2257,7 +2269,7 @@
 	char *file;
 	const char *encoding;
 
-	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
+	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
 		return;
 	}
 
Index: php5-5.3.3.1/ext/gd/gd.c
===================================================================
--- php5-5.3.3.1.orig/ext/gd/gd.c	2015-07-27 15:33:53.000000000 +0200
+++ php5-5.3.3.1/ext/gd/gd.c	2015-07-27 15:33:53.000000000 +0200
@@ -1761,7 +1761,7 @@
 	long cx, cy, w, h, ST, E, col, style;
 	gdImagePtr im;
 	int e, st;
-	
+
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) {
 		return;
 	}
@@ -2004,7 +2004,7 @@
 	if ( handle == 0 ) {
 		goto clean;
 	}
-	pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");  
+	pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
 
 	if ( pPrintWindow )  {
 		pPrintWindow(window, memDC, (UINT) client_area);
@@ -3933,7 +3933,7 @@
 			if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) {
 				continue;
 			}
-		
+
 			if (strcmp("linespacing", key) == 0) {
 				convert_to_double_ex(item);
 				strex.flags |= gdFTEX_LINESPACE;
@@ -4020,7 +4020,7 @@
 	struct stat st;
 #endif
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
 		return;
 	}
 
@@ -4360,11 +4360,11 @@
 	if (argc != 3 && argc != 6) {
 		ZEND_WRONG_PARAM_COUNT();
 	}
-	
+
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) {
 		return;
 	}
-	
+
 	if (argc == 6) {
 		space = sp;
 		add_width = wd;