Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface GHSA-4w77-75f9-2c8w Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs CVE-2024-11234 Fix Single byte overread with convert.quoted-printable-decode filter CVE-2024-11233 Fix Leak partial content of the heap through heap buffer over-read CVE-2024-8929 Fix libxml streams use wrong `content-type` header when requesting a redirected resource CVE-2025-1219 Fix Stream HTTP wrapper header check might omit basic auth header CVE-2025-1736 Fix Stream HTTP wrapper truncate redirect location to 1024 bytes CVE-2025-1861 Fix Streams HTTP wrapper does not fail for headers without colon CVE-2025-1734 Fix Header parser of `http` stream wrapper does not handle folded headers CVE-2025-1217 Fix pgsql extension does not check for errors during escaping CVE-2025-1735 Fix NULL Pointer Dereference in PHP SOAP Extension via Large XML Namespace Prefix CVE-2025-6491 Fix Null byte termination in hostnames CVE-2025-1220 Fix Null byte termination in dns_get_record() GHSA-www2-q4fc-65wf Fix Heap buffer overflow in array_merge() CVE-2025-14178 Fix Information Leak of Memory in getimagesize CVE-2025-14177 Resolves: RHEL-141181
From 97546df8d6900b115536c17af9213f1da837b82e Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 24 Oct 2024 22:02:17 +0200
Subject: [PATCH 1/7] Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib
quoter causing OOB writes
(cherry picked from commit d9baa9fed8c3ba692a36b388c0c7762e5102e2e0)
(cherry picked from commit 5d9e54065ed18c51e4f25d8900635f90810c7394)
---
ext/pdo_dblib/dblib_driver.c | 8 ++++++-
ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt | 24 ++++++++++++++++++++
2 files changed, 31 insertions(+), 1 deletion(-)
create mode 100644 ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
index f36451afeeb..1dc75a4d2e3 100644
--- a/ext/pdo_dblib/dblib_driver.c
+++ b/ext/pdo_dblib/dblib_driver.c
@@ -154,6 +154,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
size_t i;
char * q;
+ size_t extralen = 0;
*quotedlen = 0;
if (H->assume_national_character_set_strings) {
@@ -168,7 +169,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
/* Detect quoted length, adding extra char for doubled single quotes */
for (i = 0; i < unquotedlen; i++) {
- if (unquoted[i] == '\'') ++*quotedlen;
+ if (unquoted[i] == '\'') ++extralen;
++*quotedlen;
}
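Review bot: The loop body still executes `++*quotedlen;` once per input byte even though the doubled-quote accounting has moved into `extralen`, so the loop now contributes exactly `unquotedlen` to `*quotedlen` and walks the input only to count quote characters. A clearer shape is to keep the loop as a pure count (`if (unquoted[i] == '\'') ++extralen;`) and add `*quotedlen += unquotedlen;` after it, which also makes the later overflow guard read directly as "payload plus decoration". This is a style point only; the computed lengths are unchanged. dblib_handle_quoter starts before this hunk and continues after it.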
@@ -176,6 +177,11 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
if (use_national_character_set) {
++*quotedlen; /* N prefix */
}
+ if (UNEXPECTED(*quotedlen > ZSTR_MAX_LEN - extralen)) {
+ return 0;
+ }
+
+ *quotedlen += extralen;
q = *quoted = emalloc(*quotedlen + 1); /* Add byte for terminal null */
if (use_national_character_set) {
*q++ = 'N';
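Review bot: The guard `*quotedlen > ZSTR_MAX_LEN - extralen` is only free of wrap-around because `extralen` counts quote characters inside `unquoted` and therefore cannot exceed `unquotedlen`, which presumably is already bounded by ZSTR_MAX_LEN as a zend_string length; that precondition is not stated anywhere in the hunk. I would add above the check: `/* extralen <= unquotedlen <= ZSTR_MAX_LEN, so the subtraction cannot wrap; reject inputs whose quoted form would not fit a zend_string */`. Returning 0 leaves `*quoted` unassigned, which appears to be the PDO convention for a failed quote (the new test expects `bool(false)`), but a short comment on the early return such as `/* caller treats 0 as failure and must not read *quoted */` would make that explicit. The `+ 1` for the terminator in the emalloc call is not part of the check, so this also relies on ZSTR_MAX_LEN leaving headroom below SIZE_MAX — worth confirming against its definition. dblib_handle_quoter continues past this hunk.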
diff --git a/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt b/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
new file mode 100644
index 00000000000..431c61951ee
--- /dev/null
+++ b/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
@@ -0,0 +1,24 @@
+--TEST--
+GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes)
+--EXTENSIONS--
+pdo_dblib
+--SKIPIF--
+<?php
+if (PHP_INT_SIZE != 4) die("skip for 32bit platforms only");
+if (PHP_OS_FAMILY === "Windows") die("skip not for Windows because the virtual address space for application is only 2GiB");
+if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+require __DIR__ . '/config.inc';
+getDbConnection();
+?>
+--INI--
+memory_limit=-1
+--FILE--
+<?php
+
+require __DIR__ . '/config.inc';
+$db = getDbConnection();
+var_dump($db->quote(str_repeat("'", 2147483646)));
+
+?>
+--EXPECT--
+bool(false)
--
2.47.0
From 0530cbfe5c3044537de52d8382eba5d69dbac726 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Thu, 24 Oct 2024 22:02:36 +0200
Subject: [PATCH 2/7] Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird
quoter causing OOB writes
(cherry picked from commit 69c5f68fdc3deed9ebce2cc44b4bf5e0c47cd28f)
(cherry picked from commit b4f73be75dbdde970a18cc7a636898b10400fb3f)
---
ext/pdo_firebird/firebird_driver.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
index 3e403afd368..5b74290abcc 100644
--- a/ext/pdo_firebird/firebird_driver.c
+++ b/ext/pdo_firebird/firebird_driver.c
@@ -243,7 +243,7 @@ free_statement:
static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, /* {{{ */
char **quoted, size_t *quotedlen, enum pdo_param_type paramtype)
{
- int qcount = 0;
+ size_t qcount = 0;
char const *co, *l, *r;
char *c;
@@ -258,6 +258,10 @@ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t u
/* count the number of ' characters */
for (co = unquoted; (co = strchr(co,'\'')); qcount++, co++);
+ if (UNEXPECTED(unquotedlen + 2 > ZSTR_MAX_LEN - qcount)) {
+ return 0;
+ }
+
*quotedlen = unquotedlen + qcount + 2;
*quoted = c = emalloc(*quotedlen+1);
*c++ = '\'';
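Review bot: The count feeding the new guard comes from `strchr`, so `qcount` describes the NUL-terminated view of `unquoted` rather than its first `unquotedlen` bytes; an input with an embedded NUL is counted only up to that byte, and the check `unquotedlen + 2 > ZSTR_MAX_LEN - qcount` rests on that without saying so. That is presumably consistent with the copy loop after the hunk if it also walks the string with `strchr`, but the two lengths then describe different spans and a future change to honour `unquotedlen` in the copy would have to revisit the count. I would add above the `for`: `/* NUL-terminated scan: qcount <= strlen(unquoted) <= unquotedlen <= ZSTR_MAX_LEN, so the subtraction cannot wrap */`, and note that the left-hand `unquotedlen + 2` likewise assumes unquotedlen is already a valid zend_string length. The `size_t qcount` change in the earlier hunk is what makes this arithmetic well defined, so both hunks belong to the same fix. firebird_handle_quoter starts before this hunk and continues after it.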
--
2.47.0