Merge branch 'PHP-7.1' into PHP-7.2

smalyshev · smalyshev · commit e77c8e45bab0 · 2019-05-27T16:49:19.000-07:00
* PHP-7.1:
  Update NEWS
  Fix bug #78069 - Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
  Fix #77973: Uninitialized read in gdImageCreateFromXbm
diff --git a/ext/gd/libgd/gd_xbm.c b/ext/gd/libgd/gd_xbm.c
@@ -136,7 +136,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)
 			}
 			h[3] = ch;
 		}
-		sscanf(h, "%x", &b);
+		if (sscanf(h, "%x", &b) != 1) {
+			php_gd_error("invalid XBM");
+			gdImageDestroy(im);
+			return 0;
+		}
 		for (bit = 1; bit <= max_bit; bit = bit << 1) {
 			gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);
 			if (x == im->sx) {
diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt
@@ -0,0 +1,26 @@
+--TEST--
+Bug #77973 (Uninitialized read in gdImageCreateFromXbm)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die("skip gd extension not available");
+if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available");
+?>
+--FILE--
+<?php
+$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a");
+$filepath = __DIR__ . '/bug77973.xbm';
+file_put_contents($filepath, $contents);
+$im = imagecreatefromxbm($filepath);
+var_dump($im);
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromxbm(): invalid XBM in %s on line %d
+
+Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d
+bool(false)
+===DONE===
+--CLEAN--
+<?php
+unlink(__DIR__ . '/bug77973.xbm');
+?>
diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
@@ -1664,7 +1664,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
 							 * we can do at this point. */
 							if (*(p1 + 1) == '=') {
 								++p1;
-								--str_left;
+								if (str_left > 1) {
+									--str_left;
+								}
 							}
 
 							err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
diff --git a/ext/iconv/tests/bug78069.data b/ext/iconv/tests/bug78069.data
diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow)
+--SKIPIF--
+<?php
+if (!extension_loaded('iconv')) die('skip ext/iconv required');
+?>
+--FILE--
+<?php
+$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2);
+var_dump(count($hdr));
+?>
+DONE
+--EXPECT--
+int(1)
+DONE

Original file line number	Diff line number	Diff line change
`@@ -136,7 +136,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd)`
`136`	`136`	`}`
`137`	`137`	`h[3] = ch;`
`138`	`138`	`}`
`139`		`- sscanf(h, "%x", &b);`
	`139`	`+ if (sscanf(h, "%x", &b) != 1) {`
	`140`	`+ php_gd_error("invalid XBM");`
	`141`	`+ gdImageDestroy(im);`
	`142`	`+ return 0;`
	`143`	`+ }`
`140`	`144`	`for (bit = 1; bit <= max_bit; bit = bit << 1) {`
`141`	`145`	`gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0);`
`142`	`146`	`if (x == im->sx) {`