1 # Source: upstream |
2 # http://git.php.net/?p=php-src.git;a=patch;h=739adee1912176aacf351edc5751a02ded6ef1ec;hp=658b9b0ab26eedb3e13a583d1585f502e7da728f |
3 # Fixed in 5.6.9 |
4 # This patch also contains unnecessary whitespace changes but is left as is |
5 |
6 From 739adee1912176aacf351edc5751a02ded6ef1ec Mon Sep 17 00:00:00 2001 |
7 From: Stanislav Malyshev <[email protected]> |
8 Date: Wed, 29 Apr 2015 21:57:33 -0700 |
9 Subject: [PATCH 1/1] Fix bug #69545 - avoid overflow when reading list |
10 |
11 --- |
12 ext/ftp/ftp.c | 82 +++++++++++++++++++++++++++++------------------------------ |
13 1 file changed, 41 insertions(+), 41 deletions(-) |
14 |
15 diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c |
16 index a6e0dfd..4e1b072 100644 |
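--- a/ext/ftp/ftp.c
+++ b/ext/ftp/ftp.c
@@ -188,9 +188,9 @@ ftp_close(ftpbuf_t *ftp)
 SSL_shutdown(ftp->ssl_handle);
 SSL_free(ftp->ssl_handle);
 }
-#endif
+#endif
 closesocket(ftp->fd);
- }
+ }
 ftp_gc(ftp);
 efree(ftp);
 return NULL;
@@ -262,7 +262,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
 if (!ftp_getresp(ftp)) {
 return 0;
 }
-
+
 if (ftp->resp != 234) {
 if (!ftp_putcmd(ftp, "AUTH", "SSL")) {
 return 0;
@@ -270,7 +270,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
 if (!ftp_getresp(ftp)) {
 return 0;
 }
-
+
 if (ftp->resp != 334) {
 return 0;
 } else {
@@ -278,7 +278,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
 ftp->use_ssl_for_data = 1;
 }
 }
-
+
 ctx = SSL_CTX_new(SSLv23_client_method());
 if (ctx == NULL) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create the SSL context");
@@ -325,8 +325,8 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC)
 if (!ftp_getresp(ftp)) {
 return 0;
 }
-
- ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299);
+
+ ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299);
 }
 }
 #endif
@@ -360,7 +360,7 @@ ftp_reinit(ftpbuf_t *ftp)
 {
 if (ftp == NULL) {
 return 0;
- }
+ }
 
 ftp_gc(ftp);
 
@@ -395,7 +395,7 @@ ftp_syst(ftpbuf_t *ftp)
 if (!ftp_putcmd(ftp, "SYST", NULL)) {
 return NULL;
 }
- if (!ftp_getresp(ftp) || ftp->resp != 215) {
+ if (!ftp_getresp(ftp) || ftp->resp != 215) {
 return NULL;
 }
 syst = ftp->inbuf;
@@ -431,14 +431,14 @@ ftp_pwd(ftpbuf_t *ftp)
 if (!ftp_putcmd(ftp, "PWD", NULL)) {
 return NULL;
 }
- if (!ftp_getresp(ftp) || ftp->resp != 257) {
+ if (!ftp_getresp(ftp) || ftp->resp != 257) {
 return NULL;
 }
 /* copy out the pwd from response */
- if ((pwd = strchr(ftp->inbuf, '"')) == NULL) {
+ if ((pwd = strchr(ftp->inbuf, '"')) == NULL) {
 return NULL;
 }
- if ((end = strrchr(++pwd, '"')) == NULL) {
+ if ((end = strrchr(++pwd, '"')) == NULL) {
 return NULL;
 }
 ftp->pwd = estrndup(pwd, end - pwd);
@@ -608,7 +608,7 @@ ftp_chmod(ftpbuf_t *ftp, const int mode, const char *filename, const int filenam
 if (!ftp_getresp(ftp) || ftp->resp != 200) {
 return 0;
 }
-
+
 return 1;
 }
 /* }}} */
@@ -625,7 +625,7 @@ ftp_alloc(ftpbuf_t *ftp, const long size, char **response)
 }
 
 snprintf(buffer, sizeof(buffer) - 1, "%ld", size);
-
+
 if (!ftp_putcmd(ftp, "ALLO", buffer)) {
 return 0;
 }
@@ -642,7 +642,7 @@ ftp_alloc(ftpbuf_t *ftp, const long size, char **response)
 return 0;
 }
 
- return 1;
+ return 1;
 }
 /* }}} */
 
@@ -674,7 +674,7 @@ ftp_type(ftpbuf_t *ftp, ftptype_t type)
 if (ftp == NULL) {
 return 0;
 }
- if (type == ftp->type) {
+ if (type == ftp->type) {
 return 1;
 }
 if (type == FTPTYPE_ASCII) {
@@ -765,7 +765,7 @@ ftp_pasv(ftpbuf_t *ftp, int pasv)
 if (!ftp_putcmd(ftp, "PASV", NULL)) {
 return 0;
 }
- if (!ftp_getresp(ftp) || ftp->resp != 227) {
+ if (!ftp_getresp(ftp) || ftp->resp != 227) {
 return 0;
 }
 /* parse out the IP and port */
@@ -807,7 +807,7 @@ ftp_get(ftpbuf_t *ftp, php_stream *outstream, const char *path, ftptype_t type,
 if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) {
 goto bail;
 }
-
+
 ftp->data = data;
 
 if (resumepos > 0) {
@@ -900,7 +900,7 @@ ftp_put(ftpbuf_t *ftp, const char *path, php_stream *instream, ftptype_t type, l
 if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) {
 goto bail;
 }
- ftp->data = data;
+ ftp->data = data;
 
 if (startpos > 0) {
 snprintf(arg, sizeof(arg), "%ld", startpos);
@@ -1101,7 +1101,7 @@ ftp_putcmd(ftpbuf_t *ftp, const char *cmd, const char *args)
 
 if (strpbrk(cmd, "\r\n")) {
 return 0;
- }
+ }
 /* build the output buffer */
 if (args && args[0]) {
 /* "cmd args\r\n\0" */
@@ -1247,7 +1247,7 @@ my_send(ftpbuf_t *ftp, php_socket_t s, void *buf, size_t len)
 #if HAVE_OPENSSL_EXT
 if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) {
 sent = SSL_write(ftp->ssl_handle, buf, size);
- } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) {
+ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) {
 sent = SSL_write(ftp->data->ssl_handle, buf, size);
 } else {
 #endif
@@ -1287,14 +1287,14 @@ my_recv(ftpbuf_t *ftp, php_socket_t s, void *buf, size_t len)
 #if HAVE_OPENSSL_EXT
 if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) {
 nr_bytes = SSL_read(ftp->ssl_handle, buf, len);
- } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) {
+ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) {
 nr_bytes = SSL_read(ftp->data->ssl_handle, buf, len);
 } else {
 #endif
 nr_bytes = recv(s, buf, len, 0);
 #if HAVE_OPENSSL_EXT
 }
-#endif
+#endif
 return (nr_bytes);
 }
 /* }}} */
@@ -1511,7 +1511,7 @@ data_accept(databuf_t *data, ftpbuf_t *ftp TSRMLS_DC)
 
 data_accepted:
 #if HAVE_OPENSSL_EXT
-
+
 /* now enable ssl if we need to */
 if (ftp->use_ssl && ftp->use_ssl_for_data) {
 ctx = SSL_CTX_new(SSLv23_client_method());
@@ -1531,23 +1531,23 @@ data_accepted:
 SSL_CTX_free(ctx);
 return 0;
 }
-
-
+
+
 SSL_set_fd(data->ssl_handle, data->fd);
 
 if (ftp->old_ssl) {
 SSL_copy_session_id(data->ssl_handle, ftp->ssl_handle);
 }
-
+
 if (SSL_connect(data->ssl_handle) <= 0) {
 php_error_docref(NULL TSRMLS_CC, E_WARNING, "data_accept: SSL/TLS handshake failed");
 SSL_shutdown(data->ssl_handle);
 SSL_free(data->ssl_handle);
 return 0;
 }
-
+
 data->ssl_active = 1;
- }
+ }
 
 #endif
 
@@ -1562,14 +1562,14 @@ data_close(ftpbuf_t *ftp, databuf_t *data)
 {
 #if HAVE_OPENSSL_EXT
 SSL_CTX *ctx;
-#endif
+#endif
 if (data == NULL) {
 return NULL;
 }
 if (data->listener != -1) {
 #if HAVE_OPENSSL_EXT
 if (data->ssl_active) {
-
+
 ctx = SSL_get_SSL_CTX(data->ssl_handle);
 SSL_CTX_free(ctx);
 
@@ -1577,9 +1577,9 @@ data_close(ftpbuf_t *ftp, databuf_t *data)
 SSL_free(data->ssl_handle);
 data->ssl_active = 0;
 }
-#endif
+#endif
 closesocket(data->listener);
- }
+ }
 if (data->fd != -1) {
 #if HAVE_OPENSSL_EXT
 if (data->ssl_active) {
@@ -1590,9 +1590,9 @@ data_close(ftpbuf_t *ftp, databuf_t *data)
 SSL_free(data->ssl_handle);
 data->ssl_active = 0;
 }
-#endif
+#endif
 closesocket(data->fd);
- }
+ }
 if (ftp) {
 ftp->data = NULL;
 }
@@ -1610,8 +1610,8 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
 databuf_t *data = NULL;
 char *ptr;
 int ch, lastch;
- int size, rcvd;
- int lines;
+ size_t size, rcvd;
+ size_t lines;
 char **ret = NULL;
 char **entry;
 char *text;
@@ -1629,7 +1629,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
 if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) {
 goto bail;
 }
- ftp->data = data;
+ ftp->data = data;
 
 if (!ftp_putcmd(ftp, cmd, path)) {
 goto bail;
@@ -1653,7 +1653,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
 lines = 0;
 lastch = 0;
 while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) {
- if (rcvd == -1) {
+ if (rcvd == -1 || rcvd > ((size_t)(-1))-size) {
 goto bail;
 }
 
@@ -1858,7 +1858,7 @@ ftp_nb_put(ftpbuf_t *ftp, const char *path, php_stream *instream, ftptype_t type
 if (!ftp_getresp(ftp) || (ftp->resp != 150 && ftp->resp != 125)) {
 goto bail;
 }
- if ((data = data_accept(data, ftp TSRMLS_CC)) == NULL) {
+ if ((data = data_accept(data, ftp TSRMLS_CC)) == NULL) {
 goto bail;
 }
 ftp->data = data;
@@ -1914,7 +1914,7 @@ ftp_nb_continue_write(ftpbuf_t *ftp TSRMLS_DC)
 goto bail;
 }
 ftp->data = data_close(ftp, ftp->data);
-
+
 if (!ftp_getresp(ftp) || (ftp->resp != 226 && ftp->resp != 250)) {
 goto bail;
 }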
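Review bot: In the `ftp_genlist` receive loop (hunk `@@ -1653,7 +1653,7 @@`), `rcvd` is now `size_t`, so the error test `rcvd == -1` only matches through the implicit conversion of `-1` to the maximum `size_t` value. Any other negative return from `my_recv` would arrive as a very large count, and while `size` is still 0 the added bound `rcvd > ((size_t)(-1))-size` would not reject it. The return type of `my_recv` is not visible in these hunks, so this is inferred from the `recv`/`SSL_read` calls in its body. Receiving into a signed local and widening only after the error test makes the check explicit: `if (n < 0 || (size_t)n > (size_t)-1 - size) { goto bail; }` followed by `rcvd = (size_t)n;`. The rest of the loop and the allocation that later consumes `size` and `lines` are outside the hunk, so confirm that the sizing arithmetic there is overflow-checked too.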
329 -- |
330 2.1.4 |
331 |