Newsgroups: php.internals
Subject: Re: [PHP-DEV] [PATCH] Fix uninitialized variable reads. See CWE-457 for more info.
From: honey@internot.info (Joshua Rogers)
To: internals@lists.php.net
Date: Wed, 21 Jan 2015 07:31:01 +1100
Message-ID: <54BEBB05.3050101@internot.info>
In-Reply-To: <1421785688-23331-1-git-send-email-git@internot.info>

On 21/01/15 07:28, Joshua Rogers wrote:
> ---
> ext/mbstring/mbstring.c | 8 ++++----
> ext/reflection/php_reflection.c | 1 +
> main/main.c | 1 +
> 3 files changed, 6 insertions(+), 4 deletions(-)
> > diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c > index 7f2209f..504a5e6 100644 > --- a/ext/mbstring/mbstring.c > +++ b/ext/mbstring/mbstring.c > @@ -3891,7 +3891,7 @@ static int _php_mbstr_parse_mail_headers(HashTabl= e *ht, const char *str, size_t > int state =3D 0; > int crlf_state =3D -1; > char *token =3D NULL; > - size_t token_pos; > + size_t token_pos =3D 0; > zend_string *fld_name, *fld_val; > =20 > ps =3D str; > @@ -3917,7 +3917,7 @@ static int _php_mbstr_parse_mail_headers(HashTabl= e *ht, const char *str, size_t > } > =20 > if (state =3D=3D 0 || state =3D=3D 1) { > - if(token) { > + if(token && token_pos > 0) { > fld_name =3D zend_string_init(token, token_pos, 0); > } > state =3D 2; > @@ -3983,7 +3983,7 @@ static int _php_mbstr_parse_mail_headers(HashTabl= e *ht, const char *str, size_t > =20 > case 3: > if (crlf_state =3D=3D -1) { > - if(token) { > + if(token && token_pos > 0) { > fld_val =3D zend_string_init(token, token_pos, 0); > } > =20 > @@ -4032,7 +4032,7 @@ out: > state =3D 3; > } > if (state =3D=3D 3) { > - if(token) { > + if(token && token_pos > 0) { > fld_val =3D zend_string_init(token, token_pos, 0); > } > if (fld_name !=3D NULL && fld_val !=3D NULL) { > diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_refle= ction.c > index 3f5c7a9..1f5085c 100644 > --- a/ext/reflection/php_reflection.c > +++ b/ext/reflection/php_reflection.c > @@ -3978,6 +3978,7 @@ static int _adddynproperty(zval *ptr, int num_arg= s, va_list args, zend_hash_key > if (zend_get_property_info(ce, hash_key->key, 1) =3D=3D NULL) { > zend_property_info property_info; > =20 > + property_info.doc_comment =3D NULL; > property_info.flags =3D ZEND_ACC_IMPLICIT_PUBLIC; > property_info.name =3D hash_key->key; > property_info.ce =3D ce; > diff --git a/main/main.c b/main/main.c > index 3aef805..50d0161 100644 > --- a/main/main.c > +++ b/main/main.c 
> @@ -2255,6 +2255,7 @@ int php_module_startup(sapi_module_struct *sf, ze= nd_module_entry *additional_mod > =20 > zuv.html_errors =3D 1; > zuv.import_use_extension =3D ".php"; > + zuv.import_use_extension_length =3D (uint)strlen(zuv.import_use_exten= sion); > php_startup_auto_globals(); > zend_set_utility_values(&zuv); > php_startup_sapi_content_types();

This also fixes a potential buffer overflow. (see the "&& token_pos > 0" additions)

Thanks,
--
-- Joshua Rogers
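Review bot: initializing `token_pos` to 0 at its declaration in the mbstring.c `@@ -3891` hunk is the right fix for the CWE-457 read, but the same context line shows `zend_string *fld_name, *fld_val;` declared without an initializer, and the `token_pos > 0` guards added further down mean a zero-length token no longer assigns either pointer. Unless both are set to NULL in code outside the hunk, change the declaration to `zend_string *fld_name = NULL, *fld_val = NULL;` so the later `fld_name != NULL && fld_val != NULL` test never reads an indeterminate value.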
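Review bot: the `token && token_pos > 0` condition in the mbstring.c `@@ -3917` hunk is a behavioural change, not just an initialization fix: a present but empty token previously produced an empty `fld_name` through `zend_string_init(token, 0, 0)`, and now the assignment is skipped. The commit message should state why that is wanted and which overflow it prevents, because as far as this hunk shows `zend_string_init` with a length of 0 copies no bytes, so the guard on its own does not explain the overflow claim in the reply.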
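Review bot: the mbstring.c `@@ -3983` hunk (case 3, `crlf_state == -1`) adds the third copy of the same `token && token_pos > 0` test. A one-line comment at this occurrence, or a small `HAS_TOKEN(token, token_pos)` style macro defined once in the function, would make the intent (skip empty header values, not only NULL tokens) explicit to the next reader instead of leaving three identical conditions to be re-derived.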
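Review bot: in the mbstring.c `@@ -4032` hunk under `out:`, `fld_val` is now assigned only when `token_pos > 0`, while two lines later `if (fld_name != NULL && fld_val != NULL)` decides whether a header is emitted. If `fld_val` still holds the value of a previous header at that point and is not reset, a trailing header with an empty value would be paired with the stale value; please confirm both pointers are reset after each emitted header, or reset them explicitly in this path.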
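Review bot: `property_info.doc_comment = NULL;` in the php_reflection.c `@@ -3978` hunk fixes one member of a stack-allocated `zend_property_info` whose other members are assigned one at a time in the lines below it, so any member not listed there stays uninitialized. Prefer `memset(&property_info, 0, sizeof(property_info));` right after the declaration: it covers every field, including ones added to the struct later, rather than the single one that happened to be flagged.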
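Review bot: `(uint)strlen(zuv.import_use_extension)` in the main.c `@@ -2255` hunk evaluates a compile-time constant at runtime; since the previous line assigns the literal `".php"`, `sizeof(".php") - 1` gives the same length without the call or the cast. The hunk also shows `zuv` being populated field by field, so it is worth confirming in the surrounding code that `zuv` is zero-initialized and that `import_use_extension_length` was the only member read without being set.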