[PATCH] Fix uninitalized variables reads. See CWE-457 for more info.

10 years ago by Joshua Rogers — view source — reply

unread

ext/mbstring/mbstring.c | 8 ++++----
ext/reflection/php_reflection.c | 1 +
main/main.c | 1 +
3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 7f2209f..504a5e6 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3891,7 +3891,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t
int state = 0;
int crlf_state = -1;
char *token = NULL;

size_t token_pos;

size_t token_pos = 0;
zend_string *fld_name, *fld_val;

ps = str;
@@ -3917,7 +3917,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t
}
```
		if (state == 0 || state == 1) {
```

```
  			if(token) {
```

  			if(token && token_pos > 0) {
  				fld_name = zend_string_init(token, token_pos, 0);
  			}
  			state = 2;

@@ -3983,7 +3983,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t

				case 3:
					if (crlf_state == -1) {

```
  					if(token) {
```

  					if(token && token_pos > 0) {
  						fld_val = zend_string_init(token, token_pos, 0);
  					}

@@ -4032,7 +4032,7 @@ out:
state = 3;
}
if (state == 3) {

```
  if(token) {
```

  if(token && token_pos > 0) {
  	fld_val = zend_string_init(token, token_pos, 0);
  }
  if (fld_name != `NULL` && fld_val != NULL) {

diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 3f5c7a9..1f5085c 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3978,6 +3978,7 @@ static int _adddynproperty(zval *ptr, int num_args, va_list args, zend_hash_key
if (zend_get_property_info(ce, hash_key->key, 1) == NULL) {
zend_property_info property_info;

  property_info.doc_comment = NULL;
  property_info.flags = ZEND_ACC_IMPLICIT_PUBLIC;
  property_info.name = hash_key->key;
  property_info.ce = ce;

diff --git a/main/main.c b/main/main.c
index 3aef805..50d0161 100644
--- a/main/main.c
+++ b/main/main.c
@@ -2255,6 +2255,7 @@ int php_module_startup(sapi_module_struct *sf, zend_module_entry *additional_mod

zuv.html_errors = 1;
zuv.import_use_extension = ".php";

zuv.import_use_extension_length = (uint)strlen(zuv.import_use_extension);
php_startup_auto_globals();
zend_set_utility_values(&zuv);
php_startup_sapi_content_types();
--
1.9.1

10 years ago by Joshua Rogers — view source — reply

unread

ext/mbstring/mbstring.c | 8 ++++----
ext/reflection/php_reflection.c | 1 +
main/main.c | 1 +
3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 7f2209f..504a5e6 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3891,7 +3891,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t
int state = 0;
int crlf_state = -1;
char *token = NULL;

size_t token_pos;
size_t token_pos = 0;
zend_string *fld_name, *fld_val;

ps = str;
@@ -3917,7 +3917,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t
}
		if (state == 0 || state == 1) {
			if(token) {
			if(token && token_pos > 0) {
				fld_name = zend_string_init(token, token_pos, 0);
			}
			state = 2;
@@ -3983,7 +3983,7 @@ static int _php_mbstr_parse_mail_headers(HashTable *ht, const char *str, size_t
  			case 3:
  				if (crlf_state == -1) {
					if(token) {
					if(token && token_pos > 0) {
						fld_val = zend_string_init(token, token_pos, 0);
					}
@@ -4032,7 +4032,7 @@ out:
state = 3;
}
if (state == 3) {
if(token) {
if(token && token_pos > 0) {
	fld_val = zend_string_init(token, token_pos, 0);
}
if (fld_name != `NULL` && fld_val != NULL) {
diff --git a/ext/reflection/php_reflection.c b/ext/reflection/php_reflection.c
index 3f5c7a9..1f5085c 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3978,6 +3978,7 @@ static int _adddynproperty(zval *ptr, int num_args, va_list args, zend_hash_key
if (zend_get_property_info(ce, hash_key->key, 1) == NULL) {
zend_property_info property_info;
property_info.doc_comment = NULL;
property_info.flags = ZEND_ACC_IMPLICIT_PUBLIC;
property_info.name = hash_key->key;
property_info.ce = ce;
diff --git a/main/main.c b/main/main.c
index 3aef805..50d0161 100644
--- a/main/main.c
+++ b/main/main.c
@@ -2255,6 +2255,7 @@ int php_module_startup(sapi_module_struct *sf, zend_module_entry *additional_mod

zuv.html_errors = 1;
zuv.import_use_extension = ".php";

zuv.import_use_extension_length = (uint)strlen(zuv.import_use_extension);
php_startup_auto_globals();
zend_set_utility_values(&zuv);
php_startup_sapi_content_types();
This also fixes a potential buffer overflow. (see the "&& token_pos > 0"
additions)

Thanks,

--
-- Joshua Rogers <https://internot.info/

10 years ago by Yasuo Ohgaki — view source — reply

unread

Hi Joshua,

ext/mbstring/mbstring.c | 8 ++++----
ext/reflection/php_reflection.c | 1 +
main/main.c | 1 +
3 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 7f2209f..504a5e6 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3891,7 +3891,7 @@ static int _php_mbstr_parse_mail_headers(HashTable
*ht, const char *str, size_t
int state = 0;
int crlf_state = -1;
char *token = NULL;
  size_t token_pos;
  size_t token_pos = 0;
  zend_string *fld_name, *fld_val;

  ps = str;
@@ -3917,7 +3917,7 @@ static int _php_mbstr_parse_mail_headers(HashTable
*ht, const char *str, size_t
}
                            if (state == 0 || state == 1) {
                                  if(token) {
                                  if(token && token_pos > 0) {
                                          fld_name =
zend_string_init(token, token_pos, 0);
}
state = 2;
@@ -3983,7 +3983,7 @@ static int _php_mbstr_parse_mail_headers(HashTable
*ht, const char *str, size_t
                                    case 3:
                                            if (crlf_state == -1) {
                                                  if(token) {
                                                  if(token &&
token_pos > 0) {
fld_val =
zend_string_init(token, token_pos, 0);
}

@@ -4032,7 +4032,7 @@ out:
state = 3;
}
if (state == 3) {
          if(token) {
          if(token && token_pos > 0) {
                  fld_val = zend_string_init(token, token_pos, 0);
          }
          if (fld_name != `NULL` && fld_val != NULL) {
diff --git a/ext/reflection/php_reflection.c
b/ext/reflection/php_reflection.c
index 3f5c7a9..1f5085c 100644
--- a/ext/reflection/php_reflection.c
+++ b/ext/reflection/php_reflection.c
@@ -3978,6 +3978,7 @@ static int _adddynproperty(zval *ptr, int num_args,
va_list args, zend_hash_key
if (zend_get_property_info(ce, hash_key->key, 1) == NULL) {
zend_property_info property_info;
          property_info.doc_comment = NULL;
          property_info.flags = ZEND_ACC_IMPLICIT_PUBLIC;
          property_info.name = hash_key->key;
          property_info.ce = ce;
diff --git a/main/main.c b/main/main.c
index 3aef805..50d0161 100644
--- a/main/main.c
+++ b/main/main.c
@@ -2255,6 +2255,7 @@ int php_module_startup(sapi_module_struct *sf,
zend_module_entry *additional_mod
    zuv.html_errors = 1;
    zuv.import_use_extension = ".php";
  zuv.import_use_extension_length =
(uint)strlen(zuv.import_use_extension);
php_startup_auto_globals();
zend_set_utility_values(&zuv);
php_startup_sapi_content_types();

Could you send pull request from github?
It's not required strictly, but if you can includes tests, it would be
great.

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net

10 years ago by Joshua Rogers — view source — reply

unread

Could you send pull request from github?
https://github.com/php/php-src/pull/1012
It's not required strictly, but if you can includes tests, it would be
great.
No tests. It is "undefined behaviour."

Thanks,

-- Joshua Rogers <https://internot.info/