Commit ba7dee5

committed

Merge branch 'PHP-8.3' into PHP-8.4

* PHP-8.3: Fix potential OOB read in zend_dirname() on Windows

2 parents ab7c3b1 + 65070bb commit ba7dee5Copy full SHA for ba7dee5

File tree

-3

lines changed

-3

lines changed

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@ PHP NEWS`
`14`	`14`	`. Fixed bug GH-16344 (setRawValueWithoutLazyInitialization() and`
`15`	`15`	`skipLazyInitialization() may change initialized proxy). (Arnaud)`
`16`	`16`	`. Fix is_zend_ptr() huge block comparison. (nielsdos)`
	`17`	`+ . Fixed potential OOB read in zend_dirname() on Windows. (cmb)`
`17`	`18`
`18`	`19`	`- Curl:`
`19`	`20`	`. Fix various memory leaks in curl mime handling. (nielsdos)`

Lines changed: 3 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -2201,7 +2201,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)`
`2201`	`2201`	`}`
`2202`	`2202`
`2203`	`2203`	`/* Strip trailing slashes */`
`2204`		`- while (end >= path && IS_SLASH_P(end)) {`
	`2204`	`+ while (end >= path && IS_SLASH_P_EX(end, end==path)) {`
`2205`	`2205`	`end--;`
`2206`	`2206`	`}`
`2207`	`2207`	`if (end < path) {`
`@@ -2212,7 +2212,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)`
`2212`	`2212`	`}`
`2213`	`2213`
`2214`	`2214`	`/* Strip filename */`
`2215`		`- while (end >= path && !IS_SLASH_P(end)) {`
	`2215`	`+ while (end >= path && !IS_SLASH_P_EX(end, end==path)) {`
`2216`	`2216`	`end--;`
`2217`	`2217`	`}`
`2218`	`2218`	`if (end < path) {`
`@@ -2223,7 +2223,7 @@ ZEND_API size_t zend_dirname(char *path, size_t len)`
`2223`	`2223`	`}`
`2224`	`2224`
`2225`	`2225`	`/* Strip slashes which came before the file name */`
`2226`		`- while (end >= path && IS_SLASH_P(end)) {`
	`2226`	`+ while (end >= path && IS_SLASH_P_EX(end, end==path)) {`
`2227`	`2227`	`end--;`
`2228`	`2228`	`}`
`2229`	`2229`	`if (end < path) {`

Lines changed: 5 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -75,8 +75,11 @@ typedef unsigned short mode_t;`
`75`	`75`	`#define DEFAULT_SLASH '\\'`
`76`	`76`	`#define DEFAULT_DIR_SEPARATOR ';'`
`77`	`77`	`#define IS_SLASH(c) ((c) == '/' \|\| (c) == '\\')`
	`78`	`+// IS_SLASH_P() may read the previous char on Windows, which may be OOB; use IS_SLASH_P_EX() instead`
`78`	`79`	`#define IS_SLASH_P(c) (*(c) == '/' \|\| \`
`79`	`80`	`((c) == '\\' && !IsDBCSLeadByte((c-1))))`
	`81`	`+#define IS_SLASH_P_EX(c, first_byte) (*(c) == '/' \|\| \`
	`82`	`+ ((c) == '\\' && ((first_byte) \|\| !IsDBCSLeadByte((c-1)))))`
`80`	`83`
`81`	`84`	`/* COPY_WHEN_ABSOLUTE is 2 under Win32 because by chance both regular absolute paths`
`82`	`85`	`in the file system and UNC paths need copying of two characters */`
`@@ -110,7 +113,9 @@ typedef unsigned short mode_t;`
`110`	`113`	`#endif`
`111`	`114`
`112`	`115`	`#define IS_SLASH(c) ((c) == '/')`
	`116`	`+// IS_SLASH_P() may read the previous char on Windows, which may be OOB; use IS_SLASH_P_EX() instead`
`113`	`117`	`#define IS_SLASH_P(c) (*(c) == '/')`
	`118`	`+#define IS_SLASH_P_EX(c, first_byte) IS_SLASH_P(c)`
`114`	`119`
`115`	`120`	`#endif`
`116`	`121`

Comments

(0)