30 changes: 22 additions & 8 deletions NEWS
@@ -1,17 +1,19 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
?? ??? 2014, PHP 5.5.14
26 Jun 2014, PHP 5.5.14

- Core:
. Fixed BC break introduced by patch for bug #67072. (Anatol)
. Fixed BC break introduced by patch for bug #67072. (Anatol, Stas)
. Fixed bug #66622 (Closures do not correctly capture the late bound class
(static::) in some cases). (Levi Morrison)
. Fixed bug #67390 (insecure temporary file use in the configure script).
(Remi) (CVE-2014-3981)
(CVE-2014-3981) (Remi)
. Fixed bug #67399 (putenv with empty variable may lead to crash). (Stas)
. Fixed bug #67498 (phpinfo() Type Confusion Information Leak Vulnerability).
(Stefan Esser)

- CLI server:
. Fixed Bug #67406i (built-in web-server segfaults on startup). (Remi)
. Fixed Bug #67406 (built-in web-server segfaults on startup). (Remi)

- Date:
. Fixed bug #67308 (Serialize of DateTime truncates fractions of second).
Expand All @@ -21,14 +23,24 @@ PHP NEWS

- Fileinfo:
. Fixed bug #67326 (fileinfo: cdf_read_short_sector insufficient boundary check).
(CVE-2014-0207)
. Fixed bug #67410 (fileinfo: mconvert incorrect handling of truncated pascal
string size). (Francisco Alonso, Jan Kaluza, Remi)
string size). (CVE-2014-3478) (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67411 (fileinfo: cdf_check_stream_offset insufficient boundary
check). (Francisco Alonso, Jan Kaluza, Remi)
check). (CVE-2014-3479) (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67412 (fileinfo: cdf_count_chain insufficient boundary check).
(Francisco Alonso, Jan Kaluza, Remi)
(CVE-2014-3480) (Francisco Alonso, Jan Kaluza, Remi)
. Fixed bug #67413 (fileinfo: cdf_read_property_info insufficient boundary
check). (Francisco Alonso, Jan Kaluza, Remi)
check). (CVE-2014-3487) (Francisco Alonso, Jan Kaluza, Remi)

- Intl:
. Fixed bug #67349 (Locale::parseLocale Double Free). (Stas)
. Fixed bug #67397 (Buffer overflow in locale_get_display_name and
uloc_getDisplayName (libicu 4.8.1)). (Stas)

- Network:
. Fixed bug #67432 (Fix potential segfault in dns_get_record()).
(CVE-2014-4049). (Sara)

- OPCache:
. Fixed issue #183 (TMP_VAR is not only used once). (Dmitry, Laruence)
Expand All @@ -49,6 +61,8 @@ PHP NEWS
. Fixed bug #66127 (Segmentation fault with ArrayObject unset). (Stas)
. Fixed bug #67359 (Segfault in recursiveDirectoryIterator). (Laruence)
. Fixed bug #67360 (Missing element after ArrayObject::getIterator). (Adam)
. Fixed bug #67492 (unserialize() SPL ArrayObject / SPLObjectStorage Type
Confusion). (CVE-2014-3515) (Stefan Esser)

29 May 2014, PHP 5.5.13

2 changes: 1 addition & 1 deletion configure.in
Expand Up @@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=5
PHP_RELEASE_VERSION=14
PHP_EXTRA_VERSION="-dev"
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`

17 changes: 12 additions & 5 deletions ext/intl/locale/locale_methods.c
Expand Up @@ -269,8 +269,7 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
grOffset = findOffset( LOC_GRANDFATHERED , loc_name );
if( grOffset >= 0 ){
if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
tag_value = estrdup(loc_name);
return tag_value;
return estrdup(loc_name);
} else {
/* Since Grandfathered , no value , do nothing , retutn NULL */
return NULL;
Expand All @@ -280,8 +279,8 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
if( fromParseLocale==1 ){
/* Handle singletons */
if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){
return (char *)loc_name;
if( strlen(loc_name)>1 && isIDPrefix(loc_name) ){
return estrdup(loc_name);
}
}

Expand Down Expand Up @@ -498,8 +497,16 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME
RETURN_FALSE;
}

if(loc_name_len > ULOC_FULLNAME_CAPACITY) {
/* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */
spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name );
intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, msg , 1 TSRMLS_CC );
efree(msg);
RETURN_FALSE;
}

if(loc_name_len == 0) {
loc_name = intl_locale_get_default(TSRMLS_C);
loc_name = INTL_G(default_locale);
}

if( strcmp(tag_name, DISP_NAME) != 0 ){
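Review bot: The guard `if(loc_name_len > ULOC_FULLNAME_CAPACITY)` in get_icu_disp_value_src_php still passes a name of exactly ULOC_FULLNAME_CAPACITY bytes on to ICU, and nothing in the hunk shows whether ICU's internal copies at that size leave room for the terminator (the bug title names libicu 4.8.1); a conservative `if(loc_name_len >= ULOC_FULLNAME_CAPACITY) {` or a regression case at exactly the capacity and one past it would pin the boundary. The guard sits before the empty-name fallback, so INTL_G(default_locale) is never length-checked here; a comment such as `/* length check covers the caller-supplied name only; the default locale bypasses it */` would record that as intentional rather than an oversight. In the two get_icu_value_internal hunks every return path now hands back an estrdup'd copy, which is what removes the non-owned pointer behind the double free; the function's header comment should state that the caller must efree the result on every path. Both functions begin before and end after the hunks shown.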
7 changes: 4 additions & 3 deletions ext/intl/tests/bug62082.phpt
Expand Up @@ -10,6 +10,7 @@ var_dump(locale_get_display_name(str_repeat("a", 300), null));
var_dump(locale_get_display_name(str_repeat("a", 512), null));
var_dump(locale_get_display_name(str_repeat("a", 600), null));
--EXPECT--
string(300) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
string(512) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
string(600) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
bool(false)
bool(false)
bool(false)

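Review bot: The three over-long names now expect `bool(false)`, but the test never checks why the call failed, so any unrelated failure (a bad default locale, some other ICU error) would pass just the same; adding `var_dump(intl_get_error_message());` after each call, as bug67397.phpt does, would tie the expectation to the too-long rejection. The 300-character call is visible only in the hunk header; the rest of the test lies outside the shown range.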
21 changes: 21 additions & 0 deletions ext/intl/tests/bug67397.phpt
@@ -0,0 +1,21 @@
--TEST--
Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
--SKIPIF--
<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
--FILE--
<?php

function ut_main()
{
$ret = var_export(ut_loc_get_display_name(str_repeat('*', 256), 'en_us'), true);
$ret .= "\n";
$ret .= var_export(intl_get_error_message(), true);
return $ret;
}

include_once( 'ut_common.inc' );
ut_run();
?>
--EXPECTF--
false
'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR'
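Review bot: The new test probes only a 256-character name, far past ULOC_FULLNAME_CAPACITY, so it cannot distinguish `>` from `>=` in the guard it exercises; adding calls at exactly the capacity and one past it would pin the boundary the fix depends on. The expected block is declared `--EXPECTF--` yet contains no format directives, so `--EXPECT--` would compare exactly and avoid any accidental `%` interpretation.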
6 changes: 5 additions & 1 deletion ext/intl/tests/locale_parse_locale2.phpt
Expand Up @@ -63,7 +63,8 @@ function ut_main()
//Some Invalid Tags:
'de-419-DE',
'a-DE',
'ar-a-aaa-b-bbb-a-ccc'
'ar-a-aaa-b-bbb-a-ccc',
'x-AAAAAA',
);


Expand Down Expand Up @@ -201,3 +202,6 @@ No values found from Locale parsing.
---------------------
ar-a-aaa-b-bbb-a-ccc:
language : 'ar' ,
---------------------
x-AAAAAA:
private0 : 'AAAAAA' ,
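Review bot: `'x-AAAAAA',` is appended to the list introduced as `//Some Invalid Tags:` (visible in the hunk header), yet the expected output shows it parsing successfully to `private0 : 'AAAAAA' ,`, so the comment now misdescribes the entry. It presumably exists as the regression case for the private-use singleton path of get_icu_value_internal that now returns a copy (bug #67349 in NEWS); a trailing comment such as `'x-AAAAAA', // private-use singleton: valid, exercises the parseLocale copy path (bug #67349)` would say so. ut_main starts before the hunk.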
2 changes: 1 addition & 1 deletion ext/spl/spl_array.c
Expand Up @@ -1796,7 +1796,7 @@ SPL_METHOD(Array, unserialize)
++p;

ALLOC_INIT_ZVAL(pmembers);
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
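Review bot: The new `|| Z_TYPE_P(pmembers) != IS_ARRAY` in Array::unserialize rejects a non-array members blob without saying why, and the identical addition in ext/spl/spl_observer.c (SplObjectStorage::unserialize) has the same gap; a comment such as `/* members must be an array: the code below consumes it as a hash table (bug #67492) */` at both sites would explain the check, hedged here because the consuming code is outside the hunk. The diff adds a bad-blob case to SplObjectStorage_unserialize_bad.phpt but no ArrayObject counterpart, so the spl_array.c half of the fix is untested by this change; a serialized ArrayObject whose `m:` part is a scalar rather than an array would cover it. Both methods begin before and continue after the hunks shown.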
2 changes: 1 addition & 1 deletion ext/spl/spl_observer.c
Expand Up @@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
++p;

ALLOC_INIT_ZVAL(pmembers);
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
zval_ptr_dtor(&pmembers);
goto outexcept;
}
5 changes: 4 additions & 1 deletion ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
Expand Up @@ -7,6 +7,7 @@ $badblobs = array(
'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
);
foreach($badblobs as $blob) {
try {
Expand All @@ -17,6 +18,7 @@ try {
echo $e->getMessage()."\n";
}
}
echo "DONE\n";
--EXPECTF--
Error at offset 6 of 34 bytes
Error at offset 46 of 89 bytes
Expand All @@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
}
}
}

Error at offset 79 of 78 bytes
DONE
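Review bot: The new expectation `Error at offset 79 of 78 bytes` reports a position one byte past the end of the 78-byte input, which suggests the offset is taken from a cursor that php_var_unserialize had already advanced past the buffer rather than from where the type check failed; freezing that into the expected output locks in a misleading message. Worth confirming how the outexcept path computes the offset (outside this diff) before accepting the number; if it is genuinely correct, a one-line comment in the test explaining why 79 exceeds 78 would spare the next reader the same question.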
4 changes: 4 additions & 0 deletions ext/standard/dns.c
Expand Up @@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int

while (ll < dlen) {
n = cp[ll];
if ((ll + n) >= dlen) {
// Invalid chunk length, truncate
n = dlen - (ll + 1);
}
memcpy(tp + ll , cp + ll + 1, n);
add_next_index_stringl(entries, cp + ll + 1, n, 1);
ll = ll + n + 1;
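Review bot: The clamp `n = dlen - (ll + 1);` silently keeps a truncated chunk instead of rejecting the malformed record, so callers of php_parserr receive a partial TXT string with no sign that the response was inconsistent; if that leniency is intended the comment should say so, e.g. `/* chunk claims more bytes than remain in the RDATA: clamp to what is left instead of reading past the record */`. The guard itself is right, since the chunk occupies cp[ll+1..ll+n] and ll+n must stay below dlen, and because the loop condition keeps ll < dlen the clamped value is never negative. The `//` comment is the only C99-style one in sight; if the rest of the file uses `/* */` (the hunk shows no other comment) it is worth matching. php_parserr continues outside the hunk, and the sizing of tp relative to dlen is not visible here.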
8 changes: 4 additions & 4 deletions ext/standard/info.c
Expand Up @@ -866,16 +866,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)

php_info_print_table_start();
php_info_print_table_header(2, "Variable", "Value");
if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
}
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
}
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
}
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
}
php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
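Review bot: The four `Z_TYPE_PP(data) == IS_STRING` guards in php_print_info are hand-copied instances of one pattern, and a non-string value set by the script (the `$PHP_SELF = 1` case in bug67498.phpt) now silently vanishes from the Variables table rather than being rendered; if omission is the intent it deserves a comment, otherwise a string conversion on a copy of the zval would keep the row. Either way a small table-driven loop keeps the four lookups identical, which matters for a check whose whole purpose is to stop reading Z_STRVAL of a non-string; the loop index would need declaring at the top of the function if C89 is still required. php_print_info starts before and ends after the hunk.
```c
	/* Only print script-visible variables that really are strings: reading
	 * Z_STRVAL of anything else is the type confusion behind bug #67498. */
	static const char *const info_vars[] = { "PHP_SELF", "PHP_AUTH_TYPE", "PHP_AUTH_USER", "PHP_AUTH_PW" };
	size_t i;
	for (i = 0; i < sizeof info_vars / sizeof info_vars[0]; i++) {
		if (zend_hash_find(&EG(symbol_table), info_vars[i], strlen(info_vars[i]) + 1, (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
			php_info_print_table_row(2, info_vars[i], Z_STRVAL_PP(data));
		}
	}
	/* … unchanged: php_print_gpcse_array calls … */
```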
15 changes: 15 additions & 0 deletions ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
--TEST--
phpinfo() Type Confusion Information Leak Vulnerability
--FILE--
<?php
$PHP_SELF = 1;
phpinfo(INFO_VARIABLES);

?>
==DONE==
--EXPECTF--
phpinfo()

PHP Variables
%A
==DONE==
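Review bot: `%A` after `PHP Variables` matches anything, so the test only proves phpinfo(INFO_VARIABLES) survives an integer $PHP_SELF; it does not check that the row is omitted, and it leaves the other three lookups guarded in info.c (PHP_AUTH_TYPE, PHP_AUTH_USER, PHP_AUTH_PW) unexercised. Setting all four to non-string values, e.g. `$PHP_AUTH_TYPE = array(); $PHP_AUTH_USER = 1.5; $PHP_AUTH_PW = null;` next to the existing line, would cover every new guard with the same expectation.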
84 changes: 84 additions & 0 deletions ext/standard/tests/serialize/bug67072_2.phpt
@@ -0,0 +1,84 @@
--TEST--
Bug #67072 Echoing unserialized "SplFileObject" crash - BC break fixes
--FILE--
<?php
class MySplFileObject extends SplFileObject {}
class MyArrayObject extends ArrayObject{ var $a = 1; }
echo unserialize('O:15:"MySplFileObject":1:{s:9:"*filename";s:15:"/home/flag/flag";}');

function testClass($className)
{
// simulate phpunit
$object = unserialize(sprintf('O:%d:"%s":0:{}', strlen($className), $className));
return $object;
}

class MyClass {}
class MyClassSer implements Serializable {
function serialize() { return "";}
function unserialize($data) { }
}
class MyClassSer2 extends MyClassSer {
}

$classes = array('stdClass', 'MyClass', 'MyClassSer', 'MyClassSer2', 'SplFileObject', 'MySplFileObject',
'SplObjectStorage', 'FooBar', 'Closure', 'ArrayObject', 'MyArrayObject',
'Directory'
);
foreach($classes as $cl) {
var_dump(testClass($cl));
}

?>
===DONE==
--EXPECTF--
Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 4

Notice: unserialize(): Error at offset 26 of 66 bytes in %s on line 4
object(stdClass)#%d (0) {
}
object(MyClass)#%d (0) {
}
object(MyClassSer)#%d (0) {
}
object(MyClassSer2)#%d (0) {
}

Warning: Erroneous data format for unserializing 'SplFileObject' in %s on line 9

Notice: unserialize(): Error at offset 24 of 25 bytes in %s on line 9
bool(false)

Warning: Erroneous data format for unserializing 'MySplFileObject' in %s on line 9

Notice: unserialize(): Error at offset 26 of 27 bytes in %s on line 9
bool(false)
object(SplObjectStorage)#%d (1) {
["storage":"SplObjectStorage":private]=>
array(0) {
}
}
object(__PHP_Incomplete_Class)#%d (1) {
["__PHP_Incomplete_Class_Name"]=>
string(6) "FooBar"
}

Warning: Erroneous data format for unserializing 'Closure' in %s on line 9

Notice: unserialize(): Error at offset 17 of 18 bytes in %s on line 9
bool(false)
object(ArrayObject)#%d (1) {
["storage":"ArrayObject":private]=>
array(0) {
}
}
object(MyArrayObject)#1 (2) {
["a"]=>
int(1)
["storage":"ArrayObject":private]=>
array(0) {
}
}
object(Directory)#1 (0) {
}
===DONE==
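Review bot: The expected output uses `#%d` for most object handles but a literal `#1` in `object(MyArrayObject)#1 (2) {` and `object(Directory)#1 (0) {`, which ties those two cases to reuse of handle 1 and will break under any change in object lifetime during the loop; `object(MyArrayObject)#%d (2) {` and `object(Directory)#%d (0) {` match the rest of the file. The `/home/flag/flag` string in the MySplFileObject payload is only ever rejected per the expected warning, but a short comment saying the test never opens that path would save readers checking.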