head 1.2; access; symbols pkgsrc-2013Q2:1.2.0.8 pkgsrc-2013Q2-base:1.2 pkgsrc-2012Q4:1.2.0.6 pkgsrc-2012Q4-base:1.2 pkgsrc-2011Q4:1.2.0.4 pkgsrc-2011Q4-base:1.2 pkgsrc-2011Q2:1.2.0.2 pkgsrc-2011Q2-base:1.2; locks; strict; comment @# @; 1.2 date 2010.12.13.13.16.37; author taca; state dead; branches; next 1.1; 1.1 date 2010.11.25.03.43.50; author taca; state Exp; branches; next ; desc @@ 1.2 log @Update lang/php53 package to 5.3.4 (PHP 5.3.4). The PHP development team is proud to announce the immediate release of PHP 5.3.4. This is a maintenance release in the 5.3 series, which includes a large number of bug fixes. Security Enhancements and Fixes in PHP 5.3.4: * Fixed crash in zip extract method (possible CWE-170). * Paths with NULL in them (foo\0bar.txt) are now considered as invalid (CVE-2006-7243). * Fixed a possible double free in imap extension (Identified by Mateusz Kocielski). (CVE-2010-4150). * Fixed NULL pointer dereference in ZipArchive::getArchiveComment. (CVE-2010-3709). * Fixed possible flaw in open_basedir (CVE-2010-3436). * Fixed MOPS-2010-24, fix string validation. (CVE-2010-2950). * Fixed symbolic resolution support when the target is a DFS share. * Fixed bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data) (CVE-2010-3710). Key Bug Fixes in PHP 5.3.4 include: * Added stat support for zip stream. * Added follow_location (enabled by default) option for the http stream support. * Added a 3rd parameter to get_html_translation_table. It now takes a charset hint, like htmlentities et al. * Implemented FR #52348, added new constant ZEND_MULTIBYTE to detect zend multibyte at runtime. * Multiple improvements to the FPM SAPI. * Over 100 other bug fixes. For users upgrading from PHP 5.2 there is a migration guide available here, detailing the changes between those releases and PHP 5.3. For a full list of changes in PHP 5.3.4, see the ChangeLog. For source downloads please visit our downloads page, Windows binaries can be found on windows.php.net/download/. @ text @$NetBSD: patch-ao,v 1.1 2010/11/25 03:43:50 taca Exp $ Fix for CVE-2010-3870 (a part of http://secunia.com/advisories/41724/): http://svn.php.net/viewvc?view=revision&revision=304959 --- ext/xml/xml.c.orig 2010-01-05 13:03:40.000000000 +0000 +++ ext/xml/xml.c @@@@ -659,10 +659,111 @@@@ PHPAPI char *xml_utf8_encode(const char } /* }}} */ +/* copied from trunk's implementation of get_next_char in ext/standard/html.c */ +#define MB_FAILURE(pos, advance) do { \ + *cursor = pos + (advance); \ + *status = FAILURE; \ + return 0; \ +} while (0) + +#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need)) +#define utf8_lead(c) ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4)) +#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF) + +/* {{{ php_next_utf8_char + */ +static inline unsigned int php_next_utf8_char( + const unsigned char *str, + size_t str_len, + size_t *cursor, + int *status) +{ + size_t pos = *cursor; + unsigned int this_char = 0; + unsigned char c; + + *status = SUCCESS; + + if (!CHECK_LEN(pos, 1)) + MB_FAILURE(pos, 1); + + /* We'll follow strategy 2. from section 3.6.1 of UTR #36: + * "In a reported illegal byte sequence, do not include any + * non-initial byte that encodes a valid character or is a leading + * byte for a valid sequence.» */ + c = str[pos]; + if (c < 0x80) { + this_char = c; + pos++; + } else if (c < 0xc2) { + MB_FAILURE(pos, 1); + } else if (c < 0xe0) { + if (!CHECK_LEN(pos, 2)) + MB_FAILURE(pos, 1); + + if (!utf8_trail(str[pos + 1])) { + MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2); + } + this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f); + if (this_char < 0x80) { /* non-shortest form */ + MB_FAILURE(pos, 2); + } + pos += 2; + } else if (c < 0xf0) { + size_t avail = str_len - pos; + + if (avail < 3 || + !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) { + if (avail < 2 || utf8_lead(str[pos + 1])) + MB_FAILURE(pos, 1); + else if (avail < 3 || utf8_lead(str[pos + 2])) + MB_FAILURE(pos, 2); + else + MB_FAILURE(pos, 3); + } + + this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f); + if (this_char < 0x800) { /* non-shortest form */ + MB_FAILURE(pos, 3); + } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */ + MB_FAILURE(pos, 3); + } + pos += 3; + } else if (c < 0xf5) { + size_t avail = str_len - pos; + + if (avail < 4 || + !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) || + !utf8_trail(str[pos + 3])) { + if (avail < 2 || utf8_lead(str[pos + 1])) + MB_FAILURE(pos, 1); + else if (avail < 3 || utf8_lead(str[pos + 2])) + MB_FAILURE(pos, 2); + else if (avail < 4 || utf8_lead(str[pos + 3])) + MB_FAILURE(pos, 3); + else + MB_FAILURE(pos, 4); + } + + this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f); + if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */ + MB_FAILURE(pos, 4); + } + pos += 4; + } else { + MB_FAILURE(pos, 1); + } + + *cursor = pos; + return this_char; +} +/* }}} */ + + /* {{{ xml_utf8_decode */ PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding) { - int pos = len; + size_t pos = 0; char *newbuf = emalloc(len + 1); unsigned int c; char (*decoder)(unsigned short) = NULL; @@@@ -681,36 +782,15 @@@@ PHPAPI char *xml_utf8_decode(const XML_C newbuf[*newlen] = '\0'; return newbuf; } - while (pos > 0) { - c = (unsigned char)(*s); - if (c >= 0xf0) { /* four bytes encoded, 21 bits */ - if(pos-4 >= 0) { - c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63); - } else { - c = '?'; - } - s += 4; - pos -= 4; - } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */ - if(pos-3 >= 0) { - c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63); - } else { - c = '?'; - } - s += 3; - pos -= 3; - } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */ - if(pos-2 >= 0) { - c = ((s[0]&63)<<6) | (s[1]&63); - } else { - c = '?'; - } - s += 2; - pos -= 2; - } else { - s++; - pos--; + + while (pos < (size_t)len) { + int status = FAILURE; + c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status); + + if (status == FAILURE || c > 0xFFU) { + c = '?'; } + newbuf[*newlen] = decoder ? decoder(c) : c; ++*newlen; } @ 1.1 log @ - GC bug fix: http://svn.php.net/viewvc?view=revision&revision=303016 - CVE-2010-3710 (a part of SA41724) http://svn.php.net/viewvc?view=revision&revision=303779 - CVE-2010-3870 (a part of SA41724) http://svn.php.net/viewvc?view=revision&revision=304959 - CVE-2010-4150 (php-imap) http://svn.php.net/viewvc?view=revision&revision=305032 - CVE-2010-4156 (SA42135) http://svn.php.net/viewvc?view=revision&revision=305214 Bump PKGREVISION. @ text @d1 1 a1 1 $NetBSD$ @