[prev in list] [next in list] [prev in thread] [next in thread]
List: pecl-cvs
Subject: [PECL-CVS] =?utf-8?q?svn:_/pecl/dbase/trunk/_dbf=5Fhead.c_dbf=5Fndx.c_dbf=5Frec.c_package.xml_tests/
From: Christoph_Michael_Becker <cmb () php ! net>
Date: 2019-10-20 13:04:10
Message-ID: svn-cmb-1571576650-348189-1331830426 () svn ! php ! net
[Download RAW message or body]
cmb Sun, 20 Oct 2019 13:04:10 +0000
Revision: http://svn.php.net/viewvc?view=revision&revision=348189
Log:
Fix #78668: Out-of-bounds Read in dbase.c
We have to gracefully bail out whenever read() failed to read the
desired number of bytes, not only when it didn't read anything.
Bug: https://bugs.php.net/78668 (error getting bug information)
Changed paths:
U pecl/dbase/trunk/dbf_head.c
U pecl/dbase/trunk/dbf_ndx.c
U pecl/dbase/trunk/dbf_rec.c
U pecl/dbase/trunk/package.xml
A pecl/dbase/trunk/tests/bug78668.dbf
A pecl/dbase/trunk/tests/bug78668.phpt
Modified: pecl/dbase/trunk/dbf_head.c
===================================================================
--- pecl/dbase/trunk/dbf_head.c 2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/dbf_head.c 2019-10-20 13:04:10 UTC (rev 348189)
@@ -34,7 +34,7 @@
efree(dbh);
return NULL;
}
- if ((ret = read(fd, &dbhead, sizeof(dbhead))) <= 0) {
+ if ((ret = read(fd, &dbhead, sizeof(dbhead))) != sizeof(dbhead)) {
efree(dbh);
return NULL;
}
@@ -171,7 +171,7 @@
struct dbf_dfield dbfield;
int ret;
- if ((ret = read(dbh->db_fd, &dbfield, sizeof(dbfield))) <= 0) {
+ if ((ret = read(dbh->db_fd, &dbfield, sizeof(dbfield))) != sizeof(dbfield)) {
return ret;
}
Modified: pecl/dbase/trunk/dbf_ndx.c
===================================================================
--- pecl/dbase/trunk/dbf_ndx.c 2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/dbf_ndx.c 2019-10-20 13:04:10 UTC (rev 348189)
@@ -20,7 +20,7 @@
dp = (dndx_header_t *)emalloc(NDX_PAGE_SZ);
np = (ndx_header_t *)emalloc(sizeof(ndx_header_t));
- if ((lseek(fd, 0, 0) < 0) || (read(fd, dp, NDX_PAGE_SZ) < 0)) {
+ if ((lseek(fd, 0, 0) < 0) || (read(fd, dp, NDX_PAGE_SZ) != NDX_PAGE_SZ)) {
efree(dp); efree(np);
return NULL;
}
@@ -54,7 +54,7 @@
rp = (ndx_record_t *)emalloc(sizeof(ndx_record_t) * hp->ndx_keys_ppg);
fp->ndxp_page_data = dp;
if ((lseek(hp->ndx_fd, pageno * NDX_PAGE_SZ, 0) < 0) ||
- (read(hp->ndx_fd, dp, NDX_PAGE_SZ) < 0)) {
+ (read(hp->ndx_fd, dp, NDX_PAGE_SZ) != NDX_PAGE_SZ)) {
efree(fp); efree(dp);
return NULL;
}
Modified: pecl/dbase/trunk/dbf_rec.c
===================================================================
--- pecl/dbase/trunk/dbf_rec.c 2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/dbf_rec.c 2019-10-20 13:04:10 UTC (rev 348189)
@@ -126,7 +126,7 @@
new_cnt = 0;
rec_cnt = dbh->db_records;
while (rec_cnt > 0) {
- if (get_piece(dbh, in_off, cp, dbh->db_rlen) < 0) {
+ if (get_piece(dbh, in_off, cp, dbh->db_rlen) != dbh->db_rlen) {
php_error_docref(NULL, E_WARNING, "unable to read from the file");
efree(cp);
return -1;
Modified: pecl/dbase/trunk/package.xml
===================================================================
--- pecl/dbase/trunk/package.xml 2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/package.xml 2019-10-20 13:04:10 UTC (rev 348189)
@@ -118,6 +118,8 @@
<file name="bug73442.phpt" role="test" />
<file name="bug73447.phpt" role="test" />
<file name="bug78070.phpt" role="test" />
+ <file name="bug78668.phpt" role="test" />
+ <file name="bug78668.dbf" role="test" />
<file name="dbase_add_record_basic.phpt" role="test" />
<file name="dbase_add_record_error.phpt" role="test" />
<file name="dbase_add_record_variation1.phpt" role="test" />
Added: pecl/dbase/trunk/tests/bug78668.dbf
===================================================================
--- pecl/dbase/trunk/tests/bug78668.dbf (rev 0)
+++ pecl/dbase/trunk/tests/bug78668.dbf 2019-10-20 13:04:10 UTC (rev 348189)
@@ -0,0 +1 @@
+ffffffffffffffffjrh
\ No newline at end of file
Added: pecl/dbase/trunk/tests/bug78668.phpt
===================================================================
--- pecl/dbase/trunk/tests/bug78668.phpt (rev 0)
+++ pecl/dbase/trunk/tests/bug78668.phpt 2019-10-20 13:04:10 UTC (rev 348189)
@@ -0,0 +1,18 @@
+--TEST--
+Bug #78668 (Out-of-bounds Read in dbase.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('dbase')) die('skip dbase extension not available');
+?>
+--FILE--
+<?php
+$db_path = __DIR__ . "/bug78668.dbf";
+$dbh = dbase_open($db_path, 0);
+$column_info = dbase_get_header_info($dbh);
+?>
+===DONE===
+--EXPECTF--
+Warning: dbase_open(): unable to open database %s on line %d
+
+Warning: dbase_get_header_info() expects parameter 1 to be resource, bool%S given in %s on line %d
+===DONE===
--
PECL CVS Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic