
List:       pecl-cvs
Subject:    [PECL-CVS] =?utf-8?q?svn:_/pecl/dbase/trunk/_dbf=5Fhead.c_dbf=5Fndx.c_dbf=5Frec.c_package.xml_tests/
From:       Christoph_Michael_Becker <cmb () php ! net>
Date:       2019-10-20 13:04:10
Message-ID: svn-cmb-1571576650-348189-1331830426 () svn ! php ! net

cmb                                      Sun, 20 Oct 2019 13:04:10 +0000

Revision: http://svn.php.net/viewvc?view=revision&revision=348189

Log:
Fix #78668: Out-of-bounds Read in dbase.c

We have to gracefully bail out whenever read() failed to read the
desired number of bytes, not only when it didn't read anything.

Bug: https://bugs.php.net/78668 (error getting bug information)
      
Changed paths:
    U   pecl/dbase/trunk/dbf_head.c
    U   pecl/dbase/trunk/dbf_ndx.c
    U   pecl/dbase/trunk/dbf_rec.c
    U   pecl/dbase/trunk/package.xml
    A   pecl/dbase/trunk/tests/bug78668.dbf
    A   pecl/dbase/trunk/tests/bug78668.phpt

Modified: pecl/dbase/trunk/dbf_head.c
===================================================================
--- pecl/dbase/trunk/dbf_head.c	2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/dbf_head.c	2019-10-20 13:04:10 UTC (rev 348189)
@@ -34,7 +34,7 @@
 		efree(dbh);
 		return NULL;
 	}
-	if ((ret = read(fd, &dbhead, sizeof(dbhead))) <= 0) {
+	if ((ret = read(fd, &dbhead, sizeof(dbhead)))  != sizeof(dbhead)) {
 		efree(dbh);
 		return NULL;
 	}
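Review bot: The new condition on the read() line compares `ret` with `sizeof(dbhead)`, a `size_t`, so a -1 from read() is converted to unsigned before the comparison; it still fails the check, but `-Wsign-compare` flags it and a reader has to reason about the promotion (ret's declaration is outside this hunk; the sibling hunk at line 45 declares its `ret` as `int`, which is presumably the same convention). Spelling the intent out avoids the ambiguity: `if ((ret = read(fd, &dbhead, sizeof(dbhead))) < 0 || (size_t)ret != sizeof(dbhead)) {`. The doubled space before `!=` on that line looks like a leftover from the edit. The enclosing function begins and ends outside the hunk.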
@@ -171,7 +171,7 @@
 	struct dbf_dfield	dbfield;
 	int ret;

-	if ((ret = read(dbh->db_fd, &dbfield, sizeof(dbfield))) <= 0) {
+	if ((ret = read(dbh->db_fd, &dbfield, sizeof(dbfield))) != sizeof(dbfield)) {
 		return ret;
 	}
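Review bot: On a short read the new check at line 48 returns `ret`, which is now a positive byte count smaller than `sizeof(dbfield)`; if the caller follows the convention the old `<= 0` test and dbf_rec.c's `< 0` test suggest (negative means failure), a truncated field descriptor is reported as success with `dbfield` only partly filled. The caller is outside this hunk, so this is inferred, but returning an unambiguous failure costs nothing: `return ret < 0 ? ret : -1;`, or simply `return -1;` if callers only test the sign. The enclosing function continues past the hunk.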


Modified: pecl/dbase/trunk/dbf_ndx.c
===================================================================
--- pecl/dbase/trunk/dbf_ndx.c	2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/dbf_ndx.c	2019-10-20 13:04:10 UTC (rev 348189)
@@ -20,7 +20,7 @@

 	dp = (dndx_header_t *)emalloc(NDX_PAGE_SZ);
 	np = (ndx_header_t *)emalloc(sizeof(ndx_header_t));
-	if ((lseek(fd, 0, 0) < 0) || (read(fd, dp, NDX_PAGE_SZ) < 0)) {
+	if ((lseek(fd, 0, 0) < 0) || (read(fd, dp, NDX_PAGE_SZ) != NDX_PAGE_SZ)) {
 		efree(dp); efree(np);
 		return NULL;
 	}
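Review bot: The `lseek(fd, 0, 0)` on the changed line passes a bare `0` as the whence argument; since the line is being touched anyway, `lseek(fd, 0, SEEK_SET)` states the intent and matches the only meaning a reader can otherwise guess at. Whether `NDX_PAGE_SZ` is a signed constant is not visible here; if it is an unsigned or `size_t` value the `read(...) != NDX_PAGE_SZ` comparison has the same signed/unsigned promotion as the dbf_head.c hunks. The function's signature is outside the hunk.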
@@ -54,7 +54,7 @@
 	rp = (ndx_record_t *)emalloc(sizeof(ndx_record_t) * hp->ndx_keys_ppg);
 	fp->ndxp_page_data = dp;
 	if ((lseek(hp->ndx_fd, pageno * NDX_PAGE_SZ, 0) < 0) ||
-		(read(hp->ndx_fd, dp, NDX_PAGE_SZ) < 0)) {
+		(read(hp->ndx_fd, dp, NDX_PAGE_SZ) != NDX_PAGE_SZ)) {
 		efree(fp); efree(dp);
 		return NULL;
 	}
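Review bot: The failure path at line 72 frees `fp` and `dp` but not `rp`, which was allocated at line 67 and, as far as the hunk shows, has not been stored anywhere yet; since the new condition also fails on a short read, this leak is now reachable with a truncated index file rather than only on an I/O error. Add it to the cleanup, `efree(fp); efree(dp); efree(rp);`, unless `rp` is owned by something outside the hunk, which the visible lines do not show. The function's head and tail are outside the hunk.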

Modified: pecl/dbase/trunk/dbf_rec.c
===================================================================
--- pecl/dbase/trunk/dbf_rec.c	2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/dbf_rec.c	2019-10-20 13:04:10 UTC (rev 348189)
@@ -126,7 +126,7 @@
 	new_cnt = 0;
 	rec_cnt = dbh->db_records;
 	while (rec_cnt > 0) {
-		if (get_piece(dbh, in_off, cp, dbh->db_rlen) < 0) {
+		if (get_piece(dbh, in_off, cp, dbh->db_rlen) != dbh->db_rlen) {
 			php_error_docref(NULL, E_WARNING, "unable to read from the file");
 			efree(cp);
 			return -1;
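Review bot: The warning at line 86 now fires both for a read error and for a record area shorter than `db_records * db_rlen`, but its text does not tell the two apart and errno is not reported, so a user cannot distinguish a truncated or corrupt .dbf from an I/O problem. A message such as `php_error_docref(NULL, E_WARNING, "unable to read from the file (short read or read error)");`, or a separate `< 0` branch that reports `strerror(errno)`, would make the new failure diagnosable. Whether get_piece() returns a negative value on error or only a byte count is not visible here. The loop body and the function continue outside the hunk.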

Modified: pecl/dbase/trunk/package.xml
===================================================================
--- pecl/dbase/trunk/package.xml	2019-10-20 11:55:35 UTC (rev 348188)
+++ pecl/dbase/trunk/package.xml	2019-10-20 13:04:10 UTC (rev 348189)
@@ -118,6 +118,8 @@
     <file name="bug73442.phpt" role="test" />
     <file name="bug73447.phpt" role="test" />
     <file name="bug78070.phpt" role="test" />
+    <file name="bug78668.phpt" role="test" />
+    <file name="bug78668.dbf" role="test" />
     <file name="dbase_add_record_basic.phpt" role="test" />
     <file name="dbase_add_record_error.phpt" role="test" />
     <file name="dbase_add_record_variation1.phpt" role="test" />

Added: pecl/dbase/trunk/tests/bug78668.dbf
===================================================================
--- pecl/dbase/trunk/tests/bug78668.dbf	                        (rev 0)
+++ pecl/dbase/trunk/tests/bug78668.dbf	2019-10-20 13:04:10 UTC (rev 348189)
@@ -0,0 +1 @@
+ffffffffffffffffjrh
\ No newline at end of file

Added: pecl/dbase/trunk/tests/bug78668.phpt
===================================================================
--- pecl/dbase/trunk/tests/bug78668.phpt	                        (rev 0)
+++ pecl/dbase/trunk/tests/bug78668.phpt	2019-10-20 13:04:10 UTC (rev 348189)
@@ -0,0 +1,18 @@
+--TEST--
+Bug #78668 (Out-of-bounds Read in dbase.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('dbase')) die('skip dbase extension not available');
+?>
+--FILE--
+<?php
+$db_path = __DIR__ . "/bug78668.dbf";
+$dbh = dbase_open($db_path, 0);
+$column_info = dbase_get_header_info($dbh);
+?>
+===DONE===
+--EXPECTF--
+Warning: dbase_open(): unable to open database %s on line %d
+
+Warning: dbase_get_header_info() expects parameter 1 to be resource, bool%S given in %s on line %d
+===DONE===
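Review bot: The test only exercises the header read fixed in dbf_head.c: dbase_open() fails on the short fixture, so `dbase_get_header_info()` is reached with `false` and merely checks the parameter-type warning, while the field-descriptor read in dbf_head.c and the short-read paths in dbf_ndx.c and dbf_rec.c are never hit. Consider adding fixtures truncated inside the field descriptors and inside the record area so each new check is reached, with expectations on the warning each path emits. The `expects parameter 1 to be resource, bool%S given` expectation presumably ties the test to the pre-PHP 8 parameter-parsing message; whether that matters depends on the extension's supported PHP range, which is not visible here.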




