1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
|
From 2d07f00b73d8f94099850e0f5983e1cc5817c196 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Sat, 30 Nov 2019 12:26:37 +0100
Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
We must not rely on `isdigit()` to detect digits, since we only support
decimal ASCII digits in the following processing.
(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
Upstream-Status: Accepted
CVE: CVE-2019-11046
Reference to upstream patch:
http://git.php.net/?p=php-src.git;a=commit;h=eb23c6008753b1cdc5359dead3a096dce46c9018
http://git.php.net/?p=php-src.git;a=commit;h=2d07f00b73d8f94099850e0f5983e1cc5817c196
---
ext/bcmath/libbcmath/src/str2num.c | 4 ++--
ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++
2 files changed, 15 insertions(+), 2 deletions(-)
create mode 100644 ext/bcmath/tests/bug78878.phpt
diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
index f38d341570..03aec15930 100644
--- a/ext/bcmath/libbcmath/src/str2num.c
+++ b/ext/bcmath/libbcmath/src/str2num.c
@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
zero_int = FALSE;
if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
while (*ptr == '0') ptr++; /* Skip leading zeros. */
- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
+ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
if (*ptr == '.') ptr++; /* decimal point */
- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
+ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
if ((*ptr != '\0') || (digits+strscale == 0))
{
*num = bc_copy_num (BCG(_zero_));
diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
new file mode 100644
index 0000000000..2c9d72b946
--- /dev/null
+++ b/ext/bcmath/tests/bug78878.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #78878 (Buffer underflow in bc_shift_addsub)
+--SKIPIF--
+<?php
+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
+?>
+--FILE--
+<?php
+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
+?>
+--EXPECT--
+bc math warning: non-zero scale in modulus
+0
--
2.11.0
|
