[Pkg-php-commits] [php/debian-sid] Cherry-pick fix for crashes on invalid parameters in intl extension. (CVE-2010-4409).

Ondřej Surý ondrej at sury.org
Tue Dec 7 10:17:33 UTC 2010


---
 debian/patches/CVE-2010-4409.patch |   71 ++++++++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 72 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2010-4409.patch

diff --git a/debian/patches/CVE-2010-4409.patch b/debian/patches/CVE-2010-4409.patch
new file mode 100644
index 0000000..86eda13
--- /dev/null
+++ b/debian/patches/CVE-2010-4409.patch
@@ -0,0 +1,71 @@
+--- a/ext/intl/dateformat/dateformat_attr.c
++++ b/ext/intl/dateformat/dateformat_attr.c
+@@ -309,6 +309,7 @@ PHP_FUNCTION( datefmt_get_locale )
+ 	DATE_FORMAT_METHOD_FETCH_OBJECT;
+ 
+ 	loc = (char *)udat_getLocaleByType(DATE_FORMAT_OBJECT(dfo), loc_type,&INTL_DATA_ERROR_CODE(dfo));
++	INTL_METHOD_CHECK_STATUS(dfo, "Error getting locale");
+ 	RETURN_STRING(loc, 1);
+ }
+ /* }}} */
+--- a/ext/intl/tests/dateformat_get_locale.phpt
++++ b/ext/intl/tests/dateformat_get_locale.phpt
+@@ -29,6 +29,12 @@ function ut_main()
+ 		$res_str .= "\nAfter call to get_locale :  locale= $locale";
+ 		$res_str .= "\n";
+ 	}
++	$badvals = array(100, -1, 4294901761);
++	foreach($badvals as $badval) {
++		if(ut_datefmt_get_locale($fmt, $badval)) {
++			$res_str .= "datefmt_get_locale should return false for bad argument $badval\n";
++		}
++	}
+ 
+ 	return $res_str;
+ 
+--- a/ext/intl/tests/formatter_get_set_symbol.phpt
++++ b/ext/intl/tests/formatter_get_set_symbol.phpt
+@@ -73,7 +73,12 @@ function ut_main()
+         // Restore attribute's symbol.
+         ut_nfmt_set_symbol( $fmt, $symb, $orig_val );
+     }
+-
++    $badvals = array(2147483648, -2147483648, -1, 4294901761);
++    foreach($badvals as $badval) {
++	    if(ut_nfmt_get_symbol( $fmt, 2147483648 ))  {
++		$res_str .= "Bad value $badval should return false!\n";
++	    }
++    }
+     return $res_str;
+ }
+ 
+--- a/ext/intl/formatter/formatter_attr.c
++++ b/ext/intl/formatter/formatter_attr.c
+@@ -250,7 +250,7 @@ PHP_FUNCTION( numfmt_get_symbol )
+ 	long symbol;
+ 	UChar value_buf[4];
+ 	UChar *value = value_buf;
+-	int length = USIZE(value);
++	int length = USIZE(value_buf);
+ 	FORMATTER_METHOD_INIT_VARS;
+ 
+ 	/* Parse parameters. */
+@@ -262,12 +262,17 @@ PHP_FUNCTION( numfmt_get_symbol )
+ 
+ 		RETURN_FALSE;
+ 	}
++	
++	if(symbol >= UNUM_FORMAT_SYMBOL_COUNT || symbol < 0) {
++		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,	"numfmt_get_symbol: invalid symbol value", 0 TSRMLS_CC );
++		RETURN_FALSE;
++	}
+ 
+ 	/* Fetch the object. */
+ 	FORMATTER_METHOD_FETCH_OBJECT;
+ 
+ 	length = unum_getSymbol(FORMATTER_OBJECT(nfo), symbol, value_buf, length, &INTL_DATA_ERROR_CODE(nfo));
+-	if(INTL_DATA_ERROR_CODE(nfo) == U_BUFFER_OVERFLOW_ERROR && length >= USIZE( value )) {
++	if(INTL_DATA_ERROR_CODE(nfo) == U_BUFFER_OVERFLOW_ERROR && length >= USIZE( value_buf )) {
+ 		++length; /* to avoid U_STRING_NOT_TERMINATED_WARNING */
+ 		INTL_DATA_ERROR_CODE(nfo) = U_ZERO_ERROR;
+ 		value = eumalloc(length);
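Review bot: In the formatter_get_set_symbol.phpt section of the added patch, the new loop over `$badvals` never passes the loop variable; every iteration calls `ut_nfmt_get_symbol( $fmt, 2147483648 )`. As a result `-2147483648`, `-1` and `4294901761` appear only in the failure message and are never sent to the function, so the `symbol < 0` half of the new range check in numfmt_get_symbol has no regression coverage. The call should read `if(ut_nfmt_get_symbol( $fmt, $badval ))  {`, matching the datefmt_get_locale test, which does pass `$badval`. Both tests append to `$res_str` only on failure, so whether a regression is reported depends on the expected-output section of each .phpt, which is outside the lines shown here.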
diff --git a/debian/patches/series b/debian/patches/series
index c164691..4fd8cea 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -71,3 +71,4 @@ bug53070.patch
 bug53323.patch
 reject-filenames-with-null-r305507.patch
 fix-open_basedir-with-separator-r305698.patch
+CVE-2010-4409.patch
-- 
1.7.1




