From 1967feeb25fdc4a738637518381576d1f7c23a2c Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 29 Jun 2020 14:25:28 +0200 Subject: [PATCH 1/2] Fix #79756: finfo_file crash (FILEINFO_MIME) If `ctime` returns `NULL`, in which case we must not attempt to copy the buffer, but rather return `NULL` as well. --- ext/fileinfo/tests/bug79756.phpt | 16 ++++++++++++++++ ext/fileinfo/tests/bug79756.xls | Bin 0 -> 10752 bytes main/reentrancy.c | 6 ++++-- 3 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 ext/fileinfo/tests/bug79756.phpt create mode 100644 ext/fileinfo/tests/bug79756.xls diff --git a/ext/fileinfo/tests/bug79756.phpt b/ext/fileinfo/tests/bug79756.phpt new file mode 100644 index 0000000000000..4aeeb2a266faa --- /dev/null +++ b/ext/fileinfo/tests/bug79756.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #79756 (finfo_file crash (FILEINFO_MIME)) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +application/vnd.ms-excel; charset=binary 
diff --git a/ext/fileinfo/tests/bug79756.xls b/ext/fileinfo/tests/bug79756.xls new file mode 100644 index 0000000000000000000000000000000000000000..4087523cf7cfea5ccd534f2931fa1087a9e219ea GIT binary patch literal 10752 zcmeHNZ){sv6+h2*94Bd7C+$Ypvh<}{nzT*Zv>Bsp9d){fu47HNHtqN@#GLp!d9`Cl zwv%=dFb~#mR2mF*3Yr9iGQ=jq7*auE+EPGbLIK9a5U?*D64IvbL&iXCXsh}C&b8}j zCs`91f=#_I_r3ehzkANP=bn4-i=Y2Z)A>h#u;yi{DmRH=E*9z}=z&{kH<#YSA}i1) z>|&u%D1p(uQr<@%c&DhV9|IUbtwH6O*P@0{>rm@a8&H>_Hli*^<(RWJ727L|&-an( zS5$=u4oMnUPHgFu6rLHm7bCg&ay25x>&V4$dh^9%=r2cerT?-AF6S%az5cHYA(01b zVHb_>-D}IcT0YxJbzNic3C6Ofxd9x zgIvhaS&h|;Ip9iEl2U~Q!Fz{osp_}Zx<&hRWl;OyE-gZx3imxt7og5Z5mAbg?(dJl%+&23ck3J@(K)8={@f&CjlTc3lY`QaIA=&ejTenLgZ{_t4iXy)DvN zN#9VG-{h5V=v96N+#|nf0r?g5#@;5eb~RVQA2Z|L)mjDT6uk!Y;R^Z2Ug*#LqZZ?z zvixfLlAOwZJ@&SG?QK9pumtvgw$;D`jZK{IW%_Wd*Iq+!izF-QLn;U3UNycUx3}NGhK~@y^VG6<%j22n3mVhY(|F`% zYN{YpJ#moE$PDP?xC($v9Pcv}2$guTsq$2U$^byXqbx>k59?z)29Ul(lZ4>5B^Z6v;x*MCA)U*l6!P3a1z^zZ9LaVP!5kc zPHsCPN3Zrkb`bK)hdhv;FG)abT<5G1s>r}8OD@PU9*SoNNhrbDPCgJ70X%rXVg;#I zt}1MoU_H_>%ft1vm^LA~-@?HwG;Kw2k4Vewh<0wlLJ$^$8liuPgx{7ve=FcN>N=4< zeftg_9N6E#&pw>XI8I{1$v7!@*i8-FJG!^u&>_+vjgH!7@QwCu{Rix5Jmw@x)SJp3 zcQRv6>RTdv-JCs|2Erb8lChlaq!MUPq|+HY?zq_hxyKTYN0gJ=T7Pu%ct;jA$zdmD zk2oa(6Va4C=nQAlId(FcjwZ8qdJJNn;g}tx#26$^9^Z1@$qhRbBm)1SGnvj%Pz;(x zAp%6v*r=Owv$;$(=Q>+4sgCR)*w=fsuOF`3-~Y*j2M!PP^~0TgM-Cwg4>}miOd_4l zQCu{YxJD!m;|J4Df}PNqLHC$rAB#paINj#lW3lYeNXCulF!D(^M$5svjULKGhejX= z2uPT8QZY*KaA45U&v=Te4?}{J!g)BB8Bf5Y2|JohI+>AZD&}D5vg3nUH|9E7`)Cs5 zk%fnkJJ}o}69z|NAFZ>K4*K3gabx3yN!Lkahn&Yi#*;4g)MDa#vnMjZ#6 z^Gza&XetN$iq_Y6V#J(yI-TmW$Ka4j2exIqY$rFg5rIX;GLC&o5RUsJ-`H#%N;E{{i4Di(EEl<{IBfp@U%NGwP$y4^t2z9_4srXgA@ywPr9rwtKsZD_&dM5 z^t9v%Fd_Mznk~}4&X~$~a-D6|6sUL~wYawY?nmA_yR7^kV2-OTzt>=g{!*y?9z*-zG#@$k1*q8A@OFo|r?JG~zAG5;}-HqyPIU7;}M&wxC|$0ZmE0&-IYj5#(S zoA{7Ok(VF3@F}Z;E(l0Kj#t1CPIF+4j)0t3x@ikz1N{&^b70iHnvNgRs$mSffP7VL zE6L-6R1KqFs(JYlwi-rnRl^YYb6{L=0`l7mJCL~M&@m!Q@=E?=tkhTend2F%f?;~k 
zfgu~rfgwGkkIHddGY@QS73>}TJSoC{M4r)Dw(!QwFT~Qk)p{qEk-b_kKdAXhK(L23 zm!W5vtWh}W{h(i?m%%bd)&h!v^D(L|Y#-T65FFRSf)d=113W1hKkJmD7PPj0U^Q?b z&MxGvg|zhw=Nn_I4bntDkBk!n&vo)^ycwKN+Et>#`GKSU#4-Nbl$*FZ8?Yu8W3 z21mYcB2bBAtarliraz9yb@J0smvH1`LPDi|CUdFlp(qk3)n*@3tf z$`=QWd|U)NGBhAkR~>Y|TK%;FO9AmaaP{D-RSdm#Jun}^MX1404W^eHFd1ptD!f^E z<5i~O#HWwQ& &`l1Y>B-(#HCbBVaEhKHw0Hin9!dS!0^xqB|sY+iP=7Dw01M94U z{RQcOiG+pehY5@eE|ZR5Qx~7F$sLTh*;@g{hGUkALo+#8SBQVM8}BP5pob7k>Sh^# z)x{_E%E#`wAb#A}EN6r4JK`a|mh!IB++tz4&niv@cheuL&4Q^^N-n}lr& zGXP3)n_^yg_l}6|9T7Nc$s+=uOCzFPMD%WMIwGd2LyqQ^5xLBWbbChxtI(211U&EM zhV2?c~1+u`QWyNaBdp-yiz`x9<~eHvqq@(Hef2i&1d zI-8E??7kC2_y+W`k8T-=4&vnQXqfDA<8kwyP+69KL;RUem(Hpj7qRB>fLmP{*XK`u z{jYBw90@=1<&bRd_~9S9B8GwBj*<8=RC1m`<=XlHD(Aq1sGJ99P&pT#MCE*V8kK9_ zbEupbzeD9}cOI47;nz^Py?ql^k8efeUVTS&55YcJxS#O0$$R^~nW){HoN%&p@m|`6 z+O%T_Y6Mjxr%&DXc+j+uJoSg!)jziszHIu!O#Ym=_k4UN3rA<^gD`Na1c5i zGr%R>**|j!`({}z>;594g?^LbES7B!9gpayXLFxJFb{zC^L)orBZp-i_K)J%2mI~N ze*6k3u46(-4!?v*1F~@GEcVZQxmf$@uShYG)yQ7-Fr+#-`U|9`>9h0Su%9_Rx3Eb| U#w^wU-rwIWxwCl~{*(Uy1!!?=+5i9m literal 0 HcmV?d00001 diff --git a/main/reentrancy.c b/main/reentrancy.c index 213e82bd8c456..a38eca33d4984 100644 --- a/main/reentrancy.c +++ b/main/reentrancy.c @@ -187,11 +187,13 @@ PHPAPI char *php_ctime_r(const time_t *clock, char *buf) local_lock(CTIME_R); tmp = ctime(clock); - strcpy(buf, tmp); + if (tmp) { + strcpy(buf, tmp); + } local_unlock(CTIME_R); - return buf; + return tmp ? buf : NULL; } #endif From 352f2c1a3e99d55f3f583ff51c6300483b8322df Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 29 Jun 2020 16:10:33 +0200 Subject: [PATCH 2/2] Handle asctime() returning NULL as well While the microsoft documentation states that "there is no error return value", we're better safe than sorry. We also refactor to match the already existing `NULL` handling in `php_localtime_r()` and `php_gmtime_r()`. --- main/reentrancy.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
diff --git a/main/reentrancy.c b/main/reentrancy.c
index a38eca33d4984..6699817510b56 100644
--- a/main/reentrancy.c
+++ b/main/reentrancy.c
@@ -189,11 +189,12 @@ PHPAPI char *php_ctime_r(const time_t *clock, char *buf)
 tmp = ctime(clock);
 if (tmp) {
 strcpy(buf, tmp);
+ tmp = buf;
 }
 local_unlock(CTIME_R);
- return tmp ? buf : NULL;
+ return tmp;
 }
 #endif
@@ -207,11 +208,14 @@ PHPAPI char *php_asctime_r(const struct tm *tm, char *buf)
 local_lock(ASCTIME_R);
 tmp = asctime(tm);
- strcpy(buf, tmp);
+ if (tmp) {
+ strcpy(buf, tmp);
+ tmp = buf;
+ }
 local_unlock(ASCTIME_R);
- return buf;
+ return tmp;
 }
 #endif
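Review bot: The `strcpy(buf, tmp);` inside the `if (tmp)` blocks of php_ctime_r and php_asctime_r is still unbounded: neither wrapper takes a buffer size, so the copy is only safe if the caller's `buf` is at least as long as the string the C library returns. POSIX specifies 26 bytes for the `ctime_r`/`asctime_r` buffers, and a comment stating that requirement next to each copy would document the assumption, e.g. `/* buf must provide at least 26 bytes, as for POSIX asctime_r() */`. Whether the platform `ctime()`/`asctime()` behind this fallback can return a longer string for out-of-range years is library-specific and not visible here, so that is worth confirming. Both function bodies start above their hunks.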