
fix bug #71719 (Buffer overflow in HTTP url parsing functions)

The parser's offset was not reset when we softfail in scheme
parsing and continue to parse a path.
Thanks to hlt99 at blinkenshell dot org for the report.
m6w6 committed Mar 9, 2016
1 parent 60087ee commit 3724cd76a28be1d6049b5537232e97ac567ae1f5
Showing with 31 additions and 4 deletions.
  1. +1 −0 .gitattributes
  2. +5 −4 src/php_http_url.c
  3. +25 −0 tests/bug71719.phpt
  4. BIN tests/data/bug71719.bin
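As an added illustration (not code from the pecl_http project), a simplified C model of the bug the commit message describes: scheme bytes are written into the output buffer while they are being scanned, so a soft fail that rewinds `ptr` but not `offset` lets the path pass write past the `3 * len` bound. `struct parse_state`, `put_byte` and `parse_url_model` are hypothetical stand-ins for the real parser; the `fixed` flag selects pre- and post-commit behaviour, and the model reports an overrun instead of performing it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical parser state (simplified, not php_http's struct): components go into buf at `offset` while scanning. */
struct parse_state {
    const char *ptr, *end;  /* input cursor */
    size_t offset, maxlen;  /* write position in buf, and its capacity */
    char buf[];
};

/* Appends one byte, percent-encoding non-ASCII (3x worst case); returns 0 rather than overrunning buf. */
static int put_byte(struct parse_state *s, unsigned char c) {
    size_t need = c < 0x80 ? 1 : 3;
    if (s->offset + need >= s->maxlen) return 0;   /* keep room for a NUL */
    if (need == 1) s->buf[s->offset] = (char)c;
    else snprintf(s->buf + s->offset, 4, "%%%02X", (unsigned)c);
    s->offset += need;
    return 1;
}

/* Scans a scheme, emitting as it goes (bytes >= 0x80 stand in for the multibyte chars
 * parse_mb accepts). A byte that cannot belong to a scheme soft-fails: ptr is rewound so
 * the input is re-parsed as a path. Only the fixed variant rewinds offset as well. */
static int parse_scheme(struct parse_state *s, int fixed) {
    const char *start = s->ptr;
    for (; s->ptr != s->end; s->ptr++) {
        unsigned char c = (unsigned char)*s->ptr;
        if (c == ':') { s->buf[s->offset++] = '\0'; s->ptr++; return 1; }
        if (!(isalnum(c) || c == '+' || c == '-' || c == '.' || c >= 0x80)) {
            s->ptr = start; if (fixed) s->offset = 0;   /* soft fail; the fix rewinds offset too */
            return 1;
        }
        if (!put_byte(s, c)) return 0;
    }
    return 1;
}

/* 1 if the input fits its 3 * len + 8 allocation, 0 if the parser would overrun it. */
int parse_url_model(const char *str, size_t len, int fixed) {
    size_t maxlen = 3 * len + 8;
    struct parse_state *s = calloc(1, sizeof(*s) + maxlen);
    s->ptr = str; s->end = str + len; s->maxlen = maxlen;
    int ok = parse_scheme(s, fixed);
    for (; ok && s->ptr != s->end; s->ptr++)       /* whatever is left is the path */
        ok = put_byte(s, (unsigned char)*s->ptr);
    if (ok) s->buf[s->offset++] = '\0';
    free(s); return ok;
}
```

A constructed input of eight non-ASCII bytes followed by a space (len 9, allocation 35) is written once during the scheme scan and again as a path, which only fits when the offset is rewound.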
@@ -1,3 +1,4 @@
package.xml merge=touch
php_http.h merge=touch
.travis.yml merge=touch
/tests/data/bug71719.bin -diff -text
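Review bot: `-diff -text` on `/tests/data/bug71719.bin` stops line-ending normalisation and textual diffs of the fixture, which matters because the test depends on its exact bytes; consider the built-in `binary` macro attribute instead (it expands to `-diff -merge -text`) so a merge can never attempt a textual merge of the fixture either. The three existing `merge=touch` entries are untouched.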
@@ -1467,7 +1467,7 @@ static const char *parse_scheme(struct parse_state *state)
case '7': case '8': case '9':
case '+': case '-': case '.':
if (state->ptr == tmp) {
return tmp;
goto softfail;
}
/* no break */
case 'A': case 'B': case 'C': case 'D': case 'E': case 'F': case 'G':
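Review bot: replacing `return tmp;` with `goto softfail;` in the digit and `+`/`-`/`.` case is only sufficient if every soft-fail exit of parse_scheme goes through that label, since the offset reset now lives there; this hunk converts one early return, so it is worth checking parse_scheme for any remaining `return tmp;` that would bypass the reset. The `/* no break */` fall-through into the letter cases is unaffected, as the `goto` sits inside the `if`.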
@@ -1484,19 +1484,20 @@ static const char *parse_scheme(struct parse_state *state)

default:
if (!(mb = parse_mb(state, PARSE_SCHEME, state->ptr, state->end, tmp, 1))) {
/* soft fail; parse path next */
return tmp;
goto softfail;
}
state->ptr += mb - 1;
}
} while (++state->ptr != state->end);

softfail:
state->offset = 0;
return state->ptr = tmp;
}

php_http_url_t *php_http_url_parse(const char *str, size_t len, unsigned flags TSRMLS_DC)
{
size_t maxlen = 3 * len;
size_t maxlen = 3 * len + 8 /* null bytes for all components */;
struct parse_state *state = ecalloc(1, sizeof(*state) + maxlen);

state->end = str + len;
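Review bot: `state->offset = 0;` at `softfail:` is the actual fix, but nothing documents that `offset` must be zero whenever scheme parsing hands the input over to path parsing; a comment on the label stating that invariant would stop a future early return from quietly reintroducing the overrun. Separately, `3 * len + 8 /* null bytes for all components */` is a magic number: tie the 8 to the number of components php_http_url_t actually holds (a named constant or a static assertion) so that adding a component cannot silently undersize the allocation.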
@@ -0,0 +1,25 @@
--TEST--
Buffer overflow in HTTP url parsing functions
--SKIPIF--
<?php
include "skipif.inc";
?>
--FILE--
<?php
echo "Test\n";
try {
echo new http\Message(file_get_contents(__DIR__."/data/bug71719.bin"), false);
} catch (Exception $e) {
echo $e;
}
?>

===DONE===
--EXPECTF--
Test
%r(exception ')?%rhttp\Exception\BadMessageException%r(' with message '|: )%rhttp\Message::__construct(): Could not parse HTTP protocol version 'HTTP/%s.0'%r'?%r in %sbug71719.php:5
Stack trace:
#0 %sbug71719.php(5): http\Message->__construct('\x80\xACTd 5 HTTP/1.1...', false)
#1 {main}
===DONE===
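Review bot: the test only exercises the 256-byte binary fixture, so nothing in the .phpt shows a reader which input shape triggers the bug; consider adding a second, printable case (a scheme candidate that soft-fails into a path) next to it, and note in a comment that a short heap overrun may only be observed reliably under a memory checker rather than as a crash of the plain build. The `%r...%r` alternation in `--EXPECTF--` that covers both exception renderings looks right.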
BIN +256 Bytes tests/data/bug71719.bin
