
How can I interview Stanislav Malyshev? #2


Open
wants to merge 12 commits into
base: master
from
5 changes: 5 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -426,3 +426,8 @@ New source code files should include the following header block:
```

Thank you for contributing to PHP!

## How can I interview [Stanislav Malyshev](https://github.com/smalyshev)?
Please contact me in one of the suggested ways:
[email: razvanlomov@gmail.com](mailto:razvanlomov@gmail.com)
[telegram: https://t.me/Razzwan](https://t.me/Razzwan)
12 changes: 11 additions & 1 deletion ext/exif/exif.c
Expand Up @@ -3642,6 +3642,16 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
unsigned exif_value_2a, offset_of_ifd;
exif_offset_info info;

if (length < 2) {
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
return;
}

if (length < 2) {
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
return;
}

/* set the thumbnail stuff to nothing so we can test to see if they get set up */
if (memcmp(CharBuf, "II", 2) == 0) {
ImageInfo->motorola_intel = 0;
Expand Down Expand Up @@ -3795,7 +3805,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo)
return FALSE;
}

sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL);
sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);
Data = ImageInfo->file.list[sn].data;

/* Store first two pre-read bytes. */
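Review bot: The `if (length < 2)` guard appears twice in the exif_process_TIFF_in_JPEG hunk, and the second copy is unreachable because the first already returns on the same condition; the section's count of 11 additions against this hunk's header (16 new lines for 6 old, i.e. +10) suggests both copies are genuinely new rather than a rendering artefact, so one of them should be dropped. The guard itself belongs here, since the `memcmp(CharBuf, "II", 2)` that follows reads two bytes. exif_process_TIFF_in_JPEG continues outside the hunk, and exif_scan_JPEG_header in the second hunk starts and ends outside it.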
15 changes: 15 additions & 0 deletions ext/exif/tests/bug79282.phpt
@@ -0,0 +1,15 @@
--TEST--
Bug #79282: Use-of-uninitialized-value in exif
--FILE--
<?php

var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));

?>
--EXPECTF--
Warning: exif_read_data(): Missing TIFF alignment marker in %s on line %d

Warning: exif_read_data(): File structure corrupted in %s on line %d

Warning: exif_read_data(): Invalid JPEG file in %s on line %d
bool(false)
62 changes: 38 additions & 24 deletions ext/fileinfo/libmagic.patch
@@ -1,6 +1,6 @@
diff -u libmagic.orig/apprentice.c libmagic/apprentice.c
--- libmagic.orig/apprentice.c 2019-02-20 03:35:27.000000000 +0100
+++ libmagic/apprentice.c 2020-03-02 15:04:23.670412600 +0100
+++ libmagic/apprentice.c 2020-02-27 11:45:38.445854000 +0100
@@ -29,6 +29,8 @@
* apprentice - make one pass through /etc/magic, learning its secrets.
*/
Expand Down Expand Up @@ -974,7 +974,7 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c
}
diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c
--- libmagic.orig/ascmagic.c 2019-05-07 04:27:11.000000000 +0200
+++ libmagic/ascmagic.c 2020-03-02 15:04:23.671413500 +0100
+++ libmagic/ascmagic.c 2020-02-26 23:18:22.605400700 +0100
@@ -96,7 +96,7 @@
rv = file_ascmagic_with_encoding(ms, &bb,
ubuf, ulen, code, type, text);
Expand Down Expand Up @@ -1005,7 +1005,7 @@ diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c
}
diff -u libmagic.orig/buffer.c libmagic/buffer.c
--- libmagic.orig/buffer.c 2019-05-07 04:27:11.000000000 +0200
+++ libmagic/buffer.c 2020-03-02 15:04:23.672412500 +0100
+++ libmagic/buffer.c 2020-02-27 11:45:38.445854000 +0100
@@ -31,19 +31,23 @@
#endif /* lint */

Expand Down Expand Up @@ -1062,7 +1062,7 @@ diff -u libmagic.orig/buffer.c libmagic/buffer.c

diff -u libmagic.orig/cdf.c libmagic/cdf.c
--- libmagic.orig/cdf.c 2019-02-20 03:35:27.000000000 +0100
+++ libmagic/cdf.c 2020-03-02 15:04:23.674415200 +0100
+++ libmagic/cdf.c 2020-02-27 11:45:38.445854000 +0100
@@ -43,7 +43,17 @@
#include <err.h>
#endif
Expand Down Expand Up @@ -1341,7 +1341,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c
#endif
diff -u libmagic.orig/cdf.h libmagic/cdf.h
--- libmagic.orig/cdf.h 2019-02-20 02:24:19.000000000 +0100
+++ libmagic/cdf.h 2020-03-02 15:04:23.675416900 +0100
+++ libmagic/cdf.h 2020-02-27 11:45:38.445854000 +0100
@@ -35,10 +35,10 @@
#ifndef _H_CDF_
#define _H_CDF_
Expand All @@ -1366,7 +1366,7 @@ diff -u libmagic.orig/cdf.h libmagic/cdf.h
#define CDF_SECID_FREE -1
diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c
--- libmagic.orig/cdf_time.c 2019-03-12 21:43:05.000000000 +0100
+++ libmagic/cdf_time.c 2020-03-02 15:04:23.676413000 +0100
+++ libmagic/cdf_time.c 2020-02-26 23:18:22.611402900 +0100
@@ -23,6 +23,7 @@
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
Expand Down Expand Up @@ -1395,7 +1395,7 @@ diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c
(void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n",
diff -u libmagic.orig/compress.c libmagic/compress.c
--- libmagic.orig/compress.c 2019-05-07 04:27:11.000000000 +0200
+++ libmagic/compress.c 2020-03-02 15:04:23.676413000 +0100
+++ libmagic/compress.c 2020-02-27 11:45:38.445854000 +0100
@@ -45,13 +45,11 @@
#endif
#include <string.h>
Expand Down Expand Up @@ -1545,7 +1545,7 @@ diff -u libmagic.orig/compress.c libmagic/compress.c
+#endif
diff -u libmagic.orig/der.c libmagic/der.c
--- libmagic.orig/der.c 2019-02-20 03:35:27.000000000 +0100
+++ libmagic/der.c 2020-03-02 15:04:23.677412900 +0100
+++ libmagic/der.c 2020-02-27 11:45:38.445854000 +0100
@@ -51,7 +51,9 @@
#include "magic.h"
#include "der.h"
Expand Down Expand Up @@ -1575,7 +1575,7 @@ diff -u libmagic.orig/der.c libmagic/der.c
snprintf(buf + z, blen - z, "%.2x", d[i]);
diff -u libmagic.orig/elfclass.h libmagic/elfclass.h
--- libmagic.orig/elfclass.h 2019-02-20 02:30:19.000000000 +0100
+++ libmagic/elfclass.h 2020-03-02 15:04:23.679414300 +0100
+++ libmagic/elfclass.h 2020-02-26 23:18:22.613401700 +0100
@@ -41,7 +41,7 @@
return toomany(ms, "program headers", phnum);
flags |= FLAGS_IS_CORE;
Expand Down Expand Up @@ -1605,7 +1605,7 @@ diff -u libmagic.orig/elfclass.h libmagic/elfclass.h
CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)),
diff -u libmagic.orig/encoding.c libmagic/encoding.c
--- libmagic.orig/encoding.c 2019-04-15 18:48:41.000000000 +0200
+++ libmagic/encoding.c 2020-03-02 15:04:23.680413600 +0100
+++ libmagic/encoding.c 2020-02-26 23:18:22.614402300 +0100
@@ -89,13 +89,13 @@
*code_mime = "binary";

Expand Down Expand Up @@ -1636,7 +1636,7 @@ diff -u libmagic.orig/encoding.c libmagic/encoding.c
}
diff -u libmagic.orig/file.h libmagic/file.h
--- libmagic.orig/file.h 2019-05-07 04:27:11.000000000 +0200
+++ libmagic/file.h 2020-03-02 15:04:23.682414300 +0100
+++ libmagic/file.h 2020-02-27 11:45:38.445854000 +0100
@@ -33,18 +33,9 @@
#ifndef __file_h__
#define __file_h__
Expand Down Expand Up @@ -1923,7 +1923,7 @@ diff -u libmagic.orig/file.h libmagic/file.h
#endif
diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c
--- libmagic.orig/fsmagic.c 2019-05-07 04:26:48.000000000 +0200
+++ libmagic/fsmagic.c 2020-03-02 15:04:23.683417500 +0100
+++ libmagic/fsmagic.c 2020-02-26 23:18:22.616403500 +0100
@@ -66,26 +66,10 @@
# define minor(dev) ((dev) & 0xff)
#endif
Expand Down Expand Up @@ -2216,7 +2216,7 @@ diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c
case S_IFSOCK:
diff -u libmagic.orig/funcs.c libmagic/funcs.c
--- libmagic.orig/funcs.c 2019-05-07 04:27:11.000000000 +0200
+++ libmagic/funcs.c 2020-03-02 15:04:23.684415800 +0100
+++ libmagic/funcs.c 2020-02-27 11:45:38.445854000 +0100
@@ -31,7 +31,6 @@
#endif /* lint */

Expand Down Expand Up @@ -2572,7 +2572,7 @@ diff -u libmagic.orig/funcs.c libmagic/funcs.c

diff -u libmagic.orig/magic.c libmagic/magic.c
--- libmagic.orig/magic.c 2019-05-07 04:27:11.000000000 +0200
+++ libmagic/magic.c 2020-03-02 15:04:23.686413600 +0100
+++ libmagic/magic.c 2020-02-26 23:18:22.621402800 +0100
@@ -25,11 +25,6 @@
* SUCH DAMAGE.
*/
Expand Down Expand Up @@ -3036,8 +3036,8 @@ diff -u libmagic.orig/magic.c libmagic/magic.c
public const char *
magic_error(struct magic_set *ms)
diff -u libmagic.orig/magic.h libmagic/magic.h
--- libmagic.orig/magic.h 2020-03-02 15:06:39.235737800 +0100
+++ libmagic/magic.h 2020-03-02 15:04:23.686413600 +0100
--- libmagic.orig/magic.h 2020-03-02 15:24:27.253951700 +0100
+++ libmagic/magic.h 2020-02-26 23:18:22.622402300 +0100
@@ -124,6 +124,7 @@

const char *magic_getpath(const char *, int);
Expand All @@ -3048,7 +3048,7 @@ diff -u libmagic.orig/magic.h libmagic/magic.h

diff -u libmagic.orig/print.c libmagic/print.c
--- libmagic.orig/print.c 2019-03-12 21:43:05.000000000 +0100
+++ libmagic/print.c 2020-03-02 15:04:23.688414000 +0100
+++ libmagic/print.c 2020-02-26 23:18:22.625401800 +0100
@@ -28,6 +28,7 @@
/*
* print.c - debugging printout routines
Expand Down Expand Up @@ -3122,7 +3122,7 @@ diff -u libmagic.orig/print.c libmagic/print.c
goto out;
diff -u libmagic.orig/readcdf.c libmagic/readcdf.c
--- libmagic.orig/readcdf.c 2019-03-12 21:43:05.000000000 +0100
+++ libmagic/readcdf.c 2020-03-02 15:04:23.689414500 +0100
+++ libmagic/readcdf.c 2020-02-27 11:45:38.445854000 +0100
@@ -31,7 +31,11 @@

#include <assert.h>
Expand Down Expand Up @@ -3241,7 +3241,7 @@ diff -u libmagic.orig/readcdf.c libmagic/readcdf.c
if (i != -1)
diff -u libmagic.orig/softmagic.c libmagic/softmagic.c
--- libmagic.orig/softmagic.c 2019-05-17 04:24:59.000000000 +0200
+++ libmagic/softmagic.c 2020-03-02 15:04:23.690413500 +0100
+++ libmagic/softmagic.c 2020-03-02 15:23:10.176763300 +0100
@@ -43,6 +43,10 @@
#include <time.h>
#include "der.h"
Expand Down Expand Up @@ -3414,18 +3414,32 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c
return rv;

case FILE_USE:
@@ -1926,6 +1904,47 @@
@@ -1926,6 +1904,61 @@
return file_strncmp(a, b, len, flags);
}

+public void
+convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options)
+{
+ int i, j=0;
+ int i, j;
+ zend_string *t;
+
+ t = zend_string_alloc(len * 2 + 4, 0);
+ for (i = j = 0; i < len; i++) {
+ switch (val[i]) {
+ case '~':
+ j += 2;
+ break;
+ case '\0':
+ j += 4;
+ break;
+ default:
+ j++;
+ break;
+ }
+ }
+ t = zend_string_alloc(j + 4, 0);
+
+ j = 0;
+ ZSTR_VAL(t)[j++] = '~';
+
+ for (i = 0; i < len; i++, j++) {
Expand Down Expand Up @@ -3462,7 +3476,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c
private int
magiccheck(struct magic_set *ms, struct magic *m)
{
@@ -2104,65 +2123,77 @@
@@ -2104,65 +2137,77 @@
break;
}
case FILE_REGEX: {
Expand Down Expand Up @@ -3594,7 +3608,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c
case FILE_INDIRECT:
diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c
--- libmagic.orig/strcasestr.c 2014-09-11 17:05:33.000000000 +0200
+++ libmagic/strcasestr.c 2019-04-02 11:56:06.853152400 +0200
+++ libmagic/strcasestr.c 2019-11-29 08:49:38.434136600 +0100
@@ -39,6 +39,8 @@

#include "file.h"
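Review bot: In convert_libmagic_pattern the loop index `i` is an `int` compared against the `size_t` parameter `len` (`for (i = j = 0; i < len; i++)`), a signed/unsigned comparison that also leaves `i++` open to signed overflow in principle; declaring it `size_t i;` while keeping `int j;` for the output index matches the parameter. The new pre-count (`j += 2` for '~', `j += 4` for '\0', `j++` otherwise) has to stay in lock-step with the emit loop that follows, which lies outside this hunk, so a comment above the counting loop such as `/* Count the bytes the emit loop below writes per input byte; keep both switch statements in sync. */` plus one on `zend_string_alloc(j + 4, 0)` naming what the `+ 4` reserves would make that contract visible. The same lines appear in the ext/fileinfo/libmagic/softmagic.c section further down; convert_libmagic_pattern continues outside the hunk.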
18 changes: 16 additions & 2 deletions ext/fileinfo/libmagic/softmagic.c
Expand Up @@ -1907,11 +1907,25 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags)
public void
convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options)
{
int i, j=0;
int i, j;
zend_string *t;

t = zend_string_alloc(len * 2 + 4, 0);
for (i = j = 0; i < len; i++) {
switch (val[i]) {
case '~':
j += 2;
break;
case '\0':
j += 4;
break;
default:
j++;
break;
}
}
t = zend_string_alloc(j + 4, 0);

j = 0;
ZSTR_VAL(t)[j++] = '~';

for (i = 0; i < len; i++, j++) {
22 changes: 22 additions & 0 deletions ext/fileinfo/tests/bug79283.phpt
@@ -0,0 +1,22 @@
--TEST--
Bug #79283 (Segfault in libmagic patch contains a buffer overflow)
--SKIPIF--
<?php
if (!extension_loaded('fileinfo')) die('skip fileinfo extension not available');
?>
--FILE--
<?php
$magic_file = __DIR__ . '/bug79283.db';
file_put_contents($magic_file, "
0 regex \\0\\0\\0\\0 Test
");

$finfo = new finfo(FILEINFO_NONE, $magic_file);
var_dump($finfo->buffer("buffer\n"));
?>
--CLEAN--
<?php
unlink(__DIR__ . '/bug79283.db');
?>
--EXPECT--
string(10) "ASCII text"
2 changes: 1 addition & 1 deletion ext/mbstring/php_unicode.c
Expand Up @@ -313,7 +313,7 @@ static int convert_case_filter(int c, void *void_data)

/* Handle invalid characters early, as we assign special meaning to
* codepoints above 0xffffff. */
if (UNEXPECTED(c > 0xffffff)) {
if (UNEXPECTED((unsigned) c > 0xffffff)) {
(*data->next_filter->filter_function)(c, data->next_filter);
return 0;
}
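Review bot: The comment directly above the changed condition ("codepoints above 0xffffff") no longer describes what the test does: with the `(unsigned)` cast a negative `c` is also routed to the next filter, which is presumably the invalid-input case that bug79371.phpt exercises. Suggest extending it, e.g. `/* Handle invalid characters early (negative c too: the unsigned cast maps it above 0xffffff), as we assign special meaning to codepoints above 0xffffff. */`. convert_case_filter starts and ends outside the hunk.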
14 changes: 14 additions & 0 deletions ext/mbstring/tests/bug79371.phpt
@@ -0,0 +1,14 @@
--TEST--
Bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow)
--SKIPIF--
<?php
if (!extension_loaded('mbstring')) die('skip mbstring extension not available');
?>
--FILE--
<?php
$bytes = array(0xef, 0xbf, 0xbd, 0xef);
$str = implode(array_map("chr", $bytes));
var_dump(bin2hex(mb_strtolower($str, "UTF-32LE")));
?>
--EXPECT--
string(8) "3f000000"
2 changes: 1 addition & 1 deletion ext/standard/url.c
Expand Up @@ -669,7 +669,7 @@ PHP_FUNCTION(get_headers)
php_stream_context *context;

ZEND_PARSE_PARAMETERS_START(1, 3)
Z_PARAM_STRING(url, url_len)
Z_PARAM_PATH(url, url_len)
Z_PARAM_OPTIONAL
Z_PARAM_LONG(format)
Z_PARAM_RESOURCE_EX(zcontext, 1, 0)
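Review bot: Switching get_headers' first argument from Z_PARAM_STRING to Z_PARAM_PATH is an undocumented behaviour change in this hunk: Z_PARAM_PATH rejects strings containing NUL bytes, so such URLs now fail argument parsing instead of reaching the stream layer. A short comment on the changed line would make the intent reviewable, e.g. `Z_PARAM_PATH(url, url_len) /* PATH, not STRING: reject embedded NUL bytes before the URL is opened as a stream */`. PHP_FUNCTION(get_headers) starts and ends outside the hunk.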