ircmaxell · ircmaxell · Aug 17, 2013 · Aug 13, 2013 · Aug 13, 2013 · Aug 14, 2013
diff --git a/Zend/zend.c b/Zend/zend.c
@@ -1098,7 +1098,7 @@ ZEND_API void zend_error(int type, const char *format, ...) /* {{{ */
 	if(DTRACE_ERROR_ENABLED()) {
 		char *dtrace_error_buffer;
 		zend_vspprintf(&dtrace_error_buffer, 0, format, args);
-		DTRACE_ERROR(dtrace_error_buffer, error_filename, error_lineno);
+		DTRACE_ERROR(dtrace_error_buffer, (char *)error_filename, error_lineno);
 		efree(dtrace_error_buffer);
 	}
 #endif /* HAVE_DTRACE */

diff --git a/Zend/zend_dtrace.c b/Zend/zend_dtrace.c
@@ -24,7 +24,7 @@
 
 #ifdef HAVE_DTRACE
 /* PHP DTrace probes {{{ */
-static inline char *dtrace_get_executed_filename(TSRMLS_D)
+static inline const char *dtrace_get_executed_filename(TSRMLS_D)
 {
 	if (EG(current_execute_data) && EG(current_execute_data)->op_array) {
 		return EG(current_execute_data)->op_array->filename;
@@ -36,9 +36,9 @@ static inline char *dtrace_get_executed_filename(TSRMLS_D)
 ZEND_API zend_op_array *dtrace_compile_file(zend_file_handle *file_handle, int type TSRMLS_DC)
 {
 	zend_op_array *res;
-	DTRACE_COMPILE_FILE_ENTRY(file_handle->opened_path, file_handle->filename);
+	DTRACE_COMPILE_FILE_ENTRY(file_handle->opened_path, (char *)file_handle->filename);
 	res = compile_file(file_handle, type TSRMLS_CC);
-	DTRACE_COMPILE_FILE_RETURN(file_handle->opened_path, file_handle->filename);
+	DTRACE_COMPILE_FILE_RETURN(file_handle->opened_path, (char *)file_handle->filename);
 
 	return res;
 }
@@ -47,7 +47,7 @@ ZEND_API zend_op_array *dtrace_compile_file(zend_file_handle *file_handle, int t
 ZEND_API void dtrace_execute_ex(zend_execute_data *execute_data TSRMLS_DC)
 {
 	int lineno;
-	char *scope, *filename, *funcname, *classname;
+	const char *scope, *filename, *funcname, *classname;
 	scope = filename = funcname = classname = NULL;
 
 	/* we need filename and lineno for both execute and function probes */
@@ -65,41 +65,41 @@ ZEND_API void dtrace_execute_ex(zend_execute_data *execute_data TSRMLS_DC)
 	}
 
 	if (DTRACE_EXECUTE_ENTRY_ENABLED()) {
-		DTRACE_EXECUTE_ENTRY(filename, lineno);
+		DTRACE_EXECUTE_ENTRY((char *)filename, lineno);
 	}
 
 	if (DTRACE_FUNCTION_ENTRY_ENABLED() && funcname != NULL) {
-		DTRACE_FUNCTION_ENTRY(funcname, filename, lineno, classname, scope);
+		DTRACE_FUNCTION_ENTRY((char *)funcname, (char *)filename, lineno, (char *)classname, (char *)scope);
 	}
 
 	execute_ex(execute_data TSRMLS_CC);
 
 	if (DTRACE_FUNCTION_RETURN_ENABLED() && funcname != NULL) {
-		DTRACE_FUNCTION_RETURN(funcname, filename, lineno, classname, scope);
+		DTRACE_FUNCTION_RETURN((char *)funcname, (char *)filename, lineno, (char *)classname, (char *)scope);
 	}
 
 	if (DTRACE_EXECUTE_RETURN_ENABLED()) {
-		DTRACE_EXECUTE_RETURN(filename, lineno);
+		DTRACE_EXECUTE_RETURN((char *)filename, lineno);
 	}
 }
 
 ZEND_API void dtrace_execute_internal(zend_execute_data *execute_data_ptr, zend_fcall_info *fci, int return_value_used TSRMLS_DC)
 {
 	int lineno;
-	char *filename;
+	const char *filename;
 	if (DTRACE_EXECUTE_ENTRY_ENABLED() || DTRACE_EXECUTE_RETURN_ENABLED()) {
 		filename = dtrace_get_executed_filename(TSRMLS_C);
 		lineno = zend_get_executed_lineno(TSRMLS_C);
 	}
 
 	if (DTRACE_EXECUTE_ENTRY_ENABLED()) {
-		DTRACE_EXECUTE_ENTRY(filename, lineno);
+		DTRACE_EXECUTE_ENTRY((char *)filename, lineno);
 	}
 
 	execute_internal(execute_data_ptr, fci, return_value_used TSRMLS_CC);
 
 	if (DTRACE_EXECUTE_RETURN_ENABLED()) {
-		DTRACE_EXECUTE_RETURN(filename, lineno);
+		DTRACE_EXECUTE_RETURN((char *)filename, lineno);
 	}
 }
 

diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
@@ -85,12 +85,12 @@ void zend_throw_exception_internal(zval *exception TSRMLS_DC) /* {{{ */
 {
 #ifdef HAVE_DTRACE
 	if (DTRACE_EXCEPTION_THROWN_ENABLED()) {
-		char *classname;
-		zend_str_size name_len;
+		const char *classname;
+		zend_str_size_uint name_len;
 
 		if (exception != NULL) {
 			zend_get_object_classname(exception, &classname, &name_len TSRMLS_CC);
-			DTRACE_EXCEPTION_THROWN(classname);
+			DTRACE_EXCEPTION_THROWN((char *)classname);
 		} else {
 			DTRACE_EXCEPTION_THROWN(NULL);
 		}

diff --git a/Zend/zend_operators.h b/Zend/zend_operators.h
@@ -269,7 +269,7 @@ static inline zend_uchar is_numeric_string(const char *str, zend_str_size_int le
     return is_numeric_string_ex(str, length, lval, dval, allow_errors, NULL);
 }
 
-static inline char *
+static inline const char *
 zend_memnstr(const char *haystack, const char *needle, zend_str_size_int needle_len, char *end)
 {
 	const char *p = haystack;

diff --git a/Zend/zend_vm_def.h b/Zend/zend_vm_def.h
@@ -3015,7 +3015,7 @@ ZEND_VM_HANDLER(107, ZEND_CATCH, CONST, CV)
 
 #ifdef HAVE_DTRACE
 	if (DTRACE_EXCEPTION_CAUGHT_ENABLED()) {
-		DTRACE_EXCEPTION_CAUGHT(ce->name);
+		DTRACE_EXCEPTION_CAUGHT((char *)ce->name);
 	}
 #endif /* HAVE_DTRACE */
 

diff --git a/Zend/zend_vm_execute.h b/Zend/zend_vm_execute.h
@@ -7127,7 +7127,7 @@ static int ZEND_FASTCALL  ZEND_CATCH_SPEC_CONST_CV_HANDLER(ZEND_OPCODE_HANDLER_A
 
 #ifdef HAVE_DTRACE
 	if (DTRACE_EXCEPTION_CAUGHT_ENABLED()) {
-		DTRACE_EXCEPTION_CAUGHT(ce->name);
+		DTRACE_EXCEPTION_CAUGHT((char *)ce->name);
 	}
 #endif /* HAVE_DTRACE */
 

diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -1041,7 +1041,7 @@ char *php_date_short_day_name(timelib_sll y, timelib_sll m, timelib_sll d)
 static char *date_format(char *format, zend_str_size_int format_len, timelib_time *t, int localtime)
 {
 	smart_str            string = {0};
-	zend_str_size        i, length;
+	zend_str_size_int    i, length = 0;
 	char                 buffer[97];
 	timelib_time_offset *offset = NULL;
 	timelib_sll          isoweek, isoyear;
@@ -2539,8 +2539,8 @@ PHPAPI int php_date_initialize(php_date_obj *dateobj, /*const*/ char *time_str,
 	timelib_time   *now;
 	timelib_tzinfo *tzi = NULL;
 	timelib_error_container *err = NULL;
-	int type = TIMELIB_ZONETYPE_ID, new_dst;
-	char *new_abbr;
+	int type = TIMELIB_ZONETYPE_ID, new_dst = 0;
+	char *new_abbr = NULL;
 	timelib_sll     new_offset;
 
 	if (dateobj->time) {

diff --git a/ext/dom/xpath.c b/ext/dom/xpath.c
@@ -74,7 +74,7 @@ const zend_function_entry php_dom_xpath_class_functions[] = {
 
 static void dom_xpath_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int type) /* {{{ */
 {
-	zval **args;
+	zval **args = NULL;
 	zval *retval;
 	int result, i, ret;
 	int error = 0;

diff --git a/ext/gd/gd.c b/ext/gd/gd.c
@@ -2442,7 +2442,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 		fflush(fp);
 	}
 
-register_im:
+/* register_im: */
 	if (im) {
 		ZEND_REGISTER_RESOURCE(return_value, im, le_gd);
 		php_stream_close(stream);

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
@@ -3011,7 +3011,6 @@ void gdImageGetClip (gdImagePtr im, int *x1P, int *y1P, int *x2P, int *y2P)
 int gdImagePaletteToTrueColor(gdImagePtr src)
 {
 	unsigned int y;
-	unsigned char alloc_y = 0;
 	unsigned int yy;
 
 	if (src == NULL) {

diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c
@@ -1363,7 +1363,7 @@ ZEND_FUNCTION(gmp_powm)
 	zval *base_arg, *exp_arg, *mod_arg;
 	mpz_ptr gmpnum_base, gmpnum_exp, gmpnum_mod, gmpnum_result;
 	int use_ui = 0;
-	gmp_temp_t temp_base, temp_exp, temp_mod;
+	gmp_temp_t temp_base = {0}, temp_exp = {0}, temp_mod;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "zzz", &base_arg, &exp_arg, &mod_arg) == FAILURE){
 		return;

diff --git a/ext/intl/grapheme/grapheme_util.c b/ext/intl/grapheme/grapheme_util.c
@@ -130,7 +130,7 @@ void grapheme_substr_ascii(char *str, int str_len, int f, int l, int argc, char
 /* {{{ grapheme_strpos_utf16 - strrpos using utf16*/
 int grapheme_strpos_utf16(unsigned char *haystack, int32_t haystack_len, unsigned char*needle, int32_t needle_len, int32_t offset, int32_t *puchar_pos, int f_ignore_case, int last TSRMLS_DC)
 {
-	UChar *uhaystack = NULL, *puhaystack, *uneedle = NULL;
+	UChar *uhaystack = NULL, *uneedle = NULL;
 	int32_t uhaystack_len = 0, uneedle_len = 0, char_pos, ret_pos, offset_pos = 0;
 	unsigned char u_break_iterator_buffer[U_BRK_SAFECLONE_BUFFERSIZE];
 	UBreakIterator* bi = NULL;

diff --git a/ext/intl/resourcebundle/resourcebundle_class.c b/ext/intl/resourcebundle/resourcebundle_class.c
@@ -161,8 +161,8 @@ PHP_FUNCTION( resourcebundle_create )
 /* {{{ resourcebundle_array_fetch */
 static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_value, int fallback TSRMLS_DC) 
 {
-	int32_t     meindex;
-	char *      mekey;
+	int32_t     meindex = 0;
+	char *      mekey = NULL;
 	long        mekeylen;
     zend_bool    is_numeric = 0;
 	char         *pbuf;

diff --git a/ext/oci8/oci8_statement.c b/ext/oci8/oci8_statement.c
@@ -124,14 +124,14 @@ php_oci_statement *php_oci_statement_create(php_oci_connection *connection, char
    Fetch implicit result set statement resource */
 php_oci_statement *php_oci_get_implicit_resultset(php_oci_statement *statement TSRMLS_DC)
 {
-	void    *result;
-	ub4      rtype;
-	php_oci_statement *statement2;  /* implicit result set statement handle */
-
 #if (OCI_MAJOR_VERSION < 12)
 	php_error_docref(NULL TSRMLS_CC, E_WARNING, "Implicit results are available in Oracle Database 12c onwards");
 	return NULL;
 #else
+	void *result;
+	ub4   rtype;
+	php_oci_statement *statement2;  /* implicit result set statement handle */
+
 	PHP_OCI_CALL_RETURN(OCISTMTGETNEXTRESULT, statement->errcode, OCIStmtGetNextResult, (statement->stmt, statement->err, &result, &rtype, OCI_DEFAULT));
 	if (statement->errcode == OCI_NO_DATA) {
 		return NULL;

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
@@ -615,7 +615,7 @@ static void add_assoc_name_entry(zval * val, char * key, X509_NAME * name, int s
 
 	for (i = 0; i < X509_NAME_entry_count(name); i++) {
 		unsigned char *to_add;
-		int to_add_len;
+		int to_add_len = 0;
 
 
 		ne  = X509_NAME_get_entry(name, i);
@@ -1529,7 +1529,6 @@ PHP_FUNCTION(openssl_spki_export)
 	EVP_PKEY *pkey = NULL;
 	NETSCAPE_SPKI *spki = NULL;
 	BIO *out = BIO_new(BIO_s_mem());
-	BUF_MEM *bio_buf;
 
 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &spkstr, &spkstr_len) == FAILURE) {
 		return;
@@ -1710,6 +1709,74 @@ PHP_FUNCTION(openssl_x509_check_private_key)
 }
 /* }}} */
 
+/* Special handling of subjectAltName, see CVE-2013-4073
+ * Christian Heimes
+ */
+
+static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
+{
+	GENERAL_NAMES *names;
+	const X509V3_EXT_METHOD *method = NULL;
+	long i, length, num;
+	const unsigned char *p;
+
+	method = X509V3_EXT_get(extension);
+	if (method == NULL) {
+		return -1;
+	}
+
+	p = extension->value->data;
+	length = extension->value->length;
+	if (method->it) {
+		names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
+						       ASN1_ITEM_ptr(method->it)));
+	} else {
+		names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
+	}
+	if (names == NULL) {
+		return -1;
+	}
+
+	num = sk_GENERAL_NAME_num(names);
+	for (i = 0; i < num; i++) {
+			GENERAL_NAME *name;
+			ASN1_STRING *as;
+			name = sk_GENERAL_NAME_value(names, i);
+			switch (name->type) {
+				case GEN_EMAIL:
+					BIO_puts(bio, "email:");
+					as = name->d.rfc822Name;
+					BIO_write(bio, ASN1_STRING_data(as),
+						  ASN1_STRING_length(as));
+					break;
+				case GEN_DNS:
+					BIO_puts(bio, "DNS:");
+					as = name->d.dNSName;
+					BIO_write(bio, ASN1_STRING_data(as),
+						  ASN1_STRING_length(as));
+					break;
+				case GEN_URI:
+					BIO_puts(bio, "URI:");
+					as = name->d.uniformResourceIdentifier;
+					BIO_write(bio, ASN1_STRING_data(as),
+						  ASN1_STRING_length(as));
+					break;
+				default:
+					/* use builtin print for GEN_OTHERNAME, GEN_X400,
+					 * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
+					 */
+					GENERAL_NAME_print(bio, name);
+			}
+			/* trailing ', ' except for last element */
+			if (i < (num - 1)) {
+				BIO_puts(bio, ", ");
+			}
+	}
+	sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
+
+	return 0;
+}
+
 /* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true])
    Returns an array of the fields/values of the CERT */
 PHP_FUNCTION(openssl_x509_parse)
@@ -1806,15 +1873,29 @@ PHP_FUNCTION(openssl_x509_parse)
 
 
 	for (i = 0; i < X509_get_ext_count(cert); i++) {
+		int nid;
 		extension = X509_get_ext(cert, i);
-		if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) {
+		nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
+		if (nid != NID_undef) {
 			extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
 		} else {
 			OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
 			extname = buf;
 		}
 		bio_out = BIO_new(BIO_s_mem());
-		if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
+		if (nid == NID_subject_alt_name) {
+			if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
+				add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
+			} else {
+				zval_dtor(return_value);
+				if (certresource == -1 && cert) {
+					X509_free(cert);
+				}
+				BIO_free(bio_out);
+				RETURN_FALSE;
+			}
+		}
+		else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
 			BIO_get_mem_ptr(bio_out, &bio_buf);
 			add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
 		} else {

diff --git a/ext/openssl/tests/cve2013_4073.pem b/ext/openssl/tests/cve2013_4073.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE2DCCA8CgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBxTELMAkGA1UEBhMCVVMx
+DzANBgNVBAgMBk9yZWdvbjESMBAGA1UEBwwJQmVhdmVydG9uMSMwIQYDVQQKDBpQ
+eXRob24gU29mdHdhcmUgRm91bmRhdGlvbjEgMB4GA1UECwwXUHl0aG9uIENvcmUg
+RGV2ZWxvcG1lbnQxJDAiBgNVBAMMG251bGwucHl0aG9uLm9yZwBleGFtcGxlLm9y
+ZzEkMCIGCSqGSIb3DQEJARYVcHl0aG9uLWRldkBweXRob24ub3JnMB4XDTEzMDgw
+NzEzMTE1MloXDTEzMDgwNzEzMTI1MlowgcUxCzAJBgNVBAYTAlVTMQ8wDQYDVQQI
+DAZPcmVnb24xEjAQBgNVBAcMCUJlYXZlcnRvbjEjMCEGA1UECgwaUHl0aG9uIFNv
+ZnR3YXJlIEZvdW5kYXRpb24xIDAeBgNVBAsMF1B5dGhvbiBDb3JlIERldmVsb3Bt
+ZW50MSQwIgYDVQQDDBtudWxsLnB5dGhvbi5vcmcAZXhhbXBsZS5vcmcxJDAiBgkq
+hkiG9w0BCQEWFXB5dGhvbi1kZXZAcHl0aG9uLm9yZzCCASIwDQYJKoZIhvcNAQEB
+BQADggEPADCCAQoCggEBALXq7cn7Rn1vO3aA3TrzA5QLp6bb7B3f/yN0CJ2XFj+j
+pHs+Gw6WWSUDpybiiKnPec33BFawq3kyblnBMjBU61ioy5HwQqVkJ8vUVjGIUq3P
+vX/wBmQfzCe4o4uM89gpHyUL9UYGG8oCRa17dgqcv7u5rg0Wq2B1rgY+nHwx3JIv
+KRrgSwyRkGzpN8WQ1yrXlxWjgI9de0mPVDDUlywcWze1q2kwaEPTM3hLAmD1PESA
+oY/n8A/RXoeeRs9i/Pm/DGUS8ZPINXk/yOzsR/XvvkTVroIeLZqfmFpnZeF0cHzL
+08LODkVJJ9zjLdT7SA4vnne4FEbAxDbKAq5qkYzaL4UCAwEAAaOB0DCBzTAMBgNV
+HRMBAf8EAjAAMB0GA1UdDgQWBBSIWlXAUv9hzVKjNQ/qWpwkOCL3XDALBgNVHQ8E
+BAMCBeAwgZAGA1UdEQSBiDCBhYIeYWx0bnVsbC5weXRob24ub3JnAGV4YW1wbGUu
+Y29tgSBudWxsQHB5dGhvbi5vcmcAdXNlckBleGFtcGxlLm9yZ4YpaHR0cDovL251
+bGwucHl0aG9uLm9yZwBodHRwOi8vZXhhbXBsZS5vcmeHBMAAAgGHECABDbgAAAAA
+AAAAAAAAAAEwDQYJKoZIhvcNAQEFBQADggEBAKxPRe99SaghcI6IWT7UNkJw9aO9
+i9eo0Fj2MUqxpKbdb9noRDy2CnHWf7EIYZ1gznXPdwzSN4YCjV5d+Q9xtBaowT0j
+HPERs1ZuytCNNJTmhyqZ8q6uzMLoht4IqH/FBfpvgaeC5tBTnTT0rD5A/olXeimk
+kX4LxlEx5RAvpGB2zZVRGr6LobD9rVK91xuHYNIxxxfEGE8tCCWjp0+3ksri9SXx
+VHWBnbM9YaL32u3hxm8sYB/Yb8WSBavJCWJJqRStVRHM1koZlJmXNx2BX4vPo6iW
+RFEIPQsFZRLrtnCAiEhyT8bC2s/Njlu6ly9gtJZWSV46Q3ZjBL4q9sHKqZQ=
+-----END CERTIFICATE-----
diff --git a/ext/openssl/tests/cve2013_4073.phpt b/ext/openssl/tests/cve2013_4073.phpt
@@ -0,0 +1,19 @@
+--TEST--
+CVE 2013-4073: Null-byte certificate handling
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip");
+--FILE--
+<?php
+$cert = file_get_contents(__DIR__ . '/cve2013_4073.pem');
+$info = openssl_x509_parse($cert);
+var_export($info['extensions']);
+
+--EXPECTF--
+array (
+  'basicConstraints' => 'CA:FALSE',
+  'subjectKeyIdentifier' => '88:5A:55:C0:52:FF:61:CD:52:A3:35:0F:EA:5A:9C:24:38:22:F7:5C',
+  'keyUsage' => 'Digital Signature, Non Repudiation, Key Encipherment',
+  'subjectAltName' => 'DNS:altnull.python.org' . "\0" . 'example.com, email:[email protected]' . "\0" . '[email protected], URI:http://null.python.org' . "\0" . 'http://example.org, IP Address:192.0.2.1, IP Address:2001:DB8:0:0:0:0:0:1
+',
+)