Merge ~athos-ribeiro/ubuntu/+source/php7.4:focal-infinite-loop into ubuntu/+source/php7.4:ubuntu/focal-devel

Proposed by Athos Ribeiro
Status: Merged
Merged at revision: d02d5567777471e549839d162eb8cee87424891b
Proposed branch: ~athos-ribeiro/ubuntu/+source/php7.4:focal-infinite-loop
Merge into: ubuntu/+source/php7.4:ubuntu/focal-devel
Diff against target: 225 lines (+203/-0)
3 files modified
debian/changelog (+7/-0)
debian/patches/0047-fix-exception-infinite-loop.patch (+195/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
git-ubuntu import Pending
Review via email: mp+412418@code.launchpad.net

Description of the change

This is a proposal to fix https://bugs.launchpad.net/ubuntu/+source/php7.4/+bug/1951031 for focal.

A PPA with the proposed patch is available at https://launchpad.net/~athos-ribeiro/+archive/ubuntu/php7-lp-1951031/+packages

I also ran the dep8 test suite locally. Here is the test summary:

autopkgtest [21:16:48]: @@@@@@@@@@@@@@@@@@@@ summary
cli PASS
cgi PASS
mod-php PASS
fpm PASS

Christian Ehrhardt  (paelzer) wrote :

Hi,
well done - changelog, patches, patch headers, references, PPA builds and tests that all LGTM.
I'll approve the MP, but not sponsor yet as the bug has no proper SRU description yet.
Once added anyone around can IMHO sponsor this.

P.S. you missed to add review slots for us - let us see where the "approve" lands :-)

review: Approve
Sergio Durigan Junior (sergiodj) wrote :

Uploaded:

$ dput php7.4_7.4.3-4ubuntu2.8_source.changes
Trying to upload package to ubuntu
Checking signature on .changes
gpg: /home/sergio/work/php7.4/php7.4_7.4.3-4ubuntu2.8_source.changes: Valid signature from 106DA1C8C3CBBF14
Checking signature on .dsc
gpg: /home/sergio/work/php7.4/php7.4_7.4.3-4ubuntu2.8.dsc: Valid signature from 106DA1C8C3CBBF14
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading php7.4_7.4.3-4ubuntu2.8.dsc: done.
  Uploading php7.4_7.4.3-4ubuntu2.8.debian.tar.xz: done.
  Uploading php7.4_7.4.3-4ubuntu2.8_source.buildinfo: done.
  Uploading php7.4_7.4.3-4ubuntu2.8_source.changes: done.
Successfully uploaded packages.

Preview Diff

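--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+php7.4 (7.4.3-4ubuntu2.8) focal; urgency=medium
+
+ * d/p/0047-fix-exception-infinite-loop.patch: Fix ErrorException infinite
+ loop (LP: #1951031)
+
+ -- Athos Ribeiro <athos.ribeiro@canonical.com> Thu, 25 Nov 2021 20:16:22 -0300
+
 php7.4 (7.4.3-4ubuntu2.7) focal-security; urgency=medium
 
 * SECURITY UPDATE: Out of bounds read/write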
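--- /dev/null
+++ b/debian/patches/0047-fix-exception-infinite-loop.patch
@@ -0,0 +1,195 @@
+From 6dd85f83f78fbafc4a90b264e577a31b59323314 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikita.ppv@gmail.com>
+Date: Mon, 22 Feb 2021 09:33:23 +0100
+Subject: [PATCH] Fixed bug #80781
+
+zend_find_array_dim_slow() may throw, make sure to handle this.
+This backports the code we already use for this on PHP-8.0,
+and also backports an exception check that makes this easier to
+catch.
+
+Bug: https://bugs.php.net/bug.php?id=80781
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/php7.4/+bug/1951031
+Last-Update: 2021-11-25
+Origin: upstream, https://github.com/php/php-src/commit/6dd85f83f78fbafc4a90b264e577a31b59323314
+---
+ NEWS | 4 ++++
+ Zend/tests/bug80781.phpt | 32 ++++++++++++++++++++++++++++++++
+ Zend/zend_execute.c | 1 +
+ Zend/zend_vm_def.h | 4 ++++
+ Zend/zend_vm_execute.h | 36 ++++++++++++++++++++++++++++++++++++
+ 5 files changed, 77 insertions(+)
+ create mode 100644 Zend/tests/bug80781.phpt
+
+--- a/NEWS
++++ b/NEWS
+@@ -202,6 +202,10 @@
+ . Fixed bug #78916 (php-fpm 7.4.0 don't send mail via mail()).
+ (Jakub Zelenka)
+
++- Core:
++ . Fixed bug #80781 (Error handler that throws ErrorException infinite loop).
++ (Nikita)
++
+ - Intl:
+ . Implemented FR #78912 (INTL Support for accounting format). (cmb)
+
+--- /dev/null
++++ b/Zend/tests/bug80781.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #80781: Error handler that throws ErrorException infinite loop
++--FILE--
++<?php
++
++function handle(int $severity, string $message, string $file, int $line): bool {
++ if((error_reporting() & $severity) !== 0) {
++ throw new \ErrorException($message, 0, $severity, $file, $line);
++ }
++
++ return true; // stfu operator
++}
++
++set_error_handler('handle');
++
++function getPlugin(string $plugin) : bool{
++ return false;
++}
++
++$data = [];
++$array = [];
++if (isset($array[$data]) or getPlugin($data)) {
++
++}
++
++?>
++--EXPECTF--
++Fatal error: Uncaught ErrorException: Illegal offset type in isset or empty in %s:%d
++Stack trace:
++#0 %s(%d): handle(2, 'Illegal offset ...', %s, %d, Array)
++#1 {main}
++ thrown in %s on line %d
+--- a/Zend/zend_execute.c
++++ b/Zend/zend_execute.c
+@@ -4496,6 +4496,7 @@
+ if (check_exception) { \
+ OPLINE = EX(opline) + (skip); \
+ } else { \
++ ZEND_ASSERT(!EG(exception)); \
+ OPLINE = opline + (skip); \
+ } \
+ ZEND_VM_CONTINUE()
+--- a/Zend/zend_vm_def.h
++++ b/Zend/zend_vm_def.h
+@@ -6908,6 +6908,10 @@
+ ZEND_VM_C_GOTO(isset_again);
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ ZEND_VM_C_GOTO(isset_dim_obj_exit);
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+--- a/Zend/zend_vm_execute.h
++++ b/Zend/zend_vm_execute.h
+@@ -6260,6 +6260,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -8454,6 +8458,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -10907,6 +10915,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -14943,6 +14955,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -16360,6 +16376,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -17647,6 +17667,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -41440,6 +41464,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -44892,6 +44920,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {
+@@ -50079,6 +50111,10 @@
+ goto isset_again;
+ } else {
+ value = zend_find_array_dim_slow(ht, offset EXECUTE_DATA_CC);
++ if (UNEXPECTED(EG(exception))) {
++ result = 0;
++ goto isset_dim_obj_exit;
++ }
+ }
+
+ if (!(opline->extended_value & ZEND_ISEMPTY)) {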
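Review bot: The regression test Zend/tests/bug80781.phpt covers only `isset($array[$data])`, while the context line `if (!(opline->extended_value & ZEND_ISEMPTY))` right after each new check shows the same handlers also serve `empty()`; a second case such as `if (empty($array[$data]) or getPlugin($data)) {}` would pin that path too. The `ZEND_ASSERT(!EG(exception));` added to the macro in Zend/zend_execute.c is presumably a debug-build check only (upstream compiles `ZEND_ASSERT` to an assumption in release builds), so the shipped focal package relies entirely on the explicit `if (UNEXPECTED(EG(exception)))` checks after `zend_find_array_dim_slow()`. Zend/zend_vm_execute.h is normally generated from Zend/zend_vm_def.h, so it is worth confirming that the nine hand-carried hunks match a regeneration on the 7.4.3 tree and that no other specialised isset/empty handler was missed. The handler bodies and the `isset_dim_obj_exit` label lie outside the hunks, so operand cleanup on the new exit path cannot be checked from this page.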
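--- a/debian/patches/series
+++ b/debian/patches/series
@@ -62,3 +62,4 @@ CVE-2021-21705-2.patch
 lp-1939853-1-Fix-Segfault-with-get_result-and-PS-cursors.patch
 lp-1939853-2-MySQLnd-Support-cursors-in-store-get-result.patch
 CVE-2021-21703.patch
+0047-fix-exception-infinite-loop.patch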
