Fix #70277: new DateTimeZone($foo) is ignoring text after null byte

cmb69 · cmb69 · commit bb057498f745 · 2015-08-17T15:58:37.000+02:00
The DateTimeZone constructors are not binary safe. They're parsing the timezone
as string, but discard the length when calling timezone_initialize(). This
patch adds a tz_len parameter and a respective check to timezone_initialize().
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
@@ -3682,12 +3682,17 @@ PHP_FUNCTION(date_diff)
 }
 /* }}} */
 
-static int timezone_initialize(php_timezone_obj *tzobj, /*const*/ char *tz TSRMLS_DC)
+static int timezone_initialize(php_timezone_obj *tzobj, /*const*/ char *tz, size_t tz_len TSRMLS_DC)
 {
 	timelib_time *dummy_t = ecalloc(1, sizeof(timelib_time));
 	int           dst, not_found;
 	char         *orig_tz = tz;
 
+	if (strlen(tz) != tz_len) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Timezone must not contain null bytes");
+		return FAILURE;
+	}
+
 	dummy_t->z = timelib_parse_zone(&tz, &dst, dummy_t, &not_found, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
 	if (not_found) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown or bad timezone (%s)", orig_tz);
@@ -3714,7 +3719,7 @@ PHP_FUNCTION(timezone_open)
 		RETURN_FALSE;
 	}
 	tzobj = zend_object_store_get_object(php_date_instantiate(date_ce_timezone, return_value TSRMLS_CC) TSRMLS_CC);
-	if (SUCCESS != timezone_initialize(tzobj, tz TSRMLS_CC)) {
+	if (SUCCESS != timezone_initialize(tzobj, tz, tz_len TSRMLS_CC)) {
 		RETURN_FALSE;
 	}
 }
@@ -3733,7 +3738,7 @@ PHP_METHOD(DateTimeZone, __construct)
 	zend_replace_error_handling(EH_THROW, NULL, &error_handling TSRMLS_CC);
 	if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &tz, &tz_len)) {
 		tzobj = zend_object_store_get_object(getThis() TSRMLS_CC);
-		if (FAILURE == timezone_initialize(tzobj, tz TSRMLS_CC)) {
+		if (FAILURE == timezone_initialize(tzobj, tz, tz_len TSRMLS_CC)) {
 			ZVAL_NULL(getThis());
 		}
 	}
@@ -3748,7 +3753,7 @@ static int php_date_timezone_initialize_from_hash(zval **return_value, php_timez
 
 	if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
 		if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
-			if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {
+			if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone), Z_STRLEN_PP(z_timezone) TSRMLS_CC)) {
 				return SUCCESS;
 			}
 		}
diff --git a/ext/date/tests/bug70277.phpt b/ext/date/tests/bug70277.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #70277 (new DateTimeZone($foo) is ignoring text after null byte)
+--FILE--
+<?php
+$timezone = "Europe/Zurich\0Foo";
+var_dump(timezone_open($timezone));
+var_dump(new DateTimeZone($timezone));
+?>
+--EXPECTF--
+Warning: timezone_open(): Timezone must not contain null bytes in %sbug70277.php on line %d
+bool(false)
+
+Fatal error: Uncaught exception 'Exception' with message 'DateTimeZone::__construct(): Timezone must not contain null bytes' in %sbug70277.php:%d
+Stack trace:
+#0 %sbug70277.php(%d): DateTimeZone->__construct('Europe/Zurich\x00F...')
+#1 {main}
+  thrown in %sbug70277.php on line %d

Original file line number	Diff line number	Diff line change
`@@ -3682,12 +3682,17 @@ PHP_FUNCTION(date_diff)`
`3682`	`3682`	`}`
`3683`	`3683`	`/* }}} */`
`3684`	`3684`
`3685`		`-static int timezone_initialize(php_timezone_obj tzobj, /const/ char tz TSRMLS_DC)`
	`3685`	`+static int timezone_initialize(php_timezone_obj tzobj, /const/ char tz, size_t tz_len TSRMLS_DC)`
`3686`	`3686`	`{`
`3687`	`3687`	`timelib_time *dummy_t = ecalloc(1, sizeof(timelib_time));`
`3688`	`3688`	`int dst, not_found;`
`3689`	`3689`	`char *orig_tz = tz;`
`3690`	`3690`
	`3691`	`+ if (strlen(tz) != tz_len) {`
	`3692`	`+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Timezone must not contain null bytes");`
	`3693`	`+ return FAILURE;`
	`3694`	`+ }`
	`3695`	`+`
`3691`	`3696`	`dummy_t->z = timelib_parse_zone(&tz, &dst, dummy_t, &not_found, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);`
`3692`	`3697`	`if (not_found) {`
`3693`	`3698`	`php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown or bad timezone (%s)", orig_tz);`
`@@ -3714,7 +3719,7 @@ PHP_FUNCTION(timezone_open)`
`3714`	`3719`	`RETURN_FALSE;`
`3715`	`3720`	`}`
`3716`	`3721`	`tzobj = zend_object_store_get_object(php_date_instantiate(date_ce_timezone, return_value TSRMLS_CC) TSRMLS_CC);`
`3717`		`- if (SUCCESS != timezone_initialize(tzobj, tz TSRMLS_CC)) {`
	`3722`	`+ if (SUCCESS != timezone_initialize(tzobj, tz, tz_len TSRMLS_CC)) {`
`3718`	`3723`	`RETURN_FALSE;`
`3719`	`3724`	`}`
`3720`	`3725`	`}`
`@@ -3733,7 +3738,7 @@ PHP_METHOD(DateTimeZone, __construct)`
`3733`	`3738`	`zend_replace_error_handling(EH_THROW, NULL, &error_handling TSRMLS_CC);`
`3734`	`3739`	`if (SUCCESS == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &tz, &tz_len)) {`
`3735`	`3740`	`tzobj = zend_object_store_get_object(getThis() TSRMLS_CC);`
`3736`		`- if (FAILURE == timezone_initialize(tzobj, tz TSRMLS_CC)) {`
	`3741`	`+ if (FAILURE == timezone_initialize(tzobj, tz, tz_len TSRMLS_CC)) {`
`3737`	`3742`	`ZVAL_NULL(getThis());`
`3738`	`3743`	`}`
`3739`	`3744`	`}`
`@@ -3748,7 +3753,7 @@ static int php_date_timezone_initialize_from_hash(zval **return_value, php_timez`
`3748`	`3753`
`3749`	`3754`	`if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {`
`3750`	`3755`	`if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {`
`3751`		`- if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) {`
	`3756`	`+ if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone), Z_STRLEN_PP(z_timezone) TSRMLS_CC)) {`
`3752`	`3757`	`return SUCCESS;`
`3753`	`3758`	`}`
`3754`	`3759`	`}`