From dd791cd71742fdb9b87b7166537fbb25bd7cd8b9 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Mon, 8 Dec 2014 12:18:27 +0300
Subject: [PATCH] Fixed possible read after end of buffer and use after free.

---
 ext/mcrypt/mcrypt.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index 55302c7..7f463cf 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -619,8 +619,11 @@ PHP_FUNCTION(mcrypt_generic_init)
 
 	if (iv_len != iv_size) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Iv size incorrect; supplied length: %d, needed: %d", iv_len, iv_size);
+		if (iv_len > iv_size) {
+			iv_len = iv_size;
+		}
 	}
-	memcpy(iv_s, iv, iv_size);
+	memcpy(iv_s, iv, iv_len);
 
 	mcrypt_generic_deinit(pm->td);
 	result = mcrypt_generic_init(pm->td, key_s, key_size, iv_s);
@@ -641,8 +644,9 @@ PHP_FUNCTION(mcrypt_generic_init)
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown error");
 				break;
 		}
+	} else {
+		pm->init = 1;
 	}
-	pm->init = 1;
 	RETVAL_LONG(result);
 
 	efree(iv_s);
-- 
2.1.4