diff options
| author | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
|---|---|---|
| committer | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
| commit | e2958a432947f16a89f196171a572abc1c506154 (patch) | |
| tree | de3eb8998c1b54f88954a46feccd716edd83c4ea /bug72275.patch | |
| parent | 003b71973f17c66ab9544546f693f290dbfa300e (diff) | |
PHP 5.4.45 with security fix from 5.5.37
Diffstat (limited to 'bug72275.patch')
| -rw-r--r-- | bug72275.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/bug72275.patch b/bug72275.patch new file mode 100644 index 0000000..d28651e --- /dev/null +++ b/bug72275.patch @@ -0,0 +1,59 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From 489fd56fe37bf40a662931c2b4d5baa918f13e37 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 13 Jun 2016 23:12:47 -0700 +Subject: [PATCH] Fix bug #72275: don't allow smart_str to overflow int + +--- + ext/standard/php_smart_str.h | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ext/standard/php_smart_str.h b/ext/standard/php_smart_str.h +index 1872fa8..fc1a753 100644 +--- a/ext/standard/php_smart_str.h ++++ b/ext/standard/php_smart_str.h +@@ -63,6 +63,9 @@ + newlen = (d)->len + (n); \ + if (newlen >= (d)->a) { \ + (d)->a = newlen + SMART_STR_PREALLOC; \ ++ if (UNEXPECTED((d)->a >= INT_MAX)) { \ ++ zend_error(E_ERROR, "String size overflow"); \ ++ } \ + SMART_STR_DO_REALLOC(d, what); \ + } \ + } \ +@@ -148,17 +151,17 @@ + * for GCC compatible compilers, e.g. + * + * #define f(..) ({char *r;..;__r;}) +- */ +- ++ */ ++ + static inline char *smart_str_print_long(char *buf, long num) { +- char *r; +- smart_str_print_long4(buf, num, unsigned long, r); ++ char *r; ++ smart_str_print_long4(buf, num, unsigned long, r); + return r; + } + + static inline char *smart_str_print_unsigned(char *buf, long num) { +- char *r; +- smart_str_print_unsigned4(buf, num, unsigned long, r); ++ char *r; ++ smart_str_print_unsigned4(buf, num, unsigned long, r); + return r; + } + +@@ -168,7 +171,7 @@ static inline char *smart_str_print_unsigned(char *buf, long num) { + smart_str_print##func##4 (__b + sizeof(__b) - 1, (num), vartype, __t); \ + smart_str_appendl_ex((dest), __t, __b + sizeof(__b) - 1 - __t, (type)); \ + } while (0) +- ++ + #define smart_str_append_unsigned_ex(dest, num, type) \ + smart_str_append_generic_ex((dest), (num), (type), unsigned long, _unsigned) + |