summaryrefslogtreecommitdiffstats
path: root/bug72455.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-06-23 15:53:37 +0200
committerRemi Collet <fedora@famillecollet.com>2016-06-23 15:53:37 +0200
commite2958a432947f16a89f196171a572abc1c506154 (patch)
treede3eb8998c1b54f88954a46feccd716edd83c4ea /bug72455.patch
parent003b71973f17c66ab9544546f693f290dbfa300e (diff)
PHP 5.4.45 with security fix from 5.5.37
Diffstat (limited to 'bug72455.patch')
-rw-r--r--bug72455.patch39
1 files changed, 39 insertions, 0 deletions
diff --git a/bug72455.patch b/bug72455.patch
new file mode 100644
index 0000000..e3c3660
--- /dev/null
+++ b/bug72455.patch
@@ -0,0 +1,39 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From 6c5211a0cef0cc2854eaa387e0eb036e012904d0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 21:51:42 -0700
+Subject: [PATCH] Fix bug #72455: Heap Overflow due to integer overflows
+
+---
+ ext/mcrypt/mcrypt.c | 92 +++++++++++++++++++++++++++++------------------------
+ 1 file changed, 50 insertions(+), 42 deletions(-)
+
+diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
+index 194660d..3cbb913 100644
+--- a/ext/mcrypt/mcrypt.c
++++ b/ext/mcrypt/mcrypt.c
+@@ -681,6 +681,10 @@ PHP_FUNCTION(mcrypt_generic)
+ if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
+ block_size = mcrypt_enc_get_block_size(pm->td);
+ data_size = (((data_len - 1) / block_size) + 1) * block_size;
++ if (data_size <= 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
++ RETURN_FALSE;
++ }
+ data_s = emalloc(data_size + 1);
+ memset(data_s, 0, data_size);
+ memcpy(data_s, data, data_len);
+@@ -726,6 +730,10 @@ PHP_FUNCTION(mdecrypt_generic)
+ if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
+ block_size = mcrypt_enc_get_block_size(pm->td);
+ data_size = (((data_len - 1) / block_size) + 1) * block_size;
++ if (data_size <= 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
++ RETURN_FALSE;
++ }
+ data_s = emalloc(data_size + 1);
+ memset(data_s, 0, data_size);
+ memcpy(data_s, data, data_len);
+