From e2958a432947f16a89f196171a572abc1c506154 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 23 Jun 2016 15:53:37 +0200 Subject: PHP 5.4.45 with security fix from 5.5.37 --- bug72400.patch | 113 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 113 insertions(+) create mode 100644 bug72400.patch (limited to 'bug72400.patch') diff --git a/bug72400.patch b/bug72400.patch new file mode 100644 index 0000000..363a598 --- /dev/null +++ b/bug72400.patch @@ -0,0 +1,113 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From 88746d60ab3ad51797612ee62603bb3e08d4aac4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 15 Jun 2016 21:46:46 -0700 +Subject: [PATCH] Fix bug #72400 and #72403 - prevent signed int overflows for + string lengths + +--- + ext/standard/string.c | 25 ++++++++++++-- + ext/standard/url.c | 96 +++++++++++++++++++++++++++------------------------ + 2 files changed, 72 insertions(+), 49 deletions(-) + +diff --git a/ext/standard/string.c b/ext/standard/string.c +index 63eede1..acb6a01 100644 +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -137,6 +137,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t * + register unsigned char *result = NULL; + size_t i, j; + ++ if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } + result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1); + + for (i = j = 0; i < oldlen; i++) { +@@ -2602,6 +2605,7 @@ PHP_FUNCTION(quotemeta) + char *p, *q; + char c; + int old_len; ++ size_t new_len; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) { + return; +@@ -2636,8 +2640,13 @@ PHP_FUNCTION(quotemeta) + } + } + *q = 0; ++ new_len = q - str; ++ if (UNEXPECTED(new_len > INT_MAX)) { ++ efree(str); ++ zend_error(E_ERROR, "String size overflow"); ++ } + +- RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0); ++ RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0); + } + /* }}} */ + +@@ -3539,7 +3548,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s + char *source, *target; + char *end; + char c; +- int newlen; ++ size_t newlen; + + if (!wlength) { + wlength = strlen(what); +@@ -3570,11 +3579,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s + } + *target = 0; + newlen = target - new_str; ++ if (UNEXPECTED(newlen > INT_MAX)) { ++ efree(new_str); ++ zend_error(E_ERROR, "String size overflow"); ++ } + if (target - new_str < length * 4) { + new_str = erealloc(new_str, newlen + 1); + } + if (new_length) { +- *new_length = newlen; ++ *new_length = (int)newlen; + } + if (should_free) { + STR_FREE((char*)str); +@@ -3626,6 +3639,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f + + *target = 0; + *new_length = target - new_str; ++ if (UNEXPECTED(*new_length < 0)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } + if (should_free) { + STR_FREE(str); + } +@@ -4329,6 +4345,9 @@ PHP_FUNCTION(nl2br) + size_t repl_len = is_xhtml ? (sizeof("
") - 1) : (sizeof("
") - 1); + + new_length = str_len + repl_cnt * repl_len; ++ if (UNEXPECTED(new_length > INT_MAX)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } + tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1); + } + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 27a216a..fc3f080 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -626,6 +626,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length) + if (new_length) { + *new_length = y; + } ++ if (UNEXPECTED(y > INT_MAX)) { ++ efree(str); ++ zend_error(E_ERROR, "String size overflow"); ++ } + return ((char *) str); + } + /* }}} */ + -- cgit