authorRemi Collet <fedora@famillecollet.com>2016-10-15 10:17:16 +0200
committerRemi Collet <fedora@famillecollet.com>2016-10-15 10:17:16 +0200
commit4b420dae109ee4ca511cbbba0c209ea5c30513b1 (patch)
tree42455720cf6f84373a188131f32267996646c48f /bug73189.patch
parent661f662d2fe7ae74585367e5757bb04fbdea717b (diff)
PHP 5.5.38 with 15 security fix from 5.6.27
Diffstat (limited to 'bug73189.patch')
-rw-r--r--bug73189.patch78
1 files changed, 78 insertions, 0 deletions
diff --git a/bug73189.patch b/bug73189.patch
new file mode 100644
index 0000000..7cfc2d8
--- /dev/null
+++ b/bug73189.patch
@@ -0,0 +1,78 @@
+Backported from 5.6.27 by Remi.
+
+
+From da7e89cde880c66887caacd0a3eae7ecdacf9b2a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 28 Sep 2016 23:30:48 -0700
+Subject: [PATCH] Fix bug #73189 - Memcpy negative size parameter
+ php_resolve_path
+
+---
+ main/fopen_wrappers.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/main/fopen_wrappers.c b/main/fopen_wrappers.c
+index 74a493b..af9c558 100644
+--- a/main/fopen_wrappers.c
++++ b/main/fopen_wrappers.c
+@@ -211,7 +211,7 @@ PHPAPI int php_check_specific_open_basedir(const char *basedir, const char *path
+ if (path_len > 1 && path_tmp[path_len - 2] == ':') {
+ if (path_len != 3) {
+ return -1;
+- }
++ }
+ /* this is c:\ */
+ path_tmp[path_len] = '\0';
+ } else {
+@@ -401,7 +401,7 @@ PHPAPI int php_fopen_primary_script(zend_file_handle *file_handle TSRMLS_DC)
+ spprintf(&filename, 0, "%s%c%s%c%s", pw->pw_dir, PHP_DIR_SEPARATOR, PG(user_dir), PHP_DIR_SEPARATOR, s + 1); /* Safe */
+ } else {
+ filename = SG(request_info).path_translated;
+- }
++ }
+ #if defined(ZTS) && defined(HAVE_GETPWNAM_R) && defined(_SC_GETPW_R_SIZE_MAX)
+ efree(pwbuf);
+ #endif
+@@ -494,8 +494,8 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ return NULL;
+ }
+
+- if ((*filename == '.' &&
+- (IS_SLASH(filename[1]) ||
++ if ((*filename == '.' &&
++ (IS_SLASH(filename[1]) ||
+ ((filename[1] == '.') && IS_SLASH(filename[2])))) ||
+ IS_ABSOLUTE_PATH(filename, filename_length) ||
+ !path ||
+@@ -522,7 +522,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ }
+ end = strchr(p, DEFAULT_DIR_SEPARATOR);
+ if (end) {
+- if ((end-ptr) + 1 + filename_length + 1 >= MAXPATHLEN) {
++ if (filename_length > (MAXPATHLEN - 2) || (end-ptr) > MAXPATHLEN || (end-ptr) + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
+ ptr = end + 1;
+ continue;
+ }
+@@ -531,9 +531,9 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ memcpy(trypath+(end-ptr)+1, filename, filename_length+1);
+ ptr = end+1;
+ } else {
+- int len = strlen(ptr);
++ size_t len = strlen(ptr);
+
+- if (len + 1 + filename_length + 1 >= MAXPATHLEN) {
++ if (filename_length > (MAXPATHLEN - 2) || len > MAXPATHLEN || (size_t)len + 1 + (size_t)filename_length + 1 >= MAXPATHLEN) {
+ break;
+ }
+ memcpy(trypath, ptr, len);
+@@ -571,6 +571,7 @@ PHPAPI char *php_resolve_path(const char *filename, int filename_length, const c
+ while ((--exec_fname_length >= 0) && !IS_SLASH(exec_fname[exec_fname_length]));
+ if (exec_fname && exec_fname[0] != '[' &&
+ exec_fname_length > 0 &&
++ filename_length < (MAXPATHLEN - 2) &&
+ exec_fname_length + 1 + filename_length + 1 < MAXPATHLEN) {
+ memcpy(trypath, exec_fname, exec_fname_length + 1);
+ memcpy(trypath+exec_fname_length + 1, filename, filename_length+1);
+--
+2.1.4
+
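Review bot: The new bounds checks in php_resolve_path reject an oversized filename_length but not a negative one: `filename_length > (MAXPATHLEN - 2)` is a signed comparison that a negative value passes, and the `(size_t)filename_length` cast that follows turns it into a very large value whose sum can wrap back below MAXPATHLEN. In that case the `memcpy(..., filename, filename_length+1)` calls still receive a negative length converted to size_t, which is the condition the patch title describes. The same gap applies to the `else` branch check and to the exec_fname condition, where `filename_length < (MAXPATHLEN - 2)` is also true for negative values. Whether a negative length can reach this code depends on the validation before the early `return NULL`, which lies outside the hunks shown; if it is not rejected there, prepend `filename_length < 0 ||` to the two rejecting conditions and add `filename_length >= 0 &&` to the exec_fname condition. The `(size_t)len` cast in the `else` branch is redundant now that `len` is declared `size_t`.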