From a2713f204e1202b6844c114a005c304aafb008c7 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 10 Sep 2016 10:14:22 +0200
Subject: PHP 5.5.38 + security patches from 5.6.25

---
 bug72836.patch | 56 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 bug72836.patch

(limited to 'bug72836.patch')

diff --git a/bug72836.patch b/bug72836.patch
new file mode 100644
index 0000000..ad6b486
--- /dev/null
+++ b/bug72836.patch
@@ -0,0 +1,56 @@
+Backported from 5.6.25 by Remi.
+
+From f973877a2f8d58b857f0f02b8a88a2ee05a1cbb0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 14 Aug 2016 23:13:30 -0700
+Subject: [PATCH] Fix bug #72836 - integer overflow in base64_decode caused
+ heap corruption
+
+---
+ ext/standard/base64.c               |   5 +
+ sapi/cli/generate_mime_type_map.php |  76 +++++++
+ sapi/fpm/www.conf.in                | 413 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 494 insertions(+)
+ create mode 100644 sapi/cli/generate_mime_type_map.php
+ create mode 100644 sapi/fpm/www.conf.in
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index a40b866..8340ed1 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -66,6 +66,11 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ 		return NULL;
+ 	}
+ 
++	if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
++		return NULL;
++	}
++
+ 	result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1);
+ 	p = result;
+ 
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c    | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index 8340ed1..b30a5b7 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -67,6 +67,7 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ 	}
+ 
+ 	if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++		TSRMLS_FETCH();
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
+ 		return NULL;
+ 	}
+
-- 
cgit