Backported from 5.6.25 by Remi. From f973877a2f8d58b857f0f02b8a88a2ee05a1cbb0 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 14 Aug 2016 23:13:30 -0700 Subject: [PATCH] Fix bug #72836 - integer overflow in base64_decode caused heap corruption --- ext/standard/base64.c | 5 + sapi/cli/generate_mime_type_map.php | 76 +++++++ sapi/fpm/www.conf.in | 413 ++++++++++++++++++++++++++++++++++++ 3 files changed, 494 insertions(+) create mode 100644 sapi/cli/generate_mime_type_map.php create mode 100644 sapi/fpm/www.conf.in diff --git a/ext/standard/base64.c b/ext/standard/base64.c index a40b866..8340ed1 100644 --- a/ext/standard/base64.c +++ b/ext/standard/base64.c @@ -66,6 +66,11 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in return NULL; } + if (((size_t)length + 2) / 3 > INT_MAX/4 ) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4); + return NULL; + } + result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1); p = result; From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 16 Aug 2016 16:34:35 -0700 Subject: [PATCH] Fix TSRM build --- ext/standard/base64.c | 1 + ext/standard/url.c | 1 + 2 files changed, 2 insertions(+) diff --git a/ext/standard/base64.c b/ext/standard/base64.c index 8340ed1..b30a5b7 100644 --- a/ext/standard/base64.c +++ b/ext/standard/base64.c @@ -67,6 +67,7 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in } if (((size_t)length + 2) / 3 > INT_MAX/4 ) { + TSRMLS_FETCH(); php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4); return NULL; }