path: root/php-bug78875.patch
blob: 2d8f900a927b24c938e853e8414507049365de2f (plain)
From a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 13 May 2020 09:03:49 +0200
Subject: [PATCH] Backports from 7.2.31

 Fix #78875: Long filenames cause OOM and temp files are not cleaned
(from 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)

 Fix #78876: Long variables cause OOM and temp files are not cleaned
(from 3c8582ca4b8e84e5647220b647914876d2c3b124)
---
 NEWS           | 8 ++++++++
 main/rfc1867.c | 9 +++++----
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index 281b52fe76..b53c9e28cb 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,14 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
+Backported from 7.2.31
+
+- Core:
+  . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
+    (CVE-2019-11048) (cmb)
+  . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
+    files are not cleaned). (CVE-2019-11048) (cmb)
+
 Backported from 7.2.30
 
 - Standard:
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 0ddf0ed8f0..fb3035072a 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -609,9 +609,9 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
 }
 
 /* read until a boundary condition */
-static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
+static unsigned int multipart_buffer_read(multipart_buffer *self, char *buf, unsigned int bytes, int *end TSRMLS_DC)
 {
-	int len, max;
+	unsigned int len, max;
 	char *bound;
 
 	/* fill buffer if needed */
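Review bot: Making `bytes`, `len` and `max` `unsigned int` changes how every comparison and subtraction involving them is evaluated, and the function body that uses them continues outside this hunk, so that arithmetic cannot be checked from here. If the body subtracts from `bytes` or compares these values with a signed field of `multipart_buffer`, the operation is now done in unsigned arithmetic and a zero or negative operand becomes a very large number; it is worth confirming each such expression. Only one caller, `multipart_buffer_read_body`, is adjusted in this patch, so any other caller that still stores the return value in an `int` should be checked as well. The same question applies to `array_len` in the `rfc1867_post_handler` hunk, where the sibling `boundary_len` stays signed. A short comment above the signature would record the new contract, for example `/* lengths are unsigned; callers must pass bytes >= 1 and keep the result in an unsigned type */`, to be adjusted to what the body actually requires.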
@@ -658,7 +658,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i
 static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC)
 {
 	char buf[FILLUNIT], *out=NULL;
-	int total_bytes=0, read_bytes=0;
+	unsigned int total_bytes=0, read_bytes=0;
 
 	while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
 		out = erealloc(out, total_bytes + read_bytes + 1);
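Review bot: The allocation size on the last visible line, `total_bytes + read_bytes + 1`, is now computed in `unsigned int`, so rather than turning negative it would wrap modulo 2^32 and ask `erealloc` for a buffer smaller than the data already accumulated. Nothing in this hunk caps `total_bytes`; unless a request-size limit elsewhere guarantees the sum stays below `UINT_MAX`, an explicit guard before the allocation would make that assumption visible, for example `if (read_bytes >= UINT_MAX - total_bytes) break;` with the oversized part then rejected by the caller. The rest of the loop body and the function's return path are outside the hunk, so how the copy and the final length are handled could not be checked here.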
@@ -684,7 +684,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
 {
 	char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
 	char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
-	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
+	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
+	unsigned int array_len = 0;
 	int64_t total_bytes = 0, max_file_size = 0;
 	int skip_upload = 0, anonindex = 0, is_anonymous;
 	zval *http_post_files = NULL;