summaryrefslogtreecommitdiffstats
path: root/php-bug78069.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-05-28 09:44:37 +0200
committerRemi Collet <remi@remirepo.net>2019-05-28 09:44:37 +0200
commit0f167a2d74cabee751a1df1ca46c9da24f77f67e (patch)
treefffd907f1b7ea6c71261a5275e5081a626753106 /php-bug78069.patch
parent6473f47b900bb9d2c3d7ba6fb7420a2c207b1524 (diff)
- iconv:
Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() CVE-2019-11039 - exif: Fix #77988 Heap-buffer-overflow on php_jpg_get16 CVE-2019-11040 - sqlite3: Fix #77967 Bypassing open_basedir restrictions via file uris
Diffstat (limited to 'php-bug78069.patch')
-rw-r--r--php-bug78069.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/php-bug78069.patch b/php-bug78069.patch
new file mode 100644
index 0000000..2e816c9
--- /dev/null
+++ b/php-bug78069.patch
@@ -0,0 +1,36 @@
+Without test as binary patch not supported
+
+
+
+
+From 17d5e269dabc704c1cf24ebb03056142e28c9bfe Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 27 May 2019 16:32:42 -0700
+Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in
+ iconv.c:_php_iconv_mime_decode() due to integer overflow
+
+(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac)
+---
+ ext/iconv/iconv.c | 4 +++-
+ ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes
+ ext/iconv/tests/bug78069.phpt | 15 +++++++++++++++
+ 3 files changed, 18 insertions(+), 1 deletion(-)
+ create mode 100644 ext/iconv/tests/bug78069.data
+ create mode 100644 ext/iconv/tests/bug78069.phpt
+
+diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c
+index ea619aa227..06145348f2 100644
+--- a/ext/iconv/iconv.c
++++ b/ext/iconv/iconv.c
+@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st
+ * we can do at this point. */
+ if (*(p1 + 1) == '=') {
+ ++p1;
+- --str_left;
++ if (str_left > 1) {
++ --str_left;
++ }
+ }
+
+ err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
+