summaryrefslogtreecommitdiffstats
path: root/bug72400.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-06-21 16:18:39 +0200
committerRemi Collet <fedora@famillecollet.com>2016-06-21 16:18:39 +0200
commit436225969c85449d3352c91b972a5e31828f68f0 (patch)
tree90f72b9e60d6e6465d78003477d3f125182f5fe5 /bug72400.patch
parentd9b67ab38a64fbfc9f4e78c2ac10778a973e6e47 (diff)
php 5.4: backport patch from 5.5.37 (wip)
Diffstat (limited to 'bug72400.patch')
-rw-r--r--bug72400.patch113
1 files changed, 113 insertions, 0 deletions
diff --git a/bug72400.patch b/bug72400.patch
new file mode 100644
index 0000000..363a598
--- /dev/null
+++ b/bug72400.patch
@@ -0,0 +1,113 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From 88746d60ab3ad51797612ee62603bb3e08d4aac4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 15 Jun 2016 21:46:46 -0700
+Subject: [PATCH] Fix bug #72400 and #72403 - prevent signed int overflows for
+ string lengths
+
+---
+ ext/standard/string.c | 25 ++++++++++++--
+ ext/standard/url.c | 96 +++++++++++++++++++++++++++------------------------
+ 2 files changed, 72 insertions(+), 49 deletions(-)
+
+diff --git a/ext/standard/string.c b/ext/standard/string.c
+index 63eede1..acb6a01 100644
+--- a/ext/standard/string.c
++++ b/ext/standard/string.c
+@@ -137,6 +137,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t *
+ register unsigned char *result = NULL;
+ size_t i, j;
+
++ if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) {
++ zend_error(E_ERROR, "String size overflow");
++ }
+ result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1);
+
+ for (i = j = 0; i < oldlen; i++) {
+@@ -2602,6 +2605,7 @@ PHP_FUNCTION(quotemeta)
+ char *p, *q;
+ char c;
+ int old_len;
++ size_t new_len;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) {
+ return;
+@@ -2636,8 +2640,13 @@ PHP_FUNCTION(quotemeta)
+ }
+ }
+ *q = 0;
++ new_len = q - str;
++ if (UNEXPECTED(new_len > INT_MAX)) {
++ efree(str);
++ zend_error(E_ERROR, "String size overflow");
++ }
+
+- RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0);
++ RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0);
+ }
+ /* }}} */
+
+@@ -3539,7 +3548,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
+ char *source, *target;
+ char *end;
+ char c;
+- int newlen;
++ size_t newlen;
+
+ if (!wlength) {
+ wlength = strlen(what);
+@@ -3570,11 +3579,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s
+ }
+ *target = 0;
+ newlen = target - new_str;
++ if (UNEXPECTED(newlen > INT_MAX)) {
++ efree(new_str);
++ zend_error(E_ERROR, "String size overflow");
++ }
+ if (target - new_str < length * 4) {
+ new_str = erealloc(new_str, newlen + 1);
+ }
+ if (new_length) {
+- *new_length = newlen;
++ *new_length = (int)newlen;
+ }
+ if (should_free) {
+ STR_FREE((char*)str);
+@@ -3626,6 +3639,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f
+
+ *target = 0;
+ *new_length = target - new_str;
++ if (UNEXPECTED(*new_length < 0)) {
++ zend_error(E_ERROR, "String size overflow");
++ }
+ if (should_free) {
+ STR_FREE(str);
+ }
+@@ -4329,6 +4345,9 @@ PHP_FUNCTION(nl2br)
+ size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1);
+
+ new_length = str_len + repl_cnt * repl_len;
++ if (UNEXPECTED(new_length > INT_MAX)) {
++ zend_error(E_ERROR, "String size overflow");
++ }
+ tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1);
+ }
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 27a216a..fc3f080 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -626,6 +626,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
+ if (new_length) {
+ *new_length = y;
+ }
++ if (UNEXPECTED(y > INT_MAX)) {
++ efree(str);
++ zend_error(E_ERROR, "String size overflow");
++ }
+ return ((char *) str);
+ }
+ /* }}} */
+