summaryrefslogtreecommitdiffstats
path: root/bugoverflow.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-05-29 09:34:18 +0200
committerRemi Collet <fedora@famillecollet.com>2016-05-29 09:34:18 +0200
commitd9b67ab38a64fbfc9f4e78c2ac10778a973e6e47 (patch)
treea80b3783589b6f43074252cdeefe722987d48fda /bugoverflow.patch
parent513a4869326566f785a234bf584848af46e663c8 (diff)
PHP 5.4.45 + security fix from 5.5.36
Diffstat (limited to 'bugoverflow.patch')
-rw-r--r--bugoverflow.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/bugoverflow.patch b/bugoverflow.patch
new file mode 100644
index 0000000..e803c53
--- /dev/null
+++ b/bugoverflow.patch
@@ -0,0 +1,37 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+
+From 41fc3c76e97a36ff3b505da7d704ca17bb171fdf Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 9 May 2016 22:17:20 -0700
+Subject: [PATCH] Add check for string overflow to all string add operations
+
+---
+ Zend/zend_operators.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
+index e0812fc..2f1394f 100644
+--- a/Zend/zend_operators.c
++++ b/Zend/zend_operators.c
+@@ -1199,6 +1199,10 @@ ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2)
+ int length = Z_STRLEN_P(op1) + 1;
+ char *buf;
+
++ if (UNEXPECTED(length < 0)) {
++ zend_error(E_ERROR, "String size overflow");
++ }
++
+ if (IS_INTERNED(Z_STRVAL_P(op1))) {
+ buf = (char *) emalloc(length + 1);
+ memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
+@@ -1218,6 +1222,9 @@ ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2
+ int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
+ char *buf;
+
++ if (UNEXPECTED(length < 0)) {
++ zend_error(E_ERROR, "String size overflow");
++ }
+ if (IS_INTERNED(Z_STRVAL_P(op1))) {
+ buf = (char *) emalloc(length+1);
+ memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));