From d9b67ab38a64fbfc9f4e78c2ac10778a973e6e47 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Sun, 29 May 2016 09:34:18 +0200
Subject: PHP 5.4.45 + security fix from 5.5.36
---
bugoverflow.patch | 37 +++++++++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 bugoverflow.patch
(limited to 'bugoverflow.patch')
diff --git a/bugoverflow.patch b/bugoverflow.patch
new file mode 100644
index 0000000..e803c53
--- /dev/null
+++ b/bugoverflow.patch
@@ -0,0 +1,37 @@
+Backported from 5.5 for 5.4 by Remi Collet
+
+
+From 41fc3c76e97a36ff3b505da7d704ca17bb171fdf Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 9 May 2016 22:17:20 -0700
+Subject: [PATCH] Add check for string overflow to all string add operations
+
+---
+ Zend/zend_operators.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c
+index e0812fc..2f1394f 100644
+--- a/Zend/zend_operators.c
++++ b/Zend/zend_operators.c
+@@ -1199,6 +1199,10 @@ ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2)
+ int length = Z_STRLEN_P(op1) + 1;
+ char *buf;
+
++ if (UNEXPECTED(length < 0)) {
++ zend_error(E_ERROR, "String size overflow");
++ }
++
+ if (IS_INTERNED(Z_STRVAL_P(op1))) {
+ buf = (char *) emalloc(length + 1);
+ memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
+@@ -1218,6 +1222,9 @@ ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2
+ int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
+ char *buf;
+
++ if (UNEXPECTED(length < 0)) {
++ zend_error(E_ERROR, "String size overflow");
++ }
+ if (IS_INTERNED(Z_STRVAL_P(op1))) {
+ buf = (char *) emalloc(length+1);
+ memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
-- cgit
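Review bot: The added `length < 0` guard in add_char_to_string and add_string_to_string is evaluated only after the signed `int` addition has been performed, so it relies on wraparound that C leaves undefined. It also still admits `length == INT_MAX`, in which case the visible `emalloc(length + 1)` overflows a second time. Testing the operands before adding closes both gaps, for example `if (UNEXPECTED(Z_STRLEN_P(op1) > INT_MAX - 1 - Z_STRLEN_P(op2)))` in add_string_to_string and `if (UNEXPECTED(Z_STRLEN_P(op1) >= INT_MAX - 1))` in add_char_to_string. This assumes Z_STRLEN_P yields a non-negative `int`, as the `int length` declarations suggest. Both function bodies continue outside the hunks, so the non-interned branch is not visible here and its allocation size deserves the same check.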