summaryrefslogtreecommitdiffstats
path: root/bug72837.patch
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-09-10 10:14:22 +0200
committerRemi Collet <fedora@famillecollet.com>2016-09-10 10:14:22 +0200
commit22b274864edbc4052b961c5d14beecf665b46c49 (patch)
tree51cade07b0ae4c8d112ceb52d0512f7f05e79d3c /bug72837.patch
parent7eeeb6e96a8354ae5c553662e96a1bfcf3bb9b65 (diff)
PHP 5.5.38 + security patches from 5.6.25
Diffstat (limited to 'bug72837.patch')
-rw-r--r--bug72837.patch45
1 files changed, 45 insertions, 0 deletions
diff --git a/bug72837.patch b/bug72837.patch
new file mode 100644
index 0000000..2dfe6f4
--- /dev/null
+++ b/bug72837.patch
@@ -0,0 +1,45 @@
+Backported from 5.6.25 by Remi.
+
+From 69236ea9793b76b778c6cd64748cfee817521118 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 15 Aug 2016 23:17:26 -0700
+Subject: [PATCH] Fix bug #72837 - integer overflow in bzdecompress caused heap
+ corruption
+
+---
+ ext/bz2/bz2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
+index 54b59f7..79ec3ec 100644
+--- a/ext/bz2/bz2.c
++++ b/ext/bz2/bz2.c
+@@ -573,15 +573,25 @@ static PHP_FUNCTION(bzdecompress)
+ /* compression is better then 2:1, need to allocate more memory */
+ bzs.avail_out = source_len;
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
++ if (size > INT_MAX) {
++ /* no reason to continue if we're going to drop it anyway */
++ break;
++ }
+ dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );
+ bzs.next_out = dest + size;
+ }
+
+ if (error == BZ_STREAM_END || error == BZ_OK) {
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
+- dest = safe_erealloc(dest, 1, (size_t) size, 1);
+- dest[size] = '\0';
+- RETVAL_STRINGL(dest, (int) size, 0);
++ if (size > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX);
++ efree(dest);
++ RETVAL_LONG(BZ_MEM_ERROR);
++ } else {
++ dest = safe_erealloc(dest, 1, (size_t) size, 1);
++ dest[size] = '\0';
++ RETVAL_STRINGL(dest, (int) size, 0);
++ }
+ } else { /* real error */
+ efree(dest);
+ RETVAL_LONG(error);