authorRemi Collet <fedora@famillecollet.com>2016-09-10 10:14:22 +0200
committerRemi Collet <fedora@famillecollet.com>2016-09-10 10:14:22 +0200
commit22b274864edbc4052b961c5d14beecf665b46c49 (patch)
tree51cade07b0ae4c8d112ceb52d0512f7f05e79d3c /bug72849.patch
parent7eeeb6e96a8354ae5c553662e96a1bfcf3bb9b65 (diff)
PHP 5.5.38 + security patches from 5.6.25
Diffstat (limited to 'bug72849.patch')
-rw-r--r--bug72849.patch51
1 files changed, 51 insertions, 0 deletions
diff --git a/bug72849.patch b/bug72849.patch
new file mode 100644
index 0000000..f2cd26f
--- /dev/null
+++ b/bug72849.patch
@@ -0,0 +1,51 @@
+Backported from 5.6.25 by Remi.
+
+From dc223e524d640167c0f12e942eb52cabd6f89ee4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 15:58:05 -0700
+Subject: [PATCH] Fixed bug #72849 - integer overflow in urlencode
+
+---
+ ext/standard/url.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 4b52000..8e471e1 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ *to++ = c;
+ }
+ }
++
++ if ((to-start) > INT_MAX) {
++ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
++ }
++
+ *to = 0;
+ if (new_length) {
+ *new_length = to - start;
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 8e471e1..dd861a5 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -522,6 +522,7 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ }
+
+ if ((to-start) > INT_MAX) {
++ TSRMLS_FETCH();
+ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
+ }
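Review bot: The second embedded patch ("Fix TSRM build") lists `ext/standard/base64.c | 1 +` and "2 files changed" in its diffstat, but this file carries only the url.c hunk, so the header no longer matches the content. If the base64.c `TSRMLS_FETCH();` is carried in a companion patch, say so on the first line, e.g. `Backported from 5.6.25 by Remi (base64.c part of the TSRM fix is in <other-patch-file>).`; otherwise a ZTS build that also received the base64 overflow check would presumably fail for lack of the fetch. Separately, the guard `(to-start) > INT_MAX` runs only after the encode loop has filled the buffer, so it protects the `int` value stored through `new_length` rather than the writes themselves. The allocation that bounds those writes is outside the hunk and should be confirmed against `len` when reviewing this backport.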