PHP 5.5.38 with 15 security fix from 5.6.27

author: Remi Collet <fedora@famillecollet.com> 2016-10-15 10:17:16 +0200
committer: Remi Collet <fedora@famillecollet.com> 2016-10-15 10:17:16 +0200
commit: bec6bca2de5aaf1a1b186722901dc75ec1529fea (patch)
tree: 1c6c37099f22c30b3999754d8adbe0bfba02ba8c /bug73276.patch
parent: b52e0db9c0cf11f6eda1e00f2d5292a0ac78424c (diff)
1 files changed, 42 insertions, 0 deletions
diff --git a/bug73276.patch b/bug73276.patch
new file mode 100644
index 0000000..3f5fd3c
--- /dev/null
+++ b/bug73276.patch
@@ -0,0 +1,42 @@
+Backported from 5.6.27 by Remi.
+
+
+From 85a22a0af0722ef3a8d49a056a0b2b18be1fb981 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 11 Oct 2016 13:37:47 -0700
+Subject: [PATCH] Fix bug #73276 - crash in openssl_random_pseudo_bytes
+ function
+
+---
+ ext/openssl/openssl.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
+index 33593e7..01f2a09 100644
+--- a/ext/openssl/openssl.c
++++ b/ext/openssl/openssl.c
+@@ -5145,16 +5145,16 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
+ 		return;
+ 	}
+ 
+-	if (buffer_length <= 0) {
+-		RETURN_FALSE;
+-	}
+-
+ 	if (zstrong_result_returned) {
+ 		zval_dtor(zstrong_result_returned);
+ 		ZVAL_BOOL(zstrong_result_returned, 0);
+ 	}
+ 
+-	buffer = emalloc(buffer_length + 1);
++	if (buffer_length <= 0 || buffer_length > INT_MAX) {
++		RETURN_FALSE;
++	}
++
++	buffer = safe_emalloc(buffer_length, 1, 1);
+ 
+ #ifdef PHP_WIN32
+ 	/* random/urandom equivalent on Windows */
+-- 
+2.1.4
+
author	Remi Collet <fedora@famillecollet.com>	2016-10-15 10:17:16 +0200
committer	Remi Collet <fedora@famillecollet.com>	2016-10-15 10:17:16 +0200
commit	bec6bca2de5aaf1a1b186722901dc75ec1529fea (patch)
tree	1c6c37099f22c30b3999754d8adbe0bfba02ba8c /bug73276.patch
parent	b52e0db9c0cf11f6eda1e00f2d5292a0ac78424c (diff)