From 22b274864edbc4052b961c5d14beecf665b46c49 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 10 Sep 2016 10:14:22 +0200
Subject: PHP 5.5.38 + security patches from 5.6.25

---
 bug72838.patch | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 bug72838.patch

(limited to 'bug72838.patch')

diff --git a/bug72838.patch b/bug72838.patch
new file mode 100644
index 0000000..76e8386
--- /dev/null
+++ b/bug72838.patch
@@ -0,0 +1,28 @@
+Backported from 5.6.25 by Remi.
+
+From 6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 15 Aug 2016 23:43:59 -0700
+Subject: [PATCH] Fix bug #72838 - 	Integer overflow lead to heap
+ corruption in sql_regcase
+
+---
+ ext/ereg/ereg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
+index 5d38d04..8eb833a 100644
+--- a/ext/ereg/ereg.c
++++ b/ext/ereg/ereg.c
+@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
+ 	
+ 	for (i = j = 0; i < string_len; i++) {
+ 		c = (unsigned char) string[i];
++		if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++			efree(tmp);
++			RETURN_FALSE;
++		}
+ 		if (isalpha(c)) {
+ 			tmp[j++] = '[';
+ 			tmp[j++] = toupper(c);
-- 
cgit