From 22b274864edbc4052b961c5d14beecf665b46c49 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 10 Sep 2016 10:14:22 +0200
Subject: PHP 5.5.38 + security patches from 5.6.25

---
 bug72849.patch | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 bug72849.patch

(limited to 'bug72849.patch')

diff --git a/bug72849.patch b/bug72849.patch
new file mode 100644
index 0000000..f2cd26f
--- /dev/null
+++ b/bug72849.patch
@@ -0,0 +1,51 @@
+Backported from 5.6.25 by Remi.
+
+From dc223e524d640167c0f12e942eb52cabd6f89ee4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 15:58:05 -0700
+Subject: [PATCH] Fixed bug #72849 - integer overflow in urlencode
+
+---
+ ext/standard/url.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 4b52000..8e471e1 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ 			*to++ = c;
+ 		}
+ 	}
++
++	if ((to-start) > INT_MAX) {
++		/* E_ERROR since most clients won't check for error, and this is rather rare condition */
++		php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
++	}
++
+ 	*to = 0;
+ 	if (new_length) {
+ 		*new_length = to - start;
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c    | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 8e471e1..dd861a5 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -522,6 +522,7 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ 	}
+ 
+ 	if ((to-start) > INT_MAX) {
++		TSRMLS_FETCH();
+ 		/* E_ERROR since most clients won't check for error, and this is rather rare condition */
+ 		php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
+ 	}
-- 
cgit