From a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Wed, 13 May 2020 09:03:49 +0200 Subject: [PATCH] Backports from 7.2.31 Fix #78875: Long filenames cause OOM and temp files are not cleaned (from 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87) Fix #78876: Long variables cause OOM and temp files are not cleaned (from 3c8582ca4b8e84e5647220b647914876d2c3b124) --- NEWS | 8 ++++++++ main/rfc1867.c | 9 +++++---- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 281b52fe76..b53c9e28cb 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,14 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +Backported from 7.2.31 + +- Core: + . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). + (CVE-2019-11048) (cmb) + . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp + files are not cleaned). (CVE-2019-11048) (cmb) + Backported from 7.2.30 - Standard: diff --git a/main/rfc1867.c b/main/rfc1867.c index 0ddf0ed8f0..fb3035072a 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -609,9 +609,9 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne } /* read until a boundary condition */ -static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC) +static unsigned int multipart_buffer_read(multipart_buffer *self, char *buf, unsigned int bytes, int *end TSRMLS_DC) { - int len, max; + unsigned int len, max; char *bound; /* fill buffer if needed */ @@ -658,7 +658,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC) { char buf[FILLUNIT], *out=NULL; - int total_bytes=0, read_bytes=0; + unsigned int total_bytes=0, read_bytes=0; while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) { out = erealloc(out, total_bytes + read_bytes + 1); @@ -684,7 +684,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ { char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL; - int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; + int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0; + unsigned int array_len = 0; int64_t total_bytes = 0, max_file_size = 0; int skip_upload = 0, anonindex = 0, is_anonymous; zval *http_post_files = NULL;