summaryrefslogtreecommitdiffstats
path: root/php-bug78876.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2020-05-12 09:39:44 +0200
committerRemi Collet <remi@remirepo.net>2020-05-12 09:39:44 +0200
commit96f0db9b53d1d623da2c16fc4c20ac81344fcaf0 (patch)
tree587fdd08549b2e2c541bb4c9b7b96ff560f3b12c /php-bug78876.patch
parent36ed7de241108565abe38ab34cbde52139f547e6 (diff)
Core:
Fix #78875 Long filenames cause OOM and temp files are not cleaned CVE-2019-11048 Fix #78876 Long variables in multipart/form-data cause OOM and temp files are not cleaned
Diffstat (limited to 'php-bug78876.patch')
-rw-r--r--php-bug78876.patch74
1 files changed, 74 insertions, 0 deletions
diff --git a/php-bug78876.patch b/php-bug78876.patch
new file mode 100644
index 0000000..d6333b5
--- /dev/null
+++ b/php-bug78876.patch
@@ -0,0 +1,74 @@
+From 07007c74a4f30407668548bfb8ab67eb48fcb2f3 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 18 Mar 2020 10:57:42 +0100
+Subject: [PATCH] Fix #78876: Long variables cause OOM and temp files are not
+ cleaned
+
+We use the proper type for size calculations, which is `size_t`.
+
+(cherry picked from commit 3c8582ca4b8e84e5647220b647914876d2c3b124)
+---
+ main/rfc1867.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index ee07ea557d..6159284311 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -614,7 +614,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
+ }
+
+ /* read until a boundary condition */
+-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
++static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
+ {
+ size_t len, max;
+ char *bound;
+@@ -653,7 +653,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ self->buf_begin += len;
+ }
+
+- return (int)len;
++ return len;
+ }
+
+ /*
+@@ -663,7 +663,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
+ static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
+ {
+ char buf[FILLUNIT], *out=NULL;
+- int total_bytes=0, read_bytes=0;
++ size_t total_bytes=0, read_bytes=0;
+
+ while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
+ out = erealloc(out, total_bytes + read_bytes + 1);
+From c2776813404fbf5d35e3cc7b3d831f449887b0e5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 11 May 2020 14:28:51 -0700
+Subject: [PATCH] Update NEWS
+
+(cherry picked from commit b4afd21428e09133228fd84bf048157526c2c705)
+(cherry picked from commit f1a89efe27650b62d58fceb77252480b19da6555)
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 6310d94581..e153539d98 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+
++Backported from 7.2.31
++
++- Core:
++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
++ (CVE-2019-11048) (cmb)
++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
++ files are not cleaned). (CVE-2019-11048) (cmb)
++
+ Backported from 7.2.30
+
+ - Standard: