From 96f0db9b53d1d623da2c16fc4c20ac81344fcaf0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 12 May 2020 09:39:44 +0200 Subject: Core: Fix #78875 Long filenames cause OOM and temp files are not cleaned CVE-2019-11048 Fix #78876 Long variables in multipart/form-data cause OOM and temp files are not cleaned --- php-bug78876.patch | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 74 insertions(+) create mode 100644 php-bug78876.patch (limited to 'php-bug78876.patch') diff --git a/php-bug78876.patch b/php-bug78876.patch new file mode 100644 index 0000000..d6333b5 --- /dev/null +++ b/php-bug78876.patch @@ -0,0 +1,74 @@ +From 07007c74a4f30407668548bfb8ab67eb48fcb2f3 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 18 Mar 2020 10:57:42 +0100 +Subject: [PATCH] Fix #78876: Long variables cause OOM and temp files are not + cleaned + +We use the proper type for size calculations, which is `size_t`. + +(cherry picked from commit 3c8582ca4b8e84e5647220b647914876d2c3b124) +--- + main/rfc1867.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/main/rfc1867.c b/main/rfc1867.c +index ee07ea557d..6159284311 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -614,7 +614,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne + } + + /* read until a boundary condition */ +-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end) ++static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end) + { + size_t len, max; + char *bound; +@@ -653,7 +653,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes + self->buf_begin += len; + } + +- return (int)len; ++ return len; + } + + /* +@@ -663,7 +663,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes + static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len) + { + char buf[FILLUNIT], *out=NULL; +- int total_bytes=0, read_bytes=0; ++ size_t total_bytes=0, read_bytes=0; + + while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) { + out = erealloc(out, total_bytes + read_bytes + 1); +From c2776813404fbf5d35e3cc7b3d831f449887b0e5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 11 May 2020 14:28:51 -0700 +Subject: [PATCH] Update NEWS + +(cherry picked from commit b4afd21428e09133228fd84bf048157526c2c705) +(cherry picked from commit f1a89efe27650b62d58fceb77252480b19da6555) +--- + NEWS | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/NEWS b/NEWS +index 6310d94581..e153539d98 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,14 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.31 ++ ++- Core: ++ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). ++ (CVE-2019-11048) (cmb) ++ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp ++ files are not cleaned). (CVE-2019-11048) (cmb) ++ + Backported from 7.2.30 + + - Standard: -- cgit