From 07007c74a4f30407668548bfb8ab67eb48fcb2f3 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Wed, 18 Mar 2020 10:57:42 +0100
Subject: [PATCH] Fix #78876: Long variables cause OOM and temp files are not
 cleaned

We use the proper type for size calculations, which is `size_t`.

(cherry picked from commit 3c8582ca4b8e84e5647220b647914876d2c3b124)
---
 main/rfc1867.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/main/rfc1867.c b/main/rfc1867.c
index ee07ea557d..6159284311 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -614,7 +614,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
 }
 
 /* read until a boundary condition */
-static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
+static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end)
 {
 	size_t len, max;
 	char *bound;
@@ -653,7 +653,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
 		self->buf_begin += len;
 	}
 
-	return (int)len;
+	return len;
 }
 
 /*
@@ -663,7 +663,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes
 static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len)
 {
 	char buf[FILLUNIT], *out=NULL;
-	int total_bytes=0, read_bytes=0;
+	size_t total_bytes=0, read_bytes=0;
 
 	while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) {
 		out = erealloc(out, total_bytes + read_bytes + 1);
From c2776813404fbf5d35e3cc7b3d831f449887b0e5 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 11 May 2020 14:28:51 -0700
Subject: [PATCH] Update NEWS

(cherry picked from commit b4afd21428e09133228fd84bf048157526c2c705)
(cherry picked from commit f1a89efe27650b62d58fceb77252480b19da6555)
---
 NEWS | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/NEWS b/NEWS
index 6310d94581..e153539d98 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,14 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 
+Backported from 7.2.31
+
+- Core:
+  . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). 
+    (CVE-2019-11048) (cmb)
+  . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp 
+    files are not cleaned). (CVE-2019-11048) (cmb)
+
 Backported from 7.2.30
 
 - Standard: