From 29b3876a0aad27a65e853fd0be4bdc7647dee444 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Wed, 18 Mar 2020 10:57:42 +0100 Subject: [PATCH] Fix #78876: Long variables cause OOM and temp files are not cleaned We use the proper type for size calculations, which is `size_t`. (cherry picked from commit 3c8582ca4b8e84e5647220b647914876d2c3b124) --- main/rfc1867.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/main/rfc1867.c b/main/rfc1867.c index 14ffbea9f4..1742b9c0a9 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -616,7 +616,7 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne } /* read until a boundary condition */ -static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end) +static size_t multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes, int *end) { size_t len, max; char *bound; @@ -655,7 +655,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes self->buf_begin += len; } - return (int)len; + return len; } /* @@ -665,7 +665,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, size_t bytes static char *multipart_buffer_read_body(multipart_buffer *self, size_t *len) { char buf[FILLUNIT], *out=NULL; - int total_bytes=0, read_bytes=0; + size_t total_bytes=0, read_bytes=0; while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL))) { out = erealloc(out, total_bytes + read_bytes + 1); From f1a89efe27650b62d58fceb77252480b19da6555 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 11 May 2020 14:28:51 -0700 Subject: [PATCH] Update NEWS (cherry picked from commit b4afd21428e09133228fd84bf048157526c2c705) --- NEWS | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/NEWS b/NEWS index cc1e992229..19fbb3adf2 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,14 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +Backported from 7.2.31 + +- Core: + . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). + (CVE-2019-11048) (cmb) + . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp + files are not cleaned). (CVE-2019-11048) (cmb) + Backported from 7.2.30 - Standard: