diff options
author | Remi Collet <fedora@famillecollet.com> | 2016-05-29 09:34:18 +0200 |
---|---|---|
committer | Remi Collet <fedora@famillecollet.com> | 2016-05-29 09:34:18 +0200 |
commit | 003b71973f17c66ab9544546f693f290dbfa300e (patch) | |
tree | 75b71e51c9b28406c3353f1e49b15a91692ce396 /bugoverflow.patch | |
parent | 47446838b70413bf7cc52f145c523b56a80602b3 (diff) |
PHP 5.4.45 + security fix from 5.5.36
Diffstat (limited to 'bugoverflow.patch')
-rw-r--r-- | bugoverflow.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/bugoverflow.patch b/bugoverflow.patch new file mode 100644 index 0000000..e803c53 --- /dev/null +++ b/bugoverflow.patch @@ -0,0 +1,37 @@ +Backported from 5.5 for 5.4 by Remi Collet + + +From 41fc3c76e97a36ff3b505da7d704ca17bb171fdf Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 9 May 2016 22:17:20 -0700 +Subject: [PATCH] Add check for string overflow to all string add operations + +--- + Zend/zend_operators.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/Zend/zend_operators.c b/Zend/zend_operators.c +index e0812fc..2f1394f 100644 +--- a/Zend/zend_operators.c ++++ b/Zend/zend_operators.c +@@ -1199,6 +1199,10 @@ ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2) + int length = Z_STRLEN_P(op1) + 1; + char *buf; + ++ if (UNEXPECTED(length < 0)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } ++ + if (IS_INTERNED(Z_STRVAL_P(op1))) { + buf = (char *) emalloc(length + 1); + memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1)); +@@ -1218,6 +1222,9 @@ ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2 + int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2); + char *buf; + ++ if (UNEXPECTED(length < 0)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } + if (IS_INTERNED(Z_STRVAL_P(op1))) { + buf = (char *) emalloc(length+1); + memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1)); |