From a2713f204e1202b6844c114a005c304aafb008c7 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Sat, 10 Sep 2016 10:14:22 +0200 Subject: PHP 5.5.38 + security patches from 5.6.25 --- bug72807.patch | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 bug72807.patch (limited to 'bug72807.patch') diff --git a/bug72807.patch b/bug72807.patch new file mode 100644 index 0000000..6350b7f --- /dev/null +++ b/bug72807.patch @@ -0,0 +1,60 @@ +Backported from 5.6.25 by Remi. + +From 791a98eb1c66d2340b4e897ab60e4a6700435b5b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 11 Aug 2016 23:36:25 -0700 +Subject: [PATCH] Fix for bug #72807 - do not produce strings with negative + length + +--- + Zend/zend_API.h | 7 +++++-- + ext/curl/interface.c | 4 ++++ + 2 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/Zend/zend_API.h b/Zend/zend_API.h +index a56075e..e17be4c 100644 +--- a/Zend/zend_API.h ++++ b/Zend/zend_API.h +@@ -444,7 +444,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval + #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC) + #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC) + #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC) +-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC) ++#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC) + + + ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC); +@@ -455,7 +455,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache; + + /** Build zend_call_info/cache from a zval* + * +- * Caller is responsible to provide a return value, otherwise the we will crash. ++ * Caller is responsible to provide a return value, otherwise the we will crash. + * fci->retval_ptr_ptr = NULL; + * In order to pass parameters the following members need to be set: + * fci->param_count = 0; +@@ -575,6 +575,9 @@ END_EXTERN_C() + const char *__s=(s); \ + zval *__z = (z); \ + Z_STRLEN_P(__z) = strlen(__s); \ ++ if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \ ++ zend_error(E_ERROR, "String size overflow"); \ ++ } \ + Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\ + Z_TYPE_P(__z) = IS_STRING; \ + } while (0) +diff --git a/ext/curl/interface.c b/ext/curl/interface.c +index c7112a0..062f996 100644 +--- a/ext/curl/interface.c ++++ b/ext/curl/interface.c +@@ -3506,6 +3506,10 @@ PHP_FUNCTION(curl_escape) + ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl); + + if ((res = curl_easy_escape(ch->cp, str, str_len))) { ++ if (strlen(res) > INT_MAX) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX); ++ RETURN_FALSE; ++ } + RETVAL_STRING(res, 1); + curl_free(res); + } else { -- cgit