summaryrefslogtreecommitdiffstats
path: root/bug72836.patch
blob: ad6b4863cd5118d4f8d0784d8e18d5311d410381 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
Backported from 5.6.25 by Remi.

From f973877a2f8d58b857f0f02b8a88a2ee05a1cbb0 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 14 Aug 2016 23:13:30 -0700
Subject: [PATCH] Fix bug #72836 - integer overflow in base64_decode caused
 heap corruption

---
 ext/standard/base64.c               |   5 +
 sapi/cli/generate_mime_type_map.php |  76 +++++++
 sapi/fpm/www.conf.in                | 413 ++++++++++++++++++++++++++++++++++++
 3 files changed, 494 insertions(+)
 create mode 100644 sapi/cli/generate_mime_type_map.php
 create mode 100644 sapi/fpm/www.conf.in

diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index a40b866..8340ed1 100644
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -66,6 +66,11 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
 		return NULL;
 	}
 
+	if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
+		return NULL;
+	}
+
 	result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1);
 	p = result;
 

From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 16 Aug 2016 16:34:35 -0700
Subject: [PATCH] Fix TSRM build

---
 ext/standard/base64.c | 1 +
 ext/standard/url.c    | 1 +
 2 files changed, 2 insertions(+)

diff --git a/ext/standard/base64.c b/ext/standard/base64.c
index 8340ed1..b30a5b7 100644
--- a/ext/standard/base64.c
+++ b/ext/standard/base64.c
@@ -67,6 +67,7 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
 	}
 
 	if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
+		TSRMLS_FETCH();
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
 		return NULL;
 	}