From 53a86c2a4f553385955475c30a25a2b0a50284f4 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Thu, 23 Jun 2016 15:53:37 +0200 Subject: PHP 5.4.45 with security fix from 5.5.37 --- bug72455.patch | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 bug72455.patch (limited to 'bug72455.patch') diff --git a/bug72455.patch b/bug72455.patch new file mode 100644 index 0000000..e3c3660 --- /dev/null +++ b/bug72455.patch @@ -0,0 +1,39 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From 6c5211a0cef0cc2854eaa387e0eb036e012904d0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 20 Jun 2016 21:51:42 -0700 +Subject: [PATCH] Fix bug #72455: Heap Overflow due to integer overflows + +--- + ext/mcrypt/mcrypt.c | 92 +++++++++++++++++++++++++++++------------------------ + 1 file changed, 50 insertions(+), 42 deletions(-) + +diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c +index 194660d..3cbb913 100644 +--- a/ext/mcrypt/mcrypt.c ++++ b/ext/mcrypt/mcrypt.c +@@ -681,6 +681,10 @@ PHP_FUNCTION(mcrypt_generic) + if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ + block_size = mcrypt_enc_get_block_size(pm->td); + data_size = (((data_len - 1) / block_size) + 1) * block_size; ++ if (data_size <= 0) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); ++ RETURN_FALSE; ++ } + data_s = emalloc(data_size + 1); + memset(data_s, 0, data_size); + memcpy(data_s, data, data_len); +@@ -726,6 +730,10 @@ PHP_FUNCTION(mdecrypt_generic) + if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ + block_size = mcrypt_enc_get_block_size(pm->td); + data_size = (((data_len - 1) / block_size) + 1) * block_size; ++ if (data_size <= 0) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); ++ RETURN_FALSE; ++ } + data_s = emalloc(data_size + 1); + memset(data_s, 0, data_size); + memcpy(data_s, data, data_len); + -- cgit