summaryrefslogtreecommitdiffstats
path: root/bug72807.patch
diff options
context:
space:
mode:
Diffstat (limited to 'bug72807.patch')
-rw-r--r--bug72807.patch60
1 files changed, 60 insertions, 0 deletions
diff --git a/bug72807.patch b/bug72807.patch
new file mode 100644
index 0000000..6350b7f
--- /dev/null
+++ b/bug72807.patch
@@ -0,0 +1,60 @@
+Backported from 5.6.25 by Remi.
+
+From 791a98eb1c66d2340b4e897ab60e4a6700435b5b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 11 Aug 2016 23:36:25 -0700
+Subject: [PATCH] Fix for bug #72807 - do not produce strings with negative
+ length
+
+---
+ Zend/zend_API.h | 7 +++++--
+ ext/curl/interface.c | 4 ++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/Zend/zend_API.h b/Zend/zend_API.h
+index a56075e..e17be4c 100644
+--- a/Zend/zend_API.h
++++ b/Zend/zend_API.h
+@@ -444,7 +444,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
+ #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
+ #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
+ #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
+-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
++#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
+
+
+ ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
+@@ -455,7 +455,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
+
+ /** Build zend_call_info/cache from a zval*
+ *
+- * Caller is responsible to provide a return value, otherwise the we will crash.
++ * Caller is responsible to provide a return value, otherwise the we will crash.
+ * fci->retval_ptr_ptr = NULL;
+ * In order to pass parameters the following members need to be set:
+ * fci->param_count = 0;
+@@ -575,6 +575,9 @@ END_EXTERN_C()
+ const char *__s=(s); \
+ zval *__z = (z); \
+ Z_STRLEN_P(__z) = strlen(__s); \
++ if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
++ zend_error(E_ERROR, "String size overflow"); \
++ } \
+ Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
+ Z_TYPE_P(__z) = IS_STRING; \
+ } while (0)
+diff --git a/ext/curl/interface.c b/ext/curl/interface.c
+index c7112a0..062f996 100644
+--- a/ext/curl/interface.c
++++ b/ext/curl/interface.c
+@@ -3506,6 +3506,10 @@ PHP_FUNCTION(curl_escape)
+ ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
+
+ if ((res = curl_easy_escape(ch->cp, str, str_len))) {
++ if (strlen(res) > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
++ RETURN_FALSE;
++ }
+ RETVAL_STRING(res, 1);
+ curl_free(res);
+ } else {