diff options
Diffstat (limited to 'bug72836.patch')
-rw-r--r-- | bug72836.patch | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/bug72836.patch b/bug72836.patch new file mode 100644 index 0000000..ad6b486 --- /dev/null +++ b/bug72836.patch @@ -0,0 +1,56 @@ +Backported from 5.6.25 by Remi. + +From f973877a2f8d58b857f0f02b8a88a2ee05a1cbb0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 14 Aug 2016 23:13:30 -0700 +Subject: [PATCH] Fix bug #72836 - integer overflow in base64_decode caused + heap corruption + +--- + ext/standard/base64.c | 5 + + sapi/cli/generate_mime_type_map.php | 76 +++++++ + sapi/fpm/www.conf.in | 413 ++++++++++++++++++++++++++++++++++++ + 3 files changed, 494 insertions(+) + create mode 100644 sapi/cli/generate_mime_type_map.php + create mode 100644 sapi/fpm/www.conf.in + +diff --git a/ext/standard/base64.c b/ext/standard/base64.c +index a40b866..8340ed1 100644 +--- a/ext/standard/base64.c ++++ b/ext/standard/base64.c +@@ -66,6 +66,11 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in + return NULL; + } + ++ if (((size_t)length + 2) / 3 > INT_MAX/4 ) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4); ++ return NULL; ++ } ++ + result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1); + p = result; + + +From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Tue, 16 Aug 2016 16:34:35 -0700 +Subject: [PATCH] Fix TSRM build + +--- + ext/standard/base64.c | 1 + + ext/standard/url.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/ext/standard/base64.c b/ext/standard/base64.c +index 8340ed1..b30a5b7 100644 +--- a/ext/standard/base64.c ++++ b/ext/standard/base64.c +@@ -67,6 +67,7 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in + } + + if (((size_t)length + 2) / 3 > INT_MAX/4 ) { ++ TSRMLS_FETCH(); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4); + return NULL; + } + |