diff options
Diffstat (limited to 'bug72837.patch')
-rw-r--r-- | bug72837.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/bug72837.patch b/bug72837.patch new file mode 100644 index 0000000..2dfe6f4 --- /dev/null +++ b/bug72837.patch @@ -0,0 +1,45 @@ +Backported from 5.6.25 by Remi. + +From 69236ea9793b76b778c6cd64748cfee817521118 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 15 Aug 2016 23:17:26 -0700 +Subject: [PATCH] Fix bug #72837 - integer overflow in bzdecompress caused heap + corruption + +--- + ext/bz2/bz2.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c +index 54b59f7..79ec3ec 100644 +--- a/ext/bz2/bz2.c ++++ b/ext/bz2/bz2.c +@@ -573,15 +573,25 @@ static PHP_FUNCTION(bzdecompress) + /* compression is better then 2:1, need to allocate more memory */ + bzs.avail_out = source_len; + size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32; ++ if (size > INT_MAX) { ++ /* no reason to continue if we're going to drop it anyway */ ++ break; ++ } + dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size ); + bzs.next_out = dest + size; + } + + if (error == BZ_STREAM_END || error == BZ_OK) { + size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32; +- dest = safe_erealloc(dest, 1, (size_t) size, 1); +- dest[size] = '\0'; +- RETVAL_STRINGL(dest, (int) size, 0); ++ if (size > INT_MAX) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX); ++ efree(dest); ++ RETVAL_LONG(BZ_MEM_ERROR); ++ } else { ++ dest = safe_erealloc(dest, 1, (size_t) size, 1); ++ dest[size] = '\0'; ++ RETVAL_STRINGL(dest, (int) size, 0); ++ } + } else { /* real error */ + efree(dest); + RETVAL_LONG(error); |