diff options
Diffstat (limited to 'bug72838.patch')
-rw-r--r-- | bug72838.patch | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/bug72838.patch b/bug72838.patch new file mode 100644 index 0000000..76e8386 --- /dev/null +++ b/bug72838.patch @@ -0,0 +1,28 @@ +Backported from 5.6.25 by Remi. + +From 6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 15 Aug 2016 23:43:59 -0700 +Subject: [PATCH] Fix bug #72838 - Integer overflow lead to heap + corruption in sql_regcase + +--- + ext/ereg/ereg.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c +index 5d38d04..8eb833a 100644 +--- a/ext/ereg/ereg.c ++++ b/ext/ereg/ereg.c +@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase) + + for (i = j = 0; i < string_len; i++) { + c = (unsigned char) string[i]; ++ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX); ++ efree(tmp); ++ RETURN_FALSE; ++ } + if (isalpha(c)) { + tmp[j++] = '['; + tmp[j++] = toupper(c); |