1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
From a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 13 May 2020 09:03:49 +0200
Subject: [PATCH] Backports from 7.2.31
Fix #78875: Long filenames cause OOM and temp files are not cleaned
(from 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)
Fix #78876: Long variables cause OOM and temp files are not cleaned
(from 3c8582ca4b8e84e5647220b647914876d2c3b124)
---
NEWS | 8 ++++++++
main/rfc1867.c | 9 +++++----
2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 281b52fe76..b53c9e28cb 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,14 @@
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+Backported from 7.2.31
+
+- Core:
+ . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
+ (CVE-2019-11048) (cmb)
+ . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
+ files are not cleaned). (CVE-2019-11048) (cmb)
+
Backported from 7.2.30
- Standard:
diff --git a/main/rfc1867.c b/main/rfc1867.c
index 0ddf0ed8f0..fb3035072a 100644
--- a/main/rfc1867.c
+++ b/main/rfc1867.c
@@ -609,9 +609,9 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
}
/* read until a boundary condition */
-static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
+static unsigned int multipart_buffer_read(multipart_buffer *self, char *buf, unsigned int bytes, int *end TSRMLS_DC)
{
- int len, max;
+ unsigned int len, max;
char *bound;
/* fill buffer if needed */
@@ -658,7 +658,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i
static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC)
{
char buf[FILLUNIT], *out=NULL;
- int total_bytes=0, read_bytes=0;
+ unsigned int total_bytes=0, read_bytes=0;
while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
out = erealloc(out, total_bytes + read_bytes + 1);
@@ -684,7 +684,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
{
char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
+ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
+ unsigned int array_len = 0;
int64_t total_bytes = 0, max_file_size = 0;
int skip_upload = 0, anonindex = 0, is_anonymous;
zval *http_post_files = NULL;
|
