summaryrefslogtreecommitdiffstats
path: root/php-bug78875.patch
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2020-05-12 09:39:44 +0200
committerRemi Collet <remi@remirepo.net>2020-05-12 09:39:44 +0200
commit96f0db9b53d1d623da2c16fc4c20ac81344fcaf0 (patch)
tree587fdd08549b2e2c541bb4c9b7b96ff560f3b12c /php-bug78875.patch
parent36ed7de241108565abe38ab34cbde52139f547e6 (diff)
Core:
Fix #78875 Long filenames cause OOM and temp files are not cleaned CVE-2019-11048 Fix #78876 Long variables in multipart/form-data cause OOM and temp files are not cleaned
Diffstat (limited to 'php-bug78875.patch')
-rw-r--r--php-bug78875.patch38
1 files changed, 38 insertions, 0 deletions
diff --git a/php-bug78875.patch b/php-bug78875.patch
new file mode 100644
index 0000000..87bc103
--- /dev/null
+++ b/php-bug78875.patch
@@ -0,0 +1,38 @@
+From a8aca370e9ba4d9b402f1c6256653c683c4019a1 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 18 Mar 2020 10:26:53 +0100
+Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not
+ cleaned
+
+We must not cast `size_t` to `int` (unless the `size_t` value is
+guaranteed to be less than or equal to `INT_MAX`). In this case we can
+declare `array_len` as `size_t` in the first place.
+
+(cherry picked from commit 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)
+---
+ main/rfc1867.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 5949802d6d..ee07ea557d 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -690,7 +690,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ char *lbuf = NULL, *abuf = NULL;
+ zend_string *temp_filename = NULL;
+- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++ size_t array_len = 0;
+ int64_t total_bytes = 0, max_file_size = 0;
+ int skip_upload = 0, anonindex = 0, is_anonymous;
+ HashTable *uploaded_files = NULL;
+@@ -1124,7 +1125,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
+
+ if (is_arr_upload) {
+- array_len = (int)strlen(start_arr);
++ array_len = strlen(start_arr);
+ if (array_index) {
+ efree(array_index);
+ }