From 96f0db9b53d1d623da2c16fc4c20ac81344fcaf0 Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 12 May 2020 09:39:44 +0200 Subject: Core: Fix #78875 Long filenames cause OOM and temp files are not cleaned CVE-2019-11048 Fix #78876 Long variables in multipart/form-data cause OOM and temp files are not cleaned --- php-bug78875.patch | 38 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 php-bug78875.patch (limited to 'php-bug78875.patch') diff --git a/php-bug78875.patch b/php-bug78875.patch new file mode 100644 index 0000000..87bc103 --- /dev/null +++ b/php-bug78875.patch @@ -0,0 +1,38 @@ +From a8aca370e9ba4d9b402f1c6256653c683c4019a1 Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Wed, 18 Mar 2020 10:26:53 +0100 +Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not + cleaned + +We must not cast `size_t` to `int` (unless the `size_t` value is +guaranteed to be less than or equal to `INT_MAX`). In this case we can +declare `array_len` as `size_t` in the first place. + +(cherry picked from commit 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87) +--- + main/rfc1867.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/main/rfc1867.c b/main/rfc1867.c +index 5949802d6d..ee07ea557d 100644 +--- a/main/rfc1867.c ++++ b/main/rfc1867.c +@@ -690,7 +690,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; + char *lbuf = NULL, *abuf = NULL; + zend_string *temp_filename = NULL; +- int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; ++ int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0; ++ size_t array_len = 0; + int64_t total_bytes = 0, max_file_size = 0; + int skip_upload = 0, anonindex = 0, is_anonymous; + HashTable *uploaded_files = NULL; +@@ -1124,7 +1125,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ + is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']'); + + if (is_arr_upload) { +- array_len = (int)strlen(start_arr); ++ array_len = strlen(start_arr); + if (array_index) { + efree(array_index); + } -- cgit