Diffstat (limited to 'php-cve-2026-7568.patch')
| -rw-r--r-- | php-cve-2026-7568.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/php-cve-2026-7568.patch b/php-cve-2026-7568.patch
new file mode 100644
index 0000000..68c1de6
--- /dev/null
+++ b/php-cve-2026-7568.patch
@@ -0,0 +1,101 @@
+From e4fc187a011d91f26178f6dfbccdb07041b99153 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tim=20D=C3=BCsterhus?= <tim@tideways-gmbh.com>
+Date: Sun, 3 May 2026 20:02:57 +0200
+Subject: [PATCH 06/10] GHSA-96wq-48vp-hh57: [metaphone] Fix signed integer
+ overflow of char array offset
+
+Fixes GHSA-96wq-48vp-hh57
+Fixes CVE-2026-7568
+
+(cherry picked from commit 47def8ce1db1fdbffcfc1f5bb11877a0e22d4b32)
+---
+ ext/standard/metaphone.c | 6 +++---
+ ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 22 +++++++++++++++++++++
+ 2 files changed, 25 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+
+diff --git a/ext/standard/metaphone.c b/ext/standard/metaphone.c
+index 2ba7a839c88..7affde44de1 100644
+--- a/ext/standard/metaphone.c
++++ b/ext/standard/metaphone.c
+@@ -117,10 +117,10 @@ static const char _codes[26] =
+
+ /* Allows us to safely look ahead an arbitrary # of letters */
+ /* I probably could have just used strlen... */
+-static char Lookahead(char *word, int how_far)
++static char Lookahead(char *word, size_t how_far)
+ {
+ char letter_ahead = '\0'; /* null by default */
+- int idx;
++ size_t idx;
+ for (idx = 0; word[idx] != '\0' && idx < how_far; idx++);
+ /* Edge forward in the string... */
+
+@@ -161,7 +161,7 @@ static char Lookahead(char *word, int how_far)
+ /* {{{ metaphone */
+ static void metaphone(unsigned char *word, size_t word_len, zend_long max_phonemes, zend_string **phoned_word, int traditional)
+ {
+- int w_idx = 0; /* point in the phonization we're at. */
++ size_t w_idx = 0; /* point in the phonization we're at. */
+ size_t p_idx = 0; /* end of the phoned phrase */
+ size_t max_buffer_len = 0; /* maximum length of the destination buffer */
+ ZEND_ASSERT(word != NULL);
+diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+new file mode 100644
+index 00000000000..79c6b656733
+--- /dev/null
++++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+@@ -0,0 +1,22 @@
++--TEST--
++GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
++--CREDITS--
++012git012
++--INI--
++memory_limit=3G
++--SKIPIF--
++<?php
++if (!getenv('RUN_RESOURCE_HEAVY_TESTS')) die('skip resource-heavy test');
++if (getenv('SKIP_SLOW_TESTS')) die('skip slow test');
++if (PHP_INT_SIZE != 8) echo 'skip 64-bit only';
++?>
++--FILE--
++<?php
++
++$str = str_repeat('0', 2 * (1024 ** 3) - 2) . 'AE';
++metaphone($str, 1);
++
++?>
++===DONE===
++--EXPECT--
++===DONE===
+--
+2.54.0
+
+From 101e93900888ef43d42ec0e33866bca3824f51a8 Mon Sep 17 00:00:00 2001
+From: Ilija Tovilo <ilija.tovilo@me.com>
+Date: Wed, 6 May 2026 16:33:44 +0200
+Subject: [PATCH 09/10] [skip ci] Adjust credits for GHSA-96wq-48vp-hh57.phpt
+
+As requested by the reporter.
+
+(cherry picked from commit fee84dd8c7699e4e7f9b2e864a393ee5a372f974)
+---
+ ext/standard/tests/GHSA-96wq-48vp-hh57.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+index 79c6b656733..cf9a40062f8 100644
+--- a/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
++++ b/ext/standard/tests/GHSA-96wq-48vp-hh57.phpt
+@@ -1,7 +1,7 @@
+ --TEST--
+ GHSA-96wq-48vp-hh57: signed integer overflow of char array offset
+ --CREDITS--
+-012git012
++Aleksey Solovev (Positive Technologies)
+ --INI--
+ memory_limit=3G
+ --SKIPIF--
+--
+2.54.0
+ |
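Review bot: The regression test carried in this patch will not run in an ordinary package build, because its SKIPIF section exits unless `RUN_RESOURCE_HEAVY_TESTS` is set and the test needs `memory_limit=3G` on a 64-bit host, so nothing in the build confirms that the backported `size_t` change closes CVE-2026-7568 on this branch. It is worth running `GHSA-96wq-48vp-hh57.phpt` once by hand with that variable set on a 64-bit builder and recording the result alongside the patch. The metaphone() hunk changes only the declaration of `w_idx` and the function body continues outside the hunk; any remaining comparison or arithmetic there that mixes `w_idx` with a signed `int` should be checked on the backport target, since a cherry-pick may land on code that differs from upstream. A short comment above `Lookahead`, such as `/* how_far and idx are size_t so offsets beyond INT_MAX cannot wrap negative */`, would record why the types changed.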
