Port for for bug #68552

2 files changed, 9 insertions, 4 deletions

diff --git a/NEWS b/NEWS
index 5c22cd85fc..b8c85b2037 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,13 @@ PHP                                                                        NEWS
     buffer overflow). (Stas)
   . Fixed bug #67827 (broken detection of system crypt sha256/sha512 support).
     (ncopa at alpinelinux dot org)  
+  . Fixed bug #68942 (Use after free vulnerability in unserialize() with
+    DateTimeZone). (Stas)
   
+- Enchant: 
+  . Fixed bug #6855 (heap buffer overflow in enchant_broker_request_dict()).
+    (Antony)
+
 - SOAP:
   . Fixed bug #67427 (SoapServer cannot handle large messages)
     (brandt at docoloc dot de)
diff --git a/ext/enchant/enchant.c b/ext/enchant/enchant.c
index 6de2feac80..0eb8144f76 100644
--- a/ext/enchant/enchant.c
+++ b/ext/enchant/enchant.c
@@ -550,13 +550,12 @@ PHP_FUNCTION(enchant_broker_request_dict)
 
 	d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
 	if (d) {
+		pos = pbroker->dictcnt++;
 		if (pbroker->dictcnt) {
 			pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
-			pos = pbroker->dictcnt++;
 		} else {
 			pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
 			pos = 0;
-			pbroker->dictcnt++;
 		}
 
 		dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
@@ -607,14 +606,14 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict)
 
 	d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
 	if (d) {
+		pos = pbroker->dictcnt++;
 		if (pbroker->dictcnt) {
-			pos = pbroker->dictcnt++;
 			pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
 		} else {
 			pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
 			pos = 0;
-			pbroker->dictcnt++;
 		}
+
 		dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
 		dict->id = pos;
 		dict->pbroker = pbroker;