author | Stanislav Malyshev <stas@php.net> | 2015-02-16 06:50:10 +0100 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2015-02-17 06:53:02 +0100 |
commit | bdfe457a2c1b47209e32783b3a6447e81baf179a (patch) | |
tree | c93f1d755649a2a8ac6294323103402676509bc5 | |
parent | 7b1898183032eeabc64a086ff040af991cebcd93 (diff) | |
download | php-git-bdfe457a2c1b47209e32783b3a6447e81baf179a.tar.gz |
Port for for bug #68552
-rw-r--r-- | NEWS | 6 | ||||
-rw-r--r-- | ext/enchant/enchant.c | 7 |
2 files changed, 9 insertions, 4 deletions
@@ -10,7 +10,13 @@ PHP NEWS
 buffer overflow). (Stas)
 . Fixed bug #67827 (broken detection of system crypt sha256/sha512 support). (ncopa at alpinelinux dot org)
+ . Fixed bug #68942 (Use after free vulnerability in unserialize() with
+ DateTimeZone). (Stas)
+- Enchant:
+ . Fixed bug #6855 (heap buffer overflow in enchant_broker_request_dict()).
+ (Antony)
+
 - SOAP:
 . Fixed bug #67427 (SoapServer cannot handle large messages) (brandt at docoloc dot de)
diff --git a/ext/enchant/enchant.c b/ext/enchant/enchant.c
index 6de2feac80..0eb8144f76 100644
--- a/ext/enchant/enchant.c
+++ b/ext/enchant/enchant.c
@@ -550,13 +550,12 @@ PHP_FUNCTION(enchant_broker_request_dict)
 d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
 if (d) {
+ pos = pbroker->dictcnt++;
 if (pbroker->dictcnt) {
 pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
- pos = pbroker->dictcnt++;
 } else {
 pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
 pos = 0;
- pbroker->dictcnt++;
 }
 dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
@@ -607,14 +606,14 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict)
 d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
 if (d) {
+ pos = pbroker->dictcnt++;
 if (pbroker->dictcnt) {
- pos = pbroker->dictcnt++;
 pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
 } else {
 pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
 pos = 0;
- pbroker->dictcnt++;
 }
+
 dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
 dict->id = pos;
 dict->pbroker = pbroker; |
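Review bot: With `pos = pbroker->dictcnt++;` now placed ahead of the test, `if (pbroker->dictcnt)` is true on every call, so the `else` branch (`emalloc` and `pos = 0`) in `enchant_broker_request_dict` is effectively dead; the second hunk leaves the same dead branch in `enchant_broker_request_pwl_dict`. The first dictionary is therefore allocated through `erealloc(pbroker->dict, ...)`, which is only safe if `pbroker->dict` is NULL when the broker is created; that initialisation is outside this diff and should be confirmed. I would drop the conditional in both functions and keep the single line `pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);`, preceded by `/* dictcnt was already incremented: the array must hold dictcnt entries before dict[pos] is written */`. Both function bodies start and end outside the hunks, so the declared type of `dictcnt` and the cleanup path are not visible here. Separately, the NEWS entry cites bug `#6855` while the commit title says `#68552`, which looks like a dropped digit and would make the security fix harder to find in the changelog.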