Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4

author: Xinchen Hui <laruence@php.net> 2015-03-25 13:05:08 +0800
committer: Xinchen Hui <laruence@php.net> 2015-03-25 13:05:08 +0800
commit: fe0ca2745f00940a27bfc8e87db534541a19af70 (patch)
tree: 9f6ecb6d7dd517f46f71bfc12cdeebd17f8fc904 /ext/ereg/regex/regcomp.c
parent: ef2db26c60537e84b502608ff404263d5f4dc5d2 (diff)
parent: 968fbc6acf0bc27be17c0209be7f966e89a55943 (diff)
download: php-git-fe0ca2745f00940a27bfc8e87db534541a19af70.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/ext/ereg/regex/regcomp.c b/ext/ereg/regex/regcomp.c
index 156eee9329..f4bfc1c167 100644
--- a/ext/ereg/regex/regcomp.c
+++ b/ext/ereg/regex/regcomp.c
@@ -117,7 +117,15 @@ int cflags;
 							(NC-1)*sizeof(cat_t));
 	if (g == NULL)
 		return(REG_ESPACE);
-	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
+	{
+		/* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */
+		size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
+		if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) {
+			free((char *) g);
+			return REG_INVARG;
+		}
+		p->ssize = new_ssize;
+	}
 	p->strip = (sop *)malloc(p->ssize * sizeof(sop));
 	p->slen = 0;
 	if (p->strip == NULL) {
author	Xinchen Hui <laruence@php.net>	2015-03-25 13:05:08 +0800
committer	Xinchen Hui <laruence@php.net>	2015-03-25 13:05:08 +0800
commit	fe0ca2745f00940a27bfc8e87db534541a19af70 (patch)
tree	9f6ecb6d7dd517f46f71bfc12cdeebd17f8fc904 /ext/ereg/regex/regcomp.c
parent	ef2db26c60537e84b502608ff404263d5f4dc5d2 (diff)
parent	968fbc6acf0bc27be17c0209be7f966e89a55943 (diff)
download	php-git-fe0ca2745f00940a27bfc8e87db534541a19af70.tar.gz