diff options
| author | Stanislav Malyshev <stas@php.net> | 2016-06-21 00:27:01 -0700 |
|---|---|---|
| committer | Stanislav Malyshev <stas@php.net> | 2016-06-21 00:27:01 -0700 |
| commit | 3e0397c25cd140b916a7fce8b495d5c589a710b4 (patch) | |
| tree | f862f951b98811649b28ae8ff6d610bc7117967b /ext/mcrypt | |
| parent | 89533083aef2e905e44822db227e1d0cd14952e7 (diff) | |
| parent | 8705254f2d4f73e22f150bc501fa534e7742754b (diff) | |
| download | php-git-3e0397c25cd140b916a7fce8b495d5c589a710b4.tar.gz | |
Merge branch 'PHP-7.0'
* PHP-7.0:
iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
update NEWS
fix tests
fix build
Fix bug #72455: Heap Overflow due to integer overflows
Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
Fix bug #72298 pass2_no_dither out-of-bounds access
Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
Fix bug #72262 - do not overflow int
Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
Fix bug #72275: don't allow smart_str to overflow int
Fix bug #72340: Double Free Courruption in wddx_deserialize
Fix bug #72321 - use efree() for emalloc allocation
5.6.23RC1
fix NEWS
set versions
Diffstat (limited to 'ext/mcrypt')
| -rw-r--r-- | ext/mcrypt/mcrypt.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c index 073bfec775..fb5c638c97 100644 --- a/ext/mcrypt/mcrypt.c +++ b/ext/mcrypt/mcrypt.c @@ -637,6 +637,10 @@ PHP_FUNCTION(mcrypt_generic) if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ block_size = mcrypt_enc_get_block_size(pm->td); data_size = ((((int)data_len - 1) / block_size) + 1) * block_size; + if (data_size <= 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); + RETURN_FALSE; + } data_str = zend_string_alloc(data_size, 0); memset(ZSTR_VAL(data_str), 0, data_size); memcpy(ZSTR_VAL(data_str), data, data_len); @@ -683,7 +687,11 @@ PHP_FUNCTION(mdecrypt_generic) if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ block_size = mcrypt_enc_get_block_size(pm->td); data_size = ((((int)data_len - 1) / block_size) + 1) * block_size; - data_s = emalloc(data_size + 1); + if (data_size <= 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); + RETURN_FALSE; + } + data_s = emalloc((size_t)data_size + 1); memset(data_s, 0, data_size); memcpy(data_s, data, data_len); } else { /* It's not a block algorithm */ |