diff options
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | main/rfc1867.c | 5 |
2 files changed, 5 insertions, 2 deletions
@@ -3,6 +3,8 @@ PHP NEWS 14 May 2020, PHP 7.3.18 - Core: + . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned). + (CVE-2019-11048) (cmb) . Fixed bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant). (Nikita) . Fixed bug #79477 (casting object into array creates references). (Nikita) diff --git a/main/rfc1867.c b/main/rfc1867.c index 8a8e335ef4..617a94d0ef 100644 --- a/main/rfc1867.c +++ b/main/rfc1867.c @@ -690,7 +690,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; char *lbuf = NULL, *abuf = NULL; zend_string *temp_filename = NULL; - int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; + int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0; + size_t array_len = 0; int64_t total_bytes = 0, max_file_size = 0; int skip_upload = 0, anonindex = 0, is_anonymous; HashTable *uploaded_files = NULL; @@ -1124,7 +1125,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ is_arr_upload = (start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']'); if (is_arr_upload) { - array_len = (int)strlen(start_arr); + array_len = strlen(start_arr); if (array_index) { efree(array_index); } |