Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4: Fix bug #69248 - heap overflow vulnerability in regcomp.c add test for bug #68976
author: Stanislav Malyshev <stas@php.net> 2015-03-17 17:07:38 -0700
committer: Stanislav Malyshev <stas@php.net> 2015-03-17 17:10:05 -0700
commit: bf2f03ddb3be0fb54dfbe0234dc56ef37bcb01c3 (patch)
tree: cb897eff74f5e2f56049c0a9f16323fa811a124e /ext/ereg
parent: 6264f81a21f7f107f948a299d97081f7dfe0871e (diff)
parent: fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282 (diff)
download: php-git-bf2f03ddb3be0fb54dfbe0234dc56ef37bcb01c3.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/ext/ereg/regex/regcomp.c b/ext/ereg/regex/regcomp.c
index 156eee9329..f4bfc1c167 100644
--- a/ext/ereg/regex/regcomp.c
+++ b/ext/ereg/regex/regcomp.c
@@ -117,7 +117,15 @@ int cflags;
 							(NC-1)*sizeof(cat_t));
 	if (g == NULL)
 		return(REG_ESPACE);
-	p->ssize = len/(size_t)2*(size_t)3 + (size_t)1;	/* ugh */
+	{
+		/* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */
+		size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
+		if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) {
+			free((char *) g);
+			return REG_INVARG;
+		}
+		p->ssize = new_ssize;
+	}
 	p->strip = (sop *)malloc(p->ssize * sizeof(sop));
 	p->slen = 0;
 	if (p->strip == NULL) {
author	Stanislav Malyshev <stas@php.net>	2015-03-17 17:07:38 -0700
committer	Stanislav Malyshev <stas@php.net>	2015-03-17 17:10:05 -0700
commit	bf2f03ddb3be0fb54dfbe0234dc56ef37bcb01c3 (patch)
tree	cb897eff74f5e2f56049c0a9f16323fa811a124e /ext/ereg
parent	6264f81a21f7f107f948a299d97081f7dfe0871e (diff)
parent	fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282 (diff)
download	php-git-bf2f03ddb3be0fb54dfbe0234dc56ef37bcb01c3.tar.gz