File php-CVE-2016-6296.patch of Package php7

X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fxmlrpc%2Flibxmlrpc%2Fsimplestring.h;h=7e88cd0ef04a10dd7ded47c21b09c37b5e9e0bed;hp=c5d98cf1d8e014b82a4bd192898b28fd3f01f1f6;hb=e6c48213c22ed50b2b987b479fcc1ac709394caa;hpb=d1a491acf31cf6d2ba65cc7c46fe963a510cd91f

Index: php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.h
===================================================================
--- php-7.0.7.orig/ext/xmlrpc/libxmlrpc/simplestring.h	2016-05-25 15:13:51.000000000 +0200
+++ php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.h	2016-08-03 15:39:05.247789304 +0200
@@ -63,7 +63,7 @@ void simplestring_init(simplestring* str
 void simplestring_clear(simplestring* string);
 void simplestring_free(simplestring* string);
 void simplestring_add(simplestring* string, const char* add);
-void simplestring_addn(simplestring* string, const char* add, int add_len);
+void simplestring_addn(simplestring* string, const char* add, size_t add_len);
 
 #ifdef __cplusplus
 }
Index: php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.c
===================================================================
--- php-7.0.7.orig/ext/xmlrpc/libxmlrpc/simplestring.c	2016-05-25 15:13:51.000000000 +0200
+++ php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.c	2016-08-03 15:41:19.517986375 +0200
@@ -79,6 +79,7 @@ static const char rcsid[] = "#(@) $Id$";
  ******/
 
 #include <stdlib.h>
+#include <stdint.h>
 #include <string.h>
 #include "simplestring.h"
 
@@ -190,18 +191,31 @@ void simplestring_free(simplestring* str
  *   simplestring_add ()
  * SOURCE
  */
-void simplestring_addn(simplestring* target, const char* source, int add_len) {
+void simplestring_addn(simplestring* target, const char* source, size_t add_len) {
+   size_t newsize = target->size, incr = 0;
    if(target && source) {
       if(!target->str) {
          simplestring_init_str(target);
       }
+
+      if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+    	  /* check for overflows, if there's a potential overflow do nothing */
+    	  return;
+      }
+
       if(target->len + add_len + 1 > target->size) {
          /* newsize is current length + new length */
-         int newsize = target->len + add_len + 1;
-         int incr = target->size * 2;
+         newsize = target->len + add_len + 1;
+         incr = target->size * 2;
 
          /* align to SIMPLESTRING_INCR increments */
-         newsize = newsize - (newsize % incr) + incr;
+         if (incr) {
+            newsize = newsize - (newsize % incr) + incr;
+         }
+         if(newsize < (target->len + add_len + 1)) {
+        	 /* some kind of overflow happened */
+        	 return;
+         }
          target->str = (char*)realloc(target->str, newsize);
 
          target->size = target->str ? newsize : 0;
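Review bot: The added declaration `size_t newsize = target->size, incr = 0;` dereferences `target` before the `if(target && source)` guard on the next line, so a NULL `target` now faults instead of being ignored, and the compiler may treat the guard as dead. Since `newsize` is always assigned before use inside the resize branch, `size_t newsize = 0, incr = 0;` is enough. The overflow guard also lets one case through: with `add_len == SIZE_MAX` and `target->len == 0` both comparisons are false because `SIZE_MAX - add_len - 1` wraps, and `target->len + add_len + 1` then wraps to 0, so the resize branch is skipped. `if(add_len > SIZE_MAX - 1 || target->len > SIZE_MAX - 1 - add_len) return;` covers it and replaces both comparisons. The case matters if any caller still passes a negative `int` length, which the new `size_t` parameter converts to a huge value; the callers and the rest of the function body are outside this hunk, so that needs checking there.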