File php-CVE-2016-5769.patch of Package php7.5285
Index: php-7.0.7/ext/mcrypt/mcrypt.c
===================================================================
--- php-7.0.7.orig/ext/mcrypt/mcrypt.c 2016-05-25 15:14:12.000000000 +0200
+++ php-7.0.7/ext/mcrypt/mcrypt.c 2016-06-27 16:04:00.276188986 +0200
@@ -636,6 +636,10 @@ PHP_FUNCTION(mcrypt_generic)
/* Check blocksize */
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
+ if ((int)data_len - 1 <= 0 || data_len >= INT_MAX-block_size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_size = ((((int)data_len - 1) / block_size) + 1) * block_size;
data_str = zend_string_alloc(data_size, 0);
memset(ZSTR_VAL(data_str), 0, data_size);
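Review bot: The first half of the added condition, `(int)data_len - 1 <= 0`, is also true for data_len == 1, so a one-byte input in a block mode now returns FALSE with an "Integer overflow in data size" warning. The rounding on the following line would have produced exactly one block for that input. The same condition is added to mdecrypt_generic in the second hunk. Using `< 0` still rejects an empty or negative length without rejecting the one-byte case: `if ((int)data_len - 1 < 0 || data_len >= INT_MAX-block_size) {`. The declarations of data_len and block_size are outside the hunk, so whether the second comparison is signed or unsigned cannot be confirmed from here.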
@@ -682,6 +686,10 @@ PHP_FUNCTION(mdecrypt_generic)
/* Check blocksize */
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
+ if ((int)data_len - 1 <= 0 || data_len >= INT_MAX-block_size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_size = ((((int)data_len - 1) / block_size) + 1) * block_size;
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
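Review bot: The guard in mdecrypt_generic is a copy of the one in mcrypt_generic, and neither has a comment explaining why the bound is `INT_MAX-block_size`. A one-line comment above the check would record the reasoning, for example `/* rounding data_len up to a multiple of block_size, plus the +1 in emalloc, must stay below INT_MAX */`. Assuming block_size is positive, the bound does leave room for the `data_size + 1` allocation below. Moving the check into a small static helper used by both functions would keep the two copies from drifting apart. Both function bodies continue outside the hunks.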