File php-CVE-2016-5769.patch of Package php5.11538

Index: php-5.6.1/ext/mcrypt/mcrypt.c
===================================================================
--- php-5.6.1.orig/ext/mcrypt/mcrypt.c	2016-06-27 16:25:27.029316365 +0200
+++ php-5.6.1/ext/mcrypt/mcrypt.c	2016-06-27 16:31:30.631331685 +0200
@@ -635,6 +635,10 @@ PHP_FUNCTION(mcrypt_generic)
 	/* Check blocksize */
 	if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
 		block_size = mcrypt_enc_get_block_size(pm->td);
+		if (data_len - 1 <= 0 || data_len >= INT_MAX-block_size) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+			RETURN_FALSE;
+		}
 		data_size = (((data_len - 1) / block_size) + 1) * block_size;
 		data_s = emalloc(data_size + 1);
 		memset(data_s, 0, data_size);
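Review bot: The added guard `data_len - 1 <= 0` is also true for `data_len == 1`, so a one-byte input to a block-mode cipher is now rejected with "Integer overflow in data size", even though the rounded size is just `block_size` in that case and cannot overflow. If the intent is only to reject non-positive lengths, the condition would be `if (data_len <= 0 || data_len >= INT_MAX - block_size) {`; the identical guard in the mdecrypt_generic hunk needs the same change. The bound also assumes `block_size` is positive: nothing in the hunk checks the return value of `mcrypt_enc_get_block_size()`, and a zero would divide by zero on the following line, so that is worth confirming. Both function bodies start and end outside the hunks.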
@@ -680,6 +684,10 @@ PHP_FUNCTION(mdecrypt_generic)
 	/* Check blocksize */
 	if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
 		block_size = mcrypt_enc_get_block_size(pm->td);
+                if (data_len - 1 <= 0 || data_len >= INT_MAX-block_size) {
+                        php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+                        RETURN_FALSE;
+                }
 		data_size = (((data_len - 1) / block_size) + 1) * block_size;
 		data_s = emalloc(data_size + 1);
 		memset(data_s, 0, data_size);
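Review bot: The four added lines in this hunk are indented with spaces, while the surrounding context lines and the matching guard in the mcrypt_generic hunk use tabs; re-indent them with tabs so the file stays consistent. A short comment above the guard, such as `/* reject lengths whose block-rounded size would not fit in an int */`, would record why the bound is `INT_MAX-block_size`.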