File php-CVE-2015-4024.patch of Package php5.14673

-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=main%2Frfc1867.c;h=9e2fbd52ebc79ee0ea895146c58fd49e9376b9c3;hp=fab199b543aa81534728ed31598aabe76fd463f0;hb=4605d536d23b00813d11cc906bb48d39bdcf5f25;hpb=c27f012b7a447e59d4a704688971cbfa7dddaa74

Index: main/rfc1867.c
===================================================================
--- main/rfc1867.c.orig	2015-05-21 12:31:30.722080741 +0200
+++ main/rfc1867.c	2015-05-21 12:31:30.962084153 +0200
@@ -33,6 +33,7 @@
 #include "php_variables.h"
 #include "rfc1867.h"
 #include "ext/standard/php_string.h"
+#include "ext/standard/php_smart_str.h"
 
 #define DEBUG_FILE_UPLOAD ZEND_DEBUG
 
@@ -398,8 +399,9 @@
 static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC)
 {
 	char *line;
-	mime_header_entry prev_entry = {0}, entry;
-	int prev_len, cur_len;
+	mime_header_entry entry = {0};
+	smart_str buf_value = {0};
+	char *key = NULL;
 
 	/* didn't find boundary, abort */
 	if (!find_boundary(self, self->boundary TSRMLS_CC)) {
@@ -411,11 +413,10 @@
 	while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' )
 	{
 		/* add header to table */
-		char *key = line;
 		char *value = NULL;
 
 		if (php_rfc1867_encoding_translation(TSRMLS_C)) {
-			self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
+			self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
 		}
 
 		/* space in the beginning means same header */
@@ -424,31 +425,33 @@
 		}
 
 		if (value) {
-			*value = 0;
-			do { value++; } while(isspace(*value));
-
-			entry.value = estrdup(value);
-			entry.key = estrdup(key);
-
-		} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
-
-			prev_len = strlen(prev_entry.value);
-			cur_len = strlen(line);
+			if(buf_value.c && key) {
+				/* new entry, add the old one to the list */
+				smart_str_0(&buf_value);
+				entry.key = key;
+				entry.value = buf_value.c;
+				zend_llist_add_element(header, &entry);
+				buf_value.c = NULL;
+				key = NULL;
+			}
 
-			entry.value = emalloc(prev_len + cur_len + 1);
-			memcpy(entry.value, prev_entry.value, prev_len);
-			memcpy(entry.value + prev_len, line, cur_len);
-			entry.value[cur_len + prev_len] = '\0';
-
-			entry.key = estrdup(prev_entry.key);
+			*value = '\0';
+			do { value++; } while(isspace(*value));
 
-			zend_llist_remove_tail(header);
+			key = estrdup(line);
+			smart_str_appends(&buf_value, value);
+		} else if (buf_value.c) { /* If no ':' on the line, add to previous line */
+			smart_str_appends(&buf_value, line);
 		} else {
 			continue;
 		}
-
+	}
+	if(buf_value.c && key) {
+		/* add the last one to the list */
+		smart_str_0(&buf_value);
+		entry.key = key;
+		entry.value = buf_value.c;
 		zend_llist_add_element(header, &entry);
-		prev_entry = entry;
 	}
 
 	return 1;