File php-5.1.2-emalloc-overflows.patch of Package php

--- ext/iconv/iconv.c
+++ ext/iconv/iconv.c
@@ -965,7 +965,7 @@
 		goto out;
 	}
 
-	buf = emalloc(max_line_len + 5);
+	buf = safe_emalloc(1, max_line_len, 5);
 
 	char_cnt = max_line_len;
 
--- ext/mhash/mhash.c
+++ ext/mhash/mhash.c
@@ -229,7 +229,7 @@
 	keystruct.salt = salt;
 	keystruct.salt_size = salt_len;
 
-	ret = emalloc(bytes + 1);
+	ret = safe_emalloc(1, bytes, 1);
 
 	if (mhash_keygen_ext(KEYGEN_S2K_SALTED, keystruct, ret, bytes, password, password_len) >= 0) {
 		ret[bytes] = '\0';
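Review bot: `bytes` is still not range-checked before the new allocation line, so a zero or negative request is left to safe_emalloc() rather than refused by this function. Its declaration is outside the hunk, but if it is a signed length supplied by the script, a negative value converts to a huge size_t here, and `ret[bytes] = '\0'` relies entirely on the allocator having rejected it. I would add an explicit guard ahead of the allocation, a warning followed by something like `if (bytes <= 0) { RETURN_FALSE; }` (assuming this is a PHP_FUNCTION body), so a bad length is a handled error and not an allocator abort. The same applies to `to_read` in the ext/standard/streamsfuncs.c hunk and to `maxsize` in the first ext/sysvmsg/sysvmsg.c hunk, where the unchecked value is also passed on to the receive call. The enclosing function starts and ends outside the hunk.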
--- ext/standard/streamsfuncs.c
+++ ext/standard/streamsfuncs.c
@@ -357,7 +357,7 @@
 		RETURN_FALSE;
 	}
 	
-	read_buf = emalloc(to_read + 1);
+	read_buf = safe_emalloc(1, to_read, 1);
 	
 	recvd = php_stream_xport_recvfrom(stream, read_buf, to_read, flags, NULL, NULL,
 			zremote ? &Z_STRVAL_P(zremote) : NULL,
--- ext/standard/string.c
+++ ext/standard/string.c
@@ -3647,7 +3647,7 @@
 	/* in brief this inserts <br /> before matched regexp \n\r?|\r\n? */
 	zval	**zstr;
 	char	*tmp, *str;
-	int	new_length;
+	size_t	new_length;
 	char	*end, *target;
 	int	repl_cnt = 0;
 
@@ -3683,7 +3683,8 @@
 	}
 
 	new_length = Z_STRLEN_PP(zstr) + repl_cnt * (sizeof("<br />") - 1);
-	tmp = target = emalloc(new_length + 1);
+	tmp = target = safe_emalloc(repl_cnt, sizeof("<br />") - 1,
+			Z_STRLEN_PP(zstr) + 1);
 
 	str = Z_STRVAL_PP(zstr);
 
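Review bot: `new_length` on the line above the allocation is still computed with the original unchecked expression, so the size is now spelled twice and only the safe_emalloc() copy is overflow-checked. Any later use of `new_length` (outside this hunk) is valid only because safe_emalloc() presumably does not return when the sum overflows; a comment on that assignment such as `/* cannot wrap: safe_emalloc() below rejects an overflowing size */` would record the dependency. The offset argument `Z_STRLEN_PP(zstr) + 1` is also evaluated in the string length's own type before it is converted, so casting first, `(size_t) Z_STRLEN_PP(zstr) + 1`, keeps that addition out of signed arithmetic. Since the earlier hunk changes `new_length` to `size_t`, consumers after this hunk that expect an `int` length should be checked for narrowing.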
--- ext/sysvmsg/sysvmsg.c
+++ ext/sysvmsg/sysvmsg.c
@@ -312,7 +312,7 @@
 	
 	ZEND_FETCH_RESOURCE(mq, sysvmsg_queue_t *, &queue, -1, "sysvmsg queue", le_sysvmsg);
 
-	messagebuffer = (struct php_msgbuf *) emalloc(sizeof(struct php_msgbuf) + maxsize);
+	messagebuffer = (struct php_msgbuf *) safe_emalloc(maxsize, 1, sizeof(struct php_msgbuf));
 	
 	result = msgrcv(mq->id, messagebuffer, maxsize, desiredmsgtype, realflags);
 		
@@ -387,7 +387,7 @@
 		
 		/* NB: php_msgbuf is 1 char bigger than a long, so there is no need to
 		 * allocate the extra byte. */
-		messagebuffer = emalloc(sizeof(struct php_msgbuf) + msg_var.len);
+		messagebuffer = safe_emalloc(msg_var.len, 1, sizeof(struct php_msgbuf));
 		memcpy(messagebuffer->mtext, msg_var.c, msg_var.len + 1);
 		message_len = msg_var.len;
 		smart_str_free(&msg_var);
@@ -413,7 +413,7 @@
 				RETURN_FALSE;
 		}
 
-		messagebuffer = emalloc(sizeof(struct php_msgbuf) + message_len);
+		messagebuffer = safe_emalloc(message_len, 1, sizeof(struct php_msgbuf));
 		memcpy(messagebuffer->mtext, p, message_len + 1);
 
 		if (Z_TYPE_P(message) != IS_STRING) {
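Review bot: The allocation reserves `message_len` bytes beyond the struct while the `memcpy` on the next line copies `message_len + 1`, and unlike the previous hunk nothing at this site says why that is in bounds. The earlier site carries a comment that php_msgbuf already includes the extra byte; I would repeat it above this allocation, e.g. `/* php_msgbuf already holds one mtext byte, which covers the trailing NUL */`. The `(struct php_msgbuf *)` cast kept on the first sysvmsg.c allocation is dropped on these two, so one form should be used throughout the file. The enclosing block continues outside the hunk.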