File php-CVE-2015-4024.patch of Package php5.openSUSE_Leap_42.1_Update
-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=main%2Frfc1867.c;h=9e2fbd52ebc79ee0ea895146c58fd49e9376b9c3;hp=fab199b543aa81534728ed31598aabe76fd463f0;hb=4605d536d23b00813d11cc906bb48d39bdcf5f25;hpb=c27f012b7a447e59d4a704688971cbfa7dddaa74
Index: main/rfc1867.c
===================================================================
--- main/rfc1867.c.orig 2015-05-21 12:31:30.722080741 +0200
+++ main/rfc1867.c 2015-05-21 12:31:30.962084153 +0200
@@ -33,6 +33,7 @@
#include "php_variables.h"
#include "rfc1867.h"
#include "ext/standard/php_string.h"
+#include "ext/standard/php_smart_str.h"
#define DEBUG_FILE_UPLOAD ZEND_DEBUG
@@ -398,8 +399,9 @@
static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC)
{
char *line;
- mime_header_entry prev_entry = {0}, entry;
- int prev_len, cur_len;
+ mime_header_entry entry = {0};
+ smart_str buf_value = {0};
+ char *key = NULL;
/* didn't find boundary, abort */
if (!find_boundary(self, self->boundary TSRMLS_CC)) {
@@ -411,11 +413,10 @@
while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' )
{
/* add header to table */
- char *key = line;
char *value = NULL;
if (php_rfc1867_encoding_translation(TSRMLS_C)) {
- self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
+ self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
}
/* space in the beginning means same header */
@@ -424,31 +425,33 @@
}
if (value) {
- *value = 0;
- do { value++; } while(isspace(*value));
-
- entry.value = estrdup(value);
- entry.key = estrdup(key);
-
- } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
-
- prev_len = strlen(prev_entry.value);
- cur_len = strlen(line);
+ if(buf_value.c && key) {
+ /* new entry, add the old one to the list */
+ smart_str_0(&buf_value);
+ entry.key = key;
+ entry.value = buf_value.c;
+ zend_llist_add_element(header, &entry);
+ buf_value.c = NULL;
+ key = NULL;
+ }
- entry.value = emalloc(prev_len + cur_len + 1);
- memcpy(entry.value, prev_entry.value, prev_len);
- memcpy(entry.value + prev_len, line, cur_len);
- entry.value[cur_len + prev_len] = '\0';
-
- entry.key = estrdup(prev_entry.key);
+ *value = '\0';
+ do { value++; } while(isspace(*value));
- zend_llist_remove_tail(header);
+ key = estrdup(line);
+ smart_str_appends(&buf_value, value);
+ } else if (buf_value.c) { /* If no ':' on the line, add to previous line */
+ smart_str_appends(&buf_value, line);
} else {
continue;
}
-
+ }
+ if(buf_value.c && key) {
+ /* add the last one to the list */
+ smart_str_0(&buf_value);
+ entry.key = key;
+ entry.value = buf_value.c;
zend_llist_add_element(header, &entry);
- prev_entry = entry;
}
return 1;