File php-CVE-2016-5769.patch of Package php5.openSUSE_Leap_42.1_Update
Index: php-5.6.1/ext/mcrypt/mcrypt.c
===================================================================
--- php-5.6.1.orig/ext/mcrypt/mcrypt.c 2016-06-27 16:25:27.029316365 +0200
+++ php-5.6.1/ext/mcrypt/mcrypt.c 2016-06-27 16:31:30.631331685 +0200
@@ -635,6 +635,10 @@ PHP_FUNCTION(mcrypt_generic)
/* Check blocksize */
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
+ if (data_len - 1 <= 0 || data_len >= INT_MAX-block_size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_size = (((data_len - 1) / block_size) + 1) * block_size;
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
@@ -680,6 +684,10 @@ PHP_FUNCTION(mdecrypt_generic)
/* Check blocksize */
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
+ if (data_len - 1 <= 0 || data_len >= INT_MAX-block_size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_size = (((data_len - 1) / block_size) + 1) * block_size;
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);