File php-CVE-2016-7134.patch of Package php5.openSUSE_Leap_42.1_Update
From 72dbb7f416160f490c4e9987040989a10ad431c7 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Wed, 3 Aug 2016 00:58:55 -0700
Subject: [PATCH] Fix bug #72674 - check both curl_escape and curl_unescape
---
ext/curl/interface.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
Index: php-5.6.1/ext/curl/interface.c
===================================================================
--- php-5.6.1.orig/ext/curl/interface.c 2014-10-01 11:17:38.000000000 +0200
+++ php-5.6.1/ext/curl/interface.c 2016-09-06 12:48:39.015449861 +0200
@@ -3457,6 +3457,8 @@ PHP_FUNCTION(curl_reset)
/* }}} */
#endif
+#define ZEND_SIZE_T_INT_OVFL(size) UNEXPECTED((size) > (size_t)INT_MAX)
+
#if LIBCURL_VERSION_NUM > 0x070f03 /* 7.15.4 */
/* {{{ proto void curl_escape(resource ch, string str)
URL encodes the given string */
@@ -3473,6 +3475,10 @@ PHP_FUNCTION(curl_escape)
ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
+ if (ZEND_SIZE_T_INT_OVFL(str_len)) {
+ RETURN_FALSE;
+ }
+
if ((res = curl_easy_escape(ch->cp, str, str_len))) {
RETVAL_STRING(res, 1);
curl_free(res);
@@ -3497,6 +3503,10 @@ PHP_FUNCTION(curl_unescape)
ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
+ if (ZEND_SIZE_T_INT_OVFL(str_len)) {
+ RETURN_FALSE;
+ }
+
if ((out = curl_easy_unescape(ch->cp, str, str_len, &out_len))) {
RETVAL_STRINGL(out, out_len, 1);
curl_free(out);