File php-CVE-2016-7412.patch of Package php5.openSUSE_Leap_42.1_Update
From 28f80baf3c53e267c9ce46a2a0fadbb981585132 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 12 Sep 2016 20:25:08 -0700
Subject: [PATCH] Fix bug #72293 - Heap overflow in mysqlnd related to BIT
fields
---
ext/mysqlnd/mysqlnd_wireprotocol.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
Index: php-5.5.14/ext/mysqlnd/mysqlnd_wireprotocol.c
===================================================================
--- php-5.5.14.orig/ext/mysqlnd/mysqlnd_wireprotocol.c 2016-09-21 14:36:50.871559019 +0200
+++ php-5.5.14/ext/mysqlnd/mysqlnd_wireprotocol.c 2016-09-21 14:37:46.848440811 +0200
@@ -1585,6 +1585,7 @@ php_mysqlnd_rowp_read_text_protocol(MYSQ
zend_uchar * p = row_buffer->ptr;
size_t data_size = row_buffer->app;
zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
+ const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;
DBG_ENTER("php_mysqlnd_rowp_read_text_protocol");
@@ -1606,8 +1607,13 @@ php_mysqlnd_rowp_read_text_protocol(MYSQ
/* Don't reverse the order. It is significant!*/
zend_uchar *this_field_len_pos = p;
/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */
- unsigned long len = php_mysqlnd_net_field_length(&p);
+ const unsigned long len = php_mysqlnd_net_field_length(&p);
+ if (len != MYSQLND_NULL_LENGTH && ((p + len) > packet_end)) {
+ php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
+ " bytes after end of packet", (p + len) - packet_end - 1);
+ DBG_RETURN(FAIL);
+ }
if (current_field > start_field && last_field_was_string) {
/*
Normal queries: