File php-CVE-2016-6296.patch of Package php5.openSUSE_Leap_42.1_Update
X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fxmlrpc%2Flibxmlrpc%2Fsimplestring.h;h=7e88cd0ef04a10dd7ded47c21b09c37b5e9e0bed;hp=c5d98cf1d8e014b82a4bd192898b28fd3f01f1f6;hb=e6c48213c22ed50b2b987b479fcc1ac709394caa;hpb=d1a491acf31cf6d2ba65cc7c46fe963a510cd91f
Index: php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.h
===================================================================
--- php-7.0.7.orig/ext/xmlrpc/libxmlrpc/simplestring.h 2016-05-25 15:13:51.000000000 +0200
+++ php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.h 2016-08-03 15:39:05.247789304 +0200
@@ -63,7 +63,7 @@ void simplestring_init(simplestring* str
void simplestring_clear(simplestring* string);
void simplestring_free(simplestring* string);
void simplestring_add(simplestring* string, const char* add);
-void simplestring_addn(simplestring* string, const char* add, int add_len);
+void simplestring_addn(simplestring* string, const char* add, size_t add_len);
#ifdef __cplusplus
}
Index: php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.c
===================================================================
--- php-7.0.7.orig/ext/xmlrpc/libxmlrpc/simplestring.c 2016-05-25 15:13:51.000000000 +0200
+++ php-7.0.7/ext/xmlrpc/libxmlrpc/simplestring.c 2016-08-03 15:41:19.517986375 +0200
@@ -79,6 +79,7 @@ static const char rcsid[] = "#(@) $Id$";
******/
#include <stdlib.h>
+#include <stdint.h>
#include <string.h>
#include "simplestring.h"
@@ -190,18 +191,31 @@ void simplestring_free(simplestring* str
* simplestring_add ()
* SOURCE
*/
-void simplestring_addn(simplestring* target, const char* source, int add_len) {
+void simplestring_addn(simplestring* target, const char* source, size_t add_len) {
+ size_t newsize = target->size, incr = 0;
if(target && source) {
if(!target->str) {
simplestring_init_str(target);
}
+
+ if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+ /* check for overflows, if there's a potential overflow do nothing */
+ return;
+ }
+
if(target->len + add_len + 1 > target->size) {
/* newsize is current length + new length */
- int newsize = target->len + add_len + 1;
- int incr = target->size * 2;
+ newsize = target->len + add_len + 1;
+ incr = target->size * 2;
/* align to SIMPLESTRING_INCR increments */
- newsize = newsize - (newsize % incr) + incr;
+ if (incr) {
+ newsize = newsize - (newsize % incr) + incr;
+ }
+ if(newsize < (target->len + add_len + 1)) {
+ /* some kind of overflow happened */
+ return;
+ }
target->str = (char*)realloc(target->str, newsize);
target->size = target->str ? newsize : 0;