Patch for 72455
commit 6c5211a0cef0cc2854eaa387e0eb036e012904d0 | |
Author: Stanislav Malyshev <stas@php.net> | |
Date: Mon Jun 20 21:51:42 2016 -0700 | |
Fix bug #72455: Heap Overflow due to integer overflows | |
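diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index 194660d..3cbb913 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -692,6 +692,10 @@ PHP_FUNCTION(mcrypt_generic)
 if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
 block_size = mcrypt_enc_get_block_size(pm->td);
 data_size = (((data_len - 1) / block_size) + 1) * block_size;
+ if (data_size <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
 data_s = emalloc(data_size + 1);
 memset(data_s, 0, data_size);
 memcpy(data_s, data, data_len);
@@ -737,6 +741,10 @@ PHP_FUNCTION(mdecrypt_generic)
 if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
 block_size = mcrypt_enc_get_block_size(pm->td);
 data_size = (((data_len - 1) / block_size) + 1) * block_size;
+ if (data_size <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
 data_s = emalloc(data_size + 1);
 memset(data_s, 0, data_size);
 memcpy(data_s, data, data_len);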
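Review bot: The added `data_size <= 0` test in mcrypt_generic, and the identical one in mdecrypt_generic, runs only after the rounding arithmetic has already been evaluated, so it detects the overflow by its wrapped result rather than preventing it. The declarations are outside both hunks, but if data_len and data_size are signed ints, that wraparound is undefined behaviour and a compiler is entitled to assume it never happens and drop the test. A guard placed before the computation does not depend on wrapping, for example `if (block_size <= 0 || data_len > INT_MAX - block_size) {` with the same warning and `RETURN_FALSE;`, which also covers a zero block size reaching the division. A short comment such as `/* reject lengths whose block-rounded size would not fit before allocating */` would record why the check precedes `emalloc(data_size + 1)`.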