Skip to content

Instantly share code, notes, and snippets.

/72455.diff Secret
Created Jun 21, 2016

Embed
What would you like to do?
Patch for 72455
commit 6c5211a0cef0cc2854eaa387e0eb036e012904d0
Author: Stanislav Malyshev <stas@php.net>
Date: Mon Jun 20 21:51:42 2016 -0700
Fix bug #72455: Heap Overflow due to integer overflows
diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index 194660d..3cbb913 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -692,6 +692,10 @@ PHP_FUNCTION(mcrypt_generic)
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((data_len - 1) / block_size) + 1) * block_size;
+ if (data_size <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
@@ -737,6 +741,10 @@ PHP_FUNCTION(mdecrypt_generic)
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
block_size = mcrypt_enc_get_block_size(pm->td);
data_size = (((data_len - 1) / block_size) + 1) * block_size;
+ if (data_size <= 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
+ RETURN_FALSE;
+ }
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.