40 lines
1.5 KiB
Diff
40 lines
1.5 KiB
Diff
Backported from 5.5.37 for 5.4 by Remi Collet
|
|
|
|
|
|
From 6c5211a0cef0cc2854eaa387e0eb036e012904d0 Mon Sep 17 00:00:00 2001
|
|
From: Stanislav Malyshev <stas@php.net>
|
|
Date: Mon, 20 Jun 2016 21:51:42 -0700
|
|
Subject: [PATCH] Fix bug #72455: Heap Overflow due to integer overflows
|
|
|
|
---
|
|
ext/mcrypt/mcrypt.c | 92 +++++++++++++++++++++++++++++------------------------
|
|
1 file changed, 50 insertions(+), 42 deletions(-)
|
|
|
|
diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
|
|
index 194660d..3cbb913 100644
|
|
--- a/ext/mcrypt/mcrypt.c
|
|
+++ b/ext/mcrypt/mcrypt.c
|
|
@@ -681,6 +681,10 @@ PHP_FUNCTION(mcrypt_generic)
|
|
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
|
|
block_size = mcrypt_enc_get_block_size(pm->td);
|
|
data_size = (((data_len - 1) / block_size) + 1) * block_size;
|
|
+ if (data_size <= 0) {
|
|
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
|
|
+ RETURN_FALSE;
|
|
+ }
|
|
data_s = emalloc(data_size + 1);
|
|
memset(data_s, 0, data_size);
|
|
memcpy(data_s, data, data_len);
|
|
@@ -726,6 +730,10 @@ PHP_FUNCTION(mdecrypt_generic)
|
|
if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
|
|
block_size = mcrypt_enc_get_block_size(pm->td);
|
|
data_size = (((data_len - 1) / block_size) + 1) * block_size;
|
|
+ if (data_size <= 0) {
|
|
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
|
|
+ RETURN_FALSE;
|
|
+ }
|
|
data_s = emalloc(data_size + 1);
|
|
memset(data_s, 0, data_size);
|
|
memcpy(data_s, data, data_len);
|
|
|
