Blame SOURCES/php-5.4.16-CVE-2014-4049.patch
|
 |
2067da |
From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
|
|
|
2067da |
From: Sara Golemon <pollita@php.net>
|
|
|
2067da |
Date: Tue, 10 Jun 2014 11:18:02 -0700
|
|
|
2067da |
Subject: [PATCH] Fix potential segfault in dns_get_record()
|
|
|
2067da |
|
|
|
2067da |
If the remote sends us a packet with a malformed TXT record,
|
|
|
2067da |
we could end up trying to over-consume the packet and wander
|
|
|
2067da |
off into overruns.
|
|
|
2067da |
---
|
|
|
2067da |
ext/standard/dns.c | 4 ++++
|
|
|
2067da |
1 file changed, 4 insertions(+)
|
|
|
2067da |
|
|
|
2067da |
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
|
|
|
2067da |
index 6a89446..214a7dc 100644
|
|
|
2067da |
--- a/ext/standard/dns.c
|
|
|
2067da |
+++ b/ext/standard/dns.c
|
|
|
2067da |
@@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
|
|
|
2067da |
|
|
|
2067da |
while (ll < dlen) {
|
|
|
2067da |
n = cp[ll];
|
|
|
2067da |
+ if ((ll + n) >= dlen) {
|
|
|
2067da |
+ // Invalid chunk length, truncate
|
|
|
2067da |
+ n = dlen - (ll + 1);
|
|
|
2067da |
+ }
|
|
|
2067da |
memcpy(tp + ll , cp + ll + 1, n);
|
|
|
2067da |
add_next_index_stringl(entries, cp + ll + 1, n, 1);
|
|
|
2067da |
ll = ll + n + 1;
|
|
|
2067da |
--
|
|
|
2067da |
1.9.3
|
|
|
2067da |
|