rpms / php

Clone
Source Code
GIT

Blame SOURCES/php-5.4.16-CVE-2014-4049.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8-beta-stream-7.2 c8-beta-stream-7.3 c8-beta-stream-7.4 c8-beta-stream-8.0 c8-stream-7.2 c8-stream-7.3 c8-stream-7.4 c8-stream-8.0 c8s-stream-7.4 c8s-stream-8.0 c9 c9-beta c9-beta-stream-8.1 c9-stream-8.1
  1.   ba24df00fc248b38662d7f803c79ed6bc7adcd34
  2.   SOURCES
  3.   php-5.4.16-CVE-2014-4049.patch
Blob History Raw
b6cbd1 
From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
b6cbd1 
From: Sara Golemon <pollita@php.net>
b6cbd1 
Date: Tue, 10 Jun 2014 11:18:02 -0700
b6cbd1 
Subject: [PATCH] Fix potential segfault in dns_get_record()
b6cbd1
b6cbd1 
If the remote sends us a packet with a malformed TXT record,
b6cbd1 
we could end up trying to over-consume the packet and wander
b6cbd1 
off into overruns.
b6cbd1 
---
b6cbd1 
 ext/standard/dns.c | 4 ++++
b6cbd1 
 1 file changed, 4 insertions(+)
b6cbd1
b6cbd1 
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
b6cbd1 
index 6a89446..214a7dc 100644
b6cbd1 
--- a/ext/standard/dns.c
b6cbd1 
+++ b/ext/standard/dns.c
b6cbd1 
@@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
b6cbd1
b6cbd1 
 				while (ll < dlen) {
b6cbd1 
 					n = cp[ll];
b6cbd1 
+					if ((ll + n) >= dlen) {
b6cbd1 
+						// Invalid chunk length, truncate
b6cbd1 
+						n = dlen - (ll + 1);
b6cbd1 
+					}
b6cbd1 
 					memcpy(tp + ll , cp + ll + 1, n);
b6cbd1 
 					add_next_index_stringl(entries, cp + ll + 1, n, 1);
b6cbd1 
 					ll = ll + n + 1;
b6cbd1 
--
b6cbd1 
1.9.3
b6cbd1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation