Blame SOURCES/php-5.5.21-CVE-2015-4024.patch

30ceb2
From 4605d536d23b00813d11cc906bb48d39bdcf5f25 Mon Sep 17 00:00:00 2001
30ceb2
From: Stanislav Malyshev <stas@php.net>
30ceb2
Date: Sat, 9 May 2015 23:04:25 -0700
30ceb2
Subject: [PATCH] Fixed bug #69364 - use smart_str to assemble strings
30ceb2
30ceb2
---
30ceb2
 main/rfc1867.c | 51 +++++++++++++++++++++++++++------------------------
30ceb2
 1 file changed, 27 insertions(+), 24 deletions(-)
30ceb2
30ceb2
diff --git a/main/rfc1867.c b/main/rfc1867.c
30ceb2
index fab199b..9e2fbd5 100644
30ceb2
--- a/main/rfc1867.c
30ceb2
+++ b/main/rfc1867.c
30ceb2
@@ -33,6 +33,7 @@
30ceb2
 #include "php_variables.h"
30ceb2
 #include "rfc1867.h"
30ceb2
 #include "ext/standard/php_string.h"
30ceb2
+#include "ext/standard/php_smart_str.h"
30ceb2
 
30ceb2
 #define DEBUG_FILE_UPLOAD ZEND_DEBUG
30ceb2
 
30ceb2
@@ -398,8 +399,9 @@ static int find_boundary(multipart_buffer *self, char *boundary TSRMLS_DC)
30ceb2
 static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC)
30ceb2
 {
30ceb2
 	char *line;
30ceb2
-	mime_header_entry prev_entry = {0}, entry;
30ceb2
-	int prev_len, cur_len;
30ceb2
+	mime_header_entry entry = {0};
30ceb2
+	smart_str buf_value = {0};
30ceb2
+	char *key = NULL;
30ceb2
 
30ceb2
 	/* didn't find boundary, abort */
30ceb2
 	if (!find_boundary(self, self->boundary TSRMLS_CC)) {
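Review bot: The new locals `buf_value` and `key` carry state from one iteration of the header loop to the next, but nothing at their declaration says so. A comment above them such as `/* header currently being assembled; both pointers are handed to the list when the entry is added */` would make the ownership transfer explicit, since the later hunk sets both to NULL after `zend_llist_add_element()` without freeing them. Who eventually frees the stored key and value is not visible in this patch; presumably the list's destructor does. The function body continues outside this hunk.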
30ceb2
@@ -411,11 +413,10 @@
30ceb2
 	while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' )
30ceb2
 	{
30ceb2
 		/* add header to table */
30ceb2
-		char *key = line;
30ceb2
 		char *value = NULL;
30ceb2
 
30ceb2
 		if (php_rfc1867_encoding_translation(TSRMLS_C)) {
30ceb2
-			self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
30ceb2
+			self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
30ceb2
 		}
30ceb2
 
30ceb2
 		/* space in the beginning means same header */
30ceb2
@@ -424,31 +425,33 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
30ceb2
 		}
30ceb2
 
30ceb2
 		if (value) {
30ceb2
-			*value = 0;
30ceb2
-			do { value++; } while(isspace(*value));
30ceb2
-
30ceb2
-			entry.value = estrdup(value);
30ceb2
-			entry.key = estrdup(key);
30ceb2
-
30ceb2
-		} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
30ceb2
-
30ceb2
-			prev_len = strlen(prev_entry.value);
30ceb2
-			cur_len = strlen(line);
30ceb2
-
30ceb2
-			entry.value = emalloc(prev_len + cur_len + 1);
30ceb2
-			memcpy(entry.value, prev_entry.value, prev_len);
30ceb2
-			memcpy(entry.value + prev_len, line, cur_len);
30ceb2
-			entry.value[cur_len + prev_len] = '\0';
30ceb2
+			if(buf_value.c && key) {
30ceb2
+				/* new entry, add the old one to the list */
30ceb2
+				smart_str_0(&buf_value);
30ceb2
+				entry.key = key;
30ceb2
+				entry.value = buf_value.c;
30ceb2
+				zend_llist_add_element(header, &entry);
30ceb2
+				buf_value.c = NULL;
30ceb2
+				key = NULL;
30ceb2
+			}
30ceb2
 
30ceb2
-			entry.key = estrdup(prev_entry.key);
30ceb2
+			*value = '\0';
30ceb2
+			do { value++; } while(isspace(*value));
30ceb2
 
30ceb2
-			zend_llist_remove_tail(header);
30ceb2
+			key = estrdup(line);
30ceb2
+			smart_str_appends(&buf_value, value);
30ceb2
+		} else if (buf_value.c) { /* If no ':' on the line, add to previous line */
30ceb2
+			smart_str_appends(&buf_value, line);
30ceb2
 		} else {
30ceb2
 			continue;
30ceb2
 		}
30ceb2
-
30ceb2
+	}
30ceb2
+	if(buf_value.c && key) {
30ceb2
+		/* add the last one to the list */
30ceb2
+		smart_str_0(&buf_value);
30ceb2
+		entry.key = key;
30ceb2
+		entry.value = buf_value.c;
30ceb2
 		zend_llist_add_element(header, &entry);
30ceb2
-		prev_entry = entry;
30ceb2
 	}
30ceb2
 
30ceb2
 	return 1;
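Review bot: The re-added line `do { value++; } while(isspace(*value));` passes a plain `char` taken from a request-supplied multipart header to `isspace()`, which is undefined for negative values where `char` is signed (any byte >= 0x80); `do { value++; } while (isspace((unsigned char)*value));` avoids that. The flush sequence (`smart_str_0`, fill `entry`, `zend_llist_add_element`) now appears twice, once inside the loop and once after it, and a small static helper would keep the two copies from drifting apart. Resetting only `buf_value.c = NULL` relies on smart_str re-initialising its length on the next append, which deserves a one-line comment at that assignment. Nothing visible in this hunk limits how many continuation lines a single header may accumulate, so the total size is presumably bounded only by request limits enforced elsewhere. The function starts before this hunk.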
30ceb2
@@ -884,7 +887,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
30ceb2
 					if (count == PG(max_input_vars) + 1) {
30ceb2
 						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
30ceb2
 					}
30ceb2
-				
30ceb2
+
30ceb2
 					if (php_rfc1867_callback != NULL) {
30ceb2
 						multipart_event_formdata event_formdata;
30ceb2
 
30ceb2
-- 
30ceb2
2.1.4
30ceb2