File php-4.3.9-CVE-2006-4486.patch of Package php4
--- php-4.3.9/Zend/zend_alloc.c.cve4486
+++ php-4.3.9/Zend/zend_alloc.c
@@ -110,7 +110,7 @@
 p->pLast = (zend_mem_header *) NULL;
 #define DECLARE_CACHE_VARS() \
- unsigned int real_size; \
+ size_t real_size; \
 unsigned int cache_index
 #define REAL_SIZE(size) ((size+7) & ~0x7)
@@ -125,12 +125,16 @@
 ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC)
 {
- zend_mem_header *p;
+ zend_mem_header *p = NULL;
 DECLARE_CACHE_VARS();
 TSRMLS_FETCH();
 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
+ if (size > INT_MAX || SIZE < size) {
+ goto emalloc_error;
+ }
+
 if (!ZEND_DISABLE_MEMORY_CACHE && (CACHE_INDEX < MAX_CACHED_MEMORY) && (AG(cache_count)[CACHE_INDEX] > 0)) {
 p = AG(cache)[CACHE_INDEX][--AG(cache_count)[CACHE_INDEX]];
 #if ZEND_DEBUG
@@ -164,6 +168,8 @@
 p = (zend_mem_header *) ZEND_DO_MALLOC(sizeof(zend_mem_header) + MEM_HEADER_PADDING + SIZE + END_MAGIC_SIZE);
 }
+emalloc_error:
+
 HANDLE_BLOCK_INTERRUPTIONS();
 if (!p) {
@@ -319,6 +325,13 @@
 CALCULATE_REAL_SIZE_AND_CACHE_INDEX(size);
 HANDLE_BLOCK_INTERRUPTIONS();
+
+ if (size > INT_MAX || SIZE < size) {
+ REMOVE_POINTER_FROM_LIST(p);
+ p = NULL;
+ goto erealloc_error;
+ }
+
 #if MEMORY_LIMIT
 CHECK_MEMORY_LIMIT(size - p->size, SIZE - REAL_SIZE(p->size));
 if (AG(allocated_memory) > AG(allocated_memory_peak)) {
@@ -327,6 +340,7 @@
 #endif
 REMOVE_POINTER_FROM_LIST(p);
 p = (zend_mem_header *) ZEND_DO_REALLOC(p, sizeof(zend_mem_header)+MEM_HEADER_PADDING+SIZE+END_MAGIC_SIZE);
+erealloc_error:
 if (!p) {
 if (!allow_failure) {
 fprintf(stderr,"FATAL: erealloc(): Unable to allocate %ld bytes\n", (long) size);
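Review bot: The new guard `if (size > INT_MAX || SIZE < size)` in _emalloc (hunk @@ -125,12) has no comment, and its two halves do different jobs that a later reader will not guess. The first caps the request size; the second presumably detects that the `(size+7) & ~0x7` round-up wrapped, assuming SIZE is the rounded value, which the page does not show. I would add `/* reject oversized requests and requests whose rounded-up size wrapped, before the cache lookup or any allocation */` above it. `INT_MAX` comes from `<limits.h>` and none of the visible hunks adds an include, so confirm the header is already in scope for zend_alloc.c. The failure path relies on the `p = NULL` initialiser and on the `emalloc_error:` label added in hunk @@ -164,6; _emalloc's body starts and ends outside both hunks.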
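Review bot: The early exit in hunk @@ -319,6 unlinks the block with `REMOVE_POINTER_FROM_LIST(p)` and then drops the only visible reference with `p = NULL` before `goto erealloc_error`. That is safe only if the failure branch after the label (added in hunk @@ -327,6) still holds the original pointer and links it back; the code that would do so lies outside the visible lines. If it does not, the original block stays allocated but untracked, and a caller that keeps using it after a tolerated failure would later free a block the list no longer knows about. If it does, state the pairing next to the unlink: `/* unlinked here because the shared failure path re-adds the original block */`. The enclosing function starts and ends outside both hunks.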