File php-5.2.14-CVE-2011-1464.patch of Package php-5.2.17
http://svn.php.net/viewvc/?view=revision&revision=308525
--- main/snprintf.c 2011/02/21 06:22:00 308524
+++ main/snprintf.c 2011/02/21 06:53:24 308525
@@ -677,10 +677,6 @@
 /*
 * Check if a precision was specified
- *
- * XXX: an unreasonable amount of precision may be specified
- * resulting in overflow of num_buf. Currently we
- * ignore this possibility.
 */
 if (*fmt == '.') {
 adjust_precision = YES;
@@ -694,6 +690,10 @@
 precision = 0;
 } else
 precision = 0;
+
+ if (precision > FORMAT_CONV_MAX_PRECISION) {
+ precision = FORMAT_CONV_MAX_PRECISION;
+ }
 } else
 adjust_precision = NO;
 } else
--- main/spprintf.c 2011/02/21 06:22:00 308524
+++ main/spprintf.c 2011/02/21 06:53:24 308525
@@ -285,10 +285,6 @@
 /*
 * Check if a precision was specified
- *
- * XXX: an unreasonable amount of precision may be specified
- * resulting in overflow of num_buf. Currently we
- * ignore this possibility.
 */
 if (*fmt == '.') {
 adjust_precision = YES;
@@ -302,6 +298,10 @@
 precision = 0;
 } else
 precision = 0;
+
+ if (precision > FORMAT_CONV_MAX_PRECISION) {
+ precision = FORMAT_CONV_MAX_PRECISION;
+ }
 } else
 adjust_precision = NO;
 } else
--- main/snprintf.h 2011/02/21 06:22:00 308524
+++ main/snprintf.h 2011/02/21 06:53:24 308525
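Review bot: The added clamp `if (precision > FORMAT_CONV_MAX_PRECISION)` in the second main/snprintf.c hunk, and the identical one in main/spprintf.c, has no comment, while the same commit deletes the XXX note that was the only in-place record of the num_buf overflow risk. I would put one line above each clamp, `/* cap precision so the php_gcvt() output still fits in num_buf (see FORMAT_CONV_MAX_PRECISION) */`, so the bound is not later relaxed as an arbitrary limit. The cap also silently shortens the requested precision, which is worth stating in the same comment because callers get no signal that truncation happened. The enclosing function starts and ends outside these hunks, so whether every later use of `precision` sees the clamped value cannot be confirmed from the visible lines.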
@@ -157,6 +157,17 @@
 extern char * ap_php_conv_p2(register u_wide_int num, register int nbits, char format, char *buf_end, register int *len);
+
+/* The maximum precision that's allowed for float conversion. Does not include
+ * decimal separator, exponent, sign, terminator. Currently does not affect
+ * the modes e/f, only g/k/H, as those have a different limit enforced at
+ * another level (see NDIG in php_conv_fp()).
+ * Applies to the formatting functions of both spprintf.c and snprintf.c, which
+ * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the
+ * call to php_gcvt().
+ * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9
+ * should be enough, but let's give some more space) */
+#define FORMAT_CONV_MAX_PRECISION 500
 #endif /* SNPRINTF_H */
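Review bot: The safety of `FORMAT_CONV_MAX_PRECISION 500` rests on a 512-byte buffer that this header neither defines nor checks, and the comment itself hedges the margin ("I think MAX_BUF_SIZE - 9 should be enough"). A later change to either value could therefore bring the overflow back without any build failure. Since the comment places the buffers in spprintf.c and snprintf.c, a preprocessor guard next to each buffer-size definition would pin the relation: `#if FORMAT_CONV_MAX_PRECISION + 12 > BUFFER_SIZE_MACRO`, `# error "FORMAT_CONV_MAX_PRECISION too large for the conversion buffer"`, `#endif`. Here BUFFER_SIZE_MACRO is a placeholder for whatever macro the comment calls MAX_BUF_SIZE, and 12 is the slack the current values leave. The comment should also list the worst-case extra characters (sign, decimal separator, exponent, terminator) as a count rather than as a guess.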