Diffstat (limited to 'meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch')
-rw-r--r--meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch59
1 files changed, 0 insertions, 59 deletions
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch
deleted file mode 100644
index 711b8525a4..0000000000
--- a/meta-oe/recipes-devtools/php/php/CVE-2019-11046.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 2d07f00b73d8f94099850e0f5983e1cc5817c196 Mon Sep 17 00:00:00 2001
-From: "Christoph M. Becker" <cmbecker69@gmx.de>
-Date: Sat, 30 Nov 2019 12:26:37 +0100
-Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
-
-We must not rely on `isdigit()` to detect digits, since we only support
-decimal ASCII digits in the following processing.
-
-(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
-
-Upstream-Status: Accepted
-CVE: CVE-2019-11046
-
-Reference to upstream patch:
-http://git.php.net/?p=php-src.git;a=commit;h=eb23c6008753b1cdc5359dead3a096dce46c9018
-http://git.php.net/?p=php-src.git;a=commit;h=2d07f00b73d8f94099850e0f5983e1cc5817c196
----
- ext/bcmath/libbcmath/src/str2num.c | 4 ++--
- ext/bcmath/tests/bug78878.phpt | 13 +++++++++++++
- 2 files changed, 15 insertions(+), 2 deletions(-)
- create mode 100644 ext/bcmath/tests/bug78878.phpt
-
-diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
-index f38d341570..03aec15930 100644
---- a/ext/bcmath/libbcmath/src/str2num.c
-+++ b/ext/bcmath/libbcmath/src/str2num.c
-@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
- zero_int = FALSE;
- if ( (*ptr == '+') || (*ptr == '-')) ptr++; /* Sign */
- while (*ptr == '0') ptr++; /* Skip leading zeros. */
-- while (isdigit((int)*ptr)) ptr++, digits++; /* digits */
-+ while (*ptr >= '0' && *ptr <= '9') ptr++, digits++; /* digits */
- if (*ptr == '.') ptr++; /* decimal point */
-- while (isdigit((int)*ptr)) ptr++, strscale++; /* digits */
-+ while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++; /* digits */
- if ((*ptr != '\0') || (digits+strscale == 0))
- {
- *num = bc_copy_num (BCG(_zero_));
-diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
-new file mode 100644
-index 0000000000..2c9d72b946
---- /dev/null
-+++ b/ext/bcmath/tests/bug78878.phpt
-@@ -0,0 +1,13 @@
-+--TEST--
-+Bug #78878 (Buffer underflow in bc_shift_addsub)
-+--SKIPIF--
-+<?php
-+if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
-+?>
-+--FILE--
-+<?php
-+print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
-+?>
-+--EXPECT--
-+bc math warning: non-zero scale in modulus
-+0
---
-2.11.0