Fix for wordwrap() buffer overflow, per

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1396 (Patch obtained from RedHat's php-4.2.2-8.0.7.src.rpm.) Bump PKGREVISION.
author: lukem <lukem@pkgsrc.org> 2003-02-21 05:39:03 +0000
committer: lukem <lukem@pkgsrc.org> 2003-02-21 05:39:03 +0000
commit: 600b084e411a0928c244dde323cbedf2ae444d29 (patch)
tree: 4bd28feada3b39e07d7be6f14be06759c86638dd /www/php4
parent: 40116c69bf4404de5f26a76e820b0f0cff151965 (diff)
download: pkgsrc-600b084e411a0928c244dde323cbedf2ae444d29.tar.gz
3 files changed, 111 insertions, 3 deletions
diff --git a/www/php4/Makefile b/www/php4/Makefile
index 211a0d45497..8c0632b106b 100644
--- a/www/php4/Makefile
+++ b/www/php4/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.31 2003/02/03 23:53:24 jlam Exp $
+# $NetBSD: Makefile,v 1.32 2003/02/21 05:39:03 lukem Exp $
 
 PKGNAME=		php-${PHP_BASE_VERS}
-PKGREVISION=		1
+PKGREVISION=		2
 CATEGORIES+=		lang
 COMMENT=		HTML-embedded scripting language
 
diff --git a/www/php4/distinfo b/www/php4/distinfo
index fc2c7079b0d..0c704388b5a 100644
--- a/www/php4/distinfo
+++ b/www/php4/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.18 2003/02/03 23:53:24 jlam Exp $
+$NetBSD: distinfo,v 1.19 2003/02/21 05:39:03 lukem Exp $
 
 SHA1 (php-4.2.3.tar.gz) = 3e57e8c056bd2f173bba8705293cdfa15aeb93bc
 Size (php-4.2.3.tar.gz) = 3413829 bytes
@@ -11,3 +11,4 @@ SHA1 (patch-ag) = a1948af6361e898880e4598654a8ac15fd193b7d
 SHA1 (patch-ah) = 27ac564d2d378852ba328fbc0458d222a4bfdb22
 SHA1 (patch-ai) = 26cbc90ef8478e38c4d201f1dd2318c04991318e
 SHA1 (patch-aj) = 9a40719571301c093548a4dec3429a2cc36fdce4
+SHA1 (patch-ak) = 417c4ef9110d4aec717b39e1ab9a415c1557a4b4
diff --git a/www/php4/patches/patch-ak b/www/php4/patches/patch-ak
new file mode 100644
index 00000000000..3f185c5c488
--- /dev/null
+++ b/www/php4/patches/patch-ak
@@ -0,0 +1,107 @@
+$NetBSD: patch-ak,v 1.1 2003/02/21 05:39:04 lukem Exp $
+
+--- ext/standard/string.c.orig	Mon Jun 24 18:19:43 2002
++++ ext/standard/string.c
+@@ -616,7 +616,7 @@ PHP_FUNCTION(wordwrap)
+ {
+ 	const char *text, *breakchar = "\n";
+ 	char *newtext;
+-	int textlen, breakcharlen = 1, newtextlen;
++	int textlen, breakcharlen = 1, newtextlen, alloced, chk;
+ 	long current = 0, laststart = 0, lastspace = 0;
+ 	long linelength = 75;
+ 	zend_bool docut = 0;
+@@ -642,38 +642,40 @@ PHP_FUNCTION(wordwrap)
+ 		for (current = 0; current < textlen; current++) {
+ 			if (text[current] == breakchar[0]) {
+ 				laststart = lastspace = current;
+-			}
+-			else if (text[current] == ' ') {
++			} else if (text[current] == ' ') {
+ 				if (current - laststart >= linelength) {
+ 					newtext[current] = breakchar[0];
+ 					laststart = current;
+ 				}
+ 				lastspace = current;
+-			}
+-			else if (current - laststart >= linelength
+-					&& laststart != lastspace) {
++			} else if (current - laststart >= linelength && laststart != lastspace) {
+ 				newtext[lastspace] = breakchar[0];
+ 				laststart = lastspace;
+ 			}
+ 		}
+ 
+ 		RETURN_STRINGL(newtext, textlen, 0);
+-	}
+-	else {
++	} else {
+ 		/* Multiple character line break or forced cut */
+ 		if (linelength > 0) {
+-			newtextlen = textlen + (textlen/linelength + 1) * breakcharlen + 1;
+-		}
+-		else {
+-			newtextlen = textlen * (breakcharlen + 1) + 1;
++			chk = (int)(textlen/linelength + 1);
++			alloced = textlen + chk * breakcharlen + 1;
++		} else {
++			chk = textlen;
++			alloced = textlen * (breakcharlen + 1) + 1;
+ 		}
+-		newtext = emalloc(newtextlen);
++		newtext = emalloc(alloced);
+ 
+ 		/* now keep track of the actual new text length */
+ 		newtextlen = 0;
+ 
+ 		laststart = lastspace = 0;
+ 		for (current = 0; current < textlen; current++) {
++			if (chk <= 0) {
++				alloced += (int) (((textlen - current + 1)/linelength + 1) * breakcharlen) + 1;
++				newtext = erealloc(newtext, alloced);
++				chk = (int) ((textlen - current)/linelength) + 1;
++			}
+ 			/* when we hit an existing break, copy to new buffer, and
+ 			 * fix up laststart and lastspace */
+ 			if (text[current] == breakchar[0]
+@@ -683,6 +685,7 @@ PHP_FUNCTION(wordwrap)
+ 				newtextlen += current-laststart+breakcharlen;
+ 				current += breakcharlen - 1;
+ 				laststart = lastspace = current + 1;
++				chk--;
+ 			}
+ 			/* if it is a space, check if it is at the line boundary,
+ 			 * copy and insert a break, or just keep track of it */
+@@ -693,6 +696,7 @@ PHP_FUNCTION(wordwrap)
+ 					memcpy(newtext+newtextlen, breakchar, breakcharlen);
+ 					newtextlen += breakcharlen;
+ 					laststart = current + 1;
++					chk--;
+ 				}
+ 				lastspace = current;
+ 			}
+@@ -706,6 +710,7 @@ PHP_FUNCTION(wordwrap)
+ 				memcpy(newtext+newtextlen, breakchar, breakcharlen);
+ 				newtextlen += breakcharlen;
+ 				laststart = lastspace = current;
++				chk--;
+ 			}
+ 			/* if the current word puts us over the linelength, copy
+ 			 * back up until the last space, insert a break, and move
+@@ -717,6 +722,7 @@ PHP_FUNCTION(wordwrap)
+ 				memcpy(newtext+newtextlen, breakchar, breakcharlen);
+ 				newtextlen += breakcharlen;
+ 				laststart = lastspace = lastspace + 1;
++				chk--;
+ 			}
+ 		}
+ 
+@@ -727,6 +733,8 @@ PHP_FUNCTION(wordwrap)
+ 		}
+ 
+ 		newtext[newtextlen] = '\0';
++		/* free unused memory */
++		newtext = erealloc(newtext, newtextlen+1);
+ 
+ 		RETURN_STRINGL(newtext, newtextlen, 0);
+ 	}
author	lukem <lukem@pkgsrc.org>	2003-02-21 05:39:03 +0000
committer	lukem <lukem@pkgsrc.org>	2003-02-21 05:39:03 +0000
commit	600b084e411a0928c244dde323cbedf2ae444d29 (patch)
tree	4bd28feada3b39e07d7be6f14be06759c86638dd /www/php4
parent	40116c69bf4404de5f26a76e820b0f0cff151965 (diff)
download	pkgsrc-600b084e411a0928c244dde323cbedf2ae444d29.tar.gz