[CVE-2014-4049]: Fix potential segfault in dns_get_record()

2 files changed, 26 insertions, 0 deletions

diff --git a/debian/patches/CVE-2014-4049.patch b/debian/patches/CVE-2014-4049.patch
new file mode 100644
index 000000000..d8a8b9d00
--- /dev/null
+++ b/debian/patches/CVE-2014-4049.patch
@@ -0,0 +1,25 @@
+From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001
+From: Sara Golemon <pollita@php.net>
+Date: Tue, 10 Jun 2014 11:18:02 -0700
+Subject: [PATCH] Fix potential segfault in dns_get_record()
+
+If the remote sends us a packet with a malformed TXT record,
+we could end up trying to over-consume the packet and wander
+off into overruns.
+---
+ ext/standard/dns.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- php5.orig/ext/standard/dns.c
++++ php5/ext/standard/dns.c
+@@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, q
+ 				
+ 				while (ll < dlen) {
+ 					n = cp[ll];
++					if ((ll + n) >= dlen) {
++						// Invalid chunk length, truncate
++						n = dlen - (ll + 1);
++					}
+ 					memcpy(tp + ll , cp + ll + 1, n);
+ 					add_next_index_stringl(entries, cp + ll + 1, n, 1);
+ 					ll = ll + n + 1;
diff --git a/debian/patches/series b/debian/patches/series
index e3c343ad0..5298643f4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -37,3 +37,4 @@ php-fpm-m68k.patch
 expose_all_built_and_installed_apis.patch
 use_system_timezone.patch
 zlib-largefile-function-renaming.patch
+CVE-2014-4049.patch