authorOndřej Surý <ondrej@sury.org>2015-02-20 10:07:59 +0100
committerOndřej Surý <ondrej@sury.org>2015-02-20 10:07:59 +0100
commita57d8616e445fced92a44241e4e4971f2b3119b2 (patch)
tree978fd8d3343926997e7a660847342415ff5be884 /debian
parent1f20143c93ea19e0df6c69d6966142ae74dc60ff (diff)
Pull patch from DragonFly BSD Project to limit the pattern space to avoid a 32-bit overflow in Henry Spencer regular expressions (regex) library (Closes: #778389)
Diffstat (limited to 'debian')
-rw-r--r--debian/patches/VU69594034
-rw-r--r--debian/patches/series1
2 files changed, 35 insertions, 0 deletions
diff --git a/debian/patches/VU695940 b/debian/patches/VU695940
new file mode 100644
index 000000000..dbc286b61
--- /dev/null
+++ b/debian/patches/VU695940
@@ -0,0 +1,34 @@
+--- php5.orig/ext/ereg/regex/regcomp.c
++++ php5/ext/ereg/regex/regcomp.c
+@@ -95,6 +95,7 @@ int cflags;
+ register struct parse *p = &pa;
+ register int i;
+ register size_t len;
++ size_t maxlen;
+ #ifdef REDEBUG
+ # define GOODFLAGS(f) (f)
+ #else
+@@ -117,7 +118,22 @@ int cflags;
+ (NC-1)*sizeof(cat_t));
+ if (g == NULL)
+ return(REG_ESPACE);
+- p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
++ /*
++ * Limit the pattern space to avoid a 32-bit overflow on buffer
++ * extension. Also avoid any signed overflow in case of conversion
++ * so make the real limit based on a 31-bit overflow.
++ *
++ * Likely not applicable on 64-bit systems but handle the case
++ * generically (who are we to stop people from using ~715MB+
++ * patterns?).
++ */
++ maxlen = ((size_t)-1 >> 1) / sizeof(sop) * 2 / 3;
++ if (len >= maxlen) {
++ free((char *)g);
++ return(REG_ESPACE);
++ }
++ p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
++ assert(p->ssize >= len);
+ p->strip = (sop *)malloc(p->ssize * sizeof(sop));
+ p->slen = 0;
+ if (p->strip == NULL) {
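Review bot: The added `assert(p->ssize >= len);` is not a runtime guard. It compiles to nothing under NDEBUG (likely for release builds, though the build flags are not visible here), and where it is active it aborts the process on a caller-supplied pattern instead of returning an error. The preceding `len >= maxlen` check is what actually bounds the allocation, so either drop the assert or make it explicit, e.g. `if (p->ssize < len) { free((char *)g); return(REG_ESPACE); }`. The comment says the limit protects against overflow "on buffer extension", but the enclosing function and the code that later grows `p->strip` lie outside this hunk, so it is worth confirming that growth cannot push `p->ssize * sizeof(sop)` past the same limit. The patch file also begins directly at its `---` line; a short header naming the DragonFly BSD origin and Debian bug #778389 from the commit message would keep the provenance with the patch.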
diff --git a/debian/patches/series b/debian/patches/series
index 2c9fba9c5..10cc825e4 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -46,3 +46,4 @@ hack-phpdbg-to-explicitly-link-with-libedit.patch
php-fpm-getallheaders.patch
0001-Fix-ZEND_MM_ALIGNMENT-on-m64k.patch
revert-f07b8f36ae8099e29d19fbe8806bc07b21dcd4ac.patch
+VU695940