|
1 Community BUG: |
|
2 https://bugs.php.net/bug.php?id=69364 |
|
3 Patch from another source: |
|
4 https://github.com/80vul/phpcodz/blob/master/research/cve-2015-4024.patch.diff |
|
5 |
|
6 |
|
7 ### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg |
|
8 |
|
9 --- php-5.3.29/main/rfc1867.c_orig |
|
10 +++ php-5.3.29/main/rfc1867.c |
|
11 @@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T |
|
12 char *line; |
|
13 mime_header_entry prev_entry, entry; |
|
14 int prev_len, cur_len; |
|
15 + int newlines = 0; |
|
16 + long upload_max_newlines = 100; |
|
17 |
|
18 /* didn't find boundary, abort */ |
|
19 if (!find_boundary(self, self->boundary TSRMLS_CC)) { |
|
20 @@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T |
|
21 |
|
22 entry.value = estrdup(value); |
|
23 entry.key = estrdup(key); |
|
24 + newlines = 0; |
|
25 |
|
26 } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */ |
|
27 |
|
28 @@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T |
|
29 entry.value[cur_len + prev_len] = '\0'; |
|
30 |
|
31 entry.key = estrdup(prev_entry.key); |
|
32 + newlines++; |
|
33 + if (newlines > upload_max_newlines) { |
|
34 + return 0; |
|
35 + } |
|
36 |
|
37 zend_llist_remove_tail(header); |
|
38 } else { |