components/php-5_3/php-sapi/patches/380_php_21296988.patch
changeset 4610 d6280e23d377
4609:c87d757fa091 4610:d6280e23d377
       
     1 Community BUG:
       
     2 https://bugs.php.net/bug.php?id=69364
       
     3 Patch from another source:
       
     4 https://github.com/80vul/phpcodz/blob/master/research/cve-2015-4024.patch.diff
       
     5 
       
     6 
       
     7 ### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg
       
     8 
       
     9 --- php-5.3.29/main/rfc1867.c_orig
       
    10 +++ php-5.3.29/main/rfc1867.c
       
    11 @@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
       
    12  	char *line;
       
    13  	mime_header_entry prev_entry, entry;
       
    14  	int prev_len, cur_len;
       
    15 +	int newlines = 0;
       
    16 +	long upload_max_newlines = 100;
       
    17  
       
    18  	/* didn't find boundary, abort */
       
    19  	if (!find_boundary(self, self->boundary TSRMLS_CC)) {
       
    20 @@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
       
    21  
       
    22  			entry.value = estrdup(value);
       
    23  			entry.key = estrdup(key);
       
    24 +			newlines = 0;
       
    25  
       
    26  		} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
       
    27  
       
    28 @@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
       
    29  			entry.value[cur_len + prev_len] = '\0';
       
    30  
       
    31  			entry.key = estrdup(prev_entry.key);
       
    32 +			newlines++;
       
    33 +			if (newlines > upload_max_newlines) {
       
    34 +				return 0;
       
    35 +			}
       
    36  
       
    37  			zend_llist_remove_tail(header);
       
    38  		} else {
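Review bot: The early `return 0;` in the third hunk (`@@ -501,6 +504,10 @@`) runs after `entry.key = estrdup(prev_entry.key);` and after the concatenated `entry.value` has been terminated, so both buffers are abandoned on the rejection path; presumably they are only reclaimed by the request allocator at shutdown. Incrementing and checking `newlines` at the top of the continuation branch, before the concatenation, would avoid this and skip the final copy; alternatively release them first, e.g. `efree(entry.value); efree(entry.key); return 0;`. The cap is a bare local `long upload_max_newlines = 100;` compared against an `int` counter, and its name reads like a configuration setting although it is fixed here; a named constant with a comment such as `/* max folded continuation lines per header, see CVE-2015-4024 */` would state the intent. The rejection is also silent, so a warning before the return would let operators see when the limit is hit. The body of `multipart_buffer_headers` starts and ends outside these hunks, so how callers treat the 0 return should be confirmed against the full file.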