[packages/php.git] / php-5.2.17-bug-323007-2.patch

this refers to svn commit: http://svn.php.net/viewvc?view=revision&revision=323007
aka CVE-2012-0830

link: https://bugzilla.redhat.com/show_bug.cgi?id=786686

diff -up php-5.2.17/main/php_variables.c.bug-323007 php-5.2.17/main/php_variables.c
--- php-5.2.17/main/php_variables.c.bug-323007	2012-02-03 12:12:09.000000000 +0700
+++ php-5.2.17/main/php_variables.c	2012-02-03 13:17:16.000000000 +0700
@@ -187,12 +187,17 @@ PHPAPI void php_register_variable_ex(cha
 				}
 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
-					if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
-						php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
-					}
+					if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
+					    if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
+						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+					    }
 					MAKE_STD_ZVAL(gpc_element);
 					array_init(gpc_element);
 					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
+					} else {
+				    efree(var_orig);
+				    return;
+					}
 				}
 				if (index != escaped_index) {
 					efree(escaped_index);
Commit	Line	Data
badd589e ER	1	this refers to svn commit: http://svn.php.net/viewvc?view=revision&revision=323007
	2	aka CVE-2012-0830
	3
	4	link: https://bugzilla.redhat.com/show_bug.cgi?id=786686
	5
82f6b657 ER	6	diff -up php-5.2.17/main/php_variables.c.bug-323007 php-5.2.17/main/php_variables.c
	7	--- php-5.2.17/main/php_variables.c.bug-323007 2012-02-03 12:12:09.000000000 +0700
	8	+++ php-5.2.17/main/php_variables.c 2012-02-03 13:17:16.000000000 +0700
	9	@@ -187,12 +187,17 @@ PHPAPI void php_register_variable_ex(cha
	10	}
	11	if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
	12	\|\| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
	13	- if (zend_hash_num_elements(symtable1) >= PG(max_input_vars)) {
	14	- php_error_docref(NULL TSRMLS_CC, E_ERROR, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
	15	- }
	16	+ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
	17	+ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
	18	+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
	19	+ }
	20	MAKE_STD_ZVAL(gpc_element);
	21	array_init(gpc_element);
	22	zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval ), (void *) &gpc_element_p);
	23	+ } else {
	24	+ efree(var_orig);
	25	+ return;
	26	+ }
	27	}
	28	if (index != escaped_index) {
	29	efree(escaped_index);