php-5.3.6-bug-54055.patch

   1 --- PHP_5_3/main/snprintf.c     2011/02/21 06:22:00     308524
   2 +++ PHP_5_3/main/snprintf.c     2011/02/21 06:53:24     308525
   3 @@ -677,10 +677,6 @@
   4
   5                                 /*
   6                                  * Check if a precision was specified
   7 -                                *
   8 -                                * XXX: an unreasonable amount of precision may be specified
   9 -                                * resulting in overflow of num_buf. Currently we
  10 -                                * ignore this possibility.
  11                                  */
  12                                 if (*fmt == '.') {
  13                                         adjust_precision = YES;
  14 @@ -694,6 +690,10 @@
  15                                                         precision = 0;
  16                                         } else
  17                                                 precision = 0;
  18 +
  19 +                                       if (precision > FORMAT_CONV_MAX_PRECISION) {
  20 +                                               precision = FORMAT_CONV_MAX_PRECISION;
  21 +                                       }
  22                                 } else
  23                                         adjust_precision = NO;
  24                         } else
  25 --- PHP_5_3/main/snprintf.h     2011/02/21 06:22:00     308524
  26 +++ PHP_5_3/main/snprintf.h     2011/02/21 06:53:24     308525
  27 @@ -12,7 +12,7 @@
  28     | obtain it through the world-wide-web, please send a note to          |
  29     | license@php.net so we can mail you a copy immediately.               |
  30     +----------------------------------------------------------------------+
  31 -   | Author: Stig Sæther Bakken <ssb@php.net>                             |
  32 +   | Author: Stig Sæther Bakken <ssb@php.net>                             |
  33     |         Marcus Boerger <helly@php.net>                               |
  34     +----------------------------------------------------------------------+
  35  */
  36 @@ -157,6 +157,17 @@
  37
  38  extern char * ap_php_conv_p2(register u_wide_int num, register int nbits,
  39                  char format, char *buf_end, register int *len);
  40 +
  41 +/* The maximum precision that's allowed for float conversion. Does not include
  42 + * decimal separator, exponent, sign, terminator. Currently does not affect
  43 + * the modes e/f, only g/k/H, as those have a different limit enforced at
  44 + * another level (see NDIG in php_conv_fp()).
  45 + * Applies to the formatting functions of both spprintf.c and snprintf.c, which
  46 + * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the
  47 + * call to php_gcvt().
  48 + * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9
  49 + * should be enough, but let's give some more space) */
  50 +#define FORMAT_CONV_MAX_PRECISION 500
  51
  52  #endif /* SNPRINTF_H */
  53
  54 --- PHP_5_3/main/spprintf.c     2011/02/21 06:22:00     308524
  55 +++ PHP_5_3/main/spprintf.c     2011/02/21 06:53:24     308525
  56 @@ -285,10 +285,6 @@
  57
  58                                 /*
  59                                  * Check if a precision was specified
  60 -                                *
  61 -                                * XXX: an unreasonable amount of precision may be specified
  62 -                                * resulting in overflow of num_buf. Currently we
  63 -                                * ignore this possibility.
  64                                  */
  65                                 if (*fmt == '.') {
  66                                         adjust_precision = YES;
  67 @@ -302,6 +298,10 @@
  68                                                         precision = 0;
  69                                         } else
  70                                                 precision = 0;
  71 +
  72 +                                       if (precision > FORMAT_CONV_MAX_PRECISION) {
  73 +                                               precision = FORMAT_CONV_MAX_PRECISION;
  74 +                                       }
  75                                 } else
  76                                         adjust_precision = NO;
  77                         } else