commit php5 for openSUSE:12.1:Update:Test
Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-03-09 17:26:54 Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) Package is php5, Maintainer is pgaj...@suse.com Changes: --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-02-17 10:41:55.0 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-03-09 17:26:55.0 +0100 @@ -1,0 +2,5 @@ +Thu Mar 8 16:54:09 UTC 2012 - pgaj...@suse.com + +- fixed regressions after fix for CVE-2012-0830 [bnc#749111] + +--- Other differences: -- ++ php-5.3.8-CVE-2011-4885.patch ++ --- /var/tmp/diff_new_pack.DRZ7OW/_old 2012-03-09 17:26:56.0 +0100 +++ /var/tmp/diff_new_pack.DRZ7OW/_new 2012-03-09 17:26:56.0 +0100 @@ -1,5 +1,6 @@ http://svn.php.net/viewvc?view=revisionrevision=321038 http://svn.php.net/viewvc?view=revisionrevision=321040 +http://svn.php.net/viewvc?view=revisionrevision=321335 Index: php.ini-development === --- php.ini-development.orig 
@@ -57,23 +58,37 @@ === --- main/php_variables.c.orig +++ main/php_variables.c -@@ -191,6 +191,9 @@ PHPAPI void php_register_variable_ex(cha +@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(cha } if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) gpc_element_p) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) { -+ if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { -+ php_error_docref(NULL TSRMLS_CC, E_ERROR, Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini., PG(max_input_vars)); +- MAKE_STD_ZVAL(gpc_element); +- array_init(gpc_element); +- zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **) gpc_element_p); ++ if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { ++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini., PG(max_input_vars)); ++ } ++ MAKE_STD_ZVAL(gpc_element); ++ array_init(gpc_element); ++ zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **) gpc_element_p); + } - MAKE_STD_ZVAL(gpc_element); - array_init(gpc_element); - zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **) gpc_element_p); -@@ -236,6 +239,9 @@ plain_var: + } + if (index != escaped_index) { + efree(escaped_index); +@@ -236,7 +241,14 @@ plain_var: zend_symtable_exists(symtable1, escaped_index, index_len + 1)) { zval_ptr_dtor(gpc_element); } else { -+ if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { -+ php_error_docref(NULL TSRMLS_CC, E_ERROR, Input variables exceeded %ld. 
To increase the limit change max_input_vars in php.ini., PG(max_input_vars)); +- zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **) gpc_element_p); ++ if (zend_hash_num_elements(symtable1) = PG(max_input_vars)) { ++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini., PG(max_input_vars)); ++
commit php5 for openSUSE:12.1:Update:Test
Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-02-17 10:41:54 Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) Package is php5, Maintainer is pgaj...@suse.com Changes: --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-02-03 17:05:23.0 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-02-17 10:41:55.0 +0100 @@ -1,0 +2,9 @@ +Tue Feb 7 12:44:07 UTC 2012 - pgaj...@suse.com + +- security update: + * CVE-2012-0807 [bnc#743308] + * CVE-2012-0057 [bnc#741520] + * CVE-2011-4153 [bnc#741859] + * CVE-2012-0831 [bnc#746661] + +--- New: php-5.3.8-CVE-2011-4153.patch php-5.3.8-CVE-2012-0057.patch php-5.3.8-CVE-2012-0807.patch php-5.3.8-CVE-2012-0831.patch Other differences: -- ++ php5.spec ++ --- /var/tmp/diff_new_pack.dflNDP/_old 2012-02-17 10:41:56.0 +0100 +++ /var/tmp/diff_new_pack.dflNDP/_new 2012-02-17 10:41:56.0 +0100 @@ -169,6 +169,10 @@ Patch41:php-5.3.8-memory-corruption-parse_ini_string.patch Patch42:php-5.3.8-CVE-2012-0789.patch Patch43:php-5.3.8-CVE-2012-0830.patch +Patch44:php-5.3.8-CVE-2012-0807.patch +Patch45:php-5.3.8-CVE-2012-0057.patch +Patch46:php-5.3.8-CVE-2011-4153.patch +Patch47:php-5.3.8-CVE-2012-0831.patch Url:http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary:PHP5 Core Files 
@@ -1288,6 +1292,10 @@ %patch41 %patch42 %patch43 -p1 +%patch44 +%patch45 +%patch46 +%patch47 # Safety check for API version change. vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` if test x${vapi} != x%{apiver}; then ++ php-5.3.8-CVE-2011-4153.patch ++ http://svn.php.net/viewvc?view=revisionrevision=319442 http://svn.php.net/viewvc?view=revisionrevision=319453 #-0- Zend/zend_builtin_functions.c #-1- ext/soap/php_sdl.c #-2- ext/standard/syslog.c #-3- N/A for 5.3.8 #-4- N/A #-5- N/A #-6- ext/session/mod_files.c ext/standard/file.c Index: Zend/zend_builtin_functions.c === --- Zend/zend_builtin_functions.c.orig +++ Zend/zend_builtin_functions.c @@ -683,6 +683,9 @@ repeat: } c.flags = case_sensitive; /* non persistent */ c.name = zend_strndup(name, name_len); +if(c.name == NULL) { +RETURN_FALSE; +} c.name_len = name_len+1; c.module_number = PHP_USER_CONSTANT; if (zend_register_constant(c TSRMLS_CC) == SUCCESS) { Index: ext/standard/syslog.c === --- ext/standard/syslog.c.orig +++ ext/standard/syslog.c @@ -234,6 +234,9 @@ PHP_FUNCTION(openlog) free(BG(syslog_device)); } BG(syslog_device) = zend_strndup(ident, ident_len); + if(BG(syslog_device) == NULL) { + RETURN_FALSE; + } openlog(BG(syslog_device), option, facility); RETURN_TRUE; } Index: ext/soap/php_sdl.c === --- ext/soap/php_sdl.c.orig +++ ext/soap/php_sdl.c @@ -147,6 +147,10 @@ encodePtr get_encoder(sdlPtr sdl, const memcpy(new_enc, enc, sizeof(encode)); if (sdl-is_persistent) { new_enc-details.ns = zend_strndup(ns, ns_len); + if (new_enc-details.ns == NULL) { + efree(nscat); + return NULL; + } new_enc-details.type_str = strdup(new_enc-details.type_str); } else { new_enc-details.ns = estrndup(ns, ns_len); Index: ext/standard/file.c === --- ext/standard/file.c.orig +++ ext/standard/file.c 
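Review bot: In the Zend/zend_builtin_functions.c hunk, the new `RETURN_FALSE;` after a failed `zend_strndup()` leaves the function without releasing anything that was set up before `c.flags = case_sensitive;`. Those earlier lines are outside the hunk, so this needs checking against the full body: if `c.value` already holds a copied zval at that point, the branch should destroy it first, e.g. `zval_dtor(&c.value);` before `RETURN_FALSE;`. A short comment such as `/* zend_strndup() can return NULL on allocation failure */` above the check would record why it is there.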
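Review bot: In the ext/soap/php_sdl.c hunk, the new failure branch frees `nscat` but not `new_enc`, which the preceding `memcpy(new_enc, enc, sizeof(encode))` shows is already allocated, so the early `return NULL;` leaks it. The allocation itself is outside the hunk; assuming it was made with the persistence-aware allocator, the branch needs the matching release before returning, e.g. `pefree(new_enc, sdl->is_persistent);`. The `strdup(new_enc->details.type_str)` on the very next line can fail in the same way and is still unchecked, so the NULL-pointer problem this patch addresses remains open for `type_str`.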
@@ -2612,10 +2612,15 @@ PHP_FUNCTION(fnmatch) Returns directory path used for temporary files */ PHP_FUNCTION(sys_get_temp_dir) { + char *tmp_dir; if (zend_parse_parameters_none() == FAILURE) { return; } - RETURN_STRING((char *)php_get_temporary_directory(), 1); +tmp_dir = (char *)php_get_temporary_directory(); + if (tmp_dir == NULL) { + return; +} + RETURN_STRING(tmp_dir, 1); } /* }}} */ Index: ext/session/mod_files.c === ---
commit php5 for openSUSE:12.1:Update:Test
Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-02-03 17:05:21 Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) Package is php5, Maintainer is pgaj...@suse.com Changes: --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-01-30 20:40:47.0 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-02-03 17:05:23.0 +0100 @@ -1,0 +2,6 @@ +Fri Feb 3 08:13:16 UTC 2012 - pgaj...@suse.com + +- security update CVE-2012-0830 and other memory leaks + (fixes the fix of CVE-2011-4885) [bnc#744966] + +--- New: php-5.3.8-CVE-2012-0830.patch Other differences: -- ++ php5.spec ++ --- /var/tmp/diff_new_pack.RcXGOB/_old 2012-02-03 17:05:23.0 +0100 +++ /var/tmp/diff_new_pack.RcXGOB/_new 2012-02-03 17:05:23.0 +0100 @@ -15,6 +15,8 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # + + Name: php5 %global apiver 20090626 %global zendver 20090626 @@ -166,6 +168,7 @@ Patch40:php-5.3.8-CVE-2012-0788.patch Patch41:php-5.3.8-memory-corruption-parse_ini_string.patch Patch42:php-5.3.8-CVE-2012-0789.patch +Patch43:php-5.3.8-CVE-2012-0830.patch Url:http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary:PHP5 Core Files @@ -1284,6 +1287,7 @@ %patch40 %patch41 %patch42 +%patch43 -p1 # Safety check for API version change. vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` if test x${vapi} != x%{apiver}; then ++ php-5.3.8-CVE-2012-0830.patch ++ Index: php-5.3.8/main/php_variables.c === --- php-5.3.8.orig/main/php_variables.c +++ php-5.3.8/main/php_variables.c 
@@ -182,7 +182,13 @@ PHPAPI void php_register_variable_ex(cha if (!index) { MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); - zend_hash_next_index_insert(symtable1, gpc_element, sizeof(zval *), (void **) gpc_element_p); +if (zend_hash_next_index_insert(symtable1, gpc_element, sizeof(zval *), (void **) gpc_element_p) == FAILURE) { +zval_ptr_dtor(gpc_element); +zval_dtor(val); +efree(var_orig); +return; +} + } else { if (PG(magic_quotes_gpc)) { escaped_index = php_addslashes(index, index_len, index_len, 0 TSRMLS_CC); @@ -197,6 +203,13 @@ PHPAPI void php_register_variable_ex(cha MAKE_STD_ZVAL(gpc_element); array_init(gpc_element); zend_symtable_update(symtable1, escaped_index, index_len + 1, gpc_element, sizeof(zval *), (void **) gpc_element_p); + } else { + if (index != escaped_index) { + efree(escaped_index); + } + zval_dtor(val); + efree(var_orig); + return; } if (index != escaped_index) { efree(escaped_index); @@ -221,7 +234,9 @@ plain_var: gpc_element-value = val-value; Z_TYPE_P(gpc_element) = Z_TYPE_P(val); if (!index) { - zend_hash_next_index_insert(symtable1, gpc_element, sizeof(zval *), (void **) gpc_element_p); +if (zend_hash_next_index_insert(symtable1, gpc_element, sizeof(zval *), (void **) gpc_element_p) == FAILURE) { +zval_ptr_dtor(gpc_element); +} } else { if (PG(magic_quotes_gpc)) { escaped_index = php_addslashes(index, index_len, index_len, 0 TSRMLS_CC); -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
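Review bot: In the second hunk (`@@ -197,6 +203,13 @@`) the added `} else {` pairs with whichever `if` encloses the `zend_symtable_update()` call, and that `if` opens outside the hunk. If it is the `zend_symtable_find(...) == FAILURE || Z_TYPE_PP(gpc_element_p) != IS_ARRAY` test rather than a `max_input_vars` limit test, the new branch returns whenever the parent array already exists, so the second and later elements of any nested input array would be dropped. The bail-out should hang off an explicit limit check wrapped around the three creation lines (`MAKE_STD_ZVAL`, `array_init`, `zend_symtable_update`), with the cleanup and `return` as that check's `else`. A comment such as `/* limit reached: no element was created, do not fall through */` on the branch would record why the return is required.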
commit php5 for openSUSE:12.1:Update:Test
Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-01-30 20:40:45 Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) Package is php5, Maintainer is pgaj...@suse.com Changes: --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-01-20 19:08:10.0 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-01-30 20:40:47.0 +0100 @@ -1,0 +2,9 @@ +Tue Jan 24 09:18:43 UTC 2012 - pgaj...@suse.com + +- security update: + * CVE-2012-0781 [bnc#742273] + * CVE-2012-0788 [bnc#742806] + * memory corruption in parse_ini_string() [bnc#742806] + * CVE-2012-0789 [bnc#742806] + +--- New: php-5.3.8-CVE-2012-0781.patch php-5.3.8-CVE-2012-0788.patch php-5.3.8-CVE-2012-0789.patch php-5.3.8-memory-corruption-parse_ini_string.patch Other differences: -- ++ php5.spec ++ --- /var/tmp/diff_new_pack.QBW3MA/_old 2012-01-30 20:40:48.0 +0100 +++ /var/tmp/diff_new_pack.QBW3MA/_new 2012-01-30 20:40:48.0 +0100 @@ -162,6 +162,10 @@ Patch36:php-5.3.8-CVE-2011-4566.patch Patch37:php-5.3.8-CVE-2011-1466.patch Patch38:php-5.3.8-CVE-2011-4885.patch +Patch39:php-5.3.8-CVE-2012-0781.patch +Patch40:php-5.3.8-CVE-2012-0788.patch +Patch41:php-5.3.8-memory-corruption-parse_ini_string.patch +Patch42:php-5.3.8-CVE-2012-0789.patch Url:http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary:PHP5 Core Files @@ -1276,6 +1280,10 @@ %patch36 %patch37 %patch38 +%patch39 +%patch40 +%patch41 +%patch42 # Safety check for API version change. vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` if test x${vapi} != x%{apiver}; then ++ php-5.3.8-CVE-2011-1466.patch ++ --- /var/tmp/diff_new_pack.QBW3MA/_old 2012-01-30 20:40:48.0 +0100 +++ /var/tmp/diff_new_pack.QBW3MA/_new 2012-01-30 20:40:48.0 +0100 
@@ -39,10 +39,11 @@ /* Calculate the century (year/100). */ century = temp / DAYS_PER_400_YEARS; -@@ -190,6 +182,10 @@ void SdnToGregorian( +@@ -190,6 +182,11 @@ void SdnToGregorian( *pYear = year; *pMonth = month; *pDay = day; ++ return; +fail: + *pYear = 0; + *pMonth = 0; ++ php-5.3.8-CVE-2012-0781.patch ++ http://svn.php.net/viewvc?view=revisionrevision=319254 --- ext/tidy/tidy.c 2011/11/15 14:20:13 319253 +++ ext/tidy/tidy.c 2011/11/15 15:16:20 319254 @@ -1288,7 +1288,7 @@ { TIDY_FETCH_OBJECT; - if (tidyRunDiagnostics(obj-ptdoc-doc) = 0) { + if (tidyStatus(obj-ptdoc-doc) != 0 tidyRunDiagnostics(obj-ptdoc-doc) = 0) { tidy_doc_update_properties(obj TSRMLS_CC); RETURN_TRUE; } ++ php-5.3.8-CVE-2012-0788.patch ++ http://svn.php.net/viewvc/?view=revisionamp;revision=317272 --- ext/pdo/pdo_stmt.c 2011/09/25 12:14:09 317271 +++ ext/pdo/pdo_stmt.c 2011/09/25 12:39:05 317272 @@ -2351,6 +2351,7 @@ } zend_object_handlers pdo_dbstmt_object_handlers; +static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC); void pdo_stmt_init(TSRMLS_D) { @@ -2374,6 +2375,7 @@ pdo_row_ce = zend_register_internal_class(ce TSRMLS_CC); pdo_row_ce-ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */ pdo_row_ce-create_object = pdo_row_new; + pdo_row_ce-serialize = pdo_row_serialize; } static void free_statement(pdo_stmt_t *stmt TSRMLS_DC) 
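Review bot: In the ext/pdo/pdo_stmt.c hunk at `@@ -2374,6 +2375,7 @@`, only the `serialize` handler of `pdo_row_ce` is overridden; nothing visible in this patch rejects the opposite direction. If PDORow objects must not be rebuilt from a serialized string either, set the matching handler next to it, e.g. `pdo_row_ce->unserialize = zend_class_unserialize_deny;`, assuming that helper is available in this branch. A one-line comment above the assignment saying that PDORow serialization is refused on purpose would help the next reader; pdo_stmt_init's body starts outside the hunk.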
@@ -2796,6 +2798,12 @@ retval.handlers = pdo_row_object_handlers; return retval; +} + +static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC) +{ + php_error_docref(NULL TSRMLS_CC, E_WARNING, PDORow instances may not be serialized); + return FAILURE; } /* }}} */ ++ php-5.3.8-CVE-2012-0789.patch ++ http://svn.php.net/viewvc/?view=revisionamp;revision=320481 Modified: ext/date/lib/parse_date.re === Index: ext/date/lib/parse_date.re === --- ext/date/lib/parse_date.re.orig +++ ext/date/lib/parse_date.re @@ -775,7 +775,7 @@ static long timelib_lookup_zone(char **p return value; } -static long timelib_get_zone(char **ptr, int *dst, timelib_time *t, int *tz_not_found, const timelib_tzdb *tzdb) +static long timelib_get_zone(char **ptr,
commit php5 for openSUSE:12.1:Update:Test
Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-01-20 19:08:09 Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) Package is php5, Maintainer is pgaj...@suse.com Changes: --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-01-05 17:06:41.0 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-01-20 19:08:10.0 +0100 @@ -11 +11,2 @@ -- apache module conflicts with apache2-worker [bnc#728671] +- amend README.SUSE to discourage using apache module with + apache2-worker [bnc#728671] Other differences: -- ++ php5.spec ++ 712 lines (skipped) between /work/SRC/openSUSE:12.1:Update:Test/php5/php5.spec and /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.spec ++ php-suse-addons.tar.bz2 ++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/php-suse-addons/README.SUSE new/php-suse-addons/README.SUSE --- old/php-suse-addons/README.SUSE 2005-02-09 15:40:33.0 +0100 +++ new/php-suse-addons/README.SUSE 2012-01-18 10:01:25.0 +0100 @@ -41,6 +41,11 @@ Enabling/disabling the PHP5 module for Apache = + - PHP.net does not recommend to use PHP with Apache Worker, as some of the + libraries PHP relies on are not thread safe; see +http://php.net/manual/en/install.unix.apache2.php + http://www.php.net/manual/en/faq.installation.php#faq.installation.apache2 + for details - in /etc/sysconfig/apache2, add php5 to APACHE_MODULES, or remove it to disable - possibly include /etc/apache2/conf.d/mod_php5.conf in individual virtual -- To unsubscribe, e-mail: opensuse-commit+unsubscr...@opensuse.org For additional commands, e-mail: opensuse-commit+h...@opensuse.org
commit php5 for openSUSE:12.1:Update:Test
Hello community, here is the log from the commit of package php5 for openSUSE:12.1:Update:Test checked in at 2012-01-05 17:06:35 Comparing /work/SRC/openSUSE:12.1:Update:Test/php5 (Old) and /work/SRC/openSUSE:12.1:Update:Test/.php5.new (New) Package is php5, Maintainer is pgaj...@suse.com Changes: --- /work/SRC/openSUSE:12.1:Update:Test/php5/php5.changes 2012-01-05 17:06:40.0 +0100 +++ /work/SRC/openSUSE:12.1:Update:Test/.php5.new/php5.changes 2012-01-05 17:06:41.0 +0100 @@ -1,0 +2,19 @@ +Mon Jan 2 14:36:39 UTC 2012 - pgaj...@suse.com + +- security update: + * CVE-2011-4885 [bnc#738221] -- added max_input_vars directive +to prevent attacks based on hash collisions + +--- +Tue Dec 20 12:58:50 UTC 2011 - pgaj...@suse.com + +- apache module conflicts with apache2-worker [bnc#728671] + +--- +Fri Dec 9 11:35:56 UTC 2011 - pgaj...@suse.com + +- security update: + * CVE-2011-4566 [bnc#733590] + * CVE-2011-1466 [bnc#736169] + +--- New: php-5.3.8-CVE-2011-1466.patch php-5.3.8-CVE-2011-4566.patch php-5.3.8-CVE-2011-4885.patch Other differences: -- ++ php5.spec ++ --- /var/tmp/diff_new_pack.00es7w/_old 2012-01-05 17:06:41.0 +0100 +++ /var/tmp/diff_new_pack.00es7w/_new 2012-01-05 17:06:41.0 +0100 @@ -1,7 +1,7 @@ # # spec file for package php5 # -# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2012 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -137,6 +137,9 @@ %endif Patch34:php5-2g-crash.patch Patch35:php-5.3.8-CVE-2011-3379.patch +Patch36:php-5.3.8-CVE-2011-4566.patch +Patch37:php-5.3.8-CVE-2011-1466.patch +Patch38:php-5.3.8-CVE-2011-4885.patch Url:http://www.php.net BuildRoot: %{_tmppath}/%{name}-%{version}-build Summary:PHP5 Core Files 
@@ -219,6 +222,7 @@ Requires: apache2-prefork %{apache2_mmn} %{name} = %{version} PreReq: apache2 Conflicts: apache2-mod_php4 +Conflicts: apache2-worker Provides: mod_php_any php-xml php-spl php-simplexml php-session php-pcre php-date php-reflection php-filter %description -n apache2-mod_php5 @@ -1246,6 +1250,9 @@ %endif %patch34 %patch35 +%patch36 +%patch37 +%patch38 # Safety check for API version change. vapi=`sed -n '/#define PHP_API_VERSION/{s/.* //;p}' main/php.h` if test x${vapi} != x%{apiver}; then ++ php-5.3.8-CVE-2011-1466.patch ++ http://svn.php.net/viewvc/?view=revisionamp;revision=306475 http://svn.php.net/viewvc/?view=revisionamp;revision=317360 http://svn.php.net/viewvc/?view=revisionamp;revision=317387 Index: ext/calendar/gregor.c === --- ext/calendar/gregor.c.orig +++ ext/calendar/gregor.c @@ -127,6 +127,7 @@ **/ #include sdncal.h +#include limits.h #define GREGOR_SDN_OFFSET 32045 #define DAYS_PER_5_MONTHS 153 @@ -146,21 +147,12 @@ void SdnToGregorian( long int temp; int dayOfYear; - if (sdn = 0) { - *pYear = 0; - *pMonth = 0; - *pDay = 0; - return; + if (sdn = 0 || + sdn (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) { + goto fail; } temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1; - if (temp 0) { - *pYear = 0; - *pMonth = 0; - *pDay = 0; - return; - } - /* Calculate the century (year/100). */ century = temp / DAYS_PER_400_YEARS; @@ -190,6 +182,10 @@ void SdnToGregorian( *pYear = year; *pMonth = month; *pDay = day; +fail: + *pYear = 0; + *pMonth = 0; + *pDay = 0; } long int GregorianToSdn( ++ php-5.3.8-CVE-2011-4566.patch ++ http://svn.php.net/viewvc/?view=revisionamp;revision=319535 --- ext/exif/exif.c 2011/11/19 04:41:03 319534 +++ ext/exif/exif.c 2011/11/19 04:49:36 319535 @@ -2874,11 +2874,11 @@ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo-motorola_intel); /* If its bigger than 4 bytes, the dir entry contains an offset. */ value_ptr = offset_base+offset_val; - if (offset_val+byte_count IFDlength || value_ptr dir_entry) { +
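Review bot: In the `@@ -190,6 +182,10 @@` hunk of ext/calendar/gregor.c, the `fail:` label is placed directly after `*pDay = day;` with no `return;` in between, so the success path falls through and overwrites the computed year, month and day with 0. Add `return;` after `*pDay = day;` so that only the `goto fail` paths reach the zeroing code. SdnToGregorian's body starts outside this hunk.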