Subject: Fixed bug #54193 (Integer overflow in shmop_read())
Origin: http://svn.php.net/viewvc/?view=revision&revision=309018

CVE-2011-1092

Patch differs from upstream commit in that the change to the NEWS file
was removed to reduce conflicts.

--- a/ext/shmop/shmop.c
+++ b/ext/shmop/shmop.c
@@ -256,7 +256,7 @@ PHP_FUNCTION(shmop_read)
 		RETURN_FALSE;
 	}
 
-	if (start + count > shmop->size || count < 0) {
+	if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
 		RETURN_FALSE;
 	}