File: 119-CVE-2007-1889-MOPB-44.patch

php5 5.2.0%2Bdfsg-8%2Betch16
Index: php5-5.2.0/Zend/zend_alloc.c
===================================================================
--- php5-5.2.0.orig/Zend/zend_alloc.c	2007-04-22 19:57:23.000000000 +0200
+++ php5-5.2.0/Zend/zend_alloc.c	2007-04-22 20:47:08.000000000 +0200
@@ -383,11 +383,11 @@
 #define ZEND_MM_ALIGNED_MIN_HEADER_SIZE		(sizeof(zend_mm_block)+END_MAGIC_SIZE>sizeof(zend_mm_free_block)?ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_block)+END_MAGIC_SIZE):ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_free_block)))
 #define ZEND_MM_ALIGNED_SEGMENT_SIZE		ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_segment))
 
-#define ZEND_MM_MIN_SIZE					(ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE))
+#define ZEND_MM_MIN_SIZE					((ZEND_MM_ALIGNED_MIN_HEADER_SIZE>(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE))?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)):0)
 
 #define ZEND_MM_MAX_SMALL_SIZE				(((ZEND_MM_NUM_BUCKETS-1)<<ZEND_MM_ALIGNMENT_LOG2)+ZEND_MM_ALIGNED_MIN_HEADER_SIZE)
 
-#define ZEND_MM_TRUE_SIZE(size)				(((long)size<(long)ZEND_MM_MIN_SIZE)?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE):(ZEND_MM_ALIGNED_SIZE(size+ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)))
+#define ZEND_MM_TRUE_SIZE(size)				((size<ZEND_MM_MIN_SIZE)?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE):(ZEND_MM_ALIGNED_SIZE(size+ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)))
 
 #define ZEND_MM_BUCKET_INDEX(true_size)		((true_size>>ZEND_MM_ALIGNMENT_LOG2)-(ZEND_MM_ALIGNED_MIN_HEADER_SIZE>>ZEND_MM_ALIGNMENT_LOG2)+1)
 
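Review bot: `ZEND_MM_TRUE_SIZE(size)` still wraps silently for a request near the top of the size range, because `size+ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE` is summed and aligned with no bound; the macro is only safe where the caller then tests `true_size < size`, as two later hunks do. Any other use of the macro in zend_alloc.c lies outside this patch and should be checked for the same guard. A comment above the define such as `/* result may wrap for huge sizes; callers must reject true_size < size */` would record that contract. The argument is also unparenthesized, so `((size)<ZEND_MM_MIN_SIZE)` and `(size)+ZEND_MM_ALIGNED_HEADER_SIZE` would be the safer spelling.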
@@ -1086,6 +1086,9 @@
 	zend_mm_free_block *p, *end, *best_fit = NULL;
 	size_t true_size = ZEND_MM_TRUE_SIZE(size);
 
+	if (true_size < size) {
+		goto out_of_memory;
+	}
 	if (ZEND_MM_SMALL_SIZE(true_size)) {
 		size_t index = ZEND_MM_BUCKET_INDEX(true_size);
 		unsigned int bitmap;
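Review bot: The new `if (true_size < size)` check carries no comment saying that it detects wrap-around in ZEND_MM_TRUE_SIZE, and its `goto out_of_memory` jumps forward into the middle of a nested failure block (the label added in the `@@ -1212` hunk sits after `zend_mm_free_cache(heap)` and `HANDLE_UNBLOCK_INTERRUPTIONS()`). That is valid C and skipping the unblock looks intended, presumably because interruptions are not yet blocked at this point, but nothing in the hunk states it. I would add `/* ZEND_MM_TRUE_SIZE() wrapped around: request too large to represent */` above the check, here and at the identical check in the `@@ -1394` hunk, plus a short comment at the label naming both entry paths. The enclosing function starts and ends outside the hunk.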
@@ -1181,7 +1184,7 @@
 		size_t remaining_size;
 		zend_mm_segment *segment;
 
-		if (true_size + ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE > heap->block_size) {
+		if (true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)) {
 			/* Make sure we add a memory block which is big enough,
 			   segment must have header "size" and trailer "guard" block */
 			segment_size = true_size + ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE;
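Review bot: The rewritten condition `true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)` moves the wrap risk to the right-hand side: if `heap->block_size` can ever be smaller than the two headers, the subtraction underflows to a huge value and the large-segment branch is never taken. Whether block_size has an enforced minimum is not visible in this hunk, so either that invariant should be stated in a comment or the condition should first test `heap->block_size < ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE`. The same applies to the `realloc_segment` condition in the `@@ -1477` hunk. The unchanged assignment on the last line still performs the wrapping addition, so it depends entirely on the later `segment_size < true_size` test.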
@@ -1192,7 +1195,8 @@
 
 
 #if MEMORY_LIMIT
-		if (heap->real_size + segment_size > heap->limit) {
+		if (segment_size < true_size || 
+		    heap->real_size + segment_size > heap->limit) {
 			/* Memory limit overflow */
 #if ZEND_DEBUG
 			zend_mm_safe_error(heap, "Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes)", heap->limit, __zend_filename, __zend_lineno, size);
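Review bot: The `segment_size < true_size` wrap test is placed inside `#if MEMORY_LIMIT`, so a build compiled without MEMORY_LIMIT gets no check on a wrapped `segment_size` before it is used. The test should be hoisted above the `#if` as its own `if (segment_size < true_size)` branch, with the same unblock-and-report handling the failure paths use; the interruption state at this point is not visible in the hunk. The realloc path in the `@@ -1486` hunk has the same placement. Separately, `heap->real_size + segment_size` can itself wrap for a large but unwrapped segment_size; `segment_size > heap->limit - heap->real_size` avoids that, provided real_size never exceeds limit.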
@@ -1212,6 +1216,7 @@
 			zend_mm_free_cache(heap);
 #endif
 			HANDLE_UNBLOCK_INTERRUPTIONS();
+out_of_memory:
 #if ZEND_DEBUG
 			zend_mm_safe_error(heap, "Out of memory (allocated %d) at %s:%d (tried to allocate %d bytes)", heap->real_size, __zend_filename, __zend_lineno, size);
 #else
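Review bot: With the new `out_of_memory:` label this debug message is now reached for requests whose size wrapped, and it formats `heap->real_size` and `size` with `%d`. If those are size_t, as `true_size` is, the reported value will be truncated or negative on exactly the inputs this patch targets. A width-correct conversion, or a cast matching the specifier, would keep the log usable for triage; which conversions zend_mm_safe_error accepts is not visible here. The same message follows the label in the `@@ -1499` hunk, and this hunk ends at `#else`, so the non-debug branch could not be reviewed.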
@@ -1394,6 +1399,10 @@
 	}
 #endif
 	
+	if (true_size < size) {
+		goto out_of_memory;
+	}
+
 	if (true_size <= ZEND_MM_BLOCK_SIZE(mm_block)) {
 		size_t remaining_size = ZEND_MM_BLOCK_SIZE(mm_block) - true_size;
 
@@ -1477,7 +1486,7 @@
 		HANDLE_BLOCK_INTERRUPTIONS();
 realloc_segment:
 		/* segment size, size of block and size of guard block */
-		if (true_size+ZEND_MM_ALIGNED_SEGMENT_SIZE+ZEND_MM_ALIGNED_HEADER_SIZE > heap->block_size) {
+		if (true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)) {
 			segment_size = true_size+ZEND_MM_ALIGNED_SEGMENT_SIZE+ZEND_MM_ALIGNED_HEADER_SIZE;
 			segment_size = ((segment_size + (heap->block_size-1)) / heap->block_size) * heap->block_size;
 		} else {
@@ -1486,7 +1495,8 @@
 
 		segment_copy = (zend_mm_segment *) ((char *)mm_block - ZEND_MM_ALIGNED_SEGMENT_SIZE);
 #if MEMORY_LIMIT
-		if (heap->real_size + segment_size - segment_copy->size > heap->limit) {
+		if (segment_size < true_size ||
+		    heap->real_size + segment_size - segment_copy->size > heap->limit) {
 			HANDLE_UNBLOCK_INTERRUPTIONS();
 #if ZEND_DEBUG
 			zend_mm_safe_error(heap, "Allowed memory size of %d bytes exhausted at %s:%d (tried to allocate %d bytes)", heap->limit, __zend_filename, __zend_lineno, size);
@@ -1499,6 +1509,7 @@
 		segment = ZEND_MM_STORAGE_REALLOC(segment_copy, segment_size);
 		if (!segment) {
 			HANDLE_UNBLOCK_INTERRUPTIONS();
+out_of_memory:
 #if ZEND_DEBUG
 			zend_mm_safe_error(heap, "Out of memory (allocated %d) at %s:%d (tried to allocate %d bytes)", heap->real_size, __zend_filename, __zend_lineno, size);
 #else