Sean Finney
2007-Apr-22 18:52 UTC
[Secure-testing-commits] r5703 - in data: . patches/MOPB
Author: seanius
Date: 2007-04-22 18:52:49 +0000 (Sun, 22 Apr 2007)
New Revision: 5703
Added:
data/patches/MOPB/MOPB-44-php5.diff
Modified:
data/mopb.txt
Log:
applied php5 patches for everything but 18,19,and 23
Modified: data/mopb.txt
==================================================================
--- data/mopb.txt 2007-04-22 17:06:25 UTC (rev 5702)
+++ data/mopb.txt 2007-04-22 18:52:49 UTC (rev 5703)
@@ -182,7 +182,7 @@
 34 / t
 32 T T
 30 / /
-26 / /
+26 a a
 22 t t
 10 T T <- seemed already fixed but this completes the patch
 04 T T
@@ -197,24 +197,24 @@
 # PHP5 checklist....
 MOPB Etch, Unstable Dapper, Edgy, Feisty PATCH
-10 X X X X X *
-14 X X X X X *
-15 i i X X X *
-16 X X - - -
-17 X X - - -
+10 p p[3] X X X *
+14 X T X X X *
+15 i T X X X *
+16 p p - - -
+17 - - - - -
 18 X X - - -
 19 X X - - -
-22 X X X X X *
+22 X T X X X *
 23 X X X X X ?
 24 i i X X X *
-26 X X X X X ?
+26 X T X X X ?
 29 - - - - X *
-30 X X X X X ?
-34 X X X X X *
-41 X X X X X [1] !
-42 X X X X - *
-44 X X - - -
-45 X X - - X [2] !
+30 - a[4] X X X ?
+34 X a X X X *
+41 X a X X X [1] !
+42 X a X X - *
+44 X a - - -
+45 X a - - X [2] !
 * = patch extracted from upstream
 ? = no upstream patch found
@@ -222,6 +222,7 @@
 X = fixed desired
 a = patch applied
+p = previously fixed
 T = code tested
 - = fix n/a
 i = fix skipped
@@ -230,4 +231,6 @@
 to be changed.
 For references, here is the upstream "fix":
 http://cvs.php.net/viewvc.cgi/php-src/ext/sqlite/libsqlite/src/encode.c?r1=1.5.4.1&r2=1.5.4.1.2.1&pathrev=PHP_5_2
 [2] this needs a CVE assigned
+[3] previously fixed, but the patch adds another check we should have too.
+[4] could not reproduce this problem
Added: data/patches/MOPB/MOPB-44-php5.diff
==================================================================
--- data/patches/MOPB/MOPB-44-php5.diff 2007-04-22 17:06:25 UTC (rev 5702)
+++ data/patches/MOPB/MOPB-44-php5.diff 2007-04-22 18:52:49 UTC (rev 5703)
@@ -0,0 +1,91 @@
+--- old/Zend/zend_alloc.c 2006/12/20 10:49:32 1.144.2.3.2.27
++++ new/Zend/zend_alloc.c 2006/12/25 12:16:33 1.144.2.3.2.28
+@@ -454,11 +454,11 @@
+ #define ZEND_MM_ALIGNED_MIN_HEADER_SIZE (ZEND_MM_MIN_ALLOC_BLOCK_SIZE>ZEND_MM_ALIGNED_FREE_HEADER_SIZE?ZEND_MM_MIN_ALLOC_BLOCK_SIZE:ZEND_MM_ALIGNED_FREE_HEADER_SIZE)
+ #define ZEND_MM_ALIGNED_SEGMENT_SIZE ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_segment))
+ 
+-#define ZEND_MM_MIN_SIZE (ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE))
++#define ZEND_MM_MIN_SIZE ((ZEND_MM_ALIGNED_MIN_HEADER_SIZE>(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE))?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)):0)
+ 
+ #define ZEND_MM_MAX_SMALL_SIZE (((ZEND_MM_NUM_BUCKETS-1)<<ZEND_MM_ALIGNMENT_LOG2)+ZEND_MM_ALIGNED_MIN_HEADER_SIZE)
+ 
+-#define ZEND_MM_TRUE_SIZE(size) (((long)size<(long)ZEND_MM_MIN_SIZE)?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE):(ZEND_MM_ALIGNED_SIZE(size+ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)))
++#define ZEND_MM_TRUE_SIZE(size) ((size<ZEND_MM_MIN_SIZE)?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE):(ZEND_MM_ALIGNED_SIZE(size+ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)))
+ 
+ #define ZEND_MM_BUCKET_INDEX(true_size) ((true_size>>ZEND_MM_ALIGNMENT_LOG2)-(ZEND_MM_ALIGNED_MIN_HEADER_SIZE>>ZEND_MM_ALIGNMENT_LOG2)+1)
+ 
+@@ -1332,6 +1332,9 @@
+ zend_mm_free_block *p, *end, *best_fit = NULL;
+ size_t true_size = ZEND_MM_TRUE_SIZE(size);
+ 
++ if (true_size < size) {
++ goto out_of_memory;
++ }
+ if (ZEND_MM_SMALL_SIZE(true_size)) {
+ size_t index = ZEND_MM_BUCKET_INDEX(true_size);
+ unsigned int bitmap;
+@@ -1422,7 +1425,7 @@
+ size_t remaining_size;
+ zend_mm_segment *segment;
+ 
+- if (true_size + ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE > heap->block_size) {
++ if (true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)) {
+ /* Make sure we add a memory block which is big enough,
+ segment must have header "size" and trailer "guard" block */
+ segment_size = true_size + ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE;
+@@ -1433,7 +1436,8 @@
+ 
+ HANDLE_BLOCK_INTERRUPTIONS();
+ 
+- if (heap->real_size + segment_size > heap->limit) {
++ if (segment_size < true_size ||
++ heap->real_size + segment_size > heap->limit) {
+ /* Memory limit overflow */
+ #if ZEND_MM_CACHE
+ zend_mm_free_cache(heap);
+@@ -1454,6 +1458,7 @@
+ zend_mm_free_cache(heap);
+ #endif
+ HANDLE_UNBLOCK_INTERRUPTIONS();
++out_of_memory:
+ #if ZEND_DEBUG
+ zend_mm_safe_error(heap, "Out of memory (allocated %d) at %s:%d (tried to allocate %d bytes)", heap->real_size, __zend_filename, __zend_lineno, size);
+ #else
+@@ -1617,6 +1622,10 @@
+ orig_size = ZEND_MM_BLOCK_SIZE(mm_block);
+ ZEND_MM_CHECK_PROTECTION(mm_block);
+ 
++ if (true_size < size) {
++ goto out_of_memory;
++ }
++
+ if (true_size <= orig_size) {
+ size_t remaining_size = orig_size - true_size;
+ 
+@@ -1694,7 +1703,7 @@
+ HANDLE_BLOCK_INTERRUPTIONS();
+ realloc_segment:
+ /* segment size, size of block and size of guard block */
+- if (true_size+ZEND_MM_ALIGNED_SEGMENT_SIZE+ZEND_MM_ALIGNED_HEADER_SIZE > heap->block_size) {
++ if (true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)) {
+ segment_size = true_size+ZEND_MM_ALIGNED_SEGMENT_SIZE+ZEND_MM_ALIGNED_HEADER_SIZE;
+ segment_size = ((segment_size + (heap->block_size-1)) / heap->block_size) * heap->block_size;
+ } else {
+@@ -1702,7 +1711,8 @@
+ }
+ 
+ segment_copy = (zend_mm_segment *) ((char *)mm_block - ZEND_MM_ALIGNED_SEGMENT_SIZE);
+- if (heap->real_size + segment_size - segment_copy->size > heap->limit) {
++ if (segment_size < true_size ||
++ heap->real_size + segment_size - segment_copy->size > heap->limit) {
+ #if ZEND_MM_CACHE
+ zend_mm_free_cache(heap);
+ #endif
+@@ -1721,6 +1731,7 @@
+ zend_mm_free_cache(heap);
+ #endif
+ HANDLE_UNBLOCK_INTERRUPTIONS();
++out_of_memory:
+ #if ZEND_DEBUG
+ zend_mm_safe_error(heap, "Out of memory (allocated %d) at %s:%d (tried to allocate %d bytes)", heap->real_size, __zend_filename, __zend_lineno, size);
+ #else
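Review bot: The new `if (true_size < size) { goto out_of_memory; }` guards in the inner hunks @@ -1332 and @@ -1617 carry no comment saying what they detect, and the `out_of_memory:` labels they jump to (inner hunks @@ -1454 and @@ -1721) are otherwise reached only after `HANDLE_UNBLOCK_INTERRUPTIONS()`; as far as these hunks show, both guards run before the matching `HANDLE_BLOCK_INTERRUPTIONS()`, so the block/unblock pairing stays balanced, but that invariant is worth writing down. Suggested comment at each guard: `/* size + ZEND_MM_ALIGNED_HEADER_SIZE + END_MAGIC_SIZE wrapped inside ZEND_MM_TRUE_SIZE(); refuse instead of handing out an undersized block */`, and at each label: `/* reached after the limit check above (interruptions already unblocked) and directly from the overflow guard (never blocked) */`. The rewritten bound `true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)` in inner hunks @@ -1422 and @@ -1694 removes the overflowing addition but wraps the other way if `heap->block_size` is ever smaller than the two header sizes, which nothing in these hunks rules out; confirm that where block_size is set, or assert it there. The enclosing functions begin and end outside every hunk shown, and the outer hunk itself continues past the end of this page.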