[oe-commits] [meta-openembedded] 10/10: php: fix CVE-2017-9120
git at git.openembedded.org
git at git.openembedded.org
Tue Aug 21 17:40:52 UTC 2018
This is an automated email from the git hooks/post-receive script.
khem pushed a commit to branch master-next
in repository meta-openembedded.
commit 0d59551c9515e1dafea2af84a77246f06f8b50c3
Author: Changqing Li <changqing.li at windriver.com>
AuthorDate: Tue Aug 21 14:01:20 2018 +0800
php: fix CVE-2017-9120
Signed-off-by: Changqing Li <changqing.li at windriver.com>
Signed-off-by: Khem Raj <raj.khem at gmail.com>
---
.../recipes-devtools/php/php/CVE-2017-9120.patch | 21 +++++++++++++++++++++
meta-oe/recipes-devtools/php/php_7.2.8.bb | 1 +
2 files changed, 22 insertions(+)
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2017-9120.patch b/meta-oe/recipes-devtools/php/php/CVE-2017-9120.patch
new file mode 100644
index 0000000..728f25b
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2017-9120.patch
@@ -0,0 +1,21 @@
+php: patch for CVE-2017-9120
+
+Upstream-Status: Backport [https://bugs.php.net/bug.php?id=74544]
+
+CVE: CVE-2017-9120
+
+Signed-off-by: Changqing Li <changqing.li at windriver.com>
+
+diff --git a/ext/mysqli/mysqli_api.c b/ext/mysqli/mysqli_api.c
+index 03a39d7..7b88731 100644
+--- a/ext/mysqli/mysqli_api.c
++++ b/ext/mysqli/mysqli_api.c
+@@ -1965,7 +1965,7 @@ PHP_FUNCTION(mysqli_real_escape_string) {
+ }
+ MYSQLI_FETCH_RESOURCE_CONN(mysql, mysql_link, MYSQLI_STATUS_VALID);
+
+- newstr = zend_string_alloc(2 * escapestr_len, 0);
++ newstr = zend_string_safe_alloc(2, escapestr_len, 0, 0);
+ ZSTR_LEN(newstr) = mysql_real_escape_string(mysql->mysql, ZSTR_VAL(newstr), escapestr, escapestr_len);
+ newstr = zend_string_truncate(newstr, ZSTR_LEN(newstr), 0);
+
diff --git a/meta-oe/recipes-devtools/php/php_7.2.8.bb b/meta-oe/recipes-devtools/php/php_7.2.8.bb
index e8cb7fd..2a7937e 100644
--- a/meta-oe/recipes-devtools/php/php_7.2.8.bb
+++ b/meta-oe/recipes-devtools/php/php_7.2.8.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=67e369bc8d1f2e641236b8002039a6a2"
SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
file://0001-acinclude.m4-skip-binconfig-check-for-libxml.patch \
file://0001-fix-error-caused-by-a-new-variable-is-declared-after.patch \
+ file://CVE-2017-9120.patch \
"
SRC_URI_append_class-target = " \
file://pear-makefile.patch \
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Openembedded-commits
mailing list