[Pkg-php-commits] [php/debian-squeeze] Fix a NULL pointer dereference in grapheme_extract function (CVE-2011-0420)

Ondřej Surý ondrej at sury.org
Sat May 14 09:35:41 UTC 2011


---
 debian/patches/CVE-2011-0420.patch |   31 +++++++++++++++++++++++++++++++
 debian/patches/series              |    1 +
 2 files changed, 32 insertions(+), 0 deletions(-)
 create mode 100644 debian/patches/CVE-2011-0420.patch

diff --git a/debian/patches/CVE-2011-0420.patch b/debian/patches/CVE-2011-0420.patch
new file mode 100644
index 0000000..de7c46a
--- /dev/null
+++ b/debian/patches/CVE-2011-0420.patch
@@ -0,0 +1,31 @@
+--- a/ext/intl/grapheme/grapheme_string.c
++++ b/ext/intl/grapheme/grapheme_string.c
+@@ -799,7 +799,7 @@ PHP_FUNCTION(grapheme_extract)
+ 
+ 	if ( NULL != next ) {
+ 		if ( !PZVAL_IS_REF(next) ) {
+-			intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,
++			intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, 
+ 				 "grapheme_extract: 'next' was not passed by reference", 0 TSRMLS_CC );
+ 			 
+ 			RETURN_FALSE;
+@@ -819,11 +819,17 @@ PHP_FUNCTION(grapheme_extract)
+ 	}
+ 
+ 	if ( lstart > INT32_MAX || lstart < 0 || lstart >= str_len ) {
++		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: start not contained in string", 0 TSRMLS_CC );
++		RETURN_FALSE;
++	}
+ 
+-		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: start not contained in string", 1 TSRMLS_CC );
+-
++	if ( size > INT32_MAX || size < 0) {
++		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "grapheme_extract: size is invalid", 0 TSRMLS_CC );
+ 		RETURN_FALSE;
+ 	}
++	if (size == 0) {
++		RETURN_EMPTY_STRING();
++	}
+ 
+ 	/* we checked that it will fit: */
+ 	start = (int32_t) lstart;
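Review bot: The patch file starts directly at the `---` line with no header, so the package does not record which upstream change this backport was taken from, or that the new `size` range check is presumably the part that addresses the crash named in the commit title. A DEP-3 header at the top would cover it, for example `Description: reject negative or oversized size in grapheme_extract (CVE-2011-0420)` and `Origin: upstream, <upstream commit URL>`. The first inner hunk (around line 799) only adds a trailing space to the `intl_error_set(` line and could be dropped so the backport carries nothing but the validation. The body of `PHP_FUNCTION(grapheme_extract)` begins and ends outside what is shown, so whether `next` has already been given a value when the `size == 0` branch returns cannot be confirmed from here.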
diff --git a/debian/patches/series b/debian/patches/series
index d552732..10110d0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -92,3 +92,4 @@ CVE-2011-0421.patch
 CVE-2011-1153.patch
 CVE-2011-0708.patch
 CVE-2011-1471.patch
+CVE-2011-0420.patch
-- 
1.7.1




