Conflicts:

	main/streams/memory.c

diff --git a/NEWS b/NEWS
index 50f36ba68a94ea46f968865f119fbe341033a23d..dd20fa9bd7254ae144f1c8ba23e09eee7ffe55a2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
 ?? ??? 2015, PHP 5.5.22
 
 - Core:
+  . Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file
+    not validated in memory.c). (nayana at ddproperty dot com)
   . Fixed bug #67068 (getClosure returns somethings that's not a closure). 
     (Danack at basereality dot com)
   . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname

diff --git a/main/streams/memory.c b/main/streams/memory.c
index 0d005056647b53549b0e2eb06f1140bc4c846657..d0f2511aa709a6066a53256a51f2dddb969c5707 100644 (file)
--- a/main/streams/memory.c
+++ b/main/streams/memory.c
@@ -374,6 +374,10 @@ static size_t php_stream_temp_write(php_stream *stream, const char *buf, size_t
 
                if (memsize + count >= ts->smax) {
                        php_stream *file = php_stream_fopen_tmpfile();
+                       if (file == NULL) {
+                               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to create temporary file, Check permissions in temporary files directory.");
+                               return 0;
+                       }
                        php_stream_write(file, membuf, memsize);
                        php_stream_free_enclosed(ts->innerstream, PHP_STREAM_FREE_CLOSE);
                        ts->innerstream = file;