]> granicus.if.org Git - php/commitdiff
projects / php / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 7b18981)
Port for for bug #68552
authorStanislav Malyshev <stas@php.net>
Mon, 16 Feb 2015 05:50:10 +0000 (06:50 +0100)
committerStanislav Malyshev <stas@php.net>
Tue, 17 Feb 2015 05:53:02 +0000 (06:53 +0100)
NEWS patch | blob | history
ext/enchant/enchant.c patch | blob | history

diff --git a/NEWS b/NEWS
index 5c22cd85fcb9e78b5f86e9097e391e7d097774ad..b8c85b2037734a17f997c5e89338f1948c338107 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,13 @@ PHP                                                                        NEWS
     buffer overflow). (Stas)
   . Fixed bug #67827 (broken detection of system crypt sha256/sha512 support).
     (ncopa at alpinelinux dot org)  
+  . Fixed bug #68942 (Use after free vulnerability in unserialize() with
+    DateTimeZone). (Stas)
   
+- Enchant: 
+  . Fixed bug #6855 (heap buffer overflow in enchant_broker_request_dict()).
+    (Antony)
+
 - SOAP:
   . Fixed bug #67427 (SoapServer cannot handle large messages)
     (brandt at docoloc dot de)
diff --git a/ext/enchant/enchant.c b/ext/enchant/enchant.c
index 6de2feac8047059326b85565067ecdba8fb4f363..0eb8144f76f6744a423c3c05eb51932caa4ca17e 100644 (file)
--- a/ext/enchant/enchant.c
+++ b/ext/enchant/enchant.c
@@ -550,13 +550,12 @@ PHP_FUNCTION(enchant_broker_request_dict)
 
        d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
        if (d) {
+               pos = pbroker->dictcnt++;
                if (pbroker->dictcnt) {
                        pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
-                       pos = pbroker->dictcnt++;
                } else {
                        pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
                        pos = 0;
-                       pbroker->dictcnt++;
                }
 
                dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
@@ -607,14 +606,14 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict)
 
        d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
        if (d) {
+               pos = pbroker->dictcnt++;
                if (pbroker->dictcnt) {
-                       pos = pbroker->dictcnt++;
                        pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
                } else {
                        pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
                        pos = 0;
-                       pbroker->dictcnt++;
                }
+
                dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
                dict->id = pos;
                dict->pbroker = pbroker;
Unnamed repository; edit this file 'description' to name the repository.