Fix bug #71629: sync php_url_decode definition

diff --git a/NEWS b/NEWS
index 0cd6c4bc7f1b475cb1bddd87b34613645e0d4cd7..4688f14641d1a63e4f602f3d53cd049cc02c361f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,8 @@ PHP                                                                        NEWS
 ?? ??? 2016 PHP 7.0.5
 
 - Core:
+  . Fixed bug #71629 (Out-of-bounds access in php_url_decode in context
+    php_stream_url_wrap_rfc2397). (mt at debian dot org)
   . Fixed bug #71622 (Strings used in pass-as-reference cannot be used to
     invoke C::$callable()). (Bob)
   . Fixed bug #71596 (Segmentation fault on ZTS with date function

diff --git a/main/streams/memory.c b/main/streams/memory.c
index 09da047d86d6b246f692c4c5c7755a9440747a5b..56ffe344aa8feb90e588446c1e9d7c45b3b969bd 100644 (file)
--- a/main/streams/memory.c
+++ b/main/streams/memory.c
@@ -22,7 +22,7 @@
 #include "php.h"
 #include "ext/standard/base64.h"
 
-PHPAPI int php_url_decode(char *str, int len);
+PHPAPI size_t php_url_decode(char *str, size_t len);
 
 /* Memory streams use a dynamic memory buffer to emulate a stream.
  * You can use php_stream_memory_open to create a readonly stream
@@ -730,7 +730,7 @@ static php_stream * php_stream_url_wrap_rfc2397(php_stream_wrapper *wrapper, con
                ilen = (int)ZSTR_LEN(base64_comma);
        } else {
                comma = estrndup(comma, dlen);
-               dlen = php_url_decode(comma, (int)dlen);
+               dlen = php_url_decode(comma, dlen);
                ilen = (int)dlen;
        }