From 022d4fc0b63ad64a18332ac736de50a6f067d5fd Mon Sep 17 00:00:00 2001
From: Ilia Alshanetsky
Date: Fri, 7 Sep 2007 02:28:42 +0000
Subject: [PATCH] Added missing safety checks for 2nd parameter of setlocale() function
---
 NEWS | 7 ++++---
 ext/standard/string.c | 6 +++++-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/NEWS b/NEWS
index 6f6a28effd..f7eeb4c259 100644
--- a/NEWS
+++ b/NEWS
@@ -2,10 +2,11 @@ PHP NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 20??, PHP 5.2.5
 - Fixed leaks with mulitple connects on one mysqli object. (Andrey)
-- Fixed endianness detection on MacOS when building universal binary.
+'- Fixed endianness detection on MacOS when building universal binary.
 (Uwe Schindler, Christian Speich, Tony)
-- Fixed possible buffer overflows inside the fnmatch() and glob() functions
- reported by Laurent gaffie (Ilia)
+- Fixed possible triggering of buffer overflows inside glibc
+ imlplementations of the fnmatch(), setlocale() and glob() functions reported
+ by Laurent gaffie (Ilia)
 - Upgraded PCRE to version 7.3 (Nuno)
 - Added optional parameter $provide_object to debug_backtrace(). (Sebastian)
diff --git a/ext/standard/string.c b/ext/standard/string.c
index e7b36a27ac..71e70af42a 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -4000,8 +4000,12 @@ PHP_FUNCTION(setlocale)
 loc = NULL;
 } else {
 loc = Z_STRVAL_PP(plocale);
+ if (Z_STRLEN_PP(plocale) >= 255) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Specified locale name is too long");
+ break;
+ }
 }
-
+
 retval = setlocale (cat, loc);
 zend_update_current_locale();
 if (retval) {
--
2.50.1
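Review bot: The new guard in PHP_FUNCTION(setlocale) compares `Z_STRLEN_PP(plocale)` against a bare `255` with nothing in the code saying where that bound comes from. The commit subject and NEWS entry tie the check to overflows triggered inside the C library's setlocale(), so the limit deserves a named constant or at least a comment such as `/* refuse overlong locale names before they reach libc setlocale() */`, otherwise a later cleanup may loosen or drop it. The `break` leaves an enclosing loop or switch that starts and ends outside this hunk, so it is worth confirming that the exit path still releases any argument storage and yields a defined return value. If callers can supply several candidate locales (not visible here), consider whether an overlong entry should be skipped with the warning rather than ending the attempt for the remaining candidates.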