[Secure-testing-commits] r5703 - in data: . patches/MOPB

Sean Finney seanius at alioth.debian.org
Sun Apr 22 18:52:49 UTC 2007


Author: seanius
Date: 2007-04-22 18:52:49 +0000 (Sun, 22 Apr 2007)
New Revision: 5703

Added:
   data/patches/MOPB/MOPB-44-php5.diff
Modified:
   data/mopb.txt
Log:
applied php5 patches for everything but 18, 19, and 23

Modified: data/mopb.txt
===================================================================
--- data/mopb.txt	2007-04-22 17:06:25 UTC (rev 5702)
+++ data/mopb.txt	2007-04-22 18:52:49 UTC (rev 5703)
@@ -182,7 +182,7 @@
 34   /    t
 32   T    T 
 30   /    /
-26   /    /
+26   a    a
 22   t    t 
 10   T    T <- seemed already fixed but this completes the patch
 04   T    T
@@ -197,24 +197,24 @@
 
 # PHP5 checklist....
 MOPB   Etch, Unstable  Dapper, Edgy, Feisty       PATCH
-10      X     X         X       X     X             *
-14      X     X         X       X     X             *
-15      i     i         X       X     X             *
-16      X     X         -       -     -
-17      X     X         -       -     -
+10      p     p[3]      X       X     X             *
+14      X     T         X       X     X             *
+15      i     T         X       X     X             *
+16      p     p         -       -     -
+17      -     -         -       -     -
 18      X     X         -       -     -
 19      X     X         -       -     -
-22      X     X         X       X     X             *
+22      X     T         X       X     X             *
 23      X     X         X       X     X             ?
 24      i     i         X       X     X             *
-26      X     X         X       X     X             ?
+26      X     T         X       X     X             ?
 29      -     -         -       -     X             *
-30      X     X         X       X     X             ?
-34      X     X         X       X     X             *
-41      X     X         X       X     X  [1]        !
-42      X     X         X       X     -             *
-44      X     X         -       -     -
-45      X     X         -       -     X  [2]        !
+30      -     a[4]      X       X     X             ?
+34      X     a         X       X     X             *
+41      X     a         X       X     X  [1]        !
+42      X     a         X       X     -             *
+44      X     a         -       -     -
+45      X     a         -       -     X  [2]        !
 
 * = patch extracted from upstream
 ? = no upstream patch found
@@ -222,6 +222,7 @@
 
 X = fixed desired
 a = patch applied
+p = previously fixed
 T = code tested
 - = fix n/a
 i = fix skipped
@@ -230,4 +231,6 @@
     to be changed.  For references, here is the upstream "fix":
     http://cvs.php.net/viewvc.cgi/php-src/ext/sqlite/libsqlite/src/encode.c?r1=1.5.4.1&r2=1.5.4.1.2.1&pathrev=PHP_5_2
 [2] this needs a CVE assigned
+[3] previously fixed, but the patch adds another check we should have too.
+[4] could not reproduce this problem
 

Added: data/patches/MOPB/MOPB-44-php5.diff
===================================================================
--- data/patches/MOPB/MOPB-44-php5.diff	2007-04-22 17:06:25 UTC (rev 5702)
+++ data/patches/MOPB/MOPB-44-php5.diff	2007-04-22 18:52:49 UTC (rev 5703)
@@ -0,0 +1,91 @@
+--- old/Zend/zend_alloc.c	2006/12/20 10:49:32	1.144.2.3.2.27
++++ new/Zend/zend_alloc.c	2006/12/25 12:16:33	1.144.2.3.2.28
+@@ -454,11 +454,11 @@
+ #define ZEND_MM_ALIGNED_MIN_HEADER_SIZE		(ZEND_MM_MIN_ALLOC_BLOCK_SIZE>ZEND_MM_ALIGNED_FREE_HEADER_SIZE?ZEND_MM_MIN_ALLOC_BLOCK_SIZE:ZEND_MM_ALIGNED_FREE_HEADER_SIZE)
+ #define ZEND_MM_ALIGNED_SEGMENT_SIZE		ZEND_MM_ALIGNED_SIZE(sizeof(zend_mm_segment))
+ 
+-#define ZEND_MM_MIN_SIZE					(ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE))
++#define ZEND_MM_MIN_SIZE					((ZEND_MM_ALIGNED_MIN_HEADER_SIZE>(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE))?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE-(ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)):0)
+ 
+ #define ZEND_MM_MAX_SMALL_SIZE				(((ZEND_MM_NUM_BUCKETS-1)<<ZEND_MM_ALIGNMENT_LOG2)+ZEND_MM_ALIGNED_MIN_HEADER_SIZE)
+ 
+-#define ZEND_MM_TRUE_SIZE(size)				(((long)size<(long)ZEND_MM_MIN_SIZE)?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE):(ZEND_MM_ALIGNED_SIZE(size+ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)))
++#define ZEND_MM_TRUE_SIZE(size)				((size<ZEND_MM_MIN_SIZE)?(ZEND_MM_ALIGNED_MIN_HEADER_SIZE):(ZEND_MM_ALIGNED_SIZE(size+ZEND_MM_ALIGNED_HEADER_SIZE+END_MAGIC_SIZE)))
+ 
+ #define ZEND_MM_BUCKET_INDEX(true_size)		((true_size>>ZEND_MM_ALIGNMENT_LOG2)-(ZEND_MM_ALIGNED_MIN_HEADER_SIZE>>ZEND_MM_ALIGNMENT_LOG2)+1)
+ 
+@@ -1332,6 +1332,9 @@
+ 	zend_mm_free_block *p, *end, *best_fit = NULL;
+ 	size_t true_size = ZEND_MM_TRUE_SIZE(size);
+ 
++	if (true_size < size) {
++		goto out_of_memory;
++	}
+ 	if (ZEND_MM_SMALL_SIZE(true_size)) {
+ 		size_t index = ZEND_MM_BUCKET_INDEX(true_size);
+ 		unsigned int bitmap;
+@@ -1422,7 +1425,7 @@
+ 		size_t remaining_size;
+ 		zend_mm_segment *segment;
+ 
+-		if (true_size + ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE > heap->block_size) {
++		if (true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)) {
+ 			/* Make sure we add a memory block which is big enough,
+ 			   segment must have header "size" and trailer "guard" block */
+ 			segment_size = true_size + ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE;
+@@ -1433,7 +1436,8 @@
+ 
+ 		HANDLE_BLOCK_INTERRUPTIONS();
+ 
+-		if (heap->real_size + segment_size > heap->limit) {
++		if (segment_size < true_size || 
++		    heap->real_size + segment_size > heap->limit) {
+ 			/* Memory limit overflow */
+ #if ZEND_MM_CACHE
+ 			zend_mm_free_cache(heap);
+@@ -1454,6 +1458,7 @@
+ 			zend_mm_free_cache(heap);
+ #endif
+ 			HANDLE_UNBLOCK_INTERRUPTIONS();
++out_of_memory:
+ #if ZEND_DEBUG
+ 			zend_mm_safe_error(heap, "Out of memory (allocated %d) at %s:%d (tried to allocate %d bytes)", heap->real_size, __zend_filename, __zend_lineno, size);
+ #else
+@@ -1617,6 +1622,10 @@
+ 	orig_size = ZEND_MM_BLOCK_SIZE(mm_block);
+ 	ZEND_MM_CHECK_PROTECTION(mm_block);
+ 
++	if (true_size < size) {
++		goto out_of_memory;
++	}
++
+ 	if (true_size <= orig_size) {
+ 		size_t remaining_size = orig_size - true_size;
+ 
+@@ -1694,7 +1703,7 @@
+ 		HANDLE_BLOCK_INTERRUPTIONS();
+ realloc_segment:
+ 		/* segment size, size of block and size of guard block */
+-		if (true_size+ZEND_MM_ALIGNED_SEGMENT_SIZE+ZEND_MM_ALIGNED_HEADER_SIZE > heap->block_size) {
++		if (true_size > heap->block_size - (ZEND_MM_ALIGNED_SEGMENT_SIZE + ZEND_MM_ALIGNED_HEADER_SIZE)) {
+ 			segment_size = true_size+ZEND_MM_ALIGNED_SEGMENT_SIZE+ZEND_MM_ALIGNED_HEADER_SIZE;
+ 			segment_size = ((segment_size + (heap->block_size-1)) / heap->block_size) * heap->block_size;
+ 		} else {
+@@ -1702,7 +1711,8 @@
+ 		}
+ 
+ 		segment_copy = (zend_mm_segment *) ((char *)mm_block - ZEND_MM_ALIGNED_SEGMENT_SIZE);
+-		if (heap->real_size + segment_size - segment_copy->size > heap->limit) {
++		if (segment_size < true_size ||
++		    heap->real_size + segment_size - segment_copy->size > heap->limit) {
+ #if ZEND_MM_CACHE
+ 			zend_mm_free_cache(heap);
+ #endif
+@@ -1721,6 +1731,7 @@
+ 			zend_mm_free_cache(heap);
+ #endif
+ 			HANDLE_UNBLOCK_INTERRUPTIONS();
++out_of_memory:
+ #if ZEND_DEBUG
+ 			zend_mm_safe_error(heap, "Out of memory (allocated %d) at %s:%d (tried to allocate %d bytes)", heap->real_size, __zend_filename, __zend_lineno, size);
+ #else
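Review bot: The memory-limit test in the allocation path, `heap->real_size + segment_size > heap->limit`, is still an unchecked addition: the new `segment_size < true_size` guard catches wraparound while computing segment_size, but not wraparound in this sum. Assuming these fields are size_t like true_size (their declarations are outside the patch), a segment_size near the type's maximum that did not itself wrap could make the sum wrap to a small value and pass the limit check, so rejection would depend on the segment allocation further down, which is not shown. A wrap-free form is `if (segment_size < true_size || segment_size > heap->limit || heap->real_size > heap->limit - segment_size) {`. The realloc-path check, which also subtracts `segment_copy->size`, has the same shape and would need the same rearrangement. Both enclosing functions begin and end outside the inner hunks, so the types and the invariant between real_size and limit should be confirmed against the full file.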



