php-sapi/patches/290_php_20804061.patch

CVE-2014-9705
Community BUG:
https://bugs.php.net/bug.php?id=68552
Community CODE:
http://svn.php.net/viewvc/pecl/enchant/trunk/enchant.c?r1=317600&r2=335803
Below is the community patch.


--- a/ext/enchant/enchant.c 2011/10/01 13:13:13 317600
+++ b/ext/enchant/enchant.c 2015/01/26 11:49:40 335803
@@ -549,13 +549,12 @@

    d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
    if (d) {
+       pos = pbroker->dictcnt++;
        if (pbroker->dictcnt) {
            pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
-           pos = pbroker->dictcnt++;
        } else {
            pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
            pos = 0;
-           pbroker->dictcnt++;
        }

        dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
@@ -606,14 +605,14 @@

    d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
    if (d) {
+       pos = pbroker->dictcnt++;
        if (pbroker->dictcnt) {
-           pos = pbroker->dictcnt++;
            pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
        } else {
            pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
            pos = 0;
-           pbroker->dictcnt++;
        }
+
        dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
        dict->id = pos;
        dict->pbroker = pbroker;