Community BUG:
Patch from another source:
### fix CVE-2015-4024 patch for PHP 5.2/5.3 series @chtg
@@ -464,6 +464,8 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
char *line;
mime_header_entry prev_entry, entry;
int prev_len, cur_len;
+ int newlines = 0;
+ long upload_max_newlines = 100;
/* didn't find boundary, abort */
if (!find_boundary(self, self->boundary TSRMLS_CC)) {
@@ -489,6 +491,7 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
entry.value = estrdup(value);
entry.key = estrdup(key);
+ newlines = 0;
} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
@@ -501,6 +504,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
entry.value[cur_len + prev_len] = '\0';
entry.key = estrdup(prev_entry.key);
+ newlines++;
+ if (newlines > upload_max_newlines) {
+ return 0;
+ }
zend_llist_remove_tail(header);
} else {