alpine-pkg/php/php5.4/d06-u011-CVE-2016-7412.patch

Index: php5-5.4.45/ext/mysqlnd/mysqlnd_wireprotocol.c
===================================================================
--- php5-5.4.45.orig/ext/mysqlnd/mysqlnd_wireprotocol.c	2016-12-09 16:00:51.114490615 +0100
+++ php5-5.4.45/ext/mysqlnd/mysqlnd_wireprotocol.c	2016-12-09 16:00:51.110490725 +0100
@@ -1523,6 +1523,7 @@
 	zend_uchar * p = row_buffer->ptr;
 	size_t data_size = row_buffer->app;
 	zend_uchar * bit_area = (zend_uchar*) row_buffer->ptr + data_size + 1; /* we allocate from here */
+	const zend_uchar * const packet_end = (zend_uchar*) row_buffer->ptr + data_size;
 
 	DBG_ENTER("php_mysqlnd_rowp_read_text_protocol");
 
@@ -1544,8 +1545,13 @@
 		/* Don't reverse the order. It is significant!*/
 		zend_uchar *this_field_len_pos = p;
 		/* php_mysqlnd_net_field_length() call should be after *this_field_len_pos = p; */
-		unsigned long len = php_mysqlnd_net_field_length(&p);
+		const unsigned long len = php_mysqlnd_net_field_length(&p);
 
+		if (len != MYSQLND_NULL_LENGTH && ((p + len) > packet_end)) {
+			php_error_docref(NULL, E_WARNING, "Malformed server packet. Field length pointing "MYSQLND_SZ_T_SPEC
+											  " bytes after end of packet", (p + len) - packet_end - 1);
+			DBG_RETURN(FAIL);
+		}
 		if (current_field > start_field && last_field_was_string) {
 			/*
 			  Normal queries: