Add mitigation for CVE-2015-0235 (bug #68925)

NEWS

@@ -2,6 +2,9 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2015, PHP 5.5.22
 
+- Core:
+  . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
+    buffer overflow). (Stas)
 
 - Date:
   . Fixed bug #45081 (strtotime incorrectly interprets SGT time zone). (Derick)

ext/sockets/sockaddr_conv.c

@@ -9,6 +9,10 @@
 #include <arpa/inet.h>
 #endif
 
+#ifndef MAXHOSTNAMELEN
+#define MAXHOSTNAMELEN 255
+#endif
+
 extern int php_string_to_if_index(const char *val, unsigned *out TSRMLS_DC);
 
 #if HAVE_IPV6
@@ -90,7 +94,7 @@ int php_set_inet_addr(struct sockaddr_in *sin, char *string, php_socket *php_soc
 	if (inet_aton(string, &tmp)) {
 		sin->sin_addr.s_addr = tmp.s_addr;
 	} else {
-		if (! (host_entry = gethostbyname(string))) {
+		if (strlen(string) > MAXHOSTNAMELEN || ! (host_entry = gethostbyname(string))) {
 			/* Note: < -10000 indicates a host lookup error */
 #ifdef PHP_WIN32
 			PHP_SOCKET_ERROR(php_sock, "Host lookup failed", WSAGetLastError());

ext/standard/string.c

@@ -3940,7 +3940,7 @@ static void php_str_replace_in_subject(zval *search, zval *replace, zval **subje
 														   replace_value, replace_len, &Z_STRLEN(temp_result), case_sensitivity, replace_count);
 			}
 
-           str_efree(Z_STRVAL_P(result));
+			str_efree(Z_STRVAL_P(result));
 			Z_STRVAL_P(result) = Z_STRVAL(temp_result);
 			Z_STRLEN_P(result) = Z_STRLEN(temp_result);
 

main/network.c

@@ -27,7 +27,6 @@
 #include <errno.h>
 
 
-
 #ifdef PHP_WIN32
 # include <Ws2tcpip.h>
 # include "win32/inet.h"