There are 2 integers wraparound flaws in php-src/main/rfc1867.c that allow a malicious user to crash PHP during a multipart/form-data file upload. A large multipart/form-data variable, or filename, may cause an integer overflow that leads to a subsequent crash.
Temporary files are not cleaned up, and could ultimately fill up the file system containing PHP temporary data.
Created php tracking bugs for this issue:
Affects: fedora-all [bug 1837843]
Upstream fixes :
* Fix #78876: Long variables cause OOM and temp files are not cleaned
* Fix #78875: Long filenames cause OOM and temp files are not cleaned
For php-7.4 : https://github.com/php/php-src/commit/a3924ab6542a358a3099de992b63b932a9570add
For php-7.3 : https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266
For php-7.2 : https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266 https://github.com/php/php-src/commit/1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87
Note that this issue requires a pathological configuration to trigger; post_max_size must be set to 2GB or higher. Such a configuration allows an effective Denial of Service attack against any server and should never be used in production.
The severity of this issue is considered Moderate because it requires an unlikely large `post_max_size` to be configured.
Ensure that `post_max_size` is set to a value less than 2GB, or remains default.