--- rpms/php/sme8/php-5.3.3-CVE-2011-4885.patch	2012/02/03 15:48:14	1.1
+++ rpms/php/sme8/php-5.3.3-CVE-2011-4885.patch	2012/02/03 15:48:14	1.1.2.1
@@ -0,0 +1,112 @@
+From 6517ac845b4ed91cd8762d3aa22de5f3c9b0e067 Mon Sep 17 00:00:00 2001
+From: "Vojtech Vitek (V-Teq)" <vvitek@redhat.com>
+Date: Tue, 3 Jan 2012 02:04:09 +0100
+Subject: [PATCH] Add max_input_vars directive to prevent attacks based on
+ hash collisions
+
+Based on:
+http://svn.php.net/viewvc?view=revision&revision=321038
+http://svn.php.net/viewvc?view=revision&revision=321040
+http://svn.php.net/viewvc?view=revision&revision=321335
+---
+ main/main.c          |    1 +
+ main/php_globals.h   |    2 ++
+ main/php_variables.c |   20 ++++++++++++++++----
+ php.ini-development  |    3 +++
+ php.ini-production   |    3 +++
+ 5 files changed, 25 insertions(+), 4 deletions(-)
+
+diff --git a/main/main.c b/main/main.c
+index 45751ad..708e772 100644
+--- a/main/main.c
++++ b/main/main.c
+@@ -496,6 +496,7 @@ PHP_INI_BEGIN()
+ 	STD_PHP_INI_ENTRY("post_max_size",			"8M",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLong,			post_max_size,			sapi_globals_struct,sapi_globals)
+ 	STD_PHP_INI_ENTRY("upload_tmp_dir",			NULL,		PHP_INI_SYSTEM,		OnUpdateStringUnempty,	upload_tmp_dir,			php_core_globals,	core_globals)
+ 	STD_PHP_INI_ENTRY("max_input_nesting_level", "64",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_nesting_level,			php_core_globals,	core_globals)
++	STD_PHP_INI_ENTRY("max_input_vars",			"1000",		PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateLongGEZero,	max_input_vars,						php_core_globals,	core_globals)
+ 
+ 	STD_PHP_INI_ENTRY("user_dir",				NULL,		PHP_INI_SYSTEM,		OnUpdateString,			user_dir,				php_core_globals,	core_globals)
+ 	STD_PHP_INI_ENTRY("variables_order",		"EGPCS",	PHP_INI_SYSTEM|PHP_INI_PERDIR,		OnUpdateStringUnempty,	variables_order,		php_core_globals,	core_globals)
+diff --git a/main/php_globals.h b/main/php_globals.h
+index dda28f2..5d898fa 100644
+--- a/main/php_globals.h
++++ b/main/php_globals.h
+@@ -170,6 +170,8 @@ struct _php_core_globals {
+ 	char *mail_log;
+ 
+ 	zend_bool in_error_log;
++
++	long max_input_vars;
+ };
+ 
+ 
+diff --git a/main/php_variables.c b/main/php_variables.c
+index de80b09..9b05793 100644
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -191,9 +191,14 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars
+ 				}
+ 				if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+ 					|| Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+-					MAKE_STD_ZVAL(gpc_element);
+-					array_init(gpc_element);
+-					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++					if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
++						if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
++							php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++						}
++						MAKE_STD_ZVAL(gpc_element);
++						array_init(gpc_element);
++						zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++					}
+ 				}
+ 				if (index != escaped_index) {
+ 					efree(escaped_index);
+@@ -236,7 +241,14 @@ plain_var:
+ 				zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+ 				zval_ptr_dtor(&gpc_element);
+ 			} else {
+-				zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++				if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
++					if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
++						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++					}
++					zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++				} else {
++					zval_ptr_dtor(&gpc_element);
++				}
+ 			}
+ 			if (escaped_index != index) {
+ 				efree(escaped_index);
+diff --git a/php.ini-development b/php.ini-development
+index 60d1000..12a8783 100644
+--- a/php.ini-development
++++ b/php.ini-development
+@@ -453,6 +453,9 @@ max_input_time = 60
+ ; http://php.net/max-input-nesting-level
+ ;max_input_nesting_level = 64
+ 
++; How many GET/POST/COOKIE input variables may be accepted
++; max_input_vars = 1000
++
+ ; Maximum amount of memory a script may consume (128MB)
+ ; http://php.net/memory-limit
+ memory_limit = 128M
+diff --git a/php.ini-production b/php.ini-production
+index 5ace330..487f823 100644
+--- a/php.ini-production
++++ b/php.ini-production
+@@ -453,6 +453,9 @@ max_input_time = 60
+ ; http://php.net/max-input-nesting-level
+ ;max_input_nesting_level = 64
+ 
++; How many GET/POST/COOKIE input variables may be accepted
++; max_input_vars = 1000
++
+ ; Maximum amount of memory a script may consume (128MB)
+ ; http://php.net/memory-limit
+ memory_limit = 128M
+-- 
+1.7.6.2
+