public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/php-patches:php5.6 commit in: /
@ 2019-05-02 12:54 Brian Evans
From: Brian Evans @ 2019-05-02 12:54 UTC
  To: gentoo-commits

commit:     61e682ea2f4a7084235b814159f1db1b23878abe
Author:     Brian Evans <grknight <AT> gentoo <DOT> org>
AuthorDate: Thu May  2 12:53:54 2019 +0000
Commit:     Brian Evans <grknight <AT> gentoo <DOT> org>
CommitDate: Thu May  2 12:53:54 2019 +0000
URL:        https://gitweb.gentoo.org/proj/php-patches.git/commit/?id=61e682ea

Add backports from php 7.1.29

Signed-off-by: Brian Evans <grknight <AT> gentoo.org>

 00170_May2019-backports.patch |  52 ++++++++++++++++++++++++++++++++++++++++++
 bug77950.tiff                 | Bin 0 -> 1267 bytes
 2 files changed, 52 insertions(+)

diff --git a/00170_May2019-backports.patch b/00170_May2019-backports.patch
new file mode 100644
index 0000000..463768f
--- /dev/null
+++ b/00170_May2019-backports.patch
@@ -0,0 +1,52 @@
+From 7cbf6a0ca98a187be1b31b1e85935319430d9e61 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 29 Apr 2019 23:38:12 -0700
+Subject: [PATCH] Fix bug #77950 - Heap-buffer-overflow in _estrndup via
+ exif_process_IFD_TAG
+
+I do not completely understand what is going on there, but I am pretty
+sure dir_entry <= offset_base if not a normal situation, so we better not
+to rely on such dir_entry.
+
+(cherry picked from commit f80ad18afae2230c2c1802c7d829100af646874e)
+---
+ NEWS                         |  12 ++++++++++--
+ ext/exif/exif.c              |   2 +-
+ ext/exif/tests/bug77950.phpt |  12 ++++++++++++
+ ext/exif/tests/bug77950.tiff | Bin 0 -> 1267 bytes
+ 4 files changed, 23 insertions(+), 3 deletions(-)
+ create mode 100644 ext/exif/tests/bug77950.phpt
+ create mode 100644 ext/exif/tests/bug77950.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 81cf438a8e..15e091b6c5 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2901,7 +2901,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+             offset_base is ImageInfo->file.list[sn].data-dir_offset
+             dir_entry - offset_base is dir_offset+2+i*12
+         */
+-		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
++		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) {
+ 			/* It is important to check for IMAGE_FILETYPE_TIFF
+ 			 * JPEG does not use absolute pointers instead its pointers are
+ 			 * relative to the start of the TIFF header in APP1 section. */
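Review bot: the new `dir_entry <= offset_base` test sits at the end of the `||` chain in `exif_process_IFD_TAG`, after `offset_val < (size_t)(dir_entry-offset_base)` has already computed the pointer difference the new test is meant to distrust. Move it ahead of that subtraction so the guard is evaluated first, and extend the comment above the condition (the one relating `offset_base` and `dir_entry - offset_base`) to state why `dir_entry` is expected to lie above `offset_base`, since the commit message itself says the case is not fully understood.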
+diff --git a/ext/exif/tests/bug77950.phpt b/ext/exif/tests/bug77950.phpt
+new file mode 100644
+index 0000000000..dc0f3549cb
+--- /dev/null
++++ b/ext/exif/tests/bug77950.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #77950 (Heap-buffer-overflow in _estrndup via exif_process_IFD_TAG)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++exif_read_data(__DIR__."/bug77950.tiff");
++?>
++DONE
++--EXPECTF--
++%A
++DONE
+\ No newline at end of file
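Review bot: the embedded upstream patch lists `NEWS` and `ext/exif/tests/bug77950.tiff` in its diffstat (4 files changed), but its body carries only the `exif.c` and `bug77950.phpt` hunks, and the fixture is added separately at the repository root as `bug77950.tiff`. Because the test opens `__DIR__."/bug77950.tiff"`, the commit message should say that the fixture has to be copied into `ext/exif/tests/` when the patch is applied, and the stale diffstat should be trimmed. The `--EXPECTF--` of `%A` followed by `DONE` accepts any output, so the test only shows that the script reaches `DONE`; it is most useful when run under a memory checker.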

diff --git a/bug77950.tiff b/bug77950.tiff
new file mode 100644
index 0000000..5c8250a
Binary files /dev/null and b/bug77950.tiff differ



* [gentoo-commits] proj/php-patches:php5.6 commit in: /
@ 2019-11-19 10:29 Thomas Deutschmann
From: Thomas Deutschmann @ 2019-11-19 10:29 UTC
  To: gentoo-commits

commit:     ecf6ddfb4f0450fa626d15e2f771e4cc3f044fac
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 19 10:28:57 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Nov 19 10:28:57 2019 +0000
URL:        https://gitweb.gentoo.org/proj/php-patches.git/commit/?id=ecf6ddfb

Add backports from 7.1.33

Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 00210_October2019-backports.patch | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/00210_October2019-backports.patch b/00210_October2019-backports.patch
new file mode 100644
index 0000000..8d3612e
--- /dev/null
+++ b/00210_October2019-backports.patch
@@ -0,0 +1,28 @@
+From af6607e207005b4757f7679d34f060b674da08c6 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sat, 12 Oct 2019 15:56:16 +0100
+Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE)
+ (CVE-2019-11043)
+
+cheery-picked from ab061f95ca966731b1c84cf5b7b20155c0a1c06a
+without the test as tester not available
+---
+ sapi/fpm/fpm/fpm_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index d12ac018..22b889c1 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1245,8 +1245,8 @@ static void init_request_info(TSRMLS_D)
+ 								path_info = script_path_translated + ptlen;
+ 								tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
+ 							} else {
+-								path_info = env_path_info ? env_path_info + pilen - slen : NULL;
+-								tflag = (orig_path_info != path_info);
++								path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
++								tflag = path_info && (orig_path_info != path_info);
+ 							}
+ 
+ 							if (tflag) {
+
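Review bot: the `path_info` line in `init_request_info` now yields NULL when `pilen == slen` as well as when `pilen < slen`, because the guard is the strict `pilen > slen`; before the change the equal-length case produced `env_path_info` itself. If that is intended, say so in a comment beside the guard. Since the message notes the upstream test was left out because the tester is not available, also record how the backport was verified on this branch.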



* [gentoo-commits] proj/php-patches:php5.6 commit in: /
@ 2019-11-19 10:29 Thomas Deutschmann
From: Thomas Deutschmann @ 2019-11-19 10:29 UTC
  To: gentoo-commits

commit:     c8318763d6cb2e41173ff8813e4fdc2874b9e55e
Author:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 19 10:28:16 2019 +0000
Commit:     Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Tue Nov 19 10:28:16 2019 +0000
URL:        https://gitweb.gentoo.org/proj/php-patches.git/commit/?id=c8318763

Add backports from 7.1.32

Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>

 00200_September2019-backports.patch | 223 ++++++++++++++++++++++++++++++++++++
 1 file changed, 223 insertions(+)

diff --git a/00200_September2019-backports.patch b/00200_September2019-backports.patch
new file mode 100644
index 0000000..47cd57c
--- /dev/null
+++ b/00200_September2019-backports.patch
@@ -0,0 +1,223 @@
+From 127c34f2e5f9d6045971e79bdb191bc3e0519384 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 24 Aug 2019 23:11:45 -0700
+Subject: [PATCH 1/6] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+Backport from https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
+
+(cherry picked from commit 1258303e66d8dede4f02347334b9f6576e98a21b)
+---
+ ext/mbstring/oniguruma/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/mbstring/oniguruma/regext.c b/ext/mbstring/oniguruma/regext.c
+index b1b957b4..b108e638 100644
+--- a/ext/mbstring/oniguruma/regext.c
++++ b/ext/mbstring/oniguruma/regext.c
+@@ -29,6 +29,7 @@
+ 
+ #include "regint.h"
+ 
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
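Review bot: the `#if 0` opened above `conv_ext0be32` in `regext.c` disables the conversion helpers without saying why. Add a short comment at the `#if 0` naming CVE-2019-13224 and the upstream Oniguruma commit cited in the message, or delete the helpers outright, so the dead block is not re-enabled later by someone who finds it unexplained.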
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+ 
+   return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+ 
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+   if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+ 
+   if (ci->pattern_enc != ci->target_enc) {
+-    r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+-                      &cpat, &cpat_end);
+-    if (r) return r;
++    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+   }
+   else {
+     cpat     = (UChar* )pattern;
+
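Review bot: in `onig_new_deluxe` the `ci->pattern_enc != ci->target_enc` branch now returns `ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION` unconditionally, which is a behaviour change for any caller that passes differing encodings. Check whether callers in `ext/mbstring` can reach this with mixed encodings and handle the error return, and mention the change in the backport's description so users of this branch are not surprised by patterns that used to compile.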
+From 94445c3a85f38ffc4a3952d3fdad0fc184f92a5b Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 16 Aug 2019 14:29:19 +0200
+Subject: [PATCH 2/6] Fix #75457: heap-use-after-free in php7.0.25
+
+Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.
+
+(cherry picked from commit 7bf1f9d561826c4a3ed748e55bb756375cdf28b9)
+---
+ ext/pcre/pcrelib/pcre_compile.c | 11 ++++++++++-
+ ext/pcre/tests/bug75457.phpt    | 10 ++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+ create mode 100644 ext/pcre/tests/bug75457.phpt
+
+diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c
+index c9171cbe..1d376716 100644
+--- a/ext/pcre/pcrelib/pcre_compile.c
++++ b/ext/pcre/pcrelib/pcre_compile.c
+@@ -485,7 +485,7 @@ static const char error_texts[] =
+   "lookbehind assertion is not fixed length\0"
+   "malformed number or name after (?(\0"
+   "conditional group contains more than two branches\0"
+-  "assertion expected after (?(\0"
++  "assertion expected after (?( or (?(?C)\0"
+   "(?R or (?[+-]digits must be followed by )\0"
+   /* 30 */
+   "unknown POSIX class name\0"
+@@ -6734,6 +6734,15 @@ for (;; ptr++)
+           for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break;
+           if (ptr[i] == CHAR_RIGHT_PARENTHESIS)
+             tempptr += i + 1;
++
++          /* tempptr should now be pointing to the opening parenthesis of the
++          assertion condition. */
++
++          if (*tempptr != CHAR_LEFT_PARENTHESIS)
++            {
++            *errorcodeptr = ERR28;
++            goto FAILED;
++            }
+           }
+ 
+         /* For conditions that are assertions, check the syntax, and then exit
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+new file mode 100644
+index 00000000..c7ce9ed0
+--- /dev/null
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #75457 (heap-use-after-free in php7.0.25)
++--FILE--
++<?php
++$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
++var_dump(preg_match($pattern, "hello"));
++?>
++--EXPECTF--
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++bool(false)
+
+From c5279f8c37ae91697f5a60e395d901394ff9e4aa Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 28 Aug 2019 14:34:48 +0200
+Subject: [PATCH 3/6] relax test, offset may be different on various system lib
+ versions
+
+---
+ ext/pcre/tests/bug75457.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+index c7ce9ed0..571a4bde 100644
+--- a/ext/pcre/tests/bug75457.phpt
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -6,5 +6,5 @@ $pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
+ var_dump(preg_match($pattern, "hello"));
+ ?>
+ --EXPECTF--
+-Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset %d in %sbug75457.php on line %d
+ bool(false)
+
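Review bot: the relaxed `--EXPECTF--` line still hardcodes the message text `assertion expected after (?( or (?(?C)`, which patch 2/6 introduces in the bundled `pcre_compile.c`; a build against a system library without that change would emit different text and fail here. Given that the stated reason for this patch is varying system library versions, consider matching the text after `Compilation failed:` with `%s` as well, or adding a `--SKIPIF--` for libraries that lack the fix.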
+From ca1431fe5eb5f11b20f576f8501fa60eccee0b1e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Fri, 18 May 2018 18:36:39 +0200
+Subject: [PATCH 4/6] Fix Opcache test fails regarding to AppVeyor image update
+
+(cherry picked from php/php-src@6043a2d6f74bf5125573fde198070ac9804d5e6e)
+---
+ ext/opcache/tests/php_cli_server.inc | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+diff --git a/ext/opcache/tests/php_cli_server.inc b/ext/opcache/tests/php_cli_server.inc
+index 0878bfaf..e5e72c41 100644
+--- a/ext/opcache/tests/php_cli_server.inc
++++ b/ext/opcache/tests/php_cli_server.inc
+@@ -7,16 +7,22 @@ function php_cli_server_start($ini = "") {
+ 	$php_executable = getenv('TEST_PHP_EXECUTABLE');
+ 	$doc_root = __DIR__;
+ 
+-	$descriptorspec = array(
+-		0 => STDIN,
+-		1 => STDOUT,
+-		2 => STDERR,
+-	);
+-
+ 	if (substr(PHP_OS, 0, 3) == 'WIN') {
++		$descriptorspec = array(
++			0 => STDIN,
++			1 => STDOUT,
++			2 => array("pipe", "w"),
++		);
++
+ 		$cmd = "{$php_executable} -t {$doc_root} $ini -S " . PHP_CLI_SERVER_ADDRESS;
+ 		$handle = proc_open(addslashes($cmd), $descriptorspec, $pipes, $doc_root, NULL, array("bypass_shell" => true,  "suppress_errors" => true));
+ 	} else {
++		$descriptorspec = array(
++			0 => STDIN,
++			1 => STDOUT,
++			2 => STDERR,
++		);
++
+ 		$cmd = "exec {$php_executable} -t {$doc_root} $ini -S " . PHP_CLI_SERVER_ADDRESS . " 2>/dev/null";
+ 		$handle = proc_open($cmd, $descriptorspec, $pipes, $doc_root);
+ 	}
+
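Review bot: in the Windows branch stderr becomes `array("pipe", "w")`, but nothing in the visible part of `php_cli_server_start` reads or closes `$pipes[2]`, so a server that writes enough to stderr can block on a full pipe. Drain or close the pipe after `proc_open`, or send it to a null device as the non-Windows branch does with `2>/dev/null`. The two `$descriptorspec` arrays differ only at index 2; defining the array once and overriding that entry in the Windows branch would keep them from drifting apart.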
+From 3df6c9a8acda8fc9437dd7a6b6123ab6715ef040 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Wed, 23 Dec 2015 03:52:01 +0300
+Subject: [PATCH 5/6] Fixed test on 32-bit systems
+
+(cherry picked from php/php-src@1e3ab158432f8d97c3561fdfc17b7e4aa3dbdd60)
+---
+ ext/opcache/tests/bug71127.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/opcache/tests/bug71127.phpt b/ext/opcache/tests/bug71127.phpt
+index 5770aea1..0c606097 100644
+--- a/ext/opcache/tests/bug71127.phpt
++++ b/ext/opcache/tests/bug71127.phpt
+@@ -3,7 +3,7 @@ Bug #71127 (Define in auto_prepend_file is overwrite)
+ --INI--
+ opcache.enable=1
+ opcache.enable_cli=1
+-opcache.optimization_level=0xFFFFBFFF
++opcache.optimization_level=0x7FFFBFFF
+ --SKIPIF--
+ <?php if (!extension_loaded('Zend OPcache')) die("skip"); ?>
+ --FILE--
+
+From 03d9cf265a1febe21175b4cc856104e9fc9d4cdb Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 21 May 2019 11:17:28 +0200
+Subject: [PATCH 6/6] Prevent test case failure
+
+If opcache.log_verbosity_level is greater than 1, opcache will raise
+warnings, which will be written to stderr in the default case.  These
+warnings are actually to be expected, but would break the test, so we
+make sure that the log_verbosity_level is 1 when running this test.
+
+(cherry picked from php/php-src@e6a191de1b73c902b631cb8f0f70ed58b81005d4)
+---
+ ext/opcache/tests/bug66461.phpt | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ext/opcache/tests/bug66461.phpt b/ext/opcache/tests/bug66461.phpt
+index 33132abe..2d09feff 100644
+--- a/ext/opcache/tests/bug66461.phpt
++++ b/ext/opcache/tests/bug66461.phpt
+@@ -4,6 +4,7 @@ Bug #66461 (PHP crashes if opcache.interned_strings_buffer=0)
+ opcache.enable=1
+ opcache.enable_cli=1
+ opcache.optimization_level=-1
++opcache.log_verbosity_level=1
+ opcache.file_update_protection=0
+ opcache.interned_strings_buffer=0
+ --SKIPIF--
+

