-rw-r--r--php-bug67392.patch27
-rw-r--r--php-bug67410.patch41
-rw-r--r--php-bug67411.patch37
-rw-r--r--php-bug67412.patch40
-rw-r--r--php-bug67413.patch34
-rw-r--r--php56.spec16
6 files changed, 194 insertions, 1 deletions
diff --git a/php-bug67392.patch b/php-bug67392.patch
new file mode 100644
index 0000000..ab9e1f8
--- /dev/null
+++ b/php-bug67392.patch
@@ -0,0 +1,27 @@
+From 6d1885342c1504a8697b41e075844b082f7b335f Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikic@php.net>
+Date: Fri, 6 Jun 2014 17:09:49 +0200
+Subject: [PATCH] Fix bug #67392: dtrace breaks argument unpack
+
+---
+ NEWS | 3 +++
+ Zend/zend_execute.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
+index bdf8b6e..ad92c5f 100644
+--- a/Zend/zend_execute.c
++++ b/Zend/zend_execute.c
+@@ -1490,7 +1490,8 @@ ZEND_API void execute_internal(zend_execute_data *execute_data_ptr, zend_fcall_i
+ } else {
+ zval **return_value_ptr = &EX_TMP_VAR(execute_data_ptr, execute_data_ptr->opline->result.var)->var.ptr;
+ execute_data_ptr->function_state.function->internal_function.handler(
+- execute_data_ptr->opline->extended_value, *return_value_ptr, return_value_ptr,
++ execute_data_ptr->opline->extended_value + execute_data_ptr->call->num_additional_args,
++ *return_value_ptr, return_value_ptr,
+ execute_data_ptr->object, return_value_used TSRMLS_CC
+ );
+ }
+--
+1.9.2
+
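Review bot: The new argument-count expression in the embedded zend_execute.c hunk dereferences `execute_data_ptr->call` with no visible guarantee that it is set on this path, and nothing records why the count is now a sum. A comment above the call, for example `/* extended_value presumably counts only the statically passed arguments; unpacked ones are added from call->num_additional_args */`, would capture the intent, and it is worth confirming that `call` is never NULL when this `else` branch is reached. The embedded patch header's diffstat still lists NEWS although no NEWS hunk is carried in this file. execute_internal's body starts and ends outside the hunk.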
diff --git a/php-bug67410.patch b/php-bug67410.patch
new file mode 100644
index 0000000..9e09d3a
--- /dev/null
+++ b/php-bug67410.patch
@@ -0,0 +1,41 @@
+From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:02:36 +0200
+Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
+ truncated pascal string size
+
+Upstream
+https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+---
+ ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 21fea6b..01e4977 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ return 1;
+ }
+ case FILE_PSTRING: {
+- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++ size_t sz = file_pstring_length_size(m);
++ char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ size_t len = file_pstring_get_length(m, ptr1);
+- if (len >= sizeof(p->s))
+- len = sizeof(p->s) - 1;
++ if (len >= sizeof(p->s)) {
++ /*
++ * The size of the pascal string length (sz)
++ * is 1, 2, or 4. We need at least 1 byte for NUL
++ * termination, but we've already truncated the
++ * string by p->s, so we need to deduct sz.
++ */
++ len = sizeof(p->s) - sz;
++ }
+ while (len--)
+ *ptr1++ = *ptr2++;
+ *ptr1 = '\0';
+--
+1.9.2
+
diff --git a/php-bug67411.patch b/php-bug67411.patch
new file mode 100644
index 0000000..27c0204
--- /dev/null
+++ b/php-bug67411.patch
@@ -0,0 +1,37 @@
+From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:13:14 +0200
+Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset
+ insufficient boundary check
+
+Upstream:
+https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
+---
+ ext/fileinfo/libmagic/cdf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 16649f1..c9a5d50 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
+ {
+ const char *b = (const char *)sst->sst_tab;
+ const char *e = ((const char *)p) + tail;
++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ (void)&line;
+- if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ return 0;
+ DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
+ " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++ ss * sst->sst_len, ss, sst->sst_len));
+ errno = EFTYPE;
+ return -1;
+ }
+--
+1.9.2
+
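Review bot: The new `ss` selection in cdf_check_stream_offset has no comment saying why a stream with `sst_dirlen < h->h_min_size_standard_stream` is bounded by the short sector size, and the limit `ss * sst->sst_len` is multiplied without an overflow check. I would add `/* streams below the standard-stream threshold are stored in short sectors, so bound them by that sector size */` above the declaration, with the wording confirmed against the CDF layout. It is also worth checking that the callers bound `sst_len`, which this hunk does not show. The function's signature begins outside the hunk.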
diff --git a/php-bug67412.patch b/php-bug67412.patch
new file mode 100644
index 0000000..8380dee
--- /dev/null
+++ b/php-bug67412.patch
@@ -0,0 +1,40 @@
+From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:22:04 +0200
+Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient
+ boundary check
+
+Upstream:
+https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+---
+ ext/fileinfo/libmagic/cdf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index c9a5d50..ee467a6 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ size_t i, j;
+- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++ / sizeof(maxsector));
+
+ DPRINTF(("Chain:"));
+ for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+- if (sid > maxsector) {
+- DPRINTF(("Sector %d > %d\n", sid, maxsector));
++ if (sid >= maxsector) {
++ DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ errno = EFTYPE;
+ return (size_t)-1;
+ }
+--
+1.9.2
+
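Review bot: The divisor `sizeof(maxsector)` in cdf_count_chain refers to the variable inside its own initializer; that is legal, but it hides that the value meant is the size of one sector-id entry. `/ sizeof(cdf_secid_t)` says so directly, ideally with a comment such as `/* number of sector ids that fit in the allocation table */`. The cast of the size_t quotient to `cdf_secid_t` can still truncate for a large `sat_len * size`. Together with the new `sid >= maxsector` test, a truncated or negative result can only lower the limit, so it fails closed, but that deserves a sentence in the comment. The loop body continues outside the two embedded hunks.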
diff --git a/php-bug67413.patch b/php-bug67413.patch
new file mode 100644
index 0000000..3751e8d
--- /dev/null
+++ b/php-bug67413.patch
@@ -0,0 +1,34 @@
+From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:33:37 +0200
+Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info
+ insufficient boundary chec
+
+Upstream:
+https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
+
+Adapted for C standard.
+---
+ ext/fileinfo/libmagic/cdf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index ee467a6..429f3b9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ goto out;
+ for (i = 0; i < sh.sh_properties; i++) {
+- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++ size_t ofs, tail = (i << 1) + 1;
++ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++ __LINE__) == -1)
++ goto out;
++ ofs = CDF_GETUINT32(p, tail);
+ q = (const uint8_t *)(const void *)
+ ((const char *)(const void *)p + ofs
+ - 2 * sizeof(uint32_t));
+--
+1.9.2
+
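Review bot: The added bounds check in cdf_read_property_info validates the offset where the 32-bit field starts, not where it ends. It passes `tail * sizeof(uint32_t)`, while `CDF_GETUINT32(p, tail)` presumably reads four bytes beginning at that offset. Since cdf_check_stream_offset accepts an end pointer equal to the end of the stream (the `<=` comparison visible in php-bug67411.patch), the last element can still be read up to four bytes past the buffer. Passing `(tail + 1) * sizeof(uint32_t)` covers the whole field. The `ofs` value used on the following lines is validated, if at all, outside the hunk.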
diff --git a/php56.spec b/php56.spec
index 303bfd5..308d3f1 100644
--- a/php56.spec
+++ b/php56.spec
@@ -124,7 +124,7 @@ Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.6.0
%if 0%{?snapdate:1}%{?rcver:1}
-Release: 0.10.%{?snapdate}%{?rcver}%{?dist}
+Release: 0.11.%{?snapdate}%{?rcver}%{?dist}
%else
Release: 1%{?dist}
%endif
@@ -186,6 +186,11 @@ Patch91: php-5.3.7-oci8conf.patch
# Upstream fixes (100+)
Patch100: php-reg67118.patch
+Patch101: php-bug67392.patch
+Patch102: php-bug67410.patch
+Patch103: php-bug67411.patch
+Patch104: php-bug67412.patch
+Patch105: php-bug67413.patch
# Security fixes (200+)
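Review bot: Patch102 to Patch105 are boundary-check fixes in the fileinfo parsers, yet they are registered in the "Upstream fixes (100+)" range rather than under "Security fixes (200+)". If they are treated as security-relevant, numbering them in the 200 range would keep the spec's own grouping usable for audit. Failing that, a comment line such as `# 102-105: fileinfo bounds checks, candidates for the security range` would serve the same purpose. The matching `%patch` lines in the next hunk would move with them.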
@@ -909,6 +914,11 @@ rm -rf ext/json
# upstream patches
%patch100 -p1 -b .reg67118
+%patch101 -p1 -b .bug67392
+%patch102 -p1 -b .bug67410
+%patch103 -p1 -b .bug67411
+%patch104 -p1 -b .bug67412
+%patch105 -p1 -b .bug67413
# security patches
@@ -1911,6 +1921,10 @@ fi
%changelog
+* Tue Jun 10 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.11.beta4
+- test build for bug 67410, 67411, 67412, 67413
+- fix 67392, dtrace breaks argument unpack
+
* Thu Jun 5 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.10.beta4
- fix regression introduce in fix for #67118