diff options
-rw-r--r-- | php-bug67392.patch | 27 | ||||
-rw-r--r-- | php-bug67410.patch | 41 | ||||
-rw-r--r-- | php-bug67411.patch | 37 | ||||
-rw-r--r-- | php-bug67412.patch | 40 | ||||
-rw-r--r-- | php-bug67413.patch | 34 | ||||
-rw-r--r-- | php56.spec | 16 |
6 files changed, 194 insertions, 1 deletions
diff --git a/php-bug67392.patch b/php-bug67392.patch new file mode 100644 index 0000000..ab9e1f8 --- /dev/null +++ b/php-bug67392.patch @@ -0,0 +1,27 @@ +From 6d1885342c1504a8697b41e075844b082f7b335f Mon Sep 17 00:00:00 2001 +From: Nikita Popov <nikic@php.net> +Date: Fri, 6 Jun 2014 17:09:49 +0200 +Subject: [PATCH] Fix bug #67392: dtrace breaks argument unpack + +--- + NEWS | 3 +++ + Zend/zend_execute.c | 3 ++- + 2 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c +index bdf8b6e..ad92c5f 100644 +--- a/Zend/zend_execute.c ++++ b/Zend/zend_execute.c +@@ -1490,7 +1490,8 @@ ZEND_API void execute_internal(zend_execute_data *execute_data_ptr, zend_fcall_i + } else { + zval **return_value_ptr = &EX_TMP_VAR(execute_data_ptr, execute_data_ptr->opline->result.var)->var.ptr; + execute_data_ptr->function_state.function->internal_function.handler( +- execute_data_ptr->opline->extended_value, *return_value_ptr, return_value_ptr, ++ execute_data_ptr->opline->extended_value + execute_data_ptr->call->num_additional_args, ++ *return_value_ptr, return_value_ptr, + execute_data_ptr->object, return_value_used TSRMLS_CC + ); + } +-- +1.9.2 + diff --git a/php-bug67410.patch b/php-bug67410.patch new file mode 100644 index 0000000..9e09d3a --- /dev/null +++ b/php-bug67410.patch @@ -0,0 +1,41 @@ +From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 10 Jun 2014 14:02:36 +0200 +Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of + truncated pascal string size + +Upstream +https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08 +--- + ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c +index 21fea6b..01e4977 100644 +--- a/ext/fileinfo/libmagic/softmagic.c ++++ b/ext/fileinfo/libmagic/softmagic.c +@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip) + return 1; + } + case FILE_PSTRING: { +- char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m); ++ size_t sz = file_pstring_length_size(m); ++ char *ptr1 = p->s, *ptr2 = ptr1 + sz; + size_t len = file_pstring_get_length(m, ptr1); +- if (len >= sizeof(p->s)) +- len = sizeof(p->s) - 1; ++ if (len >= sizeof(p->s)) { ++ /* ++ * The size of the pascal string length (sz) ++ * is 1, 2, or 4. We need at least 1 byte for NUL ++ * termination, but we've already truncated the ++ * string by p->s, so we need to deduct sz. ++ */ ++ len = sizeof(p->s) - sz; ++ } + while (len--) + *ptr1++ = *ptr2++; + *ptr1 = '\0'; +-- +1.9.2 + diff --git a/php-bug67411.patch b/php-bug67411.patch new file mode 100644 index 0000000..27c0204 --- /dev/null +++ b/php-bug67411.patch @@ -0,0 +1,37 @@ +From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 10 Jun 2014 14:13:14 +0200 +Subject: [PATCH] Fixed Bug #67411 fileinfo: cdf_check_stream_offset + insufficient boundary check + +Upstream: +https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67 +--- + ext/fileinfo/libmagic/cdf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c +index 16649f1..c9a5d50 100644 +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, + { + const char *b = (const char *)sst->sst_tab; + const char *e = ((const char *)p) + tail; ++ size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ? ++ CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h); + (void)&line; +- if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len) ++ if (e >= b && (size_t)(e - b) <= ss * sst->sst_len) + return 0; + DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u" + " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" + SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), +- CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); ++ ss * sst->sst_len, ss, sst->sst_len)); + errno = EFTYPE; + return -1; + } +-- +1.9.2 + diff --git a/php-bug67412.patch b/php-bug67412.patch new file mode 100644 index 0000000..8380dee --- /dev/null +++ b/php-bug67412.patch @@ -0,0 +1,40 @@ +From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 10 Jun 2014 14:22:04 +0200 +Subject: [PATCH] Bug #67412 fileinfo: cdf_count_chain insufficient + boundary check + +Upstream: +https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382 +--- + ext/fileinfo/libmagic/cdf.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c +index c9a5d50..ee467a6 100644 +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -470,7 +470,8 @@ size_t + cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) + { + size_t i, j; +- cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size); ++ cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size) ++ / sizeof(maxsector)); + + DPRINTF(("Chain:")); + for (j = i = 0; sid >= 0; i++, j++) { +@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) + errno = EFTYPE; + return (size_t)-1; + } +- if (sid > maxsector) { +- DPRINTF(("Sector %d > %d\n", sid, maxsector)); ++ if (sid >= maxsector) { ++ DPRINTF(("Sector %d >= %d\n", sid, maxsector)); + errno = EFTYPE; + return (size_t)-1; + } +-- +1.9.2 + diff --git a/php-bug67413.patch b/php-bug67413.patch new file mode 100644 index 0000000..3751e8d --- /dev/null +++ b/php-bug67413.patch @@ -0,0 +1,34 @@ +From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001 +From: Remi Collet <remi@php.net> +Date: Tue, 10 Jun 2014 14:33:37 +0200 +Subject: [PATCH] Fixed Bug #67413 fileinfo: cdf_read_property_info + insufficient boundary chec + +Upstream: +https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d + +Adapted for C standard. +--- + ext/fileinfo/libmagic/cdf.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c +index ee467a6..429f3b9 100644 +--- a/ext/fileinfo/libmagic/cdf.c ++++ b/ext/fileinfo/libmagic/cdf.c +@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, + if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) + goto out; + for (i = 0; i < sh.sh_properties; i++) { +- size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); ++ size_t ofs, tail = (i << 1) + 1; ++ if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), ++ __LINE__) == -1) ++ goto out; ++ ofs = CDF_GETUINT32(p, tail); + q = (const uint8_t *)(const void *) + ((const char *)(const void *)p + ofs + - 2 * sizeof(uint32_t)); +-- +1.9.2 + @@ -124,7 +124,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.6.0 %if 0%{?snapdate:1}%{?rcver:1} -Release: 0.10.%{?snapdate}%{?rcver}%{?dist} +Release: 0.11.%{?snapdate}%{?rcver}%{?dist} %else Release: 1%{?dist} %endif @@ -186,6 +186,11 @@ Patch91: php-5.3.7-oci8conf.patch # Upstream fixes (100+) Patch100: php-reg67118.patch +Patch101: php-bug67392.patch +Patch102: php-bug67410.patch +Patch103: php-bug67411.patch +Patch104: php-bug67412.patch +Patch105: php-bug67413.patch # Security fixes (200+) @@ -909,6 +914,11 @@ rm -rf ext/json # upstream patches %patch100 -p1 -b .reg67118 +%patch101 -p1 -b .bug67392 +%patch102 -p1 -b .bug67410 +%patch103 -p1 -b .bug67411 +%patch104 -p1 -b .bug67412 +%patch105 -p1 -b .bug67413 # security patches @@ -1911,6 +1921,10 @@ fi %changelog +* Tue Jun 10 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.11.beta4 +- test build for bug 67410, 67411, 67412, 67413 +- fix 67392, dtrace breaks argument unpack + * Thu Jun 5 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.10.beta4 - fix regression introduce in fix for #67118 |