From 0f167a2d74cabee751a1df1ca46c9da24f77f67e Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 28 May 2019 09:44:37 +0200 Subject: - iconv: Fix #78069 Out-of-bounds read in iconv.c:_php_iconv_mime_decode() CVE-2019-11039 - exif: Fix #77988 Heap-buffer-overflow on php_jpg_get16 CVE-2019-11040 - sqlite3: Fix #77967 Bypassing open_basedir restrictions via file uris --- php-bug78069.patch | 36 ++++++++++++++++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 php-bug78069.patch (limited to 'php-bug78069.patch') diff --git a/php-bug78069.patch b/php-bug78069.patch new file mode 100644 index 0000000..2e816c9 --- /dev/null +++ b/php-bug78069.patch @@ -0,0 +1,36 @@ +Without test as binary patch not supported + + + + +From 17d5e269dabc704c1cf24ebb03056142e28c9bfe Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 27 May 2019 16:32:42 -0700 +Subject: [PATCH] Fix bug #78069 - Out-of-bounds read in + iconv.c:_php_iconv_mime_decode() due to integer overflow + +(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac) +--- + ext/iconv/iconv.c | 4 +++- + ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes + ext/iconv/tests/bug78069.phpt | 15 +++++++++++++++ + 3 files changed, 18 insertions(+), 1 deletion(-) + create mode 100644 ext/iconv/tests/bug78069.data + create mode 100644 ext/iconv/tests/bug78069.phpt + +diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c +index ea619aa227..06145348f2 100644 +--- a/ext/iconv/iconv.c ++++ b/ext/iconv/iconv.c +@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st + * we can do at this point. */ + if (*(p1 + 1) == '=') { + ++p1; +- --str_left; ++ if (str_left > 1) { ++ --str_left; ++ } + } + + err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); + -- cgit