From 22b274864edbc4052b961c5d14beecf665b46c49 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Sat, 10 Sep 2016 10:14:22 +0200
Subject: PHP 5.5.38 + security patches from 5.6.25
---
bug70436.patch | 97 +++++++++++++++++++++++++++
bug72627.patch | 34 ++++++++++
bug72663.patch | 206 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
bug72681.patch | 129 ++++++++++++++++++++++++++++++++++++
bug72697.patch | 94 ++++++++++++++++++++++++++
bug72708.patch | 25 +++++++
bug72716.patch | 24 +++++++
bug72730.patch | 52 +++++++++++++++
bug72749.patch | 90 +++++++++++++++++++++++++
bug72750.patch | 72 ++++++++++++++++++++
bug72771.patch | 26 ++++++++
bug72790.patch | 134 +++++++++++++++++++++++++++++++++++++
bug72807.patch | 60 +++++++++++++++++
bug72836.patch | 56 ++++++++++++++++
bug72837.patch | 45 +++++++++++++
bug72838.patch | 28 ++++++++
bug72848.patch | 83 +++++++++++++++++++++++
bug72849.patch | 51 ++++++++++++++
bug72850.patch | 54 +++++++++++++++
failed.txt | 2 +-
php.spec | 84 ++++++++++++++++++++++-
21 files changed, 1444 insertions(+), 2 deletions(-)
create mode 100644 bug70436.patch
create mode 100644 bug72627.patch
create mode 100644 bug72663.patch
create mode 100644 bug72681.patch
create mode 100644 bug72697.patch
create mode 100644 bug72708.patch
create mode 100644 bug72716.patch
create mode 100644 bug72730.patch
create mode 100644 bug72749.patch
create mode 100644 bug72750.patch
create mode 100644 bug72771.patch
create mode 100644 bug72790.patch
create mode 100644 bug72807.patch
create mode 100644 bug72836.patch
create mode 100644 bug72837.patch
create mode 100644 bug72838.patch
create mode 100644 bug72848.patch
create mode 100644 bug72849.patch
create mode 100644 bug72850.patch
diff --git a/bug70436.patch b/bug70436.patch
new file mode 100644
index 0000000..c3dc139
--- /dev/null
+++ b/bug70436.patch 
@@ -0,0 +1,97 @@ +Backported from 5.6.25 by Remi. + +From 27fe2b42fc4a0e82b30dba11e177611ac6a88bf5 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 7 Aug 2016 15:16:28 -0700 +Subject: [PATCH] Fix bug #70436: Use After Free Vulnerability in unserialize() + +--- + ext/standard/tests/strings/bug70436.phpt | 65 ++++++++++++++++++++++++++++++++ + ext/standard/var.c | 1 + + 2 files changed, 66 insertions(+) + create mode 100644 ext/standard/tests/strings/bug70436.phpt + +diff --git a/ext/standard/tests/strings/bug70436.phpt b/ext/standard/tests/strings/bug70436.phpt +new file mode 100644 +index 0000000..c62e468 +--- /dev/null ++++ b/ext/standard/tests/strings/bug70436.phpt +@@ -0,0 +1,65 @@ ++--TEST-- ++Bug #70436: Use After Free Vulnerability in unserialize() ++--FILE-- ++data); ++ } ++ ++ function unserialize($data) ++ { ++ $this->data = unserialize($data); ++ } ++} ++ ++$fakezval = ptr2str(1122334455); ++$fakezval .= ptr2str(0); ++$fakezval .= "\x00\x00\x00\x00"; ++$fakezval .= "\x01"; ++$fakezval .= "\x00"; ++$fakezval .= "\x00\x00"; ++ ++$inner = 'C:3:"obj":3:{ryat'; ++$exploit = 'a:4:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:2;s:'.strlen($fakezval).':"'.$fakezval.'";i:3;R:5;}'; ++ ++$data = unserialize($exploit); ++ ++var_dump($data); ++ ++function ptr2str($ptr) ++{ ++ $out = ''; ++ ++ for ($i = 0; $i < 8; $i++) { ++ $out .= chr($ptr & 0xff); ++ $ptr >>= 8; ++ } ++ ++ return $out; ++} ++?> ++DONE ++--EXPECTF-- ++Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d ++ ++Notice: unserialize(): Error at offset 17 of 17 bytes in %sbug70436.php on line %d ++array(4) { ++ [0]=> ++ int(1) ++ [1]=> ++ object(obj)#%d (1) { ++ ["data"]=> ++ bool(false) ++ } ++ [2]=> ++ string(24) "%s" ++ [3]=> ++ bool(false) ++} ++DONE +\ No newline at end of file +diff --git a/ext/standard/var.c b/ext/standard/var.c +index f0efef2..137e794 100644 +--- a/ext/standard/var.c ++++ b/ext/standard/var.c +@@ -965,6 +965,7 @@ 
PHP_FUNCTION(unserialize) + p = (const unsigned char*) buf; + PHP_VAR_UNSERIALIZE_INIT(var_hash); + if (!php_var_unserialize(&return_value, &p, p + buf_len, &var_hash TSRMLS_CC)) { ++ var_push_dtor(&var_hash, &return_value); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + zval_dtor(return_value); + if (!EG(exception)) { diff --git a/bug72627.patch b/bug72627.patch new file mode 100644 index 0000000..410e40e --- /dev/null +++ b/bug72627.patch @@ -0,0 +1,34 @@ +Backported from 5.6.25 by Remi. +Binary patch dropped + +From 32a629ef2cff754c3dd6cc24eb1e25aeaf439891 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 8 Aug 2016 00:49:34 -0700 +Subject: [PATCH] Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF + +--- + ext/exif/exif.c | 5 ++- + ext/exif/tests/bug72627.phpt | 71 +++++++++++++++++++++++++++++++++++++++++++ + ext/exif/tests/bug72627.tiff | Bin 0 -> 1250 bytes + 3 files changed, 75 insertions(+), 1 deletion(-) + create mode 100644 ext/exif/tests/bug72627.phpt + create mode 100644 ext/exif/tests/bug72627.tiff + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index f95de3a..657a2cc1 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3778,8 +3778,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size); + if (fgot < ImageInfo->Thumbnail.size) { + EXIF_ERRLOG_THUMBEOF(ImageInfo) ++ efree(ImageInfo->Thumbnail.data); ++ ImageInfo->Thumbnail.data = NULL; ++ } else { ++ exif_thumbnail_build(ImageInfo TSRMLS_CC); + } +- exif_thumbnail_build(ImageInfo TSRMLS_CC); + } + #ifdef EXIF_DEBUG + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done"); + diff --git a/bug72663.patch b/bug72663.patch new file mode 100644 index 0000000..498a58e --- /dev/null +++ b/bug72663.patch 
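Review bot: The new `var_push_dtor(&var_hash, &return_value);` in PHP_FUNCTION(unserialize) is order-sensitive — it must run before `PHP_VAR_UNSERIALIZE_DESTROY(var_hash)` and `zval_dtor(return_value)` — yet it carries no comment, and a later cleanup that reorders these three lines would quietly reintroduce the use-after-free this patch closes. A one-line why-comment would pin the ordering, e.g. `/* register return_value with var_hash first so back-references into it are released before zval_dtor() below (bug #70436) */`. The exact semantics of var_push_dtor are not visible in this hunk, so confirm the wording against var_unserializer.c before committing it. The rest of the function lies outside the hunk.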
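Review bot: In exif_process_IFD_in_TIFF the short-read branch frees `ImageInfo->Thumbnail.data` and sets it to NULL but leaves `ImageInfo->Thumbnail.size` at the requested length, so any later consumer that keys off `size` rather than `data` (none is visible in this hunk) would read through a NULL pointer. Adding `ImageInfo->Thumbnail.size = 0;` next to the NULL assignment keeps the two fields consistent at no cost. The types of `fgot` and `Thumbnail.size` are also not shown; if one is signed and the other unsigned, a -1 read result would not be caught by `fgot < ImageInfo->Thumbnail.size`, which is worth confirming. The enclosing function continues outside the hunk.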
@@ -0,0 +1,206 @@ +Backported from 5.6.25 by Remi. + +From c1cfd6a9fe23765191ea2f654790c7b127d4b797 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 2 Aug 2016 01:08:42 -0700 +Subject: [PATCH] Fix bug #72663 - destroy broken object when unserializing + +--- + ext/standard/tests/strings/bug72663.phpt | 26 +++++++++++ + ext/standard/tests/strings/bug72663_2.phpt | 17 ++++++++ + ext/standard/var_unserializer.c | 70 ++++++++++++++++-------------- + ext/standard/var_unserializer.re | 5 ++- + 4 files changed, 84 insertions(+), 34 deletions(-) + create mode 100644 ext/standard/tests/strings/bug72663.phpt + create mode 100644 ext/standard/tests/strings/bug72663_2.phpt + +diff --git a/ext/standard/tests/strings/bug72663.phpt b/ext/standard/tests/strings/bug72663.phpt +new file mode 100644 +index 0000000..e61f939 +--- /dev/null ++++ b/ext/standard/tests/strings/bug72663.phpt +@@ -0,0 +1,26 @@ ++--TEST-- ++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization ++--FILE-- ++data); ++ } ++ function unserialize($data) { ++ $this->data = unserialize($data); ++ } ++} ++ ++$inner = 'a:1:{i:0;O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:4;}'; ++$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}'; ++ ++$data = unserialize($exploit); ++echo $data[1]; ++?> ++DONE ++--EXPECTF-- ++Notice: unserialize(): Unexpected end of serialized data in %sbug72663.php on line %d ++ ++Notice: unserialize(): Error at offset 46 of 47 bytes in %sbug72663.php on line %d ++DONE +\ No newline at end of file +diff --git a/ext/standard/tests/strings/bug72663_2.phpt b/ext/standard/tests/strings/bug72663_2.phpt +new file mode 100644 +index 0000000..ac605e9 +--- /dev/null ++++ b/ext/standard/tests/strings/bug72663_2.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization ++--FILE-- ++ ++DONE ++--EXPECTF-- ++Notice: session_decode(): Unexpected end of serialized data in 
%sbug72663_2.php on line %d ++array(0) { ++} ++DONE +\ No newline at end of file +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index 1e45b03..e4ddecf 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -437,6 +437,9 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + } + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { ++ /* We've got partially constructed object on our hands here. Wipe it */ ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ ZVAL_NULL(*rval); + return 0; + } + +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index d1d4ef9..c1c18c9 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -443,6 +443,9 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + } + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { ++ /* We've got partially constructed object on our hands here. Wipe it. */ ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ ZVAL_NULL(*rval); + return 0; + } + +From b25f44098fdc8cecfd62d0fc5422c23d8747dcd2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 4 Aug 2016 00:03:31 -0700 +Subject: [PATCH] Update comment + +--- + ext/standard/var_unserializer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index e4ddecf..1d459ae 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -437,7 +437,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + } + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { +- /* We've got partially constructed object on our hands here. Wipe it */ ++ /* We've got partially constructed object on our hands here. Wipe it. 
*/ + zend_hash_clean(Z_OBJPROP_PP(rval)); + ZVAL_NULL(*rval); + return 0; +From 75c0dbdd028ffa20eae5cf3a2fae194961464b8b Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 7 Aug 2016 15:33:29 -0700 +Subject: [PATCH] Improve fix for #72663 + +--- + ext/standard/tests/strings/bug72663_3.phpt | 18 ++++++++ + ext/standard/var_unserializer.c | 68 ++++++++++++++++-------------- + ext/standard/var_unserializer.re | 8 +++- + 3 files changed, 62 insertions(+), 32 deletions(-) + create mode 100644 ext/standard/tests/strings/bug72663_3.phpt + +diff --git a/ext/standard/tests/strings/bug72663_3.phpt b/ext/standard/tests/strings/bug72663_3.phpt +new file mode 100644 +index 0000000..e336bc8 +--- /dev/null ++++ b/ext/standard/tests/strings/bug72663_3.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization ++--FILE-- ++ryat = str_repeat('A', 0x112); ++ } ++} ++ ++$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;'; ++unserialize($poc); ++?> ++DONE ++--EXPECTF-- ++Notice: unserialize(): Error at offset 51 of 50 bytes in %sbug72663_3.php on line %d ++DONE +\ No newline at end of file +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index 1d459ae..c8e6f8a 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -438,11 +438,17 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { + /* We've got partially constructed object on our hands here. Wipe it. 
*/ +- zend_hash_clean(Z_OBJPROP_PP(rval)); ++ if(Z_TYPE_PP(rval) == IS_OBJECT) { ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ } + ZVAL_NULL(*rval); + return 0; + } + ++ if (Z_TYPE_PP(rval) != IS_OBJECT) { ++ return 0; ++ } ++ + if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY && + zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) { + INIT_PZVAL(&fname); +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index c1c18c9..11b93c5 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -444,11 +444,17 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + + if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) { + /* We've got partially constructed object on our hands here. Wipe it. */ +- zend_hash_clean(Z_OBJPROP_PP(rval)); ++ if(Z_TYPE_PP(rval) == IS_OBJECT) { ++ zend_hash_clean(Z_OBJPROP_PP(rval)); ++ } + ZVAL_NULL(*rval); + return 0; + } + ++ if (Z_TYPE_PP(rval) != IS_OBJECT) { ++ return 0; ++ } ++ + if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY && + zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) { + INIT_PZVAL(&fname); diff --git a/bug72681.patch b/bug72681.patch new file mode 100644 index 0000000..23a741d --- /dev/null +++ b/bug72681.patch 
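Review bot: The bare `if (Z_TYPE_PP(rval) != IS_OBJECT) { return 0; }` added after process_nested_data succeeds in object_common2 has no comment explaining how a non-object can be sitting in `*rval` there, whereas the failure branch just above documents its wipe; something like `/* nested data may have replaced *rval through a back-reference; a non-object must not receive __wakeup */` would do (hedged — the replacement mechanism is not visible in the hunk). Style: `if(Z_TYPE_PP(rval) == IS_OBJECT) {` drops the space after `if` that every neighbouring condition uses. var_unserializer.c is re2c output of var_unserializer.re, so both copies are patched by hand here; after the intermediate "Update comment" commit they are identical, and they should stay that way. The enclosing function extends beyond the hunk in both files.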
@@ -0,0 +1,129 @@ +Backported from 5.6.25 by Remi. + +From 61156f0d68704df748b5cbf08c77582c208db8c9 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 3 Aug 2016 00:30:12 -0700 +Subject: [PATCH] Fix bug #72681 - consume data even if we're not storing them + +--- + ext/session/session.c | 25 ++++++++++++++++++------- + ext/session/tests/bug72681.phpt | 16 ++++++++++++++++ + 2 files changed, 34 insertions(+), 7 deletions(-) + create mode 100644 ext/session/tests/bug72681.phpt + +diff --git a/ext/session/session.c b/ext/session/session.c +index c668bb7..b2d0236 100644 +--- a/ext/session/session.c ++++ b/ext/session/session.c +@@ -923,11 +923,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ + int namelen; + int has_value; + php_unserialize_data_t var_hash; ++ int skip = 0; + + PHP_VAR_UNSERIALIZE_INIT(var_hash); + + for (p = val; p < endptr; ) { + zval **tmp; ++ skip = 0; + namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF); + + if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) { +@@ -943,22 +945,25 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ + + if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) { + if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) { +- efree(name); +- continue; ++ skip = 1; + } + } + + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { +- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ if (!skip) { ++ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ } + } else { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; + } + var_push_dtor_no_addref(&var_hash, ¤t); + } +- PS_ADD_VARL(name, namelen); ++ if (!skip) { ++ PS_ADD_VARL(name, namelen); ++ } + efree(name); + } + +@@ -1015,6 +1020,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + int namelen; + int has_value; + 
php_unserialize_data_t var_hash; ++ int skip = 0; + + PHP_VAR_UNSERIALIZE_INIT(var_hash); + +@@ -1023,6 +1029,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + while (p < endptr) { + zval **tmp; + q = p; ++ skip = 0; + while (*q != PS_DELIMITER) { + if (++q >= endptr) goto break_outer_loop; + } +@@ -1039,14 +1046,16 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + + if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) { + if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) { +- goto skip; ++ skip = 1; + } + } + + if (has_value) { + ALLOC_INIT_ZVAL(current); + if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { +- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ if (!skip) { ++ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); ++ } + } else { + var_push_dtor_no_addref(&var_hash, ¤t); + efree(name); +@@ -1055,7 +1064,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ + } + var_push_dtor_no_addref(&var_hash, ¤t); + } +- PS_ADD_VARL(name, namelen); ++ if (!skip) { ++ PS_ADD_VARL(name, namelen); ++ } + skip: + efree(name); + +diff --git a/ext/session/tests/bug72681.phpt b/ext/session/tests/bug72681.phpt +new file mode 100644 +index 0000000..ca38b07 +--- /dev/null ++++ b/ext/session/tests/bug72681.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #72681: PHP Session Data Injection Vulnerability ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECT-- ++array(0) { ++} diff --git a/bug72697.patch b/bug72697.patch new file mode 100644 index 0000000..a29ff7a --- /dev/null +++ b/bug72697.patch 
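Review bot: In PS_SERIALIZER_DECODE_FUNC(php) the only visible `goto skip;` is replaced by `skip = 1;`, but the `skip:` label before `efree(name);` remains, so it is now unreferenced (a `-Wunused-label` warning) and it shares its spelling with the new `int skip` local, which reads badly even though labels live in their own namespace. If no other `goto skip` survives elsewhere in the function (its body extends outside the hunk), drop the label; otherwise rename the local, e.g. `int skip_var = 0;`, in both decoders. Separately, the php_binary decoder's failure branch shown in this hunk still does `PHP_VAR_UNSERIALIZE_DESTROY(var_hash); return FAILURE;` without `efree(name)` or handing `current` to the dtor list, unlike the php decoder below it, which appears to be a pre-existing leak worth fixing while here.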
@@ -0,0 +1,94 @@ +Backported from 5.6.25 by Remi. + +From 4d76676101f8814520ea988e42b3bda54eb9e255 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 10 Aug 2016 00:00:14 -0700 +Subject: [PATCH] Fix bug#72697 - select_colors write out-of-bounds + +--- + ext/gd/gd.c | 16 ++++++++-------- + ext/gd/tests/bug72697.phpt | 17 +++++++++++++++++ + 2 files changed, 25 insertions(+), 8 deletions(-) + create mode 100644 ext/gd/tests/bug72697.phpt + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index b96f901..5c604b7 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -1615,11 +1615,11 @@ PHP_FUNCTION(imagetruecolortopalette) + + ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd); + +- if (ncolors <= 0) { +- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero"); ++ if (ncolors <= 0 || ncolors > INT_MAX) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX); + RETURN_FALSE; + } +- gdImageTrueColorToPalette(im, dither, ncolors); ++ gdImageTrueColorToPalette(im, dither, (int)ncolors); + + RETURN_TRUE; + } +diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt +new file mode 100644 +index 0000000..6110385 +--- /dev/null ++++ b/ext/gd/tests/bug72697.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72697: select_colors write out-of-bounds ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECTF-- ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d ++DONE +\ No newline at end of file + +From 64e4b276bda8bfa504df8acb40d07369b8d124b3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Tue, 16 Aug 2016 16:47:53 -0700 +Subject: [PATCH] fix tests + +--- + ext/gd/tests/imagetruecolortopalette_error3.phpt | 2 +- + ext/gd/tests/imagetruecolortopalette_error4.phpt | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git 
a/ext/gd/tests/imagetruecolortopalette_error3.phpt b/ext/gd/tests/imagetruecolortopalette_error3.phpt +index d65a995..dbbdb08 100644 +--- a/ext/gd/tests/imagetruecolortopalette_error3.phpt ++++ b/ext/gd/tests/imagetruecolortopalette_error3.phpt +@@ -25,4 +25,4 @@ Warning: imagetruecolortopalette() expects parameter 3 to be long, resource give + + Warning: imagetruecolortopalette() expects parameter 3 to be long, array given in %s on line %d + +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d +\ No newline at end of file ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d +\ No newline at end of file +diff --git a/ext/gd/tests/imagetruecolortopalette_error4.phpt b/ext/gd/tests/imagetruecolortopalette_error4.phpt +index b9661e3..1d56bfc 100644 +--- a/ext/gd/tests/imagetruecolortopalette_error4.phpt ++++ b/ext/gd/tests/imagetruecolortopalette_error4.phpt +@@ -16,6 +16,6 @@ imagetruecolortopalette($image, true, -1); + + ?> + --EXPECTF-- +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d + +-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d +\ No newline at end of file ++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d +\ No newline at end of file diff --git a/bug72708.patch b/bug72708.patch new file mode 100644 index 0000000..2d1c01e --- /dev/null +++ b/bug72708.patch 
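Review bot: The new `ncolors > INT_MAX` guard in PHP_FUNCTION(imagetruecolortopalette) is silent about why it exists; since the `(int)ncolors` cast on the next changed line is what it protects, a comment such as `/* ncolors is cast to int below; reject values that would truncate or go negative */` would stop a future cleanup from dropping it. The declared type of `ncolors` is outside the hunk; if it is `long`, on ILP32 targets the comparison is always false and some compilers warn (`-Wtype-limits`), which is harmless but worth knowing when the build log is reviewed. The function starts outside the hunk.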
@@ -0,0 +1,25 @@ +Backported from 5.6.25 by Remi. + +From b9ab6e14ffd602d2020da53be44bf2e77aae7b55 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 3 Aug 2016 22:37:57 -0700 +Subject: [PATCH] Fix bug #72708 - php_snmp_parse_oid integer overflow in + memory allocation + +--- + ext/snmp/snmp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c +index b88cdcd..d2c1b94 100644 +--- a/ext/snmp/snmp.c ++++ b/ext/snmp/snmp.c +@@ -1034,7 +1034,7 @@ static int php_snmp_parse_oid(zval *object, int st, struct objid_query *objid_qu + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Got empty OID array"); + return FALSE; + } +- objid_query->vars = (snmpobjarg *)emalloc(sizeof(snmpobjarg) * zend_hash_num_elements(Z_ARRVAL_PP(oid))); ++ objid_query->vars = (snmpobjarg *)safe_emalloc(sizeof(snmpobjarg), zend_hash_num_elements(Z_ARRVAL_PP(oid)), 0); + if (objid_query->vars == NULL) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "emalloc() failed while parsing oid array: %s", strerror(errno)); + efree(objid_query->vars); diff --git a/bug72716.patch b/bug72716.patch new file mode 100644 index 0000000..3a6f94a --- /dev/null +++ b/bug72716.patch 
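Review bot: `safe_emalloc(sizeof(snmpobjarg), zend_hash_num_elements(...), 0)` in php_snmp_parse_oid passes the element size in the `nmemb` slot and the count in the `size` slot; the product and its overflow check come out the same either way, but `safe_emalloc(zend_hash_num_elements(Z_ARRVAL_PP(oid)), sizeof(snmpobjarg), 0)` matches the declared parameter order and reads as intended. The `if (objid_query->vars == NULL)` branch in the context lines looks unreachable — as far as I know Zend's allocator bails out on OOM rather than returning NULL — and its `efree(objid_query->vars)` on a NULL pointer is at best a no-op, so it could be removed in a follow-up. The function extends beyond the hunk.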
@@ -0,0 +1,24 @@ +Backported from 5.6.25 by Remi. + +From 9c291f0fa0c8b8c6994f521f5863c407494eb1dc Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 3 Aug 2016 22:59:01 -0700 +Subject: [PATCH] Fix bug #72716 - initialize buffer before read + +--- + ext/standard/ftp_fopen_wrapper.c | 81 ++++++++++++++++++++-------------------- + 1 file changed, 41 insertions(+), 40 deletions(-) + +diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c +index b7eeb56..0d5384e 100644 +--- a/ext/standard/ftp_fopen_wrapper.c ++++ b/ext/standard/ftp_fopen_wrapper.c +@@ -82,6 +82,7 @@ typedef struct _php_ftp_dirstream_data { + */ + static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC) + { ++ buffer[0] = '\0'; /* in case read fails to read anything */ + while (php_stream_gets(stream, buffer, buffer_size-1) && + !(isdigit((int) buffer[0]) && isdigit((int) buffer[1]) && + isdigit((int) buffer[2]) && buffer[3] == ' ')); + diff --git a/bug72730.patch b/bug72730.patch new file mode 100644 index 0000000..a23f63d --- /dev/null +++ b/bug72730.patch 
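Review bot: `buffer[0] = '\0';` in get_ftp_result only covers the case where the first `php_stream_gets` fails; the loop condition reads `buffer[1]`, `buffer[2]` and `buffer[3]` after any successful read, and a reply line shorter than four bytes leaves those slots holding stale or uninitialized bytes. `memset(buffer, 0, buffer_size);` (or zeroing at least the first four bytes) would make the whole probe well-defined. Independently, `isdigit((int) buffer[0])` passes a plain `char`, which is undefined for negative values on signed-char platforms — `isdigit((unsigned char) buffer[0])` is the correct form for all four calls. The function's tail, where the reply code is extracted from `buffer`, is outside the hunk.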
@@ -0,0 +1,52 @@ +Backported from 5.6.25 by Remi. + +From 229782c0ada4d7e72dba6327cc7dff889ce7d92f Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 10 Aug 2016 00:14:58 -0700 +Subject: [PATCH] Fix bug #72730 - imagegammacorrect allows arbitrary write + access + +--- + ext/gd/gd.c | 5 +++++ + ext/gd/tests/bug72730.phpt | 15 +++++++++++++++ + 2 files changed, 20 insertions(+) + create mode 100644 ext/gd/tests/bug72730.phpt + +diff --git a/ext/gd/gd.c b/ext/gd/gd.c +index 5c604b7..0fb9604 100644 +--- a/ext/gd/gd.c ++++ b/ext/gd/gd.c +@@ -3036,6 +3036,11 @@ PHP_FUNCTION(imagegammacorrect) + return; + } + ++ if ( input <= 0.0 || output <= 0.0 ) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Gamma values should be positive"); ++ RETURN_FALSE; ++ } ++ + ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd); + + if (gdImageTrueColor(im)) { +diff --git a/ext/gd/tests/bug72730.phpt b/ext/gd/tests/bug72730.phpt +new file mode 100644 +index 0000000..e7c13cb +--- /dev/null ++++ b/ext/gd/tests/bug72730.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #72730: imagegammacorrect allows arbitrary write access ++--SKIPIF-- ++ ++--FILE-- ++ ++DONE ++--EXPECTF-- ++Warning: imagegammacorrect(): Gamma values should be positive in %sbug72730.php on line %d ++DONE +\ No newline at end of file diff --git a/bug72749.patch b/bug72749.patch new file mode 100644 index 0000000..4ea74bb --- /dev/null +++ b/bug72749.patch 
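Review bot: The guard `if ( input <= 0.0 || output <= 0.0 )` in PHP_FUNCTION(imagegammacorrect) does not reject NaN, because every comparison with NaN is false; a NaN gamma therefore passes into the correction computed below the hunk, and converting a NaN result to `int` is undefined behaviour that can still yield an out-of-range channel or palette value. Write the check positively so NaN fails it: `if (!(input > 0.0 && output > 0.0)) {` — or add explicit `isnan()`/`isfinite()` checks if the file already includes `<math.h>`. Style: the spaces inside the parentheses differ from the surrounding `if (...)` form. The function continues past the hunk.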
@@ -0,0 +1,90 @@ +Backported from 5.6.25 by Remi. + +From db38282f421a5d552840aeac807efc2f584162d2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 4 Aug 2016 00:17:42 -0700 +Subject: [PATCH] Fix bug #72749: wddx_deserialize allows illegal memory access + +--- + ext/wddx/tests/bug72749.phpt | 34 ++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 20 ++++++++++++++------ + 2 files changed, 48 insertions(+), 6 deletions(-) + create mode 100644 ext/wddx/tests/bug72749.phpt + +diff --git a/ext/wddx/tests/bug72749.phpt b/ext/wddx/tests/bug72749.phpt +new file mode 100644 +index 0000000..ee17d0f +--- /dev/null ++++ b/ext/wddx/tests/bug72749.phpt +@@ -0,0 +1,34 @@ ++--TEST-- ++Bug #72749: wddx_deserialize allows illegal memory access ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++
++ ++ ++ ++ 2\r2004-09-10T05:52:49+00 ++ ++ ++ ++ ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++array(1) { ++ ["aDateTime3"]=> ++ string(24) "2 ++2004-09-10T05:52:49+00" ++} +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index cde3e07..faadbfe1 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -1116,18 +1116,26 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + case ST_DATETIME: { + char *tmp; + +- tmp = emalloc(len + 1); +- memcpy(tmp, s, len); ++ if (Z_TYPE_P(ent->data) == IS_STRING) { ++ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1); ++ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data)); ++ memcpy(tmp + Z_STRLEN_P(ent->data), s, len); ++ len += Z_STRLEN_P(ent->data); ++ efree(Z_STRVAL_P(ent->data)); ++ Z_TYPE_P(ent->data) = IS_LONG; ++ } else { ++ tmp = emalloc(len + 1); ++ memcpy(tmp, s, len); ++ } + tmp[len] = '\0'; + + Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL); + /* date out of range < 1969 or > 2038 */ + if (Z_LVAL_P(ent->data) == -1) { +- Z_TYPE_P(ent->data) = IS_STRING; +- Z_STRLEN_P(ent->data) = len; +- Z_STRVAL_P(ent->data) = estrndup(s, len); ++ ZVAL_STRINGL(ent->data, tmp, len, 0); ++ } else { ++ efree(tmp); + } +- efree(tmp); + } + break; + diff --git a/bug72750.patch b/bug72750.patch new file mode 100644 index 0000000..5af5a9b --- /dev/null +++ b/bug72750.patch 
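Review bot: In php_wddx_process_data's ST_DATETIME branch the allocation size is computed with `safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1)`, but the resulting length is then recomputed as `len += Z_STRLEN_P(ent->data);` in plain `int` arithmetic, so a combined length above INT_MAX overflows there even though the allocation itself was checked — the same negative-length class that bug #72807 in this series addresses. Guard it before allocating, e.g. `if (Z_STRLEN_P(ent->data) > INT_MAX - len) { /* reject the fragment */ }`; `len` is `int` per the signature shown and Z_STRLEN is `int` in the PHP 5 zval layout. A one-line comment that `tmp` is freed on the parse-success path but handed to `ZVAL_STRINGL(..., 0)` on the out-of-range path would also help, since the two exits differ subtly. The function starts outside the hunk.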
@@ -0,0 +1,72 @@ +Backported from 5.6.25 by Remi. + +From 82b95bb758ac707a2372f2edaed70589b6f374d3 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 7 Aug 2016 16:26:52 -0700 +Subject: [PATCH] Fix bug #72750: wddx_deserialize null dereference + +--- + ext/wddx/tests/bug72750.phpt | 34 ++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 8 ++++++-- + 2 files changed, 40 insertions(+), 2 deletions(-) + create mode 100644 ext/wddx/tests/bug72750.phpt + +diff --git a/ext/wddx/tests/bug72750.phpt b/ext/wddx/tests/bug72750.phpt +new file mode 100644 +index 0000000..3a6794d +--- /dev/null ++++ b/ext/wddx/tests/bug72750.phpt +@@ -0,0 +1,34 @@ ++--TEST-- ++Bug #72750: wddx_deserialize null dereference ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++
++ ++ ++ ++ \\tYmluYXJRhdGE= ++ ++ ++ ++ ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++array(1) { ++ ["aBinary"]=> ++ string(0) "" ++} +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index faadbfe1..1b2d103 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -952,8 +952,12 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + + new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len); + STR_FREE(Z_STRVAL_P(ent1->data)); +- Z_STRVAL_P(ent1->data) = new_str; +- Z_STRLEN_P(ent1->data) = new_len; ++ if (new_str) { ++ Z_STRVAL_P(ent1->data) = new_str; ++ Z_STRLEN_P(ent1->data) = new_len; ++ } else { ++ ZVAL_EMPTY_STRING(ent1->data); ++ } + } + + /* Call __wakeup() method on the object. */ diff --git a/bug72771.patch b/bug72771.patch new file mode 100644 index 0000000..db77d0a --- /dev/null +++ b/bug72771.patch @@ -0,0 +1,26 @@ +Backported from 5.6.25 by Remi. + +From 7d5ca3b28d3c8f8cae6cd874740f18fd3eb5100e Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 7 Aug 2016 16:17:54 -0700 +Subject: [PATCH] Fix bug #72771: ftps:// opendir wrapper is vulnerable to + protocol downgrade attack + +--- + ext/standard/ftp_fopen_wrapper.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c +index bfb1631..5bffa47 100644 +--- a/ext/standard/ftp_fopen_wrapper.c ++++ b/ext/standard/ftp_fopen_wrapper.c +@@ -187,7 +187,8 @@ static php_stream *php_ftp_fopen_connect(php_stream_wrapper *wrapper, const char + /* get the response */ + result = GET_FTP_RESULT(stream); + if (result != 334) { +- use_ssl = 0; ++ php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Server doesn't support FTPS."); ++ goto connect_errexit; + } else { + /* we must reuse the old SSL session id */ + /* if we talk to an old ftpd-ssl */ 
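Review bot: php_wddx_pop_element now turns a failed `php_base64_decode` into an empty string via `ZVAL_EMPTY_STRING(ent1->data)` without any diagnostic, so malformed binary input becomes indistinguishable from a genuinely empty field — the new test expects `string(0) ""` for exactly that case. That removes the crash, but a comment recording the choice, e.g. `/* undecodable binary becomes "" rather than failing the whole document */`, would mark it as deliberate, and if this file reports other malformed-input conditions a matching warning here would let callers notice bad data. The enclosing function extends beyond the hunk.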
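Review bot: The new hard failure in php_ftp_fopen_connect when the server answers anything but 334 to the TLS upgrade is the right call — silently continuing in plaintext is the downgrade the bug describes — but the logged text `Server doesn't support FTPS.` discards the reply code that was actually received. `php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Server doesn't support FTPS (response %d).", result);` gives operators and log-based detection something to tell a misconfigured server apart from an active downgrade attempt. The `connect_errexit` label is outside the hunk; confirm that path closes `stream`.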
diff --git a/bug72790.patch b/bug72790.patch new file mode 100644 index 0000000..fa571b7 --- /dev/null +++ b/bug72790.patch 
@@ -0,0 +1,134 @@ +Backported from 5.6.25 by Remi. + +From 1f6078e4a5c67733bfdbd20bb2706501ac56a344 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Wed, 10 Aug 2016 23:43:56 -0700 +Subject: [PATCH] Fix for bug #72790 and bug #72799 + +--- + ext/wddx/tests/bug72790.phpt | 35 +++++++++++++++++++++++++++++++++++ + ext/wddx/tests/bug72799.phpt | 28 ++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 14 +++++++++----- + 3 files changed, 72 insertions(+), 5 deletions(-) + create mode 100644 ext/wddx/tests/bug72790.phpt + create mode 100644 ext/wddx/tests/bug72799.phpt + +diff --git a/ext/wddx/tests/bug72790.phpt b/ext/wddx/tests/bug72790.phpt +new file mode 100644 +index 0000000..a60524b +--- /dev/null ++++ b/ext/wddx/tests/bug72790.phpt +@@ -0,0 +1,35 @@ ++--TEST-- ++Bug 72790: wddx_deserialize null dereference with invalid xml ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ |array> ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++NULL +\ No newline at end of file +diff --git a/ext/wddx/tests/bug72799.phpt b/ext/wddx/tests/bug72799.phpt +new file mode 100644 +index 0000000..5861d55 +--- /dev/null ++++ b/ext/wddx/tests/bug72799.phpt +@@ -0,0 +1,28 @@ ++--TEST-- ++Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ 1998-06-12T04:32:12+00 ++ ++ ++ ++XML; ++ ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++NULL +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index 1b2d103..d7bd295 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -939,10 +939,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + if (!ent1->data) { + if (stack->top > 1) { + stack->top--; ++ efree(ent1); + } else { + stack->done = 1; + } +- efree(ent1); + return; + } + +@@ -981,7 +981,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name) + wddx_stack_top(stack, 
(void**)&ent2); + + /* if non-existent field */ +- if (ent2->type == ST_FIELD && ent2->data == NULL) { ++ if (ent2->data == NULL) { + zval_ptr_dtor(&ent1->data); + efree(ent1); + return; +@@ -1172,9 +1172,13 @@ int php_wddx_deserialize_ex(char *value, int vallen, zval *return_value) + + if (stack.top == 1) { + wddx_stack_top(&stack, (void**)&ent); +- *return_value = *(ent->data); +- zval_copy_ctor(return_value); +- retval = SUCCESS; ++ if(ent->data == NULL) { ++ retval = FAILURE; ++ } else { ++ *return_value = *(ent->data); ++ zval_copy_ctor(return_value); ++ retval = SUCCESS; ++ } + } else { + retval = FAILURE; + } diff --git a/bug72807.patch b/bug72807.patch new file mode 100644 index 0000000..6350b7f --- /dev/null +++ b/bug72807.patch 
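Review bot: In php_wddx_pop_element the `efree(ent1)` moves inside the `stack->top > 1` branch, so on the `stack->done = 1` path the entry now stays on the stack with nothing saying who releases it; a comment such as `/* bottom element stays owned by the stack and is released with it */` (hedged — the stack teardown is outside the hunk) would keep someone from "fixing" the apparent leak and re-creating the double free. In php_wddx_deserialize_ex the new `if(ent->data == NULL)` lacks the space after `if` that the neighbouring code uses. Both enclosing functions extend beyond their hunks.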
@@ -0,0 +1,60 @@
+Backported from 5.6.25 by Remi.
+
+From 791a98eb1c66d2340b4e897ab60e4a6700435b5b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Thu, 11 Aug 2016 23:36:25 -0700
+Subject: [PATCH] Fix for bug #72807 - do not produce strings with negative
+ length
+
+---
+ Zend/zend_API.h | 7 +++++--
+ ext/curl/interface.c | 4 ++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/Zend/zend_API.h b/Zend/zend_API.h
+index a56075e..e17be4c 100644
+--- a/Zend/zend_API.h
++++ b/Zend/zend_API.h
+@@ -444,7 +444,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
+ #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
+ #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
+ #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
+-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
++#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
+
+
+ ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
+@@ -455,7 +455,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
+
+ /** Build zend_call_info/cache from a zval*
+ *
+- * Caller is responsible to provide a return value, otherwise the we will crash.
++ * Caller is responsible to provide a return value, otherwise the we will crash.
+ * fci->retval_ptr_ptr = NULL;
+ * In order to pass parameters the following members need to be set:
+ * fci->param_count = 0;
+@@ -575,6 +575,9 @@ END_EXTERN_C()
+ const char *__s=(s); \
+ zval *__z = (z); \
+ Z_STRLEN_P(__z) = strlen(__s); \
++ if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
++ zend_error(E_ERROR, "String size overflow"); \
++ } \
+ Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
+ Z_TYPE_P(__z) = IS_STRING; \
+ } while (0)
+diff --git a/ext/curl/interface.c b/ext/curl/interface.c
+index c7112a0..062f996 100644
+--- a/ext/curl/interface.c
++++ b/ext/curl/interface.c
+@@ -3506,6 +3506,10 @@ PHP_FUNCTION(curl_escape)
+ ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
+
+ if ((res = curl_easy_escape(ch->cp, str, str_len))) {
++ if (strlen(res) > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
++ RETURN_FALSE;
++ }
+ RETVAL_STRING(res, 1);
+ curl_free(res);
+ } else {
diff --git a/bug72836.patch b/bug72836.patch
new file mode 100644
index 0000000..6350b7f
--- /dev/null
+++ b/bug72836.patch
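Review bot: The check added to the ZVAL_STRING macro inspects `Z_STRLEN_P(__z)` only after `strlen(__s)` has been narrowed into the signed length field, so it rejects just the lengths whose truncated value is negative; on a 64-bit build a size_t above INT_MAX can still narrow to a non-negative int and slip through. The curl_escape hunk in the same patch compares `strlen(res) > INT_MAX` before assigning, and the macro could follow it: `size_t __l = strlen(__s); \` / `if (UNEXPECTED(__l > INT_MAX)) { zend_error(E_ERROR, "String size overflow"); } \` / `Z_STRLEN_P(__z) = (int)__l; \`. The 444 and 455 hunks appear to be whitespace-only (the `the we will crash` typo is untouched), so they add review surface without changing the backport and could be dropped. The macro body starts outside the hunk.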
@@ -0,0 +1,56 @@
+Backported from 5.6.25 by Remi.
+
+From f973877a2f8d58b857f0f02b8a88a2ee05a1cbb0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Sun, 14 Aug 2016 23:13:30 -0700
+Subject: [PATCH] Fix bug #72836 - integer overflow in base64_decode caused
+ heap corruption
+
+---
+ ext/standard/base64.c | 5 +
+ sapi/cli/generate_mime_type_map.php | 76 +++++++
+ sapi/fpm/www.conf.in | 413 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 494 insertions(+)
+ create mode 100644 sapi/cli/generate_mime_type_map.php
+ create mode 100644 sapi/fpm/www.conf.in
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index a40b866..8340ed1 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -66,6 +66,11 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ return NULL;
+ }
+
++ if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
++ return NULL;
++ }
++
+ result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1);
+ p = result;
+
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index 8340ed1..b30a5b7 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -67,6 +67,7 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ }
+
+ if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++ TSRMLS_FETCH();
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
+ return NULL;
+ }
+
diff --git a/bug72837.patch b/bug72837.patch
new file mode 100644
index 0000000..2dfe6f4
--- /dev/null
+++ b/bug72837.patch
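Review bot: The diffstat carried in this backport lists `sapi/cli/generate_mime_type_map.php` and `sapi/fpm/www.conf.in` with 494 insertions, yet the body contains only the base64.c hunk; the same applies to the bundled 'Fix TSRM build' commit, whose stat names url.c here and base64.c in bug72849.patch, so each file advertises changes it does not carry. `patch -p1` ignores the stat, but anyone auditing the backport against upstream has to discover the mismatch by hand, so trimming each stat to the hunks actually present (or saying in the 'Backported' line that the patch was split) would help. The subject names base64_decode while the guard lands in php_base64_encode; a clarifying remark on the 'Backported' line would keep the changelog entry from being taken literally. Style nit in the new condition: `INT_MAX/4 )` has a stray space before the closing parenthesis.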
@@ -0,0 +1,45 @@
+Backported from 5.6.25 by Remi.
+
+From 69236ea9793b76b778c6cd64748cfee817521118 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 15 Aug 2016 23:17:26 -0700
+Subject: [PATCH] Fix bug #72837 - integer overflow in bzdecompress caused heap
+ corruption
+
+---
+ ext/bz2/bz2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
+index 54b59f7..79ec3ec 100644
+--- a/ext/bz2/bz2.c
++++ b/ext/bz2/bz2.c
+@@ -573,15 +573,25 @@ static PHP_FUNCTION(bzdecompress)
+ /* compression is better then 2:1, need to allocate more memory */
+ bzs.avail_out = source_len;
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
++ if (size > INT_MAX) {
++ /* no reason to continue if we're going to drop it anyway */
++ break;
++ }
+ dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );
+ bzs.next_out = dest + size;
+ }
+
+ if (error == BZ_STREAM_END || error == BZ_OK) {
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
+- dest = safe_erealloc(dest, 1, (size_t) size, 1);
+- dest[size] = '\0';
+- RETVAL_STRINGL(dest, (int) size, 0);
++ if (size > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX);
++ efree(dest);
++ RETVAL_LONG(BZ_MEM_ERROR);
++ } else {
++ dest = safe_erealloc(dest, 1, (size_t) size, 1);
++ dest[size] = '\0';
++ RETVAL_STRINGL(dest, (int) size, 0);
++ }
+ } else { /* real error */
+ efree(dest);
+ RETVAL_LONG(error);
diff --git a/bug72838.patch b/bug72838.patch
new file mode 100644
index 0000000..76e8386
--- /dev/null
+++ b/bug72838.patch
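Review bot: The new `break` in the realloc loop exits with `error` still holding whatever the last decompress call returned (presumably BZ_OK on this path), so it relies on the `error == BZ_STREAM_END || error == BZ_OK` block below recomputing `size` and taking the added `size > INT_MAX` branch to free `dest` and report; a comment on the break such as `/* error is still BZ_OK: the size check after the loop reports and frees dest */` would make that coupling explicit before someone edits either condition. Reporting the limit as BZ_MEM_ERROR reads like a typo without a note that it is intentional, e.g. `/* no dedicated bz error code for an oversized result */`. The loop and the `size` arithmetic begin outside the hunk.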
@@ -0,0 +1,28 @@
+Backported from 5.6.25 by Remi.
+
+From 6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 15 Aug 2016 23:43:59 -0700
+Subject: [PATCH] Fix bug #72838 - Integer overflow lead to heap
+ corruption in sql_regcase
+
+---
+ ext/ereg/ereg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
+index 5d38d04..8eb833a 100644
+--- a/ext/ereg/ereg.c
++++ b/ext/ereg/ereg.c
+@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
+
+ for (i = j = 0; i < string_len; i++) {
+ c = (unsigned char) string[i];
++ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(tmp);
++ RETURN_FALSE;
++ }
+ if (isalpha(c)) {
+ tmp[j++] = '[';
+ tmp[j++] = toupper(c);
diff --git a/bug72848.patch b/bug72848.patch
new file mode 100644
index 0000000..bdf4bcc
--- /dev/null
+++ b/bug72848.patch
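Review bot: The guard `if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4))` stops the output index before the one- or four-byte write that follows, but nothing says what it protects: the int-typed length `j` rather than the `tmp` buffer, whose allocation is outside the hunk. A comment such as `/* j is an int: bail before the next 1 (plain) or 4 (bracketed) byte write could overflow it */` would record that, and the allocation size should be confirmed to cover every j this check admits. Style nit: the space after `if (` does not match the surrounding code. sql_regcase starts and ends outside the hunk.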
@@ -0,0 +1,83 @@
+Backported from 5.6.25 by Remi.
+
+From 444314a2919587674c24777e56d29b4040b4fed4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 16 Aug 2016 15:48:31 -0700
+Subject: [PATCH] Fix bug #72848 - integer overflow in quoted_printable_encode
+ caused heap corruption
+
+---
+ ext/standard/quot_print.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
+index 3b8c0ec..6d5835e 100644
+--- a/ext/standard/quot_print.c
++++ b/ext/standard/quot_print.c
+@@ -144,7 +144,7 @@ PHPAPI unsigned char *php_quot_print_decode(const unsigned char *str, size_t len
+ /* }}} */
+
+ #define PHP_QPRINT_MAXL 75
+-
++
+ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t length, size_t *ret_length) /* {{{ */
+ {
+ unsigned long lp = 0;
+@@ -162,9 +162,9 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
+ lp = 0;
+ } else {
+ if (iscntrl (c) || (c == 0x7f) || (c & 0x80) || (c == '=') || ((c == ' ') && (*str == '\015'))) {
+- if ((((lp+= 3) > PHP_QPRINT_MAXL) && (c <= 0x7f))
+- || ((c > 0x7f) && (c <= 0xdf) && ((lp + 3) > PHP_QPRINT_MAXL))
+- || ((c > 0xdf) && (c <= 0xef) && ((lp + 6) > PHP_QPRINT_MAXL))
++ if ((((lp+= 3) > PHP_QPRINT_MAXL) && (c <= 0x7f))
++ || ((c > 0x7f) && (c <= 0xdf) && ((lp + 3) > PHP_QPRINT_MAXL))
++ || ((c > 0xdf) && (c <= 0xef) && ((lp + 6) > PHP_QPRINT_MAXL))
+ || ((c > 0xef) && (c <= 0xf4) && ((lp + 9) > PHP_QPRINT_MAXL))) {
+ *d++ = '=';
+ *d++ = '\015';
+@@ -208,7 +208,7 @@ PHP_FUNCTION(quoted_printable_decode)
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &arg1, &arg1_len) == FAILURE) {
+ return;
+ }
+-
++
+ if (arg1_len == 0) {
+ /* shortcut */
+ RETURN_EMPTY_STRING();
+@@ -219,11 +219,11 @@ PHP_FUNCTION(quoted_printable_decode)
+ while (str_in[i]) {
+ switch (str_in[i]) {
+ case '=':
+- if (str_in[i + 1] && str_in[i + 2] &&
+- isxdigit((int) str_in[i + 1]) &&
++ if 
(str_in[i + 1] && str_in[i + 2] &&
++ isxdigit((int) str_in[i + 1]) &&
+ isxdigit((int) str_in[i + 2]))
+ {
+- str_out[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
++ str_out[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
+ + php_hex2int((int) str_in[i + 2]);
+ i += 3;
+ } else /* check for soft line break according to RFC 2045*/ {
+@@ -254,7 +254,7 @@ PHP_FUNCTION(quoted_printable_decode)
+ }
+ }
+ str_out[j] = '\0';
+-
++
+ RETVAL_STRINGL(str_out, j, 0);
+ }
+ /* }}} */
+@@ -275,6 +275,11 @@ PHP_FUNCTION(quoted_printable_encode)
+ }
+
+ new_str = (char *)php_quot_print_encode((unsigned char *)str, (size_t)str_len, &new_str_len);
++ if (new_str_len > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(new_str);
++ RETURN_FALSE;
++ }
+ RETURN_STRINGL(new_str, new_str_len, 0);
+ }
+ /* }}} */
diff --git a/bug72849.patch b/bug72849.patch
new file mode 100644
index 0000000..f2cd26f
--- /dev/null
+++ b/bug72849.patch
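Review bot: After the new `new_str_len > INT_MAX` guard, `RETURN_STRINGL(new_str, new_str_len, 0)` still narrows the size_t implicitly; writing `RETURN_STRINGL(new_str, (int) new_str_len, 0);` would document that the narrowing is now known to be safe and keep -Wconversion quiet. Five of the six hunks (144, 162, 208, 219, 254) only strip trailing whitespace, which inflates a security backport and makes it harder to compare with upstream; dropping them leaves just the 275 hunk that carries the fix. php_quot_print_encode itself is unchanged and starts outside the hunk.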
@@ -0,0 +1,51 @@
+Backported from 5.6.25 by Remi.
+
+From dc223e524d640167c0f12e942eb52cabd6f89ee4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 16 Aug 2016 15:58:05 -0700
+Subject: [PATCH] Fixed bug #72849 - integer overflow in urlencode
+
+---
+ ext/standard/url.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 4b52000..8e471e1 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ *to++ = c;
+ }
+ }
++
++ if ((to-start) > INT_MAX) {
++ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
++ }
++
+ *to = 0;
+ if (new_length) {
+ *new_length = to - start;
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 8e471e1..dd861a5 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -522,6 +522,7 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ }
+
+ if ((to-start) > INT_MAX) {
++ TSRMLS_FETCH();
+ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
+ }
diff --git a/bug72850.patch b/bug72850.patch
new file mode 100644
index 0000000..0637e84
--- /dev/null
+++ b/bug72850.patch
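Review bot: The added `if ((to-start) > INT_MAX)` raises E_ERROR from a PHPAPI function, ending the request rather than returning to the caller; the comment explains the choice but not what would overflow, and since the encoding loop above has already finished, the only thing at risk is the int-typed `*new_length`, which the comment should name: `/* *new_length is an int: refuse to report a length that would wrap */`. The bundled 'Fix TSRM build' commit repeats a two-file diffstat (base64.c and url.c) while this file carries only the url.c hunk, the base64.c half living in bug72836.patch; trimming the stat avoids a misleading audit trail. php_url_encode starts outside the hunk.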
@@ -0,0 +1,54 @@
+Backported from 5.6.25 by Remi.
+
+From c35e4cb20cdeb02d9d362c57edce11c2948effcd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Tue, 16 Aug 2016 16:03:44 -0700
+Subject: [PATCH] Fix bug #72850 - integer overflow in uuencode
+
+---
+ ext/standard/uuencode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
+index cd35c28..a31f14d 100644
+--- a/ext/standard/uuencode.c
++++ b/ext/standard/uuencode.c
+@@ -153,7 +153,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
+ while (s < ee) {
+ if(s+4 > e) {
+ goto err;
+- }
++ }
+ *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
+ *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
+ *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));
+@@ -168,7 +168,7 @@
+ s++;
+ }
+
+- if ((len = total_len > (p - *dest))) {
++ if ((len = total_len) > (p - *dest)) {
+ *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
+ if (len > 1) {
+ *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
+@@ -188,7 +188,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
+ }
+ /* }}} */
+
+-/* {{{ proto string convert_uuencode(string data)
++/* {{{ proto string convert_uuencode(string data)
+ uuencode a string */
+ PHP_FUNCTION(convert_uuencode)
+ {
+@@ -200,6 +200,11 @@ PHP_FUNCTION(convert_uuencode)
+ }
+
+ dst_len = php_uuencode(src, src_len, &dst);
++ if (dst_len < 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(dst);
++ RETURN_FALSE;
++ }
+
+ RETURN_STRINGL(dst, dst_len, 0);
+ }
diff --git a/failed.txt b/failed.txt
index 31f3cd7..76407cf 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-==== PHP 5.5.38 (2016-07-21)
+==== PHP 5.5.38-2 (2016-09-10)
 $ grep -r 'Tests failed' /var/lib/mock/scl55*/build.log
diff --git a/php.spec b/php.spec
index d047521..ab7de2d 100644
--- a/php.spec
+++ b/php.spec
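Review bot: The `dst_len < 0` check in convert_uuencode assumes php_uuencode returns a negative int when the encoded size exceeds INT_MAX and that `dst` is already allocated at that point so `efree(dst)` is valid; both facts are outside the hunk and should be recorded on the check, e.g. `/* php_uuencode returns a negative length (dst still allocated) when the encoded size exceeds INT_MAX */`, after confirming that convention in php_uuencode. The 168 hunk turns `(len = total_len > (p - *dest))` into `(len = total_len) > (p - *dest)`, which corrects the tail-decoding logic of php_uudecode rather than an overflow; neither the 'Backported' line nor the spec changelog mentions it, and that hunk's header also lacks the function context the others carry. php_uudecode and convert_uuencode both extend outside the hunk.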
@@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.5.38
-Release: 1%{?dist}.1
+Release: 2%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -193,6 +193,25 @@ Patch91: php-5.3.7-oci8conf.patch
 # Upstream fixes (100+)
 Patch100: bug72735.patch
+Patch101: bug72716.patch
+Patch102: bug72663.patch
+Patch103: bug72681.patch
+Patch104: bug72708.patch
+Patch105: bug72749.patch
+Patch106: bug70436.patch
+Patch107: bug72771.patch
+Patch108: bug72750.patch
+Patch109: bug72627.patch
+Patch110: bug72697.patch
+Patch111: bug72730.patch
+Patch112: bug72790.patch
+Patch113: bug72807.patch
+Patch114: bug72836.patch
+Patch115: bug72837.patch
+Patch116: bug72838.patch
+Patch117: bug72848.patch
+Patch118: bug72849.patch
+Patch119: bug72850.patch
 # Security fixes (200+)
@@ -884,6 +903,25 @@ support for using the enchant library to PHP.
 # security patches
 %patch100 -p1 -b .bug72735
+%patch101 -p1 -b .bug72716
+%patch102 -p1 -b .bug72663
+%patch103 -p1 -b .bug72681
+%patch104 -p1 -b .bug72708
+%patch105 -p1 -b .bug72749
+%patch106 -p1 -b .bug70436
+%patch107 -p1 -b .bug72771
+%patch108 -p1 -b .bug72750
+%patch109 -p1 -b .bug72627
+%patch110 -p1 -b .bug72697
+%patch111 -p1 -b .bug72730
+%patch112 -p1 -b .bug72790
+%patch113 -p1 -b .bug72807
+%patch114 -p1 -b .bug72836
+%patch115 -p1 -b .bug72837
+%patch116 -p1 -b .bug72838
+%patch117 -p1 -b .bug72848
+%patch118 -p1 -b .bug72849
+%patch119 -p1 -b .bug72850
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1612,6 +1650,16 @@ fi
 %endif
+%posttrans common
+cat << EOF
+
+WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
+Even, if this package includes some security fix, backported from 5.6,
+The upgrade to a maintained version is very strongly recommended.
+
+EOF
+
+
 %{!?_licensedir:%global license %%doc}
 %files
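Review bot: The %posttrans message in the 1612 hunk is user-facing and its grammar undercuts the warning: `WARNING : PHP 5.5 have reached its "End of Life" in July 2016.` should be `WARNING : PHP 5.5 has reached its "End of Life" in July 2016.`, and the next two lines read better as `Even if this package includes some security fixes backported from 5.6,` / `upgrading to a maintained version is very strongly recommended.`. Because the heredoc is unquoted, any `$` or backtick added to the text later would be expanded by the shell; `cat << 'EOF'` is the safer form for a fixed message.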
@@ -1778,6 +1826,40 @@ fi
 %changelog
+* Mon Sep 5 2016 Remi Collet 5.5.38-2
+- fix #72716: initialize buffer before read (ftp)
+- fix #72663: destroy broken object when unserializing
+ CVE-2016-7124
+- fix #72681: consume data even if we're not storing them
+ CVE-2016-7125
+- fix #72708: php_snmp_parse_oid integer overflow in memory allocation
+- fix #72749: wddx_deserialize allows illegal memory access
+ CVE-2016-7129
+- fix #70436: Use After Free Vulnerability in unserialize()
+ CVE-2016-7129
+- fix #72771: ftps:// opendir wrapper is vulnerable to protocol
+ downgrade attack
+- fix #72750: wddx_deserialize null dereference
+ CVE-2016-7130
+- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
+ CVE-2016-7128
+- fix #72697: select_colors write out-of-bounds
+ CVE-2016-7126
+- fix #72730: imagegammacorrect allows arbitrary write access
+ CVE-2016-7127
+- fix #72790: wddx_deserialize null dereference with invalid xml
+ CVE-2016-7131
+- fix #72799: wddx_deserialize null dereference in php_wddx_pop_element
+ CVE-2016-7132
+- fix #72807: do not produce strings with negative length
+- fix #72836: integer overflow in base64_decode caused heap corruption
+- fix #72837: integer overflow in bzdecompress caused heap corruption
+- fix #72838: Integer overflow lead to heap corruption in sql_regcase
+- fix #72848: integer overflow in quoted_printable_encode caused
+ heap corruption
+- fix #72849: integer overflow in urlencode
+- fix #72850: integer overflow in uuencode
+
 * Fri Aug 5 2016 Remi Collet 5.5.38-1.1
 - fix #72735 regression in exif maker note parser
-- cgit
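Review bot: CVE-2016-7129 is listed twice in the new changelog entry, under `fix #72749: wddx_deserialize allows illegal memory access` and again under `fix #70436: Use After Free Vulnerability in unserialize()`; one of the two looks copied, and since downstream advisories and scanners key on these lines the #70436 entry should be checked against the upstream announcement and given its correct identifier (or none) before release. The entry `fix #72850: integer overflow in uuencode` could also mention the php_uudecode precedence fix bundled in that patch.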