5 files changed, 441 insertions, 24 deletions

diff --git a/failed.txt b/failed.txt
index 28fb7af..9834657 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,33 +1,25 @@
-===== 5.6.40-5 (2019-03-12)
+===== 5.6.40-7 (2019-04-02)
 
 $ grep -r 'Tests failed' /var/lib/mock/scl56*/build.log
 
-/var/lib/mock/scl56el6x/build.log:Tests failed    :     7
-/var/lib/mock/scl56el7x/build.log:Tests failed    :     4
-/var/lib/mock/scl56el7x/build.log:Tests failed    :    34
-/var/lib/mock/scl56fc26x/build.log:Tests failed    :    3
-/var/lib/mock/scl56fc27x/build.log:Tests failed    :    7
-/var/lib/mock/scl56fc28x/build.log:Tests failed    :    6
-/var/lib/mock/scl56fc29x/build.log:Tests failed    :    8
-/var/lib/mock/scl56fc30x/build.log:Tests failed    :   11
+/var/lib/mock/scl56el6x/build.log:Tests failed    :     3
+/var/lib/mock/scl56el7x/build.log:Tests failed    :     0
+/var/lib/mock/scl56el8x/build.log:Tests failed    :    28
+/var/lib/mock/scl56fc27x/build.log:Tests failed    :    6
+/var/lib/mock/scl56fc28x/build.log:Tests failed    :    1
+/var/lib/mock/scl56fc29x/build.log:Tests failed    :    3
+/var/lib/mock/scl56fc30x/build.log:Tests failed    :    3
 
 
-el6x, el7x:
-	4	Bug #33414 [2] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-2.phpt]
-el6x, el7x, fc25x, fc26x, fc27x, fc28x, fc29x, fc30x:
-	4	Bug #33415 [2] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-2.phpt]
-el6xn el7x, fc26x, fc27x, fc28x, fc29x, fc30x:
-	4	Bug #51819 (Case discrepancy in timezone names cause Uncaught exception and fatal error) [ext/date/tests/bug51819.phpt]
-	4	Test date_sunset() function : usage variation - Passing high positive and negative float values to time argument. [ext/date/tests/date_sunset_variation9.phpt]
-el6x, fc25x, fc27x, fc29x:
+fc27x:
+	4	Bug #32086 (strtotime don't work in DST) [ext/date/tests/bug32086.phpt]
+	4	Bug #33415 [1] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-1.phpt]
+el6x, fc27x:
 	3	Bug #65538: SSL context "cafile" disallows URL stream wrappers [ext/openssl/tests/bug65538_002.phpt]
 	3	gethostbyname() function - basic return valid ip address test [ext/standard/tests/network/gethostbyname_error004.phpt]
 	3	getmxrr() test [ext/standard/tests/network/getmxrr.phpt]
 fc27x, fc28x, fc29x, fc30x:
 	2	substr_compare() [ext/standard/tests/strings/substr_compare.phpt]
-fc28x, fc29x, fc30x:
-		Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
-		date_modify() function [1] [ext/date/tests/date_modify-1.phpt]
 fc29x, fc30x:
 		openssl_error_string() tests [ext/openssl/tests/openssl_error_string_basic.phpt]
 		TLS server rate-limits client-initiated renegotiation [ext/openssl/tests/stream_server_reneg_limit.phpt]
diff --git a/php-bug77753.patch b/php-bug77753.patch
new file mode 100644
index 0000000..bcb324d
--- /dev/null
+++ b/php-bug77753.patch
@@ -0,0 +1,34 @@
+Without test as binary patch not supported
+
+
+
+
+From 1e7511f2476380f9eb523f60817610c8eab6b116 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 17 Mar 2019 22:54:46 -0700
+Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
+
+(cherry picked from commit f3aefc6d071b807ddacae0a0bc49f09c38e18490)
+---
+ ext/exif/exif.c              |   4 ++++
+ ext/exif/tests/bug77753.phpt |  16 ++++++++++++++++
+ ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes
+ 3 files changed, 20 insertions(+)
+ create mode 100644 ext/exif/tests/bug77753.phpt
+ create mode 100644 ext/exif/tests/bug77753.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index ce8db170c7..4350124305 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2812,6 +2812,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ 		return FALSE;
+ 	}
++	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
++		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
++		return FALSE;
++	}
+ 
+ 	for (de=0;de<NumDirEntries;de++) {
+ 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
diff --git a/php-bug77831.patch b/php-bug77831.patch
new file mode 100644
index 0000000..840fbfd
--- /dev/null
+++ b/php-bug77831.patch
@@ -0,0 +1,211 @@
+Without test as binary patch not supported
+
+
+
+
+From 1f2fdcd9a2471e6fac220ec2e7a2ca56b7879113 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 2 Apr 2019 00:12:26 -0700
+Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value
+ in EXIF
+
+(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4)
+---
+ NEWS                         |   4 ++++
+ ext/exif/exif.c              |  43 +++++++++++++++++++++++------------
+ ext/exif/tests/bug77831.phpt |  13 +++++++++++
+ ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes
+ 4 files changed, 45 insertions(+), 15 deletions(-)
+ create mode 100644 ext/exif/tests/bug77831.phpt
+ create mode 100644 ext/exif/tests/bug77831.tiff
+
+diff --git a/NEWS b/NEWS
+index 0bff457d2b..0dde9880d5 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP                                                                        NEWS
+ 
+ Backported from 7.1.28
+ 
++- EXIF:
++  . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
++  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)
++
+ - SQLite3:
+   . Added sqlite3.defensive INI directive. (BohwaZ)
+ 
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 4350124305..547bd58dfb 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1660,10 +1660,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo)
+ /* {{{ exif_iif_add_value
+  Add a value to image_info
+ */
+-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel TSRMLS_DC)
++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel TSRMLS_DC)
+ {
+ 	size_t idex;
+-	void *vptr;
++	void *vptr, *vptr_end;
+ 	image_info_value *info_value;
+ 	image_info_data  *info_data;
+ 	image_info_data  *list;
+@@ -1685,8 +1685,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 
+ 	switch (format) {
+ 		case TAG_FMT_STRING:
++			if (length > value_len) {
++				exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++				value = NULL;
++			}
+ 			if (value) {
+-				length = php_strnlen(value, length);
++				length = (int)php_strnlen(value, length);
+ 				info_value->s = estrndup(value, length);
+ 				info_data->length = length;
+ 			} else {
+@@ -1708,6 +1712,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			if (!length)
+ 				break;
+ 		case TAG_FMT_UNDEFINED:
++			if (length > value_len) {
++				exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++				value = NULL;
++			}
+ 			if (value) {
+ 				if (tag == TAG_MAKER_NOTE) {
+ 					length = (int) php_strnlen(value, length);
+@@ -1738,7 +1746,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			} else {
+ 				info_value = &info_data->value;
+ 			}
++			vptr_end = value+value_len;
+ 			for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
++				if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++					exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
++					break;
++				}
+ 				if (length>1) {
+ 					info_value = &info_data->value.list[idex];
+ 				}
+@@ -1774,7 +1787,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type single");
+ #endif
+ 						info_value->f = *(float *)value;
+-
++						break;
+ 					case TAG_FMT_DOUBLE:
+ #ifdef EXIF_DEBUG
+ 						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type double");
+@@ -1792,9 +1805,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ /* {{{ exif_iif_add_tag
+  Add a tag from IFD to image_info
+ */
+-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value TSRMLS_DC)
++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len TSRMLS_DC)
+ {
+-	exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel TSRMLS_CC);
++	exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel TSRMLS_CC);
+ }
+ /* }}} */
+ 
+@@ -2218,7 +2231,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im
+ */
+ static void exif_process_COM (image_info_type *image_info, char *value, size_t length TSRMLS_DC)
+ {
+-	exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2 TSRMLS_CC);
++	exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2 TSRMLS_CC);
+ }
+ /* }}} */
+ 
+@@ -2233,17 +2246,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ 	if (length>3) {
+ 		switch(value[2]) {
+ 			case 0:
+-				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value TSRMLS_CC);
++				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length TSRMLS_CC);
+ 				break;
+ 			case 1:
+-				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
++				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+ 				break;
+ 			default:
+ 				php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Undefined JPEG2000 comment encoding");
+ 				break;
+ 		}
+ 	} else {
+-		exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
++		exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0 TSRMLS_CC);
+ 		php_error_docref(NULL TSRMLS_CC, E_NOTICE, "JPEG2000 comment section too small");
+ 	}
+ }
+@@ -2837,7 +2850,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table TSRMLS_DC)
+ {
+ 	size_t length;
+-	int tag, format, components;
++	unsigned int tag, format, components;
+ 	char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ 	size_t byte_count, offset_val, fpos, fgot;
+ 	int64_t byte_count_signed;
+@@ -3148,7 +3161,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ 				}
+ 		}
+ 	}
+-	exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr TSRMLS_CC);
++	exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr, byte_count TSRMLS_CC);
+ 	EFREE_IF(outside);
+ 	return TRUE;
+ }
+@@ -3306,10 +3319,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
+ 	size_t l1, l2=0;
+ 
+ 	if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
+-		exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
++		exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1 TSRMLS_CC);
+ 		if (length > 2+l1+1) {
+ 			l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
+-			exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
++			exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2 TSRMLS_CC);
+ 		}
+ 	}
+ #ifdef EXIF_DEBUG
+@@ -4107,7 +4120,7 @@ PHP_FUNCTION(exif_read_data)
+ 	if (ImageInfo.Thumbnail.size) {
+ 		if (read_thumbnail) {
+ 			/* not exif_iif_add_str : this is a buffer */
+-			exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data TSRMLS_CC);
++			exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size TSRMLS_CC);
+ 		}
+ 		if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+ 			/* try to evaluate if thumbnail data is present */
+From 8b4b035dcd3f382e9de4e2f661df2dc0797fc478 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 2 Apr 2019 10:37:40 +0200
+Subject: [PATCH] Pointer arithmetic on void pointers is illegal
+
+We quick-fix this by casting to char*; it might be more appropriate to
+use char pointers in the first place.
+
+(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c)
+---
+ ext/exif/exif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 547bd58dfb..81cf438a8e 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1746,9 +1746,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			} else {
+ 				info_value = &info_data->value;
+ 			}
+-			vptr_end = value+value_len;
++			vptr_end = (char *) value + value_len;
+ 			for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
+-				if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++				if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) {
+ 					exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
+ 					break;
+ 				}
diff --git a/php-sqlite3-defensive.patch b/php-sqlite3-defensive.patch
new file mode 100644
index 0000000..c2e87ca
--- /dev/null
+++ b/php-sqlite3-defensive.patch
@@ -0,0 +1,167 @@
+From 467239f10a6021d3eabe237ad0508b12d5d7d19e Mon Sep 17 00:00:00 2001
+From: bohwaz <github.bohwaz@miam.kd2.org>
+Date: Sun, 16 Dec 2018 22:52:37 +0100
+Subject: [PATCH] SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a
+ mitigation strategy against potential security flaws
+
+(cherry picked from commit 58c25bf679125a2da354db58ddc6b0cf6d10ee00)
+---
+ NEWS                                     |  5 +++
+ ext/sqlite3/php_sqlite3.h                |  1 +
+ ext/sqlite3/sqlite3.c                    |  9 ++++++
+ ext/sqlite3/tests/sqlite3_defensive.phpt | 40 ++++++++++++++++++++++++
+ php.ini-development                      | 11 +++++++
+ php.ini-production                       | 11 +++++++
+ 6 files changed, 77 insertions(+)
+ create mode 100644 ext/sqlite3/tests/sqlite3_defensive.phpt
+
+diff --git a/NEWS b/NEWS
+index 16da63bbb2..0bff457d2b 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,11 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.1.28
++
++- SQLite3:
++  . Added sqlite3.defensive INI directive. (BohwaZ)
++
+ Backported from 7.1.27
+ 
+ - Core:
+diff --git a/ext/sqlite3/php_sqlite3.h b/ext/sqlite3/php_sqlite3.h
+index 88da39e75c..5304f00dbf 100644
+--- a/ext/sqlite3/php_sqlite3.h
++++ b/ext/sqlite3/php_sqlite3.h
+@@ -28,6 +28,7 @@ extern zend_module_entry sqlite3_module_entry;
+ 
+ ZEND_BEGIN_MODULE_GLOBALS(sqlite3)
+ 	char *extension_dir;
++	int dbconfig_defensive;
+ ZEND_END_MODULE_GLOBALS(sqlite3)
+ 
+ #ifdef ZTS
+diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
+index 80d6b897f1..761b777d06 100644
+--- a/ext/sqlite3/sqlite3.c
++++ b/ext/sqlite3/sqlite3.c
+@@ -82,6 +82,9 @@ static void php_sqlite3_error(php_sqlite3_db_object *db_obj, char *format, ...)
+ */
+ PHP_INI_BEGIN()
+ 	STD_PHP_INI_ENTRY("sqlite3.extension_dir",  NULL, PHP_INI_SYSTEM, OnUpdateString, extension_dir, zend_sqlite3_globals, sqlite3_globals)
++#if SQLITE_VERSION_NUMBER >= 3026000
++	STD_PHP_INI_ENTRY("sqlite3.defensive",  "1", PHP_INI_SYSTEM, OnUpdateBool, dbconfig_defensive, zend_sqlite3_globals, sqlite3_globals)
++#endif
+ PHP_INI_END()
+ /* }}} */
+ 
+@@ -177,6 +180,12 @@ PHP_METHOD(sqlite3, open)
+ 		sqlite3_set_authorizer(db_obj->db, php_sqlite3_authorizer, NULL);
+ 	}
+ 
++#if SQLITE_VERSION_NUMBER >= 3026000
++	if (SQLITE3G(dbconfig_defensive)) {
++		sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL);
++	}
++#endif
++
+ 	if (fullpath != filename) {
+ 		efree(fullpath);
+ 	}
+diff --git a/ext/sqlite3/tests/sqlite3_defensive.phpt b/ext/sqlite3/tests/sqlite3_defensive.phpt
+new file mode 100644
+index 0000000000..064d87b50a
+--- /dev/null
++++ b/ext/sqlite3/tests/sqlite3_defensive.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++SQLite3 defensive mode ini setting
++--SKIPIF--
++<?php require_once(__DIR__ . '/skipif.inc');
++
++if (SQLite3::version()['versionNumber'] < 3026000) {
++	die("skip: sqlite3 library version < 3.26: no support for defensive mode");
++}
++
++?>
++--INI--
++sqlite3.defensive=On
++--FILE--
++<?php
++
++$db = new SQLite3(':memory:');
++var_dump($db->exec('CREATE TABLE test (a, b);'));
++
++// This does not generate an error!
++var_dump($db->exec('PRAGMA writable_schema = ON;'));
++var_dump($db->querySingle('PRAGMA writable_schema;'));
++
++// Should be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++
++// Should generate an error!
++var_dump($db->querySingle('DELETE FROM sqlite_master;'));
++
++// Should still be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++?>
++--EXPECTF--
++bool(true)
++bool(true)
++int(1)
++int(1)
++
++Warning: SQLite3::querySingle(): Unable to prepare statement: 1, table sqlite_master may not be modified in %s on line %d
++bool(false)
++int(1)
+\ No newline at end of file
+diff --git a/php.ini-development b/php.ini-development
+index 752f601436..27cc55b75b 100644
+--- a/php.ini-development
++++ b/php.ini-development
+@@ -981,8 +981,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+ 
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+ 
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
+diff --git a/php.ini-production b/php.ini-production
+index 97b5043ce9..d7e9420a72 100644
+--- a/php.ini-production
++++ b/php.ini-production
+@@ -981,8 +981,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+ 
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+ 
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
diff --git a/php.spec b/php.spec
index 66bf8cb..7247d65 100644
--- a/php.spec
+++ b/php.spec
@@ -136,7 +136,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.6.40
-Release: 6%{?dist}
+Release: 7%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -203,8 +203,11 @@ Patch210: php-bug77540.patch
 Patch211: php-bug77563.patch
 Patch212: php-bug77586.patch
 Patch213: php-bug77630.patch
-# update NEWS file with backport information
-Patch299: php-news.patch
+Patch214: php-news.patch
+Patch215: php-sqlite3-defensive.patch
+Patch216: php-bug77753.patch
+Patch217: php-bug77831.patch
+
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -939,7 +942,10 @@ support for using the enchant library to PHP.
 %patch211 -p1 -b .bug77563
 %patch212 -p1 -b .bug77586
 %patch213 -p1 -b .bug77630
-%patch299 -p1 -b .backport
+%patch214 -p1 -b .backport
+%patch215 -p1 -b .sqlite3.defensive
+%patch216 -p1 -b .bug77753
+%patch217 -p1 -b .bug77831
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1885,6 +1891,13 @@ EOF
 
 
 %changelog
+* Tue Apr  2 2019 Remi Collet <remi@remirepo.net> - 5.6.40-7
+- exif:
+  Fix #77753 Heap-buffer-overflow in php_ifd_get32s
+  Fix #77831 Heap-buffer-overflow in exif_iif_add_value
+- sqlite3:
+  Added sqlite3.defensive INI directive
+
 * Fri Mar 15 2019 Remi Collet <remi@remirepo.net> - 5.6.40-6
 - Fix #76846 Segfault in shutdown function after memory limit error