authorRemi Collet <remi@remirepo.net>2019-01-09 14:51:03 +0100
committerRemi Collet <remi@remirepo.net>2019-01-09 14:51:03 +0100
commit8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch)
tree9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a
parent022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff)
- core:
Fix #77369 memcpy with negative length via crafted DNS response - mbstring: Fix #77370 buffer overflow on mb regex functions - fetch_token Fix #77371 heap buffer overflow in mb regex functions compile_string_node Fix #77381 heap buffer overflow in multibyte match_at Fix #77382 heap buffer overflow in expand_case_fold_string Fix #77385 buffer overflow in fetch_token Fix #77394 buffer overflow in multibyte case folding - unicode Fix #77418 heap overflow in utf32be_mbc_to_code - phar: Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc: Fix #77242 heap out of bounds read in xmlrpc_decode Fix #77380 global out of bounds read in xmlrpc base64 code
-rw-r--r--failed.txt6
-rw-r--r--php-bug77242.patch45
-rw-r--r--php-bug77247.patch49
-rw-r--r--php-bug77369.patch42
-rw-r--r--php-bug77370.patch66
-rw-r--r--php-bug77371.patch41
-rw-r--r--php-bug77380.patch57
-rw-r--r--php-bug77381.patch158
-rw-r--r--php-bug77418.patch103
-rw-r--r--php.spec39
10 files changed, 603 insertions, 3 deletions
diff --git a/failed.txt b/failed.txt
index 4e81e54..240ccda 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.0.33 (2018-12-06)
+===== 7.0.33-2 (2019-01-10)
$ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
@@ -8,9 +8,11 @@ $ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
/var/lib/mock/scl70fc26x/build.log:Tests failed : 0
/var/lib/mock/scl70fc27x/build.log:Tests failed : 0
/var/lib/mock/scl70fc28x/build.log:Tests failed : 0
-/var/lib/mock/scl70fc29x/build.log:Tests failed : 0
+/var/lib/mock/scl70fc29x/build.log:Tests failed : 1
+fc29x:
+ 1 Bug #64438 proc_open hangs with stdin/out with 4097+ bytes [ext/standard/tests/streams/proc_open_bug64438.phpt]
1 proc_open give erratic test results :(
diff --git a/php-bug77242.patch b/php-bug77242.patch
new file mode 100644
index 0000000..b6afc78
--- /dev/null
+++ b/php-bug77242.patch
@@ -0,0 +1,45 @@
+Backported for 7.0 by Remi
+
+
+From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 17:56:36 -0800
+Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
+
+---
+ ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
+ ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 ext/xmlrpc/tests/bug77242.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
+index 56642d46142e..eeec5379bf68 100644
+--- a/ext/xmlrpc/libxmlrpc/xml_element.c
++++ b/ext/xmlrpc/libxmlrpc/xml_element.c
+@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
+ long byte_idx = XML_GetCurrentByteIndex(parser);
+ /* int byte_total = XML_GetCurrentByteCount(parser); */
+ const char * error_str = XML_ErrorString(err_code);
++ if(byte_idx > len) {
++ byte_idx = len;
++ }
+ if(byte_idx >= 0) {
+ snprintf(buf,
+ sizeof(buf),
+diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
+new file mode 100644
+index 000000000000..542c06311f74
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77242.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #77242 (heap out of bounds read in xmlrpc_decode())
++--SKIPIF--
++<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
++?>
++--EXPECT--
++NULL
+\ No newline at end of file
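Review bot: The `Backported for 7.0 by Remi` header on the first line of this patch says who backported it but not what differs from upstream 4fc0bceb7c39, so a later reviewer cannot tell whether only hunk offsets were adjusted or the C changed; a header such as `Backported for 7.0 by Remi (offsets only, code identical to upstream)` — or whatever the real delta is — would answer that at a glance. The same one-line header appears in php-bug77247.patch and php-bug77369.patch and would benefit from the same detail. The clamp itself (`if(byte_idx > len) byte_idx = len;`) is placed before the `byte_idx >= 0` test, so both ends of the range are now bounded before the value is used.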
diff --git a/php-bug77247.patch b/php-bug77247.patch
new file mode 100644
index 0000000..6a2c8b4
--- /dev/null
+++ b/php-bug77247.patch
@@ -0,0 +1,49 @@
+Backported for 7.0 by Remi
+
+
+From 78bd3477745f1ada9578a79f61edb41886bec1cb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 18:25:37 -0800
+Subject: [PATCH] Fix bug #77247 (heap buffer overflow in
+ phar_detect_phar_fname_ext)
+
+---
+ ext/phar/phar.c | 2 +-
+ ext/phar/tests/bug77247.phpt | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug77247.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 82a9ef31943a..0d2173195c32 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -2021,7 +2021,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha
+ }
+
+ while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
+- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
++ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
+ if (!pos) {
+ return FAILURE;
+ }
+diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
+new file mode 100644
+index 000000000000..588975f9f2f8
+--- /dev/null
++++ b/ext/phar/tests/bug77247.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++var_dump(new Phar('a/.b', 0,'test.phar'));
++} catch(UnexpectedValueException $e) {
++ echo "OK";
++}
++?>
++--EXPECT--
++OK
+\ No newline at end of file
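Review bot: The corrected length `filename_len - (pos - filename) - 1` is computed in signed arithmetic (the hunk header shows `int filename_len`, and `pos - filename` is a ptrdiff_t) and only then converted to `size_t` for memchr, so if `pos` ever reaches `filename + filename_len` the count wraps to a huge value rather than zero. I can't see from this hunk whether the loop invariant rules that out, so a guard or at least a comment, e.g. `/* pos < filename + filename_len here, so the count is >= 0 */`, would make the backport self-evidently safe. The `-1` itself is right: memchr starts at `pos + 1`, so one byte fewer remains.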
diff --git a/php-bug77369.patch b/php-bug77369.patch
new file mode 100644
index 0000000..21fb348
--- /dev/null
+++ b/php-bug77369.patch
@@ -0,0 +1,42 @@
+Backported for 7.0 by Remi
+
+
+From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 20:39:08 -0800
+Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS
+ response
+
+---
+ ext/standard/dns.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 8e102f816f6e..b5fbcb96f968 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u
+ GETLONG(ttl, cp);
+ GETSHORT(dlen, cp);
+ CHECKCP(dlen);
++ if (dlen == 0) {
++ /* No data in the response - nothing to do */
++ return NULL;
++ }
+ if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ cp += dlen;
+ return cp;
+@@ -549,7 +553,12 @@ static u_char *php_parserr(u_char *cp, u
+ CHECKCP(n);
+ add_assoc_stringl(subarray, "tag", (char*)cp, n);
+ cp += n;
+- add_assoc_string(subarray, "value", (char*)cp);
++ if ( (size_t) dlen < ((size_t)n) + 2 ) {
++ return NULL;
++ }
++ n = dlen - n - 2;
++ CHECKCP(n);
++ add_assoc_stringl(subarray, "value", (char*)cp, n);
+ break;
+ case DNS_T_TXT:
+ {
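Review bot: The new `if (dlen == 0) { return NULL; }` sits above the `type != type_to_fetch` skip, so a record with empty RDATA that the caller did not ask for now terminates parsing instead of being stepped over; if NULL is php_parserr's failure signal (its callers are outside this hunk), a T_ANY lookup would presumably drop every answer after such a record. Placing the check after the skip, or returning `cp` (the record is already fully consumed when dlen is 0), would keep the memcpy fix without that side effect. In the second hunk, `n = dlen - n - 2;` deserves a why-comment, e.g. `/* dlen covers flags(1) + taglen(1) + tag(n) + value */` — presumably those are the two bytes being subtracted, but the reader has to reconstruct that. The surrounding switch continues outside the hunk.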
diff --git a/php-bug77370.patch b/php-bug77370.patch
new file mode 100644
index 0000000..b85944a
--- /dev/null
+++ b/php-bug77370.patch
@@ -0,0 +1,66 @@
+From deb06bbb9cbb31292fc219501614a8c3ff25bb11 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 19:51:24 -0800
+Subject: [PATCH] Fix bug #77370 - check that we do not read past buffer end
+ when parsing multibytes
+
+---
+ ext/mbstring/oniguruma/regparse.c | 9 +++++++++
+ ext/mbstring/tests/bug77370.phpt | 13 +++++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 ext/mbstring/tests/bug77370.phpt
+
+diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
+index d2925f1e81b0..252ca1871202 100644
+--- a/ext/mbstring/oniguruma/regparse.c
++++ b/ext/mbstring/oniguruma/regparse.c
+@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ }
+ #endif
+
++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
++# define UNEXPECTED(condition) __builtin_expect(condition, 0)
++#else
++# define UNEXPECTED(condition) (condition)
++#endif
++
+ /* scan pattern methods */
+ #define PEND_VALUE 0
+
+@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+ pfetch_prev = p; \
+ p += ONIGENC_MBC_ENC_LEN(enc, p); \
++ if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+
+ #define PINC_S do { \
+ p += ONIGENC_MBC_ENC_LEN(enc, p); \
++ if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ #define PFETCH_S(c) do { \
+ c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+ p += ONIGENC_MBC_ENC_LEN(enc, p); \
++ if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+
+ #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
+diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt
+new file mode 100644
+index 000000000000..c4d25582fe3b
+--- /dev/null
++++ b/ext/mbstring/tests/bug77370.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_split(" \xfd",""));
++?>
++--EXPECT--
++array(1) {
++ [0]=>
++ string(0) ""
++}
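Review bot: The new `if(UNEXPECTED(p > end)) p = end;` in PFETCH, PINC_S and PFETCH_S repairs the pointer only after the fact: on the line before it, `ONIGENC_MBC_TO_CODE(enc, p, end)` has already decoded the sequence whose declared length runs past `end`, so the over-read moves from the scanner into the encoding's mbc_to_code (guarded only by php-bug77418.patch later in this commit, and only for UTF-16/32). The test `p > end` also depends on the out-of-range pointer having been formed, which C does not guarantee once it is more than one past the buffer; `if (ONIGENC_MBC_ENC_LEN(enc, p) > end - p) p = end; else p += ...` checks the same thing with in-range arithmetic. Minor: `UNEXPECTED(condition)` hands `condition` to `__builtin_expect` unparenthesised; `__builtin_expect(!!(condition), 0)` is the usual hygienic form.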
diff --git a/php-bug77371.patch b/php-bug77371.patch
new file mode 100644
index 0000000..e574827
--- /dev/null
+++ b/php-bug77371.patch
@@ -0,0 +1,41 @@
+From c6e34d91b88638966662caac62c4d0e90538e317 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 20:06:08 -0800
+Subject: [PATCH] Fix bug #77371 (heap buffer overflow in mb regex functions -
+ compile_string_node)
+
+---
+ ext/mbstring/oniguruma/regcomp.c | 1 +
+ ext/mbstring/tests/bug77371.phpt | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+ create mode 100644 ext/mbstring/tests/bug77371.phpt
+
+diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
+index b93ca948a773..c72d65d6942f 100644
+--- a/ext/mbstring/oniguruma/regcomp.c
++++ b/ext/mbstring/oniguruma/regcomp.c
+@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
+
+ for (; p < end; ) {
+ len = enclen(enc, p);
++ if (p + len > end) len = end - p;
+ if (len == prev_len) {
+ slen++;
+ }
+diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
+new file mode 100644
+index 000000000000..f23445bd0917
+--- /dev/null
++++ b/ext/mbstring/tests/bug77371.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
++?>
++--EXPECT--
++bool(false)
+\ No newline at end of file
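Review bot: `if (p + len > end) len = end - p;` computes `p + len` to discover that it points past the pattern buffer, i.e. it forms the very out-of-range pointer it is defending against; `if (len > end - p) len = end - p;` makes the same decision using only in-range pointer arithmetic. `end - p` is a ptrdiff_t silently narrowed into `int len` — fine for pattern sizes, but an explicit `(int)` would show it is intended. The same shape recurs in php-bug77381.patch (the `SAFE_ENC_LEN` macro and the unicode.c hunk), which replaces this line in compile_string_node; the loop body continues outside the hunk.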
diff --git a/php-bug77380.patch b/php-bug77380.patch
new file mode 100644
index 0000000..4aea7b5
--- /dev/null
+++ b/php-bug77380.patch
@@ -0,0 +1,57 @@
+From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 1 Jan 2019 17:15:20 -0800
+Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64
+ code)
+
+---
+ ext/xmlrpc/libxmlrpc/base64.c | 4 ++--
+ ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug77380.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
+index 5ebdf31f7ade..a4fa19327b76 100644
+--- a/ext/xmlrpc/libxmlrpc/base64.c
++++ b/ext/xmlrpc/libxmlrpc/base64.c
+@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
+
+ while (!hiteof) {
+ unsigned char igroup[3], ogroup[4];
+- int c, n;
++ int c, n;
+
+ igroup[0] = igroup[1] = igroup[2] = 0;
+ for (n = 0; n < 3; n++) {
+@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
+ return;
+ }
+
+- if (dtable[c] & 0x80) {
++ if (dtable[(unsigned char)c] & 0x80) {
+ /*
+ fprintf(stderr, "Offset %i length %i\n", offset, length);
+ fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
+diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt
+new file mode 100644
+index 000000000000..8559c07a5aea
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77380.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #77380 (Global out of bounds read in xmlrpc base64 code)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo=")));
++?>
++--EXPECT--
++object(stdClass)#1 (2) {
++ ["scalar"]=>
++ string(0) ""
++ ["xmlrpc_type"]=>
++ string(6) "base64"
++}
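Review bot: The first base64.c hunk removes and re-adds `int c, n;` with, as rendered here, no visible difference, so it appears to be a whitespace-only change that adds nothing to the backport and only widens the fuzz surface; keeping just the `dtable[(unsigned char)c]` hunk would be cleaner. The cast fixes the `& 0x80` test on the line shown, but if the decode loop later indexes `dtable` with the same `char c` to fetch the 6-bit value (that code is outside the hunk), it needs the identical cast, otherwise a high byte still yields a negative index where `char` is signed. The commented-out `fprintf` below it still shows `dtable[c]`, which is harmless but will mislead the next person who uncomments it.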
diff --git a/php-bug77381.patch b/php-bug77381.patch
new file mode 100644
index 0000000..7494049
--- /dev/null
+++ b/php-bug77381.patch
@@ -0,0 +1,158 @@
+From 31f59e1f3074ab344b473dde6077a6844ca87264 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 2 Jan 2019 00:36:30 -0800
+Subject: [PATCH] Fix more issues with encodilng length
+
+Should fix bug #77381, bug #77382, bug #77385, bug #77394.
+---
+ ext/mbstring/oniguruma/enc/unicode.c | 1 +
+ ext/mbstring/oniguruma/regcomp.c | 11 +++++------
+ ext/mbstring/oniguruma/regparse.c | 10 +++-------
+ ext/mbstring/oniguruma/regparse.h | 12 ++++++++++++
+ ext/mbstring/tests/bug77371.phpt | 2 +-
+ ext/mbstring/tests/bug77381.phpt | 16 ++++++++++++++++
+ 6 files changed, 38 insertions(+), 14 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug77381.phpt
+
+diff --git a/ext/mbstring/oniguruma/enc/unicode.c b/ext/mbstring/oniguruma/enc/unicode.c
+index e13429f51e9c..9f86095896b6 100644
+--- a/ext/mbstring/oniguruma/enc/unicode.c
++++ b/ext/mbstring/oniguruma/enc/unicode.c
+@@ -10989,6 +10989,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc,
+
+ code = ONIGENC_MBC_TO_CODE(enc, p, end);
+ len = enclen(enc, p);
++ if (*pp + len > end) len = end - *pp;
+ *pp += len;
+
+ #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
+diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
+index c72d65d6942f..820257341f54 100644
+--- a/ext/mbstring/oniguruma/regcomp.c
++++ b/ext/mbstring/oniguruma/regcomp.c
+@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, regex_t* reg)
+ ambig = NSTRING_IS_AMBIG(node);
+
+ p = prev = sn->s;
+- prev_len = enclen(enc, p);
++ SAFE_ENC_LEN(enc, p, sn->end, prev_len);
+ p += prev_len;
+ slen = 1;
+ rlen = 0;
+
+ for (; p < sn->end; ) {
+- len = enclen(enc, p);
++ SAFE_ENC_LEN(enc, p, sn->end, len);
+ if (len == prev_len) {
+ slen++;
+ }
+@@ -518,13 +518,12 @@ compile_string_node(Node* node, regex_t* reg)
+ ambig = NSTRING_IS_AMBIG(node);
+
+ p = prev = sn->s;
+- prev_len = enclen(enc, p);
++ SAFE_ENC_LEN(enc, p, end, prev_len);
+ p += prev_len;
+ slen = 1;
+
+ for (; p < end; ) {
+- len = enclen(enc, p);
+- if (p + len > end) len = end - p;
++ SAFE_ENC_LEN(enc, p, end, len);
+ if (len == prev_len) {
+ slen++;
+ }
+@@ -3391,7 +3390,7 @@ expand_case_fold_string(Node* node, regex_t* reg)
+ goto err;
+ }
+
+- len = enclen(reg->enc, p);
++ SAFE_ENC_LEN(reg->enc, p, end, len);
+
+ if (n == 0) {
+ if (IS_NULL(snode)) {
+diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
+index 252ca1871202..fcfaf4378c06 100644
+--- a/ext/mbstring/oniguruma/regparse.c
++++ b/ext/mbstring/oniguruma/regparse.c
+@@ -246,12 +246,6 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ }
+ #endif
+
+-#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+-# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+-#else
+-# define UNEXPECTED(condition) (condition)
+-#endif
+-
+ /* scan pattern methods */
+ #define PEND_VALUE 0
+
+@@ -3589,7 +3583,9 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
+ tok->u.code = (OnigCodePoint )num;
+ }
+ else { /* string */
+- p = tok->backp + enclen(enc, tok->backp);
++ int len;
++ SAFE_ENC_LEN(enc, tok->backp, end, len);
++ p = tok->backp + len;
+ }
+ break;
+ }
+diff --git a/ext/mbstring/oniguruma/regparse.h b/ext/mbstring/oniguruma/regparse.h
+index 0c5c2c936c04..bcab03ed5892 100644
+--- a/ext/mbstring/oniguruma/regparse.h
++++ b/ext/mbstring/oniguruma/regparse.h
+@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex_t*);
+ #endif
+ #endif
+
++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
++# define UNEXPECTED(condition) __builtin_expect(condition, 0)
++#else
++# define UNEXPECTED(condition) (condition)
++#endif
++
++#define SAFE_ENC_LEN(enc, p, end, res) do { \
++ int __res = enclen(enc, p); \
++ if (UNEXPECTED(p + __res > end)) __res = end - p; \
++ res = __res; \
++} while(0);
++
+ #endif /* REGPARSE_H */
+diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
+index f23445bd0917..33e5fc115c96 100644
+--- a/ext/mbstring/tests/bug77371.phpt
++++ b/ext/mbstring/tests/bug77371.phpt
+@@ -4,7 +4,7 @@ Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+ <?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+ --FILE--
+ <?php
+-var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));
+ ?>
+ --EXPECT--
+ bool(false)
+\ No newline at end of file
+diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt
+new file mode 100644
+index 000000000000..cb83759fc09b
+--- /dev/null
++++ b/ext/mbstring/tests/bug77381.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #77381 (heap buffer overflow in multibyte match_at)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_ereg("000||0\xfa","0"));
++var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));
++var_dump(mb_ereg("0000\\"."\xf5","0"));
++var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));
++?>
++--EXPECT--
++int(1)
++bool(false)
++bool(false)
++bool(false)
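Review bot: `SAFE_ENC_LEN` in the regparse.h hunk ends with `} while(0);` — the trailing semicolon means `if (x) SAFE_ENC_LEN(...); else ...` no longer parses, which defeats the point of the do/while wrapper. Its temporary `__res` is a reserved identifier (double underscore), `p + __res > end` forms the out-of-range pointer it is trying to avoid, and `end - p` (ptrdiff_t) is narrowed to `int` without a cast; the unicode.c hunk's `if (*pp + len > end) len = end - *pp;` has the same pointer-form issue. Moving `UNEXPECTED` into regparse.h also makes it visible to every file including that header, so if any of them also sees Zend's `UNEXPECTED` the unconditional `# define` will redefine it — an `#ifndef UNEXPECTED` guard around the block costs nothing. A version of the macro that avoids the first four points and keeps the same arguments and result:
```c
#define SAFE_ENC_LEN(enc, p, end, res) do { \
  int safe_len_ = enclen(enc, p); \
  /* compare lengths, not pointers: never form p + len past end */ \
  if (UNEXPECTED(safe_len_ > (end) - (p))) safe_len_ = (int)((end) - (p)); \
  (res) = safe_len_; \
} while (0)
```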
diff --git a/php-bug77418.patch b/php-bug77418.patch
new file mode 100644
index 0000000..7810cf6
--- /dev/null
+++ b/php-bug77418.patch
@@ -0,0 +1,103 @@
+From 9d6c59eeea88a3e9d7039cb4fed5126ef704593a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 6 Jan 2019 23:31:15 -0800
+Subject: [PATCH] Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
+
+---
+ NEWS | 7 ++++---
+ ext/mbstring/oniguruma/enc/utf16_be.c | 4 +++-
+ ext/mbstring/oniguruma/enc/utf16_le.c | 3 ++-
+ ext/mbstring/oniguruma/enc/utf32_be.c | 1 +
+ ext/mbstring/oniguruma/enc/utf32_le.c | 1 +
+ ext/mbstring/tests/bug77418.phpt | 14 ++++++++++++++
+ 6 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug77418.phpt
+
+diff --git a/ext/mbstring/oniguruma/enc/utf16_be.c b/ext/mbstring/oniguruma/enc/utf16_be.c
+index 1e909ebbf293..9e2f73b0735e 100644
+--- a/ext/mbstring/oniguruma/enc/utf16_be.c
++++ b/ext/mbstring/oniguruma/enc/utf16_be.c
+@@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end)
+ }
+
+ static OnigCodePoint
+-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++utf16be_mbc_to_code(const UChar* p, const UChar* end)
+ {
+ OnigCodePoint code;
+
+ if (UTF16_IS_SURROGATE_FIRST(*p)) {
++ if (end - p < 4) return 0;
+ code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
+ + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
+ + p[3];
+ }
+ else {
++ if (end - p < 2) return 0;
+ code = p[0] * 256 + p[1];
+ }
+ return code;
+diff --git a/ext/mbstring/oniguruma/enc/utf16_le.c b/ext/mbstring/oniguruma/enc/utf16_le.c
+index 5cc07591173a..580f8dffa2f4 100644
+--- a/ext/mbstring/oniguruma/enc/utf16_le.c
++++ b/ext/mbstring/oniguruma/enc/utf16_le.c
+@@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end)
+ }
+
+ static OnigCodePoint
+-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++utf16le_mbc_to_code(const UChar* p, const UChar* end)
+ {
+ OnigCodePoint code;
+ UChar c0 = *p;
+ UChar c1 = *(p+1);
+
+ if (UTF16_IS_SURROGATE_FIRST(c1)) {
++ if (end - p < 4) return 0;
+ code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16)
+ + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
+ + p[2];
+diff --git a/ext/mbstring/oniguruma/enc/utf32_be.c b/ext/mbstring/oniguruma/enc/utf32_be.c
+index b4f822607c89..5295f26b1e59 100644
+--- a/ext/mbstring/oniguruma/enc/utf32_be.c
++++ b/ext/mbstring/oniguruma/enc/utf32_be.c
+@@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
+ static OnigCodePoint
+ utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+ {
++ if (end - p < 4) return 0;
+ return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
+ }
+
+diff --git a/ext/mbstring/oniguruma/enc/utf32_le.c b/ext/mbstring/oniguruma/enc/utf32_le.c
+index 8f413bfc74e1..a78c4d0abcc7 100644
+--- a/ext/mbstring/oniguruma/enc/utf32_le.c
++++ b/ext/mbstring/oniguruma/enc/utf32_le.c
+@@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end)
+ static OnigCodePoint
+ utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+ {
++ if (end - p < 4) return 0;
+ return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
+ }
+
+diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt
+new file mode 100644
+index 000000000000..b4acc45c2117
+--- /dev/null
++++ b/ext/mbstring/tests/bug77418.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #77371 (Heap overflow in utf32be_mbc_to_code)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++mb_regex_encoding("UTF-32");
++var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
++?>
++--EXPECT--
++array(1) {
++ [0]=>
++ string(30) "000000000000000000000000000000"
++}
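Review bot: `utf16le_mbc_to_code` still loads `*(p+1)` into `c1` before any length check, and unlike the utf16_be.c hunk it gets no `end - p < 2` guard for the non-surrogate branch, so a one-byte tail at the end of the subject still over-reads by one; the guard has to come before the `c0`/`c1` loads, as below. The `end - p < 4` returns hand back code point 0 for a truncated sequence, which callers presumably treat as a literal NUL — worth a one-line comment at each return so nobody later "fixes" it into an error code without checking the callers. Separately, bug77418.phpt's `--TEST--` line reads `Bug #77371 (Heap overflow in utf32be_mbc_to_code)`; it should say `Bug #77418 (...)`.
```c
utf16le_mbc_to_code(const UChar* p, const UChar* end)
{
  OnigCodePoint code;
  UChar c0, c1;

  if (end - p < 2) return 0;   /* truncated unit: nothing safe to read */
  c0 = *p;
  c1 = *(p+1);

  if (UTF16_IS_SURROGATE_FIRST(c1)) {
    if (end - p < 4) return 0;
    /* … unchanged: surrogate-pair and single-unit decoding … */
```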
diff --git a/php.spec b/php.spec
index 42de827..aa82877 100644
--- a/php.spec
+++ b/php.spec
@@ -126,7 +126,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 1%{?dist}
+Release: 2%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -187,8 +187,17 @@ Patch91: php-5.6.3-oci8conf.patch
# Upstream fixes (100+)
Patch100: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch
Patch101: https://github.com/php/php-src/commit/2ef8809ef3beb5f58b81dcff49bdcde4d2cb8426.patch
+Patch102: php-openssl-cert.patch
# Security fixes (200+)
+Patch200: php-bug77242.patch
+Patch201: php-bug77247.patch
+Patch202: php-bug77370.patch
+Patch203: php-bug77371.patch
+Patch204: php-bug77380.patch
+Patch205: php-bug77381.patch
+Patch206: php-bug77369.patch
+Patch207: php-bug77418.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
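Review bot: `Patch102: php-openssl-cert.patch` is added here, but no file of that name appears in this commit's file list, and the new changelog entry does not mention it either; unless it already exists in the tree, `%prep` will stop at `%patch102` in the next hunk. Either add the file (and a changelog line for it) or drop the `Patch102` line. Ordering nit: Patch200–205 ascend by bug number but Patch206 is bug77369 and Patch207 is bug77418, so a reader scanning for a bug cannot rely on the sequence.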
@@ -919,8 +928,19 @@ support for JavaScript Object Notation (JSON) to PHP.
# upstream patches
%patch100 -p1 -b .up1
%patch101 -p1 -b .up2
+%patch102 -p1 -b .up3
# security patches
+%patch200 -p1 -b .bug77242
+%patch201 -p1 -b .bug77247
+%patch202 -p1 -b .bug77370
+%patch203 -p1 -b .bug77371
+%patch204 -p1 -b .bug77380
+%patch205 -p1 -b .bug77381
+%patch206 -p1 -b .bug77369
+%patch207 -p1 -b .bug77418
+: ---------------------------
+#exit 1
# Fixes for tests
%patch300 -p1 -b .datetests
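Review bot: `: ---------------------------` and `#exit 1` after `%patch207` look like debugging scaffolding left in `%prep` — a no-op colon command and a commented-out early exit — presumably from testing that the new patch set applies. They should be removed before the build is tagged, or, if the separator is meant to stay as a visual marker, replaced by a plain `# ---` comment so it does not execute at all.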
@@ -1854,6 +1874,23 @@ fi
%changelog
+* Wed Jan 9 2019 Remi Collet <remi@remirepo.net> - 7.0.33-2
+- core:
+ Fix #77369 memcpy with negative length via crafted DNS response
+- mbstring:
+ Fix #77370 buffer overflow on mb regex functions - fetch_token
+ Fix #77371 heap buffer overflow in mb regex functions compile_string_node
+ Fix #77381 heap buffer overflow in multibyte match_at
+ Fix #77382 heap buffer overflow in expand_case_fold_string
+ Fix #77385 buffer overflow in fetch_token
+ Fix #77394 buffer overflow in multibyte case folding - unicode
+ Fix #77418 heap overflow in utf32be_mbc_to_code
+- phar:
+ Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext
+- xmlrpc:
+ Fix #77242 heap out of bounds read in xmlrpc_decode
+ Fix #77380 global out of bounds read in xmlrpc base64 code
+
* Wed Dec 5 2018 Remi Collet <remi@remirepo.net> - 7.0.33-1
- Update to 7.0.33 - http://www.php.net/releases/7_0_33.php
- use oracle client library version 18.3