diff options
| author | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
|---|---|---|
| committer | Remi Collet <fedora@famillecollet.com> | 2016-06-23 15:53:37 +0200 |
| commit | e2958a432947f16a89f196171a572abc1c506154 (patch) | |
| tree | de3eb8998c1b54f88954a46feccd716edd83c4ea | |
| parent | 003b71973f17c66ab9544546f693f290dbfa300e (diff) | |
PHP 5.4.45 with security fix from 5.5.37
| -rw-r--r-- | bug66387.patch | 57 | ||||
| -rw-r--r-- | bug72275.patch | 59 | ||||
| -rw-r--r-- | bug72298.patch | 93 | ||||
| -rw-r--r-- | bug72339.patch | 127 | ||||
| -rw-r--r-- | bug72340.patch | 66 | ||||
| -rw-r--r-- | bug72400.patch | 113 | ||||
| -rw-r--r-- | bug72402.patch | 284 | ||||
| -rw-r--r-- | bug72433.patch | 113 | ||||
| -rw-r--r-- | bug72434.patch | 78 | ||||
| -rw-r--r-- | bug72446.patch | 30 | ||||
| -rw-r--r-- | bug72455.patch | 39 | ||||
| -rw-r--r-- | failed.txt | 7 | ||||
| -rw-r--r-- | php54.spec | 47 |
13 files changed, 1109 insertions, 4 deletions
diff --git a/bug66387.patch b/bug66387.patch new file mode 100644 index 0000000..51291ab --- /dev/null +++ b/bug66387.patch @@ -0,0 +1,57 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From f96ebb098697908641c6d37e1149cde1f90417fd Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" <cmb@php.net> +Date: Mon, 20 Jul 2015 23:24:55 +0200 +Subject: [PATCH] Fix #66387: Stack overflow with imagefilltoborder + +The stack overflow is caused by the recursive algorithm in combination with a +very large negative coordinate passed to gdImageFillToBorder(). As there is +already a clipping for large positive coordinates to the width and height of +the image, it seems to be consequent to clip to zero also. +--- + ext/gd/libgd/gd.c | 4 ++++ + ext/gd/tests/bug66387.phpt | 15 +++++++++++++++ + 2 files changed, 19 insertions(+) + create mode 100644 ext/gd/tests/bug66387.phpt + +diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c +index d73f094..2c63aac 100644 +--- a/ext/gd/libgd/gd.c ++++ b/ext/gd/libgd/gd.c +@@ -1770,9 +1770,13 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color) + + if (x >= im->sx) { + x = im->sx - 1; ++ } else if (x < 0) { ++ x = 0; + } + if (y >= im->sy) { + y = im->sy - 1; ++ } else if (y < 0) { ++ y = 0; + } + + for (i = x; i >= 0; i--) { +diff --git a/ext/gd/tests/bug66387.phpt b/ext/gd/tests/bug66387.phpt +new file mode 100644 +index 0000000..79c49a5 +--- /dev/null ++++ b/ext/gd/tests/bug66387.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #66387 (Stack overflow with imagefilltoborder) ++--SKIPIF-- ++<?php ++if (!extension_loaded('gd')) die('skip gd extension not available!'); ++?> ++--FILE-- ++<?php ++$im = imagecreatetruecolor(20, 20); ++$c = imagecolorallocate($im, 255, 0, 0); ++imagefilltoborder($im, 0, -999355, $c, $c); ++echo "ready\n"; ++?> ++--EXPECT-- ++ready diff --git a/bug72275.patch b/bug72275.patch new file mode 100644 index 0000000..d28651e --- /dev/null +++ b/bug72275.patch @@ -0,0 +1,59 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From 489fd56fe37bf40a662931c2b4d5baa918f13e37 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 13 Jun 2016 23:12:47 -0700 +Subject: [PATCH] Fix bug #72275: don't allow smart_str to overflow int + +--- + ext/standard/php_smart_str.h | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ext/standard/php_smart_str.h b/ext/standard/php_smart_str.h +index 1872fa8..fc1a753 100644 +--- a/ext/standard/php_smart_str.h ++++ b/ext/standard/php_smart_str.h +@@ -63,6 +63,9 @@ + newlen = (d)->len + (n); \ + if (newlen >= (d)->a) { \ + (d)->a = newlen + SMART_STR_PREALLOC; \ ++ if (UNEXPECTED((d)->a >= INT_MAX)) { \ ++ zend_error(E_ERROR, "String size overflow"); \ ++ } \ + SMART_STR_DO_REALLOC(d, what); \ + } \ + } \ +@@ -148,17 +151,17 @@ + * for GCC compatible compilers, e.g. + * + * #define f(..) ({char *r;..;__r;}) +- */ +- ++ */ ++ + static inline char *smart_str_print_long(char *buf, long num) { +- char *r; +- smart_str_print_long4(buf, num, unsigned long, r); ++ char *r; ++ smart_str_print_long4(buf, num, unsigned long, r); + return r; + } + + static inline char *smart_str_print_unsigned(char *buf, long num) { +- char *r; +- smart_str_print_unsigned4(buf, num, unsigned long, r); ++ char *r; ++ smart_str_print_unsigned4(buf, num, unsigned long, r); + return r; + } + +@@ -168,7 +171,7 @@ static inline char *smart_str_print_unsigned(char *buf, long num) { + smart_str_print##func##4 (__b + sizeof(__b) - 1, (num), vartype, __t); \ + smart_str_appendl_ex((dest), __t, __b + sizeof(__b) - 1 - __t, (type)); \ + } while (0) +- ++ + #define smart_str_append_unsigned_ex(dest, num, type) \ + smart_str_append_generic_ex((dest), (num), (type), unsigned long, _unsigned) + diff --git a/bug72298.patch b/bug72298.patch new file mode 100644 index 0000000..206578e --- /dev/null +++ b/bug72298.patch @@ -0,0 +1,93 @@ +From e9ac8954be9f7d988189df44578d759ffdea3512 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 18 Jun 2016 21:04:33 -0700 +Subject: [PATCH] Fix bug #72298 pass2_no_dither out-of-bounds access + +--- + ext/gd/libgd/gd_topal.c | 14 +++++++------- + ext/gd/tests/bug72298.phpt | 15 +++++++++++++++ + 2 files changed, 22 insertions(+), 7 deletions(-) + create mode 100644 ext/gd/tests/bug72298.phpt + +diff --git a/ext/gd/libgd/gd_topal.c b/ext/gd/libgd/gd_topal.c +index b9cb928..d8dda45 100644 +--- a/ext/gd/libgd/gd_topal.c ++++ b/ext/gd/libgd/gd_topal.c +@@ -43,7 +43,7 @@ + * If it is not working, it's not Thomas G. Lane's fault. + */ + +-/* ++/* + SETTING THIS ONE CAUSES STRIPED IMAGE + to be done: solve this + #define ORIGINAL_LIB_JPEG_REVERSE_ODD_ROWS +@@ -152,7 +152,7 @@ + * color space, and repeatedly splits the "largest" remaining box until we + * have as many boxes as desired colors. Then the mean color in each + * remaining box becomes one of the possible output colors. +- * ++ * + * The second pass over the image maps each input pixel to the closest output + * color (optionally after applying a Floyd-Steinberg dithering correction). + * This mapping is logically trivial, but making it go fast enough requires +@@ -1320,16 +1320,16 @@ pass2_no_dither (j_decompress_ptr cinfo, + #else + r = gdTrueColorGetRed (*inptr); + g = gdTrueColorGetGreen (*inptr); +- /* ++ /* + 2.0.24: inptr must not be incremented until after +- transparency check, if any. Thanks to "Super Pikeman." ++ transparency check, if any. Thanks to "Super Pikeman." + */ + b = gdTrueColorGetBlue (*inptr); + + /* If the pixel is transparent, we assign it the palette index that + * will later be added at the end of the palette as the transparent + * index. */ +- if ((oim->transparent >= 0) && (oim->transparent == *(inptr - 1))) ++ if ((oim->transparent >= 0) && (oim->transparent == *inptr)) + { + *outptr++ = nim->colorsTotal; + inptr++; +@@ -1795,7 +1795,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color + } + } else { + nim = oim; +- } ++ } + if (!oim->trueColor) + { + /* (Almost) nothing to do! */ +@@ -2004,7 +2004,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color + } + + /* Success! Get rid of the truecolor image data. */ +- if (!cimP) { ++ if (!cimP) { + oim->trueColor = 0; + /* Junk the truecolor pixels */ + for (i = 0; i < oim->sy; i++) +diff --git a/ext/gd/tests/bug72298.phpt b/ext/gd/tests/bug72298.phpt +new file mode 100644 +index 0000000..7fba241 +--- /dev/null ++++ b/ext/gd/tests/bug72298.phpt +@@ -0,0 +1,15 @@ ++--TEST-- ++Bug #72298: pass2_no_dither out-of-bounds access ++--SKIPIF-- ++<?php ++ if (!extension_loaded('gd')) die("skip gd extension not available\n"); ++?> ++--FILE-- ++<?php ++$img = imagecreatetruecolor (1 , 1); ++imagecolortransparent($img, 0); ++imagetruecolortopalette($img, false, 4); ++?> ++DONE ++--EXPECT-- ++DONE +\ No newline at end of file diff --git a/bug72339.patch b/bug72339.patch new file mode 100644 index 0000000..da385e8 --- /dev/null +++ b/bug72339.patch @@ -0,0 +1,127 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001 +From: Pierre Joye <pajoye@php.net> +Date: Sat, 18 Jun 2016 20:15:10 +0200 +Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in + heap overflow + +--- + ext/gd/libgd/gd_gd2.c | 7 +++++++ + ext/gd/tests/bug72339.gd | Bin 0 -> 67108882 bytes + ext/gd/tests/bug72339.phpt | 11 +++++++++++ + 3 files changed, 18 insertions(+) + create mode 100644 ext/gd/tests/bug72339.gd + create mode 100644 ext/gd/tests/bug72339.phpt + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index 6726fee..63e3aef 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in + if (gd2_compressed(*fmt)) { + nc = (*ncx) * (*ncy); + GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); ++ if (overflow2(sidx, nc)) { ++ goto fail1; ++ } + sidx = sizeof(t_chunk_info) * nc; + if (sidx <= 0) { + goto fail1; + } + cidx = gdCalloc(sidx, 1); ++ if (cidx == NULL) { ++ goto fail1; ++ } ++ + for (i = 0; i < nc; i++) { + if (gdGetInt(&cidx[i].offset, in) != 1) { + gdFree(cidx); +diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt +new file mode 100644 +index 0000000..763ae71 +--- /dev/null ++++ b/ext/gd/tests/bug72339.phpt +@@ -0,0 +1,11 @@ ++--TEST-- ++Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow ++--SKIPIF-- ++<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?> ++--FILE-- ++<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?> ++--EXPECTF-- ++Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully ++ in %sbug72339.php on line %d ++ ++Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d + +From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jun 2016 22:54:55 -0700 +Subject: [PATCH] fix tests + +--- + ext/gd/libgd/gd_gd2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c +index 63e3aef..e954aaf 100644 +--- a/ext/gd/libgd/gd_gd2.c ++++ b/ext/gd/libgd/gd_gd2.c +@@ -138,7 +138,7 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in + if (gd2_compressed(*fmt)) { + nc = (*ncx) * (*ncy); + GD2_DBG(php_gd_error("Reading %d chunk index entries", nc)); +- if (overflow2(sidx, nc)) { ++ if (overflow2(sizeof(t_chunk_info), nc)) { + goto fail1; + } + sidx = sizeof(t_chunk_info) * nc; + +From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001 +From: Anatol Belski <ab@php.net> +Date: Tue, 21 Jun 2016 09:42:38 +0200 +Subject: [PATCH] remove the huge test file, generate it on the fly instead + +--- + ext/gd/tests/bug72339.gd | Bin 67108882 -> 0 bytes + ext/gd/tests/bug72339.phpt | 24 +++++++++++++++++++++++- + 2 files changed, 23 insertions(+), 1 deletion(-) + delete mode 100644 ext/gd/tests/bug72339.gd + +diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt +index 763ae71..2c30ee8 100644 +--- a/ext/gd/tests/bug72339.phpt ++++ b/ext/gd/tests/bug72339.phpt +@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow + --SKIPIF-- + <?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?> + --FILE-- +-<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?> ++<?php ++$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"; ++ ++$fh = fopen($fname, "w"); ++fwrite($fh, "gd2\x00"); ++fwrite($fh, pack("n", 2)); ++fwrite($fh, pack("n", 1)); ++fwrite($fh, pack("n", 1)); ++fwrite($fh, pack("n", 0x40)); ++fwrite($fh, pack("n", 2)); ++fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide ++fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically ++fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data ++fclose($fh); ++ ++$im = imagecreatefromgd2($fname); ++ ++if ($im) { ++ imagedestroy($im); ++} ++unlink($fname); ++ ++?> + --EXPECTF-- + Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %sbug72339.php on line %d diff --git a/bug72340.patch b/bug72340.patch new file mode 100644 index 0000000..39646e5 --- /dev/null +++ b/bug72340.patch @@ -0,0 +1,66 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From a44c89e8af7c2410f4bfc5e097be2a5d0639a60c Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sun, 12 Jun 2016 23:18:23 -0700 +Subject: [PATCH] Fix bug #72340: Double Free Courruption in wddx_deserialize + +--- + ext/wddx/tests/bug72340.phpt | 24 ++++++++++++++++++++++++ + ext/wddx/wddx.c | 4 ++++ + 2 files changed, 28 insertions(+) + create mode 100644 ext/wddx/tests/bug72340.phpt + +diff --git a/ext/wddx/tests/bug72340.phpt b/ext/wddx/tests/bug72340.phpt +new file mode 100644 +index 0000000..8d694ca +--- /dev/null ++++ b/ext/wddx/tests/bug72340.phpt +@@ -0,0 +1,24 @@ ++--TEST-- ++Bug #72340: Double Free Courruption in wddx_deserialize ++--SKIPIF-- ++<?php ++if (!extension_loaded("wddx")) print "skip"; ++?> ++--FILE-- ++<?php ++$xml = <<<EOF ++<?xml version='1.0' ?> ++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'> ++<wddxPacket version='1.0'> ++ <array><var name="XXXXXXXX"><boolean value="none">TEST</boolean></var> ++ <var name="YYYYYYYY"><var name="ZZZZZZZZ"><var name="EZEZEZEZ"> ++ </var></var></var> ++ </array> ++</wddxPacket> ++EOF; ++$array = wddx_deserialize($xml); ++var_dump($array); ++?> ++--EXPECT-- ++array(0) { ++} +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index da34246..311d6aa 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -1096,6 +1096,9 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + break; + + case ST_BOOLEAN: ++ if(!ent->data) { ++ break; ++ } + if (!strcmp(s, "true")) { + Z_LVAL_P(ent->data) = 1; + } else if (!strcmp(s, "false")) { +@@ -1104,6 +1107,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len) + zval_ptr_dtor(&ent->data); + if (ent->varname) { + efree(ent->varname); ++ ent->varname = NULL; + } + ent->data = NULL; + } diff --git a/bug72400.patch b/bug72400.patch new file mode 100644 index 0000000..363a598 --- /dev/null +++ b/bug72400.patch @@ -0,0 +1,113 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From 88746d60ab3ad51797612ee62603bb3e08d4aac4 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Wed, 15 Jun 2016 21:46:46 -0700 +Subject: [PATCH] Fix bug #72400 and #72403 - prevent signed int overflows for + string lengths + +--- + ext/standard/string.c | 25 ++++++++++++-- + ext/standard/url.c | 96 +++++++++++++++++++++++++++------------------------ + 2 files changed, 72 insertions(+), 49 deletions(-) + +diff --git a/ext/standard/string.c b/ext/standard/string.c +index 63eede1..acb6a01 100644 +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -137,6 +137,9 @@ static char *php_bin2hex(const unsigned char *old, const size_t oldlen, size_t * + register unsigned char *result = NULL; + size_t i, j; + ++ if (UNEXPECTED(oldlen * 2 * sizeof(char) > INT_MAX)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } + result = (unsigned char *) safe_emalloc(oldlen, 2 * sizeof(char), 1); + + for (i = j = 0; i < oldlen; i++) { +@@ -2602,6 +2605,7 @@ PHP_FUNCTION(quotemeta) + char *p, *q; + char c; + int old_len; ++ size_t new_len; + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &old, &old_len) == FAILURE) { + return; +@@ -2636,8 +2640,13 @@ PHP_FUNCTION(quotemeta) + } + } + *q = 0; ++ new_len = q - str; ++ if (UNEXPECTED(new_len > INT_MAX)) { ++ efree(str); ++ zend_error(E_ERROR, "String size overflow"); ++ } + +- RETURN_STRINGL(erealloc(str, q - str + 1), q - str, 0); ++ RETURN_STRINGL(erealloc(str, new_len + 1), new_len, 0); + } + /* }}} */ + +@@ -3539,7 +3548,7 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s + char *source, *target; + char *end; + char c; +- int newlen; ++ size_t newlen; + + if (!wlength) { + wlength = strlen(what); +@@ -3570,11 +3579,15 @@ PHPAPI char *php_addcslashes(const char *str, int length, int *new_length, int s + } + *target = 0; + newlen = target - new_str; ++ if (UNEXPECTED(newlen > INT_MAX)) { ++ efree(new_str); ++ zend_error(E_ERROR, "String size overflow"); ++ } + if (target - new_str < length * 4) { + new_str = erealloc(new_str, newlen + 1); + } + if (new_length) { +- *new_length = newlen; ++ *new_length = (int)newlen; + } + if (should_free) { + STR_FREE((char*)str); +@@ -3626,6 +3639,9 @@ PHPAPI char *php_addslashes(char *str, int length, int *new_length, int should_f + + *target = 0; + *new_length = target - new_str; ++ if (UNEXPECTED(*new_length < 0)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } + if (should_free) { + STR_FREE(str); + } +@@ -4329,6 +4345,9 @@ PHP_FUNCTION(nl2br) + size_t repl_len = is_xhtml ? (sizeof("<br />") - 1) : (sizeof("<br>") - 1); + + new_length = str_len + repl_cnt * repl_len; ++ if (UNEXPECTED(new_length > INT_MAX)) { ++ zend_error(E_ERROR, "String size overflow"); ++ } + tmp = target = safe_emalloc(repl_cnt, repl_len, str_len + 1); + } + +diff --git a/ext/standard/url.c b/ext/standard/url.c +index 27a216a..fc3f080 100644 +--- a/ext/standard/url.c ++++ b/ext/standard/url.c +@@ -626,6 +626,10 @@ PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length) + if (new_length) { + *new_length = y; + } ++ if (UNEXPECTED(y > INT_MAX)) { ++ efree(str); ++ zend_error(E_ERROR, "String size overflow"); ++ } + return ((char *) str); + } + /* }}} */ + diff --git a/bug72402.patch b/bug72402.patch new file mode 100644 index 0000000..5e7243f --- /dev/null +++ b/bug72402.patch @@ -0,0 +1,284 @@ +From 5b597a2e5b28e2d5a52fc1be13f425f08f47cb62 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Sat, 18 Jun 2016 21:48:39 -0700 +Subject: [PATCH] Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free + +--- + ext/mbstring/php_mbregex.c | 65 ++++++++++++++++++++-------------------- + ext/mbstring/tests/bug72402.phpt | 17 +++++++++++ + 2 files changed, 49 insertions(+), 33 deletions(-) + create mode 100644 ext/mbstring/tests/bug72402.phpt + +diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c +index d73c848..6cdee23 100644 +--- a/ext/mbstring/php_mbregex.c ++++ b/ext/mbstring/php_mbregex.c +@@ -32,7 +32,7 @@ + #include "ext/standard/info.h" + #include "php_mbregex.h" + #include "mbstring.h" +- ++ + #include "php_onig_compat.h" /* must come prior to the oniguruma header */ + #include <oniguruma.h> + #undef UChar +@@ -55,7 +55,7 @@ struct _zend_mb_regex_globals { + #define MBREX(g) (MBSTRG(mb_regex_globals)->g) + + /* {{{ static void php_mb_regex_free_cache() */ +-static void php_mb_regex_free_cache(php_mb_regex_t **pre) ++static void php_mb_regex_free_cache(php_mb_regex_t **pre) + { + onig_free(*pre); + } +@@ -78,7 +78,7 @@ static int _php_mb_regex_globals_ctor(zend_mb_regex_globals *pglobals TSRMLS_DC) + /* }}} */ + + /* {{{ _php_mb_regex_globals_dtor */ +-static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC) ++static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC) + { + zend_hash_destroy(&pglobals->ht_rc); + } +@@ -466,7 +466,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl + retval = *rc; + } + out: +- return retval; ++ return retval; + } + /* }}} */ + +@@ -483,7 +483,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = 'i'; + } +- ++len_req; ++ ++len_req; + } + + if ((option & ONIG_OPTION_EXTEND) != 0) { +@@ -491,7 +491,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = 'x'; + } +- ++len_req; ++ ++len_req; + } + + if ((option & (ONIG_OPTION_MULTILINE | ONIG_OPTION_SINGLELINE)) == +@@ -500,14 +500,14 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = 'p'; + } +- ++len_req; ++ ++len_req; + } else { + if ((option & ONIG_OPTION_MULTILINE) != 0) { + if (len_left > 0) { + --len_left; + *(p++) = 'm'; + } +- ++len_req; ++ ++len_req; + } + + if ((option & ONIG_OPTION_SINGLELINE) != 0) { +@@ -515,22 +515,22 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = 's'; + } +- ++len_req; ++ ++len_req; + } +- } ++ } + if ((option & ONIG_OPTION_FIND_LONGEST) != 0) { + if (len_left > 0) { + --len_left; + *(p++) = 'l'; + } +- ++len_req; ++ ++len_req; + } + if ((option & ONIG_OPTION_FIND_NOT_EMPTY) != 0) { + if (len_left > 0) { + --len_left; + *(p++) = 'n'; + } +- ++len_req; ++ ++len_req; + } + + c = 0; +@@ -566,7 +566,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + --len_left; + *(p++) = '\0'; + } +- ++len_req; ++ ++len_req; + if (len < len_req) { + return len_req; + } +@@ -577,11 +577,11 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT + + /* {{{ _php_mb_regex_init_options */ + static void +-_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval) ++_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval) + { + int n; + char c; +- int optm = 0; ++ int optm = 0; + + *syntax = ONIG_SYNTAX_RUBY; + +@@ -636,13 +636,13 @@ _php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, O + *syntax = ONIG_SYNTAX_POSIX_EXTENDED; + break; + case 'e': +- if (eval != NULL) *eval = 1; ++ if (eval != NULL) *eval = 1; + break; + default: + break; + } + } +- if (option != NULL) *option|=optm; ++ if (option != NULL) *option|=optm; + } + } + /* }}} */ +@@ -860,11 +860,11 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + } else { + /* FIXME: this code is not multibyte aware! */ + convert_to_long_ex(arg_pattern_zval); +- pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval); ++ pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval); + pat_buf[1] = '\0'; + + arg_pattern = pat_buf; +- arg_pattern_len = 1; ++ arg_pattern_len = 1; + } + /* create regex pattern buffer */ + re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, options, MBREX(current_mbctype), syntax TSRMLS_CC); +@@ -934,7 +934,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + } + } + } +- ++ + if (eval) { + zval v; + /* null terminate buffer */ +@@ -953,32 +953,31 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + eval_buf.len = 0; + zval_dtor(&v); + } else if (is_callable) { +- zval *retval_ptr; ++ zval *retval_ptr = NULL; + zval **args[1]; + zval *subpats; + int i; +- ++ + MAKE_STD_ZVAL(subpats); + array_init(subpats); +- ++ + for (i = 0; i < regs->num_regs; i++) { + add_next_index_stringl(subpats, string + regs->beg[i], regs->end[i] - regs->beg[i], 1); +- } +- ++ } ++ + args[0] = &subpats; + /* null terminate buffer */ + smart_str_0(&eval_buf); +- ++ + arg_replace_fci.param_count = 1; + arg_replace_fci.params = args; + arg_replace_fci.retval_ptr_ptr = &retval_ptr; +- if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) { ++ if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) { + convert_to_string_ex(&retval_ptr); + smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr)); + eval_buf.len = 0; + zval_ptr_dtor(&retval_ptr); + } else { +- efree(description); + if (!EG(exception)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function"); + } +@@ -991,7 +990,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + pos = (OnigUChar *)string + n; + } else { + if (pos < string_lim) { +- smart_str_appendl(&out_buf, pos, 1); ++ smart_str_appendl(&out_buf, pos, 1); + } + pos++; + } +@@ -1013,7 +1012,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp + smart_str_free(&eval_buf); + + if (err <= -2) { +- smart_str_free(&out_buf); ++ smart_str_free(&out_buf); + RETVAL_FALSE; + } else { + smart_str_appendc(&out_buf, '\0'); +@@ -1063,7 +1062,7 @@ PHP_FUNCTION(mb_split) + + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) { + RETURN_FALSE; +- } ++ } + + if (count > 0) { + count--; +@@ -1317,7 +1316,7 @@ PHP_FUNCTION(mb_ereg_search_init) + if (zend_parse_parameters(argc TSRMLS_CC, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) { + return; + } +- ++ + if (argc > 1 && arg_pattern_len == 0) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty pattern"); + RETURN_FALSE; +@@ -1416,7 +1415,7 @@ PHP_FUNCTION(mb_ereg_search_setpos) + /* }}} */ + + /* {{{ php_mb_regex_set_options */ +-static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC) ++static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC) + { + if (prev_options != NULL) { + *prev_options = MBREX(regex_default_options); +diff --git a/ext/mbstring/tests/bug72402.phpt b/ext/mbstring/tests/bug72402.phpt +new file mode 100644 +index 0000000..abb290b +--- /dev/null ++++ b/ext/mbstring/tests/bug72402.phpt +@@ -0,0 +1,17 @@ ++--TEST-- ++Bug #72402: _php_mb_regex_ereg_replace_exec - double free ++--SKIPIF-- ++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?> ++--FILE-- ++<?php ++function throwit() { ++ throw new Exception('it'); ++} ++$var10 = "throwit"; ++try { ++ $var14 = mb_ereg_replace_callback("", $var10, ""); ++} catch(Exception $e) {} ++?> ++DONE ++--EXPECT-- ++DONE +\ No newline at end of file diff --git a/bug72433.patch b/bug72433.patch new file mode 100644 index 0000000..79b7265 --- /dev/null +++ b/bug72433.patch @@ -0,0 +1,113 @@ +From 3f627e580acfdaf0595ae3b115b8bec677f203ee Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jun 2016 21:26:33 -0700 +Subject: [PATCH] Fixed ##72433: Use After Free Vulnerability in PHP's GC + algorithm and unserialize + +--- + Zend/tests/gc_024.phpt | 2 +- + ext/spl/spl_array.c | 11 +++++++++++ + ext/standard/tests/strings/bug72433.phpt | 32 ++++++++++++++++++++++++++++++++ + 3 files changed, 44 insertions(+), 1 deletion(-) + create mode 100644 ext/standard/tests/strings/bug72433.phpt + +diff --git a/Zend/tests/gc_024.phpt b/Zend/tests/gc_024.phpt +index 9a2ceb8..ca78da6 100644 +--- a/Zend/tests/gc_024.phpt ++++ b/Zend/tests/gc_024.phpt +@@ -13,5 +13,5 @@ var_dump(gc_collect_cycles()); + echo "ok\n"; + ?> + --EXPECT-- +-int(1) ++int(2) + ok +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index c89cf49..4e03c40 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -831,6 +831,16 @@ static HashTable* spl_array_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /* + } + /* }}} */ + ++static HashTable *spl_array_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */ ++{ ++ spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC); ++ ++ *gc_data = &intern->array; ++ *gc_data_count = 1; ++ return zend_std_get_properties(object); ++} ++/* }}} */ ++ + static zval *spl_array_read_property(zval *object, zval *member, int type, const zend_literal *key TSRMLS_DC) /* {{{ */ + { + spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC); +@@ -1973,6 +1983,7 @@ PHP_MINIT_FUNCTION(spl_array) + + spl_handler_ArrayObject.get_properties = spl_array_get_properties; + spl_handler_ArrayObject.get_debug_info = spl_array_get_debug_info; ++ spl_handler_ArrayObject.get_gc = spl_array_get_gc; + spl_handler_ArrayObject.read_property = spl_array_read_property; + spl_handler_ArrayObject.write_property = spl_array_write_property; + spl_handler_ArrayObject.get_property_ptr_ptr = spl_array_get_property_ptr_ptr; +diff --git a/ext/standard/tests/strings/bug72433.phpt b/ext/standard/tests/strings/bug72433.phpt +new file mode 100644 +index 0000000..3a2c897 +--- /dev/null ++++ b/ext/standard/tests/strings/bug72433.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize ++--FILE-- ++<?php ++// Fill any potential freed spaces until now. ++$filler = array(); ++for($i = 0; $i < 100; $i++) ++ $filler[] = ""; ++// Create our payload and unserialize it. ++$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}'; ++$free_me = unserialize($serialized_payload); ++// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0. ++$inc_ref_by_one = $free_me[2]; ++// The call to gc_collect_cycles will free '$free_me'. ++gc_collect_cycles(); ++// We now have multiple freed spaces. Fill all of them. ++$fill_freed_space_1 = "filler_zval_1"; ++$fill_freed_space_2 = "filler_zval_2"; ++var_dump($free_me); ++?> ++--EXPECTF-- ++array(3) { ++ [0]=> ++ *RECURSION* ++ [1]=> ++ *RECURSION* ++ [2]=> ++ object(ArrayObject)#%d (1) { ++ ["storage":"ArrayObject":private]=> ++ *RECURSION* ++ } ++} +From 7f428cae88f1294052087e6729f1ecb924b8a18d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jun 2016 22:13:31 -0700 +Subject: [PATCH] fix build + +--- + ext/spl/spl_array.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index 4e03c40..5cb7d34 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -837,7 +837,7 @@ static HashTable *spl_array_get_gc(zval *object, zval ***gc_data, int *gc_data_c + + *gc_data = &intern->array; + *gc_data_count = 1; +- return zend_std_get_properties(object); ++ return zend_std_get_properties(object TSRMLS_CC); + } + /* }}} */ + diff --git a/bug72434.patch b/bug72434.patch new file mode 100644 index 0000000..2e9294d --- /dev/null +++ b/bug72434.patch @@ -0,0 +1,78 @@ +From f6aef68089221c5ea047d4a74224ee3deead99a6 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jun 2016 21:35:22 -0700 +Subject: [PATCH] Fix bug #72434: ZipArchive class Use After Free Vulnerability + in PHP's GC algorithm and unserialize + +--- + ext/standard/tests/strings/bug72434.phpt | 33 ++++++++++++++++++++++++++++++++ + ext/zip/php_zip.c | 9 +++++++++ + 2 files changed, 42 insertions(+) + create mode 100644 ext/standard/tests/strings/bug72434.phpt + +diff --git a/ext/standard/tests/strings/bug72434.phpt b/ext/standard/tests/strings/bug72434.phpt +new file mode 100644 +index 0000000..1408b8f +--- /dev/null ++++ b/ext/standard/tests/strings/bug72434.phpt +@@ -0,0 +1,33 @@ ++--TEST-- ++Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize ++--SKIPIF-- ++<?php ++if(!class_exists('zip')) die('ZipArchive'); ++?> ++--FILE-- ++<?php ++// The following array will be serialized and this representation will be freed later on. ++$free_me = array(new StdClass()); ++// Create our payload and unserialize it. ++$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}'; ++$unserialized_payload = unserialize($serialized_payload); ++gc_collect_cycles(); ++// The reference counter for $free_me is at -1 for PHP 7 right now. ++// Increment the reference counter by 1 -> rc is 0 ++$a = $unserialized_payload[1]; ++// Increment the reference counter by 1 again -> rc is 1 ++$b = $a; ++// Trigger free of $free_me (referenced by $m[1]). ++unset($b); ++$fill_freed_space_1 = "filler_zval_1"; ++$fill_freed_space_2 = "filler_zval_2"; ++$fill_freed_space_3 = "filler_zval_3"; ++$fill_freed_space_4 = "filler_zval_4"; ++debug_zval_dump($unserialized_payload[1]); ++?> ++--EXPECTF-- ++array(1) refcount(1){ ++ [0]=> ++ object(stdClass)#%d (0) refcount(3){ ++ } ++} +diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c +index 99c293c..57d060f 100644 +--- a/ext/zip/php_zip.c ++++ b/ext/zip/php_zip.c +@@ -1015,6 +1015,14 @@ static int php_zip_has_property(zval *object, zval *member, int type, const zend + } + /* }}} */ + ++static HashTable *php_zip_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */ ++{ ++ *gc_data = NULL; ++ *gc_data_count = 0; ++ return zend_std_get_properties(object TSRMLS_CC); ++} ++/* }}} */ ++ + static HashTable *php_zip_get_properties(zval *object TSRMLS_DC)/* {{{ */ + { + ze_zip_object *obj; +@@ -2777,6 +2785,7 @@ static PHP_MINIT_FUNCTION(zip) + zip_object_handlers.clone_obj = NULL; + zip_object_handlers.get_property_ptr_ptr = php_zip_get_property_ptr_ptr; + ++ zip_object_handlers.get_gc = php_zip_get_gc; + zip_object_handlers.get_properties = php_zip_get_properties; + zip_object_handlers.read_property = php_zip_read_property; + zip_object_handlers.has_property = php_zip_has_property; diff --git a/bug72446.patch b/bug72446.patch new file mode 100644 index 0000000..1990705 --- /dev/null +++ b/bug72446.patch @@ -0,0 +1,30 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jun 2016 23:58:26 -0700 +Subject: [PATCH] iFixed bug #72446 - Integer Overflow in + gdImagePaletteToTrueColor() resulting in heap overflow + +--- + NEWS | 2 ++ + ext/gd/libgd/gd.c | 22 +++++++++++++--------- + 2 files changed, 15 insertions(+), 9 deletions(-) + +diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c +index 2c63aac..4dad95a 100644 +--- a/ext/gd/libgd/gd.c ++++ b/ext/gd/libgd/gd.c +@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy) + return NULL; + } + ++ if (overflow2(sizeof(unsigned char *), sx)) { ++ return NULL; ++ } ++ + im = (gdImage *) gdCalloc(1, sizeof(gdImage)); + + /* Row-major ever since gd 1.3 */ + diff --git a/bug72455.patch b/bug72455.patch new file mode 100644 index 0000000..e3c3660 --- /dev/null +++ b/bug72455.patch @@ -0,0 +1,39 @@ +Backported from 5.5.37 for 5.4 by Remi Collet + + +From 6c5211a0cef0cc2854eaa387e0eb036e012904d0 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev <stas@php.net> +Date: Mon, 20 Jun 2016 21:51:42 -0700 +Subject: [PATCH] Fix bug #72455: Heap Overflow due to integer overflows + +--- + ext/mcrypt/mcrypt.c | 92 +++++++++++++++++++++++++++++------------------------ + 1 file changed, 50 insertions(+), 42 deletions(-) + +diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c +index 194660d..3cbb913 100644 +--- a/ext/mcrypt/mcrypt.c ++++ b/ext/mcrypt/mcrypt.c +@@ -681,6 +681,10 @@ PHP_FUNCTION(mcrypt_generic) + if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ + block_size = mcrypt_enc_get_block_size(pm->td); + data_size = (((data_len - 1) / block_size) + 1) * block_size; ++ if (data_size <= 0) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); ++ RETURN_FALSE; ++ } + data_s = emalloc(data_size + 1); + memset(data_s, 0, data_size); + memcpy(data_s, data, data_len); +@@ -726,6 +730,10 @@ PHP_FUNCTION(mdecrypt_generic) + if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */ + block_size = mcrypt_enc_get_block_size(pm->td); + data_size = (((data_len - 1) / block_size) + 1) * block_size; ++ if (data_size <= 0) { ++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size"); ++ RETURN_FALSE; ++ } + data_s = emalloc(data_size + 1); + memset(data_s, 0, data_size); + memcpy(data_s, data, data_len); + @@ -1,14 +1,15 @@ -===== 5.5.45-9 (2016-05-29) +===== 5.5.45-10 (2016-06-23) $ grep -r 'Tests failed' /var/lib/mock/*/build.log -/var/lib/mock/el5i/build.log:Tests failed : 6 -/var/lib/mock/el5x/build.log:Tests failed : 2 +/var/lib/mock/el5i/build.log:Tests failed : 7 +/var/lib/mock/el5x/build.log:Tests failed : 3 /var/lib/mock/el6i/build.log:Tests failed : 5 /var/lib/mock/el6x/build.log:Tests failed : 1 /var/lib/mock/el7x/build.log:Tests failed : 0 el5i, el5x + Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt] Bug #66501: EC private key support in openssl_sign [ext/openssl/tests/bug66501.phpt] Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt] el5i, el6i @@ -98,7 +98,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.4.45 -Release: 9%{?dist} +Release: 10%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -188,6 +188,18 @@ Patch228: bug72114.patch Patch229: bugoverflow.patch Patch230: bug72135.patch Patch231: bug72241.patch +Patch232: bug66387.patch +Patch233: bug72340.patch +Patch234: bug72275.patch +# For #72400, #72403, #72268 +Patch235: bug72400.patch +Patch236: bug72339.patch +Patch237: bug72298.patch +Patch238: bug72402.patch +Patch239: bug72433.patch +Patch240: bug72434.patch +Patch241: bug72455.patch +Patch242: bug72446.patch # Fixes for tests # no_NO issue @@ -927,6 +939,17 @@ rm -f ext/json/utf8_to_utf16.* %patch229 -p1 -b .bugoverflow %patch230 -p1 -b .bug72135 %patch231 -p1 -b .bug72241 +%patch232 -p1 -b .bug66387 +%patch233 -p1 -b .bug72340 +%patch234 -p1 -b .bug72275 +%patch235 -p1 -b .bug72400 +%patch236 -p1 -b .bug72339 +%patch237 -p1 -b .bug72298 +%patch238 -p1 -b .bug72402 +%patch239 -p1 -b .bug72433 +%patch240 -p1 -b .bug72434 +%patch241 -p1 -b .bug72455 +%patch242 -p1 -b .bug72446 # Fixes for tests %patch301 -p1 -b .datetests2 @@ -1816,6 +1839,28 @@ fi %changelog +* Tue Jun 21 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-10 +- Fix #66387: Stack overflow with imagefilltoborder +- Fix #72340: Double Free Courruption in wddx_deserialize + CVE-2016-5772 +- Fix #72275: don't allow smart_str to overflow int +- Fix #72400: prevent signed int overflows for string lengths +- Fix #72403: prevent signed int overflows for string lengths +- Fix #72268: Integer Overflow in nl2br(). (Stas) +- Fix #72339: Integer Overflow in _gd2GetHeader() resulting in heap overflow + CVE-2016-5766 +- Fix #72298: pass2_no_dither out-of-bounds access +- Fix #72402: _php_mb_regex_ereg_replace_exec - double free + CVE-2016-5768 +- Fix #72433: SPL use After Free Vulnerability in PHP's GC + CVE-2016-5771 +- Fix #72434: ZipArchive class use After Free Vulnerability in PHP's GC + CVE-2016-5773 +- Fix #72455: Heap Overflow due to integer overflows + CVE-2016-5769 +- Fix #72446: Integer Overflow in gdImagePaletteToTrueColor() + CVE-2016-5767 + * Sun May 29 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-9 - Fix #71331: Uninitialized pointer in phar_make_dirstream CVE-2016-4343 |