summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <fedora@famillecollet.com>2016-09-10 10:14:22 +0200
committerRemi Collet <fedora@famillecollet.com>2016-09-10 10:14:22 +0200
commita2713f204e1202b6844c114a005c304aafb008c7 (patch)
treee0c8478be0d2726e338961b37f393bf7b6f50482
parent13f5bfce61ab5fbc1f00236ce3bfb6948054f8db (diff)
PHP 5.5.38 + security patches from 5.6.25
-rw-r--r--bug70436.patch97
-rw-r--r--bug72627.patch34
-rw-r--r--bug72663.patch206
-rw-r--r--bug72681.patch129
-rw-r--r--bug72697.patch94
-rw-r--r--bug72708.patch25
-rw-r--r--bug72716.patch24
-rw-r--r--bug72730.patch52
-rw-r--r--bug72749.patch90
-rw-r--r--bug72750.patch72
-rw-r--r--bug72771.patch26
-rw-r--r--bug72790.patch134
-rw-r--r--bug72807.patch60
-rw-r--r--bug72836.patch56
-rw-r--r--bug72837.patch45
-rw-r--r--bug72838.patch28
-rw-r--r--bug72848.patch83
-rw-r--r--bug72849.patch51
-rw-r--r--bug72850.patch54
-rw-r--r--failed.txt2
-rw-r--r--php55.spec84
21 files changed, 1444 insertions, 2 deletions
diff --git a/bug70436.patch b/bug70436.patch
new file mode 100644
index 0000000..c3dc139
--- /dev/null
+++ b/bug70436.patch
@@ -0,0 +1,97 @@
+Backported from 5.6.25 by Remi.
+
+From 27fe2b42fc4a0e82b30dba11e177611ac6a88bf5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Aug 2016 15:16:28 -0700
+Subject: [PATCH] Fix bug #70436: Use After Free Vulnerability in unserialize()
+
+---
+ ext/standard/tests/strings/bug70436.phpt | 65 ++++++++++++++++++++++++++++++++
+ ext/standard/var.c | 1 +
+ 2 files changed, 66 insertions(+)
+ create mode 100644 ext/standard/tests/strings/bug70436.phpt
+
+diff --git a/ext/standard/tests/strings/bug70436.phpt b/ext/standard/tests/strings/bug70436.phpt
+new file mode 100644
+index 0000000..c62e468
+--- /dev/null
++++ b/ext/standard/tests/strings/bug70436.phpt
+@@ -0,0 +1,65 @@
++--TEST--
++Bug #70436: Use After Free Vulnerability in unserialize()
++--FILE--
++<?php
++
++class obj implements Serializable
++{
++ var $data;
++
++ function serialize()
++ {
++ return serialize($this->data);
++ }
++
++ function unserialize($data)
++ {
++ $this->data = unserialize($data);
++ }
++}
++
++$fakezval = ptr2str(1122334455);
++$fakezval .= ptr2str(0);
++$fakezval .= "\x00\x00\x00\x00";
++$fakezval .= "\x01";
++$fakezval .= "\x00";
++$fakezval .= "\x00\x00";
++
++$inner = 'C:3:"obj":3:{ryat';
++$exploit = 'a:4:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:2;s:'.strlen($fakezval).':"'.$fakezval.'";i:3;R:5;}';
++
++$data = unserialize($exploit);
++
++var_dump($data);
++
++function ptr2str($ptr)
++{
++ $out = '';
++
++ for ($i = 0; $i < 8; $i++) {
++ $out .= chr($ptr & 0xff);
++ $ptr >>= 8;
++ }
++
++ return $out;
++}
++?>
++DONE
++--EXPECTF--
++Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d
++
++Notice: unserialize(): Error at offset 17 of 17 bytes in %sbug70436.php on line %d
++array(4) {
++ [0]=>
++ int(1)
++ [1]=>
++ object(obj)#%d (1) {
++ ["data"]=>
++ bool(false)
++ }
++ [2]=>
++ string(24) "%s"
++ [3]=>
++ bool(false)
++}
++DONE
+\ No newline at end of file
+diff --git a/ext/standard/var.c b/ext/standard/var.c
+index f0efef2..137e794 100644
+--- a/ext/standard/var.c
++++ b/ext/standard/var.c
+@@ -965,6 +965,7 @@ PHP_FUNCTION(unserialize)
+ p = (const unsigned char*) buf;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ if (!php_var_unserialize(&return_value, &p, p + buf_len, &var_hash TSRMLS_CC)) {
++ var_push_dtor(&var_hash, &return_value);
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ zval_dtor(return_value);
+ if (!EG(exception)) {
diff --git a/bug72627.patch b/bug72627.patch
new file mode 100644
index 0000000..410e40e
--- /dev/null
+++ b/bug72627.patch
@@ -0,0 +1,34 @@
+Backported from 5.6.25 by Remi.
+Binary patch dropped
+
+From 32a629ef2cff754c3dd6cc24eb1e25aeaf439891 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 8 Aug 2016 00:49:34 -0700
+Subject: [PATCH] Fixed bug #72627: Memory Leakage In exif_process_IFD_in_TIFF
+
+---
+ ext/exif/exif.c | 5 ++-
+ ext/exif/tests/bug72627.phpt | 71 +++++++++++++++++++++++++++++++++++++++++++
+ ext/exif/tests/bug72627.tiff | Bin 0 -> 1250 bytes
+ 3 files changed, 75 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug72627.phpt
+ create mode 100644 ext/exif/tests/bug72627.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f95de3a..657a2cc1 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3778,8 +3778,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ #ifdef EXIF_DEBUG
+ exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read next IFD (THUMBNAIL) done");
+
diff --git a/bug72663.patch b/bug72663.patch
new file mode 100644
index 0000000..498a58e
--- /dev/null
+++ b/bug72663.patch
@@ -0,0 +1,206 @@
+Backported from 5.6.25 by Remi.
+
+From c1cfd6a9fe23765191ea2f654790c7b127d4b797 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 2 Aug 2016 01:08:42 -0700
+Subject: [PATCH] Fix bug #72663 - destroy broken object when unserializing
+
+---
+ ext/standard/tests/strings/bug72663.phpt | 26 +++++++++++
+ ext/standard/tests/strings/bug72663_2.phpt | 17 ++++++++
+ ext/standard/var_unserializer.c | 70 ++++++++++++++++--------------
+ ext/standard/var_unserializer.re | 5 ++-
+ 4 files changed, 84 insertions(+), 34 deletions(-)
+ create mode 100644 ext/standard/tests/strings/bug72663.phpt
+ create mode 100644 ext/standard/tests/strings/bug72663_2.phpt
+
+diff --git a/ext/standard/tests/strings/bug72663.phpt b/ext/standard/tests/strings/bug72663.phpt
+new file mode 100644
+index 0000000..e61f939
+--- /dev/null
++++ b/ext/standard/tests/strings/bug72663.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
++--FILE--
++<?php
++class obj implements Serializable {
++ var $data;
++ function serialize() {
++ return serialize($this->data);
++ }
++ function unserialize($data) {
++ $this->data = unserialize($data);
++ }
++}
++
++$inner = 'a:1:{i:0;O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:4;}';
++$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';
++
++$data = unserialize($exploit);
++echo $data[1];
++?>
++DONE
++--EXPECTF--
++Notice: unserialize(): Unexpected end of serialized data in %sbug72663.php on line %d
++
++Notice: unserialize(): Error at offset 46 of 47 bytes in %sbug72663.php on line %d
++DONE
+\ No newline at end of file
+diff --git a/ext/standard/tests/strings/bug72663_2.phpt b/ext/standard/tests/strings/bug72663_2.phpt
+new file mode 100644
+index 0000000..ac605e9
+--- /dev/null
++++ b/ext/standard/tests/strings/bug72663_2.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
++--FILE--
++<?php
++
++ini_set('session.serialize_handler', 'php_serialize');
++session_start();
++$sess = 'O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:1;}';
++session_decode($sess);
++var_dump($_SESSION);
++?>
++DONE
++--EXPECTF--
++Notice: session_decode(): Unexpected end of serialized data in %sbug72663_2.php on line %d
++array(0) {
++}
++DONE
+\ No newline at end of file
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 1e45b03..e4ddecf 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -437,6 +437,9 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
+ }
+
+ if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
++ /* We've got partially constructed object on our hands here. Wipe it */
++ zend_hash_clean(Z_OBJPROP_PP(rval));
++ ZVAL_NULL(*rval);
+ return 0;
+ }
+
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index d1d4ef9..c1c18c9 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -443,6 +443,9 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
+ }
+
+ if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
++ /* We've got partially constructed object on our hands here. Wipe it. */
++ zend_hash_clean(Z_OBJPROP_PP(rval));
++ ZVAL_NULL(*rval);
+ return 0;
+ }
+
+From b25f44098fdc8cecfd62d0fc5422c23d8747dcd2 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 4 Aug 2016 00:03:31 -0700
+Subject: [PATCH] Update comment
+
+---
+ ext/standard/var_unserializer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index e4ddecf..1d459ae 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -437,7 +437,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
+ }
+
+ if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
+- /* We've got partially constructed object on our hands here. Wipe it */
++ /* We've got partially constructed object on our hands here. Wipe it. */
+ zend_hash_clean(Z_OBJPROP_PP(rval));
+ ZVAL_NULL(*rval);
+ return 0;
+From 75c0dbdd028ffa20eae5cf3a2fae194961464b8b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Aug 2016 15:33:29 -0700
+Subject: [PATCH] Improve fix for #72663
+
+---
+ ext/standard/tests/strings/bug72663_3.phpt | 18 ++++++++
+ ext/standard/var_unserializer.c | 68 ++++++++++++++++--------------
+ ext/standard/var_unserializer.re | 8 +++-
+ 3 files changed, 62 insertions(+), 32 deletions(-)
+ create mode 100644 ext/standard/tests/strings/bug72663_3.phpt
+
+diff --git a/ext/standard/tests/strings/bug72663_3.phpt b/ext/standard/tests/strings/bug72663_3.phpt
+new file mode 100644
+index 0000000..e336bc8
+--- /dev/null
++++ b/ext/standard/tests/strings/bug72663_3.phpt
+@@ -0,0 +1,18 @@
++--TEST--
++Bug #72663: Create an Unexpected Object and Don't Invoke __wakeup() in Deserialization
++--FILE--
++<?php
++class obj {
++ var $ryat;
++ function __wakeup() {
++ $this->ryat = str_repeat('A', 0x112);
++ }
++}
++
++$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;';
++unserialize($poc);
++?>
++DONE
++--EXPECTF--
++Notice: unserialize(): Error at offset 51 of 50 bytes in %sbug72663_3.php on line %d
++DONE
+\ No newline at end of file
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index 1d459ae..c8e6f8a 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -438,11 +438,17 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
+
+ if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
+ /* We've got partially constructed object on our hands here. Wipe it. */
+- zend_hash_clean(Z_OBJPROP_PP(rval));
++ if(Z_TYPE_PP(rval) == IS_OBJECT) {
++ zend_hash_clean(Z_OBJPROP_PP(rval));
++ }
+ ZVAL_NULL(*rval);
+ return 0;
+ }
+
++ if (Z_TYPE_PP(rval) != IS_OBJECT) {
++ return 0;
++ }
++
+ if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY &&
+ zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) {
+ INIT_PZVAL(&fname);
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index c1c18c9..11b93c5 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -444,11 +444,17 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
+
+ if (!process_nested_data(UNSERIALIZE_PASSTHRU, Z_OBJPROP_PP(rval), elements, 1)) {
+ /* We've got partially constructed object on our hands here. Wipe it. */
+- zend_hash_clean(Z_OBJPROP_PP(rval));
++ if(Z_TYPE_PP(rval) == IS_OBJECT) {
++ zend_hash_clean(Z_OBJPROP_PP(rval));
++ }
+ ZVAL_NULL(*rval);
+ return 0;
+ }
+
++ if (Z_TYPE_PP(rval) != IS_OBJECT) {
++ return 0;
++ }
++
+ if (Z_OBJCE_PP(rval) != PHP_IC_ENTRY &&
+ zend_hash_exists(&Z_OBJCE_PP(rval)->function_table, "__wakeup", sizeof("__wakeup"))) {
+ INIT_PZVAL(&fname);
diff --git a/bug72681.patch b/bug72681.patch
new file mode 100644
index 0000000..23a741d
--- /dev/null
+++ b/bug72681.patch
@@ -0,0 +1,129 @@
+Backported from 5.6.25 by Remi.
+
+From 61156f0d68704df748b5cbf08c77582c208db8c9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 3 Aug 2016 00:30:12 -0700
+Subject: [PATCH] Fix bug #72681 - consume data even if we're not storing them
+
+---
+ ext/session/session.c | 25 ++++++++++++++++++-------
+ ext/session/tests/bug72681.phpt | 16 ++++++++++++++++
+ 2 files changed, 34 insertions(+), 7 deletions(-)
+ create mode 100644 ext/session/tests/bug72681.phpt
+
+diff --git a/ext/session/session.c b/ext/session/session.c
+index c668bb7..b2d0236 100644
+--- a/ext/session/session.c
++++ b/ext/session/session.c
+@@ -923,11 +923,13 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
+ int namelen;
+ int has_value;
+ php_unserialize_data_t var_hash;
++ int skip = 0;
+
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+
+ for (p = val; p < endptr; ) {
+ zval **tmp;
++ skip = 0;
+ namelen = ((unsigned char)(*p)) & (~PS_BIN_UNDEF);
+
+ if (namelen < 0 || namelen > PS_BIN_MAX || (p + namelen) >= endptr) {
+@@ -943,22 +945,25 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */
+
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+- efree(name);
+- continue;
++ skip = 1;
+ }
+ }
+
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(&current, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
++ if (!skip) {
++ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
++ }
+ } else {
+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ return FAILURE;
+ }
+ var_push_dtor_no_addref(&var_hash, &current);
+ }
+- PS_ADD_VARL(name, namelen);
++ if (!skip) {
++ PS_ADD_VARL(name, namelen);
++ }
+ efree(name);
+ }
+
+@@ -1015,6 +1020,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
+ int namelen;
+ int has_value;
+ php_unserialize_data_t var_hash;
++ int skip = 0;
+
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
+
+@@ -1023,6 +1029,7 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
+ while (p < endptr) {
+ zval **tmp;
+ q = p;
++ skip = 0;
+ while (*q != PS_DELIMITER) {
+ if (++q >= endptr) goto break_outer_loop;
+ }
+@@ -1039,14 +1046,16 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
+
+ if (zend_hash_find(&EG(symbol_table), name, namelen + 1, (void **) &tmp) == SUCCESS) {
+ if ((Z_TYPE_PP(tmp) == IS_ARRAY && Z_ARRVAL_PP(tmp) == &EG(symbol_table)) || *tmp == PS(http_session_vars)) {
+- goto skip;
++ skip = 1;
+ }
+ }
+
+ if (has_value) {
+ ALLOC_INIT_ZVAL(current);
+ if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) {
+- php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
++ if (!skip) {
++ php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
++ }
+ } else {
+ var_push_dtor_no_addref(&var_hash, &current);
+ efree(name);
+@@ -1055,7 +1064,9 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
+ }
+ var_push_dtor_no_addref(&var_hash, &current);
+ }
+- PS_ADD_VARL(name, namelen);
++ if (!skip) {
++ PS_ADD_VARL(name, namelen);
++ }
+ skip:
+ efree(name);
+
+diff --git a/ext/session/tests/bug72681.phpt b/ext/session/tests/bug72681.phpt
+new file mode 100644
+index 0000000..ca38b07
+--- /dev/null
++++ b/ext/session/tests/bug72681.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #72681: PHP Session Data Injection Vulnerability
++--SKIPIF--
++<?php include('skipif.inc'); ?>
++--FILE--
++<?php
++ini_set('session.serialize_handler', 'php');
++session_start();
++$_SESSION['_SESSION'] = 'ryat|O:8:"stdClass":0:{}';
++session_write_close();
++session_start();
++var_dump($_SESSION);
++?>
++--EXPECT--
++array(0) {
++}
diff --git a/bug72697.patch b/bug72697.patch
new file mode 100644
index 0000000..a29ff7a
--- /dev/null
+++ b/bug72697.patch
@@ -0,0 +1,94 @@
+Backported from 5.6.25 by Remi.
+
+From 4d76676101f8814520ea988e42b3bda54eb9e255 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 10 Aug 2016 00:00:14 -0700
+Subject: [PATCH] Fix bug#72697 - select_colors write out-of-bounds
+
+---
+ ext/gd/gd.c | 16 ++++++++--------
+ ext/gd/tests/bug72697.phpt | 17 +++++++++++++++++
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+ create mode 100644 ext/gd/tests/bug72697.phpt
+
+diff --git a/ext/gd/gd.c b/ext/gd/gd.c
+index b96f901..5c604b7 100644
+--- a/ext/gd/gd.c
++++ b/ext/gd/gd.c
+@@ -1615,11 +1615,11 @@ PHP_FUNCTION(imagetruecolortopalette)
+
+ ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
+
+- if (ncolors <= 0) {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero");
++ if (ncolors <= 0 || ncolors > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Number of colors has to be greater than zero and no more than %d", INT_MAX);
+ RETURN_FALSE;
+ }
+- gdImageTrueColorToPalette(im, dither, ncolors);
++ gdImageTrueColorToPalette(im, dither, (int)ncolors);
+
+ RETURN_TRUE;
+ }
+diff --git a/ext/gd/tests/bug72697.phpt b/ext/gd/tests/bug72697.phpt
+new file mode 100644
+index 0000000..6110385
+--- /dev/null
++++ b/ext/gd/tests/bug72697.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #72697: select_colors write out-of-bounds
++--SKIPIF--
++<?php
++if (!function_exists("imagecreatetruecolor")) die("skip");
++if (PHP_INT_MAX !== 9223372036854775807) die("skip for 64-bit long systems only");
++?>
++--FILE--
++<?php
++
++$img=imagecreatetruecolor(10, 10);
++imagetruecolortopalette($img, false, PHP_INT_MAX / 8);
++?>
++DONE
++--EXPECTF--
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than 2147483647 in %sbug72697.php on line %d
++DONE
+\ No newline at end of file
+
+From 64e4b276bda8bfa504df8acb40d07369b8d124b3 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:47:53 -0700
+Subject: [PATCH] fix tests
+
+---
+ ext/gd/tests/imagetruecolortopalette_error3.phpt | 2 +-
+ ext/gd/tests/imagetruecolortopalette_error4.phpt | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/gd/tests/imagetruecolortopalette_error3.phpt b/ext/gd/tests/imagetruecolortopalette_error3.phpt
+index d65a995..dbbdb08 100644
+--- a/ext/gd/tests/imagetruecolortopalette_error3.phpt
++++ b/ext/gd/tests/imagetruecolortopalette_error3.phpt
+@@ -25,4 +25,4 @@ Warning: imagetruecolortopalette() expects parameter 3 to be long, resource give
+
+ Warning: imagetruecolortopalette() expects parameter 3 to be long, array given in %s on line %d
+
+-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
+\ No newline at end of file
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
+\ No newline at end of file
+diff --git a/ext/gd/tests/imagetruecolortopalette_error4.phpt b/ext/gd/tests/imagetruecolortopalette_error4.phpt
+index b9661e3..1d56bfc 100644
+--- a/ext/gd/tests/imagetruecolortopalette_error4.phpt
++++ b/ext/gd/tests/imagetruecolortopalette_error4.phpt
+@@ -16,6 +16,6 @@ imagetruecolortopalette($image, true, -1);
+
+ ?>
+ --EXPECTF--
+-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
+
+-Warning: imagetruecolortopalette(): Number of colors has to be greater than zero in %s on line %d
+\ No newline at end of file
++Warning: imagetruecolortopalette(): Number of colors has to be greater than zero and no more than %d in %s on line %d
+\ No newline at end of file
diff --git a/bug72708.patch b/bug72708.patch
new file mode 100644
index 0000000..2d1c01e
--- /dev/null
+++ b/bug72708.patch
@@ -0,0 +1,25 @@
+Backported from 5.6.25 by Remi.
+
+From b9ab6e14ffd602d2020da53be44bf2e77aae7b55 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 3 Aug 2016 22:37:57 -0700
+Subject: [PATCH] Fix bug #72708 - php_snmp_parse_oid integer overflow in
+ memory allocation
+
+---
+ ext/snmp/snmp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
+index b88cdcd..d2c1b94 100644
+--- a/ext/snmp/snmp.c
++++ b/ext/snmp/snmp.c
+@@ -1034,7 +1034,7 @@ static int php_snmp_parse_oid(zval *object, int st, struct objid_query *objid_qu
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Got empty OID array");
+ return FALSE;
+ }
+- objid_query->vars = (snmpobjarg *)emalloc(sizeof(snmpobjarg) * zend_hash_num_elements(Z_ARRVAL_PP(oid)));
++ objid_query->vars = (snmpobjarg *)safe_emalloc(sizeof(snmpobjarg), zend_hash_num_elements(Z_ARRVAL_PP(oid)), 0);
+ if (objid_query->vars == NULL) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "emalloc() failed while parsing oid array: %s", strerror(errno));
+ efree(objid_query->vars);
diff --git a/bug72716.patch b/bug72716.patch
new file mode 100644
index 0000000..3a6f94a
--- /dev/null
+++ b/bug72716.patch
@@ -0,0 +1,24 @@
+Backported from 5.6.25 by Remi.
+
+From 9c291f0fa0c8b8c6994f521f5863c407494eb1dc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 3 Aug 2016 22:59:01 -0700
+Subject: [PATCH] Fix bug #72716 - initialize buffer before read
+
+---
+ ext/standard/ftp_fopen_wrapper.c | 81 ++++++++++++++++++++--------------------
+ 1 file changed, 41 insertions(+), 40 deletions(-)
+
+diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c
+index b7eeb56..0d5384e 100644
+--- a/ext/standard/ftp_fopen_wrapper.c
++++ b/ext/standard/ftp_fopen_wrapper.c
+@@ -82,6 +82,7 @@ typedef struct _php_ftp_dirstream_data {
+ */
+ static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC)
+ {
++ buffer[0] = '\0'; /* in case read fails to read anything */
+ while (php_stream_gets(stream, buffer, buffer_size-1) &&
+ !(isdigit((int) buffer[0]) && isdigit((int) buffer[1]) &&
+ isdigit((int) buffer[2]) && buffer[3] == ' '));
+
diff --git a/bug72730.patch b/bug72730.patch
new file mode 100644
index 0000000..a23f63d
--- /dev/null
+++ b/bug72730.patch
@@ -0,0 +1,52 @@
+Backported from 5.6.25 by Remi.
+
+From 229782c0ada4d7e72dba6327cc7dff889ce7d92f Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 10 Aug 2016 00:14:58 -0700
+Subject: [PATCH] Fix bug #72730 - imagegammacorrect allows arbitrary write
+ access
+
+---
+ ext/gd/gd.c | 5 +++++
+ ext/gd/tests/bug72730.phpt | 15 +++++++++++++++
+ 2 files changed, 20 insertions(+)
+ create mode 100644 ext/gd/tests/bug72730.phpt
+
+diff --git a/ext/gd/gd.c b/ext/gd/gd.c
+index 5c604b7..0fb9604 100644
+--- a/ext/gd/gd.c
++++ b/ext/gd/gd.c
+@@ -3036,6 +3036,11 @@ PHP_FUNCTION(imagegammacorrect)
+ return;
+ }
+
++ if ( input <= 0.0 || output <= 0.0 ) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Gamma values should be positive");
++ RETURN_FALSE;
++ }
++
+ ZEND_FETCH_RESOURCE(im, gdImagePtr, &IM, -1, "Image", le_gd);
+
+ if (gdImageTrueColor(im)) {
+diff --git a/ext/gd/tests/bug72730.phpt b/ext/gd/tests/bug72730.phpt
+new file mode 100644
+index 0000000..e7c13cb
+--- /dev/null
++++ b/ext/gd/tests/bug72730.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #72730: imagegammacorrect allows arbitrary write access
++--SKIPIF--
++<?php
++if (!function_exists("imagecreatetruecolor")) die("skip");
++?>
++--FILE--
++<?php
++$img = imagecreatetruecolor(1, 1);
++imagegammacorrect($img, -1, 1337);
++?>
++DONE
++--EXPECTF--
++Warning: imagegammacorrect(): Gamma values should be positive in %sbug72730.php on line %d
++DONE
+\ No newline at end of file
diff --git a/bug72749.patch b/bug72749.patch
new file mode 100644
index 0000000..4ea74bb
--- /dev/null
+++ b/bug72749.patch
@@ -0,0 +1,90 @@
+Backported from 5.6.25 by Remi.
+
+From db38282f421a5d552840aeac807efc2f584162d2 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 4 Aug 2016 00:17:42 -0700
+Subject: [PATCH] Fix bug #72749: wddx_deserialize allows illegal memory access
+
+---
+ ext/wddx/tests/bug72749.phpt | 34 ++++++++++++++++++++++++++++++++++
+ ext/wddx/wddx.c | 20 ++++++++++++++------
+ 2 files changed, 48 insertions(+), 6 deletions(-)
+ create mode 100644 ext/wddx/tests/bug72749.phpt
+
+diff --git a/ext/wddx/tests/bug72749.phpt b/ext/wddx/tests/bug72749.phpt
+new file mode 100644
+index 0000000..ee17d0f
+--- /dev/null
++++ b/ext/wddx/tests/bug72749.phpt
+@@ -0,0 +1,34 @@
++--TEST--
++Bug #72749: wddx_deserialize allows illegal memory access
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++ die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++$xml = <<<XML
++<?xml version='1.0'?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++<header/>
++ <data>
++ <struct>
++ <var name='aDateTime3'>
++ <dateTime>2\r2004-09-10T05:52:49+00</dateTime>
++ </var>
++ </struct>
++ </data>
++</wddxPacket>
++XML;
++
++$array = wddx_deserialize($xml);
++var_dump($array);
++?>
++--EXPECT--
++array(1) {
++ ["aDateTime3"]=>
++ string(24) "2
++2004-09-10T05:52:49+00"
++}
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index cde3e07..faadbfe1 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -1116,18 +1116,26 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
+ case ST_DATETIME: {
+ char *tmp;
+
+- tmp = emalloc(len + 1);
+- memcpy(tmp, s, len);
++ if (Z_TYPE_P(ent->data) == IS_STRING) {
++ tmp = safe_emalloc(Z_STRLEN_P(ent->data), 1, (size_t)len + 1);
++ memcpy(tmp, Z_STRVAL_P(ent->data), Z_STRLEN_P(ent->data));
++ memcpy(tmp + Z_STRLEN_P(ent->data), s, len);
++ len += Z_STRLEN_P(ent->data);
++ efree(Z_STRVAL_P(ent->data));
++ Z_TYPE_P(ent->data) = IS_LONG;
++ } else {
++ tmp = emalloc(len + 1);
++ memcpy(tmp, s, len);
++ }
+ tmp[len] = '\0';
+
+ Z_LVAL_P(ent->data) = php_parse_date(tmp, NULL);
+ /* date out of range < 1969 or > 2038 */
+ if (Z_LVAL_P(ent->data) == -1) {
+- Z_TYPE_P(ent->data) = IS_STRING;
+- Z_STRLEN_P(ent->data) = len;
+- Z_STRVAL_P(ent->data) = estrndup(s, len);
++ ZVAL_STRINGL(ent->data, tmp, len, 0);
++ } else {
++ efree(tmp);
+ }
+- efree(tmp);
+ }
+ break;
+
diff --git a/bug72750.patch b/bug72750.patch
new file mode 100644
index 0000000..5af5a9b
--- /dev/null
+++ b/bug72750.patch
@@ -0,0 +1,72 @@
+Backported from 5.6.25 by Remi.
+
+From 82b95bb758ac707a2372f2edaed70589b6f374d3 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Aug 2016 16:26:52 -0700
+Subject: [PATCH] Fix bug #72750: wddx_deserialize null dereference
+
+---
+ ext/wddx/tests/bug72750.phpt | 34 ++++++++++++++++++++++++++++++++++
+ ext/wddx/wddx.c | 8 ++++++--
+ 2 files changed, 40 insertions(+), 2 deletions(-)
+ create mode 100644 ext/wddx/tests/bug72750.phpt
+
+diff --git a/ext/wddx/tests/bug72750.phpt b/ext/wddx/tests/bug72750.phpt
+new file mode 100644
+index 0000000..3a6794d
+--- /dev/null
++++ b/ext/wddx/tests/bug72750.phpt
+@@ -0,0 +1,34 @@
++--TEST--
++Bug #72750: wddx_deserialize null dereference
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++ die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++
++$xml = <<< XML
++<?xml version='1.0'?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++<header/>
++ <data>
++ <struct>
++ <var name='aBinary'>
++ <binary length='11'>\\tYmluYXJRhdGE=</binary>
++ </var>
++ </struct>
++ </data>
++</wddxPacket>
++XML;
++
++$array = wddx_deserialize($xml);
++var_dump($array);
++?>
++--EXPECT--
++array(1) {
++ ["aBinary"]=>
++ string(0) ""
++}
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index faadbfe1..1b2d103 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -952,8 +952,12 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+
+ new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len);
+ STR_FREE(Z_STRVAL_P(ent1->data));
+- Z_STRVAL_P(ent1->data) = new_str;
+- Z_STRLEN_P(ent1->data) = new_len;
++ if (new_str) {
++ Z_STRVAL_P(ent1->data) = new_str;
++ Z_STRLEN_P(ent1->data) = new_len;
++ } else {
++ ZVAL_EMPTY_STRING(ent1->data);
++ }
+ }
+
+ /* Call __wakeup() method on the object. */
diff --git a/bug72771.patch b/bug72771.patch
new file mode 100644
index 0000000..db77d0a
--- /dev/null
+++ b/bug72771.patch
@@ -0,0 +1,26 @@
+Backported from 5.6.25 by Remi.
+
+From 7d5ca3b28d3c8f8cae6cd874740f18fd3eb5100e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Aug 2016 16:17:54 -0700
+Subject: [PATCH] Fix bug #72771: ftps:// opendir wrapper is vulnerable to
+ protocol downgrade attack
+
+---
+ ext/standard/ftp_fopen_wrapper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/standard/ftp_fopen_wrapper.c b/ext/standard/ftp_fopen_wrapper.c
+index bfb1631..5bffa47 100644
+--- a/ext/standard/ftp_fopen_wrapper.c
++++ b/ext/standard/ftp_fopen_wrapper.c
+@@ -187,7 +187,8 @@ static php_stream *php_ftp_fopen_connect(php_stream_wrapper *wrapper, const char
+ /* get the response */
+ result = GET_FTP_RESULT(stream);
+ if (result != 334) {
+- use_ssl = 0;
++ php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Server doesn't support FTPS.");
++ goto connect_errexit;
+ } else {
+ /* we must reuse the old SSL session id */
+ /* if we talk to an old ftpd-ssl */
diff --git a/bug72790.patch b/bug72790.patch
new file mode 100644
index 0000000..fa571b7
--- /dev/null
+++ b/bug72790.patch
@@ -0,0 +1,134 @@
+Backported from 5.6.25 by Remi.
+
+From 1f6078e4a5c67733bfdbd20bb2706501ac56a344 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 10 Aug 2016 23:43:56 -0700
+Subject: [PATCH] Fix for bug #72790 and bug #72799
+
+---
+ ext/wddx/tests/bug72790.phpt | 35 +++++++++++++++++++++++++++++++++++
+ ext/wddx/tests/bug72799.phpt | 28 ++++++++++++++++++++++++++++
+ ext/wddx/wddx.c | 14 +++++++++-----
+ 3 files changed, 72 insertions(+), 5 deletions(-)
+ create mode 100644 ext/wddx/tests/bug72790.phpt
+ create mode 100644 ext/wddx/tests/bug72799.phpt
+
+diff --git a/ext/wddx/tests/bug72790.phpt b/ext/wddx/tests/bug72790.phpt
+new file mode 100644
+index 0000000..a60524b
+--- /dev/null
++++ b/ext/wddx/tests/bug72790.phpt
+@@ -0,0 +1,35 @@
++--TEST--
++Bug 72790: wddx_deserialize null dereference with invalid xml
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++ die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++
++$xml = <<< XML
++<?xml version='1.0' ?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++ |array>
++ <var name="XXXX">
++ <boolean value="this">
++ </boolean>
++ </var>
++ <var name="YYYY">
++ <var name="UUUU">
++ <var name="EZEZ">
++ </var>
++ </var>
++ </var>
++ </array>
++</wddxPacket>
++XML;
++
++$array = wddx_deserialize($xml);
++var_dump($array);
++?>
++--EXPECT--
++NULL
+\ No newline at end of file
+diff --git a/ext/wddx/tests/bug72799.phpt b/ext/wddx/tests/bug72799.phpt
+new file mode 100644
+index 0000000..5861d55
+--- /dev/null
++++ b/ext/wddx/tests/bug72799.phpt
+@@ -0,0 +1,28 @@
++--TEST--
++Bug #72799: wddx_deserialize null dereference in php_wddx_pop_element
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++ die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++
++$xml = <<<XML
++<?xml version='1.0'?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version="1.0">
++ <var name="XXXX">
++ <boolean value="1">
++ <dateTime>1998-06-12T04:32:12+00</dateTime>
++ </boolean>
++ </var>
++</wddxPacket>
++XML;
++
++$array = wddx_deserialize($xml);
++var_dump($array);
++?>
++--EXPECT--
++NULL
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 1b2d103..d7bd295 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -939,10 +939,10 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+ if (!ent1->data) {
+ if (stack->top > 1) {
+ stack->top--;
++ efree(ent1);
+ } else {
+ stack->done = 1;
+ }
+- efree(ent1);
+ return;
+ }
+
+@@ -981,7 +981,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+ wddx_stack_top(stack, (void**)&ent2);
+
+ /* if non-existent field */
+- if (ent2->type == ST_FIELD && ent2->data == NULL) {
++ if (ent2->data == NULL) {
+ zval_ptr_dtor(&ent1->data);
+ efree(ent1);
+ return;
+@@ -1172,9 +1172,13 @@ int php_wddx_deserialize_ex(char *value, int vallen, zval *return_value)
+
+ if (stack.top == 1) {
+ wddx_stack_top(&stack, (void**)&ent);
+- *return_value = *(ent->data);
+- zval_copy_ctor(return_value);
+- retval = SUCCESS;
++ if(ent->data == NULL) {
++ retval = FAILURE;
++ } else {
++ *return_value = *(ent->data);
++ zval_copy_ctor(return_value);
++ retval = SUCCESS;
++ }
+ } else {
+ retval = FAILURE;
+ }
diff --git a/bug72807.patch b/bug72807.patch
new file mode 100644
index 0000000..6350b7f
--- /dev/null
+++ b/bug72807.patch
@@ -0,0 +1,60 @@
+Backported from 5.6.25 by Remi.
+
+From 791a98eb1c66d2340b4e897ab60e4a6700435b5b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 11 Aug 2016 23:36:25 -0700
+Subject: [PATCH] Fix for bug #72807 - do not produce strings with negative
+ length
+
+---
+ Zend/zend_API.h | 7 +++++--
+ ext/curl/interface.c | 4 ++++
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/Zend/zend_API.h b/Zend/zend_API.h
+index a56075e..e17be4c 100644
+--- a/Zend/zend_API.h
++++ b/Zend/zend_API.h
+@@ -444,7 +444,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
+ #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
+ #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
+ #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
+-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
++#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
+
+
+ ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
+@@ -455,7 +455,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
+
+ /** Build zend_call_info/cache from a zval*
+ *
+- * Caller is responsible to provide a return value, otherwise the we will crash.
++ * Caller is responsible to provide a return value, otherwise the we will crash.
+ * fci->retval_ptr_ptr = NULL;
+ * In order to pass parameters the following members need to be set:
+ * fci->param_count = 0;
+@@ -575,6 +575,9 @@ END_EXTERN_C()
+ const char *__s=(s); \
+ zval *__z = (z); \
+ Z_STRLEN_P(__z) = strlen(__s); \
++ if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
++ zend_error(E_ERROR, "String size overflow"); \
++ } \
+ Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
+ Z_TYPE_P(__z) = IS_STRING; \
+ } while (0)
+diff --git a/ext/curl/interface.c b/ext/curl/interface.c
+index c7112a0..062f996 100644
+--- a/ext/curl/interface.c
++++ b/ext/curl/interface.c
+@@ -3506,6 +3506,10 @@ PHP_FUNCTION(curl_escape)
+ ZEND_FETCH_RESOURCE(ch, php_curl *, &zid, -1, le_curl_name, le_curl);
+
+ if ((res = curl_easy_escape(ch->cp, str, str_len))) {
++ if (strlen(res) > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Escaped string is too long, maximum is %d", INT_MAX);
++ RETURN_FALSE;
++ }
+ RETVAL_STRING(res, 1);
+ curl_free(res);
+ } else {
diff --git a/bug72836.patch b/bug72836.patch
new file mode 100644
index 0000000..ad6b486
--- /dev/null
+++ b/bug72836.patch
@@ -0,0 +1,56 @@
+Backported from 5.6.25 by Remi.
+
+From f973877a2f8d58b857f0f02b8a88a2ee05a1cbb0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 14 Aug 2016 23:13:30 -0700
+Subject: [PATCH] Fix bug #72836 - integer overflow in base64_decode caused
+ heap corruption
+
+---
+ ext/standard/base64.c | 5 +
+ sapi/cli/generate_mime_type_map.php | 76 +++++++
+ sapi/fpm/www.conf.in | 413 ++++++++++++++++++++++++++++++++++++
+ 3 files changed, 494 insertions(+)
+ create mode 100644 sapi/cli/generate_mime_type_map.php
+ create mode 100644 sapi/fpm/www.conf.in
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index a40b866..8340ed1 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -66,6 +66,11 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ return NULL;
+ }
+
++ if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
++ return NULL;
++ }
++
+ result = (unsigned char *) safe_emalloc((length + 2) / 3, 4 * sizeof(char), 1);
+ p = result;
+
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/base64.c b/ext/standard/base64.c
+index 8340ed1..b30a5b7 100644
+--- a/ext/standard/base64.c
++++ b/ext/standard/base64.c
+@@ -67,6 +67,7 @@ PHPAPI unsigned char *php_base64_encode(const unsigned char *str, int length, in
+ }
+
+ if (((size_t)length + 2) / 3 > INT_MAX/4 ) {
++ TSRMLS_FETCH();
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, maximum is %d", INT_MAX/4);
+ return NULL;
+ }
+
diff --git a/bug72837.patch b/bug72837.patch
new file mode 100644
index 0000000..2dfe6f4
--- /dev/null
+++ b/bug72837.patch
@@ -0,0 +1,45 @@
+Backported from 5.6.25 by Remi.
+
+From 69236ea9793b76b778c6cd64748cfee817521118 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 15 Aug 2016 23:17:26 -0700
+Subject: [PATCH] Fix bug #72837 - integer overflow in bzdecompress caused heap
+ corruption
+
+---
+ ext/bz2/bz2.c | 18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+diff --git a/ext/bz2/bz2.c b/ext/bz2/bz2.c
+index 54b59f7..79ec3ec 100644
+--- a/ext/bz2/bz2.c
++++ b/ext/bz2/bz2.c
+@@ -573,15 +573,25 @@ static PHP_FUNCTION(bzdecompress)
+ /* compression is better then 2:1, need to allocate more memory */
+ bzs.avail_out = source_len;
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
++ if (size > INT_MAX) {
++ /* no reason to continue if we're going to drop it anyway */
++ break;
++ }
+ dest = safe_erealloc(dest, 1, bzs.avail_out+1, (size_t) size );
+ bzs.next_out = dest + size;
+ }
+
+ if (error == BZ_STREAM_END || error == BZ_OK) {
+ size = (bzs.total_out_hi32 * (unsigned int) -1) + bzs.total_out_lo32;
+- dest = safe_erealloc(dest, 1, (size_t) size, 1);
+- dest[size] = '\0';
+- RETVAL_STRINGL(dest, (int) size, 0);
++ if (size > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Decompressed size too big, max is %d", INT_MAX);
++ efree(dest);
++ RETVAL_LONG(BZ_MEM_ERROR);
++ } else {
++ dest = safe_erealloc(dest, 1, (size_t) size, 1);
++ dest[size] = '\0';
++ RETVAL_STRINGL(dest, (int) size, 0);
++ }
+ } else { /* real error */
+ efree(dest);
+ RETVAL_LONG(error);
diff --git a/bug72838.patch b/bug72838.patch
new file mode 100644
index 0000000..76e8386
--- /dev/null
+++ b/bug72838.patch
@@ -0,0 +1,28 @@
+Backported from 5.6.25 by Remi.
+
+From 6ba48cff6c31094bc1a6233e023c3a2fcd91ab7a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 15 Aug 2016 23:43:59 -0700
+Subject: [PATCH] Fix bug #72838 - Integer overflow lead to heap
+ corruption in sql_regcase
+
+---
+ ext/ereg/ereg.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/ereg/ereg.c b/ext/ereg/ereg.c
+index 5d38d04..8eb833a 100644
+--- a/ext/ereg/ereg.c
++++ b/ext/ereg/ereg.c
+@@ -743,6 +743,11 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
+
+ for (i = j = 0; i < string_len; i++) {
+ c = (unsigned char) string[i];
++ if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(tmp);
++ RETURN_FALSE;
++ }
+ if (isalpha(c)) {
+ tmp[j++] = '[';
+ tmp[j++] = toupper(c);
diff --git a/bug72848.patch b/bug72848.patch
new file mode 100644
index 0000000..bdf4bcc
--- /dev/null
+++ b/bug72848.patch
@@ -0,0 +1,83 @@
+Backported from 5.6.25 by Remi.
+
+From 444314a2919587674c24777e56d29b4040b4fed4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 15:48:31 -0700
+Subject: [PATCH] Fix bug #72848 - integer overflow in quoted_printable_encode
+ caused heap corruption
+
+---
+ ext/standard/quot_print.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+diff --git a/ext/standard/quot_print.c b/ext/standard/quot_print.c
+index 3b8c0ec..6d5835e 100644
+--- a/ext/standard/quot_print.c
++++ b/ext/standard/quot_print.c
+@@ -144,7 +144,7 @@ PHPAPI unsigned char *php_quot_print_decode(const unsigned char *str, size_t len
+ /* }}} */
+
+ #define PHP_QPRINT_MAXL 75
+-
++
+ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t length, size_t *ret_length) /* {{{ */
+ {
+ unsigned long lp = 0;
+@@ -162,9 +162,9 @@ PHPAPI unsigned char *php_quot_print_encode(const unsigned char *str, size_t len
+ lp = 0;
+ } else {
+ if (iscntrl (c) || (c == 0x7f) || (c & 0x80) || (c == '=') || ((c == ' ') && (*str == '\015'))) {
+- if ((((lp+= 3) > PHP_QPRINT_MAXL) && (c <= 0x7f))
+- || ((c > 0x7f) && (c <= 0xdf) && ((lp + 3) > PHP_QPRINT_MAXL))
+- || ((c > 0xdf) && (c <= 0xef) && ((lp + 6) > PHP_QPRINT_MAXL))
++ if ((((lp+= 3) > PHP_QPRINT_MAXL) && (c <= 0x7f))
++ || ((c > 0x7f) && (c <= 0xdf) && ((lp + 3) > PHP_QPRINT_MAXL))
++ || ((c > 0xdf) && (c <= 0xef) && ((lp + 6) > PHP_QPRINT_MAXL))
+ || ((c > 0xef) && (c <= 0xf4) && ((lp + 9) > PHP_QPRINT_MAXL))) {
+ *d++ = '=';
+ *d++ = '\015';
+@@ -208,7 +208,7 @@ PHP_FUNCTION(quoted_printable_decode)
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &arg1, &arg1_len) == FAILURE) {
+ return;
+ }
+-
++
+ if (arg1_len == 0) {
+ /* shortcut */
+ RETURN_EMPTY_STRING();
+@@ -219,11 +219,11 @@ PHP_FUNCTION(quoted_printable_decode)
+ while (str_in[i]) {
+ switch (str_in[i]) {
+ case '=':
+- if (str_in[i + 1] && str_in[i + 2] &&
+- isxdigit((int) str_in[i + 1]) &&
++ if (str_in[i + 1] && str_in[i + 2] &&
++ isxdigit((int) str_in[i + 1]) &&
+ isxdigit((int) str_in[i + 2]))
+ {
+- str_out[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
++ str_out[j++] = (php_hex2int((int) str_in[i + 1]) << 4)
+ + php_hex2int((int) str_in[i + 2]);
+ i += 3;
+ } else /* check for soft line break according to RFC 2045*/ {
+@@ -254,7 +254,7 @@ PHP_FUNCTION(quoted_printable_decode)
+ }
+ }
+ str_out[j] = '\0';
+-
++
+ RETVAL_STRINGL(str_out, j, 0);
+ }
+ /* }}} */
+@@ -275,6 +275,11 @@ PHP_FUNCTION(quoted_printable_encode)
+ }
+
+ new_str = (char *)php_quot_print_encode((unsigned char *)str, (size_t)str_len, &new_str_len);
++ if (new_str_len > INT_MAX) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(new_str);
++ RETURN_FALSE;
++ }
+ RETURN_STRINGL(new_str, new_str_len, 0);
+ }
+ /* }}} */
diff --git a/bug72849.patch b/bug72849.patch
new file mode 100644
index 0000000..f2cd26f
--- /dev/null
+++ b/bug72849.patch
@@ -0,0 +1,51 @@
+Backported from 5.6.25 by Remi.
+
+From dc223e524d640167c0f12e942eb52cabd6f89ee4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 15:58:05 -0700
+Subject: [PATCH] Fixed bug #72849 - integer overflow in urlencode
+
+---
+ ext/standard/url.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 4b52000..8e471e1 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -520,6 +520,12 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ *to++ = c;
+ }
+ }
++
++ if ((to-start) > INT_MAX) {
++ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
++ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
++ }
++
+ *to = 0;
+ if (new_length) {
+ *new_length = to - start;
+
+From f01446dacf3eeab888b500115f0d71df7918c353 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:34:35 -0700
+Subject: [PATCH] Fix TSRM build
+
+---
+ ext/standard/base64.c | 1 +
+ ext/standard/url.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 8e471e1..dd861a5 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -522,6 +522,7 @@ PHPAPI char *php_url_encode(char const *s, int len, int *new_length)
+ }
+
+ if ((to-start) > INT_MAX) {
++ TSRMLS_FETCH();
+ /* E_ERROR since most clients won't check for error, and this is rather rare condition */
+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "String overflow, max length is %d", INT_MAX);
+ }
diff --git a/bug72850.patch b/bug72850.patch
new file mode 100644
index 0000000..0637e84
--- /dev/null
+++ b/bug72850.patch
@@ -0,0 +1,54 @@
+Backported from 5.6.25 by Remi.
+
+From c35e4cb20cdeb02d9d362c57edce11c2948effcd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 16 Aug 2016 16:03:44 -0700
+Subject: [PATCH] Fix bug #72850 - integer overflow in uuencode
+
+---
+ ext/standard/uuencode.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/uuencode.c b/ext/standard/uuencode.c
+index cd35c28..a31f14d 100644
+--- a/ext/standard/uuencode.c
++++ b/ext/standard/uuencode.c
+@@ -153,7 +153,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
+ while (s < ee) {
+ if(s+4 > e) {
+ goto err;
+- }
++ }
+ *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
+ *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
+ *p++ = PHP_UU_DEC(*(s + 2)) << 6 | PHP_UU_DEC(*(s + 3));
+@@ -168,7 +168,7 @@
+ s++;
+ }
+
+- if ((len = total_len > (p - *dest))) {
++ if ((len = total_len) > (p - *dest)) {
+ *p++ = PHP_UU_DEC(*s) << 2 | PHP_UU_DEC(*(s + 1)) >> 4;
+ if (len > 1) {
+ *p++ = PHP_UU_DEC(*(s + 1)) << 4 | PHP_UU_DEC(*(s + 2)) >> 2;
+@@ -188,7 +188,7 @@ PHPAPI int php_uudecode(char *src, int src_len, char **dest) /* {{{ */
+ }
+ /* }}} */
+
+-/* {{{ proto string convert_uuencode(string data)
++/* {{{ proto string convert_uuencode(string data)
+ uuencode a string */
+ PHP_FUNCTION(convert_uuencode)
+ {
+@@ -200,6 +200,11 @@ PHP_FUNCTION(convert_uuencode)
+ }
+
+ dst_len = php_uuencode(src, src_len, &dst);
++ if (dst_len < 0) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "String too long, max length is %d", INT_MAX);
++ efree(dst);
++ RETURN_FALSE;
++ }
+
+ RETURN_STRINGL(dst, dst_len, 0);
+ }
diff --git a/failed.txt b/failed.txt
index 88f2623..28ff29b 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-==== PHP 5.5.38 (2016-07-21)
+==== PHP 5.5.38-2 (2016-09-10)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
diff --git a/php55.spec b/php55.spec
index cedf22b..54d4e56 100644
--- a/php55.spec
+++ b/php55.spec
@@ -141,7 +141,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: 5.5.38
-Release: 1%{?dist}.1
+Release: 2%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -203,6 +203,25 @@ Patch91: php-5.3.7-oci8conf.patch
# Upstream fixes (100+)
Patch100: bug72735.patch
+Patch101: bug72716.patch
+Patch102: bug72663.patch
+Patch103: bug72681.patch
+Patch104: bug72708.patch
+Patch105: bug72749.patch
+Patch106: bug70436.patch
+Patch107: bug72771.patch
+Patch108: bug72750.patch
+Patch109: bug72627.patch
+Patch110: bug72697.patch
+Patch111: bug72730.patch
+Patch112: bug72790.patch
+Patch113: bug72807.patch
+Patch114: bug72836.patch
+Patch115: bug72837.patch
+Patch116: bug72838.patch
+Patch117: bug72848.patch
+Patch118: bug72849.patch
+Patch119: bug72850.patch
# Security fixes (200+)
@@ -969,6 +988,25 @@ rm -rf ext/json
# security patches
%patch100 -p1 -b .bug72735
+%patch101 -p1 -b .bug72716
+%patch102 -p1 -b .bug72663
+%patch103 -p1 -b .bug72681
+%patch104 -p1 -b .bug72708
+%patch105 -p1 -b .bug72749
+%patch106 -p1 -b .bug70436
+%patch107 -p1 -b .bug72771
+%patch108 -p1 -b .bug72750
+%patch109 -p1 -b .bug72627
+%patch110 -p1 -b .bug72697
+%patch111 -p1 -b .bug72730
+%patch112 -p1 -b .bug72790
+%patch113 -p1 -b .bug72807
+%patch114 -p1 -b .bug72836
+%patch115 -p1 -b .bug72837
+%patch116 -p1 -b .bug72838
+%patch117 -p1 -b .bug72848
+%patch118 -p1 -b .bug72849
+%patch119 -p1 -b .bug72850
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1830,6 +1868,16 @@ fi
%post embedded -p /sbin/ldconfig
%postun embedded -p /sbin/ldconfig
+%posttrans common
+cat << EOF
+
+WARNING : PHP 5.5 have reached its "End of Life" in July 2016.
+Even, if this package includes some security fix, backported from 5.6,
+The upgrade to a maintained version is very strongly recommended.
+
+EOF
+
+
%files
%defattr(-,root,root)
%{_httpd_moddir}/libphp5.so
@@ -1981,6 +2029,40 @@ fi
%changelog
+* Mon Sep 5 2016 Remi Collet <remi@remirepo.net> 5.5.38-2
+- fix #72716: initialize buffer before read (ftp)
+- fix #72663: destroy broken object when unserializing
+ CVE-2016-7124
+- fix #72681: consume data even if we're not storing them
+ CVE-2016-7125
+- fix #72708: php_snmp_parse_oid integer overflow in memory allocation
+- fix #72749: wddx_deserialize allows illegal memory access
+ CVE-2016-7129
+- fix #70436: Use After Free Vulnerability in unserialize()
+ CVE-2016-7129
+- fix #72771: ftps:// opendir wrapper is vulnerable to protocol
+ downgrade attack
+- fix #72750: wddx_deserialize null dereference
+ CVE-2016-7130
+- fix #72627: Memory Leakage In exif_process_IFD_in_TIFF
+ CVE-2016-7128
+- fix #72697: select_colors write out-of-bounds
+ CVE-2016-7126
+- fix #72730: imagegammacorrect allows arbitrary write access
+ CVE-2016-7127
+- fix #72790: wddx_deserialize null dereference with invalid xml
+ CVE-2016-7131
+- fix #72799: wddx_deserialize null dereference in php_wddx_pop_element
+ CVE-2016-7132
+- fix #72807: do not produce strings with negative length
+- fix #72836: integer overflow in base64_decode caused heap corruption
+- fix #72837: integer overflow in bzdecompress caused heap corruption
+- fix #72838: Integer overflow lead to heap corruption in sql_regcase
+- fix #72848: integer overflow in quoted_printable_encode caused
+ heap corruption
+- fix #72849: integer overflow in urlencode
+- fix #72850: integer overflow in uuencode
+
* Fri Aug 5 2016 Remi Collet <remi@fedoraproject.org> 5.5.38-1.1
- fix #72735 regression in exif maker note parser