From 95899ed7c0cd80537182cf0273e1675a2814756d Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Sat, 10 Dec 2016 19:49:27 +0100
Subject: PHP 5.5.38 with 1 minor security fix from 5.6.29

---
 bug73631.patch | 142 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php55.spec     |  13 ++++--
 2 files changed, 151 insertions(+), 4 deletions(-)
 create mode 100644 bug73631.patch

diff --git a/bug73631.patch b/bug73631.patch
new file mode 100644
index 0000000..98f5cc4
--- /dev/null
+++ b/bug73631.patch
@@ -0,0 +1,142 @@
+Backported from 5.6.29 by Remi.
+
+
+From 66fd44209d5ffcb9b3d1bc1b9fd8e35b485040c0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 5 Dec 2016 21:40:55 -0800
+Subject: [PATCH] Fix bug #73631 - Invalid read when wddx decodes empty boolean
+ element
+
+---
+ ext/wddx/tests/bug73631.phpt | 19 +++++++++++++++++++
+ ext/wddx/wddx.c              |  5 +++++
+ 2 files changed, 24 insertions(+)
+ create mode 100644 ext/wddx/tests/bug73631.phpt
+
+diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
+new file mode 100644
+index 0000000..5e37ae8
+--- /dev/null
++++ b/ext/wddx/tests/bug73631.phpt
+@@ -0,0 +1,19 @@
++--TEST--
++Bug #73631 (Memory leak due to invalid wddx stack processing)
++--SKIPIF--
++<?php if (!extension_loaded("wddx")) print "skip"; ?>
++--FILE--
++<?php
++$xml = <<<EOF
++<?xml version="1.0" ?>
++<wddxPacket version="1.0">
++<number>1234</number>
++<binary><boolean/></binary>
++</wddxPacket>
++EOF;
++$wddx = wddx_deserialize($xml);
++var_dump($wddx);
++?>
++--EXPECTF--
++int(1234)
++
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 069ea12..0cee16b 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -805,6 +805,11 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
+ 				php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
+ 				break;
+ 			}
++		} else {
++			ent.type = ST_BOOLEAN;
++			SET_STACK_VARNAME;
++			ZVAL_FALSE(&ent.data);
++			wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
+ 		}
+ 	} else if (!strcmp(name, EL_NULL)) {
+ 		ent.type = ST_NULL;
+From 331db73eab1008b30069137f27ebd1e7a42de28a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 5 Dec 2016 22:32:59 -0800
+Subject: [PATCH] This still leaks memory, I don't have enough knowledge in
+ WDDX code to fix them :(
+
+---
+ ext/wddx/tests/bug73631.phpt | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
+index 5e37ae8..880ada5 100644
+--- a/ext/wddx/tests/bug73631.phpt
++++ b/ext/wddx/tests/bug73631.phpt
+@@ -2,6 +2,8 @@
+ Bug #73631 (Memory leak due to invalid wddx stack processing)
+ --SKIPIF--
+ <?php if (!extension_loaded("wddx")) print "skip"; ?>
++--XFAIL--
++Still has memory leaks, not sure how to fix them.
+ --FILE--
+ <?php
+ $xml = <<<EOF
+@@ -16,4 +18,3 @@ var_dump($wddx);
+ ?>
+ --EXPECTF--
+ int(1234)
+-
+From e64d104a9b43bd48da5260b4a91d42f4a71fd1c4 Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Tue, 6 Dec 2016 14:34:27 +0100
+Subject: [PATCH] fix leak, take on 5.6
+
+---
+ ext/wddx/tests/bug73631.phpt | 2 --
+ ext/wddx/wddx.c              | 2 ++
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/wddx/tests/bug73631.phpt b/ext/wddx/tests/bug73631.phpt
+index 880ada5..1fcde72d 100644
+--- a/ext/wddx/tests/bug73631.phpt
++++ b/ext/wddx/tests/bug73631.phpt
+@@ -2,8 +2,6 @@
+ Bug #73631 (Memory leak due to invalid wddx stack processing)
+ --SKIPIF--
+ <?php if (!extension_loaded("wddx")) print "skip"; ?>
+---XFAIL--
+-Still has memory leaks, not sure how to fix them.
+ --FILE--
+ <?php
+ $xml = <<<EOF
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 0cee16b..9394a59 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -1050,6 +1050,8 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+ 				} else	{
+ 					zend_hash_next_index_insert(target_hash, &ent1->data, sizeof(zval *), NULL);
+ 				}
++			} else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) {
++				zval_ptr_dtor(&ent1->data);
+ 			}
+ 			efree(ent1);
+ 		} else {
+From 864f3bda5aba2c1982e9bf77ecfd6901eb404a7e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Tue, 6 Dec 2016 16:12:39 +0100
+Subject: [PATCH] fix leak, take 2
+
+---
+ ext/wddx/wddx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 9394a59..72d2408 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -1050,7 +1050,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+ 				} else	{
+ 					zend_hash_next_index_insert(target_hash, &ent1->data, sizeof(zval *), NULL);
+ 				}
+-			} else if (!strcmp(name, EL_BINARY) && STR_EMPTY_ALLOC() == Z_STRVAL_P(ent1->data)) {
++			} else if (!strcmp(name, EL_BINARY) && Z_STRLEN_P(ent1->data) < 1) {
+ 				zval_ptr_dtor(&ent1->data);
+ 			}
+ 			efree(ent1);
diff --git a/php55.spec b/php55.spec
index 58e0997..e73cde6 100644
--- a/php55.spec
+++ b/php55.spec
@@ -141,7 +141,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.5.38
-Release: 5%{?dist}
+Release: 6%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -251,6 +251,7 @@ Patch145: bug73331.patch
 Patch146: bug73144.patch
 Patch147: bug73418.patch
 Patch148: bug73356.patch
+Patch149: bug73631.patch
 
 # Security fixes (200+)
 
@@ -1065,6 +1066,7 @@ rm -rf ext/json
 %patch146 -p1 -b .bug73144
 %patch147 -p1 -b .bug73418
 %patch148 -p1 -b .bug73356
+%patch149 -p1 -b .bug73631
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -2087,16 +2089,20 @@ EOF
 
 
 %changelog
-* Wed Nov  9 2016 Remi Collet <remi@remirepo.net> 5.5.38-5
+* Sat Dec 10 2016 Remi Collet <remi@remirepo.net> - 5.5.38-6
+- fix #73631: Invalid read when wddx decodes empty boolean element
+
+* Wed Nov  9 2016 Remi Collet <remi@remirepo.net> - 5.5.38-5
 - fix #73418: Integer Overflow in "_php_imap_mail" leads Heap Overflow
 - fix #73144: Use-after-free in ArrayObject Deserialization
 - fix #73356: crash in bzcompress function
 - fix #73331: NULL Pointer Deref. in WDDX Packet Deserialization with PDORow
 
-* Sat Oct 15 2016 Remi Collet <remi@remirepo.net> 5.5.38-4
+* Sat Oct 15 2016 Remi Collet <remi@remirepo.net> - 5.5.38-4
 - fix #73189: Memcpy negative size parameter php_resolve_path
 - fix #72581: previous property undefined in Exception after deserialization
 - fix #73147: Use After Free in unserialize
+  CVE-2016-9137
 - fix #73190: memcpy negative parameter _bc_new_num_ex
 - fix #73150: missing NULL check in dom_document_save_html
 - fix #73284: heap overflow in php_ereg_replace function
@@ -2106,7 +2112,6 @@ EOF
 - fix #73082: string length overflow in mb_encode_* function
 - fix #73174: heap overflow in php_pcre_replace_impl
 - fix #73275: crash in openssl_encrypt function
-- fix #73275: crash in openssl_encrypt function
 - fix #73293: NULL pointer dereference in SimpleXMLElement::asXML
 - fix #73240: Write out of bounds at number_format
 - fix #73017: memory corruption in wordwrap function
-- 
cgit