From eb6361698e878ab5473a395d5056cf682e14e704 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Fri, 12 Jul 2013 18:19:23 +0200
Subject: php 5.5.0 with fix for CVE-2013-4113

---
 php-5.5.0-CVE-2013-4013.patch | 181 ++++++++++++++++++++++++++++++++++++++++++
 php55.spec                    |  22 +++--
 2 files changed, 197 insertions(+), 6 deletions(-)
 create mode 100644 php-5.5.0-CVE-2013-4013.patch

diff --git a/php-5.5.0-CVE-2013-4013.patch b/php-5.5.0-CVE-2013-4013.patch
new file mode 100644
index 0000000..dfa2c86
--- /dev/null
+++ b/php-5.5.0-CVE-2013-4013.patch
@@ -0,0 +1,181 @@
+From 7d163e8a0880ae8af2dd869071393e5dc07ef271 Mon Sep 17 00:00:00 2001
+From: Rob Richards <rrichards@php.net>
+Date: Sat, 6 Jul 2013 07:53:07 -0400
+Subject: [PATCH] truncate results at depth of 255 to prevent corruption
+
+---
+ ext/xml/xml.c | 90 +++++++++++++++++++++++++++++++++--------------------------
+ 1 file changed, 50 insertions(+), 40 deletions(-)
+
+diff --git a/ext/xml/xml.c b/ext/xml/xml.c
+index 1f0480b..9f0bc30 100644
+--- a/ext/xml/xml.c
++++ b/ext/xml/xml.c
+@@ -428,7 +428,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
+ 	}
+ 	if (parser->ltags) {
+ 		int inx;
+-		for (inx = 0; inx < parser->level; inx++)
++		for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)
+ 			efree(parser->ltags[ inx ]);
+ 		efree(parser->ltags);
+ 	}
+@@ -805,45 +805,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch
+ 		} 
+ 
+ 		if (parser->data) {
+-			zval *tag, *atr;
+-			int atcnt = 0;
++			if (parser->level <= XML_MAXLEVEL)  {
++				zval *tag, *atr;
++				int atcnt = 0;
+ 
+-			MAKE_STD_ZVAL(tag);
+-			MAKE_STD_ZVAL(atr);
++				MAKE_STD_ZVAL(tag);
++				MAKE_STD_ZVAL(atr);
+ 
+-			array_init(tag);
+-			array_init(atr);
++				array_init(tag);
++				array_init(atr);
+ 
+-			_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
++				_xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
+ 
+-			add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
+-			add_assoc_string(tag,"type","open",1);
+-			add_assoc_long(tag,"level",parser->level);
++				add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
++				add_assoc_string(tag,"type","open",1);
++				add_assoc_long(tag,"level",parser->level);
+ 
+-			parser->ltags[parser->level-1] = estrdup(tag_name);
+-			parser->lastwasopen = 1;
++				parser->ltags[parser->level-1] = estrdup(tag_name);
++				parser->lastwasopen = 1;
+ 
+-			attributes = (const XML_Char **) attrs;
++				attributes = (const XML_Char **) attrs;
+ 
+-			while (attributes && *attributes) {
+-				att = _xml_decode_tag(parser, attributes[0]);
+-				val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
+-				
+-				add_assoc_stringl(atr,att,val,val_len,0);
++				while (attributes && *attributes) {
++					att = _xml_decode_tag(parser, attributes[0]);
++					val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
+ 
+-				atcnt++;
+-				attributes += 2;
++					add_assoc_stringl(atr,att,val,val_len,0);
+ 
+-				efree(att);
+-			}
++					atcnt++;
++					attributes += 2;
+ 
+-			if (atcnt) {
+-				zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
+-			} else {
+-				zval_ptr_dtor(&atr);
+-			}
++					efree(att);
++				}
++
++				if (atcnt) {
++					zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
++				} else {
++					zval_ptr_dtor(&atr);
++				}
+ 
+-			zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
++				zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
++			} else if (parser->level == (XML_MAXLEVEL + 1)) {
++				TSRMLS_FETCH();
++				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
++			}
+ 		}
+ 
+ 		efree(tag_name);
+@@ -895,7 +900,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name)
+ 
+ 		efree(tag_name);
+ 
+-		if (parser->ltags) {
++		if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {
+ 			efree(parser->ltags[parser->level-1]);
+ 		}
+ 
+@@ -979,18 +984,23 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
+ 						}
+ 					}
+ 
+-					MAKE_STD_ZVAL(tag);
+-					
+-					array_init(tag);
+-					
+-					_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
++					if (parser->level <= XML_MAXLEVEL) {
++						MAKE_STD_ZVAL(tag);
+ 
+-					add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
+-					add_assoc_string(tag,"value",decoded_value,0);
+-					add_assoc_string(tag,"type","cdata",1);
+-					add_assoc_long(tag,"level",parser->level);
++						array_init(tag);
+ 
+-					zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
++						_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
++
++						add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
++						add_assoc_string(tag,"value",decoded_value,0);
++						add_assoc_string(tag,"type","cdata",1);
++						add_assoc_long(tag,"level",parser->level);
++
++						zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
++					} else if (parser->level == (XML_MAXLEVEL + 1)) {
++						TSRMLS_FETCH();
++						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
++					}
+ 				}
+ 			} else {
+ 				efree(decoded_value);
+-- 
+1.7.11.5
+
+From 710eee5555bc5c95692bd3c84f5d2b5d687349b6 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?Johannes=20Schl=C3=BCter?= <johannes@php.net>
+Date: Wed, 10 Jul 2013 19:35:18 +0200
+Subject: [PATCH] add test for bug #65236
+
+---
+ ext/xml/tests/bug65236.phpt | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+ create mode 100644 ext/xml/tests/bug65236.phpt
+
+diff --git a/ext/xml/tests/bug65236.phpt b/ext/xml/tests/bug65236.phpt
+new file mode 100644
+index 0000000..67b26d6
+--- /dev/null
++++ b/ext/xml/tests/bug65236.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #65236 (heap corruption in xml parser)
++--SKIPIF--
++<?php
++require_once("skipif.inc");
++?>
++--FILE--
++<?php
++xml_parse_into_struct(xml_parser_create_ns(), str_repeat("<blah>", 1000), $a);
++
++echo "Done\n";
++?>
++--EXPECTF--
++Warning: xml_parse_into_struct(): Maximum depth exceeded - Results truncated in %s on line %d
++Done
+-- 
+1.7.11.5
+
diff --git a/php55.spec b/php55.spec
index f4107e1..baa63fb 100644
--- a/php55.spec
+++ b/php55.spec
@@ -61,7 +61,7 @@
 %else
 %global with_dtrace 0
 %endif
-%if 0%{?fedora} < 20 && 0%{?rhel} < 5
+%if 0%{?fedora} < 17 && 0%{?rhel} < 5
 %global with_libgd   0
 %else
 %global with_libgd   1
@@ -80,16 +80,16 @@
 %global db_devel  libdb-devel
 %endif
 
-%global snapdate      201306240630
+#global snapdate      201306240630
 #global rcver         RC3
 
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
-Version: 5.5.1
+Version: 5.5.0
 %if 0%{?snapdate:1}%{?rcver:1}
 Release: 0.1.%{?snapdate}%{?rcver}%{?dist}
 %else
-Release: 1%{?dist}
+Release: 2%{?dist}
 %endif
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
@@ -146,6 +146,9 @@ Patch46: php-5.4.9-fixheader.patch
 # drop "Configure command" from phpinfo output
 Patch47: php-5.4.9-phpinfo.patch
 
+# Security fixes
+Patch60: php-5.5.0-CVE-2013-4013.patch
+
 # Fixes for tests
 
 # RC Patch
@@ -847,6 +850,8 @@ httpd -V  | grep -q 'threaded:.*yes' && exit 1
 %patch46 -p1 -b .fixheader
 %patch47 -p1 -b .phpinfo
 
+%patch60 -p1 -b .cve4113
+
 %patch91 -p1 -b .remi-oci8
 
 # wip patches
@@ -1301,7 +1306,7 @@ popd
 %if %runselftest
 cd build-apache
 
-# Double stack size (required by bug54268.phpt)
+# Increase stack size (required by bug54268.phpt)
 ulimit -s 32712
 
 # Run tests, using the CLI SAPI
@@ -1802,7 +1807,12 @@ fi
 
 
 %changelog
-* Mon Jun 24 2013 Remi Collet <rcollet@redhat.com> 5.5.0-0.1.201306240630
+* Fri Jul 12 2013 Remi Collet <rcollet@redhat.com> - 5.5.0-2
+- add security fix for CVE-2013-4113
+- add missing ASL 1.0 license
+- 32k stack size seems ok for tests on both 32/64bits build
+
+* Mon Jun 24 2013 Remi Collet <rcollet@redhat.com> 5.5.1-0.1.201306240630
 - test build (bundled libgd)
 
 * Thu Jun 20 2013 Remi Collet <rcollet@redhat.com> 5.5.0-1
-- 
cgit