From 474971c0b5e4ce5b004b726ece8ee41c57181ea7 Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 10 Dec 2018 18:15:14 +0100
Subject: Fix #77231 Segfault when using convert.quoted-printable-encode filter Fix #77020 null pointer dereference in imap_mail CVE-2018-19935 Fix #77153 imap_open allows to run arbitrary shell commands via mailbox parameter CVE-2018-19158
---
bug77231.patch | 46 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 46 insertions(+)
create mode 100644 bug77231.patch
(limited to 'bug77231.patch')
diff --git a/bug77231.patch b/bug77231.patch
new file mode 100644
index 0000000..e805ade
--- /dev/null
+++ b/bug77231.patch
@@ -0,0 +1,46 @@
+Backported for 5.4/5.5, from 5.6, by Remi
+
+
+From 78bffa72c1ad8936eae51270f93be17a9c58cfc1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev
+Date: Mon, 3 Dec 2018 02:12:11 -0800
+Subject: [PATCH] Fix null pointer deref in qprint-encode filter (bug #77231)
+
+---
+ NEWS | 4 ++++
+ ext/standard/filters.c | 2 +-
+ ext/standard/tests/filters/bug77231.phpt | 11 +++++++++++
+ 3 files changed, 16 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/filters/bug77231.phpt
+
+diff --git a/ext/standard/filters.c b/ext/standard/filters.c
+index dc7b0d86dcd3..9718a45be25e 100644
+--- a/ext/standard/filters.c
++++ b/ext/standard/filters.c
+@@ -928,7 +928,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
+ line_ccnt--;
+ CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt);
+ } else {
+- if (line_ccnt < 4) {
++ if (line_ccnt < 4 && inst->lbchars != NULL) {
+ if (ocnt < inst->lbchars_len + 1) {
+ err = PHP_CONV_ERR_TOO_BIG;
+ break;
+diff --git a/ext/standard/tests/filters/bug77231.phpt b/ext/standard/tests/filters/bug77231.phpt
+new file mode 100644
+index 000000000000..17967ee80fc5
+--- /dev/null
++++ b/ext/standard/tests/filters/bug77231.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #77231 (Segfault when using convert.quoted-printable-encode filter)
++--FILE--
++
++--EXPECT--
++array(1) {
++ [0]=>
++ string(74) "=BFAAAAAAAAFAAAAAAAAAAAAAA=FF=FF=FF=FF=FF=FF=FF=FFAAAAAAAAAAAAAAAAAAAAAAAA"
++}
+\ No newline at end of file
-- cgit
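Review bot: The new `inst->lbchars != NULL` test in php_conv_qprint_encode_convert removes the dereference of a NULL line-break string, but it does so by skipping the whole `line_ccnt < 4` block, so any reset of line_ccnt that the block performs (outside this hunk, so inferred) no longer happens on that path. Before relying on this backport, confirm that the encoding step after the block cannot decrement line_ccnt past zero when lbchars is NULL, and that any other use of lbchars in this function carries the same guard. The reason for the extra condition is not obvious where it stands; a comment such as `/* lbchars can be NULL: no soft line break is emitted then */` above the `if` would record it. The function starts and ends outside the hunk, and the regression test's --FILE-- body is not visible on this page, so neither could be checked.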