PHP 5.6: add some upstream patches

6 files changed, 194 insertions, 1 deletions

diff --git a/php-bug67392.patch b/php-bug67392.patch
new file mode 100644
index 0000000..ab9e1f8
--- /dev/null
+++ b/php-bug67392.patch
@@ -0,0 +1,27 @@
+From 6d1885342c1504a8697b41e075844b082f7b335f Mon Sep 17 00:00:00 2001
+From: Nikita Popov <nikic@php.net>
+Date: Fri, 6 Jun 2014 17:09:49 +0200
+Subject: [PATCH] Fix bug #67392: dtrace breaks argument unpack
+
+---
+ NEWS                | 3 +++
+ Zend/zend_execute.c | 3 ++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/Zend/zend_execute.c b/Zend/zend_execute.c
+index bdf8b6e..ad92c5f 100644
+--- a/Zend/zend_execute.c
++++ b/Zend/zend_execute.c
+@@ -1490,7 +1490,8 @@ ZEND_API void execute_internal(zend_execute_data *execute_data_ptr, zend_fcall_i
+ 	} else {
+ 		zval **return_value_ptr = &EX_TMP_VAR(execute_data_ptr, execute_data_ptr->opline->result.var)->var.ptr;
+ 		execute_data_ptr->function_state.function->internal_function.handler(
+-			execute_data_ptr->opline->extended_value, *return_value_ptr, return_value_ptr,
++			execute_data_ptr->opline->extended_value + execute_data_ptr->call->num_additional_args,
++			*return_value_ptr, return_value_ptr,
+ 			execute_data_ptr->object, return_value_used TSRMLS_CC
+ 		);
+ 	}
+-- 
+1.9.2
+
diff --git a/php-bug67410.patch b/php-bug67410.patch
new file mode 100644
index 0000000..9e09d3a
--- /dev/null
+++ b/php-bug67410.patch
@@ -0,0 +1,41 @@
+From e77659a8c87272e5061738a31430d2111482c426 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:02:36 +0200
+Subject: [PATCH] Fixed Bug #67410 fileinfo: mconvert incorrect handling of
+ truncated pascal string size
+
+Upstream
+https://github.com/file/file/commit/27a14bc7ba285a0a5ebfdb55e54001aa11932b08
+---
+ ext/fileinfo/libmagic/softmagic.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 21fea6b..01e4977 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ 		return 1;
+ 	}
+ 	case FILE_PSTRING: {
+-		char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m);
++		size_t sz = file_pstring_length_size(m);
++		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ 		size_t len = file_pstring_get_length(m, ptr1);
+-		if (len >= sizeof(p->s))
+-			len = sizeof(p->s) - 1;
++		if (len >= sizeof(p->s)) {
++			/*
++			 * The size of the pascal string length (sz)
++			 * is 1, 2, or 4. We need at least 1 byte for NUL
++			 * termination, but we've already truncated the
++			 * string by p->s, so we need to deduct sz.
++			 */ 
++			len = sizeof(p->s) - sz;
++		}
+ 		while (len--)
+ 			*ptr1++ = *ptr2++;
+ 		*ptr1 = '\0';
+-- 
+1.9.2
+
diff --git a/php-bug67411.patch b/php-bug67411.patch
new file mode 100644
index 0000000..27c0204
--- /dev/null
+++ b/php-bug67411.patch
@@ -0,0 +1,37 @@
+From 5c9f96799961818944d43b22c241cc56c215c2e4 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:13:14 +0200
+Subject: [PATCH] Fixed Bug #67411 	fileinfo: cdf_check_stream_offset
+ insufficient boundary check
+
+Upstream:
+https://github.com/file/file/commit/36fadd29849b8087af9f4586f89dbf74ea45be67
+---
+ ext/fileinfo/libmagic/cdf.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 16649f1..c9a5d50 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h,
+ {
+ 	const char *b = (const char *)sst->sst_tab;
+ 	const char *e = ((const char *)p) + tail;
++	size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ?
++	    CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h);
+ 	(void)&line;
+-	if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len)
++	if (e >= b && (size_t)(e - b) <= ss * sst->sst_len)
+ 		return 0;
+ 	DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u"
+ 	    " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %"
+ 	    SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b),
+-	    CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len));
++	    ss * sst->sst_len, ss, sst->sst_len));
+ 	errno = EFTYPE;
+ 	return -1;
+ }
+-- 
+1.9.2
+
diff --git a/php-bug67412.patch b/php-bug67412.patch
new file mode 100644
index 0000000..8380dee
--- /dev/null
+++ b/php-bug67412.patch
@@ -0,0 +1,40 @@
+From 40ef6e07e0b2cdced57c506e08cf18f47122292d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:22:04 +0200
+Subject: [PATCH] Bug #67412 	fileinfo: cdf_count_chain insufficient
+ boundary check
+
+Upstream:
+https://github.com/file/file/commit/40bade80cbe2af1d0b2cd0420cebd5d5905a2382
+---
+ ext/fileinfo/libmagic/cdf.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index c9a5d50..ee467a6 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -470,7 +470,8 @@ size_t
+ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ {
+ 	size_t i, j;
+-	cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size);
++	cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size)
++	    / sizeof(maxsector));
+ 
+ 	DPRINTF(("Chain:"));
+ 	for (j = i = 0; sid >= 0; i++, j++) {
+@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size)
+ 			errno = EFTYPE;
+ 			return (size_t)-1;
+ 		}
+-		if (sid > maxsector) {
+-			DPRINTF(("Sector %d > %d\n", sid, maxsector));
++		if (sid >= maxsector) {
++			DPRINTF(("Sector %d >= %d\n", sid, maxsector));
+ 			errno = EFTYPE;
+ 			return (size_t)-1;
+ 		}
+-- 
+1.9.2
+
diff --git a/php-bug67413.patch b/php-bug67413.patch
new file mode 100644
index 0000000..3751e8d
--- /dev/null
+++ b/php-bug67413.patch
@@ -0,0 +1,34 @@
+From 25b1dc917a53787dbb2532721ca22f3f36eb13c0 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 14:33:37 +0200
+Subject: [PATCH] Fixed Bug #67413 	fileinfo: cdf_read_property_info
+ insufficient boundary chec
+
+Upstream:
+https://github.com/file/file/commit/93e063ee374b6a75729df9e7201fb511e47e259d
+
+Adapted for C standard.
+---
+ ext/fileinfo/libmagic/cdf.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index ee467a6..429f3b9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ 	if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1)
+ 		goto out;
+ 	for (i = 0; i < sh.sh_properties; i++) {
+-		size_t ofs = CDF_GETUINT32(p, (i << 1) + 1);
++		size_t ofs, tail = (i << 1) + 1;
++		if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t),
++		    __LINE__) == -1)
++			goto out;
++		ofs = CDF_GETUINT32(p, tail);
+ 		q = (const uint8_t *)(const void *)
+ 		    ((const char *)(const void *)p + ofs
+ 		    - 2 * sizeof(uint32_t));
+-- 
+1.9.2
+
diff --git a/php56.spec b/php56.spec
index 303bfd5..308d3f1 100644
--- a/php56.spec
+++ b/php56.spec
@@ -124,7 +124,7 @@ Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.6.0
 %if 0%{?snapdate:1}%{?rcver:1}
-Release: 0.10.%{?snapdate}%{?rcver}%{?dist}
+Release: 0.11.%{?snapdate}%{?rcver}%{?dist}
 %else
 Release: 1%{?dist}
 %endif
@@ -186,6 +186,11 @@ Patch91: php-5.3.7-oci8conf.patch
 
 # Upstream fixes (100+)
 Patch100: php-reg67118.patch
+Patch101: php-bug67392.patch
+Patch102: php-bug67410.patch
+Patch103: php-bug67411.patch
+Patch104: php-bug67412.patch
+Patch105: php-bug67413.patch
 
 # Security fixes (200+)
 
@@ -909,6 +914,11 @@ rm -rf ext/json
 
 # upstream patches
 %patch100 -p1 -b .reg67118
+%patch101 -p1 -b .bug67392
+%patch102 -p1 -b .bug67410
+%patch103 -p1 -b .bug67411
+%patch104 -p1 -b .bug67412
+%patch105 -p1 -b .bug67413
 
 # security patches
 
@@ -1911,6 +1921,10 @@ fi
 
 
 %changelog
+* Tue Jun 10 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.11.beta4
+- test build for bug 67410, 67411, 67412, 67413
+- fix 67392, dtrace breaks argument unpack
+
 * Thu Jun  5 2014 Remi Collet <rcollet@redhat.com> 5.6.0-0.10.beta4
 - fix regression introduce in fix for #67118