From 725130ba0bb06a3954b3e81c385bea0bca36324e Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 28 Aug 2019 15:33:56 +0200
Subject: From 7.1.32

- mbstring:
  Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe
- pcre:
  Fix #75457 heap use-after-free in pcrelib
---
 failed.txt         | 16 +++++-----
 php-bug75457.patch | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php-bug78380.patch | 78 +++++++++++++++++++++++++++++++++++++++++++++++++
 php56.spec         | 12 +++++++-
 4 files changed, 183 insertions(+), 9 deletions(-)
 create mode 100644 php-bug75457.patch
 create mode 100644 php-bug78380.patch

diff --git a/failed.txt b/failed.txt
index 70bd2b4..5020e80 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,21 +1,21 @@
-===== 5.6.40-12 (2019-07-30)
+===== 5.6.40-13 (2019-08-28)
 
 $ grep -r 'Tests failed' /var/lib/mock/*/build.log
 
-/var/lib/mock/el6i/build.log:Tests failed    :     4
-/var/lib/mock/el6x/build.log:Tests failed    :     1
-/var/lib/mock/el7x/build.log:Tests failed    :     0
+/var/lib/mock/el6i/build.log:Tests failed    :     2
+/var/lib/mock/el6x/build.log:Tests failed    :     0
+/var/lib/mock/el7x/build.log:Tests failed    :     2
 
 
 el6i:
 	4	Test date_sunrise() function : usage variation -  Passing high positive and negative float values to time argument. [ext/date/tests/date_sunrise_variation9.phpt]
 	4	Test getdate() function : usage variation - Passing high positive and negative float values to timestamp. [ext/date/tests/getdate_variation7.phpt]
-		Peer verification enabled for client streams [ext/openssl/tests/peer_verification.phpt]
-		Peer verification matches SAN names [ext/openssl/tests/san_peer_matching.phpt]
-el6x:
-		Test disk_free_space and its alias diskfreespace() functions : basic functionality [ext/standard/tests/file/disk_free_space_basic.phpt]
+el7x:
+		TLSv1.1 and TLSv1.2 bitwise stream crypto flag assignment [ext/openssl/tests/stream_crypto_flags_002.phpt]
+	2	Bug #75457 (heap-use-after-free in php7.0.25) [ext/pcre/tests/bug75457.phpt]
 
 
 1	proc_open have erratic results... :(
+2	test fixed upstream
 3	online test
 4	tzdata are no more updated upstream in security branch
diff --git a/php-bug75457.patch b/php-bug75457.patch
new file mode 100644
index 0000000..88a1061
--- /dev/null
+++ b/php-bug75457.patch
@@ -0,0 +1,86 @@
+From 582128d6b5acdef94752cc4ea4a049497067bb38 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 16 Aug 2019 14:29:19 +0200
+Subject: [PATCH 1/3] Fix #75457: heap-use-after-free in php7.0.25
+
+Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.
+
+(cherry picked from commit 7bf1f9d561826c4a3ed748e55bb756375cdf28b9)
+---
+ ext/pcre/pcrelib/pcre_compile.c | 11 ++++++++++-
+ ext/pcre/tests/bug75457.phpt    | 10 ++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+ create mode 100644 ext/pcre/tests/bug75457.phpt
+
+diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c
+index c9171cbee9..1d37671635 100644
+--- a/ext/pcre/pcrelib/pcre_compile.c
++++ b/ext/pcre/pcrelib/pcre_compile.c
+@@ -485,7 +485,7 @@ static const char error_texts[] =
+   "lookbehind assertion is not fixed length\0"
+   "malformed number or name after (?(\0"
+   "conditional group contains more than two branches\0"
+-  "assertion expected after (?(\0"
++  "assertion expected after (?( or (?(?C)\0"
+   "(?R or (?[+-]digits must be followed by )\0"
+   /* 30 */
+   "unknown POSIX class name\0"
+@@ -6734,6 +6734,15 @@ for (;; ptr++)
+           for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break;
+           if (ptr[i] == CHAR_RIGHT_PARENTHESIS)
+             tempptr += i + 1;
++
++          /* tempptr should now be pointing to the opening parenthesis of the
++          assertion condition. */
++
++          if (*tempptr != CHAR_LEFT_PARENTHESIS)
++            {
++            *errorcodeptr = ERR28;
++            goto FAILED;
++            }
+           }
+ 
+         /* For conditions that are assertions, check the syntax, and then exit
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+new file mode 100644
+index 0000000000..c7ce9ed0f9
+--- /dev/null
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #75457 (heap-use-after-free in php7.0.25)
++--FILE--
++<?php
++$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
++var_dump(preg_match($pattern, "hello"));
++?>
++--EXPECTF--
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++bool(false)
+-- 
+2.20.1
+
+From b781eb2900cc0d74e385e704711a0002a9ecc8cb Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 28 Aug 2019 14:34:48 +0200
+Subject: [PATCH] relax test, offset may be different on various system lib
+ versions
+
+---
+ ext/pcre/tests/bug75457.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
+index c7ce9ed0f9..571a4bde77 100644
+--- a/ext/pcre/tests/bug75457.phpt
++++ b/ext/pcre/tests/bug75457.phpt
+@@ -6,5 +6,5 @@ $pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
+ var_dump(preg_match($pattern, "hello"));
+ ?>
+ --EXPECTF--
+-Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
++Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset %d in %sbug75457.php on line %d
+ bool(false)
+-- 
+2.20.1
+
diff --git a/php-bug78380.patch b/php-bug78380.patch
new file mode 100644
index 0000000..4d7db35
--- /dev/null
+++ b/php-bug78380.patch
@@ -0,0 +1,78 @@
+From 8cc1b123b05c51442b9a4fc4ea61d7719ee96e0e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 24 Aug 2019 23:11:45 -0700
+Subject: [PATCH 2/3] Fix CVE-2019-13224: don't allow different encodings for
+ onig_new_deluxe()
+
+Backport from https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55
+
+(cherry picked from commit 1258303e66d8dede4f02347334b9f6576e98a21b)
+---
+ ext/mbstring/oniguruma/regext.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/mbstring/oniguruma/regext.c b/ext/mbstring/oniguruma/regext.c
+index b1b957b40c..b108e638c6 100644
+--- a/ext/mbstring/oniguruma/regext.c
++++ b/ext/mbstring/oniguruma/regext.c
+@@ -29,6 +29,7 @@
+ 
+ #include "regint.h"
+ 
++#if 0
+ static void
+ conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
+ {
+@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
+ 
+   return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+ }
++#endif
+ 
+ extern int
+ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
+   if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
+ 
+   if (ci->pattern_enc != ci->target_enc) {
+-    r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
+-                      &cpat, &cpat_end);
+-    if (r) return r;
++    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
+   }
+   else {
+     cpat     = (UChar* )pattern;
+-- 
+2.20.1
+
+From b0aa68eade0d15274465136a6d6b84edd8ab6e4b Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 28 Aug 2019 14:06:50 +0200
+Subject: [PATCH 3/3] NEWS
+
+---
+ NEWS | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 5039cdf59d..cb7919bafc 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.1.32
++
++- mbstring:
++  . Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe) (stas)
++
++- pcre:
++  . Fixed bug #75457 (heap use-after-free in pcrelib) (cmb)
++
+ Backported from 7.1.31
+ 
+ - EXIF:
+-- 
+2.20.1
+
diff --git a/php56.spec b/php56.spec
index e582328..4a50987 100644
--- a/php56.spec
+++ b/php56.spec
@@ -148,7 +148,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.6.40
-Release: 12%{?dist}
+Release: 13%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -228,6 +228,8 @@ Patch221: php-bug77967.patch
 Patch222: php-bug78222.patch
 Patch223: php-bug78256.patch
 Patch224: php-bug77919.patch
+Patch225: php-bug75457.patch
+Patch226: php-bug78380.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1011,6 +1013,8 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
 %patch222 -p1 -b .bug78222
 %patch223 -p1 -b .bug78256
 %patch224 -p1 -b .bug77919
+%patch225 -p1 -b .bug75457
+%patch226 -p1 -b .bug78380
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -2063,6 +2067,12 @@ EOF
 
 
 %changelog
+* Wed Aug 28 2019 Remi Collet <remi@remirepo.net> - 5.6.40-13
+- mbstring:
+  Fix CVE-2019-13224 don't allow different encodings for onig_new_deluxe
+- pcre:
+  Fix #75457 heap use-after-free in pcrelib
+
 * Tue Jul 30 2019 Remi Collet <remi@remirepo.net> - 5.6.40-12
 - exif:
   Fix #78256 heap-buffer-overflow on exif_process_user_comment
-- 
cgit