From db1b2c1c19abcc4f498a6a7ee65cea2279ae505d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 13 May 2020 09:34:27 +0200
Subject: Core:   Fix #78875 Long filenames cause OOM and temp files are not
 cleaned   CVE-2019-11048   Fix #78876 Long variables in multipart/form-data
 cause OOM and temp   files are not cleaned

---
 php-bug78875.patch | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 php56.spec         | 11 ++++++++-
 2 files changed, 79 insertions(+), 1 deletion(-)
 create mode 100644 php-bug78875.patch

diff --git a/php-bug78875.patch b/php-bug78875.patch
new file mode 100644
index 0000000..2d8f900
--- /dev/null
+++ b/php-bug78875.patch
@@ -0,0 +1,69 @@
+From a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Wed, 13 May 2020 09:03:49 +0200
+Subject: [PATCH] Backports from 7.2.31
+
+ Fix #78875: Long filenames cause OOM and temp files are not cleaned
+(from 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87)
+
+ Fix #78876: Long variables cause OOM and temp files are not cleaned
+(from 3c8582ca4b8e84e5647220b647914876d2c3b124)
+---
+ NEWS           | 8 ++++++++
+ main/rfc1867.c | 9 +++++----
+ 2 files changed, 13 insertions(+), 4 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 281b52fe76..b53c9e28cb 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,14 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.2.31
++
++- Core:
++  . Fixed bug #78875 (Long filenames cause OOM and temp files are not cleaned).
++    (CVE-2019-11048) (cmb)
++  . Fixed bug #78876 (Long variables in multipart/form-data cause OOM and temp
++    files are not cleaned). (CVE-2019-11048) (cmb)
++
+ Backported from 7.2.30
+ 
+ - Standard:
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index 0ddf0ed8f0..fb3035072a 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -609,9 +609,9 @@ static void *php_ap_memstr(char *haystack, int haystacklen, char *needle, int ne
+ }
+ 
+ /* read until a boundary condition */
+-static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, int *end TSRMLS_DC)
++static unsigned int multipart_buffer_read(multipart_buffer *self, char *buf, unsigned int bytes, int *end TSRMLS_DC)
+ {
+-	int len, max;
++	unsigned int len, max;
+ 	char *bound;
+ 
+ 	/* fill buffer if needed */
+@@ -658,7 +658,7 @@ static int multipart_buffer_read(multipart_buffer *self, char *buf, int bytes, i
+ static char *multipart_buffer_read_body(multipart_buffer *self, unsigned int *len TSRMLS_DC)
+ {
+ 	char buf[FILLUNIT], *out=NULL;
+-	int total_bytes=0, read_bytes=0;
++	unsigned int total_bytes=0, read_bytes=0;
+ 
+ 	while((read_bytes = multipart_buffer_read(self, buf, sizeof(buf), NULL TSRMLS_CC))) {
+ 		out = erealloc(out, total_bytes + read_bytes + 1);
+@@ -684,7 +684,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ {
+ 	char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ 	char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
+-	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++	unsigned int array_len = 0;
+ 	int64_t total_bytes = 0, max_file_size = 0;
+ 	int skip_upload = 0, anonindex = 0, is_anonymous;
+ 	zval *http_post_files = NULL;
diff --git a/php56.spec b/php56.spec
index f04259c..44749bd 100644
--- a/php56.spec
+++ b/php56.spec
@@ -152,7 +152,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.6.40
-Release: 20%{?dist}
+Release: 21%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -248,6 +248,7 @@ Patch238: php-bug79282.patch
 Patch239: php-bug79329.patch
 Patch240: php-bug79330.patch
 Patch241: php-bug79465.patch
+Patch242: php-bug78875.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1049,6 +1050,7 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
 %patch239 -p1 -b .bug79329
 %patch240 -p1 -b .bug79330
 %patch241 -p1 -b .bug79465
+%patch242 -p1 -b .bug78875
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -2105,6 +2107,13 @@ EOF
 
 
 %changelog
+* Wed May 13 2020 Remi Collet <remi@remirepo.net> - 5.6.40-21
+- Core:
+  Fix #78875 Long filenames cause OOM and temp files are not cleaned
+  CVE-2019-11048
+  Fix #78876 Long variables in multipart/form-data cause OOM and temp
+  files are not cleaned
+
 * Tue Apr 14 2020 Remi Collet <remi@remirepo.net> - 5.6.40-20
 - standard:
   Fix #79330 shell_exec silently truncates after a null byte
-- 
cgit