From 0c1009e782676a99d57a5e1584ea3cbfb5e7476c Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 28 May 2019 11:01:40 +0200
Subject: - iconv:   Fix #78069 Out-of-bounds read in
 iconv.c:_php_iconv_mime_decode()   CVE-2019-11039 - exif:   Fix #77988
 Heap-buffer-overflow on php_jpg_get16   CVE-2019-11040 - sqlite3:   Fix
 #77967 Bypassing open_basedir restrictions via file uris

---
 php-bug77988.patch | 59 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 php-bug77988.patch

(limited to 'php-bug77988.patch')

diff --git a/php-bug77988.patch b/php-bug77988.patch
new file mode 100644
index 0000000..bd7fa14
--- /dev/null
+++ b/php-bug77988.patch
@@ -0,0 +1,59 @@
+Without test as binary patch not supported
+
+
+
+
+From 9e0574adfd9566ed6308291e4917b095a238fa79 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 27 May 2019 17:16:29 -0700
+Subject: [PATCH] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16
+
+(cherry picked from commit 73ff4193be24192c894dc0502d06e2b2db35eefb)
+---
+ NEWS                         |  14 ++++++++++++++
+ ext/exif/exif.c              |   2 ++
+ ext/exif/tests/bug77988.jpg  | Bin 0 -> 1202 bytes
+ ext/exif/tests/bug77988.phpt |  11 +++++++++++
+ 4 files changed, 27 insertions(+)
+ create mode 100644 ext/exif/tests/bug77988.jpg
+ create mode 100644 ext/exif/tests/bug77988.phpt
+
+diff --git a/NEWS b/NEWS
+index 1bb6b57584..9345c039a2 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,20 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.1.30
++
++- EXIF:
++  . Fixed bug #77988 (heap-buffer-overflow on php_jpg_get16). 
++    (CVE-2019-11040) (Stas)
++
++- GD:
++  . Fixed bug #77973 (Uninitialized read in gdImageCreateFromXbm).
++    (CVE-2019-11038) (cmb)
++
++- Iconv:
++  . Fixed bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode()
++    due to integer overflow). (CVE-2019-11039). (maris dot adam)
++
+ Backported from 7.1.29
+ 
+ - EXIF
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 15e091b6c5..b6c31773ab 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3536,6 +3536,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC)
+ 		if (c == 0xFF)
+ 			return FALSE;
+ 		marker = c;
++		if (pos>=ImageInfo->Thumbnail.size)
++			return FALSE;
+ 		length = php_jpg_get16(data+pos);
+ 		if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
+ 			return FALSE;
+
-- 
cgit