From 592e9e89151448589e301fa28ecc94df1240214a Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 17 Dec 2019 17:51:08 +0100
Subject: - bcmath:   Fix #78878 Buffer underflow in bc_shift_addsub  
 CVE-2019-11046 - core:   Fix #78862 link() silently truncates after a null
 byte on Windows   CVE-2019-11044   Fix #78863 DirectoryIterator class
 silently truncates after a null byte   CVE-2019-11045 - exif   Fix #78793
 Use-after-free in exif parsing under memory sanitizer   CVE-2019-11050   Fix
 #78910 Heap-buffer-overflow READ in exif   CVE-2019-11047 - use oracle client
 library version 19.5 (18.5 on EL-6)

---
 php-bug78863.patch | 85 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 85 insertions(+)
 create mode 100644 php-bug78863.patch

(limited to 'php-bug78863.patch')

diff --git a/php-bug78863.patch b/php-bug78863.patch
new file mode 100644
index 0000000..eda23aa
--- /dev/null
+++ b/php-bug78863.patch
@@ -0,0 +1,85 @@
+From 4fe7ea95d92de389bbfa46e155f7dd97b0d4d320 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 25 Nov 2019 16:56:34 +0100
+Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
+ a null byte
+
+Since the constructor of DirectoryIterator and friends is supposed to
+accepts paths (i.e. strings without NUL bytes), we must not accept
+arbitrary strings.
+
+(cherry picked from commit a5a15965da23c8e97657278fc8dfbf1dfb20c016)
+---
+ NEWS                        |  2 ++
+ ext/spl/spl_directory.c     |  4 ++--
+ ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++
+ 3 files changed, 35 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug78863.phpt
+
+diff --git a/NEWS b/NEWS
+index d7f67ea976..5bf9b6a5ee 100644
+--- a/NEWS
++++ b/NEWS
+@@ -10,6 +10,8 @@ Backported from 7.2.26
+ - Core:
+   . Fixed bug #78862 (link() silently truncates after a null byte on Windows).
+     (CVE-2019-11044). (cmb)
++  . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
++    byte). (CVE-2019-11045). (cmb)
+ 
+ Backported from 7.1.33
+ 
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index fbcf892c3d..3a22357a26 100644
+--- a/ext/spl/spl_directory.c
++++ b/ext/spl/spl_directory.c
+@@ -691,10 +691,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, long ctor_fla
+ 
+ 	if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
+ 		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
+-		parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &path, &len, &flags);
++		parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &path, &len, &flags);
+ 	} else {
+ 		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
+-		parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &path, &len);
++		parsed = zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &path, &len);
+ 	}
+ 	if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
+ 		flags |= SPL_FILE_DIR_SKIPDOTS;
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+new file mode 100644
+index 0000000000..dc88d98dee
+--- /dev/null
++++ b/ext/spl/tests/bug78863.phpt
+@@ -0,0 +1,31 @@
++--TEST--
++Bug #78863 (DirectoryIterator class silently truncates after a null byte)
++--FILE--
++<?php
++$dir = __DIR__ . '/bug78863';
++mkdir($dir);
++touch("$dir/bad");
++mkdir("$dir/sub");
++touch("$dir/sub/good");
++
++$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
++foreach ($it as $fileinfo) {
++    if (!$fileinfo->isDot()) {
++        var_dump($fileinfo->getFilename());
++    }
++}
++?>
++--EXPECTF--
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Stack trace:
++#0 %s(%d): DirectoryIterator->__construct('%s')
++#1 {main}
++  thrown in %s on line %d
++--CLEAN--
++<?php
++$dir = __DIR__ . '/bug78863';
++unlink("$dir/sub/good");
++rmdir("$dir/sub");
++unlink("$dir/bad");
++rmdir($dir);
++?>
-- 
cgit