summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorRemi Collet <remi@remirepo.net>2019-01-09 15:17:00 +0100
committerRemi Collet <remi@remirepo.net>2019-01-09 15:17:00 +0100
commite78f08a5c94a4e0c2b77cb8a545e333068ebbe95 (patch)
tree07370caff60d7f8f7579b990b97af5b1e9040380
parent1d31eea35b790572b09169fd3953755e92786cd2 (diff)
- core:HEADmaster
Fix #77369 memcpy with negative length via crafted DNS response - mbstring: Fix #77370 buffer overflow on mb regex functions - fetch_token Fix #77371 heap buffer overflow in mb regex functions compile_string_node Fix #77381 heap buffer overflow in multibyte match_at Fix #77382 heap buffer overflow in expand_case_fold_string Fix #77385 buffer overflow in fetch_token Fix #77394 buffer overflow in multibyte case folding - unicode Fix #77418 heap overflow in utf32be_mbc_to_code - phar: Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc: Fix #77242 heap out of bounds read in xmlrpc_decode Fix #77380 global out of bounds read in xmlrpc base64 code
-rw-r--r--failed.txt2
-rw-r--r--php-bug77242.patch45
-rw-r--r--php-bug77247.patch49
-rw-r--r--php-bug77369.patch42
-rw-r--r--php-bug77370.patch66
-rw-r--r--php-bug77371.patch41
-rw-r--r--php-bug77380.patch57
-rw-r--r--php-bug77381.patch158
-rw-r--r--php-bug77418.patch103
-rw-r--r--php-openssl-cert.patch203
-rw-r--r--php70.spec37
11 files changed, 801 insertions, 2 deletions
diff --git a/failed.txt b/failed.txt
index 969bdf0..702c1d2 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.0.33 (2018-12-06)
+===== 7.0.33-2 (2019-01-10)
$ grep -r 'Tests failed' /var/lib/mock/*/build.log
diff --git a/php-bug77242.patch b/php-bug77242.patch
new file mode 100644
index 0000000..b6afc78
--- /dev/null
+++ b/php-bug77242.patch
@@ -0,0 +1,45 @@
+Backported for 7.0 by Remi
+
+
+From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 17:56:36 -0800
+Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
+
+---
+ ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++
+ ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 ext/xmlrpc/tests/bug77242.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
+index 56642d46142e..eeec5379bf68 100644
+--- a/ext/xmlrpc/libxmlrpc/xml_element.c
++++ b/ext/xmlrpc/libxmlrpc/xml_element.c
+@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
+ long byte_idx = XML_GetCurrentByteIndex(parser);
+ /* int byte_total = XML_GetCurrentByteCount(parser); */
+ const char * error_str = XML_ErrorString(err_code);
++ if(byte_idx > len) {
++ byte_idx = len;
++ }
+ if(byte_idx >= 0) {
+ snprintf(buf,
+ sizeof(buf),
+diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
+new file mode 100644
+index 000000000000..542c06311f74
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77242.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #77242 (heap out of bounds read in xmlrpc_decode())
++--SKIPIF--
++<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
++?>
++--EXPECT--
++NULL
+\ No newline at end of file
diff --git a/php-bug77247.patch b/php-bug77247.patch
new file mode 100644
index 0000000..6a2c8b4
--- /dev/null
+++ b/php-bug77247.patch
@@ -0,0 +1,49 @@
+Backported for 7.0 by Remi
+
+
+From 78bd3477745f1ada9578a79f61edb41886bec1cb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 18:25:37 -0800
+Subject: [PATCH] Fix bug #77247 (heap buffer overflow in
+ phar_detect_phar_fname_ext)
+
+---
+ ext/phar/phar.c | 2 +-
+ ext/phar/tests/bug77247.phpt | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug77247.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 82a9ef31943a..0d2173195c32 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -2021,7 +2021,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha
+ }
+
+ while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
+- pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
++ pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
+ if (!pos) {
+ return FAILURE;
+ }
+diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
+new file mode 100644
+index 000000000000..588975f9f2f8
+--- /dev/null
++++ b/ext/phar/tests/bug77247.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++var_dump(new Phar('a/.b', 0,'test.phar'));
++} catch(UnexpectedValueException $e) {
++ echo "OK";
++}
++?>
++--EXPECT--
++OK
+\ No newline at end of file
diff --git a/php-bug77369.patch b/php-bug77369.patch
new file mode 100644
index 0000000..21fb348
--- /dev/null
+++ b/php-bug77369.patch
@@ -0,0 +1,42 @@
+Backported for 7.0 by Remi
+
+
+From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 20:39:08 -0800
+Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS
+ response
+
+---
+ ext/standard/dns.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 8e102f816f6e..b5fbcb96f968 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u
+ GETLONG(ttl, cp);
+ GETSHORT(dlen, cp);
+ CHECKCP(dlen);
++ if (dlen == 0) {
++ /* No data in the response - nothing to do */
++ return NULL;
++ }
+ if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ cp += dlen;
+ return cp;
+@@ -549,7 +553,12 @@ static u_char *php_parserr(u_char *cp, u
+ CHECKCP(n);
+ add_assoc_stringl(subarray, "tag", (char*)cp, n);
+ cp += n;
+- add_assoc_string(subarray, "value", (char*)cp);
++ if ( (size_t) dlen < ((size_t)n) + 2 ) {
++ return NULL;
++ }
++ n = dlen - n - 2;
++ CHECKCP(n);
++ add_assoc_stringl(subarray, "value", (char*)cp, n);
+ break;
+ case DNS_T_TXT:
+ {
diff --git a/php-bug77370.patch b/php-bug77370.patch
new file mode 100644
index 0000000..b85944a
--- /dev/null
+++ b/php-bug77370.patch
@@ -0,0 +1,66 @@
+From deb06bbb9cbb31292fc219501614a8c3ff25bb11 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 19:51:24 -0800
+Subject: [PATCH] Fix bug #77370 - check that we do not read past buffer end
+ when parsing multibytes
+
+---
+ ext/mbstring/oniguruma/regparse.c | 9 +++++++++
+ ext/mbstring/tests/bug77370.phpt | 13 +++++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 ext/mbstring/tests/bug77370.phpt
+
+diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
+index d2925f1e81b0..252ca1871202 100644
+--- a/ext/mbstring/oniguruma/regparse.c
++++ b/ext/mbstring/oniguruma/regparse.c
+@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ }
+ #endif
+
++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
++# define UNEXPECTED(condition) __builtin_expect(condition, 0)
++#else
++# define UNEXPECTED(condition) (condition)
++#endif
++
+ /* scan pattern methods */
+ #define PEND_VALUE 0
+
+@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+ pfetch_prev = p; \
+ p += ONIGENC_MBC_ENC_LEN(enc, p); \
++ if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+
+ #define PINC_S do { \
+ p += ONIGENC_MBC_ENC_LEN(enc, p); \
++ if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ #define PFETCH_S(c) do { \
+ c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+ p += ONIGENC_MBC_ENC_LEN(enc, p); \
++ if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+
+ #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
+diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt
+new file mode 100644
+index 000000000000..c4d25582fe3b
+--- /dev/null
++++ b/ext/mbstring/tests/bug77370.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_split(" \xfd",""));
++?>
++--EXPECT--
++array(1) {
++ [0]=>
++ string(0) ""
++}
diff --git a/php-bug77371.patch b/php-bug77371.patch
new file mode 100644
index 0000000..e574827
--- /dev/null
+++ b/php-bug77371.patch
@@ -0,0 +1,41 @@
+From c6e34d91b88638966662caac62c4d0e90538e317 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 20:06:08 -0800
+Subject: [PATCH] Fix bug #77371 (heap buffer overflow in mb regex functions -
+ compile_string_node)
+
+---
+ ext/mbstring/oniguruma/regcomp.c | 1 +
+ ext/mbstring/tests/bug77371.phpt | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+ create mode 100644 ext/mbstring/tests/bug77371.phpt
+
+diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
+index b93ca948a773..c72d65d6942f 100644
+--- a/ext/mbstring/oniguruma/regcomp.c
++++ b/ext/mbstring/oniguruma/regcomp.c
+@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
+
+ for (; p < end; ) {
+ len = enclen(enc, p);
++ if (p + len > end) len = end - p;
+ if (len == prev_len) {
+ slen++;
+ }
+diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
+new file mode 100644
+index 000000000000..f23445bd0917
+--- /dev/null
++++ b/ext/mbstring/tests/bug77371.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
++?>
++--EXPECT--
++bool(false)
+\ No newline at end of file
diff --git a/php-bug77380.patch b/php-bug77380.patch
new file mode 100644
index 0000000..4aea7b5
--- /dev/null
+++ b/php-bug77380.patch
@@ -0,0 +1,57 @@
+From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 1 Jan 2019 17:15:20 -0800
+Subject: [PATCH] Fix bug #77380 (Global out of bounds read in xmlrpc base64
+ code)
+
+---
+ ext/xmlrpc/libxmlrpc/base64.c | 4 ++--
+ ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug77380.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
+index 5ebdf31f7ade..a4fa19327b76 100644
+--- a/ext/xmlrpc/libxmlrpc/base64.c
++++ b/ext/xmlrpc/libxmlrpc/base64.c
+@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
+
+ while (!hiteof) {
+ unsigned char igroup[3], ogroup[4];
+- int c, n;
++ int c, n;
+
+ igroup[0] = igroup[1] = igroup[2] = 0;
+ for (n = 0; n < 3; n++) {
+@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
+ return;
+ }
+
+- if (dtable[c] & 0x80) {
++ if (dtable[(unsigned char)c] & 0x80) {
+ /*
+ fprintf(stderr, "Offset %i length %i\n", offset, length);
+ fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
+diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt
+new file mode 100644
+index 000000000000..8559c07a5aea
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77380.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #77380 (Global out of bounds read in xmlrpc base64 code)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo=")));
++?>
++--EXPECT--
++object(stdClass)#1 (2) {
++ ["scalar"]=>
++ string(0) ""
++ ["xmlrpc_type"]=>
++ string(6) "base64"
++}
diff --git a/php-bug77381.patch b/php-bug77381.patch
new file mode 100644
index 0000000..7494049
--- /dev/null
+++ b/php-bug77381.patch
@@ -0,0 +1,158 @@
+From 31f59e1f3074ab344b473dde6077a6844ca87264 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 2 Jan 2019 00:36:30 -0800
+Subject: [PATCH] Fix more issues with encodilng length
+
+Should fix bug #77381, bug #77382, bug #77385, bug #77394.
+---
+ ext/mbstring/oniguruma/enc/unicode.c | 1 +
+ ext/mbstring/oniguruma/regcomp.c | 11 +++++------
+ ext/mbstring/oniguruma/regparse.c | 10 +++-------
+ ext/mbstring/oniguruma/regparse.h | 12 ++++++++++++
+ ext/mbstring/tests/bug77371.phpt | 2 +-
+ ext/mbstring/tests/bug77381.phpt | 16 ++++++++++++++++
+ 6 files changed, 38 insertions(+), 14 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug77381.phpt
+
+diff --git a/ext/mbstring/oniguruma/enc/unicode.c b/ext/mbstring/oniguruma/enc/unicode.c
+index e13429f51e9c..9f86095896b6 100644
+--- a/ext/mbstring/oniguruma/enc/unicode.c
++++ b/ext/mbstring/oniguruma/enc/unicode.c
+@@ -10989,6 +10989,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc,
+
+ code = ONIGENC_MBC_TO_CODE(enc, p, end);
+ len = enclen(enc, p);
++ if (*pp + len > end) len = end - *pp;
+ *pp += len;
+
+ #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
+diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
+index c72d65d6942f..820257341f54 100644
+--- a/ext/mbstring/oniguruma/regcomp.c
++++ b/ext/mbstring/oniguruma/regcomp.c
+@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, regex_t* reg)
+ ambig = NSTRING_IS_AMBIG(node);
+
+ p = prev = sn->s;
+- prev_len = enclen(enc, p);
++ SAFE_ENC_LEN(enc, p, sn->end, prev_len);
+ p += prev_len;
+ slen = 1;
+ rlen = 0;
+
+ for (; p < sn->end; ) {
+- len = enclen(enc, p);
++ SAFE_ENC_LEN(enc, p, sn->end, len);
+ if (len == prev_len) {
+ slen++;
+ }
+@@ -518,13 +518,12 @@ compile_string_node(Node* node, regex_t* reg)
+ ambig = NSTRING_IS_AMBIG(node);
+
+ p = prev = sn->s;
+- prev_len = enclen(enc, p);
++ SAFE_ENC_LEN(enc, p, end, prev_len);
+ p += prev_len;
+ slen = 1;
+
+ for (; p < end; ) {
+- len = enclen(enc, p);
+- if (p + len > end) len = end - p;
++ SAFE_ENC_LEN(enc, p, end, len);
+ if (len == prev_len) {
+ slen++;
+ }
+@@ -3391,7 +3390,7 @@ expand_case_fold_string(Node* node, regex_t* reg)
+ goto err;
+ }
+
+- len = enclen(reg->enc, p);
++ SAFE_ENC_LEN(reg->enc, p, end, len);
+
+ if (n == 0) {
+ if (IS_NULL(snode)) {
+diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
+index 252ca1871202..fcfaf4378c06 100644
+--- a/ext/mbstring/oniguruma/regparse.c
++++ b/ext/mbstring/oniguruma/regparse.c
+@@ -246,12 +246,6 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ }
+ #endif
+
+-#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+-# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+-#else
+-# define UNEXPECTED(condition) (condition)
+-#endif
+-
+ /* scan pattern methods */
+ #define PEND_VALUE 0
+
+@@ -3589,7 +3583,9 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
+ tok->u.code = (OnigCodePoint )num;
+ }
+ else { /* string */
+- p = tok->backp + enclen(enc, tok->backp);
++ int len;
++ SAFE_ENC_LEN(enc, tok->backp, end, len);
++ p = tok->backp + len;
+ }
+ break;
+ }
+diff --git a/ext/mbstring/oniguruma/regparse.h b/ext/mbstring/oniguruma/regparse.h
+index 0c5c2c936c04..bcab03ed5892 100644
+--- a/ext/mbstring/oniguruma/regparse.h
++++ b/ext/mbstring/oniguruma/regparse.h
+@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex_t*);
+ #endif
+ #endif
+
++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
++# define UNEXPECTED(condition) __builtin_expect(condition, 0)
++#else
++# define UNEXPECTED(condition) (condition)
++#endif
++
++#define SAFE_ENC_LEN(enc, p, end, res) do { \
++ int __res = enclen(enc, p); \
++ if (UNEXPECTED(p + __res > end)) __res = end - p; \
++ res = __res; \
++} while(0);
++
+ #endif /* REGPARSE_H */
+diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
+index f23445bd0917..33e5fc115c96 100644
+--- a/ext/mbstring/tests/bug77371.phpt
++++ b/ext/mbstring/tests/bug77371.phpt
+@@ -4,7 +4,7 @@ Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+ <?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+ --FILE--
+ <?php
+-var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));
+ ?>
+ --EXPECT--
+ bool(false)
+\ No newline at end of file
+diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt
+new file mode 100644
+index 000000000000..cb83759fc09b
+--- /dev/null
++++ b/ext/mbstring/tests/bug77381.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #77381 (heap buffer overflow in multibyte match_at)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_ereg("000||0\xfa","0"));
++var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));
++var_dump(mb_ereg("0000\\"."\xf5","0"));
++var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));
++?>
++--EXPECT--
++int(1)
++bool(false)
++bool(false)
++bool(false)
diff --git a/php-bug77418.patch b/php-bug77418.patch
new file mode 100644
index 0000000..7810cf6
--- /dev/null
+++ b/php-bug77418.patch
@@ -0,0 +1,103 @@
+From 9d6c59eeea88a3e9d7039cb4fed5126ef704593a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 6 Jan 2019 23:31:15 -0800
+Subject: [PATCH] Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
+
+---
+ NEWS | 7 ++++---
+ ext/mbstring/oniguruma/enc/utf16_be.c | 4 +++-
+ ext/mbstring/oniguruma/enc/utf16_le.c | 3 ++-
+ ext/mbstring/oniguruma/enc/utf32_be.c | 1 +
+ ext/mbstring/oniguruma/enc/utf32_le.c | 1 +
+ ext/mbstring/tests/bug77418.phpt | 14 ++++++++++++++
+ 6 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug77418.phpt
+
+diff --git a/ext/mbstring/oniguruma/enc/utf16_be.c b/ext/mbstring/oniguruma/enc/utf16_be.c
+index 1e909ebbf293..9e2f73b0735e 100644
+--- a/ext/mbstring/oniguruma/enc/utf16_be.c
++++ b/ext/mbstring/oniguruma/enc/utf16_be.c
+@@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end)
+ }
+
+ static OnigCodePoint
+-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++utf16be_mbc_to_code(const UChar* p, const UChar* end)
+ {
+ OnigCodePoint code;
+
+ if (UTF16_IS_SURROGATE_FIRST(*p)) {
++ if (end - p < 4) return 0;
+ code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
+ + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
+ + p[3];
+ }
+ else {
++ if (end - p < 2) return 0;
+ code = p[0] * 256 + p[1];
+ }
+ return code;
+diff --git a/ext/mbstring/oniguruma/enc/utf16_le.c b/ext/mbstring/oniguruma/enc/utf16_le.c
+index 5cc07591173a..580f8dffa2f4 100644
+--- a/ext/mbstring/oniguruma/enc/utf16_le.c
++++ b/ext/mbstring/oniguruma/enc/utf16_le.c
+@@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end)
+ }
+
+ static OnigCodePoint
+-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++utf16le_mbc_to_code(const UChar* p, const UChar* end)
+ {
+ OnigCodePoint code;
+ UChar c0 = *p;
+ UChar c1 = *(p+1);
+
+ if (UTF16_IS_SURROGATE_FIRST(c1)) {
++ if (end - p < 4) return 0;
+ code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16)
+ + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
+ + p[2];
+diff --git a/ext/mbstring/oniguruma/enc/utf32_be.c b/ext/mbstring/oniguruma/enc/utf32_be.c
+index b4f822607c89..5295f26b1e59 100644
+--- a/ext/mbstring/oniguruma/enc/utf32_be.c
++++ b/ext/mbstring/oniguruma/enc/utf32_be.c
+@@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
+ static OnigCodePoint
+ utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+ {
++ if (end - p < 4) return 0;
+ return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
+ }
+
+diff --git a/ext/mbstring/oniguruma/enc/utf32_le.c b/ext/mbstring/oniguruma/enc/utf32_le.c
+index 8f413bfc74e1..a78c4d0abcc7 100644
+--- a/ext/mbstring/oniguruma/enc/utf32_le.c
++++ b/ext/mbstring/oniguruma/enc/utf32_le.c
+@@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end)
+ static OnigCodePoint
+ utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+ {
++ if (end - p < 4) return 0;
+ return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
+ }
+
+diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt
+new file mode 100644
+index 000000000000..b4acc45c2117
+--- /dev/null
++++ b/ext/mbstring/tests/bug77418.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #77371 (Heap overflow in utf32be_mbc_to_code)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++mb_regex_encoding("UTF-32");
++var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
++?>
++--EXPECT--
++array(1) {
++ [0]=>
++ string(30) "000000000000000000000000000000"
++}
diff --git a/php-openssl-cert.patch b/php-openssl-cert.patch
new file mode 100644
index 0000000..adea20c
--- /dev/null
+++ b/php-openssl-cert.patch
@@ -0,0 +1,203 @@
+From f51062523d03911cc141507112e3ce14b41f73a2 Mon Sep 17 00:00:00 2001
+From: Alexander Kurilo <alex@kurilo.me>
+Date: Mon, 31 Dec 2018 12:19:36 +0300
+Subject: [PATCH] Regenerate certs for openssl tests
+
+---
+ ext/openssl/tests/bug54992-ca.pem | 54 +++++++++---------
+ ext/openssl/tests/bug54992.pem | 28 ++++-----
+ ext/openssl/tests/bug54992.phpt | 42 ++++++++++++++
+ ext/openssl/tests/bug65538.phar | Bin 11278 -> 11278 bytes
+ .../tests/openssl_peer_fingerprint_basic.phpt | 11 +++-
+ 5 files changed, 91 insertions(+), 44 deletions(-)
+
+diff --git a/ext/openssl/tests/bug54992-ca.pem b/ext/openssl/tests/bug54992-ca.pem
+index ac139176aa53..743a11e8fde6 100644
+--- a/ext/openssl/tests/bug54992-ca.pem
++++ b/ext/openssl/tests/bug54992-ca.pem
+@@ -1,35 +1,35 @@
+ -----BEGIN CERTIFICATE-----
+-MIIGAzCCA+ugAwIBAgIUVL06vQzqQ1uRdJ7NAAZyylsKOpYwDQYJKoZIhvcNAQEL
++MIIGAzCCA+ugAwIBAgIUZ7ZvvfVqSEf1EswMT9LfMIPc/U8wDQYJKoZIhvcNAQEL
+ BQAwgZAxCzAJBgNVBAYTAlBUMQ8wDQYDVQQIDAZMaXNib2ExDzANBgNVBAcMBkxp
+ c2JvYTEXMBUGA1UECgwOUEhQIEZvdW5kYXRpb24xHjAcBgNVBAMMFVJvb3QgQ0Eg
+ Zm9yIFBIUCBUZXN0czEmMCQGCSqGSIb3DQEJARYXaW50ZXJuYWxzQGxpc3RzLnBo
+-cC5uZXQwHhcNMTgxMjAxMjEzNTUwWhcNMTgxMjMxMjEzNTUwWjCBkDELMAkGA1UE
++cC5uZXQwHhcNMTgxMjMxMDg0NDU3WhcNMjAwMjA0MDg0NDU3WjCBkDELMAkGA1UE
+ BhMCUFQxDzANBgNVBAgMBkxpc2JvYTEPMA0GA1UEBwwGTGlzYm9hMRcwFQYDVQQK
+ DA5QSFAgRm91bmRhdGlvbjEeMBwGA1UEAwwVUm9vdCBDQSBmb3IgUEhQIFRlc3Rz
+ MSYwJAYJKoZIhvcNAQkBFhdpbnRlcm5hbHNAbGlzdHMucGhwLm5ldDCCAiIwDQYJ
+-KoZIhvcNAQEBBQADggIPADCCAgoCggIBANVgTLlHH3bNkxx+XA1xhr842rf+lP5A
+-XDhM5N9vRCXs/6FAB6iFAfnR+YVgcHD/ppgrrOlAIf6QF2J9EOA4h9oOtCrbhC9y
+-3uKT/dnPWpa39NAdHDJMl2GndulhfyNzXoPmHR+UmVl8RIwJa2yzq8kfI28VZOdG
+-4oW+L8hybO1r+7kewnI/3TQme+yxRMtI/RDAneBPUu4yx+VTy6gP1R7PMwEnMgLC
+-msdBEJh2FR2rjboejZiBAHRG5cWbmRlYV0ApDZAgaKbKGCgken7FF9mImduv7c9H
+-pHkSKAFdt5hYaeJJy48lh5wC7gMjBo62WKUnBqnV1gBBniWSfsgfNJKPV5a3EO32
+-7KinHzzCH4V1C8tCU26om0CoRI+Bm/dpnwuDZWELzMnnyAeCmGWnPi2s/+QaWwKC
+-sMXn0+3CFYtlZ+zEZm0KB10RMypRLhn9md9/TfxJNNjDIHCMCLJkxyxFnYOWqtCd
+-zAA09r117AgM3tbRYY9NYvNzLw5hnPs2W3gB4vrUzqBcgdfIdVaE1QUyy8rWjMNI
+-fIVJVFeyN2mcg3JQw2WmKINDQJWZxXFJR9BPgISpR93BF5zIfGZSSRPuBXaXQ6j/
+-9aw+fnA8asietOL2wGa60zqX1WKopNYvRlt6CCIYkFcfRRkoEjcMRpyVsSn2U9Dd
+-pFlDHq9iE6SLAgMBAAGjUzBRMB0GA1UdDgQWBBQKZYIWtrUo8Iv5zBWfBn40D7p9
+-1DAfBgNVHSMEGDAWgBQKZYIWtrUo8Iv5zBWfBn40D7p91DAPBgNVHRMBAf8EBTAD
+-AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAEJhZ6mMgRUJGF4dM5r+SfrwCTbNGDJkFz
+-DSbeb6WMTtvzL1g2P5zHQ0OvlX+mvmqCRXM40sUFMHDLCQzIgKLpgd44yZM6k4wL
+-hReX2okQ8tEwB73ahy/H3TaRr3B2l6s16kx4obDpyTsbrBZgiks515ru5EM2pv7x
+-31Ya2sUlXBWt+Kc+Z/6UI2Eot7G4M11oeRGpWnFBqPFAIByEbnCR4NCPbAKl2t2q
+-vhsQh0zAo9qB4uUyc/XblKKRtdupDnRceSCLg18ZwnBxrVZBuSK5oUCAwAFtE4BZ
+-G793gbwIUeR0pFgNMKkfPnXy3Ii8OmPDc9CsxO0Qg4Xh2VXWpVI+N5xL5L/M3O1i
+-UDDO2PeoaEVfz3htOCYo1U6BSQqMzg5JD2JifzKEscy3rFkpH21EHLg07Fv4ZSFo
+-HG22zt00dJpNatyAzzaYHlMel4K1fwNrGrUH5M2OeRtvkUMlDKwp8qrKIDpTi6vT
+-GW0woBoRlR1+qGGG9RHBqm937uhHJsLw8lFJmvO0ObqbdpdfW4nWugL8x1LZC9oz
+-uaH7hwj5i0SKK/StuLxAPP6cl4RqQhXO5rxEz2iFjl4nwwtRH3KPEDEAvQcnNXpi
+-2YV5z8C78j1amzbSJBlGpu3aoJNn+WPgjePmeBe7oE9t1/5kvIVIAj8kg6CaKfHz
+-6hiK1Erl8g==
++KoZIhvcNAQEBBQADggIPADCCAgoCggIBAPVThsunmhda5hbNi+pXD3WF9ijryB9H
++JDnIbPW/vMffWcQgtiRzc+6aCykBygnhnN91NNRpxOsoLCb7OjUMM0TjhSE9DxKD
++aVLRoDcs5VSaddQjq3AwdkU6ek9InUOeDuZ8gatrpWlEyuQPwwnMAfR9NkcTajuF
++hGO0BlqkHg98GckQD0N5x6CrrDJt6RE6hf9gUZSGSWdPTiETBQUN8LTuxo/ybFSN
++hcpVNCF+r3eozATbSU8YvQU52RmPIZWHHmYb7KtMO3TEX4LnLJUOefUK4qk+ZJ0s
++f4JfnY7RhBlZGh2kIyE5jwqz8/KzKtxrutNaupdTFZO8nX09QSgmDCxVWVclrPaG
++q2ZFYpeauTy71pTm8DjF7PwQI/+PUrBdFIX0V6uxqUEG0pvPdb8zenVbaK4Jh39u
++w0V5tH/rbtd7zZX4vl3bmKo1Wk0SQxd83iXitxLiJnWNOsmrJcM/Hx91kE10+/ly
++zgL/w5A9HSA616kfPdNzny0laH1TXVLJsnyyV3DyfnU4O6VI0JG3WjhgRdMkgobn
++GvGJ2ZsZAxds9lBtT2y+gw5BU+jkSilPk3jM9MA7Kmyci93U9xxMuDNzyUzfcnXR
++UIq99dZWeMMy1LT3buZXrAWu1WRgPdQtDKcQHDIQaIkxlWsT8q2q/wIirb6fwxlw
++vXkFp+aEP35BAgMBAAGjUzBRMB0GA1UdDgQWBBR37F1+W1gcCp8bhZaFFi9JKQhu
++tTAfBgNVHSMEGDAWgBR37F1+W1gcCp8bhZaFFi9JKQhutTAPBgNVHRMBAf8EBTAD
++AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAYHqpISUI/x8UW33i35rYkFYNvXBMQDc8J
++v4G2eqEBNCOVmHg6P//lq1F2jrtAEr/saESN1uS1Q80sUsthlVsceV1z1isdpugG
++kMbfHxLe0QpthnP3PEChQw30TPB22BThuGVkteNSZKTCPGdzjSTPq2kOR6PCBZRd
++r0r/TW3lT/Ng3KgjT6g7E3ZUpAeFEQMlmNYr/eEOL7K+1jzQrbCLmXbs6rmtffr7
++n4p+wMPMPaSRqQoQ86ff9GPzxWuAQGlytVoiS5Xt3jotd/RWlOy0YQ2QSzOQvFUW
++4te5lwdOvOFnJTo43U3DqASqMcaazvIsN41zVlOyOyKEr9oZERju6FU1aZmuZtHQ
++wMCmXVj/Swj67Zp9tG+vVQenbEk314+8c2nenuOIFP1F2C/NG3vMLIpENRGxpmAm
++s5gIT6mXvJ4JCwWYc75zucOr2KVkDmEziJh/pARuOrOAPdc6NjKku8HBC9UI96+x
++Db4hG2SqXUzShkFX/px7vlCADvgO3FDk2aiyW02PFsItob2O6OB98VGsU26hgRO/
++Czz/jbjWTPHNOt6/fcL0m7XLwlJ+K9gRArY15DeJGumcHEq/Vd/Z8iPQKKdzgF4O
++9XFZvu+VHP82AS5TeiYHCddFJyzktQYcNu5/OBuxzO83d7rpqrLFETTEOL4cN8O7
++LJ7Q89hYAQ==
+ -----END CERTIFICATE-----
+diff --git a/ext/openssl/tests/bug54992.pem b/ext/openssl/tests/bug54992.pem
+index 1a64a4e5b8a1..f207c3044810 100644
+--- a/ext/openssl/tests/bug54992.pem
++++ b/ext/openssl/tests/bug54992.pem
+@@ -1,26 +1,26 @@
+ -----BEGIN CERTIFICATE-----
+-MIID7jCCAdYCFBDKe4ra5M5zJIb81D7zwFRmyHQGMA0GCSqGSIb3DQEBCwUAMIGQ
++MIID7jCCAdYCFDw0rvm7q8y5HfispK5A2I2+RBqHMA0GCSqGSIb3DQEBCwUAMIGQ
+ MQswCQYDVQQGEwJQVDEPMA0GA1UECAwGTGlzYm9hMQ8wDQYDVQQHDAZMaXNib2Ex
+ FzAVBgNVBAoMDlBIUCBGb3VuZGF0aW9uMR4wHAYDVQQDDBVSb290IENBIGZvciBQ
+ SFAgVGVzdHMxJjAkBgkqhkiG9w0BCQEWF2ludGVybmFsc0BsaXN0cy5waHAubmV0
+-MB4XDTE4MTIwMTIxNDU0MloXDTE4MTIzMTIxNDU0MlowWjEXMBUGA1UEAxMOYnVn
++MB4XDTE4MTIzMTA4NDY0M1oXDTIwMDIwNDA4NDY0M1owWjEXMBUGA1UEAxMOYnVn
+ NTQ5OTIubG9jYWwxCzAJBgNVBAYTAlBUMQ8wDQYDVQQHEwZMaXNib2ExDzANBgNV
+ BAgTBkxpc2JvYTEQMA4GA1UEChMHcGhwLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOB
+ jQAwgYkCgYEAtUAVQKTgpUPgtFOJ3w3kDJETS45tWeT96kUg1NeYLKW+jNbFhxPo
+ PJv7XhfemCaqh2tbq1cdYW906Wp1L+eNQvdTYA2IQG4EQBUlmfyIakOIMsN/RizV
+ kF09vlNQwTpaMpqTv7wB8vvwbxb9jbC2ZhQUBEg6PIn18dSstbM9FZ0CAwEAATAN
+-BgkqhkiG9w0BAQsFAAOCAgEAid90+ulRK+4ifB2tKnt2MyuqXZexv2yQ4u15EYmE
+-NLOpP5ZWN8vSvRI3IGruNA00dX/F2EOT+u82ApOxzYyxceAx29Ytpt7PSd2nUqkN
+-TbDAsDTUZdoDLUa6dGPe5Faaai00nfNJ3lqmC9xPbBPKyJ3hjz0Uj6gi51Lfi410
+-4GZa4oIL3NEIKVtaK942EAYCjeWx1VT8AnsvK4Nqufo97sbZNHJhgY+ApM168kox
+-kFA/RNYp/pNS0FCc8b9DwMnu38n2n33iDl3P54chpAcyuWJE5wL/kN2gnS6iMsLP
+-14NtBg2mm++4XqBpt9glmWr56HZtvyFW0IhpDwQgRe4GSIwPES2g1s7iUs3T4VdJ
+-aHkF4v8Bdl6DWXSVdbqIq8CpVZLhf7vt6pV/22YpVCjQFmiLtc8a4gWaYvpn6j+L
+-nAajb9JpdkNeqNiBxmtfQwL7xtY+1goLd9OKtIO1b2517ZRgU9NkUfLKCTl2W2L8
+-sMY7FPVs6Z1jfaXw+vIWKCJKe0thf0HMV4q11ptsqpzyIzAAjAfma1b/MM5ATHsa
+-6h7Poh0yg+WMSdXurjhDWogOWrzPXSe0izUYpREkTVl1oLhzorxlEDh7vBLB2TS3
+-TPAEdNxEbsIutMjoz5ql5dYxgZQGW7HARXrXhMbk6cBU8khNcGGqz1uzX1x7Vb2d
+-hKs=
++BgkqhkiG9w0BAQsFAAOCAgEAKtSMguV5ZQ2KpdZ9MAFa+GiHL0APb58OrvwNK4BF
++6032UZLOWnsBZlo85WGLNnIT/GNzKKr7n9jHeuZcBVOFQLsebahSlfJZs9FPatlI
++9Md1tRzVoTKohjG86HeFhhL+gZQ69SdIcK40wpH1qNv7KyMGA8gnx6rRKbOxZqsx
++pkA/wS7CTqP9/DeOxh/MZPg7N/GZXW1QOz+SE537E9iyiRsbldNYFtwn5iaVfjpr
++xz09wYYW3HJpR+QKPCfJ79JxDhuMHMoUOpIy8vGFnt5zVTcFLa378Sy3vCT1Qwvt
++tTavFGHby4A7OqT6xu+9GTW37OaiV91UelLLV0+MoR4XiMVMX76mvqzmKCp6L9ae
++7RYHrrCtNxkYUKUSkOEc2VHnT+sENkJIZu7zzN7/QNlc0yE9Rtsmgy4QAxo2m9u0
++pUZLAulZ1lS7g/sr7/8Pp17RDvJiJh+oAPyVYZ7OoLF1IoHDHcZI0bqcqhDhiHZs
++PXYqyMCxyYzHFOAOgvbrEkmp8z/E8ATVwdUbAYN1dMrYHre1P4HFEtJh2QiGG2KE
++4jheuNhH1R25AizbwYbD33Kdp7ltCgBlfYqjl771SlgY45QYs0mUdc1Pv39SGIwf
++ZUm7mOWjaTBdYANrkvGM5NNT9kESjKkWykyTg4UF5rHV6nlyexR4b3fjabroi4BS
++v6w=
+ -----END CERTIFICATE-----
+ -----BEGIN RSA PRIVATE KEY-----
+ MIICXgIBAAKBgQC1QBVApOClQ+C0U4nfDeQMkRNLjm1Z5P3qRSDU15gspb6M1sWH
+diff --git a/ext/openssl/tests/bug54992.phpt b/ext/openssl/tests/bug54992.phpt
+index 878cb4a8725b..a3cb36deecbe 100644
+--- a/ext/openssl/tests/bug54992.phpt
++++ b/ext/openssl/tests/bug54992.phpt
+@@ -6,6 +6,48 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded");
+ if (!function_exists("proc_open")) die("skip no proc_open");
+ --FILE--
+ <?php
++/*
++ How to generate bug54992.pem and bug54992-ca.pem and all dependants:
++
++ All the commands below assume you're in the root of php sources
++
++ Generate new key for CA:
++ $ openssl genrsa -out ./ext/openssl/tests/bug54992-ca.key 4096
++
++ Create new CA:
++ $ openssl req -new -x509 -key ./ext/openssl/tests/bug54992-ca.key \
++ -out ext/openssl/tests/bug54992-ca.pem \
++ -subj '/C=PT/ST=Lisboa/L=Lisboa/O=PHP Foundation/CN=Root CA for PHP Tests/emailAddress=internals@lists.php.net' \
++ -days 400
++
++ Extract private key from the bundle:
++ $ openssl rsa -in ext/openssl/tests/bug54992.pem > ext/openssl/tests/bug54992.key
++
++ Extract CSR from existing certificate:
++ $ openssl x509 -x509toreq -in ext/openssl/tests/bug54992.pem -out ext/openssl/tests/bug54992.csr -signkey ext/openssl/tests/bug54992.key
++
++ Sign the CSR:
++ $ openssl x509 -CA ext/openssl/tests/bug54992-ca.pem \
++ -CAcreateserial \
++ -CAkey ./ext/openssl/tests/bug54992-ca.key \
++ -req \
++ -in ext/openssl/tests/bug54992.csr \
++ -sha256 \
++ -days 400 \
++ -out ./ext/openssl/tests/bug54992.pem
++
++ Bundle certificate's private key with the certificate:
++ $ cat ext/openssl/tests/bug54992.key >> ext/openssl/tests/bug54992.pem\
++
++
++ Dependants:
++
++ 1. ext/openssl/tests/bug65538_003.phpt
++ Run the following to generate required phar:
++ php -d phar.readonly=Off -r '$phar = new Phar("ext/openssl/tests/bug65538.phar"); $phar->addFile("ext/openssl/tests/bug54992.pem", "bug54992.pem"); $phar->addFile("ext/openssl/tests/bug54992-ca.pem", "bug54992-ca.pem");'
++
++ 2. Update ext/openssl/tests/openssl_peer_fingerprint_basic.phpt (see instructions in there)
++ */
+ $serverCode = <<<'CODE'
+ $serverUri = "ssl://127.0.0.1:64321";
+ $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN;
+diff --git a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
+index 39d62b29c901..3bca7cb640c6 100644
+--- a/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
++++ b/ext/openssl/tests/openssl_peer_fingerprint_basic.phpt
+@@ -32,12 +32,17 @@ $clientCode = <<<'CODE'
+
+ phpt_wait();
+
+- // should be: 3610606deda596b3ae3859d33c4ce1d9
+- stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '3610606deda596b3ae3859d33c4ce1da');
++ // Run the following to get actual md5 (from sources root):
++ // openssl x509 -noout -fingerprint -md5 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
++ // Currently it's 4edbbaf40a6a4b6af22b6d6d9818378f
++ // One below is intentionally broken (compare the last character):
++ stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', '4edbbaf40a6a4b6af22b6d6d98183780');
+ var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
+
++ // Run the following to get actual sha256 (from sources root):
++ // openssl x509 -noout -fingerprint -sha256 -inform pem -in ext/openssl/tests/bug54992.pem | cut -d '=' -f 2 | tr -d ':' | tr 'A-F' 'a-f'
+ stream_context_set_option($clientCtx, 'ssl', 'peer_fingerprint', [
+- 'sha256' => 'dffa72247ab7e44d94b2858528e3f67015925782148d2cf0b15cd82d1c931215',
++ 'sha256' => 'b1d480a2f83594fa243d26378cf611f334d369e59558d87e3de1abe8f36cb997',
+ ]);
+ var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx));
+ CODE;
diff --git a/php70.spec b/php70.spec
index 260af42..0d14216 100644
--- a/php70.spec
+++ b/php70.spec
@@ -112,7 +112,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: php
Version: %{upver}%{?rcver:~%{rcver}}
-Release: 1%{?dist}
+Release: 2%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -167,8 +167,17 @@ Patch47: php-5.6.3-phpinfo.patch
Patch91: php-5.6.3-oci8conf.patch
# Upstream fixes (100+)
+Patch102: php-openssl-cert.patch
# Security fixes (200+)
+Patch200: php-bug77242.patch
+Patch201: php-bug77247.patch
+Patch202: php-bug77370.patch
+Patch203: php-bug77371.patch
+Patch204: php-bug77380.patch
+Patch205: php-bug77381.patch
+Patch206: php-bug77369.patch
+Patch207: php-bug77418.patch
# Fixes for tests (300+)
# Factory is droped from system tzdata
@@ -1011,8 +1020,17 @@ echo CIBLE = %{name}-%{version}-%{release} oci8=%{with_oci8} libzip=%{with_libzi
%patch91 -p1 -b .remi-oci8
# upstream patches
+%patch102 -p1 -b .up3
# security patches
+%patch200 -p1 -b .bug77242
+%patch201 -p1 -b .bug77247
+%patch202 -p1 -b .bug77370
+%patch203 -p1 -b .bug77371
+%patch204 -p1 -b .bug77380
+%patch205 -p1 -b .bug77381
+%patch206 -p1 -b .bug77369
+%patch207 -p1 -b .bug77418
# Fixes for tests
%if 0%{?fedora} >= 21 || 0%{?rhel} >= 5
@@ -2026,6 +2044,23 @@ fi
%changelog
+* Wed Jan 9 2019 Remi Collet <remi@remirepo.net> - 7.0.33-2
+- core:
+ Fix #77369 memcpy with negative length via crafted DNS response
+- mbstring:
+ Fix #77370 buffer overflow on mb regex functions - fetch_token
+ Fix #77371 heap buffer overflow in mb regex functions compile_string_node
+ Fix #77381 heap buffer overflow in multibyte match_at
+ Fix #77382 heap buffer overflow in expand_case_fold_string
+ Fix #77385 buffer overflow in fetch_token
+ Fix #77394 buffer overflow in multibyte case folding - unicode
+ Fix #77418 heap overflow in utf32be_mbc_to_code
+- phar:
+ Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext
+- xmlrpc:
+ Fix #77242 heap out of bounds read in xmlrpc_decode
+ Fix #77380 global out of bounds read in xmlrpc base64 code
+
* Wed Dec 5 2018 Remi Collet <remi@remirepo.net> - 7.0.33-1
- Update to 7.0.33 - http://www.php.net/releases/7_0_33.php
- use oracle client library version 18.3