From 9fd633180dddf5573aa49084454a9357b29b06bb Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Tue, 21 Jan 2020 09:46:37 +0100 Subject: mbstring: Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar CVE-2020-7060 session: Fix #79091 heap use-after-free in session_create_id standard: Fix #79099 OOB read in php_strip_tags_ex CVE-2020-7059 --- failed.txt | 6 ++-- php-bug79037.patch | 96 ++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug79091.patch | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ php-bug79099.patch | 81 ++++++++++++++++++++++++++++++++++++++++++++ php71.spec | 28 ++++++++++++++- 5 files changed, 307 insertions(+), 3 deletions(-) create mode 100644 php-bug79037.patch create mode 100644 php-bug79091.patch create mode 100644 php-bug79099.patch diff --git a/failed.txt b/failed.txt index b381d02..490e22b 100644 --- a/failed.txt +++ b/failed.txt @@ -1,12 +1,14 @@ -===== 7.1.33 (2019-10-24) +===== 7.1.33-3 (2020-01-21) $ grep -r 'Tests failed' /var/lib/mock/*/build.log /var/lib/mock/el6i/build.log:Tests failed : 0 -/var/lib/mock/el6x/build.log:Tests failed : 0 +/var/lib/mock/el6x/build.log:Tests failed : 1 /var/lib/mock/el7x/build.log:Tests failed : 3 +el6x: + 1 Bug #69521 Segfault in gc_collect_cycles() [ext/standard/tests/streams/bug69521.phpt] el7x 4 Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt] 4 Bug #33415 [2] (Possibly invalid non-one-hour DST or timezone shifts) [ext/date/tests/bug33415-2.phpt] diff --git a/php-bug79037.patch b/php-bug79037.patch new file mode 100644 index 0000000..d488065 --- /dev/null +++ b/php-bug79037.patch 
@@ -0,0 +1,96 @@ +From 6639124e6e1fbfe81a6afe5ee9f0a1fee24d0856 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 20 Jan 2020 21:42:44 -0800 +Subject: [PATCH] Fix bug #79037 (global buffer-overflow in + `mbfl_filt_conv_big5_wchar`) + +(cherry picked from commit 2bcbc95f033c31b00595ed39f79c3a99b4ed0501) +--- + ext/mbstring/libmbfl/filters/mbfilter_big5.c | 17 ++++++++++++----- + ext/mbstring/tests/bug79037.phpt | 10 ++++++++++ + 2 files changed, 22 insertions(+), 5 deletions(-) + create mode 100644 ext/mbstring/tests/bug79037.phpt + +diff --git a/ext/mbstring/libmbfl/filters/mbfilter_big5.c b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +index f5ab8809ce..5e1ca815da 100644 +--- a/ext/mbstring/libmbfl/filters/mbfilter_big5.c ++++ b/ext/mbstring/libmbfl/filters/mbfilter_big5.c +@@ -138,6 +138,17 @@ static unsigned short cp950_pua_tbl[][4] = { + {0xf70f,0xf848,0xc740,0xc8fe}, + }; + ++static inline int is_in_cp950_pua(int c1, int c) { ++ if ((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || ++ (c1 >= 0x81 && c1 <= 0x8d) || (c1 >= 0xc7 && c1 <= 0xc8)) { ++ return (c >=0x40 && c <= 0x7e) || (c >= 0xa1 && c <= 0xfe); ++ } ++ if (c1 == 0xc6) { ++ return c >= 0xa1 && c <= 0xfe; ++ } ++ return 0; ++} ++ + /* + * Big5 => wchar + */ +@@ -186,11 +197,7 @@ mbfl_filt_conv_big5_wchar(int c, mbfl_convert_filter *filter) + + if (filter->from->no_encoding == mbfl_no_encoding_cp950) { + /* PUA for CP950 */ +- if (w <= 0 && +- (((c1 >= 0xfa && c1 <= 0xfe) || (c1 >= 0x8e && c1 <= 0xa0) || +- (c1 >= 0x81 && c1 <= 0x8d) ||(c1 >= 0xc7 && c1 <= 0xc8)) +- && ((c > 0x39 && c < 0x7f) || (c > 0xa0 && c < 0xff))) || +- ((c1 == 0xc6) && (c > 0xa0 && c < 0xff))) { ++ if (w <= 0 && is_in_cp950_pua(c1, c)) { + c2 = c1 << 8 | c; + for (k = 0; k < sizeof(cp950_pua_tbl)/(sizeof(unsigned short)*4); k++) { + if (c2 >= cp950_pua_tbl[k][2] && c2 <= cp950_pua_tbl[k][3]) { +diff --git a/ext/mbstring/tests/bug79037.phpt b/ext/mbstring/tests/bug79037.phpt +new file mode 100644 +index 
0000000000..94ff01a4a1 +--- /dev/null ++++ b/ext/mbstring/tests/bug79037.phpt +@@ -0,0 +1,10 @@ ++--TEST-- ++Bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` ++--FILE-- ++ ++--EXPECT-- ++string(1) "?" +From 18d8f6f9033a35b33e4bbf8590cd6e653b45b6d7 Mon Sep 17 00:00:00 2001 +From: Remi Collet +Date: Tue, 21 Jan 2020 09:06:34 +0100 +Subject: [PATCH] update NEWS + +--- + NEWS | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/NEWS b/NEWS +index 25d352f784..e311fc78cc 100644 +--- a/NEWS ++++ b/NEWS +@@ -1,6 +1,18 @@ + PHP NEWS + ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| + ++Backported from 7.2.27 ++ ++- Mbstring: ++ . Fixed bug #79037 (global buffer-overflow in `mbfl_filt_conv_big5_wchar`). ++ (CVE-2020-7060) (Nikita) ++ ++- Session: ++ . Fixed bug #79091 (heap use-after-free in session_create_id()). (cmb, Nikita) ++ ++- Standard: ++ . Fixed bug #79099 (OOB read in php_strip_tags_ex). (CVE-2020-7059). (cmb) ++ + Backported from 7.2.26 + + - Bcmath: diff --git a/php-bug79091.patch b/php-bug79091.patch new file mode 100644 index 0000000..ad3a5cc --- /dev/null +++ b/php-bug79091.patch 
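Review bot: The only behavioural change hidden inside the new `is_in_cp950_pua` helper is the trail-byte lower bound, which moves from `c > 0x39` in the removed condition to `c >= 0x40`, yet nothing in the helper says so and a reader will take the hunk for a pure refactor. A comment above the first `return` would keep the reason with the code, e.g. `/* Big5 trail byte is 0x40-0x7E or 0xA1-0xFE; the old 0x3A lower bound admitted bytes outside that range (bug #79037) */`. While there, `c >=0x40` should be spaced like its neighbours, `c >= 0x40`. The body of `mbfl_filt_conv_big5_wchar` that performs the table lookup continues outside the hunk, so whether any other caller relies on the old bound cannot be judged from here.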
@@ -0,0 +1,99 @@ +From 35c8a53c098cd828413a80ed7964146d50161c6c Mon Sep 17 00:00:00 2001 +From: "Christoph M. Becker" +Date: Mon, 20 Jan 2020 18:05:00 +0100 +Subject: [PATCH] Fix #79091: heap use-after-free in session_create_id() + +If the `new_id` is released, we must not use it again. + +(cherry picked from commit f79c7742746907d676989cb7f97fb4f7cd26789f) +--- + ext/session/session.c | 1 + + ext/session/tests/bug79091.phpt | 67 +++++++++++++++++++++++++++++++++ + 2 files changed, 68 insertions(+) + create mode 100644 ext/session/tests/bug79091.phpt + +diff --git a/ext/session/session.c b/ext/session/session.c +index 8d60ac249a..44ecb85f74 100644 +--- a/ext/session/session.c ++++ b/ext/session/session.c +@@ -2049,6 +2049,7 @@ static PHP_FUNCTION(session_create_id) + /* Detect collision and retry */ + if (PS(mod)->s_validate_sid(&PS(mod_data), new_id) == FAILURE) { + zend_string_release(new_id); ++ new_id = NULL; + continue; + } + break; +diff --git a/ext/session/tests/bug79091.phpt b/ext/session/tests/bug79091.phpt +new file mode 100644 +index 0000000000..1d14427159 +--- /dev/null ++++ b/ext/session/tests/bug79091.phpt +@@ -0,0 +1,67 @@ ++--TEST-- ++Bug #79091 (heap use-after-free in session_create_id()) ++--SKIPIF-- ++ ++--FILE-- ++ ++--EXPECTF-- ++bool(true) ++bool(true) ++ ++Warning: session_create_id(): Failed to create new ID in %s on line %d diff --git a/php-bug79099.patch b/php-bug79099.patch new file mode 100644 index 0000000..2e42a70 --- /dev/null +++ b/php-bug79099.patch 
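Review bot: The added `new_id = NULL;` only makes the retry path safe if whatever reads `new_id` after the loop treats NULL as "no id was produced"; that consumer and the loop's exhaustion condition lie outside the hunk, so the invariant should be stated where the pointer is cleared, e.g. `/* released above; code after the loop must see NULL, never the freed string (#79091) */`. The new test's `Failed to create new ID` expectation suggests the exhausted-retries path is exercised, which supports the assumption but does not document it. `session_create_id` starts and ends outside this hunk.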
@@ -0,0 +1,81 @@ +From f18f20c032482e34d5f94d747da16f8ae029a017 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 20 Jan 2020 21:33:17 -0800 +Subject: [PATCH] Fix #79099: OOB read in php_strip_tags_ex + +(cherry picked from commit 0f79b1bf301f455967676b5129240140c5c45b09) +--- + ext/standard/string.c | 6 ++--- + ext/standard/tests/file/bug79099.phpt | 32 +++++++++++++++++++++++++++ + 2 files changed, 35 insertions(+), 3 deletions(-) + create mode 100644 ext/standard/tests/file/bug79099.phpt + +diff --git a/ext/standard/string.c b/ext/standard/string.c +index 922d4fceaf..c88135da6f 100644 +--- a/ext/standard/string.c ++++ b/ext/standard/string.c +@@ -4781,7 +4781,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + if (state == 4) { + /* Inside */ + break; +- } else if (state == 2 && *(p-1) != '\\') { ++ } else if (state == 2 && p >= buf + 1 && *(p-1) != '\\') { + if (lc == c) { + lc = '\0'; + } else if (lc != '\\') { +@@ -4808,7 +4808,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '!': + /* JavaScript & Other HTML scripting languages */ +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + state = 3; + lc = c; + } else { +@@ -4835,7 +4835,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, size_t len, int *stateptr, const cha + + case '?': + +- if (state == 1 && *(p-1) == '<') { ++ if (state == 1 && p >= buf + 1 && *(p-1) == '<') { + br=0; + state=2; + break; +diff --git a/ext/standard/tests/file/bug79099.phpt b/ext/standard/tests/file/bug79099.phpt +new file mode 100644 +index 0000000000..7c842f4654 +--- /dev/null ++++ b/ext/standard/tests/file/bug79099.phpt +@@ -0,0 +1,32 @@ ++--TEST-- ++Bug #79099 (OOB read in php_strip_tags_ex) ++--FILE-- ++ ++--EXPECT-- ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" ++string(0) "" diff --git a/php71.spec b/php71.spec index bfc90b4..37a4fa1 100644 --- a/php71.spec 
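Review bot: The three new guards write the bound as `p >= buf + 1`, which is `p > buf` stated indirectly; the simpler form reads as "not at the first byte" and avoids forming a pointer expression just to compare it, e.g. `} else if (state == 2 && p > buf && *(p-1) != '\\') {` in the first hunk and the same substitution in the `'!'` and `'?'` cases. Since the identical check now appears three times, a one-line comment at the first occurrence naming the invariant it protects, such as `/* p-1 is only valid once past the first byte (bug #79099) */`, would save the next reader from re-deriving it. I am assuming `buf` is the start of the buffer `p` walks; `php_strip_tags_ex` starts and ends outside these hunks, so that should be confirmed against the declaration.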
+++ b/php71.spec @@ -118,7 +118,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: %{upver}%{?rcver:~%{rcver}} -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -178,6 +178,14 @@ Patch91: php-5.6.3-oci8conf.patch # Upstream fixes (100+) # Security fixes (200+) +Patch201: php-bug78878.patch +Patch202: php-bug78862.patch +Patch203: php-bug78863.patch +Patch204: php-bug78793.patch +Patch205: php-bug78910.patch +Patch206: php-bug79091.patch +Patch207: php-bug79099.patch +Patch208: php-bug79037.patch # Fixes for tests (300+) # Factory is droped from system tzdata @@ -1032,6 +1040,14 @@ support for JavaScript Object Notation (JSON) to PHP. # upstream patches # security patches +%patch201 -p1 -b .bug78878 +%patch202 -p1 -b .bug78862 +%patch203 -p1 -b .bug78863 +%patch204 -p1 -b .bug78793 +%patch205 -p1 -b .bug78910 +%patch206 -p1 -b .bug79091 +%patch207 -p1 -b .bug79099 +%patch208 -p1 -b .bug79037 # Fixes for tests %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6 @@ -2102,6 +2118,16 @@ EOF %changelog +* Tue Jan 21 2020 Remi Collet - 7.1.33-3 +- mbstring: + Fix #79037 global buffer-overflow in mbfl_filt_conv_big5_wchar + CVE-2020-7060 +- session: + Fix #79091 heap use-after-free in session_create_id +- standard: + Fix #79099 OOB read in php_strip_tags_ex + CVE-2020-7059 + * Tue Dec 17 2019 Remi Collet - 7.1.33-2 - bcmath: Fix #78878 Buffer underflow in bc_shift_addsub -- cgit
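Review bot: `Patch201` through `Patch205` (php-bug78878 to php-bug78910) and their `%patch20x` lines are added here under `# Security fixes (200+)` with no corresponding removals, while the commit creates only the three 79xxx patch files and the existing 7.1.33-2 changelog entry already credits #78878 as fixed. If the -2 spec really carried no declarations for those five patches, the -2 build shipped without them, and the new changelog entry should say so rather than listing only the three new bugs, e.g. `- add missing security patches for #78878, #78862, #78863, #78793, #78910`. This is inferred from the hunk alone, so check the -2 SRPM or build log before adopting that wording.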