Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI InterfaceHEAD master

GHSA-4w77-75f9-2c8w Fix OOB access in ldap_escape CVE-2024-8932 Fix Integer overflow in the dblib/firebird quoter causing OOB writes CVE-2024-11236 Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs CVE-2024-11234 Fix Single byte overread with convert.quoted-printable-decode filter CVE-2024-11233
author: Remi Collet <remi@remirepo.net> 2024-11-26 08:46:40 +0100
committer: Remi Collet <remi@php.net> 2024-11-26 08:46:40 +0100
commit: 91c8e7e3b1573d64222ecc3c2dfceabaa667f86f (patch)
tree: e71886ecf73e23e5cf1f96ddbaeac7b0509f926e
parent: a0a70a22d639fa152b53ad1e90a43cd2544a5537 (diff)
7 files changed, 710 insertions, 4 deletions
diff --git a/failed.txt b/failed.txt
index a6d6dd1..e36292e 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.2.34-24 (2024-04-27)
+===== 7.2.34-25 (2024-11-26)
 
 $ grep -r 'Tests failed' /var/lib/mock/*/build.log
 
diff --git a/php-cve-2024-11233.patch b/php-cve-2024-11233.patch
new file mode 100644
index 0000000..119dc2e
--- /dev/null
+++ b/php-cve-2024-11233.patch
@@ -0,0 +1,158 @@
+From 0a651c02701268532a9754542f629af85e28ae02 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Fri, 8 Nov 2024 22:04:21 +0100
+Subject: [PATCH 6/9] Fix GHSA-r977-prxv-hc43
+
+Move the bound check upwards. Since this doesn't generate output we can
+check the bound first.
+
+(cherry picked from commit 81030c9bbb5cd2e740b8398bb7212df9709f0274)
+(cherry picked from commit 2cee10a1206f5bc7724232d3988be2cfcb0bc9df)
+(cherry picked from commit 44a5975f83a02eb8169d12af912e6222b28216d0)
+(cherry picked from commit 7065fa31a468139f07b40f7036ce4761037dafd2)
+---
+ ext/standard/filters.c                              |  7 ++++---
+ ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt | 12 ++++++++++++
+ 2 files changed, 16 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt
+
+diff --git a/ext/standard/filters.c b/ext/standard/filters.c
+index 03e5e11df8..26850c46a8 100644
+--- a/ext/standard/filters.c
++++ b/ext/standard/filters.c
+@@ -1122,6 +1122,9 @@ static php_conv_err_t php_conv_qprint_decode_convert(php_conv_qprint_decode *ins
+ 			} break;
+ 
+ 			case 5: {
++				if (icnt == 0) {
++					goto out;
++				}
+ 				if (!inst->lbchars && lb_cnt == 1 && *ps == '\n') {
+ 					/* auto-detect soft line breaks, found network line break */
+ 					lb_cnt = lb_ptr = 0;
+@@ -1135,15 +1138,13 @@ static php_conv_err_t php_conv_qprint_decode_convert(php_conv_qprint_decode *ins
+ 					/* soft line break */
+ 					lb_cnt = lb_ptr = 0;
+ 					scan_stat = 0;
+-				} else if (icnt > 0) {
++				} else {
+ 					if (*ps == (unsigned char)inst->lbchars[lb_cnt]) {
+ 						lb_cnt++;
+ 						ps++, icnt--;
+ 					} else {
+ 						scan_stat = 6; /* no break for short-cut */
+ 					}
+-				} else {
+-					goto out;
+ 				}
+ 			} break;
+ 
+diff --git a/ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt b/ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt
+new file mode 100644
+index 0000000000..8fdcce8ff2
+--- /dev/null
++++ b/ext/standard/tests/filters/ghsa-r977-prxv-hc43.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++GHSA-r977-prxv-hc43: Single byte overread with convert.quoted-printable-decode filter
++--FILE--
++<?php
++
++$input_data = str_repeat('A', 8189)."X=\r";
++$filter_url = "php://filter/convert.quoted-printable-decode/resource=data:," . urlencode($input_data);
++var_dump(file_get_contents($filter_url));
++
++?>
++--EXPECT--
++string(8190) "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAX"
+-- 
+2.47.0
+
+From d149a44b005e0d24208b0bd0f7179dfbbfffefb1 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 8 Jun 2020 23:19:43 +0200
+Subject: [PATCH 7/9] Fix #74267: segfault with streams and invalid data
+
+If the current character is a line break character, it cannot be a tab
+or space character, so we would always fail with an invalid sequence
+error.  Obviously, these `scan_stat == 4` conditions are meant to be
+exclusive.
+
+Furthermore, if `in_pp == NULL || in_left_p == NULL` is true, we hit a
+segfault if we are not returning right away.  Obviously, the additional
+constraints don't make sense, so we remove them.
+
+(cherry picked from commit 12c59f6660706321f9d42c55421ff6864439c8b7)
+---
+ ext/standard/filters.c                   |  7 +++----
+ ext/standard/tests/filters/bug74267.phpt | 26 ++++++++++++++++++++++++
+ 2 files changed, 29 insertions(+), 4 deletions(-)
+ create mode 100644 ext/standard/tests/filters/bug74267.phpt
+
+diff --git a/ext/standard/filters.c b/ext/standard/filters.c
+index 26850c46a8..2b58c65ea5 100644
+--- a/ext/standard/filters.c
++++ b/ext/standard/filters.c
+@@ -788,7 +788,7 @@ static php_conv_err_t php_conv_qprint_encode_convert(php_conv_qprint_encode *ins
+ 	lb_ptr = inst->lb_ptr;
+ 	lb_cnt = inst->lb_cnt;
+ 
+-	if ((in_pp == NULL || in_left_p == NULL) && (lb_ptr >=lb_cnt)) {
++	if (in_pp == NULL || in_left_p == NULL) {
+ 		return PHP_CONV_ERR_SUCCESS;
+ 	}
+ 
+@@ -1016,7 +1016,7 @@ static php_conv_err_t php_conv_qprint_decode_convert(php_conv_qprint_decode *ins
+ 	lb_ptr = inst->lb_ptr;
+ 	lb_cnt = inst->lb_cnt;
+ 
+-	if ((in_pp == NULL || in_left_p == NULL) && lb_cnt == lb_ptr) {
++	if (in_pp == NULL || in_left_p == NULL) {
+ 		if (inst->scan_stat != 0) {
+ 			return PHP_CONV_ERR_UNEXPECTED_EOS;
+ 		}
+@@ -1113,8 +1113,7 @@ static php_conv_err_t php_conv_qprint_decode_convert(php_conv_qprint_decode *ins
+ 					*ps == (unsigned char)inst->lbchars[lb_cnt]) {
+ 					lb_cnt++;
+ 					scan_stat = 5;
+-				}
+-				if (*ps != '\t' && *ps != ' ') {
++				} else if (*ps != '\t' && *ps != ' ') {
+ 					err = PHP_CONV_ERR_INVALID_SEQ;
+ 					goto out;
+ 				}
+diff --git a/ext/standard/tests/filters/bug74267.phpt b/ext/standard/tests/filters/bug74267.phpt
+new file mode 100644
+index 0000000000..17d7996b7f
+--- /dev/null
++++ b/ext/standard/tests/filters/bug74267.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #74267 (segfault with streams and invalid data)
++--FILE--
++<?php
++$stream = fopen('php://memory', 'w');
++stream_filter_append($stream, 'convert.quoted-printable-decode', STREAM_FILTER_WRITE, ['line-break-chars' => "\r\n"]);
++
++$lines = [
++	"\r\n",
++	" -=()\r\n",
++	" -=\r\n",
++	"\r\n"
++	];
++
++foreach ($lines as $line) {
++	fwrite($stream, $line);
++}
++
++fclose($stream);
++echo "done\n";
++?>
++--EXPECTF--
++Warning: fwrite(): stream filter (convert.quoted-printable-decode): invalid byte sequence in %s on line %d
++
++Warning: fwrite(): stream filter (convert.quoted-printable-decode): invalid byte sequence in %s on line %d
++done
+-- 
+2.47.0
+
diff --git a/php-cve-2024-11234.patch b/php-cve-2024-11234.patch
new file mode 100644
index 0000000..7106136
--- /dev/null
+++ b/php-cve-2024-11234.patch
@@ -0,0 +1,97 @@
+From 11787051a17d2fcea427cd66c3fcc5e99ab94a03 Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Fri, 8 Nov 2024 23:43:47 +0100
+Subject: [PATCH 4/9] Fix GHSA-c5f2-jwm7-mmq2: stream HTTP fulluri CRLF
+ injection
+
+(cherry picked from commit 426a6d4539ebee34879ac5de857036bb6ff0e732)
+(cherry picked from commit bc1f192102dd8cbda028e40aa31604c4885d387c)
+(cherry picked from commit 8d130e16fbfda7d154fedfa0f1ff1d5ad5e26815)
+(cherry picked from commit 494de65139592da0e5e5b6fdf198c2f9c762f4d6)
+(cherry picked from commit dcb89ed9d0217510f3906ce0c517f704e6bd80dc)
+---
+ ext/standard/http_fopen_wrapper.c             | 18 ++++++++----
+ .../tests/http/ghsa-c5f2-jwm7-mmq2.phpt       | 28 +++++++++++++++++++
+ 2 files changed, 40 insertions(+), 6 deletions(-)
+ create mode 100644 ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt
+
+diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
+index be23679d2d..e125364923 100644
+--- a/ext/standard/http_fopen_wrapper.c
++++ b/ext/standard/http_fopen_wrapper.c
+@@ -176,6 +176,11 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
+ 			return NULL;
+ 		}
+ 
++		/* Should we send the entire path in the request line, default to no. */
++		if (context && (tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
++			request_fulluri = zend_is_true(tmpzval);
++		}
++
+ 		use_ssl = resource->scheme && (strlen(resource->scheme) > 4) && resource->scheme[4] == 's';
+ 		/* choose default ports */
+ 		if (use_ssl && resource->port == 0)
+@@ -195,6 +200,13 @@ static php_stream *php_stream_url_wrap_http_ex(php_stream_wrapper *wrapper,
+ 		}
+ 	}
+ 
++	if (request_fulluri && (strchr(path, '\n') != NULL || strchr(path, '\r') != NULL)) {
++		php_stream_wrapper_log_error(wrapper, options, "HTTP wrapper full URI path does not allow CR or LF characters");
++		php_url_free(resource);
++		efree(transport_string);
++		return NULL;
++	}
++
+ 	if (context && (tmpzval = php_stream_context_get_option(context, wrapper->wops->label, "timeout")) != NULL) {
+ 		double d = zval_get_double(tmpzval);
+ #ifndef PHP_WIN32
+@@ -375,12 +387,6 @@ finish:
+ 		smart_str_appends(&req_buf, "GET ");
+ 	}
+ 
+-	/* Should we send the entire path in the request line, default to no. */
+-	if (!request_fulluri && context &&
+-		(tmpzval = php_stream_context_get_option(context, "http", "request_fulluri")) != NULL) {
+-		request_fulluri = zend_is_true(tmpzval);
+-	}
+-
+ 	if (request_fulluri) {
+ 		/* Ask for everything */
+ 		smart_str_appends(&req_buf, path);
+diff --git a/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt b/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt
+new file mode 100644
+index 0000000000..6e68f67654
+--- /dev/null
++++ b/ext/standard/tests/http/ghsa-c5f2-jwm7-mmq2.phpt
+@@ -0,0 +1,28 @@
++--TEST--
++GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context might allow for CRLF injection in URIs)
++--INI--
++allow_url_fopen=1
++--CONFLICTS--
++server
++--FILE--
++<?php
++$serverCode = <<<'CODE'
++echo $_SERVER['REQUEST_URI'];
++CODE;
++
++include __DIR__."/../../../../sapi/cli/tests/php_cli_server.inc";
++php_cli_server_start($serverCode, null);
++
++$host = PHP_CLI_SERVER_ADDRESS;
++$userinput = "index.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index2.php HTTP/1.1\r\nHost: $host\r\n\r\nGET /index.php";
++$context = stream_context_create(['http' => ['proxy' => 'tcp://' . $host, 'request_fulluri' => true]]);
++echo file_get_contents("http://$host/$userinput", false, $context);
++?>
++--EXPECTF--
++Warning: file_get_contents(http://localhost:%d/index.php HTTP/1.1
++Host: localhost:%d
++
++GET /index2.php HTTP/1.1
++Host: localhost:%d
++
++GET /index.php): failed to open stream: HTTP wrapper full URI path does not allow CR or LF characters in %s on line %d
+-- 
+2.47.0
+
diff --git a/php-cve-2024-11236.patch b/php-cve-2024-11236.patch
new file mode 100644
index 0000000..1122989
--- /dev/null
+++ b/php-cve-2024-11236.patch
@@ -0,0 +1,150 @@
+From c6ee9a7d0385e4cd6cf9dcd0104dd6714e2a968d Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Thu, 24 Oct 2024 22:02:17 +0200
+Subject: [PATCH 1/9] Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the dblib
+ quoter causing OOB writes
+
+(cherry picked from commit d9baa9fed8c3ba692a36b388c0c7762e5102e2e0)
+(cherry picked from commit 5d9e54065ed18c51e4f25d8900635f90810c7394)
+(cherry picked from commit 97546df8d6900b115536c17af9213f1da837b82e)
+(cherry picked from commit 5e7cd3e7ed7c894550ca35514708ffe1874a31ad)
+---
+ ext/pdo_dblib/dblib_driver.c                 |  8 ++++++-
+ ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt | 24 ++++++++++++++++++++
+ 2 files changed, 31 insertions(+), 1 deletion(-)
+ create mode 100644 ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
+
+diff --git a/ext/pdo_dblib/dblib_driver.c b/ext/pdo_dblib/dblib_driver.c
+index 13526092ea..6fa650e4da 100644
+--- a/ext/pdo_dblib/dblib_driver.c
++++ b/ext/pdo_dblib/dblib_driver.c
+@@ -156,6 +156,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
+ 
+ 	size_t i;
+ 	char * q;
++	size_t extralen = 0;
+ 	*quotedlen = 0;
+ 
+ 	if (H->assume_national_character_set_strings) {
+@@ -170,7 +171,7 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
+ 
+ 	/* Detect quoted length, adding extra char for doubled single quotes */
+ 	for (i = 0; i < unquotedlen; i++) {
+-		if (unquoted[i] == '\'') ++*quotedlen;
++		if (unquoted[i] == '\'') ++extralen;
+ 		++*quotedlen;
+ 	}
+ 
+@@ -178,6 +179,11 @@ static int dblib_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unqu
+ 	if (use_national_character_set) {
+ 		++*quotedlen; /* N prefix */
+ 	}
++	if (UNEXPECTED(*quotedlen > ZSTR_MAX_LEN - extralen)) {
++		return 0;
++	}
++
++	*quotedlen += extralen;
+ 	q = *quoted = emalloc(*quotedlen + 1); /* Add byte for terminal null */
+ 	if (use_national_character_set) {
+ 		*q++ = 'N';
+diff --git a/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt b/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
+new file mode 100644
+index 0000000000..431c61951e
+--- /dev/null
++++ b/ext/pdo_dblib/tests/GHSA-5hqh-c84r-qjcv.phpt
+@@ -0,0 +1,24 @@
++--TEST--
++GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing OOB writes)
++--EXTENSIONS--
++pdo_dblib
++--SKIPIF--
++<?php
++if (PHP_INT_SIZE != 4) die("skip for 32bit platforms only");
++if (PHP_OS_FAMILY === "Windows") die("skip not for Windows because the virtual address space for application is only 2GiB");
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++require __DIR__ . '/config.inc';
++getDbConnection();
++?>
++--INI--
++memory_limit=-1
++--FILE--
++<?php
++
++require __DIR__ . '/config.inc';
++$db = getDbConnection();
++var_dump($db->quote(str_repeat("'", 2147483646)));
++
++?>
++--EXPECT--
++bool(false)
+-- 
+2.47.0
+
+From 8a4f389396493a43f9de9ba48920b6a82b6d1370 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Thu, 24 Oct 2024 22:02:36 +0200
+Subject: [PATCH 2/9] Fix GHSA-5hqh-c84r-qjcv: Integer overflow in the firebird
+ quoter causing OOB writes
+
+(cherry picked from commit 69c5f68fdc3deed9ebce2cc44b4bf5e0c47cd28f)
+(cherry picked from commit b4f73be75dbdde970a18cc7a636898b10400fb3f)
+(cherry picked from commit 0530cbfe5c3044537de52d8382eba5d69dbac726)
+(cherry picked from commit 72d4c4e435544c2d87d634188d480099345b601b)
+---
+ ext/pdo_firebird/firebird_driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
+index 1e2e7746fa..b238ea630e 100644
+--- a/ext/pdo_firebird/firebird_driver.c
++++ b/ext/pdo_firebird/firebird_driver.c
+@@ -243,7 +243,7 @@ free_statement:
+ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t unquotedlen, /* {{{ */
+ 	char **quoted, size_t *quotedlen, enum pdo_param_type paramtype)
+ {
+-	int qcount = 0;
++	size_t qcount = 0;
+ 	char const *co, *l, *r;
+ 	char *c;
+ 
+@@ -258,6 +258,10 @@ static int firebird_handle_quoter(pdo_dbh_t *dbh, const char *unquoted, size_t u
+ 	/* count the number of ' characters */
+ 	for (co = unquoted; (co = strchr(co,'\'')); qcount++, co++);
+ 
++	if (UNEXPECTED(unquotedlen + 2 > ZSTR_MAX_LEN - qcount)) {
++		return 0;
++	}
++
+ 	*quotedlen = unquotedlen + qcount + 2;
+ 	*quoted = c = emalloc(*quotedlen+1);
+ 	*c++ = '\'';
+-- 
+2.47.0
+
+From ff868946218d6d1661a0c35757e2058cb3ed23ec Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 22 Nov 2024 15:24:16 +0100
+Subject: [PATCH 3/9] backport ZSTR_MAX_LEN
+
+(cherry picked from commit 37056ad634d9c44bac0d6c8e730eafaec1344840)
+---
+ Zend/zend_string.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/Zend/zend_string.h b/Zend/zend_string.h
+index 784b88ea6a..5f7a9ea2b3 100644
+--- a/Zend/zend_string.h
++++ b/Zend/zend_string.h
+@@ -74,6 +74,9 @@ END_EXTERN_C()
+ 
+ #define _ZSTR_STRUCT_SIZE(len) (_ZSTR_HEADER_SIZE + len + 1)
+ 
++#define ZSTR_MAX_OVERHEAD (ZEND_MM_ALIGNED_SIZE(_ZSTR_HEADER_SIZE + 1))
++#define ZSTR_MAX_LEN (SIZE_MAX - ZSTR_MAX_OVERHEAD)
++
+ #define ZSTR_ALLOCA_ALLOC(str, _len, use_heap) do { \
+ 	(str) = (zend_string *)do_alloca(ZEND_MM_ALIGNED_SIZE_EX(_ZSTR_STRUCT_SIZE(_len), 8), (use_heap)); \
+ 	GC_REFCOUNT(str) = 1; \
+-- 
+2.47.0
+
diff --git a/php-cve-2024-8932.patch b/php-cve-2024-8932.patch
new file mode 100644
index 0000000..2737c79
--- /dev/null
+++ b/php-cve-2024-8932.patch
@@ -0,0 +1,141 @@
+From f8756a7a1d185727a5bfd212b1442a6d153a9471 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Thu, 26 Sep 2024 22:22:27 +0200
+Subject: [PATCH 5/9] Fix GHSA-g665-fm4p-vhff: OOB access in ldap_escape
+
+(cherry picked from commit f9ecf90070a11dad09ca7671a712f81cc2a7d52f)
+(cherry picked from commit 9f367d847989b339c33369737daf573e30bab5f1)
+(cherry picked from commit 50e9e72530a4805980384b8ea6672877af816145)
+(cherry picked from commit 9822bfae85607dffc13848d40a2340daf090f39b)
+---
+ ext/ldap/ldap.c                           | 21 ++++++++++++++--
+ ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt | 28 ++++++++++++++++++++++
+ ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt | 29 +++++++++++++++++++++++
+ 3 files changed, 76 insertions(+), 2 deletions(-)
+ create mode 100644 ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt
+ create mode 100644 ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt
+
+diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
+index 3839f871a9..533c78138d 100644
+--- a/ext/ldap/ldap.c
++++ b/ext/ldap/ldap.c
+@@ -54,6 +54,7 @@
+ 
+ #include "ext/standard/php_string.h"
+ #include "ext/standard/info.h"
++#include "Zend/zend_exceptions.h"
+ 
+ #ifdef HAVE_LDAP_SASL_H
+ #include <sasl.h>
+@@ -3005,13 +3006,23 @@ static zend_string* php_ldap_do_escape(const zend_bool *map, const char *value,
+ 	zend_string *ret;
+ 
+ 	for (i = 0; i < valuelen; i++) {
+-		len += (map[(unsigned char) value[i]]) ? 3 : 1;
++		size_t addend = (map[(unsigned char) value[i]]) ? 3 : 1;
++		if (len > ZSTR_MAX_LEN - addend) {
++			return NULL;
++		}
++		len += addend;
+ 	}
+ 	/* Per RFC 4514, a leading and trailing space must be escaped */
+ 	if ((flags & PHP_LDAP_ESCAPE_DN) && (value[0] == ' ')) {
++		if (len > ZSTR_MAX_LEN - 2) {
++			return NULL;
++		}
+ 		len += 2;
+ 	}
+ 	if ((flags & PHP_LDAP_ESCAPE_DN) && ((valuelen > 1) && (value[valuelen - 1] == ' '))) {
++		if (len > ZSTR_MAX_LEN - 2) {
++			return NULL;
++		}
+ 		len += 2;
+ 	}
+ 
+@@ -3078,7 +3089,13 @@ PHP_FUNCTION(ldap_escape)
+ 		php_ldap_escape_map_set_chars(map, ignores, ignoreslen, 0);
+ 	}
+ 
+-	RETURN_NEW_STR(php_ldap_do_escape(map, value, valuelen, flags));
++	zend_string *result = php_ldap_do_escape(map, value, valuelen, flags);
++	if (UNEXPECTED(!result)) {
++		zend_throw_exception(NULL, "Argument #1 ($value) is too long", 0);
++		return;
++	}
++
++	RETURN_NEW_STR(result);
+ }
+ 
+ #ifdef STR_TRANSLATION
+diff --git a/ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt b/ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt
+new file mode 100644
+index 0000000000..734bbe91d4
+--- /dev/null
++++ b/ext/ldap/tests/GHSA-g665-fm4p-vhff-1.phpt
+@@ -0,0 +1,28 @@
++--TEST--
++GHSA-g665-fm4p-vhff (OOB access in ldap_escape)
++--EXTENSIONS--
++ldap
++--INI--
++memory_limit=-1
++--SKIPIF--
++<?php
++if (PHP_INT_SIZE !== 4) die("skip only for 32-bit");
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--FILE--
++<?php
++try {
++    ldap_escape(' '.str_repeat("#", 1431655758), "", LDAP_ESCAPE_DN);
++} catch (Exception $e) {
++    echo $e->getMessage(), "\n";
++}
++
++try {
++    ldap_escape(str_repeat("#", 1431655758).' ', "", LDAP_ESCAPE_DN);
++} catch (Exception $e) {
++    echo $e->getMessage(), "\n";
++}
++?>
++--EXPECT--
++ldap_escape(): Argument #1 ($value) is too long
++ldap_escape(): Argument #1 ($value) is too long
+diff --git a/ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt b/ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt
+new file mode 100644
+index 0000000000..5c1b0fb661
+--- /dev/null
++++ b/ext/ldap/tests/GHSA-g665-fm4p-vhff-2.phpt
+@@ -0,0 +1,29 @@
++--TEST--
++GHSA-g665-fm4p-vhff (OOB access in ldap_escape)
++--EXTENSIONS--
++ldap
++--INI--
++memory_limit=-1
++--SKIPIF--
++<?php
++if (PHP_INT_SIZE !== 4) die("skip only for 32-bit");
++if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
++?>
++--FILE--
++<?php
++try {
++    ldap_escape(str_repeat("*", 1431655759), "", LDAP_ESCAPE_FILTER);
++} catch (Exception $e) {
++    echo $e->getMessage(), "\n";
++}
++
++// would allocate a string of length 2
++try {
++    ldap_escape(str_repeat("*", 1431655766), "", LDAP_ESCAPE_FILTER);
++} catch (Exception $e) {
++    echo $e->getMessage(), "\n";
++}
++?>
++--EXPECT--
++ldap_escape(): Argument #1 ($value) is too long
++ldap_escape(): Argument #1 ($value) is too long
+-- 
+2.47.0
+
diff --git a/php-ghsa-4w77-75f9-2c8w.patch b/php-ghsa-4w77-75f9-2c8w.patch
new file mode 100644
index 0000000..a93a3b3
--- /dev/null
+++ b/php-ghsa-4w77-75f9-2c8w.patch
@@ -0,0 +1,139 @@
+From b7c951d47acae54aab5ce896b8ec151d661c8fd0 Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
+Date: Sat, 9 Nov 2024 15:29:52 +0100
+Subject: [PATCH 8/9] Fix GHSA-4w77-75f9-2c8w
+
+(cherry picked from commit 7dd336ae838bbf2c62dc47e3c900d657d3534c02)
+(cherry picked from commit 462092a48aa0dbad24d9fa8a4a9d418faa14d309)
+(cherry picked from commit 56488a8a4ec68e58eecc9e78dd75e41adf56984c)
+(cherry picked from commit 6b8357c22f83a93104c2682d5cba9104c8de636d)
+---
+ sapi/cli/php_cli_server.c               |  6 +---
+ sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt | 41 +++++++++++++++++++++++++
+ 2 files changed, 42 insertions(+), 5 deletions(-)
+ create mode 100644 sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+
+diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
+index cdcd93ac72..5de98ad1c7 100644
+--- a/sapi/cli/php_cli_server.c
++++ b/sapi/cli/php_cli_server.c
+@@ -1801,8 +1801,6 @@ static size_t php_cli_server_client_send_through(php_cli_server_client *client,
+ 
+ static void php_cli_server_client_populate_request_info(const php_cli_server_client *client, sapi_request_info *request_info) /* {{{ */
+ {
+-	char *val;
+-
+ 	request_info->request_method = php_http_method_str(client->request.request_method);
+ 	request_info->proto_num = client->request.protocol_version;
+ 	request_info->request_uri = client->request.request_uri;
+@@ -1810,9 +1808,7 @@ static void php_cli_server_client_populate_request_info(const php_cli_server_cli
+ 	request_info->query_string = client->request.query_string;
+ 	request_info->content_length = client->request.content_len;
+ 	request_info->auth_user = request_info->auth_password = request_info->auth_digest = NULL;
+-	if (NULL != (val = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1))) {
+-		request_info->content_type = val;
+-	}
++	request_info->content_type = zend_hash_str_find_ptr(&client->request.headers, "content-type", sizeof("content-type")-1);
+ } /* }}} */
+ 
+ static void destroy_request_info(sapi_request_info *request_info) /* {{{ */
+diff --git a/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+new file mode 100644
+index 0000000000..44667e8389
+--- /dev/null
++++ b/sapi/cli/tests/ghsa-4w77-75f9-2c8w.phpt
+@@ -0,0 +1,41 @@
++--TEST--
++GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface)
++--INI--
++allow_url_fopen=1
++--SKIPIF--
++<?php
++include "skipif.inc";
++?>
++--FILE--
++<?php
++include "php_cli_server.inc";
++
++$serverCode = <<<'CODE'
++var_dump(file_get_contents('php://input'));
++CODE;
++
++php_cli_server_start($serverCode, null);
++
++$options = [
++    "http" => [
++        "method" => "POST",
++        "header" => "Content-Type: application/x-www-form-urlencoded",
++        "content" => "AAAAA",
++    ],
++];
++$context = stream_context_create($options);
++
++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
++
++$options = [
++    "http" => [
++        "method" => "POST",
++    ],
++];
++$context = stream_context_create($options);
++
++echo file_get_contents("http://" . PHP_CLI_SERVER_ADDRESS . "/", false, $context);
++?>
++--EXPECT--
++string(5) "AAAAA"
++string(0) ""
+-- 
+2.47.0
+
+From 46f3d442aae8d8caca33a4d4ff9c9470568aee80 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Fri, 22 Nov 2024 08:58:10 +0100
+Subject: [PATCH 9/9] NEWS for 8.1.31 backports
+
+(cherry picked from commit 22bdb43da0ecd6e72d63b63aa6c1f3a25d1bca3a)
+(cherry picked from commit d8d682d3d6a4d027771806c8fc77128cae078d29)
+(cherry picked from commit b97a41a47f77df92771b3c01fbf7cf445c0e7a1b)
+---
+ NEWS | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index ced91f9577..cc2d877d94 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,30 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 8.1.31
++
++- CLI:
++  . Fixed bug GHSA-4w77-75f9-2c8w (Heap-Use-After-Free in sapi_read_post_data
++    Processing in CLI SAPI Interface). (nielsdos)
++
++- LDAP:
++  . Fixed bug GHSA-g665-fm4p-vhff (OOB access in ldap_escape). (CVE-2024-8932)
++    (nielsdos)
++
++- PDO DBLIB:
++  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the dblib quoter causing
++    OOB writes). (CVE-2024-11236) (nielsdos)
++
++- PDO Firebird:
++  . Fixed bug GHSA-5hqh-c84r-qjcv (Integer overflow in the firebird quoter
++    causing OOB writes). (CVE-2024-11236) (nielsdos)
++
++- Streams:
++  . Fixed bug GHSA-c5f2-jwm7-mmq2 (Configuring a proxy in a stream context
++    might allow for CRLF injection in URIs). (CVE-2024-11234) (Jakub Zelenka)
++  . Fixed bug GHSA-r977-prxv-hc43 (Single byte overread with
++    convert.quoted-printable-decode filter). (CVE-2024-11233) (nielsdos)
++
+ Backported from 8.1.30
+ 
+ - CGI:
+-- 
+2.47.0
+
diff --git a/php72.spec b/php72.spec
index adaef8e..7822248 100644
--- a/php72.spec
+++ b/php72.spec
@@ -31,7 +31,7 @@
 %global oraclelib 19.1
 %global oracledir 19.24
 %else
-%global oraclever 23.5
+%global oraclever 23.6
 %global oraclemax 24
 %global oraclelib 23.1
 %global oracledir 23
@@ -123,7 +123,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 24%{?dist}
+Release: 25%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -216,6 +216,11 @@ Patch222: php-cve-2024-5458.patch
 Patch223: php-cve-2024-8925.patch
 Patch224: php-cve-2024-8926.patch
 Patch225: php-cve-2024-8927.patch
+Patch226: php-cve-2024-11236.patch
+Patch227: php-cve-2024-11234.patch
+Patch228: php-cve-2024-8932.patch
+Patch229: php-cve-2024-11233.patch
+Patch230: php-ghsa-4w77-75f9-2c8w.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1177,6 +1182,11 @@ low-level PHP extension for the libsodium cryptographic library.
 %patch -P223 -p1 -b .cve8925
 %patch -P224 -p1 -b .cve8926
 %patch -P225 -p1 -b .cve8927
+%patch -P226 -p1 -b .cve11236
+%patch -P227 -p1 -b .cve11234
+%patch -P228 -p1 -b .cve8932
+%patch -P229 -p1 -b .cve11233
+%patch -P230 -p1 -b .ghsa4w77
 
 # Fixes for tests
 %if 0%{?fedora} >= 25 || 0%{?rhel} >= 6
@@ -2284,7 +2294,18 @@ EOF
 
 
 %changelog
-%changelog
+* Tue Nov 26 2024 Remi Collet <remi@remirepo.net> - 7.2.34-25
+- Fix Heap-Use-After-Free in sapi_read_post_data Processing in CLI SAPI Interface
+  GHSA-4w77-75f9-2c8w
+- Fix OOB access in ldap_escape
+  CVE-2024-8932
+- Fix Integer overflow in the dblib/firebird quoter causing OOB writes
+  CVE-2024-11236
+- Fix Configuring a proxy in a stream context might allow for CRLF injection in URIs
+  CVE-2024-11234
+- Fix Single byte overread with convert.quoted-printable-decode filter
+  CVE-2024-11233
+
 * Thu Sep 26 2024 Remi Collet <remi@remirepo.net> - 7.2.34-24
 - Fix Bypass of CVE-2012-1823, Argument Injection in PHP-CGI
   CVE-2024-4577
author	Remi Collet <remi@remirepo.net>	2024-11-26 08:46:40 +0100
committer	Remi Collet <remi@php.net>	2024-11-26 08:46:40 +0100
commit	91c8e7e3b1573d64222ecc3c2dfceabaa667f86f (patch)
tree	e71886ecf73e23e5cf1f96ddbaeac7b0509f926e
parent	a0a70a22d639fa152b53ad1e90a43cd2544a5537 (diff)