From 2aeb356c75e3a25967de6a68c263bcf77185126d Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Thu, 18 Dec 2025 09:25:40 +0100
Subject: Fix Null byte termination in dns_get_record()

  GHSA-www2-q4fc-65wf
Fix Heap buffer overflow in array_merge()
  CVE-2025-14178
Fix Information Leak of Memory in getimagesize
  CVE-2025-14177
---
 php-cve-2025-14177.patch | 107 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 107 insertions(+)
 create mode 100644 php-cve-2025-14177.patch

(limited to 'php-cve-2025-14177.patch')

diff --git a/php-cve-2025-14177.patch b/php-cve-2025-14177.patch
new file mode 100644
index 0000000..036dcb0
--- /dev/null
+++ b/php-cve-2025-14177.patch
@@ -0,0 +1,107 @@
+From 6cf0fb3c48fda6a236359304e4db663ae77d858c Mon Sep 17 00:00:00 2001
+From: Niels Dossche <7771979+ndossche@users.noreply.github.com>
+Date: Tue, 25 Nov 2025 23:11:38 +0100
+Subject: [PATCH 1/5] Fix GH-20584: Information Leak of Memory
+
+The string added had uninitialized memory due to
+php_read_stream_all_chunks() not moving the buffer position, resulting
+in the same data always being overwritten instead of new data being
+added to the end of the buffer.
+
+This is backport as there is a security impact as described in
+GHSA-3237-qqm7-mfv7 .
+
+(cherry picked from commit c5f28c7cf0a052f48e47877c7aa5c5bcc54f1cfc)
+(cherry picked from commit ed665eb1903737d2b52b27368b155f6208604ed9)
+---
+ ext/standard/image.c                  | 20 +++++++++++---
+ ext/standard/tests/image/gh20584.phpt | 39 +++++++++++++++++++++++++++
+ 2 files changed, 56 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/image/gh20584.phpt
+
+diff --git a/ext/standard/image.c b/ext/standard/image.c
+index 4f2c5a505b4..800c5de8da3 100644
+--- a/ext/standard/image.c
++++ b/ext/standard/image.c
+@@ -434,8 +434,22 @@ static int php_skip_variable(php_stream * stream)
+ }
+ /* }}} */
+ 
+-/* {{{ php_read_APP
+- */
++static size_t php_read_stream_all_chunks(php_stream *stream, char *buffer, size_t length)
++{
++	size_t read_total = 0;
++	do {
++		ssize_t read_now = php_stream_read(stream, buffer, length - read_total);
++		read_total += read_now;
++		if (read_now < stream->chunk_size && read_total != length) {
++			return 0;
++		}
++		buffer += read_now;
++	} while (read_total < length);
++
++	return read_total;
++}
++
++/* {{{ php_read_APP */
+ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info)
+ {
+ 	unsigned short length;
+@@ -451,7 +465,7 @@ static int php_read_APP(php_stream * stream, unsigned int marker, zval *info)
+ 
+ 	buffer = emalloc((size_t)length);
+ 
+-	if (php_stream_read(stream, buffer, (size_t) length) != length) {
++	if (php_read_stream_all_chunks(stream, buffer, length) != length) {
+ 		efree(buffer);
+ 		return 0;
+ 	}
+diff --git a/ext/standard/tests/image/gh20584.phpt b/ext/standard/tests/image/gh20584.phpt
+new file mode 100644
+index 00000000000..d117f218202
+--- /dev/null
++++ b/ext/standard/tests/image/gh20584.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++GH-20584 (Information Leak of Memory)
++--CREDITS--
++Nikita Sveshnikov (Positive Technologies)
++--FILE--
++<?php
++// Minimal PoC: corruption/uninitialized memory leak when reading APP1 via php://filter
++$file = __DIR__ . '/gh20584.jpg';
++
++// Make APP1 large enough so it is read in multiple chunks
++$chunk = 8192;
++$tail = 123;
++$payload = str_repeat('A', $chunk) . str_repeat('B', $chunk) . str_repeat('Z',
++$tail);
++$app1Len = 2 + strlen($payload);
++
++// Minimal JPEG: SOI + APP1 + SOF0(1x1) + EOI
++$sof = "\xFF\xC0" . pack('n', 11) . "\x08" . pack('n',1) . pack('n',1) .
++"\x01\x11\x00";
++$jpeg = "\xFF\xD8" . "\xFF\xE1" . pack('n', $app1Len) . $payload . $sof .
++"\xFF\xD9";
++file_put_contents($file, $jpeg);
++
++// Read through a filter to enforce multiple reads
++$src = 'php://filter/read=string.rot13|string.rot13/resource=' . $file;
++$info = null;
++@getimagesize($src, $info);
++$exp = $payload;
++$ret = $info['APP1'];
++
++var_dump($ret === $exp);
++
++?>
++--CLEAN--
++<?php
++@unlink(__DIR__ . '/gh20584.jpg');
++?>
++--EXPECT--
++bool(true)
+-- 
+2.52.0
+
-- 
cgit