PHP 5.4.45 with security patches from 5.5.33

4 files changed, 158 insertions, 2 deletions

diff --git a/bug71498.patch b/bug71498.patch
new file mode 100644
index 0000000..d4977e7
--- /dev/null
+++ b/bug71498.patch
@@ -0,0 +1,31 @@
+Backported from 5.5 for 5.4 by Remi Collet
+binary patch dropped
+
+From a6fdc5bb27b20d889de0cd29318b3968aabb57bd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 21 Feb 2016 16:51:05 -0800
+Subject: [PATCH] Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()
+
+---
+ ext/phar/tests/bug71488.phpt |   1 +
+ ext/phar/tests/bug71498.phpt |  17 +++++++++++++++++
+ ext/phar/tests/bug71498.zip  | Bin 0 -> 65677 bytes
+ ext/phar/zip.c               |   6 +++---
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug71498.phpt
+ create mode 100644 ext/phar/tests/bug71498.zip
+
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index e4883d3..7f294c2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -199,7 +199,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ 	}
+ 
+ 	while ((p=(char *) memchr(p + 1, 'P', (size_t) (size - (p + 1 - buf)))) != NULL) {
+-		if (!memcmp(p + 1, "K\5\6", 3)) {
++		if ((p - buf) + sizeof(locator) <= size && !memcmp(p + 1, "K\5\6", 3)) {
+ 			memcpy((void *)&locator, (void *) p, sizeof(locator));
+ 			if (PHAR_GET_16(locator.centraldisk) != 0 || PHAR_GET_16(locator.disknumber) != 0) {
+ 				/* split archives not handled */
+
diff --git a/bug71587.patch b/bug71587.patch
new file mode 100644
index 0000000..cd1c16b
--- /dev/null
+++ b/bug71587.patch
@@ -0,0 +1,117 @@
+Backported from 5.5 for 5.4 by Remi Collet
+Backported from 5.5 for 5.4 by Remi Collet
+
+From b1bd4119bcafab6f9a8f84d92cd65eec3afeface Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 14 Feb 2016 22:34:39 -0800
+Subject: [PATCH] Fixed bug #71587 - Use-After-Free / Double-Free in WDDX
+ Deserialize
+
+---
+ ext/wddx/tests/bug71587.phpt | 43 +++++++++++++++++++++++++++++++++++++++++++
+ ext/wddx/wddx.c              | 19 +++++++++++++++----
+ 2 files changed, 58 insertions(+), 4 deletions(-)
+ create mode 100644 ext/wddx/tests/bug71587.phpt
+
+diff --git a/ext/wddx/tests/bug71587.phpt b/ext/wddx/tests/bug71587.phpt
+new file mode 100644
+index 0000000..3fdfc35
+--- /dev/null
++++ b/ext/wddx/tests/bug71587.phpt
+@@ -0,0 +1,43 @@
++--TEST--
++Bug #71587 (Use-After-Free / Double-Free in WDDX Deserialize)
++--SKIPIF--
++<?php
++if (!extension_loaded("wddx")) print "skip";
++?>
++--FILE--
++<?php
++
++$xml = <<<EOF
++<?xml version='1.0' ?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++    <array>
++         <var name='ML'></var>
++            <string>manhluat</string>
++         <var name='ML2'></var>
++         	<boolean value='a'/>
++         <boolean value='true'/>
++    </array>
++</wddxPacket>
++EOF;
++
++$wddx = wddx_deserialize($xml);
++var_dump($wddx);
++// Print mem leak
++foreach($wddx as $k=>$v)
++	printf("Key: %s\nValue: %s\n",bin2hex($k),bin2hex($v));
++
++?>
++DONE
++--EXPECTF--
++array(2) {
++  [0]=>
++  string(8) "manhluat"
++  [1]=>
++  bool(true)
++}
++Key: 30
++Value: 6d616e686c756174
++Key: 31
++Value: 31
++DONE
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index 7267ee1..da34246 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -936,6 +936,16 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+ 		!strcmp(name, EL_DATETIME)) {
+ 		wddx_stack_top(stack, (void**)&ent1);
+ 
++		if (!ent1->data) {
++			if (stack->top > 1) {
++				stack->top--;
++			} else {
++				stack->done = 1;
++			}
++			efree(ent1);
++			return;
++		}
++
+ 		if (!strcmp(name, EL_BINARY)) {
+ 			int new_len=0;
+ 			unsigned char *new_str;
+@@ -1032,6 +1042,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
+ 		}
+ 	} else if (!strcmp(name, EL_VAR) && stack->varname) {
+ 		efree(stack->varname);
++		stack->varname = NULL;
+ 	} else if (!strcmp(name, EL_FIELD)) {
+ 		st_entry *ent;
+ 		wddx_stack_top(stack, (void **)&ent);
+@@ -1051,7 +1062,7 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
+ 
+ 	if (!wddx_stack_is_empty(stack) && !stack->done) {
+ 		wddx_stack_top(stack, (void**)&ent);
+-		switch (Z_TYPE_P(ent)) {
++		switch (ent->type) {
+ 			case ST_STRING: 
+ 				if (Z_STRLEN_P(ent->data) == 0) {
+ 					STR_FREE(Z_STRVAL_P(ent->data));
+@@ -1090,11 +1101,11 @@ static void php_wddx_process_data(void *user_data, const XML_Char *s, int len)
+ 				} else if (!strcmp(s, "false")) {
+ 					Z_LVAL_P(ent->data) = 0;
+ 				} else {
+-					stack->top--;
+ 					zval_ptr_dtor(&ent->data);
+-					if (ent->varname)
++					if (ent->varname) {
+ 						efree(ent->varname);
+-					efree(ent);
++					}
++					ent->data = NULL;
+ 				}
+ 				break;
+ 
diff --git a/failed.txt b/failed.txt
index 5e03425..124e172 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 5.5.45-4 (2016-02-16)
+===== 5.5.45-5 (2016-03-02)
 
 $ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log
 
diff --git a/php.spec b/php.spec
index f461b9f..394cdc7 100644
--- a/php.spec
+++ b/php.spec
@@ -119,7 +119,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: 5.4.45
-Release: 4%{?dist}
+Release: 5%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -193,6 +193,8 @@ Patch210: bug71459.patch
 Patch211: bug71039.patch
 Patch212: bug71488.patch
 Patch213: pcre838.patch
+Patch214: bug71498.patch
+Patch215: bug71587.patch
 
 # Fixes for tests (300+)
 # Backported from 5.5
@@ -844,6 +846,8 @@ support for using the enchant library to PHP.
 %patch211 -p1 -b .bug71039
 %patch212 -p1 -b .bug71488
 %patch213 -p1 -b .pcre838
+%patch214 -p1 -b .bug71498
+%patch215 -p1 -b .bug71587
 
 # Fixes for tests
 %patch300 -p1 -b .datetests1
@@ -1658,6 +1662,10 @@ EOF
 
 
 %changelog
+* Wed Mar  2 2016 Remi Collet <remi@remirepo.net> 5.4.45-5
+- Fix #71498: Out-of-Bound Read in phar_parse_zipfile()
+- Fix #71587: Use-After-Free / Double-Free in WDDX Deserialize
+
 * Tue Feb 16 2016 Remi Collet <remi@remirepo.net> 5.4.45-4
 - Fix #71354: phar, remove UMR when size is 0
 - Fix #71335: type confusion in WDDX packet deserialization