From 53a86c2a4f553385955475c30a25a2b0a50284f4 Mon Sep 17 00:00:00 2001
From: Remi Collet <fedora@famillecollet.com>
Date: Thu, 23 Jun 2016 15:53:37 +0200
Subject: PHP 5.4.45 with security fix from 5.5.37

---
 bug72298.patch |  93 +++++++++++++++++++
 bug72339.patch | 127 ++++++++++++++++++++++++++
 bug72402.patch | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 bug72433.patch | 113 +++++++++++++++++++++++
 bug72434.patch |  78 ++++++++++++++++
 bug72446.patch |  30 ++++++
 bug72455.patch |  39 ++++++++
 failed.txt     |  13 +--
 php.spec       |  33 ++++++-
 9 files changed, 803 insertions(+), 7 deletions(-)
 create mode 100644 bug72298.patch
 create mode 100644 bug72339.patch
 create mode 100644 bug72402.patch
 create mode 100644 bug72433.patch
 create mode 100644 bug72434.patch
 create mode 100644 bug72446.patch
 create mode 100644 bug72455.patch

diff --git a/bug72298.patch b/bug72298.patch
new file mode 100644
index 0000000..206578e
--- /dev/null
+++ b/bug72298.patch
@@ -0,0 +1,93 @@
+From e9ac8954be9f7d988189df44578d759ffdea3512 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 18 Jun 2016 21:04:33 -0700
+Subject: [PATCH] Fix bug #72298	pass2_no_dither out-of-bounds access
+
+---
+ ext/gd/libgd/gd_topal.c    | 14 +++++++-------
+ ext/gd/tests/bug72298.phpt | 15 +++++++++++++++
+ 2 files changed, 22 insertions(+), 7 deletions(-)
+ create mode 100644 ext/gd/tests/bug72298.phpt
+
+diff --git a/ext/gd/libgd/gd_topal.c b/ext/gd/libgd/gd_topal.c
+index b9cb928..d8dda45 100644
+--- a/ext/gd/libgd/gd_topal.c
++++ b/ext/gd/libgd/gd_topal.c
+@@ -43,7 +43,7 @@
+  * If it is not working, it's not Thomas G. Lane's fault.
+  */
+ 
+-/* 
++/*
+   SETTING THIS ONE CAUSES STRIPED IMAGE
+   to be done: solve this
+   #define ORIGINAL_LIB_JPEG_REVERSE_ODD_ROWS
+@@ -152,7 +152,7 @@
+  * color space, and repeatedly splits the "largest" remaining box until we
+  * have as many boxes as desired colors.  Then the mean color in each
+  * remaining box becomes one of the possible output colors.
+- * 
++ *
+  * The second pass over the image maps each input pixel to the closest output
+  * color (optionally after applying a Floyd-Steinberg dithering correction).
+  * This mapping is logically trivial, but making it go fast enough requires
+@@ -1320,16 +1320,16 @@ pass2_no_dither (j_decompress_ptr cinfo,
+ #else
+ 	  r = gdTrueColorGetRed (*inptr);
+ 	  g = gdTrueColorGetGreen (*inptr);
+-	  /* 
++	  /*
+ 	     2.0.24: inptr must not be incremented until after
+-	     transparency check, if any. Thanks to "Super Pikeman." 
++	     transparency check, if any. Thanks to "Super Pikeman."
+ 	   */
+ 	  b = gdTrueColorGetBlue (*inptr);
+ 
+ 	  /* If the pixel is transparent, we assign it the palette index that
+ 	   * will later be added at the end of the palette as the transparent
+ 	   * index. */
+-	  if ((oim->transparent >= 0) && (oim->transparent == *(inptr - 1)))
++	  if ((oim->transparent >= 0) && (oim->transparent == *inptr))
+ 	    {
+ 	      *outptr++ = nim->colorsTotal;
+ 	      inptr++;
+@@ -1795,7 +1795,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
+     }
+   } else {
+     nim = oim;
+-  }     
++  }
+   if (!oim->trueColor)
+     {
+       /* (Almost) nothing to do! */
+@@ -2004,7 +2004,7 @@ static void gdImageTrueColorToPaletteBody (gdImagePtr oim, int dither, int color
+     }
+ 
+   /* Success! Get rid of the truecolor image data. */
+-  if (!cimP) { 
++  if (!cimP) {
+     oim->trueColor = 0;
+     /* Junk the truecolor pixels */
+     for (i = 0; i < oim->sy; i++)
+diff --git a/ext/gd/tests/bug72298.phpt b/ext/gd/tests/bug72298.phpt
+new file mode 100644
+index 0000000..7fba241
+--- /dev/null
++++ b/ext/gd/tests/bug72298.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #72298: pass2_no_dither out-of-bounds access
++--SKIPIF--
++<?php
++	if (!extension_loaded('gd')) die("skip gd extension not available\n");
++?>
++--FILE--
++<?php
++$img = imagecreatetruecolor (1 , 1); 
++imagecolortransparent($img, 0);
++imagetruecolortopalette($img, false, 4);
++?>
++DONE
++--EXPECT--
++DONE
+\ No newline at end of file
diff --git a/bug72339.patch b/bug72339.patch
new file mode 100644
index 0000000..da385e8
--- /dev/null
+++ b/bug72339.patch
@@ -0,0 +1,127 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From 7722455726bec8c53458a32851d2a87982cf0eac Mon Sep 17 00:00:00 2001
+From: Pierre Joye <pajoye@php.net>
+Date: Sat, 18 Jun 2016 20:15:10 +0200
+Subject: [PATCH] Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in
+ heap overflow
+
+---
+ ext/gd/libgd/gd_gd2.c      |   7 +++++++
+ ext/gd/tests/bug72339.gd   | Bin 0 -> 67108882 bytes
+ ext/gd/tests/bug72339.phpt |  11 +++++++++++
+ 3 files changed, 18 insertions(+)
+ create mode 100644 ext/gd/tests/bug72339.gd
+ create mode 100644 ext/gd/tests/bug72339.phpt
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 6726fee..63e3aef 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -138,11 +138,18 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ 	if (gd2_compressed(*fmt)) {
+ 		nc = (*ncx) * (*ncy);
+ 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
++		if (overflow2(sidx, nc)) {
++			goto fail1;
++		}
+ 		sidx = sizeof(t_chunk_info) * nc;
+ 		if (sidx <= 0) {
+ 			goto fail1;
+ 		}
+ 		cidx = gdCalloc(sidx, 1);
++		if (cidx == NULL) {
++			goto fail1;
++		}
++
+ 		for (i = 0; i < nc; i++) {
+ 			if (gdGetInt(&cidx[i].offset, in) != 1) {
+ 				gdFree(cidx);
+diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
+new file mode 100644
+index 0000000..763ae71
+--- /dev/null
++++ b/ext/gd/tests/bug72339.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow 
++--SKIPIF--
++<?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
++--FILE--
++<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
++--EXPECTF--	
++Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
++ in %sbug72339.php on line %d
++
++Warning: imagecreatefromgd2(): '%sbug72339.gd' is not a valid GD2 file in %sbug72339.php on line %d
+
+From 5f107ab8a66f8b36ac0c0b32e0231bf94e083c94 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 22:54:55 -0700
+Subject: [PATCH] fix tests
+
+---
+ ext/gd/libgd/gd_gd2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
+index 63e3aef..e954aaf 100644
+--- a/ext/gd/libgd/gd_gd2.c
++++ b/ext/gd/libgd/gd_gd2.c
+@@ -138,7 +138,7 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
+ 	if (gd2_compressed(*fmt)) {
+ 		nc = (*ncx) * (*ncy);
+ 		GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
+-		if (overflow2(sidx, nc)) {
++		if (overflow2(sizeof(t_chunk_info), nc)) {
+ 			goto fail1;
+ 		}
+ 		sidx = sizeof(t_chunk_info) * nc;
+
+From 0c7250f260303061425d0d8a348d1a80fa0cc12e Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Tue, 21 Jun 2016 09:42:38 +0200
+Subject: [PATCH] remove the huge test file, generate it on the fly instead
+
+---
+ ext/gd/tests/bug72339.gd   | Bin 67108882 -> 0 bytes
+ ext/gd/tests/bug72339.phpt |  24 +++++++++++++++++++++++-
+ 2 files changed, 23 insertions(+), 1 deletion(-)
+ delete mode 100644 ext/gd/tests/bug72339.gd
+
+diff --git a/ext/gd/tests/bug72339.phpt b/ext/gd/tests/bug72339.phpt
+index 763ae71..2c30ee8 100644
+--- a/ext/gd/tests/bug72339.phpt
++++ b/ext/gd/tests/bug72339.phpt
+@@ -3,7 +3,29 @@ Bug #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
+ --SKIPIF--
+ <?php if (!function_exists("imagecreatefromgd2")) print "skip"; ?>
+ --FILE--
+-<?php imagecreatefromgd2(dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd"); ?>
++<?php
++$fname = dirname(__FILE__) . DIRECTORY_SEPARATOR . "bug72339.gd";
++
++$fh = fopen($fname, "w");
++fwrite($fh, "gd2\x00");
++fwrite($fh, pack("n", 2));
++fwrite($fh, pack("n", 1));
++fwrite($fh, pack("n", 1));
++fwrite($fh, pack("n", 0x40));
++fwrite($fh, pack("n", 2));
++fwrite($fh, pack("n", 0x5AA0)); // Chunks Wide
++fwrite($fh, pack("n", 0x5B00)); // Chunks Vertically
++fwrite($fh, str_repeat("\x41\x41\x41\x41", 0x1000000)); // overflow data
++fclose($fh);
++
++$im = imagecreatefromgd2($fname);
++
++if ($im) {
++	imagedestroy($im);
++}
++unlink($fname);
++
++?>
+ --EXPECTF--	
+ Warning: imagecreatefromgd2(): gd warning: product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+  in %sbug72339.php on line %d
diff --git a/bug72402.patch b/bug72402.patch
new file mode 100644
index 0000000..5e7243f
--- /dev/null
+++ b/bug72402.patch
@@ -0,0 +1,284 @@
+From 5b597a2e5b28e2d5a52fc1be13f425f08f47cb62 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 18 Jun 2016 21:48:39 -0700
+Subject: [PATCH] Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
+
+---
+ ext/mbstring/php_mbregex.c       | 65 ++++++++++++++++++++--------------------
+ ext/mbstring/tests/bug72402.phpt | 17 +++++++++++
+ 2 files changed, 49 insertions(+), 33 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug72402.phpt
+
+diff --git a/ext/mbstring/php_mbregex.c b/ext/mbstring/php_mbregex.c
+index d73c848..6cdee23 100644
+--- a/ext/mbstring/php_mbregex.c
++++ b/ext/mbstring/php_mbregex.c
+@@ -32,7 +32,7 @@
+ #include "ext/standard/info.h"
+ #include "php_mbregex.h"
+ #include "mbstring.h"
+- 
++
+ #include "php_onig_compat.h" /* must come prior to the oniguruma header */
+ #include <oniguruma.h>
+ #undef UChar
+@@ -55,7 +55,7 @@ struct _zend_mb_regex_globals {
+ #define MBREX(g) (MBSTRG(mb_regex_globals)->g)
+ 
+ /* {{{ static void php_mb_regex_free_cache() */
+-static void php_mb_regex_free_cache(php_mb_regex_t **pre) 
++static void php_mb_regex_free_cache(php_mb_regex_t **pre)
+ {
+ 	onig_free(*pre);
+ }
+@@ -78,7 +78,7 @@ static int _php_mb_regex_globals_ctor(zend_mb_regex_globals *pglobals TSRMLS_DC)
+ /* }}} */
+ 
+ /* {{{ _php_mb_regex_globals_dtor */
+-static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC) 
++static void _php_mb_regex_globals_dtor(zend_mb_regex_globals *pglobals TSRMLS_DC)
+ {
+ 	zend_hash_destroy(&pglobals->ht_rc);
+ }
+@@ -466,7 +466,7 @@ static php_mb_regex_t *php_mbregex_compile_pattern(const char *pattern, int patl
+ 		retval = *rc;
+ 	}
+ out:
+-	return retval; 
++	return retval;
+ }
+ /* }}} */
+ 
+@@ -483,7 +483,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ 			--len_left;
+ 			*(p++) = 'i';
+ 		}
+-		++len_req;	
++		++len_req;
+ 	}
+ 
+ 	if ((option & ONIG_OPTION_EXTEND) != 0) {
+@@ -491,7 +491,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ 			--len_left;
+ 			*(p++) = 'x';
+ 		}
+-		++len_req;	
++		++len_req;
+ 	}
+ 
+ 	if ((option & (ONIG_OPTION_MULTILINE | ONIG_OPTION_SINGLELINE)) ==
+@@ -500,14 +500,14 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ 			--len_left;
+ 			*(p++) = 'p';
+ 		}
+-		++len_req;	
++		++len_req;
+ 	} else {
+ 		if ((option & ONIG_OPTION_MULTILINE) != 0) {
+ 			if (len_left > 0) {
+ 				--len_left;
+ 				*(p++) = 'm';
+ 			}
+-			++len_req;	
++			++len_req;
+ 		}
+ 
+ 		if ((option & ONIG_OPTION_SINGLELINE) != 0) {
+@@ -515,22 +515,22 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ 				--len_left;
+ 				*(p++) = 's';
+ 			}
+-			++len_req;	
++			++len_req;
+ 		}
+-	}	
++	}
+ 	if ((option & ONIG_OPTION_FIND_LONGEST) != 0) {
+ 		if (len_left > 0) {
+ 			--len_left;
+ 			*(p++) = 'l';
+ 		}
+-		++len_req;	
++		++len_req;
+ 	}
+ 	if ((option & ONIG_OPTION_FIND_NOT_EMPTY) != 0) {
+ 		if (len_left > 0) {
+ 			--len_left;
+ 			*(p++) = 'n';
+ 		}
+-		++len_req;	
++		++len_req;
+ 	}
+ 
+ 	c = 0;
+@@ -566,7 +566,7 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ 		--len_left;
+ 		*(p++) = '\0';
+ 	}
+-	++len_req;	
++	++len_req;
+ 	if (len < len_req) {
+ 		return len_req;
+ 	}
+@@ -577,11 +577,11 @@ static size_t _php_mb_regex_get_option_string(char *str, size_t len, OnigOptionT
+ 
+ /* {{{ _php_mb_regex_init_options */
+ static void
+-_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval) 
++_php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, OnigSyntaxType **syntax, int *eval)
+ {
+ 	int n;
+ 	char c;
+-	int optm = 0; 
++	int optm = 0;
+ 
+ 	*syntax = ONIG_SYNTAX_RUBY;
+ 
+@@ -636,13 +636,13 @@ _php_mb_regex_init_options(const char *parg, int narg, OnigOptionType *option, O
+ 					*syntax = ONIG_SYNTAX_POSIX_EXTENDED;
+ 					break;
+ 				case 'e':
+-					if (eval != NULL) *eval = 1; 
++					if (eval != NULL) *eval = 1;
+ 					break;
+ 				default:
+ 					break;
+ 			}
+ 		}
+-		if (option != NULL) *option|=optm; 
++		if (option != NULL) *option|=optm;
+ 	}
+ }
+ /* }}} */
+@@ -860,11 +860,11 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ 	} else {
+ 		/* FIXME: this code is not multibyte aware! */
+ 		convert_to_long_ex(arg_pattern_zval);
+-		pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);	
++		pat_buf[0] = (char)Z_LVAL_PP(arg_pattern_zval);
+ 		pat_buf[1] = '\0';
+ 
+ 		arg_pattern = pat_buf;
+-		arg_pattern_len = 1;	
++		arg_pattern_len = 1;
+ 	}
+ 	/* create regex pattern buffer */
+ 	re = php_mbregex_compile_pattern(arg_pattern, arg_pattern_len, options, MBREX(current_mbctype), syntax TSRMLS_CC);
+@@ -934,7 +934,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ 					}
+ 				}
+ 			}
+-				
++
+ 			if (eval) {
+ 				zval v;
+ 				/* null terminate buffer */
+@@ -953,32 +953,31 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ 				eval_buf.len = 0;
+ 				zval_dtor(&v);
+ 			} else if (is_callable) {
+-				zval *retval_ptr;
++				zval *retval_ptr = NULL;
+ 				zval **args[1];
+ 				zval *subpats;
+ 				int i;
+-				
++
+ 				MAKE_STD_ZVAL(subpats);
+ 				array_init(subpats);
+-				
++
+ 				for (i = 0; i < regs->num_regs; i++) {
+ 					add_next_index_stringl(subpats, string + regs->beg[i], regs->end[i] - regs->beg[i], 1);
+-				}				
+-				
++				}
++
+ 				args[0] = &subpats;
+ 				/* null terminate buffer */
+ 				smart_str_0(&eval_buf);
+-				
++
+ 				arg_replace_fci.param_count = 1;
+ 				arg_replace_fci.params = args;
+ 				arg_replace_fci.retval_ptr_ptr = &retval_ptr;
+-				if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr) {
++				if (zend_call_function(&arg_replace_fci, &arg_replace_fci_cache TSRMLS_CC) == SUCCESS && arg_replace_fci.retval_ptr_ptr && retval_ptr) {
+ 					convert_to_string_ex(&retval_ptr);
+ 					smart_str_appendl(&out_buf, Z_STRVAL_P(retval_ptr), Z_STRLEN_P(retval_ptr));
+ 					eval_buf.len = 0;
+ 					zval_ptr_dtor(&retval_ptr);
+ 				} else {
+-					efree(description);
+ 					if (!EG(exception)) {
+ 						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to call custom replacement function");
+ 					}
+@@ -991,7 +990,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ 				pos = (OnigUChar *)string + n;
+ 			} else {
+ 				if (pos < string_lim) {
+-					smart_str_appendl(&out_buf, pos, 1); 
++					smart_str_appendl(&out_buf, pos, 1);
+ 				}
+ 				pos++;
+ 			}
+@@ -1013,7 +1012,7 @@ static void _php_mb_regex_ereg_replace_exec(INTERNAL_FUNCTION_PARAMETERS, OnigOp
+ 	smart_str_free(&eval_buf);
+ 
+ 	if (err <= -2) {
+-		smart_str_free(&out_buf);	
++		smart_str_free(&out_buf);
+ 		RETVAL_FALSE;
+ 	} else {
+ 		smart_str_appendc(&out_buf, '\0');
+@@ -1063,7 +1062,7 @@ PHP_FUNCTION(mb_split)
+ 
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &arg_pattern, &arg_pattern_len, &string, &string_len, &count) == FAILURE) {
+ 		RETURN_FALSE;
+-	} 
++	}
+ 
+ 	if (count > 0) {
+ 		count--;
+@@ -1317,7 +1316,7 @@ PHP_FUNCTION(mb_ereg_search_init)
+ 	if (zend_parse_parameters(argc TSRMLS_CC, "z|ss", &arg_str, &arg_pattern, &arg_pattern_len, &arg_options, &arg_options_len) == FAILURE) {
+ 		return;
+ 	}
+-	
++
+ 	if (argc > 1 && arg_pattern_len == 0) {
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Empty pattern");
+ 		RETURN_FALSE;
+@@ -1416,7 +1415,7 @@ PHP_FUNCTION(mb_ereg_search_setpos)
+ /* }}} */
+ 
+ /* {{{ php_mb_regex_set_options */
+-static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC) 
++static void _php_mb_regex_set_options(OnigOptionType options, OnigSyntaxType *syntax, OnigOptionType *prev_options, OnigSyntaxType **prev_syntax TSRMLS_DC)
+ {
+ 	if (prev_options != NULL) {
+ 		*prev_options = MBREX(regex_default_options);
+diff --git a/ext/mbstring/tests/bug72402.phpt b/ext/mbstring/tests/bug72402.phpt
+new file mode 100644
+index 0000000..abb290b
+--- /dev/null
++++ b/ext/mbstring/tests/bug72402.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #72402: _php_mb_regex_ereg_replace_exec - double free
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++function throwit() {
++	throw new Exception('it');
++}
++$var10 = "throwit";
++try {
++	$var14 = mb_ereg_replace_callback("", $var10, "");
++} catch(Exception $e) {}
++?>
++DONE
++--EXPECT--
++DONE
+\ No newline at end of file
diff --git a/bug72433.patch b/bug72433.patch
new file mode 100644
index 0000000..79b7265
--- /dev/null
+++ b/bug72433.patch
@@ -0,0 +1,113 @@
+From 3f627e580acfdaf0595ae3b115b8bec677f203ee Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 21:26:33 -0700
+Subject: [PATCH] Fixed ##72433: Use After Free Vulnerability in PHP's GC
+ algorithm and unserialize
+
+---
+ Zend/tests/gc_024.phpt                   |  2 +-
+ ext/spl/spl_array.c                      | 11 +++++++++++
+ ext/standard/tests/strings/bug72433.phpt | 32 ++++++++++++++++++++++++++++++++
+ 3 files changed, 44 insertions(+), 1 deletion(-)
+ create mode 100644 ext/standard/tests/strings/bug72433.phpt
+
+diff --git a/Zend/tests/gc_024.phpt b/Zend/tests/gc_024.phpt
+index 9a2ceb8..ca78da6 100644
+--- a/Zend/tests/gc_024.phpt
++++ b/Zend/tests/gc_024.phpt
+@@ -13,5 +13,5 @@ var_dump(gc_collect_cycles());
+ echo "ok\n";
+ ?>
+ --EXPECT--
+-int(1)
++int(2)
+ ok
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index c89cf49..4e03c40 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -831,6 +831,16 @@ static HashTable* spl_array_get_debug_info(zval *obj, int *is_temp TSRMLS_DC) /*
+ }
+ /* }}} */
+ 
++static HashTable *spl_array_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
++{
++	spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
++
++	*gc_data = &intern->array;
++	*gc_data_count = 1;
++	return zend_std_get_properties(object);
++}
++/* }}} */
++
+ static zval *spl_array_read_property(zval *object, zval *member, int type, const zend_literal *key TSRMLS_DC) /* {{{ */
+ {
+ 	spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(object TSRMLS_CC);
+@@ -1973,6 +1983,7 @@ PHP_MINIT_FUNCTION(spl_array)
+ 
+ 	spl_handler_ArrayObject.get_properties = spl_array_get_properties;
+ 	spl_handler_ArrayObject.get_debug_info = spl_array_get_debug_info;
++	spl_handler_ArrayObject.get_gc = spl_array_get_gc;
+ 	spl_handler_ArrayObject.read_property = spl_array_read_property;
+ 	spl_handler_ArrayObject.write_property = spl_array_write_property;
+ 	spl_handler_ArrayObject.get_property_ptr_ptr = spl_array_get_property_ptr_ptr;
+diff --git a/ext/standard/tests/strings/bug72433.phpt b/ext/standard/tests/strings/bug72433.phpt
+new file mode 100644
+index 0000000..3a2c897
+--- /dev/null
++++ b/ext/standard/tests/strings/bug72433.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
++--FILE--
++<?php
++// Fill any potential freed spaces until now.
++$filler = array();
++for($i = 0; $i < 100; $i++)
++	$filler[] = "";
++// Create our payload and unserialize it.
++$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
++$free_me = unserialize($serialized_payload);
++// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
++$inc_ref_by_one = $free_me[2];
++// The call to gc_collect_cycles will free '$free_me'.
++gc_collect_cycles();
++// We now have multiple freed spaces. Fill all of them.
++$fill_freed_space_1 = "filler_zval_1";
++$fill_freed_space_2 = "filler_zval_2";
++var_dump($free_me);
++?>
++--EXPECTF--
++array(3) {
++  [0]=>
++  *RECURSION*
++  [1]=>
++  *RECURSION*
++  [2]=>
++  object(ArrayObject)#%d (1) {
++    ["storage":"ArrayObject":private]=>
++    *RECURSION*
++  }
++}
+From 7f428cae88f1294052087e6729f1ecb924b8a18d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 22:13:31 -0700
+Subject: [PATCH] fix build
+
+---
+ ext/spl/spl_array.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index 4e03c40..5cb7d34 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -837,7 +837,7 @@ static HashTable *spl_array_get_gc(zval *object, zval ***gc_data, int *gc_data_c
+ 
+ 	*gc_data = &intern->array;
+ 	*gc_data_count = 1;
+-	return zend_std_get_properties(object);
++	return zend_std_get_properties(object TSRMLS_CC);
+ }
+ /* }}} */
+ 
diff --git a/bug72434.patch b/bug72434.patch
new file mode 100644
index 0000000..2e9294d
--- /dev/null
+++ b/bug72434.patch
@@ -0,0 +1,78 @@
+From f6aef68089221c5ea047d4a74224ee3deead99a6 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 21:35:22 -0700
+Subject: [PATCH] Fix bug #72434: ZipArchive class Use After Free Vulnerability
+ in PHP's GC algorithm and unserialize
+
+---
+ ext/standard/tests/strings/bug72434.phpt | 33 ++++++++++++++++++++++++++++++++
+ ext/zip/php_zip.c                        |  9 +++++++++
+ 2 files changed, 42 insertions(+)
+ create mode 100644 ext/standard/tests/strings/bug72434.phpt
+
+diff --git a/ext/standard/tests/strings/bug72434.phpt b/ext/standard/tests/strings/bug72434.phpt
+new file mode 100644
+index 0000000..1408b8f
+--- /dev/null
++++ b/ext/standard/tests/strings/bug72434.phpt
+@@ -0,0 +1,33 @@
++--TEST--
++Bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
++--SKIPIF--
++<?php
++if(!class_exists('zip')) die('ZipArchive');
++?>
++--FILE--
++<?php
++// The following array will be serialized and this representation will be freed later on.
++$free_me = array(new StdClass());
++// Create our payload and unserialize it.
++$serialized_payload = 'a:3:{i:1;N;i:2;O:10:"ZipArchive":1:{s:8:"filename";'.serialize($free_me).'}i:1;R:4;}';
++$unserialized_payload = unserialize($serialized_payload);
++gc_collect_cycles();
++// The reference counter for $free_me is at -1 for PHP 7 right now.
++// Increment the reference counter by 1 -> rc is 0
++$a = $unserialized_payload[1];
++// Increment the reference counter by 1 again -> rc is 1
++$b = $a;
++// Trigger free of $free_me (referenced by $m[1]).
++unset($b);
++$fill_freed_space_1 = "filler_zval_1";
++$fill_freed_space_2 = "filler_zval_2";
++$fill_freed_space_3 = "filler_zval_3";
++$fill_freed_space_4 = "filler_zval_4";
++debug_zval_dump($unserialized_payload[1]);
++?>
++--EXPECTF--
++array(1) refcount(1){
++  [0]=>
++  object(stdClass)#%d (0) refcount(3){
++  }
++}
+diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
+index 99c293c..57d060f 100644
+--- a/ext/zip/php_zip.c
++++ b/ext/zip/php_zip.c
+@@ -1015,6 +1015,14 @@ static int php_zip_has_property(zval *object, zval *member, int type, const zend
+ }
+ /* }}} */
+ 
++static HashTable *php_zip_get_gc(zval *object, zval ***gc_data, int *gc_data_count TSRMLS_DC) /* {{{ */
++{
++	*gc_data = NULL;
++	*gc_data_count = 0;
++	return zend_std_get_properties(object TSRMLS_CC);
++}
++/* }}} */
++
+ static HashTable *php_zip_get_properties(zval *object TSRMLS_DC)/* {{{ */
+ {
+ 	ze_zip_object *obj;
+@@ -2777,6 +2785,7 @@ static PHP_MINIT_FUNCTION(zip)
+ 	zip_object_handlers.clone_obj		= NULL;
+ 	zip_object_handlers.get_property_ptr_ptr = php_zip_get_property_ptr_ptr;
+ 
++	zip_object_handlers.get_gc          = php_zip_get_gc;
+ 	zip_object_handlers.get_properties = php_zip_get_properties;
+ 	zip_object_handlers.read_property	= php_zip_read_property;
+ 	zip_object_handlers.has_property	= php_zip_has_property;
diff --git a/bug72446.patch b/bug72446.patch
new file mode 100644
index 0000000..1990705
--- /dev/null
+++ b/bug72446.patch
@@ -0,0 +1,30 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From c395c6e5d7e8df37a21265ff76e48fe75ceb5ae6 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 23:58:26 -0700
+Subject: [PATCH] iFixed bug #72446 - Integer Overflow in
+ gdImagePaletteToTrueColor() resulting in heap overflow
+
+---
+ NEWS              |  2 ++
+ ext/gd/libgd/gd.c | 22 +++++++++++++---------
+ 2 files changed, 15 insertions(+), 9 deletions(-)
+
+diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
+index 2c63aac..4dad95a 100644
+--- a/ext/gd/libgd/gd.c
++++ b/ext/gd/libgd/gd.c
+@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
+ 		return NULL;
+ 	}
+ 
++	if (overflow2(sizeof(unsigned char *), sx)) {
++		return NULL;
++	}
++
+ 	im = (gdImage *) gdCalloc(1, sizeof(gdImage));
+ 
+ 	/* Row-major ever since gd 1.3 */
+
diff --git a/bug72455.patch b/bug72455.patch
new file mode 100644
index 0000000..e3c3660
--- /dev/null
+++ b/bug72455.patch
@@ -0,0 +1,39 @@
+Backported from 5.5.37 for 5.4 by Remi Collet
+
+
+From 6c5211a0cef0cc2854eaa387e0eb036e012904d0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 20 Jun 2016 21:51:42 -0700
+Subject: [PATCH] Fix bug #72455:  Heap Overflow due to integer overflows
+
+---
+ ext/mcrypt/mcrypt.c | 92 +++++++++++++++++++++++++++++------------------------
+ 1 file changed, 50 insertions(+), 42 deletions(-)
+
+diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
+index 194660d..3cbb913 100644
+--- a/ext/mcrypt/mcrypt.c
++++ b/ext/mcrypt/mcrypt.c
+@@ -681,6 +681,10 @@ PHP_FUNCTION(mcrypt_generic)
+ 	if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
+ 		block_size = mcrypt_enc_get_block_size(pm->td);
+ 		data_size = (((data_len - 1) / block_size) + 1) * block_size;
++		if (data_size <= 0) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
++			RETURN_FALSE;
++		}
+ 		data_s = emalloc(data_size + 1);
+ 		memset(data_s, 0, data_size);
+ 		memcpy(data_s, data, data_len);
+@@ -726,6 +730,10 @@ PHP_FUNCTION(mdecrypt_generic)
+ 	if (mcrypt_enc_is_block_mode(pm->td) == 1) { /* It's a block algorithm */
+ 		block_size = mcrypt_enc_get_block_size(pm->td);
+ 		data_size = (((data_len - 1) / block_size) + 1) * block_size;
++		if (data_size <= 0) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Integer overflow in data size");
++			RETURN_FALSE;
++		}
+ 		data_s = emalloc(data_size + 1);
+ 		memset(data_s, 0, data_size);
+ 		memcpy(data_s, data, data_len);
+
diff --git a/failed.txt b/failed.txt
index 2e625d6..899fc52 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,20 +1,21 @@
-===== 5.5.45-9 (2016-05-29)
+===== 5.5.45-10 (2016-06-23)
 
 $ grep -r 'Tests failed' /var/lib/mock/scl54*/build.log
 
 /var/lib/mock/scl54el6x/build.log:Tests failed    :    1
 /var/lib/mock/scl54el7x/build.log:Tests failed    :    0
 /var/lib/mock/scl54fc21x/build.log:Tests failed    :    1
-/var/lib/mock/scl54fc22x/build.log:Tests failed    :    2
-/var/lib/mock/scl54fc23x/build.log:Tests failed    :    2
-/var/lib/mock/scl54fc24x/build.log:Tests failed    :    2
+/var/lib/mock/scl54fc22x/build.log:Tests failed    :    1
+/var/lib/mock/scl54fc23x/build.log:Tests failed    :    3
+/var/lib/mock/scl54fc24x/build.log:Tests failed    :    3
 
 f23, f24
     Bug #64802: openssl_x509_parse fails to parse subject properly in some cases [ext/openssl/tests/bug64802.phpt]
+	Bug #33414 [1] (Comprehensive list of incorrect days returned after strotime() / date() tests) [ext/date/tests/bug33414-1.phpt]
 f21, f22, f23, f24
     Test strptime() function : basic functionality [ext/standard/tests/time/strptime_basic.phpt]
-f22
-	file_get_contents() test using offset parameter out of range [ext/standard/tests/file/file_get_contents_error001.phpt]
 el6
     Bug #32001 (xml_parse*() goes into infinite loop when autodetection in effect), using UTF-* [ext/xml/tests/bug32001.phpt]
 
+* bug33414-1.phpt fails with tzdata-2016e
+
diff --git a/php.spec b/php.spec
index cbb96a3..9811056 100644
--- a/php.spec
+++ b/php.spec
@@ -214,7 +214,15 @@ Patch231: bug72241.patch
 Patch232: bug66387.patch
 Patch233: bug72340.patch
 Patch234: bug72275.patch
+# For #72400, #72403, #72268
 Patch235: bug72400.patch
+Patch236: bug72339.patch
+Patch237: bug72298.patch
+Patch238: bug72402.patch
+Patch239: bug72433.patch
+Patch240: bug72434.patch
+Patch241: bug72455.patch
+Patch242: bug72446.patch
 
 # Fixes for tests (300+)
 # Backported from 5.5
@@ -888,6 +896,13 @@ support for using the enchant library to PHP.
 %patch233 -p1 -b .bug72340
 %patch234 -p1 -b .bug72275
 %patch235 -p1 -b .bug72400
+%patch236 -p1 -b .bug72339
+%patch237 -p1 -b .bug72298
+%patch238 -p1 -b .bug72402
+%patch239 -p1 -b .bug72433
+%patch240 -p1 -b .bug72434
+%patch241 -p1 -b .bug72455
+%patch242 -p1 -b .bug72446
 
 # Fixes for tests
 %patch300 -p1 -b .datetests1
@@ -1714,8 +1729,24 @@ EOF
 * Tue Jun 21 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-10
 - Fix #66387: Stack overflow with imagefilltoborder
 - Fix #72340: Double Free Courruption in wddx_deserialize
+  CVE-2016-5772
 - Fix #72275: don't allow smart_str to overflow int
-- Fix #72400 and #72403: prevent signed int overflows for string lengths
+- Fix #72400: prevent signed int overflows for string lengths
+- Fix #72403: prevent signed int overflows for string lengths
+- Fix #72268: Integer Overflow in nl2br(). (Stas)
+- Fix #72339: Integer Overflow in _gd2GetHeader() resulting in heap overflow
+  CVE-2016-5766
+- Fix #72298: pass2_no_dither out-of-bounds access
+- Fix #72402: _php_mb_regex_ereg_replace_exec - double free
+  CVE-2016-5768
+- Fix #72433: SPL use After Free Vulnerability in PHP's GC
+  CVE-2016-5771
+- Fix #72434: ZipArchive class use After Free Vulnerability in PHP's GC
+  CVE-2016-5773
+- Fix #72455: Heap Overflow due to integer overflows
+  CVE-2016-5769
+- Fix #72446: Integer Overflow in gdImagePaletteToTrueColor()
+  CVE-2016-5767
 
 * Sun May 29 2016 Remi Collet <remi@fedoraproject.org> 5.4.45-9
 - Fix #71331: Uninitialized pointer in phar_make_dirstream
-- 
cgit