summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--bug72860.patch62
-rw-r--r--bug72910.patch61
-rw-r--r--bug72926.patch29
-rw-r--r--bug72928.patch92
-rw-r--r--bug73007.patch25
-rw-r--r--bug73029.patch89
-rw-r--r--bug73035.patch32
-rw-r--r--bug73052.patch65
-rw-r--r--bug73065.patch196
-rw-r--r--failed.txt3
-rw-r--r--php.spec38
11 files changed, 689 insertions, 3 deletions
diff --git a/bug72860.patch b/bug72860.patch
new file mode 100644
index 0000000..e26cae0
--- /dev/null
+++ b/bug72860.patch
@@ -0,0 +1,62 @@
+Backported from 5.6.26 by Remi.
+
+
+From 780daee62b55995a10f8e849159eff0a25bacb9d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 5 Sep 2016 23:42:31 -0700
+Subject: [PATCH] Fix bug #72860: wddx_deserialize use-after-free
+
+---
+ ext/wddx/tests/bug72860.phpt | 27 +++++++++++++++++++++++++++
+ ext/wddx/wddx.c | 3 ++-
+ 2 files changed, 29 insertions(+), 1 deletion(-)
+ create mode 100644 ext/wddx/tests/bug72860.phpt
+
+diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt
+new file mode 100644
+index 0000000..6385457
+--- /dev/null
++++ b/ext/wddx/tests/bug72860.phpt
+@@ -0,0 +1,27 @@
++--TEST--
++Bug #72860: wddx_deserialize use-after-free
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++ die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++
++$xml=<<<XML
++<?xml version='1.0'?>
++<!DOCTYPE wddxPacket SYSTEM 'wddx_0100.dtd'>
++<wddxPacket version='1.0'>
++ <recordset fieldNames='F'>
++ <field name='F'>
++ </recordset>
++</wddxPacket>
++XML;
++
++var_dump(wddx_deserialize($xml));
++?>
++DONE
++--EXPECT--
++NULL
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index d7bd295..b02d2f0 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -232,7 +232,8 @@ static int wddx_stack_destroy(wddx_stack *stack)
+
+ if (stack->elements) {
+ for (i = 0; i < stack->top; i++) {
+- if (((st_entry *)stack->elements[i])->data) {
++ if (((st_entry *)stack->elements[i])->data
++ && ((st_entry *)stack->elements[i])->type != ST_FIELD) {
+ zval_ptr_dtor(&((st_entry *)stack->elements[i])->data);
+ }
+ if (((st_entry *)stack->elements[i])->varname) {
diff --git a/bug72910.patch b/bug72910.patch
new file mode 100644
index 0000000..2556b69
--- /dev/null
+++ b/bug72910.patch
@@ -0,0 +1,61 @@
+Backported from 5.6.26 by Remi.
+
+
+From 486056b2153f7177cd8a7c78d93968726ee8fa65 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 1 Sep 2016 23:27:06 -0700
+Subject: [PATCH] Fix bug #72910
+
+Merge upstream patch from https://github.com/kkos/oniguruma/commit/65bdf2a0d160d06556415e5f396a75f6b11bad5c
+---
+ ext/mbstring/oniguruma/enc/utf8.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c
+index 5e2c172..74122e1 100644
+--- a/ext/mbstring/oniguruma/enc/utf8.c
++++ b/ext/mbstring/oniguruma/enc/utf8.c
+@@ -98,7 +98,7 @@ mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+
+ len = enclen(ONIG_ENCODING_UTF8, p);
+ c = *p++;
+- if (len > 1) {
++ if (len > 1 && p < end) {
+ len--;
+ n = c & ((1 << (6 - len)) - 1);
+ while (len--) {
+
+From b570c506815212c7702bfb0046e87d541e171eb7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 19:13:22 -0700
+Subject: [PATCH] Sync fix for bug #72910 with current upstream
+
+---
+ ext/mbstring/oniguruma/enc/utf8.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c
+index 74122e1..9e8478f 100644
+--- a/ext/mbstring/oniguruma/enc/utf8.c
++++ b/ext/mbstring/oniguruma/enc/utf8.c
+@@ -91,14 +91,16 @@ is_mbc_newline(const UChar* p, const UChar* end)
+ }
+
+ static OnigCodePoint
+-mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++mbc_to_code(const UChar* p, const UChar* end)
+ {
+ int c, len;
+ OnigCodePoint n;
+
+- len = enclen(ONIG_ENCODING_UTF8, p);
++ len = mbc_enc_len(p);
++ if (len > end - p) len = end - p;
++
+ c = *p++;
+- if (len > 1 && p < end) {
++ if (len > 1) {
+ len--;
+ n = c & ((1 << (6 - len)) - 1);
+ while (len--) {
+
diff --git a/bug72926.patch b/bug72926.patch
new file mode 100644
index 0000000..044ed2b
--- /dev/null
+++ b/bug72926.patch
@@ -0,0 +1,29 @@
+Backported from 5.6.26 by Remi.
+
+
+From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 20:49:34 -0700
+Subject: [PATCH] Same issue as #72926 in another place.
+
+---
+ ext/exif/exif.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 657a2cc1..8b0e34c 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size);
+ if (fgot < ImageInfo->Thumbnail.size) {
+ EXIF_ERRLOG_THUMBEOF(ImageInfo)
++ efree(ImageInfo->Thumbnail.data);
++ ImageInfo->Thumbnail.data = NULL;
++ } else {
++ exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+- exif_thumbnail_build(ImageInfo TSRMLS_CC);
+ }
+ }
+ }
diff --git a/bug72928.patch b/bug72928.patch
new file mode 100644
index 0000000..82189ae
--- /dev/null
+++ b/bug72928.patch
@@ -0,0 +1,92 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 4 Sep 2016 22:07:35 -0700
+Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip
+ phar in phar_parse_zipfile
+
+---
+ ext/phar/tests/bug72928.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug72928.zip | Bin 0 -> 140 bytes
+ ext/phar/util.c | 28 ++++++++++++++++++++++++++++
+ ext/phar/zip.c | 2 +-
+ 4 files changed, 47 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug72928.phpt
+ create mode 100644 ext/phar/tests/bug72928.zip
+
+diff --git a/ext/phar/util.c b/ext/phar/util.c
+index 4bbd867..828be8f 100644
+--- a/ext/phar/util.c
++++ b/ext/phar/util.c
+@@ -1657,6 +1657,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[64];
+ PHP_SHA512_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA512Init(&context);
+ read_len = end_of_phar;
+
+@@ -1690,6 +1697,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[32];
+ PHP_SHA256_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA256Init(&context);
+ read_len = end_of_phar;
+
+@@ -1731,6 +1745,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[20];
+ PHP_SHA1_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_SHA1Init(&context);
+ read_len = end_of_phar;
+
+@@ -1764,6 +1785,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ
+ unsigned char digest[16];
+ PHP_MD5_CTX context;
+
++ if (sig_len < sizeof(digest)) {
++ if (error) {
++ spprintf(error, 0, "broken signature");
++ }
++ return FAILURE;
++ }
++
+ PHP_MD5Init(&context);
+ read_len = end_of_phar;
+
+diff --git a/ext/phar/zip.c b/ext/phar/zip.c
+index bf895e7..ed156a2 100644
+--- a/ext/phar/zip.c
++++ b/ext/phar/zip.c
+@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias,
+ php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET);
+ sig = (char *) emalloc(entry.uncompressed_filesize);
+ read = php_stream_read(fp, sig, entry.uncompressed_filesize);
+- if (read != entry.uncompressed_filesize) {
++ if (read != entry.uncompressed_filesize || read <= 8) {
+ php_stream_close(sigfile);
+ efree(sig);
+ PHAR_ZIP_FAIL("signature cannot be read");
diff --git a/bug73007.patch b/bug73007.patch
new file mode 100644
index 0000000..e707c22
--- /dev/null
+++ b/bug73007.patch
@@ -0,0 +1,25 @@
+Backported from 5.6.26 by Remi.
+
+
+From 20fa323d53257a776bd7551ce7bdb2261cfe5420 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 5 Sep 2016 18:01:35 -0700
+Subject: [PATCH] Fix bug #73007: add locale length check
+
+---
+ ext/intl/msgformat/msgformat_format.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/intl/msgformat/msgformat_format.c b/ext/intl/msgformat/msgformat_format.c
+index 25c9619..9b6df38 100644
+--- a/ext/intl/msgformat/msgformat_format.c
++++ b/ext/intl/msgformat/msgformat_format.c
+@@ -118,6 +118,8 @@ PHP_FUNCTION( msgfmt_format_message )
+ RETURN_FALSE;
+ }
+
++ INTL_CHECK_LOCALE_LEN(slocale_len);
++
+ msgformat_data_init(&mfo->mf_data TSRMLS_CC);
+
+ if(pattern && pattern_len) {
diff --git a/bug73029.patch b/bug73029.patch
new file mode 100644
index 0000000..9e52054
--- /dev/null
+++ b/bug73029.patch
@@ -0,0 +1,89 @@
+Backported from 5.6.26 by Remi.
+
+
+From 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Sep 2016 20:24:13 -0700
+Subject: [PATCH] Fix bug #73029 - Missing type check when unserializing
+ SplArray
+
+---
+ ext/spl/spl_array.c | 10 ++++++----
+ ext/spl/tests/bug73029.phpt | 16 ++++++++++++++++
+ 2 files changed, 22 insertions(+), 4 deletions(-)
+ create mode 100644 ext/spl/tests/bug73029.phpt
+
+diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
+index 42a8e7a..700d609 100644
+--- a/ext/spl/spl_array.c
++++ b/ext/spl/spl_array.c
+@@ -306,7 +306,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object,
+ long index;
+ HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
+
+- if (!offset) {
++ if (!offset || !ht) {
+ return &EG(uninitialized_zval_ptr);
+ }
+
+@@ -1796,7 +1796,9 @@ SPL_METHOD(Array, unserialize)
+ intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK;
+ zval_ptr_dtor(&intern->array);
+ ALLOC_INIT_ZVAL(intern->array);
+- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) {
++ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)
++ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) {
++ zval_ptr_dtor(&intern->array);
+ goto outexcept;
+ }
+ var_push_dtor(&var_hash, &intern->array);
+diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt
+new file mode 100644
+index 0000000..a379f80
+--- /dev/null
++++ b/ext/spl/tests/bug73029.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #73029: Missing type check when unserializing SplArray
++--FILE--
++<?php
++try {
++$a = 'C:11:"ArrayObject":19:0x:i:0;r:2;;m:a:0:{}}';
++$m = unserialize($a);
++$x = $m[2];
++} catch(UnexpectedValueException $e) {
++ print $e->getMessage() . "\n";
++}
++?>
++DONE
++--EXPECTF--
++Error at offset 10 of 19 bytes
++DONE
+From 812f9c8a632f74d475cbc5b82e09190c8d47f740 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 12 Sep 2016 20:12:41 -0700
+Subject: [PATCH] Fix test
+
+---
+ ext/spl/tests/bug70068.phpt | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt
+index 92a38df..96b2fa8 100644
+--- a/ext/spl/tests/bug70068.phpt
++++ b/ext/spl/tests/bug70068.phpt
+@@ -2,8 +2,13 @@
+ Bug #70068 (Dangling pointer in the unserialization of ArrayObject items)
+ --FILE--
+ <?php
++try {
+ $a = unserialize('a:3:{i:0;C:11:"ArrayObject":20:{x:i:0;r:3;;m:a:0:{};}i:1;d:11;i:2;S:31:"AAAAAAAABBBBCCCC\01\00\00\00\04\00\00\00\00\00\00\00\00\00\00";}');
++} catch(Exception $e) {
++ print $e->getMessage()."\n";
++}
+ ?>
+ OK
+ --EXPECT--
++Error at offset 10 of 20 bytes
+ OK
+\ No newline at end of file
diff --git a/bug73035.patch b/bug73035.patch
new file mode 100644
index 0000000..4cb7a8e
--- /dev/null
+++ b/bug73035.patch
@@ -0,0 +1,32 @@
+Backported from 5.6.26 by Remi.
+Binary diff dropped.
+
+
+From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Sep 2016 21:37:44 -0700
+Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar
+ phar in phar_parse_tarfile)
+
+---
+ ext/phar/tar.c | 2 +-
+ ext/phar/tests/bug73035.phpt | 18 ++++++++++++++++++
+ ext/phar/tests/bug73035.tar | Bin 0 -> 10240 bytes
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug73035.phpt
+ create mode 100644 ext/phar/tests/bug73035.tar
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index 62edcb5..898ff85 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -286,7 +286,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias,
+ }
+ curloc = php_stream_tell(fp);
+ read = php_stream_read(fp, buf, size);
+- if (read != size) {
++ if (read != size || read <= 8) {
+ if (error) {
+ spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname);
+ }
+
diff --git a/bug73052.patch b/bug73052.patch
new file mode 100644
index 0000000..a94e98b
--- /dev/null
+++ b/bug73052.patch
@@ -0,0 +1,65 @@
+Backported from 5.6.26 by Remi.
+
+
+From ba8f3ba05f8545a243881547dcd5a1dcfe4d4fb2 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Sep 2016 21:19:29 -0700
+Subject: [PATCH] Fix bug #73052 - Memory Corruption in During
+ Deserialized-object Destruction
+
+---
+ Zend/zend_objects_API.c | 6 +--
+ ext/standard/tests/serialize/bug73052.phpt | 18 +++++++++
+ ext/standard/var_unserializer.c | 61 +++++++++++++++---------------
+ ext/standard/var_unserializer.re | 1 +
+ 4 files changed, 53 insertions(+), 33 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug73052.phpt
+
+diff --git a/ext/standard/tests/serialize/bug73052.phpt b/ext/standard/tests/serialize/bug73052.phpt
+new file mode 100644
+index 0000000..63b484b
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug73052.phpt
+@@ -0,0 +1,18 @@
++--TEST--
++Bug #73052: Memory Corruption in During Deserialized-object Destruction
++--FILE--
++<?php
++
++class obj {
++ var $ryat;
++ public function __destruct() {
++ $this->ryat = null;
++ }
++}
++
++$poc = 'O:3:"obj":1:{';
++var_dump(unserialize($poc));
++?>
++--EXPECTF--
++Notice: unserialize(): Error at offset 13 of 13 bytes in %sbug73052.php on line %d
++bool(false)
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index c8e6f8a..5491492 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -440,6 +440,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
+ /* We've got partially constructed object on our hands here. Wipe it. */
+ if(Z_TYPE_PP(rval) == IS_OBJECT) {
+ zend_hash_clean(Z_OBJPROP_PP(rval));
++ zend_object_store_ctor_failed(*rval TSRMLS_CC);
+ }
+ ZVAL_NULL(*rval);
+ return 0;
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 11b93c5..ce84bf5 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -446,6 +446,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements)
+ /* We've got partially constructed object on our hands here. Wipe it. */
+ if(Z_TYPE_PP(rval) == IS_OBJECT) {
+ zend_hash_clean(Z_OBJPROP_PP(rval));
++ zend_object_store_ctor_failed(*rval TSRMLS_CC);
+ }
+ ZVAL_NULL(*rval);
+ return 0;
diff --git a/bug73065.patch b/bug73065.patch
new file mode 100644
index 0000000..1fc4a1e
--- /dev/null
+++ b/bug73065.patch
@@ -0,0 +1,196 @@
+Backported from 5.6.26 by Remi.
+
+
+From 7d011b6f59a3f5a59a9835f9ad40d9b40c266bec Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 12 Sep 2016 00:35:01 -0700
+Subject: [PATCH] Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element
+ of wddx.c
+
+---
+ ext/wddx/tests/bug73065.phpt | 98 ++++++++++++++++++++++++++++++++++++++++++++
+ ext/wddx/wddx.c | 19 +++++----
+ 2 files changed, 108 insertions(+), 9 deletions(-)
+ create mode 100644 ext/wddx/tests/bug73065.phpt
+
+diff --git a/ext/wddx/tests/bug73065.phpt b/ext/wddx/tests/bug73065.phpt
+new file mode 100644
+index 0000000..aa301aa
+--- /dev/null
++++ b/ext/wddx/tests/bug73065.phpt
+@@ -0,0 +1,98 @@
++--TEST--
++Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
++--SKIPIF--
++<?php
++if (!extension_loaded('wddx')) {
++ die('skip. wddx not available');
++}
++?>
++--FILE--
++<?php
++
++$xml1 = <<<XML
++<?xml version='1.0' ?>
++ <!DOCTYPE et SYSTEM 'w'>
++ <wddxPacket ven='1.0'>
++ <array>
++ <var Name="name">
++ <boolean value="keliu"></boolean>
++ </var>
++ <var name="1111">
++ <var name="2222">
++ <var name="3333"></var>
++ </var>
++ </var>
++ </array>
++ </wddxPacket>
++XML;
++
++$xml2 = <<<XML
++<?xml version='1.0' ?>
++ <!DOCTYPE et SYSTEM 'w'>
++ <wddxPacket ven='1.0'>
++ <array>
++ <char Name="code">
++ <boolean value="keliu"></boolean>
++ </char>
++ </array>
++ </wddxPacket>
++XML;
++
++$xml3 = <<<XML
++<?xml version='1.0' ?>
++ <!DOCTYPE et SYSTEM 'w'>
++ <wddxPacket ven='1.0'>
++ <array>
++ <boolean Name="value">
++ <boolean value="keliu"></boolean>
++ </boolean>
++ </array>
++ </wddxPacket>
++XML;
++
++$xml4 = <<<XML
++<?xml version='1.0' ?>
++ <!DOCTYPE et SYSTEM 'w'>
++ <wddxPacket ven='1.0'>
++ <array>
++ <recordset Name="fieldNames">
++ <boolean value="keliu"></boolean>
++ </recordset>
++ </array>
++ </wddxPacket>
++XML;
++
++$xml5 = <<<XML
++<?xml version='1.0' ?>
++ <!DOCTYPE et SYSTEM 'w'>
++ <wddxPacket ven='1.0'>
++ <array>
++ <field Name="name">
++ <boolean value="keliu"></boolean>
++ </field>
++ </array>
++ </wddxPacket>
++XML;
++
++for($i=1;$i<=5;$i++) {
++ $xmlvar = "xml$i";
++ $array = wddx_deserialize($$xmlvar);
++ var_dump($array);
++}
++?>
++DONE
++--EXPECTF--
++array(0) {
++}
++array(0) {
++}
++array(0) {
++}
++array(1) {
++ [0]=>
++ array(0) {
++ }
++}
++array(0) {
++}
++DONE
+\ No newline at end of file
+diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
+index b02d2f0..0e77826 100644
+--- a/ext/wddx/wddx.c
++++ b/ext/wddx/wddx.c
+@@ -774,10 +774,10 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
+ int i;
+
+ if (atts) for (i = 0; atts[i]; i++) {
+- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) {
++ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) {
+ char tmp_buf[2];
+
+- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16));
++ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16));
+ php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf));
+ break;
+ }
+@@ -795,7 +795,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
+ int i;
+
+ if (atts) for (i = 0; atts[i]; i++) {
+- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) {
++ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
+ ent.type = ST_BOOLEAN;
+ SET_STACK_VARNAME;
+
+@@ -803,7 +803,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
+ INIT_PZVAL(ent.data);
+ Z_TYPE_P(ent.data) = IS_BOOL;
+ wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
+- php_wddx_process_data(user_data, atts[i], strlen(atts[i]));
++ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1]));
+ break;
+ }
+ }
+@@ -836,8 +836,8 @@ static void php_wddx_push_element(void *
+ int i;
+
+ if (atts) for (i = 0; atts[i]; i++) {
+- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
+- stack->varname = estrdup(atts[i]);
++ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
++ stack->varname = estrdup(atts[i+1]);
+ break;
+ }
+ }
+@@ -850,11 +850,12 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
+ array_init(ent.data);
+
+ if (atts) for (i = 0; atts[i]; i++) {
+- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) {
++ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) {
+ zval *tmp;
+ char *key;
+ char *p1, *p2, *endp;
+
++ i++;
+ endp = (char *)atts[i] + strlen(atts[i]);
+ p1 = (char *)atts[i];
+ while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) {
+@@ -886,13 +887,13 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
+ ent.data = NULL;
+
+ if (atts) for (i = 0; atts[i]; i++) {
+- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) {
++ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) {
+ st_entry *recordset;
+ zval **field;
+
+ if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS &&
+ recordset->type == ST_RECORDSET &&
+- zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) {
++ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) {
+ ent.data = *field;
+ }
+
diff --git a/failed.txt b/failed.txt
index 973db97..4be1206 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,10 +1,9 @@
-==== PHP 5.5.38-2 (2016-09-10)
+==== PHP 5.5.38-3 (2016-09-19)
$ grep -r 'Tests failed' /var/lib/mock/scl55*/build.log
/var/lib/mock/scl55el6x/build.log: Tests failed : 0
/var/lib/mock/scl55el7x/build.log: Tests failed : 0
-/var/lib/mock/scl55fc21x/build.log:Tests failed : 0
/var/lib/mock/scl55fc22x/build.log:Tests failed : 0
/var/lib/mock/scl55fc23x/build.log:Tests failed : 2
/var/lib/mock/scl55fc24x/build.log:Tests failed : 2
diff --git a/php.spec b/php.spec
index ab7de2d..4ff8a48 100644
--- a/php.spec
+++ b/php.spec
@@ -140,7 +140,7 @@
Summary: PHP scripting language for creating dynamic web sites
Name: %{?scl_prefix}php
Version: 5.5.38
-Release: 2%{?dist}
+Release: 3%{?dist}
# All files licensed under PHP version 3.01, except
# Zend is licensed under Zend
# TSRM is licensed under BSD
@@ -212,6 +212,15 @@ Patch116: bug72838.patch
Patch117: bug72848.patch
Patch118: bug72849.patch
Patch119: bug72850.patch
+Patch120: bug72910.patch
+Patch121: bug72926.patch
+Patch122: bug72928.patch
+Patch123: bug73007.patch
+Patch124: bug72860.patch
+Patch125: bug73029.patch
+Patch126: bug73052.patch
+Patch127: bug73035.patch
+Patch128: bug73065.patch
# Security fixes (200+)
@@ -922,6 +931,15 @@ support for using the enchant library to PHP.
%patch117 -p1 -b .bug72848
%patch118 -p1 -b .bug72849
%patch119 -p1 -b .bug72850
+%patch120 -p1 -b .bug72910
+%patch121 -p1 -b .bug72926
+%patch122 -p1 -b .bug72928
+%patch123 -p1 -b .bug73007
+%patch124 -p1 -b .bug72860
+%patch125 -p1 -b .bug73029
+%patch126 -p1 -b .bug73052
+%patch127 -p1 -b .bug73035
+%patch128 -p1 -b .bug73065
# Fixes for tests
%patch300 -p1 -b .datetests
@@ -1826,6 +1844,24 @@ EOF
%changelog
+* Mon Sep 19 2016 Remi Collet <remi@remirepo.net> 5.5.38-3
+- fix #72910: Out of bounds heap read in mbc_to_code()
+- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage
+ in exif_process_IFD_in_TIFF
+- fix #72928: Out of bound when verify signature of zip phar
+ CVE-2016-7414
+- fix #73007: add locale length check
+ CVE-2016-7416
+- fix #72860: wddx_deserialize use-after-free
+ CVE-2016-7413
+- fix #73029: Missing type check when unserializing SplArray
+ CVE-2016-7417
+- fix #73052: Memory Corruption in During Deserialized-object Destruction
+ CVE-2016-7411
+- fix #73035: Out of bound when verify signature of tar phar
+- fix #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
+ CVE-2016-7418
+
* Mon Sep 5 2016 Remi Collet <remi@remirepo.net> 5.5.38-2
- fix #72716: initialize buffer before read (ftp)
- fix #72663: destroy broken object when unserializing