From b52e0db9c0cf11f6eda1e00f2d5292a0ac78424c Mon Sep 17 00:00:00 2001 From: Remi Collet Date: Mon, 19 Sep 2016 14:11:20 +0200 Subject: PHP 5.5.38 with backports from 5.6.26 --- bug72860.patch | 62 ++++++++++++++++++ bug72910.patch | 61 ++++++++++++++++++ bug72926.patch | 29 +++++++++ bug72928.patch | 92 +++++++++++++++++++++++++++ bug73007.patch | 25 ++++++++ bug73029.patch | 89 ++++++++++++++++++++++++++ bug73035.patch | 32 ++++++++++ bug73052.patch | 65 +++++++++++++++++++ bug73065.patch | 196 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ failed.txt | 3 +- php.spec | 38 ++++++++++- 11 files changed, 689 insertions(+), 3 deletions(-) create mode 100644 bug72860.patch create mode 100644 bug72910.patch create mode 100644 bug72926.patch create mode 100644 bug72928.patch create mode 100644 bug73007.patch create mode 100644 bug73029.patch create mode 100644 bug73035.patch create mode 100644 bug73052.patch create mode 100644 bug73065.patch diff --git a/bug72860.patch b/bug72860.patch new file mode 100644 index 0000000..e26cae0 --- /dev/null +++ b/bug72860.patch @@ -0,0 +1,62 @@ +Backported from 5.6.26 by Remi. + + +From 780daee62b55995a10f8e849159eff0a25bacb9d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 5 Sep 2016 23:42:31 -0700 +Subject: [PATCH] Fix bug #72860: wddx_deserialize use-after-free + +--- + ext/wddx/tests/bug72860.phpt | 27 +++++++++++++++++++++++++++ + ext/wddx/wddx.c | 3 ++- + 2 files changed, 29 insertions(+), 1 deletion(-) + create mode 100644 ext/wddx/tests/bug72860.phpt + +diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt +new file mode 100644 +index 0000000..6385457 +--- /dev/null ++++ b/ext/wddx/tests/bug72860.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++Bug #72860: wddx_deserialize use-after-free ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++var_dump(wddx_deserialize($xml)); ++?> ++DONE ++--EXPECT-- ++NULL ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index d7bd295..b02d2f0 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -232,7 +232,8 @@ static int wddx_stack_destroy(wddx_stack *stack) + + if (stack->elements) { + for (i = 0; i < stack->top; i++) { +- if (((st_entry *)stack->elements[i])->data) { ++ if (((st_entry *)stack->elements[i])->data ++ && ((st_entry *)stack->elements[i])->type != ST_FIELD) { + zval_ptr_dtor(&((st_entry *)stack->elements[i])->data); + } + if (((st_entry *)stack->elements[i])->varname) { diff --git a/bug72910.patch b/bug72910.patch new file mode 100644 index 0000000..2556b69 --- /dev/null +++ b/bug72910.patch @@ -0,0 +1,61 @@ +Backported from 5.6.26 by Remi. + + +From 486056b2153f7177cd8a7c78d93968726ee8fa65 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 1 Sep 2016 23:27:06 -0700 +Subject: [PATCH] Fix bug #72910 + +Merge upstream patch from https://github.com/kkos/oniguruma/commit/65bdf2a0d160d06556415e5f396a75f6b11bad5c +--- + ext/mbstring/oniguruma/enc/utf8.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c +index 5e2c172..74122e1 100644 +--- a/ext/mbstring/oniguruma/enc/utf8.c ++++ b/ext/mbstring/oniguruma/enc/utf8.c +@@ -98,7 +98,7 @@ mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) + + len = enclen(ONIG_ENCODING_UTF8, p); + c = *p++; +- if (len > 1) { ++ if (len > 1 && p < end) { + len--; + n = c & ((1 << (6 - len)) - 1); + while (len--) { + +From b570c506815212c7702bfb0046e87d541e171eb7 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 4 Sep 2016 19:13:22 -0700 +Subject: [PATCH] Sync fix for bug #72910 with current upstream + +--- + ext/mbstring/oniguruma/enc/utf8.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c +index 74122e1..9e8478f 100644 +--- a/ext/mbstring/oniguruma/enc/utf8.c ++++ b/ext/mbstring/oniguruma/enc/utf8.c +@@ -91,14 +91,16 @@ is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++mbc_to_code(const UChar* p, const UChar* end) + { + int c, len; + OnigCodePoint n; + +- len = enclen(ONIG_ENCODING_UTF8, p); ++ len = mbc_enc_len(p); ++ if (len > end - p) len = end - p; ++ + c = *p++; +- if (len > 1 && p < end) { ++ if (len > 1) { + len--; + n = c & ((1 << (6 - len)) - 1); + while (len--) { + diff --git a/bug72926.patch b/bug72926.patch new file mode 100644 index 0000000..044ed2b --- /dev/null +++ b/bug72926.patch @@ -0,0 +1,29 @@ +Backported from 5.6.26 by Remi. + + +From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 4 Sep 2016 20:49:34 -0700 +Subject: [PATCH] Same issue as #72926 in another place. + +--- + ext/exif/exif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 657a2cc1..8b0e34c 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size); + if (fgot < ImageInfo->Thumbnail.size) { + EXIF_ERRLOG_THUMBEOF(ImageInfo) ++ efree(ImageInfo->Thumbnail.data); ++ ImageInfo->Thumbnail.data = NULL; ++ } else { ++ exif_thumbnail_build(ImageInfo TSRMLS_CC); + } +- exif_thumbnail_build(ImageInfo TSRMLS_CC); + } + } + } diff --git a/bug72928.patch b/bug72928.patch new file mode 100644 index 0000000..82189ae --- /dev/null +++ b/bug72928.patch @@ -0,0 +1,92 @@ +Backported from 5.6.26 by Remi. +Binary diff dropped. + + +From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 4 Sep 2016 22:07:35 -0700 +Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip + phar in phar_parse_zipfile + +--- + ext/phar/tests/bug72928.phpt | 18 ++++++++++++++++++ + ext/phar/tests/bug72928.zip | Bin 0 -> 140 bytes + ext/phar/util.c | 28 ++++++++++++++++++++++++++++ + ext/phar/zip.c | 2 +- + 4 files changed, 47 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug72928.phpt + create mode 100644 ext/phar/tests/bug72928.zip + +diff --git a/ext/phar/util.c b/ext/phar/util.c +index 4bbd867..828be8f 100644 +--- a/ext/phar/util.c ++++ b/ext/phar/util.c +@@ -1657,6 +1657,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[64]; + PHP_SHA512_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA512Init(&context); + read_len = end_of_phar; + +@@ -1690,6 +1697,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[32]; + PHP_SHA256_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA256Init(&context); + read_len = end_of_phar; + +@@ -1731,6 +1745,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[20]; + PHP_SHA1_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA1Init(&context); + read_len = end_of_phar; + +@@ -1764,6 +1785,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[16]; + PHP_MD5_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_MD5Init(&context); + read_len = end_of_phar; + +diff --git a/ext/phar/zip.c b/ext/phar/zip.c +index bf895e7..ed156a2 100644 +--- a/ext/phar/zip.c ++++ b/ext/phar/zip.c +@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, + php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET); + sig = (char *) emalloc(entry.uncompressed_filesize); + read = php_stream_read(fp, sig, entry.uncompressed_filesize); +- if (read != entry.uncompressed_filesize) { ++ if (read != entry.uncompressed_filesize || read <= 8) { + php_stream_close(sigfile); + efree(sig); + PHAR_ZIP_FAIL("signature cannot be read"); diff --git a/bug73007.patch b/bug73007.patch new file mode 100644 index 0000000..e707c22 --- /dev/null +++ b/bug73007.patch @@ -0,0 +1,25 @@ +Backported from 5.6.26 by Remi. + + +From 20fa323d53257a776bd7551ce7bdb2261cfe5420 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 5 Sep 2016 18:01:35 -0700 +Subject: [PATCH] Fix bug #73007: add locale length check + +--- + ext/intl/msgformat/msgformat_format.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext/intl/msgformat/msgformat_format.c b/ext/intl/msgformat/msgformat_format.c +index 25c9619..9b6df38 100644 +--- a/ext/intl/msgformat/msgformat_format.c ++++ b/ext/intl/msgformat/msgformat_format.c +@@ -118,6 +118,8 @@ PHP_FUNCTION( msgfmt_format_message ) + RETURN_FALSE; + } + ++ INTL_CHECK_LOCALE_LEN(slocale_len); ++ + msgformat_data_init(&mfo->mf_data TSRMLS_CC); + + if(pattern && pattern_len) { diff --git a/bug73029.patch b/bug73029.patch new file mode 100644 index 0000000..9e52054 --- /dev/null +++ b/bug73029.patch @@ -0,0 +1,89 @@ +Backported from 5.6.26 by Remi. + + +From 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 11 Sep 2016 20:24:13 -0700 +Subject: [PATCH] Fix bug #73029 - Missing type check when unserializing + SplArray + +--- + ext/spl/spl_array.c | 10 ++++++---- + ext/spl/tests/bug73029.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 4 deletions(-) + create mode 100644 ext/spl/tests/bug73029.phpt + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index 42a8e7a..700d609 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -306,7 +306,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, + long index; + HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); + +- if (!offset) { ++ if (!offset || !ht) { + return &EG(uninitialized_zval_ptr); + } + +@@ -1796,7 +1796,9 @@ SPL_METHOD(Array, unserialize) + intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK; + zval_ptr_dtor(&intern->array); + ALLOC_INIT_ZVAL(intern->array); +- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) ++ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { ++ zval_ptr_dtor(&intern->array); + goto outexcept; + } + var_push_dtor(&var_hash, &intern->array); +diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt +new file mode 100644 +index 0000000..a379f80 +--- /dev/null ++++ b/ext/spl/tests/bug73029.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #73029: Missing type check when unserializing SplArray ++--FILE-- ++getMessage() . "\n"; ++} ++?> ++DONE ++--EXPECTF-- ++Error at offset 10 of 19 bytes ++DONE +From 812f9c8a632f74d475cbc5b82e09190c8d47f740 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 12 Sep 2016 20:12:41 -0700 +Subject: [PATCH] Fix test + +--- + ext/spl/tests/bug70068.phpt | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt +index 92a38df..96b2fa8 100644 +--- a/ext/spl/tests/bug70068.phpt ++++ b/ext/spl/tests/bug70068.phpt +@@ -2,8 +2,13 @@ + Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) + --FILE-- + getMessage()."\n"; ++} + ?> + OK + --EXPECT-- ++Error at offset 10 of 20 bytes + OK +\ No newline at end of file diff --git a/bug73035.patch b/bug73035.patch new file mode 100644 index 0000000..4cb7a8e --- /dev/null +++ b/bug73035.patch @@ -0,0 +1,32 @@ +Backported from 5.6.26 by Remi. +Binary diff dropped. + + +From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 11 Sep 2016 21:37:44 -0700 +Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar + phar in phar_parse_tarfile) + +--- + ext/phar/tar.c | 2 +- + ext/phar/tests/bug73035.phpt | 18 ++++++++++++++++++ + ext/phar/tests/bug73035.tar | Bin 0 -> 10240 bytes + 3 files changed, 19 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug73035.phpt + create mode 100644 ext/phar/tests/bug73035.tar + +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index 62edcb5..898ff85 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -286,7 +286,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, + } + curloc = php_stream_tell(fp); + read = php_stream_read(fp, buf, size); +- if (read != size) { ++ if (read != size || read <= 8) { + if (error) { + spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname); + } + diff --git a/bug73052.patch b/bug73052.patch new file mode 100644 index 0000000..a94e98b --- /dev/null +++ b/bug73052.patch @@ -0,0 +1,65 @@ +Backported from 5.6.26 by Remi. + + +From ba8f3ba05f8545a243881547dcd5a1dcfe4d4fb2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 11 Sep 2016 21:19:29 -0700 +Subject: [PATCH] Fix bug #73052 - Memory Corruption in During + Deserialized-object Destruction + +--- + Zend/zend_objects_API.c | 6 +-- + ext/standard/tests/serialize/bug73052.phpt | 18 +++++++++ + ext/standard/var_unserializer.c | 61 +++++++++++++++--------------- + ext/standard/var_unserializer.re | 1 + + 4 files changed, 53 insertions(+), 33 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug73052.phpt + +diff --git a/ext/standard/tests/serialize/bug73052.phpt b/ext/standard/tests/serialize/bug73052.phpt +new file mode 100644 +index 0000000..63b484b +--- /dev/null ++++ b/ext/standard/tests/serialize/bug73052.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #73052: Memory Corruption in During Deserialized-object Destruction ++--FILE-- ++ryat = null; ++ } ++} ++ ++$poc = 'O:3:"obj":1:{'; ++var_dump(unserialize($poc)); ++?> ++--EXPECTF-- ++Notice: unserialize(): Error at offset 13 of 13 bytes in %sbug73052.php on line %d ++bool(false) +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index c8e6f8a..5491492 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -440,6 +440,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + /* We've got partially constructed object on our hands here. Wipe it. */ + if(Z_TYPE_PP(rval) == IS_OBJECT) { + zend_hash_clean(Z_OBJPROP_PP(rval)); ++ zend_object_store_ctor_failed(*rval TSRMLS_CC); + } + ZVAL_NULL(*rval); + return 0; +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 11b93c5..ce84bf5 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -446,6 +446,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + /* We've got partially constructed object on our hands here. Wipe it. */ + if(Z_TYPE_PP(rval) == IS_OBJECT) { + zend_hash_clean(Z_OBJPROP_PP(rval)); ++ zend_object_store_ctor_failed(*rval TSRMLS_CC); + } + ZVAL_NULL(*rval); + return 0; diff --git a/bug73065.patch b/bug73065.patch new file mode 100644 index 0000000..1fc4a1e --- /dev/null +++ b/bug73065.patch @@ -0,0 +1,196 @@ +Backported from 5.6.26 by Remi. + + +From 7d011b6f59a3f5a59a9835f9ad40d9b40c266bec Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 12 Sep 2016 00:35:01 -0700 +Subject: [PATCH] Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element + of wddx.c + +--- + ext/wddx/tests/bug73065.phpt | 98 ++++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 19 +++++---- + 2 files changed, 108 insertions(+), 9 deletions(-) + create mode 100644 ext/wddx/tests/bug73065.phpt + +diff --git a/ext/wddx/tests/bug73065.phpt b/ext/wddx/tests/bug73065.phpt +new file mode 100644 +index 0000000..aa301aa +--- /dev/null ++++ b/ext/wddx/tests/bug73065.phpt +@@ -0,0 +1,98 @@ ++--TEST-- ++Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml2 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml3 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml4 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml5 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++for($i=1;$i<=5;$i++) { ++ $xmlvar = "xml$i"; ++ $array = wddx_deserialize($$xmlvar); ++ var_dump($array); ++} ++?> ++DONE ++--EXPECTF-- ++array(0) { ++} ++array(0) { ++} ++array(0) { ++} ++array(1) { ++ [0]=> ++ array(0) { ++ } ++} ++array(0) { ++} ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index b02d2f0..0e77826 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -774,10 +774,10 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) { + char tmp_buf[2]; + +- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16)); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16)); + php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf)); + break; + } +@@ -795,7 +795,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) { + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; + +@@ -803,7 +803,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + INIT_PZVAL(ent.data); + Z_TYPE_P(ent.data) = IS_BOOL; + wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); +- php_wddx_process_data(user_data, atts[i], strlen(atts[i])); ++ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); + break; + } + } +@@ -836,8 +836,8 @@ static void php_wddx_push_element(void * + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { +- stack->varname = estrdup(atts[i]); ++ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { ++ stack->varname = estrdup(atts[i+1]); + break; + } + } +@@ -850,11 +850,12 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + array_init(ent.data); + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) { + zval *tmp; + char *key; + char *p1, *p2, *endp; + ++ i++; + endp = (char *)atts[i] + strlen(atts[i]); + p1 = (char *)atts[i]; + while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) { +@@ -886,13 +887,13 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + ent.data = NULL; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { + st_entry *recordset; + zval **field; + + if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS && + recordset->type == ST_RECORDSET && +- zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) { ++ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) { + ent.data = *field; + } + diff --git a/failed.txt b/failed.txt index 973db97..4be1206 100644 --- a/failed.txt +++ b/failed.txt @@ -1,10 +1,9 @@ -==== PHP 5.5.38-2 (2016-09-10) +==== PHP 5.5.38-3 (2016-09-19) $ grep -r 'Tests failed' /var/lib/mock/scl55*/build.log /var/lib/mock/scl55el6x/build.log: Tests failed : 0 /var/lib/mock/scl55el7x/build.log: Tests failed : 0 -/var/lib/mock/scl55fc21x/build.log:Tests failed : 0 /var/lib/mock/scl55fc22x/build.log:Tests failed : 0 /var/lib/mock/scl55fc23x/build.log:Tests failed : 2 /var/lib/mock/scl55fc24x/build.log:Tests failed : 2 diff --git a/php.spec b/php.spec index ab7de2d..4ff8a48 100644 --- a/php.spec +++ b/php.spec @@ -140,7 +140,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php Version: 5.5.38 -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -212,6 +212,15 @@ Patch116: bug72838.patch Patch117: bug72848.patch Patch118: bug72849.patch Patch119: bug72850.patch +Patch120: bug72910.patch +Patch121: bug72926.patch +Patch122: bug72928.patch +Patch123: bug73007.patch +Patch124: bug72860.patch +Patch125: bug73029.patch +Patch126: bug73052.patch +Patch127: bug73035.patch +Patch128: bug73065.patch # Security fixes (200+) @@ -922,6 +931,15 @@ support for using the enchant library to PHP. %patch117 -p1 -b .bug72848 %patch118 -p1 -b .bug72849 %patch119 -p1 -b .bug72850 +%patch120 -p1 -b .bug72910 +%patch121 -p1 -b .bug72926 +%patch122 -p1 -b .bug72928 +%patch123 -p1 -b .bug73007 +%patch124 -p1 -b .bug72860 +%patch125 -p1 -b .bug73029 +%patch126 -p1 -b .bug73052 +%patch127 -p1 -b .bug73035 +%patch128 -p1 -b .bug73065 # Fixes for tests %patch300 -p1 -b .datetests @@ -1826,6 +1844,24 @@ EOF %changelog +* Mon Sep 19 2016 Remi Collet 5.5.38-3 +- fix #72910: Out of bounds heap read in mbc_to_code() +- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage + in exif_process_IFD_in_TIFF +- fix #72928: Out of bound when verify signature of zip phar + CVE-2016-7414 +- fix #73007: add locale length check + CVE-2016-7416 +- fix #72860: wddx_deserialize use-after-free + CVE-2016-7413 +- fix #73029: Missing type check when unserializing SplArray + CVE-2016-7417 +- fix #73052: Memory Corruption in During Deserialized-object Destruction + CVE-2016-7411 +- fix #73035: Out of bound when verify signature of tar phar +- fix #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c + CVE-2016-7418 + * Mon Sep 5 2016 Remi Collet 5.5.38-2 - fix #72716: initialize buffer before read (ftp) - fix #72663: destroy broken object when unserializing -- cgit