From 81d085a88766fd8917eb3a1b1afc8e95049b4822 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 17 Dec 2019 17:23:58 +0100
Subject: - bcmath:   Fix #78878 Buffer underflow in bc_shift_addsub  
 CVE-2019-11046 - core:   Fix #78862 link() silently truncates after a null
 byte on Windows   CVE-2019-11044   Fix #78863 DirectoryIterator class
 silently truncates after a null byte   CVE-2019-11045 - exif   Fix #78793
 Use-after-free in exif parsing under memory sanitizer   CVE-2019-11050   Fix
 #78910 Heap-buffer-overflow READ in exif   CVE-2019-11047 - use oracle client
 library version 19.5 (18.5 on EL-6)

---
 php-bug78878.patch | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 php-bug78878.patch

(limited to 'php-bug78878.patch')

diff --git a/php-bug78878.patch b/php-bug78878.patch
new file mode 100644
index 0000000..7d54bda
--- /dev/null
+++ b/php-bug78878.patch
@@ -0,0 +1,68 @@
+From e6614bec92634d91d2406bf9e997675b52971769 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 30 Nov 2019 12:26:37 +0100
+Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
+
+We must not rely on `isdigit()` to detect digits, since we only support
+decimal ASCII digits in the following processing.
+
+(cherry picked from commit eb23c6008753b1cdc5359dead3a096dce46c9018)
+---
+ NEWS                               |  6 ++++++
+ ext/bcmath/libbcmath/src/str2num.c |  4 ++--
+ ext/bcmath/tests/bug78878.phpt     | 13 +++++++++++++
+ 3 files changed, 21 insertions(+), 2 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug78878.phpt
+
+diff --git a/NEWS b/NEWS
+index 9d7b600cf0..5102c97629 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,12 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.2.26
++
++- Bcmath:
++  . Fixed bug #78878 (Buffer underflow in bc_shift_addsub). (CVE-2019-11046).
++    (cmb)
++
+ Backported from 7.1.33
+ 
+ - FPM:
+diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
+index c484c158e5..a5e7850160 100644
+--- a/ext/bcmath/libbcmath/src/str2num.c
++++ b/ext/bcmath/libbcmath/src/str2num.c
+@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale TSRMLS_DC)
+   zero_int = FALSE;
+   if ( (*ptr == '+') || (*ptr == '-'))  ptr++;  /* Sign */
+   while (*ptr == '0') ptr++;			/* Skip leading zeros. */
+-  while (isdigit((int)*ptr)) ptr++, digits++;	/* digits */
++  while (*ptr >= '0' && *ptr <= '9') ptr++, digits++;	/* digits */
+   if (*ptr == '.') ptr++;			/* decimal point */
+-  while (isdigit((int)*ptr)) ptr++, strscale++;	/* digits */
++  while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++;	/* digits */
+   if ((*ptr != '\0') || (digits+strscale == 0))
+     {
+       *num = bc_copy_num (BCG(_zero_));
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+new file mode 100644
+index 0000000000..2c9d72b946
+--- /dev/null
++++ b/ext/bcmath/tests/bug78878.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #78878 (Buffer underflow in bc_shift_addsub)
++--SKIPIF--
++<?php
++if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
++?>
++--FILE--
++<?php
++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
++?>
++--EXPECT--
++bc math warning: non-zero scale in modulus
++0
-- 
cgit