- core:

Fix #77369 memcpy with negative length via crafted DNS response - mbstring: Fix #77370 buffer overflow on mb regex functions - fetch_token Fix #77371 heap buffer overflow in mb regex functions compile_string_node Fix #77381 heap buffer overflow in multibyte match_at Fix #77382 heap buffer overflow in expand_case_fold_string Fix #77385 buffer overflow in fetch_token Fix #77394 buffer overflow in multibyte case folding - unicode Fix #77418 heap overflow in utf32be_mbc_to_code - phar: Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc: Fix #77242 heap out of bounds read in xmlrpc_decode Fix #77380 global out of bounds read in xmlrpc base64 code
author: Remi Collet <remi@remirepo.net> 2019-01-09 14:51:03 +0100
committer: Remi Collet <remi@remirepo.net> 2019-01-09 14:51:03 +0100
commit: 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch)
tree: 9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a
parent: 022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff)
10 files changed, 603 insertions, 3 deletions
diff --git a/failed.txt b/failed.txt
index 4e81e54..240ccda 100644
--- a/failed.txt
+++ b/failed.txt
@@ -1,4 +1,4 @@
-===== 7.0.33 (2018-12-06)
+===== 7.0.33-2 (2019-01-10)
 
 $ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
 
@@ -8,9 +8,11 @@ $ grep -r 'Tests failed' /var/lib/mock/scl70*/build.log
 /var/lib/mock/scl70fc26x/build.log:Tests failed    :    0
 /var/lib/mock/scl70fc27x/build.log:Tests failed    :    0
 /var/lib/mock/scl70fc28x/build.log:Tests failed    :    0
-/var/lib/mock/scl70fc29x/build.log:Tests failed    :    0
+/var/lib/mock/scl70fc29x/build.log:Tests failed    :    1
 
 
+fc29x:
+	1	Bug #64438 proc_open hangs with stdin/out with 4097+ bytes [ext/standard/tests/streams/proc_open_bug64438.phpt]
 
 
 1	proc_open give erratic test results :(
diff --git a/php-bug77242.patch b/php-bug77242.patch
new file mode 100644
index 0000000..b6afc78
--- /dev/null
+++ b/php-bug77242.patch
@@ -0,0 +1,45 @@
+Backported for 7.0 by Remi
+
+
+From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 17:56:36 -0800
+Subject: [PATCH] Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
+
+---
+ ext/xmlrpc/libxmlrpc/xml_element.c |  3 +++
+ ext/xmlrpc/tests/bug77242.phpt     | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+ create mode 100644 ext/xmlrpc/tests/bug77242.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c
+index 56642d46142e..eeec5379bf68 100644
+--- a/ext/xmlrpc/libxmlrpc/xml_element.c
++++ b/ext/xmlrpc/libxmlrpc/xml_element.c
+@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI
+          long byte_idx = XML_GetCurrentByteIndex(parser);
+ /*         int byte_total = XML_GetCurrentByteCount(parser); */
+          const char * error_str = XML_ErrorString(err_code);
++         if(byte_idx > len) {
++             byte_idx = len;
++         }
+          if(byte_idx >= 0) {
+              snprintf(buf,
+                       sizeof(buf),
+diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt
+new file mode 100644
+index 000000000000..542c06311f74
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77242.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #77242 (heap out of bounds read in xmlrpc_decode())
++--SKIPIF--
++<?php if (!extension_loaded("xmlrpc")) print "skip"; ?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PD94bWwgdmVyc2lvbmVuY29kaW5nPSJJU084ODU5NyKkpKSkpKSkpKSkpKSkpKSkpKSkpKSk")));
++?>
++--EXPECT--
++NULL
+\ No newline at end of file
diff --git a/php-bug77247.patch b/php-bug77247.patch
new file mode 100644
index 0000000..6a2c8b4
--- /dev/null
+++ b/php-bug77247.patch
@@ -0,0 +1,49 @@
+Backported for 7.0 by Remi
+
+
+From 78bd3477745f1ada9578a79f61edb41886bec1cb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 18:25:37 -0800
+Subject: [PATCH] Fix bug #77247 (heap buffer overflow in
+ phar_detect_phar_fname_ext)
+
+---
+ ext/phar/phar.c              |  2 +-
+ ext/phar/tests/bug77247.phpt | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug77247.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 82a9ef31943a..0d2173195c32 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -2021,7 +2021,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha
+ 	}
+ 
+ 	while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
+-		pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
++		pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
+ 		if (!pos) {
+ 			return FAILURE;
+ 		}
+diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
+new file mode 100644
+index 000000000000..588975f9f2f8
+--- /dev/null
++++ b/ext/phar/tests/bug77247.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++var_dump(new Phar('a/.b', 0,'test.phar'));
++} catch(UnexpectedValueException $e) {
++	echo "OK";
++}
++?>
++--EXPECT--
++OK
+\ No newline at end of file
diff --git a/php-bug77369.patch b/php-bug77369.patch
new file mode 100644
index 0000000..21fb348
--- /dev/null
+++ b/php-bug77369.patch
@@ -0,0 +1,42 @@
+Backported for 7.0 by Remi
+
+
+From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 20:39:08 -0800
+Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS
+ response
+
+---
+ ext/standard/dns.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 8e102f816f6e..b5fbcb96f968 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u
+ 	GETLONG(ttl, cp);
+ 	GETSHORT(dlen, cp);
+ 	CHECKCP(dlen);
++	if (dlen == 0) {
++		/* No data in the response - nothing to do */
++		return NULL;
++	}
+ 	if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ 		cp += dlen;
+ 		return cp;
+@@ -549,7 +553,12 @@ static u_char *php_parserr(u_char *cp, u
+ 			CHECKCP(n);
+ 			add_assoc_stringl(subarray, "tag", (char*)cp, n);
+ 			cp += n;
+-			add_assoc_string(subarray, "value", (char*)cp);
++			if ( (size_t) dlen < ((size_t)n) + 2 ) {
++				return NULL;
++			}
++ 			n = dlen - n - 2;
++ 			CHECKCP(n);
++ 			add_assoc_stringl(subarray, "value", (char*)cp, n);
+ 			break;
+ 		case DNS_T_TXT:
+ 			{
diff --git a/php-bug77370.patch b/php-bug77370.patch
new file mode 100644
index 0000000..b85944a
--- /dev/null
+++ b/php-bug77370.patch
@@ -0,0 +1,66 @@
+From deb06bbb9cbb31292fc219501614a8c3ff25bb11 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 19:51:24 -0800
+Subject: [PATCH] Fix bug #77370 - check that we do not read past buffer end
+ when parsing multibytes
+
+---
+ ext/mbstring/oniguruma/regparse.c |  9 +++++++++
+ ext/mbstring/tests/bug77370.phpt  | 13 +++++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 ext/mbstring/tests/bug77370.phpt
+
+diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
+index d2925f1e81b0..252ca1871202 100644
+--- a/ext/mbstring/oniguruma/regparse.c
++++ b/ext/mbstring/oniguruma/regparse.c
+@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ }
+ #endif
+ 
++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
++# define UNEXPECTED(condition) __builtin_expect(condition, 0)
++#else
++# define UNEXPECTED(condition) (condition)
++#endif
++
+ /* scan pattern methods */
+ #define PEND_VALUE   0
+ 
+@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+   pfetch_prev = p; \
+   p += ONIGENC_MBC_ENC_LEN(enc, p); \
++  if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ 
+ #define PINC_S     do { \
+   p += ONIGENC_MBC_ENC_LEN(enc, p); \
++  if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ #define PFETCH_S(c) do { \
+   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+   p += ONIGENC_MBC_ENC_LEN(enc, p); \
++  if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ 
+ #define PPEEK        (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
+diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt
+new file mode 100644
+index 000000000000..c4d25582fe3b
+--- /dev/null
++++ b/ext/mbstring/tests/bug77370.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_split("   \xfd",""));
++?>
++--EXPECT--
++array(1) {
++  [0]=>
++  string(0) ""
++}
diff --git a/php-bug77371.patch b/php-bug77371.patch
new file mode 100644
index 0000000..e574827
--- /dev/null
+++ b/php-bug77371.patch
@@ -0,0 +1,41 @@
+From c6e34d91b88638966662caac62c4d0e90538e317 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 20:06:08 -0800
+Subject: [PATCH] Fix bug #77371 (heap buffer overflow in mb regex functions -
+ compile_string_node)
+
+---
+ ext/mbstring/oniguruma/regcomp.c |  1 +
+ ext/mbstring/tests/bug77371.phpt | 10 ++++++++++
+ 2 files changed, 11 insertions(+)
+ create mode 100644 ext/mbstring/tests/bug77371.phpt
+
+diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
+index b93ca948a773..c72d65d6942f 100644
+--- a/ext/mbstring/oniguruma/regcomp.c
++++ b/ext/mbstring/oniguruma/regcomp.c
+@@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg)
+ 
+   for (; p < end; ) {
+     len = enclen(enc, p);
++    if (p + len > end) len = end - p;
+     if (len == prev_len) {
+       slen++;
+     }
+diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
+new file mode 100644
+index 000000000000..f23445bd0917
+--- /dev/null
++++ b/ext/mbstring/tests/bug77371.phpt
+@@ -0,0 +1,10 @@
++--TEST--
++Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
++?>
++--EXPECT--
++bool(false)
+\ No newline at end of file
diff --git a/php-bug77380.patch b/php-bug77380.patch
new file mode 100644
index 0000000..4aea7b5
--- /dev/null
+++ b/php-bug77380.patch
@@ -0,0 +1,57 @@
+From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 1 Jan 2019 17:15:20 -0800
+Subject: [PATCH] Fix bug #77380  (Global out of bounds read in xmlrpc base64
+ code)
+
+---
+ ext/xmlrpc/libxmlrpc/base64.c  |  4 ++--
+ ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug77380.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
+index 5ebdf31f7ade..a4fa19327b76 100644
+--- a/ext/xmlrpc/libxmlrpc/base64.c
++++ b/ext/xmlrpc/libxmlrpc/base64.c
+@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
+ 
+   while (!hiteof) {
+     unsigned char igroup[3], ogroup[4];
+-    int c, n;
++	int c, n;
+ 
+     igroup[0] = igroup[1] = igroup[2] = 0;
+     for (n = 0; n < 3; n++) {
+@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
+ 		return;
+ 	    }
+ 
+-	    if (dtable[c] & 0x80) {
++	    if (dtable[(unsigned char)c] & 0x80) {
+ 	      /*
+ 	      fprintf(stderr, "Offset %i length %i\n", offset, length);
+ 	      fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
+diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt
+new file mode 100644
+index 000000000000..8559c07a5aea
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77380.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #77380 (Global out of bounds read in xmlrpc base64 code)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo=")));
++?>
++--EXPECT--
++object(stdClass)#1 (2) {
++  ["scalar"]=>
++  string(0) ""
++  ["xmlrpc_type"]=>
++  string(6) "base64"
++}
diff --git a/php-bug77381.patch b/php-bug77381.patch
new file mode 100644
index 0000000..7494049
--- /dev/null
+++ b/php-bug77381.patch
@@ -0,0 +1,158 @@
+From 31f59e1f3074ab344b473dde6077a6844ca87264 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 2 Jan 2019 00:36:30 -0800
+Subject: [PATCH] Fix more issues with encodilng length
+
+Should fix bug #77381, bug #77382, bug #77385, bug #77394.
+---
+ ext/mbstring/oniguruma/enc/unicode.c |  1 +
+ ext/mbstring/oniguruma/regcomp.c     | 11 +++++------
+ ext/mbstring/oniguruma/regparse.c    | 10 +++-------
+ ext/mbstring/oniguruma/regparse.h    | 12 ++++++++++++
+ ext/mbstring/tests/bug77371.phpt     |  2 +-
+ ext/mbstring/tests/bug77381.phpt     | 16 ++++++++++++++++
+ 6 files changed, 38 insertions(+), 14 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug77381.phpt
+
+diff --git a/ext/mbstring/oniguruma/enc/unicode.c b/ext/mbstring/oniguruma/enc/unicode.c
+index e13429f51e9c..9f86095896b6 100644
+--- a/ext/mbstring/oniguruma/enc/unicode.c
++++ b/ext/mbstring/oniguruma/enc/unicode.c
+@@ -10989,6 +10989,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc,
+ 
+   code = ONIGENC_MBC_TO_CODE(enc, p, end);
+   len = enclen(enc, p);
++  if (*pp + len > end) len = end - *pp;
+   *pp += len;
+ 
+ #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
+diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c
+index c72d65d6942f..820257341f54 100644
+--- a/ext/mbstring/oniguruma/regcomp.c
++++ b/ext/mbstring/oniguruma/regcomp.c
+@@ -469,13 +469,13 @@ compile_length_string_node(Node* node, regex_t* reg)
+   ambig = NSTRING_IS_AMBIG(node);
+ 
+   p = prev = sn->s;
+-  prev_len = enclen(enc, p);
++  SAFE_ENC_LEN(enc, p, sn->end, prev_len);
+   p += prev_len;
+   slen = 1;
+   rlen = 0;
+ 
+   for (; p < sn->end; ) {
+-    len = enclen(enc, p);
++    SAFE_ENC_LEN(enc, p, sn->end, len);
+     if (len == prev_len) {
+       slen++;
+     }
+@@ -518,13 +518,12 @@ compile_string_node(Node* node, regex_t* reg)
+   ambig = NSTRING_IS_AMBIG(node);
+ 
+   p = prev = sn->s;
+-  prev_len = enclen(enc, p);
++  SAFE_ENC_LEN(enc, p, end, prev_len);
+   p += prev_len;
+   slen = 1;
+ 
+   for (; p < end; ) {
+-    len = enclen(enc, p);
+-    if (p + len > end) len = end - p;
++    SAFE_ENC_LEN(enc, p, end, len);
+     if (len == prev_len) {
+       slen++;
+     }
+@@ -3391,7 +3390,7 @@ expand_case_fold_string(Node* node, regex_t* reg)
+       goto err;
+     }
+ 
+-    len = enclen(reg->enc, p);
++	SAFE_ENC_LEN(reg->enc, p, end, len);
+ 
+     if (n == 0) {
+       if (IS_NULL(snode)) {
+diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
+index 252ca1871202..fcfaf4378c06 100644
+--- a/ext/mbstring/oniguruma/regparse.c
++++ b/ext/mbstring/oniguruma/regparse.c
+@@ -246,12 +246,6 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ }
+ #endif
+ 
+-#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
+-# define UNEXPECTED(condition) __builtin_expect(condition, 0)
+-#else
+-# define UNEXPECTED(condition) (condition)
+-#endif
+-
+ /* scan pattern methods */
+ #define PEND_VALUE   0
+ 
+@@ -3589,7 +3583,9 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
+ 	tok->u.code = (OnigCodePoint )num;
+       }
+       else { /* string */
+-	p = tok->backp + enclen(enc, tok->backp);
++          int len;
++          SAFE_ENC_LEN(enc, tok->backp, end, len);
++          p = tok->backp + len;
+       }
+       break;
+     }
+diff --git a/ext/mbstring/oniguruma/regparse.h b/ext/mbstring/oniguruma/regparse.h
+index 0c5c2c936c04..bcab03ed5892 100644
+--- a/ext/mbstring/oniguruma/regparse.h
++++ b/ext/mbstring/oniguruma/regparse.h
+@@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex_t*);
+ #endif
+ #endif
+ 
++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
++# define UNEXPECTED(condition) __builtin_expect(condition, 0)
++#else
++# define UNEXPECTED(condition) (condition)
++#endif
++
++#define SAFE_ENC_LEN(enc, p, end, res) do {  \
++    int __res = enclen(enc, p);              \
++    if (UNEXPECTED(p + __res > end)) __res = end - p;    \
++	res = __res;                             \
++} while(0);
++
+ #endif /* REGPARSE_H */
+diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt
+index f23445bd0917..33e5fc115c96 100644
+--- a/ext/mbstring/tests/bug77371.phpt
++++ b/ext/mbstring/tests/bug77371.phpt
+@@ -4,7 +4,7 @@ Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
+ <?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
+ --FILE--
+ <?php
+-var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""))
++var_dump(mb_ereg("()0\xfc00000\xfc00000\xfc00000\xfc",""));
+ ?>
+ --EXPECT--
+ bool(false)
+\ No newline at end of file
+diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt
+new file mode 100644
+index 000000000000..cb83759fc09b
+--- /dev/null
++++ b/ext/mbstring/tests/bug77381.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #77381 (heap buffer overflow in multibyte match_at)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_ereg("000||0\xfa","0"));
++var_dump(mb_ereg("(?i)000000000000000000000\xf0",""));
++var_dump(mb_ereg("0000\\"."\xf5","0"));
++var_dump(mb_ereg("(?i)FFF00000000000000000\xfd",""));
++?>
++--EXPECT--
++int(1)
++bool(false)
++bool(false)
++bool(false)
diff --git a/php-bug77418.patch b/php-bug77418.patch
new file mode 100644
index 0000000..7810cf6
--- /dev/null
+++ b/php-bug77418.patch
@@ -0,0 +1,103 @@
+From 9d6c59eeea88a3e9d7039cb4fed5126ef704593a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 6 Jan 2019 23:31:15 -0800
+Subject: [PATCH] Fix bug #77418 - Heap overflow in utf32be_mbc_to_code
+
+---
+ NEWS                                  |  7 ++++---
+ ext/mbstring/oniguruma/enc/utf16_be.c |  4 +++-
+ ext/mbstring/oniguruma/enc/utf16_le.c |  3 ++-
+ ext/mbstring/oniguruma/enc/utf32_be.c |  1 +
+ ext/mbstring/oniguruma/enc/utf32_le.c |  1 +
+ ext/mbstring/tests/bug77418.phpt      | 14 ++++++++++++++
+ 6 files changed, 25 insertions(+), 5 deletions(-)
+ create mode 100644 ext/mbstring/tests/bug77418.phpt
+
+diff --git a/ext/mbstring/oniguruma/enc/utf16_be.c b/ext/mbstring/oniguruma/enc/utf16_be.c
+index 1e909ebbf293..9e2f73b0735e 100644
+--- a/ext/mbstring/oniguruma/enc/utf16_be.c
++++ b/ext/mbstring/oniguruma/enc/utf16_be.c
+@@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end)
+ }
+ 
+ static OnigCodePoint
+-utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++utf16be_mbc_to_code(const UChar* p, const UChar* end)
+ {
+   OnigCodePoint code;
+ 
+   if (UTF16_IS_SURROGATE_FIRST(*p)) {
++    if (end - p < 4) return 0;
+     code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16)
+          + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8)
+          + p[3];
+   }
+   else {
++    if (end - p < 2) return 0;
+     code = p[0] * 256 + p[1];
+   }
+   return code;
+diff --git a/ext/mbstring/oniguruma/enc/utf16_le.c b/ext/mbstring/oniguruma/enc/utf16_le.c
+index 5cc07591173a..580f8dffa2f4 100644
+--- a/ext/mbstring/oniguruma/enc/utf16_le.c
++++ b/ext/mbstring/oniguruma/enc/utf16_le.c
+@@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end)
+ }
+ 
+ static OnigCodePoint
+-utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++utf16le_mbc_to_code(const UChar* p, const UChar* end)
+ {
+   OnigCodePoint code;
+   UChar c0 = *p;
+   UChar c1 = *(p+1);
+ 
+   if (UTF16_IS_SURROGATE_FIRST(c1)) {
++    if (end - p < 4) return 0;
+     code = ((((c1 - 0xd8) << 2) + ((c0  & 0xc0) >> 6) + 1) << 16)
+          + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8)
+          + p[2];
+diff --git a/ext/mbstring/oniguruma/enc/utf32_be.c b/ext/mbstring/oniguruma/enc/utf32_be.c
+index b4f822607c89..5295f26b1e59 100644
+--- a/ext/mbstring/oniguruma/enc/utf32_be.c
++++ b/ext/mbstring/oniguruma/enc/utf32_be.c
+@@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
+ static OnigCodePoint
+ utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+ {
++  if (end - p < 4) return 0;
+   return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
+ }
+ 
+diff --git a/ext/mbstring/oniguruma/enc/utf32_le.c b/ext/mbstring/oniguruma/enc/utf32_le.c
+index 8f413bfc74e1..a78c4d0abcc7 100644
+--- a/ext/mbstring/oniguruma/enc/utf32_le.c
++++ b/ext/mbstring/oniguruma/enc/utf32_le.c
+@@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end)
+ static OnigCodePoint
+ utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
+ {
++  if (end - p < 4) return 0;
+   return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]);
+ }
+ 
+diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt
+new file mode 100644
+index 000000000000..b4acc45c2117
+--- /dev/null
++++ b/ext/mbstring/tests/bug77418.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #77371 (Heap overflow in utf32be_mbc_to_code)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++mb_regex_encoding("UTF-32");
++var_dump(mb_split("\x00\x00\x00\x5c\x00\x00\x00B","000000000000000000000000000000"));
++?>
++--EXPECT--
++array(1) {
++  [0]=>
++  string(30) "000000000000000000000000000000"
++}
diff --git a/php.spec b/php.spec
index 42de827..aa82877 100644
--- a/php.spec
+++ b/php.spec
@@ -126,7 +126,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 1%{?dist}
+Release: 2%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -187,8 +187,17 @@ Patch91: php-5.6.3-oci8conf.patch
 # Upstream fixes (100+)
 Patch100: https://github.com/php/php-src/commit/be50a72715c141befe6f34ece660745da894aaf3.patch
 Patch101: https://github.com/php/php-src/commit/2ef8809ef3beb5f58b81dcff49bdcde4d2cb8426.patch
+Patch102: php-openssl-cert.patch
 
 # Security fixes (200+)
+Patch200: php-bug77242.patch
+Patch201: php-bug77247.patch
+Patch202: php-bug77370.patch
+Patch203: php-bug77371.patch
+Patch204: php-bug77380.patch
+Patch205: php-bug77381.patch
+Patch206: php-bug77369.patch
+Patch207: php-bug77418.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -919,8 +928,19 @@ support for JavaScript Object Notation (JSON) to PHP.
 # upstream patches
 %patch100 -p1 -b .up1
 %patch101 -p1 -b .up2
+%patch102 -p1 -b .up3
 
 # security patches
+%patch200 -p1 -b .bug77242
+%patch201 -p1 -b .bug77247
+%patch202 -p1 -b .bug77370
+%patch203 -p1 -b .bug77371
+%patch204 -p1 -b .bug77380
+%patch205 -p1 -b .bug77381
+%patch206 -p1 -b .bug77369
+%patch207 -p1 -b .bug77418
+: ---------------------------
+#exit 1
 
 # Fixes for tests
 %patch300 -p1 -b .datetests
@@ -1854,6 +1874,23 @@ fi
 
 
 %changelog
+* Wed Jan  9 2019 Remi Collet <remi@remirepo.net> - 7.0.33-2
+- core:
+  Fix #77369 memcpy with negative length via crafted DNS response
+- mbstring:
+  Fix #77370 buffer overflow on mb regex functions - fetch_token
+  Fix #77371 heap buffer overflow in mb regex functions compile_string_node
+  Fix #77381 heap buffer overflow in multibyte match_at
+  Fix #77382 heap buffer overflow in expand_case_fold_string
+  Fix #77385 buffer overflow in fetch_token
+  Fix #77394 buffer overflow in multibyte case folding - unicode
+  Fix #77418 heap overflow in utf32be_mbc_to_code
+- phar:
+  Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext
+- xmlrpc:
+  Fix #77242 heap out of bounds read in xmlrpc_decode
+  Fix #77380 global out of bounds read in xmlrpc base64 code
+
 * Wed Dec  5 2018 Remi Collet <remi@remirepo.net> - 7.0.33-1
 - Update to 7.0.33 - http://www.php.net/releases/7_0_33.php
 - use oracle client library version 18.3
author	Remi Collet <remi@remirepo.net>	2019-01-09 14:51:03 +0100
committer	Remi Collet <remi@remirepo.net>	2019-01-09 14:51:03 +0100
commit	8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f (patch)
tree	9dc37c9e8dd266acfd5d3c5a01907c10b34f7e9a
parent	022c16b4244a74cae83e8895cf88d32eaa5fde0e (diff)