From f1e91ce7ba0eb5df6b73823e9fb9130c489d9b0c Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Mon, 28 Jun 2021 13:51:57 +0200
Subject: Fix #81122 SSRF bypass in FILTER_VALIDATE_URL   CVE-2021-21705 Fix
 #76448 Stack buffer overflow in firebird_info_cb Fix #76449 SIGSEGV in
 firebird_handle_doer Fix #76450 SIGSEGV in firebird_stmt_execute Fix #76452
 Crash while parsing blob data in firebird_fetch_blob   CVE-2021-21704

---
 .gitignore         |   1 +
 php-bug76450.patch | 278 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 php-bug81122.patch |  88 +++++++++++++++++
 php.spec           |  19 +++-
 4 files changed, 383 insertions(+), 3 deletions(-)
 create mode 100644 php-bug76450.patch
 create mode 100644 php-bug81122.patch

diff --git a/.gitignore b/.gitignore
index df4c9dc..73e1878 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
+clog
 php-*.tar.xz
 php70-php-*src.rpm
diff --git a/php-bug76450.patch b/php-bug76450.patch
new file mode 100644
index 0000000..e745e42
--- /dev/null
+++ b/php-bug76450.patch
@@ -0,0 +1,278 @@
+From b671a8dd887ae7f661f6233e734179e8bca3daf6 Mon Sep 17 00:00:00 2001
+From: sim1984 <sim-mail@list.ru>
+Date: Mon, 25 Jun 2018 21:35:51 +0300
+Subject: [PATCH 3/8] Fix bug #76488 Memory leak when fetching a BLOB field
+
+Add a phpt test
+
+(cherry picked from commit 3847a6fcb63c362548e9434b195232f2dcf7a6c7)
+---
+ ext/pdo_firebird/firebird_statement.c |  2 +-
+ ext/pdo_firebird/tests/bug_76488.phpt | 32 +++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 1 deletion(-)
+ create mode 100644 ext/pdo_firebird/tests/bug_76488.phpt
+
+diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
+index 3feeedf39f..88be6da369 100644
+--- a/ext/pdo_firebird/firebird_statement.c
++++ b/ext/pdo_firebird/firebird_statement.c
+@@ -294,7 +294,7 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
+ 		unsigned short seg_len;
+ 		ISC_STATUS stat;
+ 
+-		*ptr = S->fetch_buf[colno] = erealloc(*ptr, *len+1);
++		*ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
+ 
+ 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
+ 
+diff --git a/ext/pdo_firebird/tests/bug_76488.phpt b/ext/pdo_firebird/tests/bug_76488.phpt
+new file mode 100644
+index 0000000000..dba6734c28
+--- /dev/null
++++ b/ext/pdo_firebird/tests/bug_76488.phpt
+@@ -0,0 +1,32 @@
++--TEST--
++PDO_Firebird: Bug #76488 Memory leak when fetching a BLOB field
++--SKIPIF--
++<?php if (!extension_loaded('interbase') || !extension_loaded('pdo_firebird')) die('skip'); ?>
++--FILE--
++<?php
++require 'testdb.inc';
++$dbh = new PDO('firebird:dbname='.$test_base, $user, $password) or die;
++
++$sql = '
++with recursive r(n) as (
++  select 1 from rdb$database
++  union all
++  select n+1 from r where n < 1000
++)
++select n,
++       cast(lpad(\'A\', 8000, \'A\') as BLOB sub_type TEXT) as SRC
++from r 
++';
++
++    for ($i = 0; $i < 10; $i++) {
++        $sth = $dbh->prepare($sql);
++        $sth->execute();          
++        $rows = $sth->fetchAll();
++	    unset($rows);
++	    unset($sth);
++    }
++    unset($dbh);
++    echo "OK";
++?>
++--EXPECT--
++OK
+\ No newline at end of file
+-- 
+2.31.1
+
+From 9a58cd2ba3d99f5312966566a3632b197b676830 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 5 May 2021 12:42:17 +0200
+Subject: [PATCH 4/8] Fix #76452: Crash while parsing blob data in
+ firebird_fetch_blob
+
+We need to prevent integer overflow when calling `erealloc()` with
+`len+1`.
+
+(cherry picked from commit 286162e9b03071c4308e7e92597bca4239f49d89)
+---
+ ext/pdo_firebird/firebird_statement.c |   5 +++++
+ ext/pdo_firebird/tests/bug_76452.data | Bin 0 -> 856 bytes
+ ext/pdo_firebird/tests/bug_76452.phpt |  31 ++++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+)
+ create mode 100644 ext/pdo_firebird/tests/bug_76452.data
+ create mode 100644 ext/pdo_firebird/tests/bug_76452.phpt
+
+diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
+index 88be6da369..fde897186d 100644
+--- a/ext/pdo_firebird/firebird_statement.c
++++ b/ext/pdo_firebird/firebird_statement.c
+@@ -294,6 +294,11 @@ static int firebird_fetch_blob(pdo_stmt_t *stmt, int colno, char **ptr, /* {{{ *
+ 		unsigned short seg_len;
+ 		ISC_STATUS stat;
+ 
++		/* prevent overflow */
++		if (*len == ZEND_ULONG_MAX) {
++			result = 0;
++			goto fetch_blob_end;
++		}
+ 		*ptr = S->fetch_buf[colno] = erealloc(S->fetch_buf[colno], *len+1);
+ 
+ 		for (cur_len = stat = 0; (!stat || stat == isc_segment) && cur_len < *len; cur_len += seg_len) {
+
+From 7b11e10fa679a575ca61e5bcd66db68193a3b2fb Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 30 Apr 2021 14:10:50 +0200
+Subject: [PATCH 5/8] Fix #76450: SIGSEGV in firebird_stmt_execute
+
+We need to verify that the `result_size` is not larger than our buffer,
+and also should make sure that the `len` which is passed to
+`isc_vax_integer()` has a permissible value; otherwise we bail out.
+
+(cherry picked from commit bcbf8aa0c96d8d9e81ec3428232485555fae0b37)
+---
+ ext/pdo_firebird/firebird_statement.c |   7 +++++++
+ ext/pdo_firebird/tests/bug_76450.data | Bin 0 -> 464 bytes
+ ext/pdo_firebird/tests/bug_76450.phpt |  29 ++++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+)
+ create mode 100644 ext/pdo_firebird/tests/bug_76450.data
+ create mode 100644 ext/pdo_firebird/tests/bug_76450.phpt
+
+diff --git a/ext/pdo_firebird/firebird_statement.c b/ext/pdo_firebird/firebird_statement.c
+index fde897186d..537f6f4038 100644
+--- a/ext/pdo_firebird/firebird_statement.c
++++ b/ext/pdo_firebird/firebird_statement.c
+@@ -133,8 +133,14 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
+ 				}
+ 				if (result[0] == isc_info_sql_records) {
+ 					unsigned i = 3, result_size = isc_vax_integer(&result[1], 2);
++					if (result_size > sizeof(result)) {
++						goto error;
++					}
+ 					while (result[i] != isc_info_end && i < result_size) {
+ 						short len = (short) isc_vax_integer(&result[i + 1], 2);
++						if (len != 1 && len != 2 && len != 4) {
++							goto error;
++						}
+ 						if (result[i] != isc_info_req_select_count) {
+ 							affected_rows += isc_vax_integer(&result[i + 3], len);
+ 						}
+@@ -158,6 +164,7 @@ static int firebird_stmt_execute(pdo_stmt_t *stmt) /* {{{ */
+ 		return 1;
+ 	} while (0);
+ 
++error:
+ 	RECORD_ERROR(stmt);
+ 
+ 	return 0;
+
+From 5952ac3d2e87d5f00a32f28d6f66209955e6e777 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 30 Apr 2021 13:53:21 +0200
+Subject: [PATCH 6/8] Fix #76449: SIGSEGV in firebird_handle_doer
+
+We need to verify that the `result_size` is not larger than our buffer,
+and also should make sure that the `len` which is passed to
+`isc_vax_integer()` has a permissible value; otherwise we bail out.
+
+(cherry picked from commit 08da7c73726f7b86b67d6f0ff87c73c585a7834a)
+---
+ ext/pdo_firebird/firebird_driver.c    |   9 +++++++++
+ ext/pdo_firebird/tests/bug_76449.data | Bin 0 -> 464 bytes
+ ext/pdo_firebird/tests/bug_76449.phpt |  23 +++++++++++++++++++++++
+ 3 files changed, 32 insertions(+)
+ create mode 100644 ext/pdo_firebird/tests/bug_76449.data
+ create mode 100644 ext/pdo_firebird/tests/bug_76449.phpt
+
+diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
+index 166fb13d43..46699d51d4 100644
+--- a/ext/pdo_firebird/firebird_driver.c
++++ b/ext/pdo_firebird/firebird_driver.c
+@@ -253,8 +253,17 @@ static zend_long firebird_handle_doer(pdo_dbh_t *dbh, const char *sql, size_t sq
+ 	if (result[0] == isc_info_sql_records) {
+ 		unsigned i = 3, result_size = isc_vax_integer(&result[1],2);
+ 
++		if (result_size > sizeof(result)) {
++			ret = -1;
++			goto free_statement;
++		}
+ 		while (result[i] != isc_info_end && i < result_size) {
+ 			short len = (short)isc_vax_integer(&result[i+1],2);
++			/* bail out on bad len */
++			if (len != 1 && len != 2 && len != 4) {
++				ret = -1;
++				goto free_statement;
++			}
+ 			if (result[i] != isc_info_req_select_count) {
+ 				ret += isc_vax_integer(&result[i+3],len);
+ 			}
+
+From a1793d85e89a0c33b5496beec204ef3491af4bdc Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Thu, 29 Apr 2021 15:26:22 +0200
+Subject: [PATCH 7/8] Fix #76448: Stack buffer overflow in firebird_info_cb
+
+We ensure not to overflow the stack allocated buffer by using `strlcat`.
+
+(cherry picked from commit 67afa32541ebc4abbf633cb1e7e879b2fbb616ad)
+---
+ ext/pdo_firebird/firebird_driver.c    |   8 +++++---
+ ext/pdo_firebird/tests/bug_76448.data | Bin 0 -> 749 bytes
+ ext/pdo_firebird/tests/bug_76448.phpt |  23 +++++++++++++++++++++++
+ 3 files changed, 28 insertions(+), 3 deletions(-)
+ create mode 100644 ext/pdo_firebird/tests/bug_76448.data
+ create mode 100644 ext/pdo_firebird/tests/bug_76448.phpt
+
+diff --git a/ext/pdo_firebird/firebird_driver.c b/ext/pdo_firebird/firebird_driver.c
+index 46699d51d4..48808d6f3d 100644
+--- a/ext/pdo_firebird/firebird_driver.c
++++ b/ext/pdo_firebird/firebird_driver.c
+@@ -556,14 +556,16 @@ static int firebird_handle_set_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
+ }
+ /* }}} */
+ 
++#define INFO_BUF_LEN 512
++
+ /* callback to used to report database server info */
+ static void firebird_info_cb(void *arg, char const *s) /* {{{ */
+ {
+ 	if (arg) {
+ 		if (*(char*)arg) { /* second call */
+-			strcat(arg, " ");
++			strlcat(arg, " ", INFO_BUF_LEN);
+ 		}
+-		strcat(arg, s);
++		strlcat(arg, s, INFO_BUF_LEN);
+ 	}
+ }
+ /* }}} */
+@@ -574,7 +576,7 @@ static int firebird_handle_get_attribute(pdo_dbh_t *dbh, zend_long attr, zval *v
+ 	pdo_firebird_db_handle *H = (pdo_firebird_db_handle *)dbh->driver_data;
+ 
+ 	switch (attr) {
+-		char tmp[512];
++		char tmp[INFO_BUF_LEN];
+ 
+ 		case PDO_ATTR_AUTOCOMMIT:
+ 			ZVAL_LONG(val,dbh->auto_commit);
+
+From 4faea6cc54c742245639ba2736b199c711f2a77b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 20 Jun 2021 22:20:38 -0700
+Subject: [PATCH 8/8] Update NEWS
+
+(cherry picked from commit c68a687566591e2268f35d124a90c7d556ce968b)
+(cherry picked from commit 7598733c51af30611aa64e456c9a777069d2efb9)
+---
+ NEWS | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/NEWS b/NEWS
+index 9eff4bd7ae..861dbd7dd5 100644
+--- a/NEWS
++++ b/NEWS
+@@ -1,6 +1,19 @@
+ PHP                                                                        NEWS
+ |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+ 
++Backported from 7.3.29
++
++- Core:
++  . Fixed #81122: SSRF bypass in FILTER_VALIDATE_URL. (CVE-2021-21705) (cmb)
++
++- PDO_Firebird:
++  . Fixed #76448: Stack buffer overflow in firebird_info_cb. (CVE-2021-21704)
++    (cmb)
++  . Fixed #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704) (cmb)
++  . Fixed #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704) (cmb)
++  . Fixed #76452: Crash while parsing blob data in firebird_fetch_blob.
++    (CVE-2021-21704) (cmb)
++
+ Backported from 7.3.28
+ 
+ - Imap:
+-- 
+2.31.1
+
diff --git a/php-bug81122.patch b/php-bug81122.patch
new file mode 100644
index 0000000..3d200d6
--- /dev/null
+++ b/php-bug81122.patch
@@ -0,0 +1,88 @@
+From bb524cfbd498cebedd9f866c51cef97b69f59644 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 14 Jun 2021 13:22:27 +0200
+Subject: [PATCH 1/8] Fix #81122: SSRF bypass in FILTER_VALIDATE_URL
+
+We need to ensure that the password detected by parse_url() is actually
+a valid password; we can re-use is_userinfo_valid() for that.
+
+(cherry picked from commit a5538c62293fa782fcc382d0635cfc0c8b9190e3)
+---
+ ext/filter/logical_filters.c   |  4 +++-
+ ext/filter/tests/bug81122.phpt | 21 +++++++++++++++++++++
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+ create mode 100644 ext/filter/tests/bug81122.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 22868fd8c1..357f7f2f43 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -587,7 +587,9 @@ bad_url:
+ 		RETURN_VALIDATION_FAILED
+ 	}
+ 
+-	if (url->user != NULL && !is_userinfo_valid(url->user)) {
++	if (url->user != NULL && !is_userinfo_valid(url->user)
++		|| url->pass != NULL && !is_userinfo_valid(url->pass)
++	) {
+ 		php_url_free(url);
+ 		RETURN_VALIDATION_FAILED
+ 
+diff --git a/ext/filter/tests/bug81122.phpt b/ext/filter/tests/bug81122.phpt
+new file mode 100644
+index 0000000000..d89d4114a5
+--- /dev/null
++++ b/ext/filter/tests/bug81122.phpt
+@@ -0,0 +1,21 @@
++--TEST--
++Bug #81122 (SSRF bypass in FILTER_VALIDATE_URL)
++--SKIPIF--
++<?php
++if (!extension_loaded('filter')) die("skip filter extension not available");
++?>
++--FILE--
++<?php
++$urls = [
++    "https://example.com:\\@test.com/",
++    "https://user:\\epass@test.com",
++    "https://user:\\@test.com",
++];
++foreach ($urls as $url) {
++    var_dump(filter_var($url, FILTER_VALIDATE_URL));
++}
++?>
++--EXPECT--
++bool(false)
++bool(false)
++bool(false)
+-- 
+2.31.1
+
+From db917b17e82344db82a67c4c68f627246b484ac4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 27 Jun 2021 21:57:58 -0700
+Subject: [PATCH 2/8] Fix warning
+
+(cherry picked from commit 190013787bbc424c240413d914e3a038f974ccef)
+---
+ ext/filter/logical_filters.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 357f7f2f43..7a37f80e46 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -587,8 +587,8 @@ bad_url:
+ 		RETURN_VALIDATION_FAILED
+ 	}
+ 
+-	if (url->user != NULL && !is_userinfo_valid(url->user)
+-		|| url->pass != NULL && !is_userinfo_valid(url->pass)
++	if ((url->user != NULL && !is_userinfo_valid(url->user))
++		|| (url->pass != NULL && !is_userinfo_valid(url->pass))
+ 	) {
+ 		php_url_free(url);
+ 		RETURN_VALIDATION_FAILED
+-- 
+2.31.1
+
diff --git a/php.spec b/php.spec
index 5097586..cdbde56 100644
--- a/php.spec
+++ b/php.spec
@@ -127,7 +127,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: %{?scl_prefix}php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 27%{?dist}
+Release: 28%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -243,6 +243,8 @@ Patch246: php-bug79699.patch
 Patch247: php-bug77423.patch
 Patch248: php-bug80672.patch
 Patch249: php-bug80710.patch
+Patch250: php-bug81122.patch
+Patch251: php-bug76450.patch
 
 # Fixes for tests (300+)
 # Factory is droped from system tzdata
@@ -1038,6 +1040,8 @@ sed -e 's/php-devel/%{?scl_prefix}php-devel/' -i scripts/phpize.in
 %patch247 -p1 -b .bug77423
 %patch248 -p1 -b .bug80672
 %patch249 -p1 -b .bug80710
+%patch250 -p1 -b .bug81122
+%patch251 -p1 -b .bug76450
 : ---------------------------
 #exit 1
 
@@ -1056,7 +1060,7 @@ rm ext/openssl/tests/bug65538_003.phpt
 # WIP patch
 
 # Prevent %%doc confusion over LICENSE files
-cp Zend/LICENSE Zend/ZEND_LICENSE
+cp Zend/LICENSE ZEND_LICENSE
 cp TSRM/LICENSE TSRM_LICENSE
 %if ! %{with_libgd}
 cp ext/gd/libgd/README libgd_README
@@ -1839,7 +1843,7 @@ EOF
 
 %files common -f files.common
 %doc CODING_STANDARDS CREDITS EXTENSIONS NEWS README*
-%license LICENSE TSRM_LICENSE
+%license LICENSE TSRM_LICENSE ZEND_LICENSE
 %license libmagic_LICENSE
 %license phar_LICENSE
 %license timelib_LICENSE
@@ -1996,6 +2000,15 @@ EOF
 
 
 %changelog
+* Mon Jun 28 2021 Remi Collet <remi@remirepo.net> - 7.0.33-28
+- Fix #81122 SSRF bypass in FILTER_VALIDATE_URL
+  CVE-2021-21705
+- Fix #76448 Stack buffer overflow in firebird_info_cb
+- Fix #76449 SIGSEGV in firebird_handle_doer
+- Fix #76450 SIGSEGV in firebird_stmt_execute
+- Fix #76452 Crash while parsing blob data in firebird_fetch_blob
+  CVE-2021-21704
+
 * Thu May 27 2021 Remi Collet <remi@remirepo.net> - 7.0.33-27
 - fix snmp extension build with net-snmp without DES
 
-- 
cgit