From 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 9 Jan 2019 14:51:03 +0100
Subject: - core:   Fix #77369 memcpy with negative length via crafted DNS
 response - mbstring:   Fix #77370 buffer overflow on mb regex functions -
 fetch_token   Fix #77371 heap buffer overflow in mb regex functions
 compile_string_node   Fix #77381 heap buffer overflow in multibyte match_at  
 Fix #77382 heap buffer overflow in expand_case_fold_string   Fix #77385
 buffer overflow in fetch_token   Fix #77394 buffer overflow in multibyte case
 folding - unicode   Fix #77418 heap overflow in utf32be_mbc_to_code - phar:  
 Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc:   Fix
 #77242 heap out of bounds read in xmlrpc_decode   Fix #77380 global out of
 bounds read in xmlrpc base64 code

---
 php-bug77370.patch | 66 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 php-bug77370.patch

(limited to 'php-bug77370.patch')

diff --git a/php-bug77370.patch b/php-bug77370.patch
new file mode 100644
index 0000000..b85944a
--- /dev/null
+++ b/php-bug77370.patch
@@ -0,0 +1,66 @@
+From deb06bbb9cbb31292fc219501614a8c3ff25bb11 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 19:51:24 -0800
+Subject: [PATCH] Fix bug #77370 - check that we do not read past buffer end
+ when parsing multibytes
+
+---
+ ext/mbstring/oniguruma/regparse.c |  9 +++++++++
+ ext/mbstring/tests/bug77370.phpt  | 13 +++++++++++++
+ 2 files changed, 22 insertions(+)
+ create mode 100644 ext/mbstring/tests/bug77370.phpt
+
+diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c
+index d2925f1e81b0..252ca1871202 100644
+--- a/ext/mbstring/oniguruma/regparse.c
++++ b/ext/mbstring/oniguruma/regparse.c
+@@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+ }
+ #endif
+ 
++#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX)
++# define UNEXPECTED(condition) __builtin_expect(condition, 0)
++#else
++# define UNEXPECTED(condition) (condition)
++#endif
++
+ /* scan pattern methods */
+ #define PEND_VALUE   0
+ 
+@@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end)
+   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+   pfetch_prev = p; \
+   p += ONIGENC_MBC_ENC_LEN(enc, p); \
++  if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ 
+ #define PINC_S     do { \
+   p += ONIGENC_MBC_ENC_LEN(enc, p); \
++  if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ #define PFETCH_S(c) do { \
+   c = ONIGENC_MBC_TO_CODE(enc, p, end); \
+   p += ONIGENC_MBC_ENC_LEN(enc, p); \
++  if(UNEXPECTED(p > end)) p = end; \
+ } while (0)
+ 
+ #define PPEEK        (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE)
+diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt
+new file mode 100644
+index 000000000000..c4d25582fe3b
+--- /dev/null
++++ b/ext/mbstring/tests/bug77370.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #77370 (Buffer overflow on mb regex functions - fetch_token)
++--SKIPIF--
++<?php extension_loaded('mbstring') or die('skip mbstring not available'); ?>
++--FILE--
++<?php
++var_dump(mb_split("   \xfd",""));
++?>
++--EXPECT--
++array(1) {
++  [0]=>
++  string(0) ""
++}
-- 
cgit