From 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 9 Jan 2019 14:51:03 +0100
Subject: - core:   Fix #77369 memcpy with negative length via crafted DNS
 response - mbstring:   Fix #77370 buffer overflow on mb regex functions -
 fetch_token   Fix #77371 heap buffer overflow in mb regex functions
 compile_string_node   Fix #77381 heap buffer overflow in multibyte match_at  
 Fix #77382 heap buffer overflow in expand_case_fold_string   Fix #77385
 buffer overflow in fetch_token   Fix #77394 buffer overflow in multibyte case
 folding - unicode   Fix #77418 heap overflow in utf32be_mbc_to_code - phar:  
 Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc:   Fix
 #77242 heap out of bounds read in xmlrpc_decode   Fix #77380 global out of
 bounds read in xmlrpc base64 code

---
 php-bug77380.patch | 57 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 php-bug77380.patch

(limited to 'php-bug77380.patch')

diff --git a/php-bug77380.patch b/php-bug77380.patch
new file mode 100644
index 0000000..4aea7b5
--- /dev/null
+++ b/php-bug77380.patch
@@ -0,0 +1,57 @@
+From 4feb9e66ff9636ad44bc23a91b7ebd37d83ddf1d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 1 Jan 2019 17:15:20 -0800
+Subject: [PATCH] Fix bug #77380  (Global out of bounds read in xmlrpc base64
+ code)
+
+---
+ ext/xmlrpc/libxmlrpc/base64.c  |  4 ++--
+ ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/xmlrpc/tests/bug77380.phpt
+
+diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
+index 5ebdf31f7ade..a4fa19327b76 100644
+--- a/ext/xmlrpc/libxmlrpc/base64.c
++++ b/ext/xmlrpc/libxmlrpc/base64.c
+@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
+ 
+   while (!hiteof) {
+     unsigned char igroup[3], ogroup[4];
+-    int c, n;
++	int c, n;
+ 
+     igroup[0] = igroup[1] = igroup[2] = 0;
+     for (n = 0; n < 3; n++) {
+@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
+ 		return;
+ 	    }
+ 
+-	    if (dtable[c] & 0x80) {
++	    if (dtable[(unsigned char)c] & 0x80) {
+ 	      /*
+ 	      fprintf(stderr, "Offset %i length %i\n", offset, length);
+ 	      fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
+diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt
+new file mode 100644
+index 000000000000..8559c07a5aea
+--- /dev/null
++++ b/ext/xmlrpc/tests/bug77380.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #77380 (Global out of bounds read in xmlrpc base64 code)
++--SKIPIF--
++<?php
++if (!extension_loaded("xmlrpc")) print "skip";
++?>
++--FILE--
++<?php
++var_dump(xmlrpc_decode(base64_decode("PGJhc2U2ND7CkzwvYmFzZTY0Pgo=")));
++?>
++--EXPECT--
++object(stdClass)#1 (2) {
++  ["scalar"]=>
++  string(0) ""
++  ["xmlrpc_type"]=>
++  string(6) "base64"
++}
-- 
cgit