From 2708c128c5462b69ba61c88f5ff770d492944192 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 17 Dec 2019 17:27:17 +0100
Subject: - bcmath   Fix #78878 Buffer underflow in bc_shift_addsub  
 CVE-2019-11046 - core:   Fix #78862 link() silently truncates after a null
 byte on Windows   CVE-2019-11044   Fix #78863 DirectoryIterator class
 silently truncates after a null byte   CVE-2019-11045 - exif   Fix #78793
 Use-after-free in exif parsing under memory sanitizer   CVE-2019-11050   Fix
 #78910 Heap-buffer-overflow READ in exif   CVE-2019-11047 - use oracle client
 library version 19.5 (18.5 on EL-6)

---
 php-bug78793.patch | 62 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 php-bug78793.patch

(limited to 'php-bug78793.patch')

diff --git a/php-bug78793.patch b/php-bug78793.patch
new file mode 100644
index 0000000..21d7a1d
--- /dev/null
+++ b/php-bug78793.patch
@@ -0,0 +1,62 @@
+From f71d4343a205d820e35a815d298a9bb3e92d49cd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 01:14:38 -0800
+Subject: [PATCH] Fix bug #78793
+
+(cherry picked from commit c14eb8de974fc8a4d74f3515424c293bc7a40fba)
+---
+ NEWS                         |  4 ++++
+ ext/exif/exif.c              |  5 +++--
+ ext/exif/tests/bug78793.phpt | 12 ++++++++++++
+ 3 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug78793.phpt
+
+diff --git a/NEWS b/NEWS
+index 39a2f43818..723cc69be6 100644
+--- a/NEWS
++++ b/NEWS
+@@ -13,6 +13,10 @@ Backported from 7.2.26
+   . Fixed bug #78863 (DirectoryIterator class silently truncates after a null
+     byte). (CVE-2019-11045). (cmb)
+ 
++- EXIF:
++  . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
++    (CVE-2019-11050). (Nikita)
++
+ Backported from 7.1.33
+ 
+ - FPM:
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 3f8dd907dc..a7da928800 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2820,8 +2820,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 	}
+ 
+ 	for (de=0;de<NumDirEntries;de++) {
+-		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+-								  offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
++		size_t offset = 2 + 12 * de;
++		if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
++								  offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
+ 			return FALSE;
+ 		}
+ 	}
+diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
+new file mode 100644
+index 0000000000..033f255ace
+--- /dev/null
++++ b/ext/exif/tests/bug78793.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #78793: Use-after-free in exif parsing under memory sanitizer
++--FILE--
++<?php
++$f = "ext/exif/tests/bug77950.tiff";
++for ($i = 0; $i < 10; $i++) {
++    @exif_read_data($f);
++}
++?>
++===DONE===
++--EXPECT--
++===DONE===
-- 
cgit