From 2708c128c5462b69ba61c88f5ff770d492944192 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Tue, 17 Dec 2019 17:27:17 +0100
Subject: - bcmath   Fix #78878 Buffer underflow in bc_shift_addsub  
 CVE-2019-11046 - core:   Fix #78862 link() silently truncates after a null
 byte on Windows   CVE-2019-11044   Fix #78863 DirectoryIterator class
 silently truncates after a null byte   CVE-2019-11045 - exif   Fix #78793
 Use-after-free in exif parsing under memory sanitizer   CVE-2019-11050   Fix
 #78910 Heap-buffer-overflow READ in exif   CVE-2019-11047 - use oracle client
 library version 19.5 (18.5 on EL-6)

---
 php-bug78910.patch | 148 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 148 insertions(+)
 create mode 100644 php-bug78910.patch

(limited to 'php-bug78910.patch')

diff --git a/php-bug78910.patch b/php-bug78910.patch
new file mode 100644
index 0000000..f164d0a
--- /dev/null
+++ b/php-bug78910.patch
@@ -0,0 +1,148 @@
+From 75149a9a02d3bc44411a6e7ab35aee7110d053f3 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 00:10:39 -0800
+Subject: [PATCH] Fixed bug #78910
+
+(cherry picked from commit d348cfb96f2543565691010ade5e0346338be5a7)
+---
+ NEWS                         |  2 ++
+ ext/exif/exif.c              |  3 ++-
+ ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
+ 3 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78910.phpt
+
+diff --git a/NEWS b/NEWS
+index 723cc69be6..ba237b8e33 100644
+--- a/NEWS
++++ b/NEWS
+@@ -16,6 +16,8 @@ Backported from 7.2.26
+ - EXIF:
+   . Fixed bug #78793 (Use-after-free in exif parsing under memory sanitizer).
+     (CVE-2019-11050). (Nikita)
++  . Fixed bug #78910 (Heap-buffer-overflow READ in exif). (CVE-2019-11047).
++    (Nikita)
+ 
+ Backported from 7.1.33
+ 
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a7da928800..9e42a62812 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2748,7 +2748,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 			continue;
+ 		if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))
+ 			continue;
+-		if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
++		if (maker_note->id_string && value_len >= maker_note->id_string_len
++				&& strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+ 			continue;
+ 		break;
+ 	}
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+new file mode 100644
+index 0000000000..f5b1c32c1b
+--- /dev/null
++++ b/ext/exif/tests/bug78910.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
++--FILE--
++<?php
++
++var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
++
++?>
++--EXPECTF--
++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote  ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++
++Warning: exif_read_data(): Process tag(x927C=MakerNote  ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++
++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++
++Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++bool(false)
+From ec1dc05c2415f55507b5710dbeed9f0623c9b44d Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 17 Dec 2019 15:26:04 +0100
+Subject: [PATCH] Fix tests
+
+---
+ ext/bcmath/tests/bug72093-win32.phpt | 2 +-
+ ext/bcmath/tests/bug75178-win32.phpt | 4 ++--
+ ext/exif/tests/bug76557.phpt         | 2 +-
+ ext/exif/tests/bug78910.phpt         | 8 ++++----
+ ext/spl/tests/bug54291.phpt          | 2 +-
+ 5 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/ext/bcmath/tests/bug72093-win32.phpt b/ext/bcmath/tests/bug72093-win32.phpt
+index a9b2077823..bcea8740b5 100644
+--- a/ext/bcmath/tests/bug72093-win32.phpt
++++ b/ext/bcmath/tests/bug72093-win32.phpt
+@@ -14,5 +14,5 @@ var_dump(bcpowmod(1, 1.2, 1, 1));
+ ?>
+ --EXPECTF--
+ string(1) "1"
+-string(3) "0.0"
+ bc math warning: non-zero scale in exponent
++string(3) "0.0"
+diff --git a/ext/bcmath/tests/bug75178-win32.phpt b/ext/bcmath/tests/bug75178-win32.phpt
+index bae590fb5b..c70e3aa810 100644
+--- a/ext/bcmath/tests/bug75178-win32.phpt
++++ b/ext/bcmath/tests/bug75178-win32.phpt
+@@ -14,8 +14,8 @@ var_dump(bcpowmod('4', '4', '3.1', 3));
+ ?>
+ ===DONE===
+ --EXPECT--
++bc math warning: non-zero scale in base
+ string(5) "1.000"
++bc math warning: non-zero scale in modulus
+ string(5) "1.000"
+ ===DONE===
+-bc math warning: non-zero scale in base
+-bc math warning: non-zero scale in modulus
+diff --git a/ext/exif/tests/bug76557.phpt b/ext/exif/tests/bug76557.phpt
+index 4553b62772..8920de658a 100644
+--- a/ext/exif/tests/bug76557.phpt
++++ b/ext/exif/tests/bug76557.phpt
+@@ -70,7 +70,7 @@ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal f
+ 
+ Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %sbug76557.php on line %d
+ 
+-Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > x00EE) in %sbug76557.php on line %d
++Warning: exif_read_data(bug76557.jpg): Process tag(x3030=UndefinedTa): Illegal pointer offset(x30303030 + x30303030 = x60606060 > %s) in %sbug76557.php on line %d
+ 
+ Warning: exif_read_data(bug76557.jpg): File structure corrupted in %sbug76557.php on line %d
+ 
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+index f5b1c32c1b..7e40b82389 100644
+--- a/ext/exif/tests/bug78910.phpt
++++ b/ext/exif/tests/bug78910.phpt
+@@ -7,11 +7,11 @@ var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAA
+ 
+ ?>
+ --EXPECTF--
+-Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote  ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++Notice: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Read from TIFF: tag(0x927C, MakerNote  ): Illegal format code 0x2020, switching to BYTE in %s on line %d
+ 
+-Warning: exif_read_data(): Process tag(x927C=MakerNote  ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Process tag(x927C=MakerNote  ): Illegal format code 0x2020, suppose BYTE in %s on line %d
+ 
+-Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): IFD data too short: 0x0000 offset 0x000C in %s on line %d
+ 
+-Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++Warning: exif_read_data(jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN): Invalid TIFF file in %s on line %d
+ bool(false)
+diff --git a/ext/spl/tests/bug54291.phpt b/ext/spl/tests/bug54291.phpt
+index c0119c4360..5e4a5a0607 100644
+--- a/ext/spl/tests/bug54291.phpt
++++ b/ext/spl/tests/bug54291.phpt
+@@ -5,7 +5,7 @@ Bug #54291 (Crash iterating DirectoryIterator for dir name starting with \0)
+ $dir = new DirectoryIterator("\x00/abc");
+ $dir->isFile();
+ --EXPECTF--
+-Fatal error: Uncaught UnexpectedValueException: Failed to open directory "" in %s:%d
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
+ Stack trace:
+ #0 %s(%d): DirectoryIterator->__construct('\x00/abc')
+ #1 {main}
-- 
cgit