From 8b6a473e92cb71c2b5d5289c050dec5b83b5fd6f Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 9 Jan 2019 14:51:03 +0100
Subject: - core:   Fix #77369 memcpy with negative length via crafted DNS
 response - mbstring:   Fix #77370 buffer overflow on mb regex functions -
 fetch_token   Fix #77371 heap buffer overflow in mb regex functions
 compile_string_node   Fix #77381 heap buffer overflow in multibyte match_at  
 Fix #77382 heap buffer overflow in expand_case_fold_string   Fix #77385
 buffer overflow in fetch_token   Fix #77394 buffer overflow in multibyte case
 folding - unicode   Fix #77418 heap overflow in utf32be_mbc_to_code - phar:  
 Fix #77247 heap buffer overflow in phar_detect_phar_fname_ext - xmlrpc:   Fix
 #77242 heap out of bounds read in xmlrpc_decode   Fix #77380 global out of
 bounds read in xmlrpc base64 code

---
 php-bug77247.patch | 49 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 php-bug77247.patch

(limited to 'php-bug77247.patch')

diff --git a/php-bug77247.patch b/php-bug77247.patch
new file mode 100644
index 0000000..6a2c8b4
--- /dev/null
+++ b/php-bug77247.patch
@@ -0,0 +1,49 @@
+Backported for 7.0 by Remi
+
+
+From 78bd3477745f1ada9578a79f61edb41886bec1cb Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 18:25:37 -0800
+Subject: [PATCH] Fix bug #77247 (heap buffer overflow in
+ phar_detect_phar_fname_ext)
+
+---
+ ext/phar/phar.c              |  2 +-
+ ext/phar/tests/bug77247.phpt | 14 ++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug77247.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 82a9ef31943a..0d2173195c32 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -2021,7 +2021,7 @@ int phar_detect_phar_fname_ext(const char *filename, int filename_len, const cha
+ 	}
+ 
+ 	while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
+-		pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
++		pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
+ 		if (!pos) {
+ 			return FAILURE;
+ 		}
+diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
+new file mode 100644
+index 000000000000..588975f9f2f8
+--- /dev/null
++++ b/ext/phar/tests/bug77247.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++try {
++var_dump(new Phar('a/.b', 0,'test.phar'));
++} catch(UnexpectedValueException $e) {
++	echo "OK";
++}
++?>
++--EXPECT--
++OK
+\ No newline at end of file
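Review bot: The corrected `memchr` length in the embedded ext/phar/phar.c hunk carries no explanation of why it ends in `- 1`, so the same off-by-two is easy to reintroduce. The scan starts at `pos + 1`, leaving exactly `filename_len - (pos + 1 - filename)` bytes, whereas the old `+ 1` let `memchr` look up to two bytes past the end of `filename`. I would add `/* scan starts at pos + 1, so filename_len - (pos + 1 - filename) bytes remain */` above that line. The length is `int` arithmetic converted implicitly to `size_t`, so it stays non-negative only if `pos` always points inside `filename`; the code that establishes this is outside the hunk and worth re-checking against the 7.0 tree this was backported to. The new bug77247.phpt only asserts that `UnexpectedValueException` is thrown, so it probably detects a regression of the over-read only when the suite runs under ASan or valgrind.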
-- 
cgit