Hello community, here is the log from the commit of package php5.4029 for openSUSE:13.1:Update checked in at 2015-09-25 10:19:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:13.1:Update/php5.4029 (Old) and /work/SRC/openSUSE:13.1:Update/.php5.4029.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "php5.4029" Changes: -------- New Changes file: --- /dev/null 2015-09-24 09:51:01.260026505 +0200 +++ /work/SRC/openSUSE:13.1:Update/.php5.4029.new/php5.changes 2015-09-25 10:19:12.000000000 +0200 
@@ -0,0 +1,3194 @@ +------------------------------------------------------------------- +Fri Sep 11 06:57:41 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-6831 [bnc#942291] [bnc#942294] [bnc#942295] + + php-CVE-2015-6831.patch + * CVE-2015-6832 [bnc#942293] + + php-CVE-2015-6832.patch + * CVE-2015-6833 [bnc#942296] + + php-CVE-2015-6833.patch + * CVE-2015-6834 [bnc#945403] + + php-CVE-2015-6834.patch + * CVE-2015-6835 [bnc#945402] + + php-CVE-2015-6835.patch + * CVE-2015-6836 [bnc#945428] + + php-CVE-2015-6836.patch + * CVE-2015-6837 CVE-2015-6838 [bnc#945412] + + php-CVE-2015-6837,6838.patch + +------------------------------------------------------------------- +Tue Jul 28 08:53:35 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-5590 [bnc#938719] + + php-CVE-2015-5590.patch + * CVE-2015-5589 [bnc#938721] + + php-CVE-2015-5589.patch + +------------------------------------------------------------------- +Thu Jun 18 12:26:46 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-4602 [bnc#935224] + php-CVE-2015-4602.patch + * CVE-2015-4599, CVE-2015-4600, CVE-2015-4601 [bnc#935226] + + php-CVE-2015-4599,4600,4601.patch + * CVE-2015-4603 [bnc#935234] + + php-CVE-2015-4603.patch + * CVE-2015-4603 [bnc#935234] + + php-CVE-2015-4603.patch + * CVE-2015-4644 [bnc#935274] + + php-CVE-2015-4644.patch + * CVE-2015-4643 [bnc#935275] + + php-CVE-2015-4643.patch + * CVE-2015-3411, CVE-2015-3412, CVE-2015-4598 [bnc#935227], + [bnc#935232], [bnc#935234] + + php-CVE-2015-3411,3412,4598.patch + +------------------------------------------------------------------- +Thu Jun 4 08:10:15 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-4148 [bnc#933227] + +------------------------------------------------------------------- +Fri May 22 10:01:11 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-4024 [bnc#931421] + + php-CVE-2015-4024.patch + * CVE-2015-4026 [bnc#931776] + + php-CVE-2015-4026.patch + * CVE-2015-4022 
[bnc#931772] + + php-CVE-2015-4022.patch + * CVE-2015-4021 [bnc#931769] + + php-CVE-2015-4021.patch + +------------------------------------------------------------------- +Fri Apr 24 07:29:57 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-3330 [bnc#928408] + + php-CVE-2015-3330.patch + * CVE-2015-3329 [bnc#928506] + + php-CVE-2015-3329.patch + * CVE-2015-2783 [bnc#928511] + + php-CVE-2015-2783.patch + +------------------------------------------------------------------- +Wed Apr 1 11:43:24 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-2787 [bnc#924972] + + php-CVE-2015-2787.patch + * unserialize SoapClient type confusion [bnc#925109] + + php-unserialize-soap-type-confusion.patch + * CVE-2015-2348 [bnc#924970] + + php-CVE-2015-2348.patch + +------------------------------------------------------------------- +Tue Mar 24 15:39:39 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2014-9709 [bnc#923946] + + php-CVE-2014-9709.patch + * CVE-2015-2301 [bnc#922022] + + php-CVE-2015-2301.patch + * CVE-2015-2305 [bnc#922452] + + php-CVE-2015-2305.patch + * CVE-2014-9705 [bnc#922451] + + php-CVE-2014-9705.patch + +------------------------------------------------------------------- +Wed Feb 25 12:49:52 UTC 2015 - pgajdos@suse.com + +- security update: + * CVE-2015-0273 [bnc#918768] + + php-CVE-2015-0273.patch + * CVE-2014-9652 [bnc#917150] + + php-CVE-2014-9652.patch + +------------------------------------------------------------------- +Tue Dec 30 15:39:08 UTC 2014 - pgajdos@suse.com + +- security update: + * CVE-2014-8142 [bnc#910659] + + php-CVE-2014-8142.patch + * CVE-2015-0231 [bnc#910659] + + php-CVE-2015-0231.patch + * null ptr deref [bnc#910659] + + php-unserialize-null-ptr-deref.patch + * CVE-2014-9427 [bnc#911664] + + php-CVE-2014-9427.patch + * CVE-2015-0232 [bnc#914690] + + php-CVE-2015-0232.patch +- added added README.default_socket_timeout [bnc#907519] + +------------------------------------------------------------------- 
+Mon Oct 27 11:25:38 UTC 2014 - pgajdos@suse.com + +- security update: + * CVE-2014-3670 [bnc#902357] + * CVE-2014-3669 [bnc#902360] + * CVE-2014-3668 [bnc#902368] +- added patches: + * php-CVE-2014-3670.patch + * php-CVE-2014-3669.patch + * php-CVE-2014-3668.patch + +------------------------------------------------------------------- +Wed Sep 10 08:51:03 UTC 2014 - pgajdos@suse.com + +- security update: + * CVE-2014-5459 [bnc#893849] + * CVE-2014-3597 [bnc#893853] + * CVE-2014-5120 [bnc#893855] +- fixed suhosin crash if used with php session_set_save_handler() + [bnc#895658] +- added patches: + * php-CVE-2014-3597.patch + * php-CVE-2014-5120.patch + * php5-suhosin-crash.patch + +------------------------------------------------------------------- +Thu Jul 17 14:32:29 UTC 2014 - pgajdos@suse.com + +- security update: + * php-CVE-2014-4670.patch [bnc#886059] + * php-CVE-2014-4698.patch [bnc#886060] + * php-CVE-2014-4721.patch [bnc#885961] + +------------------------------------------------------------------- +Mon Jun 30 15:27:29 UTC 2014 - pgajdos@suse.cz + +- security update [bnc#884986], [bnc#884987], [bnc#884989], + [bnc#884990], [bnc#884991], [bnc#884992] +- added patches: + * php-5.4.20-CVE-2014-0207.patch + * php-5.4.20-CVE-2014-3478.patch + * php-5.4.20-CVE-2014-3479.patch + * php-5.4.20-CVE-2014-3480.patch + * php-5.4.20-CVE-2014-3487.patch + * php-5.4.20-CVE-2014-3515.patch + +------------------------------------------------------------------- +Tue Jun 17 14:58:48 UTC 2014 - pgajdos@suse.com + +- security update: + * php-5.4.20-CVE-2014-4049.patch [bnc#882992] + +------------------------------------------------------------------- +Tue Jun 3 08:37:20 UTC 2014 - pgajdos@suse.com + +- security update + * CVE-2014-0237 [bnc#880905] + * CVE-2014-0238 [bnc#880904] + +------------------------------------------------------------------- +Fri May 9 07:28:56 UTC 2014 - pgajdos@suse.com + +- security update + * CVE-2014-2497.patch [bnc#868624] + * CVE-2014-0185.patch 
[bnc#875826] + +------------------------------------------------------------------- +Fri Dec 13 10:32:11 UTC 2013 - pgajdos@suse.com + ++++ 2997 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.1:Update/.php5.4029.new/php5.changes New: ---- README.SUSE-pear README.default_socket_timeout README.macros install-pear-nozlib.phar macros.php php-5.4.20-CVE-2013-6420.patch php-5.4.20-CVE-2013-6712.patch php-5.4.20-CVE-2014-0185.patch php-5.4.20-CVE-2014-0207.patch php-5.4.20-CVE-2014-0237.patch php-5.4.20-CVE-2014-0238.patch php-5.4.20-CVE-2014-2497.patch php-5.4.20-CVE-2014-3478.patch php-5.4.20-CVE-2014-3479.patch php-5.4.20-CVE-2014-3480.patch php-5.4.20-CVE-2014-3487.patch php-5.4.20-CVE-2014-3515.patch php-5.4.20-CVE-2014-4049.patch php-5.4.20.tar.bz2 php-CVE-2014-3597.patch php-CVE-2014-3668.patch php-CVE-2014-3669.patch php-CVE-2014-3670.patch php-CVE-2014-4670.patch php-CVE-2014-4698.patch php-CVE-2014-4721.patch php-CVE-2014-5120.patch php-CVE-2014-8142.patch php-CVE-2014-9427.patch php-CVE-2014-9652.patch php-CVE-2014-9705.patch php-CVE-2014-9709.patch php-CVE-2015-0231.patch php-CVE-2015-0232.patch php-CVE-2015-2301.patch php-CVE-2015-2305.patch php-CVE-2015-2348.patch php-CVE-2015-2783.patch php-CVE-2015-2787.patch php-CVE-2015-3329.patch php-CVE-2015-3330.patch php-CVE-2015-3411,3412,4598.patch php-CVE-2015-4021.patch php-CVE-2015-4022.patch php-CVE-2015-4024.patch php-CVE-2015-4026.patch php-CVE-2015-4148.patch php-CVE-2015-4599,4600,4601.patch php-CVE-2015-4602.patch php-CVE-2015-4603.patch php-CVE-2015-4643.patch php-CVE-2015-4644.patch php-CVE-2015-5589.patch php-CVE-2015-5590.patch php-CVE-2015-6831.patch php-CVE-2015-6832.patch php-CVE-2015-6833.patch php-CVE-2015-6834.patch php-CVE-2015-6835.patch php-CVE-2015-6836.patch php-CVE-2015-6837,6838.patch php-fpm.init php-suse-addons.tar.bz2 php-unserialize-null-ptr-deref.patch php-unserialize-soap-type-confusion.patch php5-64-bit-post-large-files.patch php5-BNC-457056.patch 
php5-CVE-2015-0273.patch php5-apache24-updates.patch php5-apache_sapi_install.patch php5-cloexec.patch php5-crypt-tests.patch php5-format-string-issues.patch php5-gcc_builtins.patch php5-ini.patch php5-mbstring-missing-return.patch php5-missing-extdeps.patch php5-no-build-date.patch php5-no-reentrant-crypt.patch php5-openssl.patch php5-per-mod-log.patch php5-php-config.patch php5-phpize.patch php5-pts.patch php5-suhosin-crash.patch php5-suhosin-php54.patch php5-systzdata-v7.patch php5-wrong-fail-stack_push.patch php5.changes php5.spec suhosin-0.9.33.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ php5.spec ++++++ ++++ 2120 lines (skipped) ++++++ README.SUSE-pear ++++++ Package php5-pear does not include Pear DB support ================================================== Php5-pear package comes without Pear DB database support, which was obsoleted by MDB2. If you need Pear DB, please install it with: #pear install --onlyreqdeps DB This is the case of Squirrelmail which requires Pear DB support. More information can be found at bugzilla.novell.com, bug #178982. ++++++ README.default_socket_timeout ++++++ Scope of default_socket_timeout Directive ========================================= default_socket_timeout do not work for SSL connections. This is long standing feature request in PHP upstream bugzilla, see PHP bug #41631. 
To sum up, ini_set("default_socket_timeout", $time); fopen($https_url, "r"); do not work as intended in the contrast to ini_set("default_socket_timeout", $time); fopen($http_url, "r"); Socket timeout for SSL connections can be set successfully when libcurl trough curl PHP extension is used: $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $https_url); curl_setopt($ch, CURLOPT_TIMEOUT, $time); curl_exec($ch); curl_close($ch); ++++++ README.macros ++++++ README for php-macros Author: Christian Wittmer%php_gen_filelist generates an rpmlint happy filelist of your installed files In most cases you only need to check the %doc part sometimes there is a "Changes" or "ChangeLog",.... Requirements for %php_gen_filelist You have to define following parts inside your spec file Example: Name: php5-pear-Date %define pear_name Date %define pear_sname date BuildRequires: php-macros Provides: php-pear-%{pear_name} pear-%{pear_name} # Fix for renaming (package convention) Provides: php5-pear-%{pear_sname} = %{version} Provides: php-pear-%{pear_sname} = %{version} Provides: pear-%{pear_sname} = %{version} Obsoletes: php5-pear-%{pear_sname} < %{version} Obsoletes: php-pear-%{pear_sname} < %{version} Obsoletes: pear-%{pear_sname} < %{version} %install %{__mv} package*.xml %{pear_name}-%{version} cd %{pear_name}-%{version} PHP_PEAR_PHP_BIN="$(which php) -d memory_limit=50m" %{__pear} -v \ -d doc_dir=/doc \ -d bin_dir=%{_bindir} \ -d data_dir=%{peardir}/data \ install --offline --nodeps -R "$RPM_BUILD_ROOT" package.xml %{__install} -D -m 0644 package.xml $RPM_BUILD_ROOT%{php_pearxmldir}/%{pear_name}.xml %{__rm} -rf $RPM_BUILD_ROOT/{doc,tmp} %{__rm} -rf "$RPM_BUILD_ROOT"/%{peardir}/.{filemap,lock,registry,channels,depdb,depdblock} %php_gen_filelist %post # on `rpm -ivh` PARAM is 1 # on `rpm -Uvh` PARAM is 2 if [ "$1" = "1" ]; then %{__pear} install --nodeps --soft --force --register-only %{php_pearxmldir}/%{pear_name}.xml fi if [ "$1" = "2" ]; then %{__pear} upgrade --offline 
--register-only %{php_pearxmldir}/%{pear_name}.xml fi %postun # on `rpm -e` PARAM is 0 if [ "$1" = "0" ]; then %{__pear} uninstall --nodeps --ignore-errors --register-only pear.php.net/%{pear_name} fi %clean %{__rm} -rf %{buildroot} %files -f %{name}.files %defattr(-,root,root) %doc Changes README %changelog ############################################################################# And here an Example of the generated filelist: /usr/share/php5/PEAR/Date.php %dir /usr/share/php5/PEAR/Date /usr/share/php5/PEAR/Date/Calc.php /usr/share/php5/PEAR/Date/Human.php /usr/share/php5/PEAR/Date/Span.php /usr/share/php5/PEAR/Date/TimeZone.php %dir /usr/share/php5/PEAR/test %dir /usr/share/php5/PEAR/test/Date %dir /usr/share/php5/PEAR/test/Date/tests /usr/share/php5/PEAR/test/Date/tests/test_date_methods_span.php /usr/share/php5/PEAR/test/Date/tests/testunit_date_span.php /usr/share/php5/PEAR/test/Date/tests/test_calc.php /usr/share/php5/PEAR/test/Date/tests/calc.php /usr/share/php5/PEAR/test/Date/tests/testunit_date.php /usr/share/php5/PEAR/test/Date/tests/testunit.php %dir /usr/share/php5/PEAR/test/Date/tests/bugs /usr/share/php5/PEAR/test/Date/tests/bugs/bug-727-1.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-727-2.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-727-3.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-727-4.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-674.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-9213.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-9414.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-8912.phpt /usr/share/php5/PEAR/test/Date/tests/bugs/bug-967.phpt /var/lib/pear/Date.xml ++++++ macros.php ++++++ # macros.php file # macros for module building. handle with care. 
# # Interface versions exposed by PHP: # %php_core_api @PHP_APIVER@ %php_zend_api @PHP_ZENDVER@ # Useful php macros (from Christian Wittmer ) # %__php /usr/bin/php %__phpize /usr/bin/phpize %__php_config /usr/bin/php-config %php_version %(%{__php_config} --version) # %__pear /usr/bin/pear %php_peardir %(%{__pear} config-get php_dir) %php_pearxmldir /var/lib/pear # macro: php_pear_gen_filelist # do the rpmlint happy filelist generation # with %dir in front of directories %php_pear_gen_filelist(n)\ FILES=%{name}.files\ # fgen_dir func\ # IN: dir\ fgen_dir(){\ %{__cat} >> $FILES << EOF\ %dir ${1}\ EOF\ }\ # fgen_file func\ # IN: file\ fgen_file(){\ %{__cat} >> $FILES << EOF\ ${1}\ EOF\ }\ # check for files in %{php_peardir}\ RES=`find ${RPM_BUILD_ROOT}%{php_peardir} -maxdepth 1 -type f`\ if [ -n "$RES" ]; then\ for file in $RES; do\ fgen_file "%{php_peardir}/$(basename ${file})"\ done\ fi\ \ # get all dirs into array\ base_dir="${RPM_BUILD_ROOT}%{php_peardir}/"\ for dir in `find ${base_dir} -type d | sort`; do\ if [ "$dir" = "${base_dir}" ]; then\ continue\ else\ el=`echo $dir | %{__awk} -F"${base_dir}" '{print $2}'`\ all_dir=(${all_dir[@]} $el)\ fi\ done\ \ # build filelist\ for i in ${all_dir[@]}; do\ if [ -d ${base_dir}/${i} ]; then\ RES=`find "${base_dir}/${i}" -maxdepth 1 -type f`\ if [ -n "$RES" ]; then\ fgen_dir "%{php_peardir}/${i}"\ for file in $RES; do\ fgen_file "%{php_peardir}/${i}/$(basename ${file})"\ done\ else\ fgen_dir "%{php_peardir}/${i}"\ fi\ fi\ done\ # add xml file\ fgen_file "%php_pearxmldir/%{pear_name}.xml"\ # ++++++ php-5.4.20-CVE-2013-6420.patch ++++++ https://bugzilla.redhat.com/attachment.cgi?id=831933&action=diff&context=patch&collapsed=&headers=1&format=raw --- ext/openssl/openssl.c 2013-11-28 13:03:15.000000000 +0100 +++ ext/openssl/openssl.c 2013-11-28 12:57:36.000000000 +0100 
@@ -688,18 +688,28 @@ char * thestr; long gmadjust = 0; - if (timestr->length < 13) { + if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp"); + return (time_t)-1; + } + + if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp"); + return (time_t)-1; + } + + if (ASN1_STRING_length(timestr) < 13) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data); return (time_t)-1; } - strbuf = estrdup((char *)timestr->data); + strbuf = estrdup((char *)ASN1_STRING_data(timestr)); memset(&thetime, 0, sizeof(thetime)); /* we work backwards so that we can use atoi more easily */ - thestr = strbuf + timestr->length - 3; + thestr = strbuf + ASN1_STRING_length(timestr) - 3; thetime.tm_sec = atoi(thestr); *thestr = '\0'; ++++++ php-5.4.20-CVE-2013-6712.patch ++++++ From: Remi Collet Date: Wed, 27 Nov 2013 10:13:16 +0000 (+0100) Subject: Fixed bug #66060 (Heap buffer over-read in DateInterval) X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=12fe4e90be7bfa2a763197079f68f5568a14e071 Fixed bug #66060 (Heap buffer over-read in DateInterval) --- --- ext/date/lib/parse_iso_intervals.re +++ ext/date/lib/parse_iso_intervals.re @@ -383,7 +383,7 @@ isoweek = year4 "-"? "W" weekofyear; break; } ptr++; - } while (*ptr); + } while (!s->errors->error_count && *ptr); s->have_period = 1; TIMELIB_DEINIT; return TIMELIB_PERIOD; ++++++ php-5.4.20-CVE-2014-0185.patch ++++++ >From 1875b4648f138df77abcb513149a3340ade69a4c Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 15 Apr 2014 10:43:24 -0700 Subject: [PATCH] Fix bug #67060: use default mode of 660 --- sapi/fpm/fpm/fpm_unix.c | 2 +- sapi/fpm/php-fpm.conf.in | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) --- sapi/fpm/fpm/fpm_unix.c +++ sapi/fpm/fpm/fpm_unix.c 
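Review bot: The new embedded-NUL guard passes the result of `ASN1_STRING_data()` straight to `strlen()` and compares the `int` length with a `size_t`, so the line that protects the later `strbuf + ASN1_STRING_length(timestr) - 3` arithmetic relies on implicit conversions. I would write it as `if (ASN1_STRING_length(timestr) != (int)strlen((const char *)ASN1_STRING_data(timestr))) {` and put `/* reject embedded NULs: estrdup() copies only up to the first NUL, but the offsets below use the ASN.1 length */` above it. The "too lazy" warning kept as context still reads `timestr->data` directly, while the rest of the hunk moved to the accessors. The function begins and ends outside the hunk.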
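Review bot: The added `!s->errors->error_count` term in the `while` condition of the parse_iso_intervals.re hunk carries the whole fix, but nothing on the line says why scanning has to stop after the first recorded error. A comment such as `/* stop once an error is recorded; ptr may no longer point inside the input */` would keep a later cleanup from dropping the term. That wording is inferred from the bug title in the patch header, so confirm it against the loop body, which starts outside the hunk.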
@@ -35,7 +35,7 @@ int fpm_unix_resolve_socket_premissions(struct fpm_worker_pool_s *wp) /* {{{ */ /* uninitialized */ wp->socket_uid = -1; wp->socket_gid = -1; - wp->socket_mode = 0666; + wp->socket_mode = 0660; if (!c) { return 0; --- sapi/fpm/php-fpm.conf.in +++ sapi/fpm/php-fpm.conf.in @@ -166,10 +166,10 @@ listen = 127.0.0.1:9000 ; permissions must be set in order to allow connections from a web server. Many ; BSD-derived systems allow connections regardless of permissions. ; Default Values: user and group are set as the running user -; mode is set to 0666 +; mode is set to 0660 ;listen.owner = @php_fpm_user@ ;listen.group = @php_fpm_group@ -;listen.mode = 0666 +;listen.mode = 0660 ; List of ipv4 addresses of FastCGI clients which are allowed to connect. ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original -- 1.8.4 ++++++ php-5.4.20-CVE-2014-0207.patch ++++++ From: Remi Collet Date: Tue, 3 Jun 2014 09:05:00 +0000 (+0200) Subject: Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check X-Git-Tag: php-5.4.30RC1~33 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=4fcb9a9d1b1063a65fbeb27395de4979c75bd962 Fix bug #67326 fileinfo: cdf_read_short_sector insufficient boundary check Upstream fix https://github.com/file/file/commit/6d209c1c489457397a5763bca4b28e43aac90391.patch Only revelant part applied --- diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 4712e84..16649f1 100644 --- ext/fileinfo/libmagic/cdf.c +++ ext/fileinfo/libmagic/cdf.c 
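Review bot: The new default `wp->socket_mode = 0660` removes access for "other", and neither this hunk nor the php-fpm.conf.in hunk that follows says what that means for an existing install. According to the conf.in comment, the owner and group default to the running user, so a web server running under a different account would presumably lose access to the unix socket after the update, unless `listen.owner`, `listen.group` or `listen.mode` is set. I would add a line to the conf.in comment, for example `; With the 0660 default the web server user must own the socket or belong to listen.group.`, and mention the behaviour change in the package changelog. The mode is also a bare octal literal repeated in code and template; a named constant would keep the two in step.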
@@ -365,10 +365,10 @@ cdf_read_short_sector(const cdf_stream_t *sst, void *buf, size_t offs, size_t ss = CDF_SHORT_SEC_SIZE(h); size_t pos = CDF_SHORT_SEC_POS(h, id); assert(ss == len); - if (pos > CDF_SEC_SIZE(h) * sst->sst_len) { + if (pos + len > CDF_SEC_SIZE(h) * sst->sst_len) { DPRINTF(("Out of bounds read %" SIZE_T_FORMAT "u > %" SIZE_T_FORMAT "u\n", - pos, CDF_SEC_SIZE(h) * sst->sst_len)); + pos + len, CDF_SEC_SIZE(h) * sst->sst_len)); return -1; } (void)memcpy(((char *)buf) + offs, ++++++ php-5.4.20-CVE-2014-0237.patch ++++++ http://git.php.net/?p=php-src.git;a=commit;h=68ce2d0ea6da79b12a365e375e1c2ce882c77480 --- ext/fileinfo/libmagic/cdf.c +++ ext/fileinfo/libmagic/cdf.c @@ -942,7 +942,7 @@ int cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count) { - size_t i, maxcount; + size_t maxcount; const cdf_summary_info_header_t *si = CAST(const cdf_summary_info_header_t *, sst->sst_tab); const cdf_section_declaration_t *sd = @@ -957,21 +957,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h, ssi->si_os = CDF_TOLE2(si->si_os); ssi->si_class = si->si_class; cdf_swap_class(&ssi->si_class); - ssi->si_count = CDF_TOLE2(si->si_count); + ssi->si_count = CDF_TOLE4(si->si_count); *count = 0; maxcount = 0; *info = NULL; - for (i = 0; i < CDF_TOLE4(si->si_count); i++) { - if (i >= CDF_LOOP_LIMIT) { - DPRINTF(("Unpack summary info loop limit")); - errno = EFTYPE; - return -1; - } - if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), - info, count, &maxcount) == -1) { + if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info, + count, &maxcount) == -1) return -1; - } - } return 0; } ++++++ php-5.4.20-CVE-2014-0238.patch ++++++ http://git.php.net/?p=php-src.git;a=commit;h=22736b7c56d678f142d5dd21f4996e5819507a2b --- ext/fileinfo/libmagic/cdf.c +++ ext/fileinfo/libmagic/cdf.c 
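Review bot: `pos + len` in the new bound of cdf_read_short_sector is an unchecked `size_t` addition, so a large enough `pos` can wrap around and still pass the comparison. Whether `CDF_SHORT_SEC_POS(h, id)` can produce such a value is not visible in the hunk. The subtraction form cannot wrap: `if (pos > CDF_SEC_SIZE(h) * sst->sst_len || len > CDF_SEC_SIZE(h) * sst->sst_len - pos) {`. The `assert(ss == len)` above is compiled out under NDEBUG, so the bound should not rely on it. The function continues outside the hunk.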
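Review bot: In the second cdf_unpack_summary_info hunk the replacement `if (cdf_read_property_info(...) == -1)` spans two lines and has no braces, where the removed code braced the same statement. Keeping `{ return -1; }` avoids a misleading-indentation mistake in a function that parses untrusted file data. The same hunk now fills `ssi->si_count` with `CDF_TOLE4`; the declared width of that field is outside the hunk and should be confirmed to be 32 bits.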
@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, i, inp[i].pi_id, inp[i].pi_type, q - p, offs)); if (inp[i].pi_type & CDF_VECTOR) { nelements = CDF_GETUINT32(q, 1); + if (nelements == 0) { + DPRINTF(("CDF_VECTOR with nelements == 0\n")); + goto out; + } o = 2; } else { nelements = 1; @@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, } DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n", nelements)); - for (j = 0; j < nelements; j++, i++) { + for (j = 0; j < nelements && i < sh.sh_properties; + j++, i++) + { uint32_t l = CDF_GETUINT32(q, o); inp[i].pi_str.s_len = l; inp[i].pi_str.s_buf = (const char *) ++++++ php-5.4.20-CVE-2014-2497.patch ++++++ Description: Patch to fix PHP bug 66901. Author: Andres Mejia Forwarded: no Index: ext/gd/libgd/gdxpm.c =================================================================== --- ext/gd/libgd/gdxpm.c.orig 2014-02-05 11:00:36.000000000 +0100 +++ ext/gd/libgd/gdxpm.c 2014-04-04 14:06:15.991206709 +0200 @@ -39,6 +39,14 @@ number = image.ncolors; colors = (int *) safe_emalloc(number, sizeof(int), 0); for (i = 0; i < number; i++) { + if (!image.colorTable[i].c_color) + { + /* unsupported color key or color key not defined */ + gdImageDestroy(im); + gdFree(colors); + im = 0; + goto done; + } switch (strlen (image.colorTable[i].c_color)) { case 4: buf[1] = '\0'; ++++++ php-5.4.20-CVE-2014-3478.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Ffileinfo%2Flibmagic%2Fsoftmagic.c;h=01e49778bf42811dcb34d8b6e9597922df69520b;hp=21fea6b72647b71fba8b6f56d83f96f612406b2b;hb=e77659a8c87272e5061738a31430d2111482c426;hpb=949cab09f24abb80b8585af744bd964dc17f7401 diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index 21fea6b..01e4977 100644 --- ext/fileinfo/libmagic/softmagic.c +++ ext/fileinfo/libmagic/softmagic.c 
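Review bot: The `i < sh.sh_properties` term added to the inner `for` in the second cdf_read_property_info hunk ends the loop silently when a vector claims more elements than there are property slots, so a malformed file is truncated without any trace. The first hunk logs its rejection with `DPRINTF(("CDF_VECTOR with nelements == 0\n"))`; a matching `DPRINTF` after the loop when `j < nelements`, or a `goto out`, would make this case visible as well. The opening brace on its own line also differs from the `if (...) {` style of the surrounding lines. Both hunks show only part of the function.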
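Review bot: The early exit in the gdxpm.c hunk hand-rolls its cleanup (`gdImageDestroy(im); gdFree(colors); im = 0;`) before `goto done`, so it has to stay in step with whatever `done:` releases, and that label is outside the hunk. In particular, confirm that `done:` still frees `image`, and that `gdFree()` is the right counterpart for the `safe_emalloc()` that allocated `colors`. For the pointer reset I would write `im = NULL;`, and the `{` on its own line does not match the `for (...) {` line just above.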
@@ -881,10 +881,18 @@ mconvert(struct magic_set *ms, struct magic *m, int flip) return 1; } case FILE_PSTRING: { - char *ptr1 = p->s, *ptr2 = ptr1 + file_pstring_length_size(m); + size_t sz = file_pstring_length_size(m); + char *ptr1 = p->s, *ptr2 = ptr1 + sz; size_t len = file_pstring_get_length(m, ptr1); - if (len >= sizeof(p->s)) - len = sizeof(p->s) - 1; + if (len >= sizeof(p->s)) { + /* + * The size of the pascal string length (sz) + * is 1, 2, or 4. We need at least 1 byte for NUL + * termination, but we've already truncated the + * string by p->s, so we need to deduct sz. + */ + len = sizeof(p->s) - sz; + } while (len--) *ptr1++ = *ptr2++; *ptr1 = '\0'; ++++++ php-5.4.20-CVE-2014-3479.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Ffileinfo%2Flibmagic%2Fcdf.c;h=c9a5d50a35bae973cc01801a422c94f8ff9cd86d;hp=16649f193fbce5336369f30ce23cad3fd24f87aa;hb=5c9f96799961818944d43b22c241cc56c215c2e4;hpb=d02aa440909b7a20098ccc9d3820629a36037596 diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index 16649f1..c9a5d50 100644 --- ext/fileinfo/libmagic/cdf.c +++ ext/fileinfo/libmagic/cdf.c 
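Review bot: The clamp in the FILE_PSTRING case still fires only when `len >= sizeof(p->s)`, but the copy loop reads from `ptr2 = ptr1 + sz`. A length between `sizeof(p->s) - sz + 1` and `sizeof(p->s) - 1` is therefore not clamped and the loop reads up to `sz - 1` bytes past the end of `p->s`. Comparing against the space that actually remains closes the gap: `if (len > sizeof(p->s) - sz) {`, with the assignment `len = sizeof(p->s) - sz;` left as it is. This relies on `sz` being 1, 2 or 4 as the new comment states. The changes file lists later patches that are not shown in this part of the page, so check whether one of them already covers this.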
@@ -277,13 +277,15 @@ cdf_check_stream_offset(const cdf_stream_t *sst, const cdf_header_t *h, { const char *b = (const char *)sst->sst_tab; const char *e = ((const char *)p) + tail; + size_t ss = sst->sst_dirlen < h->h_min_size_standard_stream ? + CDF_SHORT_SEC_SIZE(h) : CDF_SEC_SIZE(h); (void)&line; - if (e >= b && (size_t)(e - b) <= CDF_SEC_SIZE(h) * sst->sst_len) + if (e >= b && (size_t)(e - b) <= ss * sst->sst_len) return 0; DPRINTF(("%d: offset begin %p < end %p || %" SIZE_T_FORMAT "u" " > %" SIZE_T_FORMAT "u [%" SIZE_T_FORMAT "u %" SIZE_T_FORMAT "u]\n", line, b, e, (size_t)(e - b), - CDF_SEC_SIZE(h) * sst->sst_len, CDF_SEC_SIZE(h), sst->sst_len)); + ss * sst->sst_len, ss, sst->sst_len)); errno = EFTYPE; return -1; } ++++++ php-5.4.20-CVE-2014-3480.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Ffileinfo%2Flibmagic%2Fcdf.c;h=ee467a6671ed93b91728f9820ed643efaab736a9;hp=c9a5d50a35bae973cc01801a422c94f8ff9cd86d;hb=40ef6e07e0b2cdced57c506e08cf18f47122292d;hpb=2b33a41162a729b3b680fa2015efe11f15cc3114 diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index c9a5d50..ee467a6 100644 --- ext/fileinfo/libmagic/cdf.c +++ ext/fileinfo/libmagic/cdf.c @@ -470,7 +470,8 @@ size_t cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) { size_t i, j; - cdf_secid_t maxsector = (cdf_secid_t)(sat->sat_len * size); + cdf_secid_t maxsector = (cdf_secid_t)((sat->sat_len * size) + / sizeof(maxsector)); DPRINTF(("Chain:")); for (j = i = 0; sid >= 0; i++, j++) { 
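Review bot: The new `ss` selection in cdf_check_stream_offset has no comment saying why a stream with `sst_dirlen` below `h->h_min_size_standard_stream` is measured in short sectors. I would add `/* streams below the standard-stream threshold live in short sectors, so bound them by the short sector size */` above the declaration; that reading is inferred from the macro names and should be confirmed. The product `ss * sst->sst_len` is also written three times and is unchecked, so computing it once into a local would make the bound easier to audit.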
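Review bot: In cdf_count_chain, `sizeof(maxsector)` inside the initializer of `maxsector` itself is legal but easy to misread. The intent is presumably the size of one table entry, so `/ sizeof(cdf_secid_t)` states it directly, with a comment such as `/* sat_len * size is a byte count; each entry is one cdf_secid_t */`. The quotient is then cast from `size_t` to the signed `cdf_secid_t`; if that type is 32 bits, a large `sat_len` could turn the limit negative. The `sid >= maxsector` test in the next hunk depends on this value.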
@@ -480,8 +481,8 @@ cdf_count_chain(const cdf_sat_t *sat, cdf_secid_t sid, size_t size) errno = EFTYPE; return (size_t)-1; } - if (sid > maxsector) { - DPRINTF(("Sector %d > %d\n", sid, maxsector)); + if (sid >= maxsector) { + DPRINTF(("Sector %d >= %d\n", sid, maxsector)); errno = EFTYPE; return (size_t)-1; } ++++++ php-5.4.20-CVE-2014-3487.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Ffileinfo%2Flibmagic%2Fcdf.c;h=429f3b952f68d1ef7f2ebb4925ef5b16c54b7833;hp=ee467a6671ed93b91728f9820ed643efaab736a9;hb=25b1dc917a53787dbb2532721ca22f3f36eb13c0;hpb=da5d40bae6505364c3604385a2b6ae4e27a4a5d6 diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c index ee467a6..429f3b9 100644 --- ext/fileinfo/libmagic/cdf.c +++ ext/fileinfo/libmagic/cdf.c @@ -812,7 +812,11 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h, if (cdf_check_stream_offset(sst, h, e, 0, __LINE__) == -1) goto out; for (i = 0; i < sh.sh_properties; i++) { - size_t ofs = CDF_GETUINT32(p, (i << 1) + 1); + size_t ofs, tail = (i << 1) + 1; + if (cdf_check_stream_offset(sst, h, p, tail * sizeof(uint32_t), + __LINE__) == -1) + goto out; + ofs = CDF_GETUINT32(p, tail); q = (const uint8_t *)(const void *) ((const char *)(const void *)p + ofs - 2 * sizeof(uint32_t)); ++++++ php-5.4.20-CVE-2014-3515.patch ++++++ From: Stanislav Malyshev Date: Sun, 22 Jun 2014 02:46:16 +0000 (-0700) Subject: Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion X-Git-Tag: php-5.4.30~6 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=88223c5245e9b470e1e6362bfd96829562ffe6ab Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion --- diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c index 758947a..bf034ab 100644 --- ext/spl/spl_array.c +++ ext/spl/spl_array.c 
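Review bot: The check added in the CVE-2014-3487 hunk validates `p + tail * sizeof(uint32_t)`, which is where the following `CDF_GETUINT32(p, tail)` starts reading, not where it ends. If the macro reads four bytes at index `tail` (its definition is not visible here), the last property offset can still be read up to four bytes past the stream. Passing `(tail + 1) * sizeof(uint32_t)` to `cdf_check_stream_offset()` would cover the whole read. The `ofs` value obtained is then used in pointer arithmetic on the next lines; whether it is validated afterwards lies outside the hunk.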
@@ -1808,7 +1808,7 @@ SPL_METHOD(Array, unserialize) ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c index 1a706f7..da9110b 100644 --- ext/spl/spl_observer.c +++ ext/spl/spl_observer.c @@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize) ++p; ALLOC_INIT_ZVAL(pmembers); - if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) { zval_ptr_dtor(&pmembers); goto outexcept; } ++++++ php-5.4.20-CVE-2014-4049.patch ++++++ >From 4f73394fdd95d3165b4391e1b0dedd57fced8c3b Mon Sep 17 00:00:00 2001 From: Sara Golemon Date: Tue, 10 Jun 2014 11:18:02 -0700 Subject: [PATCH] Fix potential segfault in dns_get_record() If the remote sends us a packet with a malformed TXT record, we could end up trying to over-consume the packet and wander off into overruns. --- ext/standard/dns.c | 4 ++++ 1 file changed, 4 insertions(+) --- ext/standard/dns.c +++ ext/standard/dns.c @@ -517,6 +517,10 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int while (ll < dlen) { n = cp[ll]; + if ((ll + n) >= dlen) { + // Invalid chunk length, truncate + n = dlen - (ll + 1); + } memcpy(tp + ll , cp + ll + 1, n); add_next_index_stringl(entries, cp + ll + 1, n, 1); ll = ll + n + 1; -- 1.9.3 ++++++ php-CVE-2014-3597.patch ++++++ >From 2fefae47716d501aec41c1102f3fd4531f070b05 Mon Sep 17 00:00:00 2001 
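Review bot: The `Z_TYPE_P(pmembers) != IS_ARRAY` test in the spl_array.c hunk is appended to the unserialize failure condition with no comment, and the identical line is added in the spl_observer.c hunk. A note such as `/* members must be an array: the code after this uses pmembers as a hash table */` would record why a successfully parsed non-array value is rejected. That wording is inferred from the bug title and the use of `pmembers` is outside both hunks. The patch adds no regression test for either class.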
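Review bot: The comment added in the dns.c hunk uses `//`, while the other comments visible in the PHP sources on this page use `/* ... */`; I would write `/* Invalid chunk length, truncate */`. The same line appears again in the TXT hunk of the php-CVE-2014-3597 patch further down. The types of `n` and `ll` are declared outside the hunk, so confirm that `dlen - (ll + 1)` cannot become negative before it reaches `memcpy()`.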
From: Remi Collet Date: Tue, 19 Aug 2014 08:33:49 +0200 Subject: [PATCH] Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597 Incomplete fix for CVE-2014-4049 Check possible buffer overflow - pass real buffer end to dn_expand calls - check buffer len before each read --- ext/standard/dns.c | 84 ++++++++++++++++++++++++++++++++++++++---------------- 1 file changed, 60 insertions(+), 24 deletions(-) diff --git a/ext/standard/dns.c b/ext/standard/dns.c index 214a7dc..0b5e69c 100644 --- ext/standard/dns.c +++ ext/standard/dns.c @@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record) #if HAVE_FULL_DNS_FUNCS +#define CHECKCP(n) do { \ + if (cp + n > end) { \ + return NULL; \ + } \ +} while (0) + /* {{{ php_parserr */ -static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) +static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray) { u_short type, class, dlen; u_long ttl; @@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int *subarray = NULL; - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2); + n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2); if (n < 0) { return NULL; } cp += n; + CHECKCP(10); GETSHORT(type, cp); GETSHORT(class, cp); GETLONG(ttl, cp); GETSHORT(dlen, cp); + CHECKCP(dlen); if (type_to_fetch != T_ANY && type != type_to_fetch) { cp += dlen; return cp; @@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int switch (type) { case DNS_T_A: + CHECKCP(4); add_assoc_string(*subarray, "type", "A", 1); snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]); add_assoc_string(*subarray, "ip", name, 1); cp += dlen; break; case DNS_T_MX: + CHECKCP(2); add_assoc_string(*subarray, "type", "MX", 1); GETSHORT(n, cp); add_assoc_long(*subarray, "pri", n); 
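Review bot: The `CHECKCP` macro uses its argument unparenthesized and forms `cp + n` before comparing, so an oversized `n` computes a pointer beyond the buffer, which is undefined behaviour, before the test can reject it. Comparing against the remaining length avoids both problems: `if ((n) > end - cp) {`. The macro also hides a `return NULL`, so a one-line comment saying that it returns from the enclosing function would help readers of the `switch` cases that call it.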
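Review bot: `CHECKCP(10)` in the second php_parserr hunk is a bare number; a trailing comment `/* type(2) + class(2) + ttl(4) + dlen(2) */` would tie it to the four reads that follow. The hunk also adds the `end` parameter to the signature, so every caller has to pass the real end of the answer buffer. Those call sites are outside the hunks shown here and should be checked to make sure that none still assumes the old `answer->qb2+65536` bound.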
@@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int if (type == DNS_T_PTR) { add_assoc_string(*subarray, "type", "PTR", 1); } - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int case DNS_T_HINFO: /* See RFC 1010 for values */ add_assoc_string(*subarray, "type", "HINFO", 1); + CHECKCP(1); n = *cp & 0xFF; cp++; + CHECKCP(n); add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1); cp += n; + CHECKCP(1); n = *cp & 0xFF; cp++; + CHECKCP(n); add_assoc_stringl(*subarray, "os", (char*)cp, n, 1); cp += n; break; case DNS_T_TXT: { - int ll = 0; + int l1 = 0, l2 = 0; zval *entries = NULL; add_assoc_string(*subarray, "type", "TXT", 1); 
@@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int MAKE_STD_ZVAL(entries); array_init(entries); - while (ll < dlen) { - n = cp[ll]; - if ((ll + n) >= dlen) { + while (l1 < dlen) { + n = cp[l1]; + if ((l1 + n) >= dlen) { // Invalid chunk length, truncate - n = dlen - (ll + 1); + n = dlen - (l1 + 1); + } + if (n) { + memcpy(tp + l2 , cp + l1 + 1, n); + add_next_index_stringl(entries, cp + l1 + 1, n, 1); } - memcpy(tp + ll , cp + ll + 1, n); - add_next_index_stringl(entries, cp + ll + 1, n, 1); - ll = ll + n + 1; + l1 = l1 + n + 1; + l2 = l2 + n; } - tp[dlen] = '\0'; + tp[l2] = '\0'; cp += dlen; - add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0); + add_assoc_stringl(*subarray, "txt", tp, l2, 0); add_assoc_zval(*subarray, "entries", entries); } break; case DNS_T_SOA: add_assoc_string(*subarray, "type", "SOA", 1); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); if (n < 0) { return NULL; } cp += n; add_assoc_string(*subarray, "mname", name, 1); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2); if (n < 0) { return NULL; } cp += n; add_assoc_string(*subarray, "rname", name, 1); + CHECKCP(5*4); GETLONG(n, cp); add_assoc_long(*subarray, "serial", n); GETLONG(n, cp); @@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int break; case DNS_T_AAAA: tp = (u_char*)name; + CHECKCP(8*2); for(i=0; i < 8; i++) { GETSHORT(s, cp); if (s != 0) { @@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int case DNS_T_A6: p = cp; add_assoc_string(*subarray, "type", "A6", 1); + CHECKCP(1); n = ((int)cp[0]) & 0xFF; cp++; add_assoc_long(*subarray, "masklen", n); 
@@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int cp++; } for (i = (n + 8) / 16; i < 8; i++) { + CHECKCP(2); GETSHORT(s, cp); if (s != 0) { if (tp > (u_char *)name) { @@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int tp[0] = '\0'; add_assoc_string(*subarray, "ipv6", name, 1); if (cp < p + dlen) { - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int } break; case DNS_T_SRV: + CHECKCP(3*2); add_assoc_string(*subarray, "type", "SRV", 1); GETSHORT(n, cp); add_assoc_long(*subarray, "pri", n); @@ -673,7 +695,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int add_assoc_long(*subarray, "weight", n); GETSHORT(n, cp); add_assoc_long(*subarray, "port", n); - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } 
@@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int add_assoc_string(*subarray, "target", name, 1); break; case DNS_T_NAPTR: + CHECKCP(2*2); add_assoc_string(*subarray, "type", "NAPTR", 1); GETSHORT(n, cp); add_assoc_long(*subarray, "order", n); GETSHORT(n, cp); add_assoc_long(*subarray, "pref", n); + + CHECKCP(1); n = (cp[0] & 0xFF); - add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1); + cp++; + CHECKCP(n); + add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1); cp += n; + + CHECKCP(1); n = (cp[0] & 0xFF); - add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1); + cp++; + CHECKCP(n); + add_assoc_stringl(*subarray, "services", (char*)cp, n, 1); cp += n; + + CHECKCP(1); n = (cp[0] & 0xFF); - add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1); + cp++; + CHECKCP(n); + add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1); cp += n; - n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2); + + n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2); if (n < 0) { return NULL; } @@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record) while (an-- && cp && cp < end) { zval *retval; - cp = php_parserr(cp, &answer, type_to_fetch, store_results, raw, &retval); + cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, raw, &retval); if (retval != NULL && store_results) { add_next_index_zval(return_value, retval); } @@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record) while (ns-- > 0 && cp && cp < end) { zval *retval = NULL; - cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, raw, &retval); + cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, raw, &retval); if (retval != NULL) { add_next_index_zval(authns, retval); } 
@@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record) while (ar-- > 0 && cp && cp < end) { zval *retval = NULL; - cp = php_parserr(cp, &answer, DNS_T_ANY, 1, raw, &retval); + cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, raw, &retval); if (retval != NULL) { add_next_index_zval(addtl, retval); } ++++++ php-CVE-2014-3668.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fxmlrpc%2Flibxmlrpc%2Fxmlrpc.c;h=b766a5495a41b3ecd5eecdcfae901c9068937da0;hp=ce70c2afd909b748f3ddc4560a1c3f882a498014;hb=88412772d295ebf7dd34409534507dc9bcac726e;hpb=82b07b62c06e9e55ab3590f20bd80a84ce73a801 diff --git a/ext/xmlrpc/libxmlrpc/xmlrpc.c b/ext/xmlrpc/libxmlrpc/xmlrpc.c index ce70c2a..b766a54 100644 --- ext/xmlrpc/libxmlrpc/xmlrpc.c +++ ext/xmlrpc/libxmlrpc/xmlrpc.c @@ -219,16 +219,19 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_mon = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+4]) tm.tm_mon += (text[i+4]-'0')*n; n /= 10; } tm.tm_mon --; + if(tm.tm_mon < 0 || tm.tm_mon > 11) { + return -1; + } n = 10; tm.tm_mday = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+6]) tm.tm_mday += (text[i+6]-'0')*n; n /= 10; } @@ -236,7 +239,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_hour = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+9]) tm.tm_hour += (text[i+9]-'0')*n; n /= 10; } @@ -244,7 +247,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_min = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+12]) tm.tm_min += (text[i+12]-'0')*n; n /= 10; } 
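Review bot: In `date_from_ISO8601` (ext/xmlrpc/libxmlrpc/xmlrpc.c) only `tm.tm_mon` receives a range check after parsing; `tm_mday`, `tm_hour`, `tm_min` and `tm_sec` are still accepted as any two digits. If the conversion that consumes `tm` (outside these hunks) assumes calendar ranges for those fields, as the new month check suggests it does for the month, they need the same guard, e.g. `if (tm.tm_mday < 1 || tm.tm_mday > 31) { return -1; }` after the day loop. `XMLRPC_IS_NUMBER` appears to leave the function on a non-digit; a short comment at its first use would make that exit visible.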
@@ -252,7 +255,7 @@ static int date_from_ISO8601 (const char *text, time_t * value) { n = 10; tm.tm_sec = 0; for(i = 0; i < 2; i++) { - XMLRPC_IS_NUMBER(text[i]) + XMLRPC_IS_NUMBER(text[i+15]) tm.tm_sec += (text[i+15]-'0')*n; n /= 10; } ++++++ php-CVE-2014-3669.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fstandard%2Fvar_unserializer.re;h=6de158392e116823eaba710dbf221e722e351250;hp=130750805f462a4a79cddf5a96e95bf2e63bf432;hb=56754a7f9eba0e4f559b6ca081d9f2a447b3f159;hpb=88412772d295ebf7dd34409534507dc9bcac726e diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re index 1307508..6de1583 100644 --- ext/standard/var_unserializer.re +++ ext/standard/var_unserializer.re @@ -376,7 +376,7 @@ static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce) (*p) += 2; - if (datalen < 0 || (*p) + datalen >= max) { + if (datalen < 0 || (max - (*p)) <= datalen) { zend_error(E_WARNING, "Insufficient data for unserializing - %ld required, %ld present", datalen, (long)(max - (*p))); return 0; } ++++++ php-CVE-2014-3670.patch ++++++ -Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=637ebf9289b40d157fdf8edcdddeb3d907b28d9b;hp=38907b4d942a8d2419060a688aa3c5e5dedcb118;hb=ddb207e7fa2e9adeba021a1303c3781efda5409b;hpb=d1e030db02f402efebfe2976482dd7e7ebe2956f diff --git a/ext/exif/exif.c b/ext/exif/exif.c index 38907b4..637ebf9 100644 --- ext/exif/exif.c +++ ext/exif/exif.c 
@@ -2426,11 +2426,11 @@ static void* exif_ifd_make_value(image_info_data *info_data, int motorola_intel data_ptr += 8; break; case TAG_FMT_SINGLE: - memmove(data_ptr, &info_data->value.f, byte_count); + memmove(data_ptr, &info_value->f, 4); data_ptr += 4; break; case TAG_FMT_DOUBLE: - memmove(data_ptr, &info_data->value.d, byte_count); + memmove(data_ptr, &info_value->d, 8); data_ptr += 8; break; } ++++++ php-CVE-2014-4670.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_dllist.c;h=0b44d414d82378bf2741fcd568dff20f407380a6;hp=39a0733b9ac78901cc7eaf9eba080ff060517771;hb=df78c48354f376cf419d7a97f88ca07d572f00fb;hpb=131e60ce569631b5b7c61b8392f545dde936df3e --- ext/spl/spl_dllist.c +++ ext/spl/spl_dllist.c @@ -43,12 +43,10 @@ PHPAPI zend_class_entry *spl_ce_SplStack; #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \ efree(elem); \ - elem = NULL; \ } #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \ efree(elem); \ - elem = NULL; \ } #define SPL_LLIST_ADDREF(elem) (elem)->rc++ @@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset) llist->dtor(element TSRMLS_CC); } + if (intern->traverse_pointer == element) { + SPL_LLIST_DELREF(element); + intern->traverse_pointer = NULL; + } + zval_ptr_dtor((zval **)&element->data); element->data = NULL; ++++++ php-CVE-2014-4698.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=0fe47b651c13f80c35e612de5cf69ea306095fe6;hp=8392e72714b80483641b1a0d2b6e6389e3c22959;hb=22882a9d89712ff2b6ebc20a689a89452bba4dcd;hpb=df78c48354f376cf419d7a97f88ca07d572f00fb Index: ext/spl/spl_array.c =================================================================== --- ext/spl/spl_array.c.orig 2014-07-17 15:55:19.213412193 +0200 +++ ext/spl/spl_array.c 2014-07-17 15:55:19.229412192 +0200 
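Review bot: With `elem = NULL;` removed from `SPL_LLIST_DELREF` in ext/spl/spl_dllist.c, the block added to `offsetUnset` leaves `element` dangling if that call drops the last reference, and the following lines still dereference it (`zval_ptr_dtor((zval **)&element->data); element->data = NULL;`). This is safe only if the list still holds its own reference at that point, which cannot be confirmed from the hunk. A comment stating the invariant would document it, e.g. `/* traverse_pointer held an extra ref; the list's ref keeps element alive until the final DELREF */`. Both macros are also bare `if` statements; wrapping them in `do { ... } while (0)` would avoid dangling-else surprises at call sites.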
@@ -1738,6 +1738,7 @@ const unsigned char *p, *s; php_unserialize_data_t var_hash; zval *pmembers, *pflags = NULL; + HashTable *aht; long flags; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { @@ -1749,6 +1750,12 @@ return; } + aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); + if (aht->nApplyCount > 0) { + zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited"); + return; + } + /* storage */ s = p = (const unsigned char*)buf; PHP_VAR_UNSERIALIZE_INIT(var_hash); ++++++ php-CVE-2014-4721.patch ++++++ https://bugs.php.net/patch-display.php?bug_id=67498&patch=bug67948-patch&revision=latest --- ext/standard/info.c +++ ext/standard/info.c 
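Review bot: In ext/spl/spl_array.c, `aht` is dereferenced (`aht->nApplyCount`) straight after `spl_array_get_hash_table()` with no NULL check. If that helper can return NULL when the backing array is no longer valid (not visible in this hunk, please confirm), the unserialize path would crash on the new guard; `if (!aht) { return; }` with a warning before the test would cover it. The warning text says "during sorting" although this code path is unserialization, which may mislead whoever reads the log. The enclosing method starts and ends outside the hunk.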
@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC) php_info_print_table_start(); php_info_print_table_header(2, "Variable", "Value"); - if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data)); } - if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) { + if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) { php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data)); } php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC); ++++++ php-CVE-2014-5120.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fgd%2Fgd_ctx.c;h=253b6648f35e19aeec2bcd06edc7bfb2c8eb4c8d;hp=59eff80443685ffc99516423f47beb1ace4910eb;hb=1daa4c0090b7cd8178dcaa96287234c69ac6ca18;hpb=fbceec5861e08b10e75af36a097da35d9f808ef6 diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c index 59eff80..253b664 100644 --- ext/gd/gd_ctx.c +++ ext/gd/gd_ctx.c 
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type, RETURN_FALSE; } } else if (Z_TYPE_P(to_zval) == IS_STRING) { + if (CHECK_ZVAL_NULL_PATH(to_zval)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes"); + RETURN_FALSE; + } + stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL); if (stream == NULL) { RETURN_FALSE; ++++++ php-CVE-2014-8142.patch ++++++ http://git.php.net/?p=php-src.git;a=commitdiff;h=630f9c33c23639de85c3fd306b209b538b73b4c9 index 7afef6a..4cf1d10 100644 --- ext/standard/var_unserializer.re +++ ext/standard/var_unserializer.re @@ -347,6 +347,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); + if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + var_push_dtor(var_hash, old_data); + } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } ++++++ php-CVE-2014-9427.patch ++++++ http://git.php.net/?p=php-src.git;a=commit;h=f9ad3086693fce680fbe246e4a45aa92edd2ac35 Index: sapi/cgi/cgi_main.c =================================================================== --- sapi/cgi/cgi_main.c.orig 2015-01-05 17:05:35.584546329 +0100 +++ sapi/cgi/cgi_main.c 2015-01-05 17:06:02.786896356 +0100 
@@ -2435,14 +2435,17 @@ int i = 1; c = file_handle.handle.stream.mmap.buf[i++]; - while (c != '\n' && c != '\r' && c != EOF) { + while (c != '\n' && c != '\r' && i < file_handle.handle.stream.mmap.len) { c = file_handle.handle.stream.mmap.buf[i++]; } if (c == '\r') { - if (file_handle.handle.stream.mmap.buf[i] == '\n') { + if (i < file_handle.handle.stream.mmap.len && file_handle.handle.stream.mmap.buf[i] == '\n') { i++; } } + if(i > file_handle.handle.stream.mmap.len) { + i = file_handle.handle.stream.mmap.len; + } file_handle.handle.stream.mmap.buf += i; file_handle.handle.stream.mmap.len -= i; } ++++++ php-CVE-2014-9652.patch ++++++ https://github.com/php/php-src/commit/ede59c8feb4b80e1b94e4abdaa0711051e2912ab diff --git ext/fileinfo/libmagic/softmagic.c ext/fileinfo/libmagic/softmagic.c index 7e0c856..e7b7855 100644 --- ext/fileinfo/libmagic/softmagic.c +++ ext/fileinfo/libmagic/softmagic.c @@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip) size_t sz = file_pstring_length_size(m); char *ptr1 = p->s, *ptr2 = ptr1 + sz; size_t len = file_pstring_get_length(m, ptr1); - if (len >= sizeof(p->s)) { + sz = sizeof(p->s) - sz; /* maximum length of string */ + if (len >= sz) { /* * The size of the pascal string length (sz) * is 1, 2, or 4. We need at least 1 byte for NUL * termination, but we've already truncated the * string by p->s, so we need to deduct sz. + * Because we can use one of the bytes of the length + * after we shifted as NUL termination. */ - len = sizeof(p->s) - sz; + len = sz; } while (len--) *ptr1++ = *ptr2++; ++++++ php-CVE-2014-9705.patch ++++++ https://bugzilla.suse.com/show_bug.cgi?id=922451#c12 --- ext/enchant/enchant.c 2014-06-25 15:06:23.000000000 +0200 +++ ext/enchant/enchant.c 2015-03-19 11:32:48.517178050 +0100 
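Review bot: In sapi/cgi/cgi_main.c the first read `c = file_handle.handle.stream.mmap.buf[i++];` with `i = 1` still happens before any comparison with `mmap.len`; the new `i < file_handle.handle.stream.mmap.len` test only protects the reads inside the loop. For a mapped file of length 1 that is a read one byte past the data, unless the enclosing condition (outside this hunk) already guarantees a length of at least 2. The trailing clamp of `i` to `mmap.len` corrects the index afterwards but not the read itself; requiring `file_handle.handle.stream.mmap.len > 1` before entering the block would.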
@@ -550,13 +550,12 @@ d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag); if (d) { - if (pbroker->dictcnt) { + pos = pbroker->dictcnt++; + if (pos) { pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); - pos = pbroker->dictcnt++; } else { pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); pos = 0; - pbroker->dictcnt++; } dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); @@ -607,14 +606,14 @@ d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl); if (d) { - if (pbroker->dictcnt) { - pos = pbroker->dictcnt++; + pos = pbroker->dictcnt++; + if (pos) { pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt); } else { pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *)); pos = 0; - pbroker->dictcnt++; } + dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict)); dict->id = pos; dict->pbroker = pbroker; ++++++ php-CVE-2014-9709.patch ++++++ From: Remi Collet Date: Sat, 13 Dec 2014 08:03:44 +0000 (+0100) Subject: Fix bug #68601 buffer read overflow in gd_gif_in.c X-Git-Tag: php-5.5.21RC1~38 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=07b5896a1389c3e865cbd2fb353806b2cefe4f5c Fix bug #68601 buffer read overflow in gd_gif_in.c --- Index: ext/gd/libgd/gd_gif_in.c =================================================================== --- ext/gd/libgd/gd_gif_in.c.orig 2014-10-01 11:17:38.000000000 +0200 +++ ext/gd/libgd/gd_gif_in.c 2015-03-24 15:59:13.076070347 +0100 @@ -72,8 +72,10 @@ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2) +#define CSD_BUF_SIZE 280 + typedef struct { - unsigned char buf[280]; + unsigned char buf[CSD_BUF_SIZE]; int curbit, lastbit, done, last_byte; } CODE_STATIC_DATA; 
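Review bot: In both `if (pos)` branches of ext/enchant/enchant.c the size passed to `erealloc` is `sizeof(enchant_dict *) * pbroker->dictcnt`, an unchecked multiplication; `safe_erealloc(pbroker->dict, pbroker->dictcnt, sizeof(enchant_dict *), 0)` performs the overflow check. The `pos = 0;` kept in the `else` branch is now redundant, since `pos` was just tested to be zero. The same applies to the second hunk, around the `enchant_broker_request_pwl_dict` call. Both enclosing functions start and end outside the hunks.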
@@ -398,9 +400,14 @@ scd->lastbit = (2+count)*8 ; } - ret = 0; - for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) - ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j; + if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) { + ret = -1; + } else { + ret = 0; + for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) { + ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j; + } + } scd->curbit += code_size; return ret; ++++++ php-CVE-2015-0231.patch ++++++ http://git.php.net/?p=php-src.git;a=commitdiff;h=e63f7b47e1937821e75e9862284c3150e1b1d524;hp=fc6aa939f59c9be0febe0fa141629e49541bab8c --- ext/standard/var_unserializer.re +++ ext/standard/var_unserializer.re @@ -347,7 +347,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long } else { /* object properties should include no integers */ convert_to_string(key); - if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { + if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) { var_push_dtor(var_hash, old_data); } zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, ++++++ php-CVE-2015-0232.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fexif%2Fexif.c;h=7f95ff43ea7cc9a2c41a912863ed70069c0e34c5;hp=637ebf9289b40d157fdf8edcdddeb3d907b28d9b;hb=2fc178cf448d8e1b95d1314e47eeef610729e0df;hpb=f9ad3086693fce680fbe246e4a45aa92edd2ac35 index 637ebf9..7f95ff4 100644 Index: ext/exif/exif.c =================================================================== --- ext/exif/exif.c.orig 2015-01-26 13:09:34.856131108 +0100 +++ ext/exif/exif.c 2015-01-26 13:09:56.748392976 +0100 
@@ -2701,6 +2701,7 @@ { xp_field->tag = tag; + xp_field->value = NULL; /* Copy the comment */ if (zend_multibyte_encoding_converter( (unsigned char**)&xp_field->value, ++++++ php-CVE-2015-2301.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Fphar_object.c;h=712795b1a4f863cea7b0a224e3adf3caa42ab881;hp=3671054b816f267f63cdd951146eeb3ac0cd54eb;hb=b2cf3f064b8f5efef89bb084521b61318c71781b;hpb=4c5995b1729b100b00707ddf32d072355dcc3ae8 --- ext/phar/phar_object.c +++ ext/phar/phar_object.c @@ -2139,8 +2139,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c } its_ok: if (SUCCESS == php_stream_stat_path(newpath, &ssb)) { - efree(oldpath); zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath); + efree(oldpath); return NULL; } if (!phar->is_data) { ++++++ php-CVE-2015-2305.patch ++++++ From: Stanislav Malyshev Date: Wed, 18 Mar 2015 00:04:57 +0000 (-0700) Subject: Fix bug #69248 - heap overflow vulnerability in regcomp.c X-Git-Tag: php-5.4.39~2 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282 Fix bug #69248 - heap overflow vulnerability in regcomp.c Merged from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334 --- --- ext/ereg/regex/regcomp.c +++ ext/ereg/regex/regcomp.c 
@@ -117,7 +117,15 @@ int cflags; (NC-1)*sizeof(cat_t)); if (g == NULL) return(REG_ESPACE); - p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */ + { + /* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */ + size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */ + if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) { + free((char *) g); + return REG_INVARG; + } + p->ssize = new_ssize; + } p->strip = (sop *)malloc(p->ssize * sizeof(sop)); p->slen = 0; if (p->strip == NULL) { ++++++ php-CVE-2015-2348.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fstandard%2Fbasic_functions.c;h=c3e223048afaa30e087036e006adb0849babcccc;hp=9a9df3094bec559376bacfbb9e6737c28f91dfda;hb=1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1;hpb=c8eaca013a3922e8383def6158ece2b63f6ec483 --- ext/standard/basic_functions.c +++ ext/standard/basic_functions.c @@ -5775,7 +5775,7 @@ PHP_FUNCTION(move_uploaded_file) RETURN_FALSE; } - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &new_path, &new_path_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sp", &path, &path_len, &new_path, &new_path_len) == FAILURE) { return; } ++++++ php-CVE-2015-2783.patch ++++++ >From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 5 Apr 2015 15:07:36 -0700 Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar) --- ext/phar/phar.c | 65 ++++++++++++++++++++----------------------- ext/phar/phar_internal.h | 2 +- ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes ext/phar/tests/bug69324.phpt | 17 +++++++++++ 4 files changed, 48 insertions(+), 36 deletions(-) create mode 100644 ext/phar/tests/bug69324.phar create mode 100644 ext/phar/tests/bug69324.phpt --- ext/phar/phar.c +++ ext/phar/phar.c 
@@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len * * data is the serialized zval */ -int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ +int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ { const unsigned char *p; - php_uint32 buf_len; php_unserialize_data_t var_hash; - if (!zip_metadata_len) { - PHAR_GET_32(*buffer, buf_len); - } else { - buf_len = zip_metadata_len; - } - - if (buf_len) { + if (zip_metadata_len) { ALLOC_ZVAL(*metadata); INIT_ZVAL(**metadata); p = (const unsigned char*) *buffer; PHP_VAR_UNSERIALIZE_INIT(var_hash); - if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { + if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { PHP_VAR_UNSERIALIZE_DESTROY(var_hash); zval_ptr_dtor(metadata); *metadata = NULL; @@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR if (PHAR_G(persist)) { /* lazy init metadata */ zval_ptr_dtor(metadata); - *metadata = (zval *) pemalloc(buf_len, 1); - memcpy(*metadata, *buffer, buf_len); - *buffer += buf_len; + *metadata = (zval *) pemalloc(zip_metadata_len, 1); + memcpy(*metadata, *buffer, zip_metadata_len); return SUCCESS; } } else { *metadata = NULL; } - if (!zip_metadata_len) { - *buffer += buf_len; - } - return SUCCESS; } /* }}}*/ @@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char phar_entry_info entry; php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; php_uint16 manifest_ver; + php_uint32 len; long offset; int sig_len, register_alias = 0, temp_alias = 0; char *signature = NULL; 
@@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char mydata->is_persistent = PHAR_G(persist); /* check whether we have meta data, zero check works regardless of byte order */ + PHAR_GET_32(buffer, len); if (mydata->is_persistent) { - PHAR_GET_32(buffer, mydata->metadata_len); - if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { - MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); - } - } else { - if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { - MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); + mydata->metadata_len = len; + if(!len) { + /* FIXME: not sure why this is needed but removing it breaks tests */ + PHAR_GET_32(buffer, len); } } + if(len > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); + } + if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { + MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); + } + buffer += len; /* set up our manifest */ zend_hash_init(&mydata->manifest, manifest_count, @@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char entry.manifest_pos = manifest_index; } - if (buffer + entry.filename_len + 20 > endbuffer) { + if (entry.filename_len + 20 > endbuffer - buffer) { MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); } 
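Review bot: Both `PHAR_GET_32(buffer, len)` reads in the archive-metadata block of `phar_parse_pharfile` run before the new `len > endbuffer - buffer` test, and nothing in the hunk checks that four (or, on the FIXME path, eight) bytes remain before `endbuffer`. If no earlier check outside the hunk guarantees that, a truncated manifest is read past its end before the bounds check can reject it; an `endbuffer - buffer < 4` test ahead of each read would close that. The FIXME branch also leaves `mydata->metadata_len` at 0 while a non-zero `len` is then parsed, which deserves a comment describing the on-disk layout it compensates for.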
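Review bot: The rewritten manifest-entry test `entry.filename_len + 20 > endbuffer - buffer` adds 20 before comparing, so if `filename_len` is a 32-bit unsigned field (its declaration is not in this hunk) a value close to the 32-bit maximum wraps to a small number and passes the check. Subtracting on the trusted side avoids the wrap: `if (endbuffer - buffer < 20 || entry.filename_len > (size_t)(endbuffer - buffer - 20))`. The enclosing function starts and ends outside the hunk.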
@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char entry.flags |= PHAR_ENT_PERM_DEF_DIR; } + PHAR_GET_32(buffer, len); if (entry.is_persistent) { - PHAR_GET_32(buffer, entry.metadata_len); - if (!entry.metadata_len) buffer -= 4; - if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { - pefree(entry.filename, entry.is_persistent); - MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); - } + entry.metadata_len = len; } else { - if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { - pefree(entry.filename, entry.is_persistent); - MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); - } + entry.metadata_len = 0; + } + if (len > endbuffer - buffer) { + MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); + } + if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { + pefree(entry.filename, entry.is_persistent); + MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); } + buffer += len; entry.offset = entry.offset_abs = offset; offset += entry.compressed_filesize; --- ext/phar/phar_internal.h +++ ext/phar/phar_internal.h 
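Review bot: The new `len > endbuffer - buffer` failure path in the per-entry metadata block calls `MAPPHAR_FAIL` without releasing `entry.filename`, whereas the `phar_parse_metadata` failure directly below it (and both removed branches) call `pefree(entry.filename, entry.is_persistent);` first. Unless `MAPPHAR_FAIL` frees it itself, which the neighbouring code suggests it does not, the filename allocation leaks on corrupt input; add the same `pefree` line before that `MAPPHAR_FAIL`. As in the archive-level block, `PHAR_GET_32(buffer, len)` runs before any check that four bytes remain.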
@@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len, char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC); -int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC); +int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); void destroy_phar_manifest_entry(void *pDest); int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); -- 2.1.4 ++++++ php-CVE-2015-2787.patch ++++++ https://gist.github.com/smalyshev/eea9eafc7c88a4a6d10d --- ext/standard/var_unserializer.re +++ ext/standard/var_unserializer.re @@ -353,6 +353,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, sizeof data, NULL); } + var_push_dtor(var_hash, &data); zval_dtor(key); FREE_ZVAL(key); ++++++ php-CVE-2015-3329.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Fphar_internal.h;h=84282d2a8fe8f3a7da67fa00d9f5dba48f4d8124;hp=fcfc86457d623350b93e88ab2438a07093bdde86;hb=f59b67ae50064560d7bfcdb0d6a8ab284179053c;hpb=45facd15fb1be704ee1ae374fa306dad8450edbd --- ext/phar/phar_internal.h +++ ext/phar/phar_internal.h 
@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */ { char tmp[MAXPATHLEN]; int tmp_len; + size_t len; - tmp_len = entry->filename_len + entry->phar->fname_len; - memcpy(tmp, entry->phar->fname, entry->phar->fname_len); - memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len); + tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len); + len = MIN(entry->phar->fname_len, tmp_len); + memcpy(tmp, entry->phar->fname, len); + len = MIN(tmp_len - len, entry->filename_len); + memcpy(tmp + entry->phar->fname_len, entry->filename, len); entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len); } /* }}} */ ++++++ php-CVE-2015-3330.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=sapi%2Fapache2handler%2Fsapi_apache2.c;h=840c55041d25f7f6e574335d82d659eb29ed36a0;hp=088ff77769b7400dbde18c61f7f49b58ed8e0922;hb=01883bcffb682f34309f9fbf112eecb050559522;hpb=f678693e1a6950cae08a99cd145d5d0dc24f92bb --- sapi/apache2handler/sapi_apache2.c +++ sapi/apache2handler/sapi_apache2.c @@ -688,6 +688,7 @@ zend_first_try { } zend_end_try(); } apr_brigade_cleanup(brigade); + apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup); } else { ctx->r = parent_req; } ++++++ php-CVE-2015-3411,3412,4598.patch ++++++ From: Stanislav Malyshev Date: Sun, 5 Apr 2015 23:01:24 +0000 (-0700) Subject: Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions) X-Git-Tag: php-5.5.24~14 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions) --- Index: ext/dom/document.c =================================================================== --- ext/dom/document.c.orig 2015-06-22 13:12:07.223032487 +0200 +++ ext/dom/document.c 2015-06-22 13:17:03.008970520 +0200 
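Review bot: In `phar_set_inode` (ext/phar/phar_internal.h) the second copy still targets `tmp + entry->phar->fname_len`, the unclamped length, while the first copy was clamped to `tmp_len`. It stays in bounds only because the remaining length works out to zero whenever `fname_len` exceeds `MAXPATHLEN`; keeping the clamped prefix length in its own variable makes that explicit: `memcpy(tmp + prefix_len, entry->filename, MIN((size_t)tmp_len - prefix_len, entry->filename_len));`. The sum `entry->filename_len + entry->phar->fname_len` is also computed before `MIN` is applied, so it is worth confirming that it cannot wrap for the field types involved.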
@@ -1574,6 +1574,9 @@ xmlInitParser(); if (mode == DOM_LOAD_FILE) { + if (CHECK_NULL_PATH(source, source_len)) { + return NULL; + } char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); if (file_dest) { ctxt = xmlCreateFileParserCtxt(file_dest); @@ -2162,7 +2165,7 @@ id = getThis(); - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { return; } Index: ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt =================================================================== --- ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt.orig 2015-06-22 13:12:07.223032487 +0200 +++ ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt 2015-06-22 13:17:03.009970533 +0200 @@ -13,6 +13,11 @@ $doc = new DOMDocument(); $result = $doc->loadHTMLFile(""); assert('$result === false'); +$doc = new DOMDocument(); +$result = $doc->loadHTMLFile("text.html\0something"); +assert('$result === null'); ?> --EXPECTF-- %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s + +%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s Index: ext/fileinfo/fileinfo.c =================================================================== --- ext/fileinfo/fileinfo.c.orig 2015-06-22 13:12:07.223032487 +0200 +++ ext/fileinfo/fileinfo.c 2015-06-22 13:17:03.009970533 +0200 
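Review bot: The added `CHECK_NULL_PATH` block in the `DOM_LOAD_FILE` branch of ext/dom/document.c sits in front of the declaration `char *file_dest = ...`, a declaration after a statement that C89 compilers reject; declare `char *file_dest;` first and assign it after the check. The check also returns `NULL` silently, while the fileinfo and hash changes in the same patch emit an `E_WARNING` with the text `Invalid path`; a warning here would make rejected paths visible to the caller and in logs. The enclosing function starts and ends outside this hunk.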
@@ -506,6 +506,11 @@ RETVAL_FALSE; goto clean; } + if (CHECK_NULL_PATH(buffer, buffer_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETVAL_FALSE; + goto clean; + } wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC); Index: ext/fileinfo/tests/finfo_file_basic.phpt =================================================================== --- ext/fileinfo/tests/finfo_file_basic.phpt.orig 2015-06-22 13:12:07.223032487 +0200 +++ ext/fileinfo/tests/finfo_file_basic.phpt 2015-06-22 13:17:03.009970533 +0200 @@ -19,6 +19,7 @@ var_dump( finfo_file( $finfo, __FILE__) ); var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); var_dump( finfo_file( $finfo, $magicFile ) ); +var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); ?> ===DONE=== @@ -27,4 +28,7 @@ string(28) "text/x-php; charset=us-ascii" string(22) "PHP script, ASCII text" string(25) "text/plain; charset=utf-8" + +Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d +bool(false) ===DONE=== Index: ext/gd/gd.c =================================================================== --- ext/gd/gd.c.orig 2015-06-22 13:12:07.225032514 +0200 +++ ext/gd/gd.c 2015-06-22 13:17:03.010970546 +0200 @@ -1495,7 +1495,7 @@ gdFontPtr font; php_stream *stream; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) { return; } @@ -2438,7 +2438,7 @@ long ignore_warning; #endif if (image_type == PHP_GDIMG_TYPE_GD2PART) { - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { return; } if (width < 1 || height < 1) { 
@@ -2446,7 +2446,7 @@ RETURN_FALSE; } } else { - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { return; } } @@ -4178,7 +4178,7 @@ char *enc, **enc_vector; int enc_len, *f_ind; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) { return; } Index: ext/hash/hash.c =================================================================== --- ext/hash/hash.c.orig 2015-06-22 13:12:07.225032514 +0200 +++ ext/hash/hash.c 2015-06-22 13:17:03.011970559 +0200 @@ -142,6 +142,7 @@ } if (isfilename) { if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); RETURN_FALSE; } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); @@ -222,6 +223,10 @@ RETURN_FALSE; } if (isfilename) { + if (CHECK_NULL_PATH(data, data_len)) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); + RETURN_FALSE; + } stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); if (!stream) { /* Stream will report errors opening file */ @@ -449,7 +454,7 @@ char *filename, buf[1024]; int filename_len, n; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { return; } Index: ext/hash/tests/hash_hmac_file_error.phpt =================================================================== --- ext/hash/tests/hash_hmac_file_error.phpt.orig 2015-06-22 13:12:07.225032514 +0200 +++ ext/hash/tests/hash_hmac_file_error.phpt 2015-06-22 13:17:03.011970559 +0200 
@@ -28,6 +28,9 @@ echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n"; hash_hmac_file('foo', $file, $key, TRUE); +echo "\n-- Testing hash_hmac_file() function with bad path --\n"; +hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); + ?> ===Done=== --EXPECTF-- @@ -51,4 +54,8 @@ -- Testing hash_hmac_file() function with invalid hash algorithm -- Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d + +-- Testing hash_hmac_file() function with bad path -- + +Warning: hash_hmac_file(): Invalid path in %s on line %d ===Done=== \ No newline at end of file Index: ext/pgsql/pgsql.c =================================================================== --- ext/pgsql/pgsql.c.orig 2015-06-22 13:17:03.012970572 +0200 +++ ext/pgsql/pgsql.c 2015-06-22 13:17:25.116258641 +0200 @@ -2963,7 +2963,7 @@ php_stream *stream; id = PGG(default_link); - if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { + if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { return; } Index: ext/standard/link.c =================================================================== --- ext/standard/link.c.orig 2013-09-18 07:48:57.000000000 +0200 +++ ext/standard/link.c 2015-06-22 13:17:03.013970585 +0200 @@ -59,7 +59,7 @@ char buff[MAXPATHLEN]; int ret; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) { return; } Index: ext/standard/streamsfuncs.c =================================================================== --- ext/standard/streamsfuncs.c.orig 2015-06-22 13:12:07.227032540 +0200 +++ ext/standard/streamsfuncs.c 2015-06-22 13:17:03.013970585 +0200 
@@ -1545,7 +1545,7 @@ char *filename, *resolved_path; int filename_len; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) { return; } Index: ext/xmlwriter/php_xmlwriter.c =================================================================== --- ext/xmlwriter/php_xmlwriter.c.orig 2015-06-22 13:12:07.227032540 +0200 +++ ext/xmlwriter/php_xmlwriter.c 2015-06-22 13:17:03.014970598 +0200 @@ -1738,7 +1738,7 @@ /* }}} */ #endif -/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source) +/* {{{ proto resource xmlwriter_open_uri(string source) Create new xmlwriter using source uri for output */ static PHP_FUNCTION(xmlwriter_open_uri) { @@ -1759,7 +1759,7 @@ void *ioctx; #endif - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) { return; } Index: ext/zlib/zlib.c =================================================================== --- ext/zlib/zlib.c.orig 2015-06-22 13:12:07.228032554 +0200 +++ ext/zlib/zlib.c 2015-06-22 13:17:03.014970598 +0200 @@ -581,7 +581,7 @@ php_stream *stream; long use_include_path = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { return; } 
@@ -609,7 +609,7 @@ int size; long use_include_path = 0; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) { return; } ++++++ php-CVE-2015-4021.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Ftar.c;h=d6d63e659905b8fd28860f83d953b773ae288b91;hp=ca8eafcc8a6607d58e217273ba4e352fb1b683e3;hb=c27f012b7a447e59d4a704688971cbfa7dddaa74;hpb=ac2832935435556dc593784cd0087b5e576bbe4d Index: ext/phar/tar.c =================================================================== --- ext/phar/tar.c.orig 2015-05-22 10:18:13.999554887 +0200 +++ ext/phar/tar.c 2015-05-22 10:19:31.123560294 +0200 @@ -425,7 +425,7 @@ entry.filename_len = i; entry.filename = pestrndup(hdr->name, i, myphar->is_persistent); - if (entry.filename[entry.filename_len - 1] == '/') { + if (i > 0 && entry.filename[entry.filename_len - 1] == '/') { /* some tar programs store directories with trailing slash */ entry.filename[entry.filename_len - 1] = '\0'; entry.filename_len--; ++++++ php-CVE-2015-4022.patch ++++++ >From ac2832935435556dc593784cd0087b5e576bbe4d Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Wed, 29 Apr 2015 21:57:33 -0700 Subject: [PATCH] Fix bug #69545 - avoid overflow when reading list --- ext/ftp/ftp.c +++ ext/ftp/ftp.c @@ -1615,8 +1615,8 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) databuf_t *data = NULL; char *ptr; int ch, lastch; - int size, rcvd; - int lines; + size_t size, rcvd; + size_t lines; char **ret = NULL; char **entry; char *text; 
@@ -1658,7 +1658,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) lines = 0; lastch = 0; while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) { - if (rcvd == -1) { + if (rcvd == -1 || rcvd > ((size_t)(-1))-size) { goto bail; } ++++++ php-CVE-2015-4024.patch ++++++ -Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=main%2Frfc1867.c;h=9e2fbd52ebc79ee0ea895146c58fd49e9376b9c3;hp=fab199b543aa81534728ed31598aabe76fd463f0;hb=4605d536d23b00813d11cc906bb48d39bdcf5f25;hpb=c27f012b7a447e59d4a704688971cbfa7dddaa74 --- main/rfc1867.c +++ main/rfc1867.c @@ -33,6 +33,7 @@ #include "php_variables.h" #include "rfc1867.h" #include "ext/standard/php_string.h" +#include "ext/standard/php_smart_str.h" #define DEBUG_FILE_UPLOAD ZEND_DEBUG @@ -398,8 +399,9 @@ static int find_boundary(multipart_buffer *self, char *boundary TSRMLS_DC) static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC) { char *line; - mime_header_entry prev_entry = {0}, entry; - int prev_len, cur_len; + mime_header_entry entry = {0}; + smart_str buf_value = {0}; + char *key = NULL; /* didn't find boundary, abort */ if (!find_boundary(self, self->boundary TSRMLS_CC)) { @@ -411,11 +413,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T while( (line = get_line(self TSRMLS_CC)) && strlen(line) > 0 ) { /* add header to table */ - char *key = line; char *value = NULL; if (php_rfc1867_encoding_translation(TSRMLS_C)) { - self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); + self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); } /* space in the beginning means same header */ 
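Review bot: `rcvd` is now `size_t` (changed in the previous hunk of this patch), so `rcvd == -1` holds only through the implicit conversion of `-1` to the largest `size_t` value, and compilers report it as a signed/unsigned comparison. `my_recv()` is not visible here but presumably returns a signed count with -1 on error; writing the test as `rcvd == (size_t)-1`, or reading into a signed temporary before the assignment, states that intent. A short comment such as `/* my_recv() error, or size + rcvd would wrap */` on the combined condition would help the next reader. The loop body of `ftp_genlist` continues outside the hunk.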
@@ -424,31 +425,33 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T } if (value) { - *value = 0; - do { value++; } while(isspace(*value)); - - entry.value = estrdup(value); - entry.key = estrdup(key); - - } else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */ - - prev_len = strlen(prev_entry.value); - cur_len = strlen(line); - - entry.value = emalloc(prev_len + cur_len + 1); - memcpy(entry.value, prev_entry.value, prev_len); - memcpy(entry.value + prev_len, line, cur_len); - entry.value[cur_len + prev_len] = '\0'; + if(buf_value.c && key) { + /* new entry, add the old one to the list */ + smart_str_0(&buf_value); + entry.key = key; + entry.value = buf_value.c; + zend_llist_add_element(header, &entry); + buf_value.c = NULL; + key = NULL; + } - entry.key = estrdup(prev_entry.key); + *value = '\0'; + do { value++; } while(isspace(*value)); - zend_llist_remove_tail(header); + key = estrdup(line); + smart_str_appends(&buf_value, value); + } else if (buf_value.c) { /* If no ':' on the line, add to previous line */ + smart_str_appends(&buf_value, line); } else { continue; } - + } + if(buf_value.c && key) { + /* add the last one to the list */ + smart_str_0(&buf_value); + entry.key = key; + entry.value = buf_value.c; zend_llist_add_element(header, &entry); - prev_entry = entry; } return 1; multipart_event_formdata event_formdata; ++++++ php-CVE-2015-4026.patch ++++++ Index: ext/pcntl/pcntl.c =================================================================== --- ext/pcntl/pcntl.c.orig 2014-10-01 11:17:38.000000000 +0200 +++ ext/pcntl/pcntl.c 2015-05-21 16:18:06.837656155 +0200 @@ -755,7 +755,7 @@ int path_len; ulong key_num; - if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|aa", &path, &path_len, &args, &envs) == FAILURE) { + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|aa", &path, &path_len, &args, &envs) == FAILURE) { return; } ++++++ php-CVE-2015-4148.patch ++++++ 
From: Dmitry Stogov Date: Tue, 3 Mar 2015 06:44:46 +0000 (+0300) Subject: Added type checks X-Git-Tag: php-5.4.39~9 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 Added type checks --- Index: ext/soap/php_encoding.c =================================================================== --- ext/soap/php_encoding.c.orig 2015-06-04 08:49:54.347250040 +0200 +++ ext/soap/php_encoding.c 2015-06-04 08:50:13.552508410 +0200 @@ -3649,18 +3649,21 @@ Z_OBJCE_PP(tmp) == soap_var_class_entry) { zval **ztype; - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || + Z_TYPE_PP(ztype) != IS_LONG) { soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); } cur_type = Z_LVAL_PP(ztype); - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS && + Z_TYPE_PP(ztype) == IS_STRING) { cur_stype = Z_STRVAL_PP(ztype); } else { cur_stype = NULL; } - if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS && + Z_TYPE_PP(ztype) == IS_STRING) { cur_ns = Z_STRVAL_PP(ztype); } else { cur_ns = NULL; Index: ext/soap/php_http.c =================================================================== --- ext/soap/php_http.c.orig 2015-06-04 08:49:54.348250053 +0200 +++ ext/soap/php_http.c 2015-06-04 08:50:13.553508424 +0200 
@@ -36,14 +36,16 @@ { zval **login, **password; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS && + Z_TYPE_PP(login) == IS_STRING) { unsigned char* buf; int len; smart_str auth = {0}; smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); smart_str_appendc(&auth, ':'); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS && + Z_TYPE_PP(password) == IS_STRING) { smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); } smart_str_0(&auth); @@ -64,14 +66,16 @@ zval **login, **password; if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_login", sizeof("_login"), (void **)&login) == SUCCESS && - !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { + Z_TYPE_PP(login) == IS_STRING && + !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { unsigned char* buf; int len; smart_str auth = {0}; smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); smart_str_appendc(&auth, ':'); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS && + Z_TYPE_PP(password) == IS_STRING) { smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); } smart_str_0(&auth); @@ -509,6 +513,7 @@ } if (!http_1_1 || (zend_hash_find(Z_OBJPROP_P(this_ptr), "_keep_alive", sizeof("_keep_alive"), (void **)&tmp) == SUCCESS && + (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && Z_LVAL_PP(tmp) == 0)) { smart_str_append_const(&soap_headers, "\r\n" "Connection: close\r\n"); 
@@ -742,7 +747,8 @@ } /* Send cookies along with request */ - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && + Z_TYPE_PP(cookies) == IS_ARRAY) { zval **data; char *key; int i, n; @@ -785,7 +791,7 @@ smart_str_append_const(&soap_headers, "\r\n"); smart_str_0(&soap_headers); if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_request_headers", soap_headers.c, soap_headers.len, 1); } smart_str_appendl(&soap_headers, request, request_size); @@ -830,7 +836,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_response_headers", http_headers, http_header_size, 1); } @@ -879,7 +885,8 @@ char *eqpos, *sempos; zval **cookies; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || + Z_TYPE_PP(cookies) != IS_ARRAY) { zval *tmp_cookies; MAKE_STD_ZVAL(tmp_cookies); array_init(tmp_cookies); Index: ext/soap/soap.c =================================================================== --- ext/soap/soap.c.orig 2015-06-04 08:49:54.350250080 +0200 +++ ext/soap/soap.c 2015-06-04 08:52:47.719584114 +0200 
@@ -2557,7 +2557,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { + (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); } @@ -2597,7 +2597,7 @@ } ret = FALSE; } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { + (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); } xmlFree(buf); @@ -2636,13 +2636,13 @@ SOAP_CLIENT_BEGIN_CODE(); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS - && Z_LVAL_PP(trace) > 0) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && + (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS - && Z_LVAL_PP(tmp) == SOAP_1_2) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_LONG && Z_LVAL_PP(tmp) == SOAP_1_2) { soap_version = SOAP_1_2; } else { soap_version = SOAP_1_1; 
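Review bot: The new `trace` guards in ext/soap/soap.c test `Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG`, which compares the property's integer value with the type constants instead of checking its type. The hunk at -2557 also removes the `Z_TYPE_PP(trace) == IS_LONG` test that was there before, so no type check remains, and the same expression is repeated in the hunks at -2597 and -2636. The corresponding guards added to ext/soap/php_http.c use `Z_TYPE_PP`, so these three should read `(Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0`. As written, tracing is enabled only when the stored value happens to equal one of those constants, and a non-integer `trace` property is still read through `Z_LVAL_PP`. The enclosing functions start and end outside these hunks.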
@@ -2738,7 +2738,7 @@ zval **uri; smart_str action = {0}; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE || Z_TYPE_PP(uri) != IS_STRING) { add_soap_fault(this_ptr, "Client", "Error finding \"uri\" property", NULL, NULL TSRMLS_CC); } else if (location == NULL) { add_soap_fault(this_ptr, "Client", "Error could not find \"location\" property", NULL, NULL TSRMLS_CC); @@ -3008,7 +3008,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3026,7 +3027,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3044,7 +3046,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); 
@@ -3062,7 +3065,8 @@ return; } - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS && + Z_TYPE_PP(tmp) == IS_STRING) { RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); } RETURN_NULL(); @@ -3118,13 +3122,15 @@ } if (val == NULL) { - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && + Z_TYPE_PP(cookies) == IS_ARRAY) { zend_hash_del(Z_ARRVAL_PP(cookies), name, name_len+1); } } else { zval *zcookie; - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || + Z_TYPE_PP(cookies) != IS_ARRAY) { zval *tmp_cookies; MAKE_STD_ZVAL(tmp_cookies); @@ -4221,7 +4227,8 @@ } } } else { - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS && + Z_TYPE_PP(zstyle) == IS_LONG) { style = Z_LVAL_PP(zstyle); } else { style = SOAP_RPC; @@ -4244,7 +4251,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "use", sizeof("use"), (void **)&zuse) == SUCCESS && - Z_LVAL_PP(zuse) == SOAP_LITERAL) { + Z_TYPE_PP(zuse) == IS_LONG && Z_LVAL_PP(zuse) == SOAP_LITERAL) { use = SOAP_LITERAL; } else { use = SOAP_ENCODED; 
@@ -4374,6 +4381,7 @@ zval **param_data; if (zend_hash_find(Z_OBJPROP_P(param_val), "param_name", sizeof("param_name"), (void **)¶m_name) == SUCCESS && + Z_TYPE_PP(param_name) == IS_STRING && zend_hash_find(Z_OBJPROP_P(param_val), "param_data", sizeof("param_data"), (void **)¶m_data) == SUCCESS) { param_val = *param_data; name = Z_STRVAL_PP(param_name); ++++++ php-CVE-2015-4599,4600,4601.patch ++++++ Fixed bug #69152 http://git.php.net/?p=php-src.git;a=commitdiff;h=0c136a2abd49298b66acb0cad504f0f972f5bfe8 Index: ext/soap/soap.c =================================================================== --- ext/soap/soap.c.orig 2015-06-18 16:35:35.132045252 +0200 +++ ext/soap/soap.c 2015-06-18 16:37:05.693283747 +0200 @@ -940,6 +940,12 @@ zend_call_function(&fci, NULL TSRMLS_CC); + convert_to_string(faultcode); + convert_to_string(faultstring); + convert_to_string(file); + convert_to_long(line); + convert_to_string(trace); + len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s", Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line), Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n"); ++++++ php-CVE-2015-4602.patch ++++++ From: Stanislav Malyshev Date: Mon, 23 Mar 2015 01:17:47 +0000 (-0700) Subject: Check that the type is correct X-Git-Tag: php-5.4.40~14^2~1 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=fb83c76deec58f1fab17c350f04c9f042e5977d1 Check that the type is correct --- --- ext/standard/incomplete_class.c +++ ext/standard/incomplete_class.c 
@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen) object_properties = Z_OBJPROP_P(object); - if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) { + if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) { retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val)); if (nlen) { ++++++ php-CVE-2015-4603.patch ++++++ http://git.php.net/?p=php-src.git;a=commitdiff;h=51856a76f87ecb24fe1385342be43610fb6c86e4 Index: Zend/zend_exceptions.c =================================================================== --- Zend/zend_exceptions.c.orig 2015-06-18 16:37:05.694283761 +0200 +++ Zend/zend_exceptions.c 2015-06-18 16:38:26.414387032 +0200 @@ -591,6 +591,9 @@ str = &res; trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC); + if(Z_TYPE_P(trace) != IS_ARRAY) { + RETURN_FALSE; + } zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num); s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1); ++++++ php-CVE-2015-4643.patch ++++++ http://git.php.net/?p=php-src.git;a=commitdiff;h=0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 --- ext/ftp/ftp.c +++ ext/ftp/ftp.c @@ -1668,8 +1668,6 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) for (ptr = data->buf; rcvd; rcvd--, ptr++) { if (*ptr == '\n' && lastch == '\r') { lines++; - } else { - size++; } lastch = *ptr; } ++++++ php-CVE-2015-4644.patch ++++++ http://git.php.net/?p=php-src.git;a=commitdiff;h=2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64 --- ext/pgsql/pgsql.c +++ ext/pgsql/pgsql.c 
@@ -5120,7 +5120,11 @@ PHP_PGSQL_API int php_pgsql_meta_data(PGconn *pg_link, const char *table_name, z src = estrdup(table_name); tmp_name = php_strtok_r(src, ".", &tmp_name2); - + if (!tmp_name) { + efree(src); + php_error_docref(NULL TSRMLS_CC, E_WARNING, "The table name must be specified"); + return FAILURE; + } if (!tmp_name2 || !*tmp_name2) { /* Default schema */ tmp_name2 = tmp_name; ++++++ php-CVE-2015-5589.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Fphar_object.c;h=1184863de9063b10e54018310ef3791173c717b8;hp=add1fa0d5c7bded8901f5ee5f62b68a8e2435464;hb=bf58162ddf970f63502837f366930e44d6a992cf;hpb=29533ae528af6ddf2ea93228721e75c6b94370fc Index: ext/phar/phar_object.c =================================================================== --- ext/phar/phar_object.c.orig 2015-07-28 10:41:25.077878746 +0200 +++ ext/phar/phar_object.c 2015-07-28 10:41:39.048064003 +0200 @@ -2341,7 +2341,9 @@ zend_hash_destroy(&(phar->manifest)); zend_hash_destroy(&(phar->mounted_dirs)); zend_hash_destroy(&(phar->virtual_dirs)); - php_stream_close(phar->fp); + if (phar->fp) { + php_stream_close(phar->fp); + } efree(phar->fname); efree(phar); return NULL; ++++++ php-CVE-2015-5590.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fphar%2Fphar.c;h=ba734629367f9671b25202408d13914fa63d8396;hp=223bfe84c633117896adf55fb080c62e72480175;hb=6dedeb40db13971af45276f80b5375030aa7e76f;hpb=bf58162ddf970f63502837f366930e44d6a992cf --- ext/phar/phar.c +++ ext/phar/phar.c @@ -2142,7 +2142,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */ */ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */ { - char newpath[MAXPATHLEN]; + char *newpath; int newpath_len; char *ptr; char *tok; 
@@ -2150,8 +2150,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') { newpath_len = PHAR_G(cwd_len); + newpath = emalloc(strlen(path) + newpath_len + 1); memcpy(newpath, PHAR_G(cwd), newpath_len); } else { + newpath = emalloc(strlen(path) + 2); newpath[0] = '/'; newpath_len = 1; } @@ -2174,6 +2176,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (*tok == '.') { efree(path); *new_len = 1; + efree(newpath); return estrndup("/", 1); } break; @@ -2181,9 +2184,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ if (tok[0] == '.' && tok[1] == '.') { efree(path); *new_len = 1; + efree(newpath); return estrndup("/", 1); } } + efree(newpath); return path; } @@ -2232,7 +2237,8 @@ last_time: efree(path); *new_len = newpath_len; - return estrndup(newpath, newpath_len); + newpath[newpath_len] = '\0'; + return erealloc(newpath, newpath_len + 1); } /* }}} */ ++++++ php-CVE-2015-6831.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_array.c;h=86608c0d5296616327c50d93fe280d03b5dbba4a;hp=a37eced00253e005366a7d5087e174572b28e547;hb=7381b6accc5559b2de039af3a22f6ec1003b03b3;hpb=c7d3c027d5ce45c96c8450a7f074ab2dfbcaa0c4 Index: ext/spl/spl_array.c =================================================================== --- ext/spl/spl_array.c.orig 2014-10-01 11:17:38.000000000 +0200 +++ ext/spl/spl_array.c 2015-08-20 09:16:26.594618824 +0200 @@ -1774,6 +1774,7 @@ goto outexcept; } + var_push_dtor(&var_hash, &pflags); --p; /* for ';' */ flags = Z_LVAL_P(pflags); zval_ptr_dtor(&pflags); @@ -1798,6 +1799,7 @@ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { goto outexcept; } + var_push_dtor(&var_hash, &intern->array); } if (*p != ';') { goto outexcept; 
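Review bot: The two `emalloc` sizes that replace the fixed `newpath[MAXPATHLEN]` buffer in `phar_fix_filepath` carry no comment explaining why they are sufficient. The later hunk writes `newpath[newpath_len] = '\0'` and the copy loop (outside the visible hunks) appends path segments, so correctness rests on the loop never adding more than `strlen(path)` bytes after the prefix. A comment at the allocations such as `/* prefix + at most every byte of path + NUL */` would record that invariant. `path_length` is already in scope in the condition above; if it holds `strlen(path)`, which the hunk does not show, using it would avoid measuring the string twice.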
@@ -1816,6 +1818,7 @@ goto outexcept; } + var_push_dtor(&var_hash, &pmembers); /* copy members */ if (!intern->std.properties) { rebuild_object_properties(&intern->std); Index: ext/spl/spl_observer.c =================================================================== --- ext/spl/spl_observer.c.orig 2014-10-01 11:17:38.000000000 +0200 +++ ext/spl/spl_observer.c 2015-08-20 10:15:57.164329814 +0200 @@ -848,6 +848,7 @@ goto outexcept; } + var_push_dtor(&var_hash, &pcount); --p; /* for ';' */ count = Z_LVAL_P(pcount); @@ -919,6 +920,7 @@ goto outexcept; } + var_push_dtor(&var_hash, &pmembers); /* copy members */ if (!intern->std.properties) { rebuild_object_properties(&intern->std); commit e9d961ee18c6dba28a3a7670a3de29dfa349148e Author: Stanislav Malyshev Date: Sat Aug 1 21:51:08 2015 -0700 Fixed bug #70169 (Use After Free Vulnerability in unserialize() with SplDoublyLinkedList) --- ext/spl/spl_dllist.c +++ ext/spl/spl_dllist.c @@ -1209,6 +1209,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) zval_ptr_dtor(&flags); goto error; } + var_push_dtor(&var_hash, &flags); intern->flags = Z_LVAL_P(flags); zval_ptr_dtor(&flags); ++++++ php-CVE-2015-6832.patch ++++++ https://gist.githubusercontent.com/smalyshev/c08cacf74c3bc381452c/raw/180a70d296ebf3c5a0a3fece5e3a0503d6b59af1/70068.diff Index: ext/spl/spl_array.c =================================================================== --- ext/spl/spl_array.c.orig 2015-08-20 15:40:25.190035728 +0200 +++ ext/spl/spl_array.c 2015-08-20 15:41:44.443163795 +0200 
@@ -1770,14 +1770,12 @@ ALLOC_INIT_ZVAL(pflags); if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) { - zval_ptr_dtor(&pflags); goto outexcept; } var_push_dtor(&var_hash, &pflags); --p; /* for ';' */ flags = Z_LVAL_P(pflags); - zval_ptr_dtor(&pflags); /* flags needs to be verified and we also need to verify whether the next * thing we get is ';'. After that we require an 'm' or somethign else * where 'm' stands for members and anything else should be an array. If @@ -1829,10 +1827,16 @@ /* done reading $serialized */ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + if (pflags) { + zval_ptr_dtor(&pflags); + } return; outexcept: PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + if (pflags) { + zval_ptr_dtor(&pflags); + } zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); return; ++++++ php-CVE-2015-6833.patch ++++++ >From dda81f0505217a95db065e6bf9cc2d81eb902417 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 4 Aug 2015 14:00:29 -0700 Subject: [PATCH] Fix bug #70019 - limit extracted files to given directory --- ext/phar/phar_object.c +++ ext/phar/phar_object.c @@ -4200,6 +4200,9 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char * char *fullpath; const char *slash; mode_t mode; + cwd_state new_state; + char *filename; + size_t filename_len; if (entry->is_mounted) { /* silently ignore mounted entries */ 
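Review bot: The `if (pflags) { zval_ptr_dtor(&pflags); }` blocks added at the normal return and under `outexcept:` (hunk at -1829) are only safe if `pflags` is initialised to NULL where it is declared, and that declaration is not part of this patch. If any `goto outexcept` can run before `ALLOC_INIT_ZVAL(pflags)`, an uninitialised pointer would be passed to `zval_ptr_dtor`. Confirm the declaration reads `*pflags = NULL`, or add that change to this patch. The function's beginning is outside both hunks.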
@@ -4209,8 +4212,39 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char * if (entry->filename_len >= sizeof(".phar")-1 && !memcmp(entry->filename, ".phar", sizeof(".phar")-1)) { return SUCCESS; } + /* strip .. from path and restrict it to be under dest directory */ + new_state.cwd = (char*)malloc(2); + new_state.cwd[0] = DEFAULT_SLASH; + new_state.cwd[1] = '\0'; + new_state.cwd_length = 1; + if (virtual_file_ex(&new_state, entry->filename, NULL, CWD_EXPAND TSRMLS_CC) != 0 || + new_state.cwd_length <= 1) { + if (EINVAL == errno && entry->filename_len > 50) { + char *tmp = estrndup(entry->filename, 50); + spprintf(error, 4096, "Cannot extract \"%s...\" to \"%s...\", extracted filename is too long for filesystem", tmp, dest); + efree(tmp); + } else { + spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename); + } + free(new_state.cwd); + return FAILURE; + } + filename = new_state.cwd + 1; + filename_len = new_state.cwd_length - 1; +#ifdef PHP_WIN32 + /* unixify the path back, otherwise non zip formats might be broken */ + { + int cnt = filename_len; + + do { + if ('\\' == filename[cnt]) { + filename[cnt] = '/'; + } + } while (cnt-- >= 0); + } +#endif - len = spprintf(&fullpath, 0, "%s/%s", dest, entry->filename); + len = spprintf(&fullpath, 0, "%s/%s", dest, filename); if (len >= MAXPATHLEN) { char *tmp; 
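Review bot: The result of `malloc(2)` is written through on the very next line without a NULL check, so an allocation failure dereferences NULL before `virtual_file_ex` is reached. A guard such as `if (!new_state.cwd) { spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename); return FAILURE; }` would match the function's other failure paths. In the PHP_WIN32 block, `do { ... } while (cnt-- >= 0);` runs the body one extra time with `cnt == -1` and so touches `filename[-1]`; that byte is `new_state.cwd[0]` and therefore still inside the allocation, but `for (cnt = 0; cnt < filename_len; cnt++)` with a `size_t` counter states the intent without relying on that and avoids narrowing `filename_len` to `int`. `phar_extract_file` starts and ends outside this hunk.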
@@ -4224,18 +4258,21 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char * spprintf(error, 4096, "Cannot extract \"%s\" to \"%s...\", extracted filename is too long for filesystem", entry->filename, fullpath); } efree(fullpath); + free(new_state.cwd); return FAILURE; } if (!len) { spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename); efree(fullpath); + free(new_state.cwd); return FAILURE; } if (PHAR_OPENBASEDIR_CHECKPATH(fullpath)) { spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", openbasedir/safe mode restrictions in effect", entry->filename, fullpath); efree(fullpath); + free(new_state.cwd); return FAILURE; } @@ -4243,14 +4280,15 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char * if (!overwrite && SUCCESS == php_stream_stat_path(fullpath, &ssb)) { spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", path already exists", entry->filename, fullpath); efree(fullpath); + free(new_state.cwd); return FAILURE; } /* perform dirname */ - slash = zend_memrchr(entry->filename, '/', entry->filename_len); + slash = zend_memrchr(filename, '/', filename_len); if (slash) { - fullpath[dest_len + (slash - entry->filename) + 1] = '\0'; + fullpath[dest_len + (slash - filename) + 1] = '\0'; } else { fullpath[dest_len] = '\0'; } 
@@ -4260,23 +4298,27 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char * if (!php_stream_mkdir(fullpath, entry->flags & PHAR_ENT_PERM_MASK, PHP_STREAM_MKDIR_RECURSIVE, NULL)) { spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath); efree(fullpath); + free(new_state.cwd); return FAILURE; } } else { if (!php_stream_mkdir(fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL)) { spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath); efree(fullpath); + free(new_state.cwd); return FAILURE; } } } if (slash) { - fullpath[dest_len + (slash - entry->filename) + 1] = '/'; + fullpath[dest_len + (slash - filename) + 1] = '/'; } else { fullpath[dest_len] = '/'; } + filename = NULL; + free(new_state.cwd); /* it is a standalone directory, job done */ if (entry->is_dir) { efree(fullpath); ++++++ php-CVE-2015-6834.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fstandard%2Fvar.c;h=33b976f42dff8dc388b92124a1b0c236a23fc259;hp=7603ff2ee093d986e16f3c421ba2ba7a8fd6fb83;hb=e8429400d40e3c3aa4b22ba701991d698a2f3b2f;hpb=e201f01ac17243a1e5fb6a3911ed8e21b1619ac1 Index: ext/standard/var.c =================================================================== --- ext/standard/var.c.orig 2014-10-01 11:17:38.000000000 +0200 +++ ext/standard/var.c 2015-09-14 16:19:34.307893363 +0200 @@ -951,6 +951,8 @@ int buf_len; const unsigned char *p; php_unserialize_data_t var_hash; + int oldlevel; + zval *old_rval = return_value; if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { RETURN_FALSE; 
@@ -970,6 +972,19 @@ } RETURN_FALSE; } + if (return_value != old_rval) { + /* + * Terrible hack due to the fact that executor passes us zval *, + * but unserialize with r/R wants to replace it with another zval * + */ + zval_dtor(old_rval); + *old_rval = *return_value; + zval_copy_ctor(old_rval); + var_push_dtor_no_addref(&var_hash, &return_value); + var_push_dtor_no_addref(&var_hash, &old_rval); + } else { + var_push_dtor(&var_hash, &return_value); + } PHP_VAR_UNSERIALIZE_DESTROY(var_hash); } /* }}} */ Index: ext/standard/var_unserializer.re =================================================================== --- ext/standard/var_unserializer.re.orig 2015-09-14 16:19:34.179891643 +0200 +++ ext/standard/var_unserializer.re 2015-09-14 16:19:34.307893363 +0200 @@ -496,7 +496,7 @@ } if (*rval != NULL) { - zval_ptr_dtor(rval); + var_push_dtor_no_addref(var_hash, rval); } *rval = *rval_ref; Z_ADDREF_PP(rval); @@ -655,6 +655,7 @@ long elements = parse_iv(start + 2); /* use iv() not uiv() in order to check data range */ *p = YYCURSOR; + if (!var_hash) return 0; if (elements < 0) { return 0; @@ -672,6 +673,7 @@ } "o:" iv ":" ["] { + if (!var_hash) return 0; INIT_PZVAL(*rval); @@ -694,6 +696,7 @@ zval **args[1]; zval *arg_func_name; + if (!var_hash) return 0; if (*start == 'C') { custom_object = 1; } X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_observer.c;h=6a2e3211e501a556b493b008b685294a847ed06e;hp=5d94a3b7b36b8edd94c2cbc9bc4fd671fa9243a2;hb=f06a069c462d37c2e009f6d1d93b8c8e7b713393;hpb=e8429400d40e3c3aa4b22ba701991d698a2f3b2f --- ext/spl/spl_observer.c +++ ext/spl/spl_observer.c @@ -853,6 +853,7 @@ SPL_METHOD(SplObjectStorage, unserialize) zval_ptr_dtor(&pentry); goto outexcept; } + var_push_dtor(&var_hash, &pentry); if(Z_TYPE_P(pentry) != IS_OBJECT) { zval_ptr_dtor(&pentry); goto outexcept; 
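Review bot: The `return_value != old_rval` branch in ext/standard/var.c needs a comment stating the reference-count invariant it relies on. `*old_rval = *return_value;` is a whole-struct copy, so the executor's return slot appears to inherit the other zval's refcount and is_ref fields, and it is then registered through `var_push_dtor_no_addref`, which by its name takes no reference of its own. Whether `PHP_VAR_UNSERIALIZE_DESTROY` leaves that slot with a balanced count depends on values not visible in this hunk, so I would extend the existing "Terrible hack" comment to say which count `old_rval` is expected to hold and why releasing it once is correct. Separately, `int oldlevel;` added in the `@@ -951,6 +951,8 @@` hunk is not used by any visible hunk and may be dead.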
@@ -864,6 +865,7 @@ SPL_METHOD(SplObjectStorage, unserialize) zval_ptr_dtor(&pinf); goto outexcept; } + var_push_dtor(&var_hash, &pinf); } hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC); X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fspl%2Fspl_dllist.c;h=ebe61c3f7a7fcc90568b91d115ae5b5a0783629d;hp=011d7a6e3c43634139fa59094b64f13646a8f00e;hb=259057b2a484747a6c73ce54c4fa0f5acbd56179;hpb=f06a069c462d37c2e009f6d1d93b8c8e7b713393 --- ext/spl/spl_dllist.c +++ ext/spl/spl_dllist.c @@ -1221,6 +1221,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) zval_ptr_dtor(&elem); goto error; } + var_push_dtor(&var_hash, &elem); spl_ptr_llist_push(intern->llist, elem TSRMLS_CC); } ++++++ php-CVE-2015-6835.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fsession%2Fsession.c;h=0e53c621338a34604b93444a315c731ae1d17252;hp=306aba3a7de037e3a5d092f81e8a5d7a39294348;hb=df4bf28f9f104ca3ef78ed94b497859f15b004e5;hpb=1744be2d17befc69bf00033993f4081852a747d6 --- ext/session/session.c +++ ext/session/session.c @@ -210,16 +210,18 @@ static char *php_session_encode(int *newlen TSRMLS_DC) /* {{{ */ } /* }}} */ -static void php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ +static int php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ { if (!PS(serializer)) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object"); - return; + return FAILURE; } if (PS(serializer)->decode(val, vallen TSRMLS_CC) == FAILURE) { php_session_destroy(TSRMLS_C); php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode session object. Session has been destroyed"); + return FAILURE; } + return SUCCESS; } /* }}} */ 
@@ -855,8 +857,11 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ ALLOC_INIT_ZVAL(current); if (php_var_unserialize(¤t, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + } else { + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; } - zval_ptr_dtor(¤t); + var_push_dtor_no_addref(&var_hash, ¤t); } PS_ADD_VARL(name, namelen); efree(name); @@ -947,8 +952,13 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ ALLOC_INIT_ZVAL(current); if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); + } else { + var_push_dtor_no_addref(&var_hash, ¤t); + efree(name); + PHP_VAR_UNSERIALIZE_DESTROY(var_hash); + return FAILURE; } - zval_ptr_dtor(¤t); + var_push_dtor_no_addref(&var_hash, ¤t); } PS_ADD_VARL(name, namelen); skip: @@ -1922,9 +1932,7 @@ static PHP_FUNCTION(session_decode) return; } - php_session_decode(str, str_len TSRMLS_CC); - - RETURN_TRUE; + RETVAL_BOOL(php_session_decode(str, str_len TSRMLS_CC) == SUCCESS); } /* }}} */ --- ext/standard/var_unserializer.re +++ ext/standard/var_unserializer.re @@ -90,7 +90,13 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) { - var_entries *var_hash = (*var_hashx)->last_dtor; + var_entries *var_hash; + + if (!var_hashx || !*var_hashx) { + return; + } + + var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); #endif 
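Review bot: The new `else` branch in `PS_SERIALIZER_DECODE_FUNC(php_binary)` returns `FAILURE` without releasing `name` or `current`, while the matching branch added to `PS_SERIALIZER_DECODE_FUNC(php)` in the next hunk does both. The context lines show `efree(name);` on the normal path, so `name` is heap-allocated and would be leaked on each failed decode here, and the zval from `ALLOC_INIT_ZVAL(current)` is left untracked. Adding `var_push_dtor_no_addref(&var_hash, &current);` and `efree(name);` before `PHP_VAR_UNSERIALIZE_DESTROY(var_hash);` would make the two decoders agree. Both function bodies extend outside the hunks.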
@@ -308,24 +314,20 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long ALLOC_INIT_ZVAL(key); if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) { - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); return 0; } if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) { - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); return 0; } ALLOC_INIT_ZVAL(data); if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { - zval_dtor(key); - FREE_ZVAL(key); - zval_dtor(data); - FREE_ZVAL(data); + var_push_dtor_no_addref(var_hash, &key); + var_push_dtor_no_addref(var_hash, &data); return 0; } @@ -354,9 +356,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long sizeof data, NULL); } var_push_dtor(var_hash, &data); - - zval_dtor(key); - FREE_ZVAL(key); + var_push_dtor_no_addref(var_hash, &key); if (elements && *(*p-1) != ';' && *(*p-1) != '}') { (*p)--; ++++++ php-CVE-2015-6836.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fsoap%2Fsoap.c;h=a0e64a39001e9bba76ff7ee945ae51d38ef9d4e5;hp=1b8f545b85518504fe40848a8a90b74a8cefaadf;hb=e201f01ac17243a1e5fb6a3911ed8e21b1619ac1;hpb=f9c2bf73adb2ede0a486b0db466c264f2b27e0bb Index: ext/soap/soap.c =================================================================== --- ext/soap/soap.c.orig 2015-09-15 12:10:31.205575121 +0200 +++ ext/soap/soap.c 2015-09-15 12:10:48.787810174 +0200 @@ -2930,8 +2930,10 @@ } zend_hash_internal_pointer_reset(default_headers); while (zend_hash_get_current_data(default_headers, (void**)&tmp) == SUCCESS) { - Z_ADDREF_PP(tmp); - zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); + if(Z_TYPE_PP(tmp) == IS_OBJECT) { + Z_ADDREF_PP(tmp); + zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); + } zend_hash_move_forward(default_headers); } } else { 
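Review bot: After this change the lifetime of `key` in `process_nested_data` depends entirely on `var_hash` being non-NULL, and nothing in the function records that assumption. `var_push_dtor_no_addref` now returns silently when its first argument is NULL (hunk `@@ -90,7 +90,13 @@` of this patch), so in that case the zval that `zval_dtor(key); FREE_ZVAL(key);` used to release would be neither freed nor tracked. The `if (!var_hash) return 0;` guards added by php-CVE-2015-6834.patch presumably make that case unreachable; a comment such as `/* var_hash is non-NULL here: callers reject NULL before parsing nested data */` would record it. The function body starts and ends outside both hunks.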
@@ -4353,11 +4355,18 @@ if (head) { zval** header; - zend_hash_internal_pointer_reset(soap_headers); - while (zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS) { - HashTable *ht = Z_OBJPROP_PP(header); + for(zend_hash_internal_pointer_reset(soap_headers); + zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS; + zend_hash_move_forward(soap_headers) + ) { + HashTable *ht; zval **name, **ns, **tmp; + if (Z_TYPE_PP(header) != IS_OBJECT) { + continue; + } + + ht = Z_OBJPROP_PP(header); if (zend_hash_find(ht, "name", sizeof("name"), (void**)&name) == SUCCESS && Z_TYPE_PP(name) == IS_STRING && zend_hash_find(ht, "namespace", sizeof("namespace"), (void**)&ns) == SUCCESS && @@ -4396,7 +4405,6 @@ xmlSetNs(h, nsptr); set_soap_header_attributes(h, ht, version); } - zend_hash_move_forward(soap_headers); } } ++++++ php-CVE-2015-6837,6838.patch ++++++ X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=blobdiff_plain;f=ext%2Fxsl%2Fxsltprocessor.c;h=d21a8ebcb70c08e8a69f0395b42ee850112e846a;hp=67c90f501f1b9a89d72756537d76e3266ddb8a21;hb=1744be2d17befc69bf00033993f4081852a747d6;hpb=b221df5549533fe04c151cca85be43eb624a643d Index: ext/xsl/xsltprocessor.c =================================================================== --- ext/xsl/xsltprocessor.c.orig 2015-09-15 14:35:26.704389342 +0200 +++ ext/xsl/xsltprocessor.c 2015-09-15 14:36:04.238895016 +0200 @@ -219,15 +219,17 @@ } } } - + if (error == 1) { for (i = nargs - 1; i >= 0; i--) { obj = valuePop(ctxt); - xmlXPathFreeObject(obj); + if (obj) { + xmlXPathFreeObject(obj); + } } return; } - + fci.param_count = nargs - 1; if (fci.param_count > 0) { fci.params = safe_emalloc(fci.param_count, sizeof(zval**), 0); 
@@ -297,14 +299,16 @@ xmlXPathFreeObject(obj); fci.params[i] = &args[i]; } - + fci.size = sizeof(fci); fci.function_table = EG(function_table); - + obj = valuePop(ctxt); - if (obj->stringval == NULL) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string"); - xmlXPathFreeObject(obj); + if (obj == NULL || obj->stringval == NULL) { + if (obj) { + php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string"); + xmlXPathFreeObject(obj); + } valuePush(ctxt, xmlXPathNewString("")); if (fci.param_count > 0) { for (i = 0; i < nargs - 1; i++) { ++++++ php-fpm.init ++++++ #!/bin/sh # # Template SUSE system startup script for example service/daemon php-fpm # Copyright (C) 1995--2005 Kurt Garloff, SUSE / Novell Inc. # # This library is free software; you can redistribute it and/or modify it # under the terms of the GNU Lesser General Public License as published by # the Free Software Foundation; either version 2.1 of the License, or (at # your option) any later version. # # This library is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU # Lesser General Public License for more details. # # You should have received a copy of the GNU Lesser General Public # License along with this library; if not, write to the Free Software # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, # USA. # # /etc/init.d/php-fpm # and its symbolic link # /(usr/)sbin/rcphp-fpm # # Template system startup script for some example service/daemon php-fpm # # LSB compatible service control script; see http://www.linuxbase.org/spec/ # # Note: This template uses functions rc_XXX defined in /etc/rc.status on # UnitedLinux/SUSE/Novell based Linux distributions. 
If you want to base your # script on this template and ensure that it works on non UL based LSB # compliant Linux distributions, you either have to provide the rc.status # functions from UL or change the script to work without them. # See skeleton.compat for a template that works with other distros as well. # ### BEGIN INIT INFO # Provides: php-fpm # Required-Start: $remote_fs $network # Should-Start: nginx lighttpd httpd # Required-Stop: $network $remote_fs # Should-Stop: nginx lighttpd httpd # Default-Start: 3 5 # Default-Stop: 0 1 2 6 # Short-Description: php-fpm daemon # Description: Start php-fpm to # continued on second line by '# ' # should contain enough info for the runlevel editor # to give admin some idea what this service does and # what it's needed for ... # (The Short-Description should already be a good hint.) ### END INIT INFO # # Any extensions to the keywords given above should be preceeded by # X-VendorTag- (X-UnitedLinux- X-SuSE- for us) according to LSB. # # Notes on Required-Start/Should-Start: # * There are two different issues that are solved by Required-Start # and Should-Start # (a) Hard dependencies: This is used by the runlevel editor to determine # which services absolutely need to be started to make the start of # this service make sense. Example: nfsserver should have # Required-Start: $portmap # Also, required services are started before the dependent ones. # The runlevel editor will warn about such missing hard dependencies # and suggest enabling. During system startup, you may expect an error, # if the dependency is not fulfilled. # (b) Specifying the init script ordering, not real (hard) dependencies. # This is needed by insserv to determine which service should be # started first (and at a later stage what services can be started # in parallel). The tag Should-Start: is used for this. # It tells, that if a service is available, it should be started # before. If not, never mind. 
# * When specifying hard dependencies or ordering requirements, you can # use names of services (contents of their Provides: section) # or pseudo names starting with a $. The following ones are available # according to LSB (1.1): # $local_fs all local file systems are mounted # (most services should need this!) # $remote_fs all remote file systems are mounted # (note that /usr may be remote, so # many services should Require this!) # $syslog system logging facility up # $network low level networking (eth card, ...) # $named hostname resolution available # $netdaemons all network daemons are running # The $netdaemons pseudo service has been removed in LSB 1.2. # For now, we still offer it for backward compatibility. # These are new (LSB 1.2): # $time the system time has been set correctly # $portmap SunRPC portmapping service available # UnitedLinux extensions: # $ALL indicates that a script should be inserted # at the end # * The services specified in the stop tags # (Required-Stop/Should-Stop) # specify which services need to be still running when this service # is shut down. Often the entries there are just copies or a subset # from the respective start tag. # * Should-Start/Stop are now part of LSB as of 2.0, # formerly SUSE/Unitedlinux used X-UnitedLinux-Should-Start/-Stop. # insserv does support both variants. # * X-UnitedLinux-Default-Enabled: yes/no is used at installation time # (%fillup_and_insserv macro in %post of many RPMs) to specify whether # a startup script should default to be enabled after installation. # It's not used by insserv. # # Note on runlevels: # 0 - halt/poweroff 6 - reboot # 1 - single user 2 - multiuser without network exported # 3 - multiuser w/ network (text mode) 5 - multiuser w/ network and X11 (xdm) # # Note on script names: # http://www.linuxbase.org/spec/refspecs/LSB_1.3.0/gLSB/gLSB/scrptnames.html # A registry has been set up to manage the init script namespace. 
# http://www.lanana.org/ # Please use the names already registered or register one or use a # vendor prefix. # Check for missing binaries (stale symlinks should not happen) # Note: Special treatment of stop for LSB conformance PHPFPM_BIN=/usr/sbin/php-fpm test -x $PHPFPM_BIN || { echo "$PHPFPM_BIN not installed"; if [ "$1" = "stop" ]; then exit 0; else exit 5; fi; } FPM_CONFIG="--fpm-config /etc/php5/fpm/php-fpm.conf" # Source LSB init functions # providing start_daemon, killproc, pidofproc, # log_success_msg, log_failure_msg and log_warning_msg. # This is currently not used by UnitedLinux based distributions and # not needed for init scripts for UnitedLinux only. If it is used, # the functions from rc.status should not be sourced or used. #. /lib/lsb/init-functions # Shell functions sourced from /etc/rc.status: # rc_check check and set local and overall rc status # rc_status check and set local and overall rc status # rc_status -v be verbose in local rc status and clear it afterwards # rc_status -v -r ditto and clear both the local and overall rc status # rc_status -s display "skipped" and exit with status 3 # rc_status -u display "unused" and exit with status 3 # rc_failed set local and overall rc status to failed # rc_failed set local and overall rc status to # rc_reset clear both the local and overall rc status # rc_exit exit appropriate to overall rc status # rc_active checks whether a service is activated by symlinks . /etc/rc.status # Reset status of this service rc_reset # Return values acc. to LSB for all commands but status: # 0 - success # 1 - generic or unspecified error # 2 - invalid or excess argument(s) # 3 - unimplemented feature (e.g. 
"reload") # 4 - user had insufficient privileges # 5 - program is not installed # 6 - program is not configured # 7 - program is not running # 8--199 - reserved (8--99 LSB, 100--149 distrib, 150--199 appl) # # Note that starting an already running service, stopping # or restarting a not-running service as well as the restart # with force-reload (in case signaling is not supported) are # considered a success. case "$1" in start) echo -n "Starting php-fpm" ## Start daemon with startproc(8). If this fails ## the return value is set appropriately by startproc. /sbin/startproc $PHPFPM_BIN $FPM_CONFIG # Remember status and be verbose rc_status -v ;; stop) echo -n "Shutting down php-fpm " ## Stop daemon with killproc(8) and if this fails ## killproc sets the return value according to LSB. /sbin/killproc -QUIT $PHPFPM_BIN # Remember status and be verbose rc_status -v ;; try-restart|condrestart) ## Do a restart only if the service was active before. ## Note: try-restart is now part of LSB (as of 1.9). ## RH has a similar command named condrestart. if test "$1" = "condrestart"; then echo "${attn} Use try-restart ${done}(LSB)${attn} rather than condrestart ${warn}(RH)${norm}" fi $0 status if test $? = 0; then $0 restart else rc_reset # Not running is not a failure. fi # Remember status and be quiet rc_status ;; restart) ## Stop the service and regardless of whether it was ## running or not, start it again. $0 stop $0 start # Remember status and be quiet rc_status ;; force-reload) ## Signal the daemon to reload its config. Most daemons ## do this on signal 1 (SIGHUP). ## If it does not support it, restart the service if it ## is running. echo -n "Reload service php-fpm" ## if it supports it: /sbin/killproc -USR2 $PHPFPM_BIN rc_status -v ## Otherwise: #$0 try-restart #rc_status ;; reload) ## Like force-reload, but if daemon does not support ## signaling, do nothing (!) 
# If it supports signaling: echo -n "Reload service php-fpm " /sbin/killproc -USR2 $PHPFPM_BIN rc_status -v ## Otherwise if it does not support reload: #rc_failed 3 #rc_status -v ;; status) echo -n "Checking for service php-fpm " ## Check status with checkproc(8), if process is running ## checkproc will return with exit status 0. # Return value is slightly different for the status command: # 0 - service up and running # 1 - service dead, but /var/run/ pid file exists # 2 - service dead, but /var/lock/ lock file exists # 3 - service not running (unused) # 4 - service status unknown :-( # 5--199 reserved (5--99 LSB, 100--149 distro, 150--199 appl.) # NOTE: checkproc returns LSB compliant status values. /sbin/checkproc $PHPFPM_BIN # NOTE: rc_status knows that we called this init script with # "status" option and adapts its messages accordingly. rc_status -v ;; *) echo "Usage: $0 {start|stop|status|try-restart|restart|force-reload|reload}" exit 1 ;; esac rc_exit ++++++ php-unserialize-null-ptr-deref.patch ++++++ http://git.php.net/?p=php-src.git;a=commitdiff;h=13f1c276ab72cf1a8a400fd013b9289d0018a340 Index: ext/standard/var_unserializer.re =================================================================== --- ext/standard/var_unserializer.re.orig 2014-12-30 09:31:06.509843894 +0100 +++ ext/standard/var_unserializer.re 2014-12-30 09:32:36.810979870 +0100 @@ -58,7 +58,13 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) { - var_entries *var_hash = (*var_hashx)->last_dtor; + var_entries *var_hash; + + if (!var_hashx || !*var_hashx) { + return; + } + + var_hash = (*var_hashx)->last_dtor; #if VAR_ENTRIES_DBG fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); #endif ++++++ php-unserialize-soap-type-confusion.patch ++++++ 
From: Xinchen Hui Date: Fri, 27 Feb 2015 15:32:32 +0000 (+0800) Subject: Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). X-Git-Tag: php-5.5.23RC1~15 X-Git-Url: http://72.52.91.13:8000/?p=php-src.git;a=commitdiff_plain;h=997b7e56302710bb3db00b56d0629ac75d73a207 Fixed bug #69085 (SoapClient's __call() type confusion through unserialize()). --- Index: ext/soap/soap.c =================================================================== --- ext/soap/soap.c.orig 2015-03-31 15:01:28.820492972 +0200 +++ ext/soap/soap.c 2015-03-31 15:01:29.081496396 +0200 @@ -2557,7 +2557,7 @@ } if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); } @@ -2597,7 +2597,7 @@ } ret = FALSE; } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && - Z_LVAL_PP(trace) > 0) { + Z_TYPE_PP(trace) == IS_LONG && Z_LVAL_PP(trace) > 0) { add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); } xmlFree(buf); @@ -2887,7 +2887,7 @@ } /* Add default headers */ - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) { + if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_ARRAY) { HashTable *default_headers = Z_ARRVAL_P(*tmp); if (soap_headers) { if (!free_soap_headers) { ++++++ php5-64-bit-post-large-files.patch ++++++ https://bugs.php.net/bug.php?id=44522 Index: php-5.4.13/main/rfc1867.c =================================================================== --- php-5.4.13.orig/main/rfc1867.c +++ php-5.4.13/main/rfc1867.c 
@@ -676,7 +676,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_ { char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL; char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL; - int boundary_len = 0, total_bytes = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; + long total_bytes = 0; int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0; int max_file_size = 0, skip_upload = 0, anonindex = 0, is_anonymous; zval *http_post_files = NULL; HashTable *uploaded_files = NULL; Index: php-5.4.13/main/SAPI.h =================================================================== --- php-5.4.13.orig/main/SAPI.h +++ php-5.4.13/main/SAPI.h @@ -82,7 +82,7 @@ typedef struct { char *post_data, *raw_post_data; char *cookie_data; long content_length; - uint post_data_length, raw_post_data_length; + uint IGNORE_post_data_length, IGNORE_raw_post_data_length; char *path_translated; char *request_uri; @@ -112,6 +112,7 @@ typedef struct { int argc; char **argv; int proto_num; + long post_data_length, raw_post_data_length; } sapi_request_info; @@ -119,7 +120,7 @@ typedef struct _sapi_globals_struct { void *server_context; sapi_request_info request_info; sapi_headers_struct sapi_headers; - int read_post_bytes; + long read_post_bytes; unsigned char headers_sent; struct stat global_stat; char *default_mimetype; Index: php-5.4.13/sapi/cgi/cgi_main.c =================================================================== --- php-5.4.13.orig/sapi/cgi/cgi_main.c +++ php-5.4.13/sapi/cgi/cgi_main.c 
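Review bot: In main/SAPI.h the renamed `IGNORE_post_data_length` and `IGNORE_raw_post_data_length` placeholders have no comment, and on their own they do not keep the layout stable. `sapi_request_info` grows by the two `long` members appended after `proto_num`, and the `@@ -119,7 +120,7 @@` hunk shows it embedded by value in `sapi_globals_struct`, so the members after `request_info` move; widening `read_post_bytes` to `long` may shift the ones after it as well. I would add `/* unused placeholders: the live lengths are the long fields at the end of the struct */` above the renamed fields and confirm that every module using `SG()` is rebuilt against the patched header.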
@@ -508,7 +508,7 @@ static int sapi_cgi_read_post(char *buff uint read_bytes = 0; int tmp_read_bytes; - count_bytes = MIN(count_bytes, (uint) SG(request_info).content_length - SG(read_post_bytes)); + count_bytes = MIN(count_bytes, SG(request_info).content_length - SG(read_post_bytes)); while (read_bytes < count_bytes) { tmp_read_bytes = read(STDIN_FILENO, buffer + read_bytes, count_bytes - read_bytes); if (tmp_read_bytes <= 0) { Index: php-5.4.13/ext/suhosin/rfc1867.c =================================================================== --- php-5.4.13.orig/ext/suhosin/rfc1867.c +++ php-5.4.13/ext/suhosin/rfc1867.c @@ -779,7 +779,7 @@ SAPI_POST_HANDLER_FUNC(suhosin_rfc1867_p { char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL; char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL; - int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0; + long boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0; int max_file_size=0, skip_upload=0, anonindex=0, is_anonymous; zval *http_post_files=NULL; HashTable *uploaded_files=NULL; #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING) ++++++ php5-BNC-457056.patch ++++++ Index: ext/xml/compat.c =================================================================== --- ext/xml/compat.c.orig 2009-01-12 15:30:21.000000000 +0100 +++ ext/xml/compat.c 2009-03-14 18:32:40.000000000 +0100 
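Review bot: Dropping the `(uint)` cast in `sapi_cgi_read_post` makes the `MIN` comparison signed wherever `long` is wider than `uint`, and the result is then stored back into `count_bytes`, which the removed cast and the `uint read_bytes` next to it suggest is unsigned. If `content_length - read_post_bytes` is ever negative, `MIN` selects it and the assignment wraps to a value larger than the caller's original `count_bytes`, which is what bounds the `read()` into `buffer`. I would compute `long remaining = SG(request_info).content_length - SG(read_post_bytes);`, return 0 when `remaining <= 0`, and only then apply `if ((long)count_bytes > remaining) count_bytes = (uint)remaining;`. Whether a negative remainder is reachable depends on how `content_length` is validated outside this hunk.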
@@ -482,9 +482,7 @@ XML_ParserCreate_MM(const XML_Char *enco parser->parser->charset = XML_CHAR_ENCODING_NONE; #endif -#if LIBXML_VERSION >= 20703 xmlCtxtUseOptions(parser->parser, XML_PARSE_OLDSAX); -#endif parser->parser->replaceEntities = 1; parser->parser->wellFormed = 0; ++++++ php5-CVE-2015-0273.patch ++++++ https://bugs.php.net/patch-display.php?bug=68942&patch=patch-5.4&revision=1422773336 commit a812c1f5bf3edc986d9ed0a3810cd7bb9eca1330 Author: Stanislav Malyshev Date: Sat Jan 31 22:40:08 2015 -0800 Fix bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone) Conflicts: ext/date/php_date.c diff --git ext/date/php_date.c ext/date/php_date.c index 92e9480..08bfd08 100644 --- ext/date/php_date.c +++ ext/date/php_date.c @@ -2575,12 +2575,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht timelib_tzinfo *tzi; php_timezone_obj *tzobj; - if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { - convert_to_string(*z_date); - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { - convert_to_long(*z_timezone_type); - if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { - convert_to_string(*z_timezone); + if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { + if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { + if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { switch (Z_LVAL_PP(z_timezone_type)) { case TIMELIB_ZONETYPE_OFFSET: 
@@ -2595,7 +2592,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht case TIMELIB_ZONETYPE_ID: { int ret; - convert_to_string(*z_timezone); tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); ++++++ php5-apache24-updates.patch ++++++ commit 918a01f55b5e0a82c1a2e886143a56eddffe6649 Author: Cristian Rodríguez Date: Wed Aug 8 19:30:04 2012 +0200 sapi/apache2*: Use ap_state_query where possible instead of old method of creating a pool userdata entry. diff --git a/sapi/apache2filter/sapi_apache2.c b/sapi/apache2filter/sapi_apache2.c index a8fec5c..21f2fa3 100644 --- a/sapi/apache2filter/sapi_apache2.c +++ b/sapi/apache2filter/sapi_apache2.c @@ -606,11 +606,17 @@ static int php_apache_server_startup(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) { + +#if AP_MODULE_MAGIC_AT_LEAST(20110203,1) + /* Apache will load, unload and then reload a DSO module. This + * prevents us from starting PHP until the second load. */ + if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) { + return OK; + } +#else void *data = NULL; const char *userdata_key = "apache2filter_post_config"; - /* Apache will load, unload and then reload a DSO module. This - * prevents us from starting PHP until the second load. */ apr_pool_userdata_get(&data, userdata_key, s->process->pool); if (data == NULL) { /* We must use set() here and *not* setn(), otherwise the @@ -622,6 +628,7 @@ php_apache_server_startup(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_cleanup_null, s->process->pool); return OK; } +#endif /* Set up our overridden path. */ if (apache2_php_ini_path_override) { diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c index 900a3a4..a578740 100644 --- a/sapi/apache2handler/sapi_apache2.c +++ b/sapi/apache2handler/sapi_apache2.c 
@@ -430,12 +430,19 @@ static int php_pre_config(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp static int php_apache_server_startup(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp, server_rec *s) { - void *data = NULL; - const char *userdata_key = "apache2hook_post_config"; +#if AP_MODULE_MAGIC_AT_LEAST(20110203,1) /* Apache will load, unload and then reload a DSO module. This * prevents us from starting PHP until the second load. */ + if (ap_state_query(AP_SQ_MAIN_STATE) == AP_SQ_MS_CREATE_PRE_CONFIG) { + return OK; + } +#else + void *data = NULL; + const char *userdata_key = "apache2hook_post_config"; + apr_pool_userdata_get(&data, userdata_key, s->process->pool); + if (data == NULL) { /* We must use set() here and *not* setn(), otherwise the * static string pointed to by userdata_key will be mapped @@ -445,6 +452,7 @@ php_apache_server_startup(apr_pool_t *pconf, apr_pool_t *plog, apr_pool_t *ptemp apr_pool_userdata_set((const void *)1, userdata_key, apr_pool_cleanup_null, s->process->pool); return OK; } +#endif /* Set up our overridden path. */ if (apache2_php_ini_path_override) { ++++++ php5-apache_sapi_install.patch ++++++ # Do not attempt to modify apache configuration on module install ================================================================================ --- sapi/apache2handler/config.m4 | 9 --------- 1 file changed, 9 deletions(-) Index: sapi/apache2handler/config.m4 =================================================================== --- sapi/apache2handler/config.m4.orig 2008-03-11 23:47:39.000000000 +0100 +++ sapi/apache2handler/config.m4 2010-08-03 06:31:18.512616000 +0200 
@@ -68,18 +68,9 @@ if test "$PHP_APXS2" != "no"; then fi APXS_LIBEXECDIR='$(INSTALL_ROOT)'`$APXS -q LIBEXECDIR` - if test -z `$APXS -q SYSCONFDIR`; then INSTALL_IT="\$(mkinstalldirs) '$APXS_LIBEXECDIR' && \ $APXS -S LIBEXECDIR='$APXS_LIBEXECDIR' \ -i -n php5" - else - APXS_SYSCONFDIR='$(INSTALL_ROOT)'`$APXS -q SYSCONFDIR` - INSTALL_IT="\$(mkinstalldirs) '$APXS_LIBEXECDIR' && \ - \$(mkinstalldirs) '$APXS_SYSCONFDIR' && \ - $APXS -S LIBEXECDIR='$APXS_LIBEXECDIR' \ - -S SYSCONFDIR='$APXS_SYSCONFDIR' \ - -i -a -n php5" - fi case $host_alias in *aix*) ++++++ php5-cloexec.patch ++++++ Index: ext/standard/exec.c =================================================================== --- ext/standard/exec.c.orig +++ ext/standard/exec.c @@ -76,7 +76,11 @@ PHPAPI int php_exec(int type, char *cmd, #ifdef PHP_WIN32 fp = VCWD_POPEN(cmd, "rb"); #else + #if defined(__linux__) && __GLIBC_PREREQ(2, 9) + fp = VCWD_POPEN(cmd, "re"); + #else fp = VCWD_POPEN(cmd, "r"); + #endif #endif if (!fp) { php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to fork [%s]", cmd); Index: ext/standard/file.c =================================================================== --- ext/standard/file.c.orig +++ ext/standard/file.c @@ -926,6 +926,12 @@ PHP_FUNCTION(popen) } } #endif +#if defined(__linux__) && __GLIBC_PREREQ(2, 9) + char *e = memchr(posix_mode, 'e', mode_len); + if (e) { + memmove(e, e + 1, mode_len - (e - posix_mode)); + } +#endif fp = VCWD_POPEN(command, posix_mode); if (!fp) { Index: ext/standard/mail.c =================================================================== --- ext/standard/mail.c.orig +++ ext/standard/mail.c 
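Review bot: `#if defined(__linux__) && __GLIBC_PREREQ(2, 9)` in `php_exec` is a preprocessor error on a Linux C library that does not define `__GLIBC_PREREQ`, because the function-like call after `&&` still has to be parsed. The same guard is repeated in the `ext/standard/file.c` and `ext/standard/mail.c` hunks. Test for the macro first and nest the version check, `#if defined(__GLIBC__) && defined(__GLIBC_PREREQ)` followed by `# if __GLIBC_PREREQ(2, 9)`, keeping the plain `"r"` / `"w"` call as the fallback.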
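Review bot: The block added to `PHP_FUNCTION(popen)` removes an `e` from the caller-supplied mode, while the other two hunks of this patch add `e`, and nothing in the hunk says why. If the intent is that userland must not control close-on-exec (my reading, not stated on the page), say so: `/* 'e' (close-on-exec) is not accepted from the script; strip it before popen() */`. Only the first occurrence is removed, so a mode containing two `e` characters still reaches `VCWD_POPEN` with one; repeating the `memchr`/`memmove` until nothing is found would close that. `char *e` also appears to be declared after statements, so wrap the block in its own `{ }`.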
@@ -321,8 +321,12 @@ PHPAPI int php_mail(char *to, char *subj * (e.g. the shell can't be executed) we explicitly set it to 0 to be * sure we don't catch any older errno value. */ errno = 0; +#if defined(__linux__) && __GLIBC_PREREQ(2, 9) + sendmail = popen(sendmail_cmd, "we"); +#else sendmail = popen(sendmail_cmd, "w"); #endif +#endif if (extra_cmd != NULL) { efree (sendmail_cmd); } ++++++ php5-crypt-tests.patch ++++++ Index: ext/standard/config.m4 =================================================================== --- ext/standard/config.m4.orig +++ ext/standard/config.m4 @@ -60,7 +60,14 @@ if test "$ac_cv_func_crypt" = "no"; then AC_DEFINE(HAVE_CRYPT, 1, [ ]) ]) fi - + +if test "$ac_cv_func_crypt" = "no"; then + AC_CHECK_LIB(crypt, crypt_r, [ + LIBS="-lcrypt $LIBS -lcrypt" + AC_DEFINE(HAVE_CRYPT_R, 1, [ ]) + ]) +fi + AC_CACHE_CHECK(for standard DES crypt, ac_cv_crypt_des,[ AC_TRY_RUN([ #if HAVE_UNISTD_H @@ -172,7 +179,7 @@ main() { ac_cv_crypt_blowfish=no ])]) -AC_CACHE_CHECK(for SHA512 crypt, ac_cv_crypt_SHA512,[ +AC_CACHE_CHECK(for SHA512 crypt, ac_cv_crypt_sha512,[ AC_TRY_RUN([ #if HAVE_UNISTD_H #include 
@@ -184,24 +191,22 @@ AC_TRY_RUN([ main() { #if HAVE_CRYPT - char salt[30], answer[80]; + char salt[120]; - salt[0]='$'; salt[1]='6'; salt[2]='$'; salt[3]='$'; salt[4]='b'; salt[5]='a'; salt[6]='r'; salt[7]='\0'; - strcpy(answer, salt); - strcpy(&answer[29],"$6$$QMXjqd7rHQZPQ1yHsXkQqC1FBzDiVfTHXL.LaeDAeVV.IzMaV9VU4MQ8kPuZa2SOP1A0RPm772EaFYjpEJtdu."); - exit (strcmp((char *)crypt("foo",salt),answer)); + strcpy(salt, "\$6\$rounds=5000\$usesomesillystri\$D4IrlXatmP7rx3P3InaxBeoomnAihCKRVQP22JZ6EY47Wc6BkroIuUUBOov1i.S5KPgErtP/EN5mcO.ChWQW21"); + exit (strcmp((char *)crypt("rasmuslerdorf",salt),salt)); #else exit(0); #endif }],[ - ac_cv_crypt_SHA512=yes + ac_cv_crypt_sha512=yes ],[ - ac_cv_crypt_SHA512=no + ac_cv_crypt_sha512=no ],[ - ac_cv_crypt_SHA512=no + ac_cv_crypt_sha512=no ])]) -AC_CACHE_CHECK(for SHA256 crypt, ac_cv_crypt_SHA256,[ +AC_CACHE_CHECK(for SHA256 crypt, ac_cv_crypt_sha256,[ AC_TRY_RUN([ #if HAVE_UNISTD_H #include 
@@ -213,28 +218,31 @@ AC_TRY_RUN([ main() { #if HAVE_CRYPT - char salt[30], answer[80]; - salt[0]='$'; salt[1]='5'; salt[2]='$'; salt[3]='$'; salt[4]='s'; salt[5]='a'; salt[6]='l'; salt[7]='t'; salt[8]='s'; salt[9]='t'; salt[10]='r'; salt[11]='i'; salt[12]='n'; salt[13]='g'; salt[14]='\0'; - strcat(salt,""); - strcpy(answer, salt); - strcpy(&answer[29], "$5$saltstring$5B8vYYiY.CVt1RlTTf8KbXBH3hsxY/GNooZaBBGWEc5"); - exit (strcmp((char *)crypt("foo",salt),answer)); + char salt[80]; + strcpy(salt, "\$5\$rounds=5000\$usesomesillystri\$KqJWpanXZHKq2BOB43TSaYhEWsQ1Lr5QNyPCDH/Tp.6"); + exit (strcmp((char *)crypt("rasmuslerdorf",salt),salt)); #else exit(0); #endif }],[ - ac_cv_crypt_SHA256=yes + ac_cv_crypt_sha256=yes ],[ - ac_cv_crypt_SHA256=no + ac_cv_crypt_sha256=no ],[ - ac_cv_crypt_SHA256=no + ac_cv_crypt_sha256=no ])]) dnl -dnl If one of them is missing, use our own implementation, portable code is then possible +dnl If one of them or crypt_r() is missing, use our own implementation, portable code is then possible dnl -if test "$ac_cv_crypt_blowfish" = "no" || test "$ac_cv_crypt_des" = "no" || test "$ac_cv_crypt_ext_des" = "no" || test "x$php_crypt_r" = "x0"; then +if test "$ac_cv_crypt_des" = "no" || + /* test "$ac_cv_crypt_ext_des" = "no" ||*/ + test "$ac_cv_crypt_md5" = "no" || + test "$ac_cv_crypt_blowfish" = "no" || + test "$ac_cv_crypt_sha512" = "no" || + test "$ac_cv_crypt_sha256" = "no" || + test "$ac_cv_lib_crypt_crypt_r" = "no"; then dnl dnl Check for __alignof__ support in the compiler ++++++ php5-format-string-issues.patch ++++++ --- main/snprintf.h.orig +++ main/snprintf.h 
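Review bot: `/* test "$ac_cv_crypt_ext_des" = "no" ||*/` is a C comment placed inside the shell condition of the final `if`, and neither m4 nor the shell treats it as a comment, so the generated configure script will try to execute `/*` as a glob-expanded command in the middle of the `||` chain. The choice between the system crypt and the bundled implementation then depends on how that broken line evaluates rather than on the probe results. Delete the line or disable it with the file's own comment form, `dnl test "$ac_cv_crypt_ext_des" = "no" ||`. The `$ac_cv_lib_crypt_crypt_r` test relies on the `AC_CHECK_LIB(crypt, crypt_r, ...)` added in the first hunk, which runs only when `$ac_cv_func_crypt` is `no`, so the variable may be unset here and the test silently false.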
@@ -83,7 +83,7 @@ PHPAPI int ap_php_vslprintf(char *buf, s PHPAPI int ap_php_snprintf(char *, size_t, const char *, ...); PHPAPI int ap_php_vsnprintf(char *, size_t, const char *, va_list ap); PHPAPI int ap_php_vasprintf(char **buf, const char *format, va_list ap); -PHPAPI int ap_php_asprintf(char **buf, const char *format, ...); +PHPAPI int ap_php_asprintf(char **buf, const char *format, ...) PHP_ATTRIBUTE_FORMAT(printf, 2, 3); PHPAPI int php_sprintf (char* s, const char* format, ...) PHP_ATTRIBUTE_FORMAT(printf, 2, 3); PHPAPI char * php_gcvt(double value, int ndigit, char dec_point, char exponent, char *buf); PHPAPI char * php_conv_fp(register char format, register double num, --- main/main.c.orig +++ main/main.c @@ -898,7 +898,7 @@ PHPAPI void php_html_puts(const char *st /* {{{ php_error_cb extended error handling function */ -static void php_error_cb(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) +static PHP_ATTRIBUTE_FORMAT(printf, 4, 0) void php_error_cb(int type, const char *error_filename, const uint error_lineno, const char *format, va_list args) { char *buffer; int buffer_len, display; --- Zend/zend.h.orig +++ Zend/zend.h @@ -146,6 +146,14 @@ char *alloca (); # define ZEND_ATTRIBUTE_MALLOC #endif +#if ZEND_GCC_VERSION >= 4003 +#define ZEND_ATTR_ALLOC_SIZE(x) __attribute__((__alloc_size__(x))) +#define ZEND_ATTR_ALLOC_SIZE2(x,y) __attribute__((__alloc_size__(x,y))) +#else +#define ZEND_ATTR_ALLOC_SIZE(x) +#define ZEND_ATTR_ALLOC_SIZE2(x,y) +#endif + #if ZEND_GCC_VERSION >= 2007 # define ZEND_ATTRIBUTE_FORMAT(type, idx, first) __attribute__ ((format(type, idx, first))) #else --- Zend/zend_alloc.h.orig +++ Zend/zend_alloc.h 
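Review bot: Only `ap_php_asprintf` gains `PHP_ATTRIBUTE_FORMAT(printf, 2, 3)`; the declarations just above it in this hunk's context, `ap_php_snprintf`, `ap_php_vsnprintf` and `ap_php_vasprintf`, remain unchecked, so a mismatched or non-literal format passed to them still compiles silently. For consistency add `PHP_ATTRIBUTE_FORMAT(printf, 3, 4)` to `ap_php_snprintf`, `PHP_ATTRIBUTE_FORMAT(printf, 3, 0)` to `ap_php_vsnprintf` and `PHP_ATTRIBUTE_FORMAT(printf, 2, 0)` to `ap_php_vasprintf`, in the same way the `main/main.c` hunk annotates `php_error_cb`. If callers use PHP-specific conversion specifiers the compiler will warn on them, so try this with a full build first.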
@@ -54,14 +54,14 @@ BEGIN_EXTERN_C() ZEND_API char *zend_strndup(const char *s, unsigned int length) ZEND_ATTRIBUTE_MALLOC; -ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC; -ZEND_API void *_safe_emalloc(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC; -ZEND_API void *_safe_malloc(size_t nmemb, size_t size, size_t offset) ZEND_ATTRIBUTE_MALLOC; +ZEND_API void *_emalloc(size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC ZEND_ATTR_ALLOC_SIZE(1); +ZEND_API void *_safe_emalloc(size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC ZEND_ATTR_ALLOC_SIZE2(1,2); +ZEND_API void *_safe_malloc(size_t nmemb, size_t size, size_t offset) ZEND_ATTRIBUTE_MALLOC ZEND_ATTR_ALLOC_SIZE2(1,2); ZEND_API void _efree(void *ptr ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC); -ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC; -ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC); -ZEND_API void *_safe_erealloc(void *ptr, size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC); -ZEND_API void *_safe_realloc(void *ptr, size_t nmemb, size_t size, size_t offset); +ZEND_API void *_ecalloc(size_t nmemb, size_t size ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC ZEND_ATTR_ALLOC_SIZE2(1,2); +ZEND_API void *_erealloc(void *ptr, size_t size, int allow_failure ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTR_ALLOC_SIZE(2); +ZEND_API void *_safe_erealloc(void *ptr, size_t nmemb, size_t size, size_t offset ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTR_ALLOC_SIZE2(2,3); +ZEND_API void *_safe_realloc(void *ptr, size_t nmemb, size_t size, size_t offset) ZEND_ATTR_ALLOC_SIZE2(2,3); ZEND_API char *_estrdup(const char *s ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) 
ZEND_ATTRIBUTE_MALLOC; ZEND_API char *_estrndup(const char *s, unsigned int length ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC) ZEND_ATTRIBUTE_MALLOC; ZEND_API size_t _zend_mem_block_size(void *ptr TSRMLS_DC ZEND_FILE_LINE_DC ZEND_FILE_LINE_ORIG_DC); @@ -90,7 +90,7 @@ ZEND_API size_t _zend_mem_block_size(voi #define estrndup_rel(s, length) _estrndup((s), (length) ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_CC) #define zend_mem_block_size_rel(ptr) _zend_mem_block_size((ptr) TSRMLS_CC ZEND_FILE_LINE_RELAY_CC ZEND_FILE_LINE_CC) -inline static void * __zend_malloc(size_t len) +inline static ZEND_ATTR_ALLOC_SIZE(1) void * __zend_malloc(size_t len) { void *tmp = malloc(len); if (tmp) { @@ -100,14 +100,14 @@ inline static void * __zend_malloc(size_ exit(1); } -inline static void * __zend_calloc(size_t nmemb, size_t len) +inline static ZEND_ATTR_ALLOC_SIZE2(1,2) void * __zend_calloc(size_t nmemb, size_t len) { void *tmp = _safe_malloc(nmemb, len, 0); memset(tmp, 0, nmemb * len); return tmp; } -inline static void * __zend_realloc(void *p, size_t len) +inline static ZEND_ATTR_ALLOC_SIZE(2) void * __zend_realloc(void *p, size_t len) { p = realloc(p, len); if (p) { ++++++ php5-gcc_builtins.patch ++++++ --- Zend/zend_alloc.c.orig +++ Zend/zend_alloc.c @@ -36,7 +36,7 @@ # include # include #endif - +#include #ifndef ZEND_MM_HEAP_PROTECTION # define ZEND_MM_HEAP_PROTECTION ZEND_DEBUG #endif @@ -665,10 +665,7 @@ static inline unsigned int zend_mm_high_ __asm__("bsrl %1,%0\n\t" : "=r" (n) : "rm" (_size)); return n; #elif defined(__GNUC__) && defined(__x86_64__) - unsigned long n; - - __asm__("bsrq %1,%0\n\t" : "=r" (n) : "rm" (_size)); - return (unsigned int)n; + return __bsrq(_size); #elif defined(_MSC_VER) && defined(_M_IX86) __asm { bsr eax, _size 
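Review bot: `ZEND_ATTR_ALLOC_SIZE2(1,2)` on `_safe_emalloc` and `_safe_malloc`, and `ZEND_ATTR_ALLOC_SIZE2(2,3)` on `_safe_erealloc` and `_safe_realloc`, declare the result to be `nmemb * size` bytes, but these functions take a further `offset` argument that, going by its name, is added to that product. If so, the attribute under-reports the object size whenever `offset` is non-zero. Object-size based checks such as `__builtin_object_size` and fortified string functions can then reject or mis-optimise valid writes to the tail of the buffer. `alloc_size` cannot express `a * b + c`, so I would leave the attribute off the four `_safe_*` declarations and keep it on `_emalloc`, `_ecalloc` and `_erealloc`.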
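Review bot: The `#include` added near the top of `Zend/zend_alloc.c` (its header name is not preserved on this page) is outside any architecture guard, while its only uses, `__bsrq(_size)` here and `__bsfq(_size)` in the next hunk, are inside `#elif defined(__GNUC__) && defined(__x86_64__)`. On other architectures the header may not exist and the file would stop compiling, so wrap the include in `#if defined(__GNUC__) && defined(__x86_64__)` … `#endif`. The removed code returned `(unsigned int)n`; keeping that cast, `return (unsigned int)__bsrq(_size);`, avoids an implicit signed-to-unsigned conversion. Both functions begin and end outside their hunks.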
@@ -691,10 +688,7 @@ static inline unsigned int zend_mm_low_b __asm__("bsfl %1,%0\n\t" : "=r" (n) : "rm" (_size)); return n; #elif defined(__GNUC__) && defined(__x86_64__) - unsigned long n; - - __asm__("bsfq %1,%0\n\t" : "=r" (n) : "rm" (_size)); - return (unsigned int)n; + return __bsfq(_size); #elif defined(_MSC_VER) && defined(_M_IX86) __asm { bsf eax, _size ++++++ php5-ini.patch ++++++ Index: php.ini-production =================================================================== --- php.ini-production.orig +++ php.ini-production @@ -702,7 +702,7 @@ default_mimetype = "text/html" ;;;;;;;;;;;;;;;;;;;;;;;;; ; UNIX: "/path1:/path2" -;include_path = ".:/php/includes" +include_path = ".:/usr/share/php5:/usr/share/php5/PEAR" ; ; Windows: "\path1;\path2" ;include_path = ".;c:\php\includes" @@ -916,7 +916,7 @@ cli_server.color = On [Date] ; Defines the default timezone used by the date functions ; http://php.net/date.timezone -;date.timezone = +date.timezone = 'UTC' ; http://php.net/date.default-latitude ;date.default_latitude = 31.7667 @@ -1106,7 +1106,7 @@ mysql.allow_local_infile = On ; Allow or prevent persistent links. ; http://php.net/mysql.allow-persistent -mysql.allow_persistent = On +mysql.allow_persistent = Off ; If mysqlnd is used: Number of cache slots for the internal result set cache ; http://php.net/mysql.cache_size @@ -1169,7 +1169,7 @@ mysqli.max_persistent = -1 ; Allow or prevent persistent links. ; http://php.net/mysqli.allow-persistent -mysqli.allow_persistent = On +mysqli.allow_persistent = Off ; Maximum number of links. -1 means no limit. ; http://php.net/mysqli.max-links @@ -1391,7 +1391,7 @@ session.save_handler = files ; where MODE is the octal representation of the mode. Note that this ; does not overwrite the process's umask. ; http://php.net/session.save-path -;session.save_path = "/tmp" +session.save_path = "/var/lib/php5" ; Whether to use cookies. ; http://php.net/session.use-cookies 
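Review bot: `session.save_path = "/var/lib/php5"` is set without the optional `MODE` prefix that the comment above it describes, and the patch does not say who creates the directory or with which permissions. Session files hold authentication state, so the directory should be writable only by the account(s) PHP runs as and not readable or listable by other local users. That requirement belongs in the package's file list, and a comment here would record it: `; created by the package; must not be world-readable`.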
@@ -1507,7 +1507,7 @@ session.referer_check = ; How many bytes to read from the file. ; http://php.net/session.entropy-length -;session.entropy_length = 32 +session.entropy_length = 32 ; Specified here to create the session id. ; http://php.net/session.entropy-file @@ -1516,7 +1516,7 @@ session.referer_check = ; If neither are found at compile time, the default is no entropy file. ; On windows, setting the entropy_length setting will activate the ; Windows random source (using the CryptoAPI) -;session.entropy_file = /dev/urandom +session.entropy_file = /dev/urandom ; Set to {nocache,private,public,} to determine HTTP caching aspects ; or leave this empty to avoid sending anti-caching headers. @@ -1547,7 +1547,7 @@ session.use_trans_sid = 0 ; the hash extension. A list of available hashes is returned by the hash_algos() ; function. ; http://php.net/session.hash-function -session.hash_function = 0 +session.hash_function = sha256 ; Define how many bits are stored in each character when converting ; the binary hash data to something readable. ++++++ php5-mbstring-missing-return.patch ++++++ Index: ext/mbstring/libmbfl/filters/mbfilter_sjis_2004.c =================================================================== --- ext/mbstring/libmbfl/filters/mbfilter_sjis_2004.c.orig 2013-09-18 07:48:57.000000000 +0200 +++ ext/mbstring/libmbfl/filters/mbfilter_sjis_2004.c 2013-09-25 11:59:19.925758346 +0200 @@ -672,6 +672,8 @@ CK(mbfl_filt_conv_illegal_output(c, filter)); } } + + return c; } int Index: ext/mbstring/libmbfl/filters/mbfilter_utf8.c =================================================================== --- ext/mbstring/libmbfl/filters/mbfilter_utf8.c.orig 2013-09-18 07:48:57.000000000 +0200 +++ ext/mbstring/libmbfl/filters/mbfilter_utf8.c 2013-09-25 12:22:04.061030824 +0200 
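Review bot: `session.hash_function = sha256` selects an algorithm by name, and the comment directly above it says named algorithms are provided by the hash extension. If that extension is not built in or not loaded, session start-up may fail where the previous value `0` would not. Extend the comment with `; sha256 requires the hash extension`, or make the dependency explicit in packaging. The longer digest also lengthens session IDs while `session.hash_bits_per_character` is left unchanged, which matters to anything that stores or validates IDs with a fixed length.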
@@ -101,6 +101,7 @@ filter->status = 0; filter->cache = 0; CK((*filter->output_function)(w, filter->data)); + return 0; } ++++++ php5-missing-extdeps.patch ++++++ Index: ext/soap/soap.c =================================================================== --- ext/soap/soap.c.orig +++ ext/soap/soap.c @@ -442,10 +442,18 @@ static const zend_function_entry soap_he PHP_FE_END }; -zend_module_entry soap_module_entry = { -#ifdef STANDARD_MODULE_HEADER - STANDARD_MODULE_HEADER, +/* {{{ soap dependencies */ +static const zend_module_dep soap_module_deps[] = { + ZEND_MOD_REQUIRED("standard") +#if HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION) + ZEND_MOD_REQUIRED("session") #endif + {NULL, NULL, NULL} +}; + +zend_module_entry soap_module_entry = { + STANDARD_MODULE_HEADER_EX, NULL, + soap_module_deps, "soap", soap_functions, PHP_MINIT(soap), Index: ext/wddx/wddx.c =================================================================== --- ext/wddx/wddx.c.orig +++ ext/wddx/wddx.c @@ -154,10 +154,21 @@ ZEND_GET_MODULE(wddx) #endif /* COMPILE_DL_WDDX */ /* }}} */ +/* {{{ wddx dependencies */ +static const zend_module_dep wddx_module_deps[] = { + ZEND_MOD_REQUIRED("standard") + ZEND_MOD_REQUIRED("xml") + ZEND_MOD_REQUIRED("date") +#if HAVE_PHP_SESSION && !defined(COMPILE_DL_SESSION) + ZEND_MOD_REQUIRED("session") +#endif + {NULL, NULL, NULL} +}; /* {{{ wddx_module_entry */ zend_module_entry wddx_module_entry = { - STANDARD_MODULE_HEADER, + STANDARD_MODULE_HEADER_EX, NULL, + wddx_module_deps, "wddx", wddx_functions, PHP_MINIT(wddx), Index: ext/filter/filter.c =================================================================== --- ext/filter/filter.c.orig +++ ext/filter/filter.c 
@@ -132,12 +132,17 @@ static const zend_function_entry filter_ }; /* }}} */ +/* {{{ filter dependencies */ +static const zend_module_dep filter_module_deps[] = { + ZEND_MOD_REQUIRED("standard") + ZEND_MOD_REQUIRED("pcre") + {NULL, NULL, NULL} +}; /* {{{ filter_module_entry */ zend_module_entry filter_module_entry = { -#if ZEND_MODULE_API_NO >= 20010901 - STANDARD_MODULE_HEADER, -#endif + STANDARD_MODULE_HEADER_EX, NULL, + filter_module_deps, "filter", filter_functions, PHP_MINIT(filter), Index: ext/mbstring/mbstring.c =================================================================== --- ext/mbstring/mbstring.c.orig +++ ext/mbstring/mbstring.c @@ -570,9 +570,19 @@ const zend_function_entry mbstring_funct }; /* }}} */ +/* {{{ mbstring dependencies */ +static const zend_module_dep mbstring_module_deps[] = { + ZEND_MOD_REQUIRED("standard") +#if (HAVE_PCRE || HAVE_BUNDLED_PCRE) && !HAVE_ONIG + ZEND_MOD_REQUIRED("pcre") +#endif + {NULL, NULL, NULL} +}; + /* {{{ zend_module_entry mbstring_module_entry */ zend_module_entry mbstring_module_entry = { - STANDARD_MODULE_HEADER, + STANDARD_MODULE_HEADER_EX, NULL, + mbstring_module_deps, "mbstring", mbstring_functions, PHP_MINIT(mbstring), ++++++ php5-no-build-date.patch ++++++ Index: ext/standard/info.c =================================================================== --- ext/standard/info.c.orig +++ ext/standard/info.c @@ -697,7 +697,7 @@ PHPAPI void php_print_info(int flag TSRM php_info_print_box_end(); php_info_print_table_start(); php_info_print_table_row(2, "System", php_uname ); - php_info_print_table_row(2, "Build Date", __DATE__ " " __TIME__ ); + /* php_info_print_table_row(2, "Build Date", __DATE__ " " __TIME__ ); */ #ifdef COMPILER php_info_print_table_row(2, "Compiler", COMPILER); #endif 
@@ -705,7 +705,7 @@ PHPAPI void php_print_info(int flag TSRM php_info_print_table_row(2, "Architecture", ARCHITECTURE); #endif #ifdef CONFIGURE_COMMAND - php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); + /* php_info_print_table_row(2, "Configure Command", CONFIGURE_COMMAND ); */ #endif if (sapi_module.pretty_name) { Index: sapi/fpm/fpm/fpm_main.c =================================================================== --- sapi/fpm/fpm/fpm_main.c.orig +++ sapi/fpm/fpm/fpm_main.c @@ -1710,7 +1710,7 @@ int main(int argc, char *argv[]) #if ZEND_DEBUG php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #else - php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, get_zend_version()); #endif php_request_shutdown((void *) 0); fcgi_shutdown(); Index: configure.in =================================================================== --- configure.in.orig +++ configure.in @@ -1257,8 +1257,8 @@ fi EXTRA_LDFLAGS="$EXTRA_LDFLAGS $PHP_LDFLAGS" EXTRA_LDFLAGS_PROGRAM="$EXTRA_LDFLAGS_PROGRAM $PHP_LDFLAGS" - -PHP_BUILD_DATE=`date '+%Y-%m-%d'` +#totally fake, not used anywhere in userspace +PHP_BUILD_DATE="1970-01-01" AC_DEFINE_UNQUOTED(PHP_BUILD_DATE,"$PHP_BUILD_DATE",[PHP build date]) case $host_alias in 
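Review bot: Only the `#else` branch of the version banner in `sapi/fpm/fpm/fpm_main.c` drops `__DATE__` and `__TIME__`; the `#if ZEND_DEBUG` branch directly above still prints `(built: %s %s)`, and the `sapi/cgi/cgi_main.c` hunk has the same asymmetry. A debug build therefore still embeds and discloses its build timestamp and is not reproducible. Change the debug line to match: `php_printf("PHP %s (%s) (DEBUG)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, get_zend_version());`.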
@@ -1269,7 +1269,8 @@ case $host_alias in AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[hardcode for each of the cross compiler host]) ;; *) - PHP_UNAME=`uname -a | xargs` +dnl Totally fake, it wasnt and will never be reliable anyway. + PHP_UNAME="Linux suse 2.6.36 #1 SMP 2011-02-21 10:34:10 +0100 x86_64 x86_64 x86_64 GNU/Linux" AC_DEFINE_UNQUOTED(PHP_UNAME,"$PHP_UNAME",[uname -a output]) PHP_OS=`uname | xargs` AC_DEFINE_UNQUOTED(PHP_OS,"$PHP_OS",[uname output]) Index: sapi/cli/php_cli.c =================================================================== --- sapi/cli/php_cli.c.orig +++ sapi/cli/php_cli.c @@ -687,8 +687,8 @@ static int do_cli(int argc, char **argv goto out; case 'v': /* show php version & quit */ - php_printf("PHP %s (%s) (built: %s %s) %s\nCopyright (c) 1997-2013 The PHP Group\n%s", - PHP_VERSION, cli_sapi_module.name, __DATE__, __TIME__, + php_printf("PHP %s (%s) %s\nCopyright (c) 1997-2013 The PHP Group\n%s", + PHP_VERSION, cli_sapi_module.name, #if ZEND_DEBUG && defined(HAVE_GCOV) "(DEBUG GCOV)", #elif ZEND_DEBUG Index: sapi/cgi/cgi_main.c =================================================================== --- sapi/cgi/cgi_main.c.orig +++ sapi/cgi/cgi_main.c @@ -2218,7 +2218,7 @@ consult the installation file that came #if ZEND_DEBUG php_printf("PHP %s (%s) (built: %s %s) (DEBUG)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); #else - php_printf("PHP %s (%s) (built: %s %s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, __DATE__, __TIME__, get_zend_version()); + php_printf("PHP %s (%s)\nCopyright (c) 1997-2013 The PHP Group\n%s", PHP_VERSION, sapi_module.name, get_zend_version()); #endif php_request_shutdown((void *) 0); fcgi_shutdown(); ++++++ php5-no-reentrant-crypt.patch ++++++ Index: ext/standard/crypt.c =================================================================== --- ext/standard/crypt.c +++ ext/standard/crypt.c 
@@ -302,6 +302,8 @@ PHP_FUNCTION(crypt) RETURN_STRING(crypt_res, 1); } } +# else + RETURN_STRING(crypt(str, salt), 1); # endif #endif } ++++++ php5-openssl.patch ++++++ Index: ext/openssl/openssl.c =================================================================== --- ext/openssl/openssl.c.orig +++ ext/openssl/openssl.c @@ -51,6 +51,7 @@ #include #include #include +#include /* Common */ #include @@ -1015,10 +1016,16 @@ PHP_MINIT_FUNCTION(openssl) le_x509 = zend_register_list_destructors_ex(php_x509_free, NULL, "OpenSSL X.509", module_number); le_csr = zend_register_list_destructors_ex(php_csr_free, NULL, "OpenSSL X.509 CSR", module_number); + OPENSSL_config(NULL); SSL_library_init(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); OpenSSL_add_all_algorithms(); +/* Load all bundled ENGINEs into memory and make them visible */ + ENGINE_load_builtin_engines(); + /* Register all of them for every algorithm they collectively implement */ + ENGINE_register_all_complete(); + SSL_load_error_strings(); Index: ext/openssl/xp_ssl.c =================================================================== --- ext/openssl/xp_ssl.c.orig +++ ext/openssl/xp_ssl.c @@ -378,6 +378,10 @@ static inline int php_openssl_setup_cryp return -1; } +#ifdef SSL_MODE_RELEASE_BUFFERS + SSL_CTX_set_mode(sslsock->ctx, SSL_MODE_RELEASE_BUFFERS); +#endif + #if OPENSSL_VERSION_NUMBER >= 0x0090605fL ssl_ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; #endif ++++++ php5-per-mod-log.patch ++++++ commit 59dfd98677886d418bda90ac5291ba8dea638dc7 Author: Cristian Rodríguez Date: Wed Aug 8 21:12:57 2012 +0200 Fix per-module logging in apache 2.4 --- php-5.4.17.orig/sapi/apache2handler/php_apache.h +++ php-5.4.17/sapi/apache2handler/php_apache.h 
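Review bot: The new `# else` branch passes the result of `crypt(str, salt)` straight to `RETURN_STRING(..., 1)`, but `crypt()` can return NULL when it rejects the salt or the algorithm, and duplicating a NULL string crashes the process. Check the result first: `char *res = crypt(str, salt);`, then `if (!res) { RETURN_STRING("*0", 1); }` and `RETURN_STRING(res, 1);`, using whatever failure token the rest of `PHP_FUNCTION(crypt)` returns (that code is outside the hunk). `crypt()` also returns a pointer into static storage, so this branch is not safe in a thread-safe build and a comment should say so.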
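Review bot: `ENGINE_load_builtin_engines()` and `ENGINE_register_all_complete()` in `PHP_MINIT_FUNCTION(openssl)` are unconditional, as is the `#include` added in the first hunk (its header name is not preserved on this page). The extension therefore no longer builds against an OpenSSL configured without engine support; guard both places with `#ifndef OPENSSL_NO_ENGINE`. `OPENSSL_config(NULL)` also makes every PHP process load the system-wide OpenSSL configuration, including any engines it names, and it reports no error. If that is intended, state it for whoever audits the crypto setup later: `/* honour the system openssl.cnf (engines, defaults) */`.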
@@ -24,7 +24,11 @@ #include "httpd.h" #include "http_config.h" #include "http_core.h" +#include "http_log.h" +#ifdef APLOG_USE_MODULE +APLOG_USE_MODULE(php5); +#endif /* Declare this so we can get to it from outside the sapi_apache2.c file */ extern module AP_MODULE_DECLARE_DATA php5_module; ++++++ php5-php-config.patch ++++++ --- scripts/php-config.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: scripts/php-config.in =================================================================== --- scripts/php-config.in.orig 2007-08-24 13:44:10.000000000 +0200 +++ scripts/php-config.in 2010-08-03 06:31:18.786529000 +0200 @@ -5,7 +5,7 @@ prefix="@prefix@" exec_prefix="@exec_prefix@" version="@PHP_VERSION@" vernum="@PHP_VERSION_ID@" -include_dir="@includedir@/php" +include_dir="@includedir@/php5" includes="-I$include_dir -I$include_dir/main -I$include_dir/TSRM -I$include_dir/Zend -I$include_dir/ext -I$include_dir/ext/date/lib" ldflags="@PHP_LDFLAGS@" libs="@EXTRA_LIBS@" ++++++ php5-phpize.patch ++++++ --- scripts/Makefile.frag | 4 ++-- scripts/phpize.in | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) Index: scripts/Makefile.frag =================================================================== --- scripts/Makefile.frag.orig +++ scripts/Makefile.frag @@ -3,8 +3,8 @@ # Build environment install # -phpincludedir = $(includedir)/php -phpbuilddir = $(libdir)/build +phpincludedir = $(includedir)/php5 +phpbuilddir = $(datadir)/build BUILD_FILES = \ scripts/phpize.m4 \ Index: scripts/phpize.in =================================================================== --- scripts/phpize.in.orig +++ scripts/phpize.in 
@@ -4,8 +4,8 @@ prefix='@prefix@' datarootdir='@datarootdir@' exec_prefix="`eval echo @exec_prefix@`" -phpdir="`eval echo @libdir@`/build" -includedir="`eval echo @includedir@`/php" +phpdir="`eval echo @datadir@`/build" +includedir="`eval echo @includedir@`/php5" builddir="`pwd`" SED="@SED@" ++++++ php5-pts.patch ++++++ --- ext/standard/proc_open.c.orig +++ ext/standard/proc_open.c @@ -62,7 +62,7 @@ * */ #ifdef PHP_CAN_SUPPORT_PROC_OPEN -#if 0 && HAVE_PTSNAME && HAVE_GRANTPT && HAVE_UNLOCKPT && HAVE_SYS_IOCTL_H && HAVE_TERMIOS_H +#if HAVE_PTSNAME && HAVE_GRANTPT && HAVE_UNLOCKPT && HAVE_SYS_IOCTL_H && HAVE_TERMIOS_H # include # include # define PHP_CAN_DO_PTS 1 ++++++ php5-suhosin-crash.patch ++++++ >From 117b6aa6efec61afaa1431c698dad8eb553b55f5 Mon Sep 17 00:00:00 2001 From: Olivier Blin Date: Sun, 31 Mar 2013 01:15:48 +0100 Subject: [PATCH] Fix saving sessions in PHP 5.4 with user session handlers (fix #12) When session storage functions are set with session_set_save_handler() (this is the "mod_user" mode), mod_data will be NULL in PHP 5.4, and suhosin session hooks will bail out. PHP 5.4 allows to check this with mod_user_implemented instead. --- session.c | 21 ++++++++++++++++++--- 1 file changed, 18 insertions(+), 3 deletions(-) diff --git a/session.c b/session.c index 1045a93..513c195 100644 --- ext/suhosin/session.c +++ ext/suhosin/session.c @@ -728,7 +728,12 @@ static int suhosin_hook_s_read(void **mod_data, const char *key, char **val, int }*/ /* protect dumb session handlers */ - if (key == NULL || !key[0] || *mod_data == NULL) { + if (key == NULL || !key[0] || + (*mod_data == NULL +#if PHP_VERSION_ID >= 50400 + && !SESSION_G(mod_user_implemented) +#endif + )) { regenerate: SDEBUG("regenerating key is %s", key); KEY = SESSION_G(id) = SESSION_G(mod)->s_create_sid(&SESSION_G(mod_data), NULL TSRMLS_CC); 
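Review bot: The same compound test, `*mod_data == NULL` with `#if PHP_VERSION_ID >= 50400` … `&& !SESSION_G(mod_user_implemented)` … `#endif` spliced into the middle of the expression, is written three times: here in `suhosin_hook_s_read` and again in the `suhosin_hook_s_write` and `suhosin_hook_s_destroy` hunks. A preprocessor conditional inside an `if` condition is easy to break on the next edit, and these checks decide whether a session key is accepted. Define the test once as a new macro near the top of the file and use it in all three hooks, as sketched below. The hooks start and end outside their hunks, so whether `mod_data` itself can be NULL cannot be told from here.

```c
/* True when no storage backend is attached: mod_data is unset and, on
 * PHP >= 5.4, no user session handler is installed either. */
#if PHP_VERSION_ID >= 50400
# define SUHOSIN_SESSION_NO_BACKEND(mod_data) \
	(*(mod_data) == NULL && !SESSION_G(mod_user_implemented))
#else
# define SUHOSIN_SESSION_NO_BACKEND(mod_data) (*(mod_data) == NULL)
#endif

/* … unchanged: suhosin_hook_s_read prologue … */
	if (key == NULL || !key[0] || SUHOSIN_SESSION_NO_BACKEND(mod_data)) {
/* … unchanged: regenerate path; s_write and s_destroy use the same macro … */
```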
@@ -777,7 +782,12 @@ static int suhosin_hook_s_write(void **mod_data, const char *key, const char *va char *v = (char *)val; /* protect dumb session handlers */ - if (key == NULL || !key[0] || val == NULL || strlen(key) > SUHOSIN_G(session_max_id_length) || *mod_data == NULL) { + if (key == NULL || !key[0] || val == NULL || strlen(key) > SUHOSIN_G(session_max_id_length) || + (*mod_data == NULL +#if PHP_VERSION_ID >= 50400 + && !SESSION_G(mod_user_implemented) +#endif + )) { r = FAILURE; goto return_write; } @@ -820,7 +830,12 @@ static int suhosin_hook_s_destroy(void **mod_data, const char *key TSRMLS_DC) int r; /* protect dumb session handlers */ - if (key == NULL || !key[0] || strlen(key) > SUHOSIN_G(session_max_id_length) || *mod_data == NULL) { + if (key == NULL || !key[0] || strlen(key) > SUHOSIN_G(session_max_id_length) || + (*mod_data == NULL +#if PHP_VERSION_ID >= 50400 + && !SESSION_G(mod_user_implemented) +#endif + )) { return FAILURE; } ++++++ php5-suhosin-php54.patch ++++++ ++++ 714 lines (skipped) ++++++ php5-systzdata-v7.patch ++++++ ++++ 619 lines (skipped) ++++++ php5-wrong-fail-stack_push.patch ++++++ Index: Zend/zend_stack.c =================================================================== --- Zend/zend_stack.c.orig 2014-12-17 10:39:40.000000000 +0100 +++ Zend/zend_stack.c 2015-01-07 15:13:38.258091022 +0100 @@ -34,10 +34,11 @@ { if (stack->top >= stack->max) { /* we need to allocate more memory */ stack->elements = (void **) erealloc(stack->elements, - (sizeof(void **) * (stack->max += STACK_BLOCK_SIZE))); + (sizeof(void **) * (stack->max + STACK_BLOCK_SIZE))); if (!stack->elements) { return FAILURE; } + stack->max += STACK_BLOCK_SIZE; } stack->elements[stack->top] = (void *) emalloc(size); memcpy(stack->elements[stack->top], element, size);
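Review bot: `stack->elements` in `Zend/zend_stack.c` is still assigned the result of `erealloc()` directly, so if the `!stack->elements` branch is ever taken the old array pointer is already lost while `stack->top` and `stack->max` still describe it. The hunk only fixes the premature `stack->max` update. Use a temporary: `void **tmp = (void **) erealloc(stack->elements, (sizeof(void **) * (stack->max + STACK_BLOCK_SIZE)));`, then `if (!tmp) { return FAILURE; }` and `stack->elements = tmp;`. The `emalloc(size)` result on the context line below is passed to `memcpy` unchecked in the same way. The function's signature lies above the hunk.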