| 1 |
commit: 1869730d58f3d9cbfefa83bd47a94873a3b37989 |
| 2 |
Author: Brian Evans <grknight <AT> gentoo <DOT> org> |
| 3 |
AuthorDate: Thu May 30 18:03:56 2019 +0000 |
| 4 |
Commit: Brian Evans <grknight <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Thu May 30 18:03:56 2019 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/php-patches.git/commit/?id=1869730d |
| 7 |
|
| 8 |
Add backports from 7.1.30 |
| 9 |
|
| 10 |
Signed-off-by: Brian Evans <grknight <AT> gentoo.org> |
| 11 |
|
| 12 |
00180_June2019-backports.patch | 223 ++++++++++++++++++++++++++++++++++++ |
| 13 |
bug77540.jpg => exif/bug77540.jpg | Bin |
| 14 |
bug77563.jpg => exif/bug77563.jpg | Bin |
| 15 |
bug77753.tiff => exif/bug77753.tiff | Bin |
| 16 |
bug77831.tiff => exif/bug77831.tiff | Bin |
| 17 |
bug77950.tiff => exif/bug77950.tiff | Bin |
| 18 |
exif/bug77988.jpg | Bin 0 -> 1202 bytes |
| 19 |
iconv/bug78069.data | Bin 0 -> 107 bytes |
| 20 |
8 files changed, 223 insertions(+) |
| 21 |
|
| 22 |
diff --git a/00180_June2019-backports.patch b/00180_June2019-backports.patch |
| 23 |
new file mode 100644 |
| 24 |
index 0000000..0f0f55f |
| 25 |
--- /dev/null |
| 26 |
+++ b/00180_June2019-backports.patch |
| 27 |
@@ -0,0 +1,223 @@ |
| 28 |
+From fde7833378c023134aafd054efa023d40aa78858 Mon Sep 17 00:00:00 2001 |
| 29 |
+From: "Christoph M. Becker" <cmbecker69@×××.de> |
| 30 |
+Date: Mon, 6 May 2019 10:18:51 +0200 |
| 31 |
+Subject: [PATCH 1/5] Fix #77973: Uninitialized read in gdImageCreateFromXbm |
| 32 |
+ |
| 33 |
+We have to ensure that `sscanf()` does indeed read a hex value here, |
| 34 |
+and bail out otherwise. |
| 35 |
+ |
| 36 |
+(cherry picked from commit ed6dee9a198c904ad5e03113e58a2d2c200f5184) |
| 37 |
+--- |
| 38 |
+ ext/gd/libgd/xbm.c | 6 +++++- |
| 39 |
+ ext/gd/tests/bug77973.phpt | 26 ++++++++++++++++++++++++++ |
| 40 |
+ 2 files changed, 31 insertions(+), 1 deletion(-) |
| 41 |
+ create mode 100644 ext/gd/tests/bug77973.phpt |
| 42 |
+ |
| 43 |
+diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c |
| 44 |
+index 503ac824bc..99931a5878 100644 |
| 45 |
+--- a/ext/gd/libgd/xbm.c |
| 46 |
++++ b/ext/gd/libgd/xbm.c |
| 47 |
+@@ -135,7 +135,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd) |
| 48 |
+ } |
| 49 |
+ h[3] = ch; |
| 50 |
+ } |
| 51 |
+- sscanf(h, "%x", &b); |
| 52 |
++ if (sscanf(h, "%x", &b) != 1) { |
| 53 |
++ php_gd_error("invalid XBM"); |
| 54 |
++ gdImageDestroy(im); |
| 55 |
++ return 0; |
| 56 |
++ } |
| 57 |
+ for (bit = 1; bit <= max_bit; bit = bit << 1) { |
| 58 |
+ gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); |
| 59 |
+ if (x == im->sx) { |
| 60 |
+diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt |
| 61 |
+new file mode 100644 |
| 62 |
+index 0000000000..2545dbe128 |
| 63 |
+--- /dev/null |
| 64 |
++++ b/ext/gd/tests/bug77973.phpt |
| 65 |
+@@ -0,0 +1,26 @@ |
| 66 |
++--TEST-- |
| 67 |
++Bug #77973 (Uninitialized read in gdImageCreateFromXbm) |
| 68 |
++--SKIPIF-- |
| 69 |
++<?php |
| 70 |
++if (!extension_loaded('gd')) die("skip gd extension not available"); |
| 71 |
++if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available"); |
| 72 |
++?> |
| 73 |
++--FILE-- |
| 74 |
++<?php |
| 75 |
++$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a"); |
| 76 |
++$filepath = __DIR__ . '/bug77973.xbm'; |
| 77 |
++file_put_contents($filepath, $contents); |
| 78 |
++$im = imagecreatefromxbm($filepath); |
| 79 |
++var_dump($im); |
| 80 |
++?> |
| 81 |
++===DONE=== |
| 82 |
++--EXPECTF-- |
| 83 |
++Warning: imagecreatefromxbm(): invalid XBM in %s on line %d |
| 84 |
++ |
| 85 |
++Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d |
| 86 |
++bool(false) |
| 87 |
++===DONE=== |
| 88 |
++--CLEAN-- |
| 89 |
++<?php |
| 90 |
++unlink(__DIR__ . '/bug77973.xbm'); |
| 91 |
++?> |
| 92 |
+ |
| 93 |
+From aabd02d6dd1eab180486cff933dc8d08d4297e38 Mon Sep 17 00:00:00 2001 |
| 94 |
+From: Stanislav Malyshev <stas@×××.net> |
| 95 |
+Date: Mon, 27 May 2019 16:32:42 -0700 |
| 96 |
+Subject: [PATCH 2/5] Fix bug #78069 - Out-of-bounds read in |
| 97 |
+ iconv.c:_php_iconv_mime_decode() due to integer overflow |
| 98 |
+ |
| 99 |
+(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac) |
| 100 |
+--- |
| 101 |
+ ext/iconv/iconv.c | 4 +++- |
| 102 |
+ ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes |
| 103 |
+ ext/iconv/tests/bug78069.phpt | 15 +++++++++++++++ |
| 104 |
+ 3 files changed, 18 insertions(+), 1 deletion(-) |
| 105 |
+ create mode 100644 ext/iconv/tests/bug78069.data |
| 106 |
+ create mode 100644 ext/iconv/tests/bug78069.phpt |
| 107 |
+ |
| 108 |
+diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c |
| 109 |
+index 335dbd17e9..bbc4b0f5e3 100644 |
| 110 |
+--- a/ext/iconv/iconv.c |
| 111 |
++++ b/ext/iconv/iconv.c |
| 112 |
+@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st |
| 113 |
+ * we can do at this point. */ |
| 114 |
+ if (*(p1 + 1) == '=') { |
| 115 |
+ ++p1; |
| 116 |
+- --str_left; |
| 117 |
++ if (str_left > 1) { |
| 118 |
++ --str_left; |
| 119 |
++ } |
| 120 |
+ } |
| 121 |
+ |
| 122 |
+ err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); |
| 123 |
+diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt |
| 124 |
+new file mode 100644 |
| 125 |
+index 0000000000..1341a5ef4f |
| 126 |
+--- /dev/null |
| 127 |
++++ b/ext/iconv/tests/bug78069.phpt |
| 128 |
+@@ -0,0 +1,15 @@ |
| 129 |
++--TEST-- |
| 130 |
++Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) |
| 131 |
++--SKIPIF-- |
| 132 |
++<?php |
| 133 |
++if (!extension_loaded('iconv')) die('skip ext/iconv required'); |
| 134 |
++?> |
| 135 |
++--FILE-- |
| 136 |
++<?php |
| 137 |
++$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2); |
| 138 |
++var_dump(count($hdr)); |
| 139 |
++?> |
| 140 |
++DONE |
| 141 |
++--EXPECT-- |
| 142 |
++int(1) |
| 143 |
++DONE |
| 144 |
+\ No newline at end of file |
| 145 |
+ |
| 146 |
+From ad08e8b3cecdde5d10038501c310494ba01a7aa8 Mon Sep 17 00:00:00 2001 |
| 147 |
+From: Remi Collet <remi@××××××××.net> |
| 148 |
+Date: Tue, 28 May 2019 07:28:46 +0200 |
| 149 |
+Subject: [PATCH 3/5] fix test output |
| 150 |
+ |
| 151 |
+(cherry picked from commit 4e0362c2c3b667e55fadee1029a626d63cb9a655) |
| 152 |
+--- |
| 153 |
+ ext/iconv/tests/bug78069.phpt | 5 +++-- |
| 154 |
+ 1 file changed, 3 insertions(+), 2 deletions(-) |
| 155 |
+ |
| 156 |
+diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt |
| 157 |
+index 1341a5ef4f..d2fcaf871e 100644 |
| 158 |
+--- a/ext/iconv/tests/bug78069.phpt |
| 159 |
++++ b/ext/iconv/tests/bug78069.phpt |
| 160 |
+@@ -10,6 +10,7 @@ $hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2 |
| 161 |
+ var_dump(count($hdr)); |
| 162 |
+ ?> |
| 163 |
+ DONE |
| 164 |
+---EXPECT-- |
| 165 |
++--EXPECTF-- |
| 166 |
++Notice: iconv_mime_decode_headers%s |
| 167 |
+ int(1) |
| 168 |
+-DONE |
| 169 |
+\ No newline at end of file |
| 170 |
++DONE |
| 171 |
+ |
| 172 |
+From 9e0574adfd9566ed6308291e4917b095a238fa79 Mon Sep 17 00:00:00 2001 |
| 173 |
+From: Stanislav Malyshev <stas@×××.net> |
| 174 |
+Date: Mon, 27 May 2019 17:16:29 -0700 |
| 175 |
+Subject: [PATCH 4/5] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16 |
| 176 |
+ |
| 177 |
+(cherry picked from commit 73ff4193be24192c894dc0502d06e2b2db35eefb) |
| 178 |
+--- |
| 179 |
+ NEWS | 14 ++++++++++++++ |
| 180 |
+ ext/exif/exif.c | 2 ++ |
| 181 |
+ ext/exif/tests/bug77988.jpg | Bin 0 -> 1202 bytes |
| 182 |
+ ext/exif/tests/bug77988.phpt | 11 +++++++++++ |
| 183 |
+ 4 files changed, 27 insertions(+) |
| 184 |
+ create mode 100644 ext/exif/tests/bug77988.jpg |
| 185 |
+ create mode 100644 ext/exif/tests/bug77988.phpt |
| 186 |
+ |
| 187 |
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c |
| 188 |
+index 15e091b6c5..b6c31773ab 100644 |
| 189 |
+--- a/ext/exif/exif.c |
| 190 |
++++ b/ext/exif/exif.c |
| 191 |
+@@ -3536,6 +3536,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC) |
| 192 |
+ if (c == 0xFF) |
| 193 |
+ return FALSE; |
| 194 |
+ marker = c; |
| 195 |
++ if (pos>=ImageInfo->Thumbnail.size) |
| 196 |
++ return FALSE; |
| 197 |
+ length = php_jpg_get16(data+pos); |
| 198 |
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { |
| 199 |
+ return FALSE; |
| 200 |
+diff --git a/ext/exif/tests/bug77988.phpt b/ext/exif/tests/bug77988.phpt |
| 201 |
+new file mode 100644 |
| 202 |
+index 0000000000..1632c8afaa |
| 203 |
+--- /dev/null |
| 204 |
++++ b/ext/exif/tests/bug77988.phpt |
| 205 |
+@@ -0,0 +1,11 @@ |
| 206 |
++--TEST-- |
| 207 |
++Bug #77988 (heap-buffer-overflow on php_jpg_get16) |
| 208 |
++--SKIPIF-- |
| 209 |
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> |
| 210 |
++--FILE-- |
| 211 |
++<?php |
| 212 |
++exif_read_data(__DIR__."/bug77988.jpg", 'COMMENT', FALSE, TRUE); |
| 213 |
++?> |
| 214 |
++DONE |
| 215 |
++--EXPECTF-- |
| 216 |
++DONE |
| 217 |
+\ No newline at end of file |
| 218 |
+ |
| 219 |
+From 7de8c0284cd9e237eb8a1faa9b41af1d3ef32ea9 Mon Sep 17 00:00:00 2001 |
| 220 |
+From: Stanislav Malyshev <stas@×××.net> |
| 221 |
+Date: Mon, 27 May 2019 18:04:00 -0700 |
| 222 |
+Subject: [PATCH 5/5] Fix bug #77967 - Bypassing open_basedir restrictions via |
| 223 |
+ file uris |
| 224 |
+ |
| 225 |
+(cherry picked from commit c34895e837b50213c2bb201c612904342d2bd216) |
| 226 |
+--- |
| 227 |
+ NEWS | 7 +++++-- |
| 228 |
+ ext/sqlite3/sqlite3.c | 9 +++++++++ |
| 229 |
+ 2 files changed, 14 insertions(+), 2 deletions(-) |
| 230 |
+ |
| 231 |
+diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c |
| 232 |
+index 761b777d06..7bf873ff69 100644 |
| 233 |
+--- a/ext/sqlite3/sqlite3.c |
| 234 |
++++ b/ext/sqlite3/sqlite3.c |
| 235 |
+@@ -2062,6 +2062,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar |
| 236 |
+ } |
| 237 |
+ #endif |
| 238 |
+ |
| 239 |
++ if (strncmp(arg3, "file:", 5) == 0) { |
| 240 |
++ /* starts with "file:" */ |
| 241 |
++ if (!arg3[5]) { |
| 242 |
++ return SQLITE_DENY; |
| 243 |
++ } |
| 244 |
++ if (php_check_open_basedir(arg3 + 5 TSRMLS_CC)) { |
| 245 |
++ return SQLITE_DENY; |
| 246 |
++ } |
| 247 |
++ } |
| 248 |
+ if (php_check_open_basedir(arg3 TSRMLS_CC)) { |
| 249 |
+ return SQLITE_DENY; |
| 250 |
+ } |
| 251 |
|
| 252 |
diff --git a/bug77540.jpg b/exif/bug77540.jpg |
| 253 |
similarity index 100% |
| 254 |
rename from bug77540.jpg |
| 255 |
rename to exif/bug77540.jpg |
| 256 |
|
| 257 |
diff --git a/bug77563.jpg b/exif/bug77563.jpg |
| 258 |
similarity index 100% |
| 259 |
rename from bug77563.jpg |
| 260 |
rename to exif/bug77563.jpg |
| 261 |
|
| 262 |
diff --git a/bug77753.tiff b/exif/bug77753.tiff |
| 263 |
similarity index 100% |
| 264 |
rename from bug77753.tiff |
| 265 |
rename to exif/bug77753.tiff |
| 266 |
|
| 267 |
diff --git a/bug77831.tiff b/exif/bug77831.tiff |
| 268 |
similarity index 100% |
| 269 |
rename from bug77831.tiff |
| 270 |
rename to exif/bug77831.tiff |
| 271 |
|
| 272 |
diff --git a/bug77950.tiff b/exif/bug77950.tiff |
| 273 |
similarity index 100% |
| 274 |
rename from bug77950.tiff |
| 275 |
rename to exif/bug77950.tiff |
| 276 |
|
| 277 |
diff --git a/exif/bug77988.jpg b/exif/bug77988.jpg |
| 278 |
new file mode 100644 |
| 279 |
index 0000000..120ff85 |
| 280 |
Binary files /dev/null and b/exif/bug77988.jpg differ |
| 281 |
|
| 282 |
diff --git a/iconv/bug78069.data b/iconv/bug78069.data |
| 283 |
new file mode 100644 |
| 284 |
index 0000000..ebd5d0b |
| 285 |
Binary files /dev/null and b/iconv/bug78069.data differ |
Archives