1 |
commit: 1869730d58f3d9cbfefa83bd47a94873a3b37989 |
2 |
Author: Brian Evans <grknight <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu May 30 18:03:56 2019 +0000 |
4 |
Commit: Brian Evans <grknight <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu May 30 18:03:56 2019 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/php-patches.git/commit/?id=1869730d |
7 |
|
8 |
Add backports from 7.1.30 |
9 |
|
10 |
Signed-off-by: Brian Evans <grknight <AT> gentoo.org> |
11 |
|
12 |
00180_June2019-backports.patch | 223 ++++++++++++++++++++++++++++++++++++ |
13 |
bug77540.jpg => exif/bug77540.jpg | Bin |
14 |
bug77563.jpg => exif/bug77563.jpg | Bin |
15 |
bug77753.tiff => exif/bug77753.tiff | Bin |
16 |
bug77831.tiff => exif/bug77831.tiff | Bin |
17 |
bug77950.tiff => exif/bug77950.tiff | Bin |
18 |
exif/bug77988.jpg | Bin 0 -> 1202 bytes |
19 |
iconv/bug78069.data | Bin 0 -> 107 bytes |
20 |
8 files changed, 223 insertions(+) |
21 |
|
22 |
diff --git a/00180_June2019-backports.patch b/00180_June2019-backports.patch |
23 |
new file mode 100644 |
24 |
index 0000000..0f0f55f |
25 |
--- /dev/null |
26 |
+++ b/00180_June2019-backports.patch |
27 |
@@ -0,0 +1,223 @@ |
28 |
+From fde7833378c023134aafd054efa023d40aa78858 Mon Sep 17 00:00:00 2001 |
29 |
+From: "Christoph M. Becker" <cmbecker69@×××.de> |
30 |
+Date: Mon, 6 May 2019 10:18:51 +0200 |
31 |
+Subject: [PATCH 1/5] Fix #77973: Uninitialized read in gdImageCreateFromXbm |
32 |
+ |
33 |
+We have to ensure that `sscanf()` does indeed read a hex value here, |
34 |
+and bail out otherwise. |
35 |
+ |
36 |
+(cherry picked from commit ed6dee9a198c904ad5e03113e58a2d2c200f5184) |
37 |
+--- |
38 |
+ ext/gd/libgd/xbm.c | 6 +++++- |
39 |
+ ext/gd/tests/bug77973.phpt | 26 ++++++++++++++++++++++++++ |
40 |
+ 2 files changed, 31 insertions(+), 1 deletion(-) |
41 |
+ create mode 100644 ext/gd/tests/bug77973.phpt |
42 |
+ |
43 |
+diff --git a/ext/gd/libgd/xbm.c b/ext/gd/libgd/xbm.c |
44 |
+index 503ac824bc..99931a5878 100644 |
45 |
+--- a/ext/gd/libgd/xbm.c |
46 |
++++ b/ext/gd/libgd/xbm.c |
47 |
+@@ -135,7 +135,11 @@ gdImagePtr gdImageCreateFromXbm(FILE * fd) |
48 |
+ } |
49 |
+ h[3] = ch; |
50 |
+ } |
51 |
+- sscanf(h, "%x", &b); |
52 |
++ if (sscanf(h, "%x", &b) != 1) { |
53 |
++ php_gd_error("invalid XBM"); |
54 |
++ gdImageDestroy(im); |
55 |
++ return 0; |
56 |
++ } |
57 |
+ for (bit = 1; bit <= max_bit; bit = bit << 1) { |
58 |
+ gdImageSetPixel(im, x++, y, (b & bit) ? 1 : 0); |
59 |
+ if (x == im->sx) { |
60 |
+diff --git a/ext/gd/tests/bug77973.phpt b/ext/gd/tests/bug77973.phpt |
61 |
+new file mode 100644 |
62 |
+index 0000000000..2545dbe128 |
63 |
+--- /dev/null |
64 |
++++ b/ext/gd/tests/bug77973.phpt |
65 |
+@@ -0,0 +1,26 @@ |
66 |
++--TEST-- |
67 |
++Bug #77973 (Uninitialized read in gdImageCreateFromXbm) |
68 |
++--SKIPIF-- |
69 |
++<?php |
70 |
++if (!extension_loaded('gd')) die("skip gd extension not available"); |
71 |
++if (!function_exists('imagecreatefromxbm')) die("skip imagecreatefromxbm not available"); |
72 |
++?> |
73 |
++--FILE-- |
74 |
++<?php |
75 |
++$contents = hex2bin("23646566696e6520776964746820320a23646566696e652068656967687420320a737461746963206368617220626974735b5d203d7b0a7a7a787a7a"); |
76 |
++$filepath = __DIR__ . '/bug77973.xbm'; |
77 |
++file_put_contents($filepath, $contents); |
78 |
++$im = imagecreatefromxbm($filepath); |
79 |
++var_dump($im); |
80 |
++?> |
81 |
++===DONE=== |
82 |
++--EXPECTF-- |
83 |
++Warning: imagecreatefromxbm(): invalid XBM in %s on line %d |
84 |
++ |
85 |
++Warning: imagecreatefromxbm(): '%s' is not a valid XBM file in %s on line %d |
86 |
++bool(false) |
87 |
++===DONE=== |
88 |
++--CLEAN-- |
89 |
++<?php |
90 |
++unlink(__DIR__ . '/bug77973.xbm'); |
91 |
++?> |
92 |
+ |
93 |
+From aabd02d6dd1eab180486cff933dc8d08d4297e38 Mon Sep 17 00:00:00 2001 |
94 |
+From: Stanislav Malyshev <stas@×××.net> |
95 |
+Date: Mon, 27 May 2019 16:32:42 -0700 |
96 |
+Subject: [PATCH 2/5] Fix bug #78069 - Out-of-bounds read in |
97 |
+ iconv.c:_php_iconv_mime_decode() due to integer overflow |
98 |
+ |
99 |
+(cherry picked from commit 7cf7148a8f8f4f55fb04de2a517d740bb6253eac) |
100 |
+--- |
101 |
+ ext/iconv/iconv.c | 4 +++- |
102 |
+ ext/iconv/tests/bug78069.data | Bin 0 -> 107 bytes |
103 |
+ ext/iconv/tests/bug78069.phpt | 15 +++++++++++++++ |
104 |
+ 3 files changed, 18 insertions(+), 1 deletion(-) |
105 |
+ create mode 100644 ext/iconv/tests/bug78069.data |
106 |
+ create mode 100644 ext/iconv/tests/bug78069.phpt |
107 |
+ |
108 |
+diff --git a/ext/iconv/iconv.c b/ext/iconv/iconv.c |
109 |
+index 335dbd17e9..bbc4b0f5e3 100644 |
110 |
+--- a/ext/iconv/iconv.c |
111 |
++++ b/ext/iconv/iconv.c |
112 |
+@@ -1645,7 +1645,9 @@ static php_iconv_err_t _php_iconv_mime_decode(smart_str *pretval, const char *st |
113 |
+ * we can do at this point. */ |
114 |
+ if (*(p1 + 1) == '=') { |
115 |
+ ++p1; |
116 |
+- --str_left; |
117 |
++ if (str_left > 1) { |
118 |
++ --str_left; |
119 |
++ } |
120 |
+ } |
121 |
+ |
122 |
+ err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl); |
123 |
+diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt |
124 |
+new file mode 100644 |
125 |
+index 0000000000..1341a5ef4f |
126 |
+--- /dev/null |
127 |
++++ b/ext/iconv/tests/bug78069.phpt |
128 |
+@@ -0,0 +1,15 @@ |
129 |
++--TEST-- |
130 |
++Bug #78069 (Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow) |
131 |
++--SKIPIF-- |
132 |
++<?php |
133 |
++if (!extension_loaded('iconv')) die('skip ext/iconv required'); |
134 |
++?> |
135 |
++--FILE-- |
136 |
++<?php |
137 |
++$hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2); |
138 |
++var_dump(count($hdr)); |
139 |
++?> |
140 |
++DONE |
141 |
++--EXPECT-- |
142 |
++int(1) |
143 |
++DONE |
144 |
+\ No newline at end of file |
145 |
+ |
146 |
+From ad08e8b3cecdde5d10038501c310494ba01a7aa8 Mon Sep 17 00:00:00 2001 |
147 |
+From: Remi Collet <remi@××××××××.net> |
148 |
+Date: Tue, 28 May 2019 07:28:46 +0200 |
149 |
+Subject: [PATCH 3/5] fix test output |
150 |
+ |
151 |
+(cherry picked from commit 4e0362c2c3b667e55fadee1029a626d63cb9a655) |
152 |
+--- |
153 |
+ ext/iconv/tests/bug78069.phpt | 5 +++-- |
154 |
+ 1 file changed, 3 insertions(+), 2 deletions(-) |
155 |
+ |
156 |
+diff --git a/ext/iconv/tests/bug78069.phpt b/ext/iconv/tests/bug78069.phpt |
157 |
+index 1341a5ef4f..d2fcaf871e 100644 |
158 |
+--- a/ext/iconv/tests/bug78069.phpt |
159 |
++++ b/ext/iconv/tests/bug78069.phpt |
160 |
+@@ -10,6 +10,7 @@ $hdr = iconv_mime_decode_headers(file_get_contents(__DIR__ . "/bug78069.data"),2 |
161 |
+ var_dump(count($hdr)); |
162 |
+ ?> |
163 |
+ DONE |
164 |
+---EXPECT-- |
165 |
++--EXPECTF-- |
166 |
++Notice: iconv_mime_decode_headers%s |
167 |
+ int(1) |
168 |
+-DONE |
169 |
+\ No newline at end of file |
170 |
++DONE |
171 |
+ |
172 |
+From 9e0574adfd9566ed6308291e4917b095a238fa79 Mon Sep 17 00:00:00 2001 |
173 |
+From: Stanislav Malyshev <stas@×××.net> |
174 |
+Date: Mon, 27 May 2019 17:16:29 -0700 |
175 |
+Subject: [PATCH 4/5] Fix bug #77988 - heap-buffer-overflow on php_jpg_get16 |
176 |
+ |
177 |
+(cherry picked from commit 73ff4193be24192c894dc0502d06e2b2db35eefb) |
178 |
+--- |
179 |
+ NEWS | 14 ++++++++++++++ |
180 |
+ ext/exif/exif.c | 2 ++ |
181 |
+ ext/exif/tests/bug77988.jpg | Bin 0 -> 1202 bytes |
182 |
+ ext/exif/tests/bug77988.phpt | 11 +++++++++++ |
183 |
+ 4 files changed, 27 insertions(+) |
184 |
+ create mode 100644 ext/exif/tests/bug77988.jpg |
185 |
+ create mode 100644 ext/exif/tests/bug77988.phpt |
186 |
+ |
187 |
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c |
188 |
+index 15e091b6c5..b6c31773ab 100644 |
189 |
+--- a/ext/exif/exif.c |
190 |
++++ b/ext/exif/exif.c |
191 |
+@@ -3536,6 +3536,8 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo TSRMLS_DC) |
192 |
+ if (c == 0xFF) |
193 |
+ return FALSE; |
194 |
+ marker = c; |
195 |
++ if (pos>=ImageInfo->Thumbnail.size) |
196 |
++ return FALSE; |
197 |
+ length = php_jpg_get16(data+pos); |
198 |
+ if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) { |
199 |
+ return FALSE; |
200 |
+diff --git a/ext/exif/tests/bug77988.phpt b/ext/exif/tests/bug77988.phpt |
201 |
+new file mode 100644 |
202 |
+index 0000000000..1632c8afaa |
203 |
+--- /dev/null |
204 |
++++ b/ext/exif/tests/bug77988.phpt |
205 |
+@@ -0,0 +1,11 @@ |
206 |
++--TEST-- |
207 |
++Bug #77988 (heap-buffer-overflow on php_jpg_get16) |
208 |
++--SKIPIF-- |
209 |
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?> |
210 |
++--FILE-- |
211 |
++<?php |
212 |
++exif_read_data(__DIR__."/bug77988.jpg", 'COMMENT', FALSE, TRUE); |
213 |
++?> |
214 |
++DONE |
215 |
++--EXPECTF-- |
216 |
++DONE |
217 |
+\ No newline at end of file |
218 |
+ |
219 |
+From 7de8c0284cd9e237eb8a1faa9b41af1d3ef32ea9 Mon Sep 17 00:00:00 2001 |
220 |
+From: Stanislav Malyshev <stas@×××.net> |
221 |
+Date: Mon, 27 May 2019 18:04:00 -0700 |
222 |
+Subject: [PATCH 5/5] Fix bug #77967 - Bypassing open_basedir restrictions via |
223 |
+ file uris |
224 |
+ |
225 |
+(cherry picked from commit c34895e837b50213c2bb201c612904342d2bd216) |
226 |
+--- |
227 |
+ NEWS | 7 +++++-- |
228 |
+ ext/sqlite3/sqlite3.c | 9 +++++++++ |
229 |
+ 2 files changed, 14 insertions(+), 2 deletions(-) |
230 |
+ |
231 |
+diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c |
232 |
+index 761b777d06..7bf873ff69 100644 |
233 |
+--- a/ext/sqlite3/sqlite3.c |
234 |
++++ b/ext/sqlite3/sqlite3.c |
235 |
+@@ -2062,6 +2062,15 @@ static int php_sqlite3_authorizer(void *autharg, int access_type, const char *ar |
236 |
+ } |
237 |
+ #endif |
238 |
+ |
239 |
++ if (strncmp(arg3, "file:", 5) == 0) { |
240 |
++ /* starts with "file:" */ |
241 |
++ if (!arg3[5]) { |
242 |
++ return SQLITE_DENY; |
243 |
++ } |
244 |
++ if (php_check_open_basedir(arg3 + 5 TSRMLS_CC)) { |
245 |
++ return SQLITE_DENY; |
246 |
++ } |
247 |
++ } |
248 |
+ if (php_check_open_basedir(arg3 TSRMLS_CC)) { |
249 |
+ return SQLITE_DENY; |
250 |
+ } |
251 |
|
252 |
diff --git a/bug77540.jpg b/exif/bug77540.jpg |
253 |
similarity index 100% |
254 |
rename from bug77540.jpg |
255 |
rename to exif/bug77540.jpg |
256 |
|
257 |
diff --git a/bug77563.jpg b/exif/bug77563.jpg |
258 |
similarity index 100% |
259 |
rename from bug77563.jpg |
260 |
rename to exif/bug77563.jpg |
261 |
|
262 |
diff --git a/bug77753.tiff b/exif/bug77753.tiff |
263 |
similarity index 100% |
264 |
rename from bug77753.tiff |
265 |
rename to exif/bug77753.tiff |
266 |
|
267 |
diff --git a/bug77831.tiff b/exif/bug77831.tiff |
268 |
similarity index 100% |
269 |
rename from bug77831.tiff |
270 |
rename to exif/bug77831.tiff |
271 |
|
272 |
diff --git a/bug77950.tiff b/exif/bug77950.tiff |
273 |
similarity index 100% |
274 |
rename from bug77950.tiff |
275 |
rename to exif/bug77950.tiff |
276 |
|
277 |
diff --git a/exif/bug77988.jpg b/exif/bug77988.jpg |
278 |
new file mode 100644 |
279 |
index 0000000..120ff85 |
280 |
Binary files /dev/null and b/exif/bug77988.jpg differ |
281 |
|
282 |
diff --git a/iconv/bug78069.data b/iconv/bug78069.data |
283 |
new file mode 100644 |
284 |
index 0000000..ebd5d0b |
285 |
Binary files /dev/null and b/iconv/bug78069.data differ |