Changed |
php5.changes
Changed |
php-5.2.17.spec
Added |
php-5.2.14-64-bit-post-large-files.patch
@@ -0,0 +1,122 @@
+diff -u -r old/main/rfc1867.c php5-5.2.10.dfsg.1/main/rfc1867.c
+--- old/main/rfc1867.c 2009-12-09 08:20:52.000000000 +0000
++++ php5-5.2.10.dfsg.1/main/rfc1867.c 2009-12-09 08:23:25.000000000 +0000
+@@ -765,7 +765,7 @@
+ {
+ char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ char *temp_filename = NULL, *lbuf = NULL, *abuf = NULL;
+- int boundary_len = 0, total_bytes = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++ long total_bytes = 0; int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
+ int max_file_size = 0, skip_upload = 0, anonindex = 0, is_anonymous;
+ zval *http_post_files = NULL;
+ HashTable *uploaded_files = NULL;
+diff -u -r old/main/SAPI.h php5-5.2.10.dfsg.1/main/SAPI.h
+--- old/main/SAPI.h 2008-12-31 11:17:47.000000000 +0000
++++ php5-5.2.10.dfsg.1/main/SAPI.h 2009-12-09 08:23:25.000000000 +0000
+@@ -80,7 +80,7 @@
+ char *post_data, *raw_post_data;
+ char *cookie_data;
+ long content_length;
+- uint post_data_length, raw_post_data_length;
++ uint IGNORE_post_data_length, IGNORE_raw_post_data_length;
+
+ char *path_translated;
+ char *request_uri;
+@@ -111,6 +111,7 @@
+ int argc;
+ char **argv;
+ int proto_num;
++ long post_data_length, raw_post_data_length;
+ } sapi_request_info;
+
+
+@@ -118,7 +119,7 @@
+ void *server_context;
+ sapi_request_info request_info;
+ sapi_headers_struct sapi_headers;
+- int read_post_bytes;
++ long read_post_bytes;
+ unsigned char headers_sent;
+ struct stat global_stat;
+ char *default_mimetype;
+diff -u -r old/sapi/apache/mod_php5.c php5-5.2.10.dfsg.1/sapi/apache/mod_php5.c
+--- old/sapi/apache/mod_php5.c 2009-12-09 08:20:51.000000000 +0000
++++ php5-5.2.10.dfsg.1/sapi/apache/mod_php5.c 2009-12-09 08:23:25.000000000 +0000
+@@ -511,7 +511,7 @@
+ SG(request_info).request_uri = r->uri;
+ SG(request_info).request_method = (char *)r->method;
+ SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
+- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+ SG(sapi_headers).http_response_code = r->status;
+ SG(request_info).proto_num = r->proto_num;
+
+diff -u -r old/sapi/apache2filter/sapi_apache2.c php5-5.2.10.dfsg.1/sapi/apache2filter/sapi_apache2.c
+--- old/sapi/apache2filter/sapi_apache2.c 2009-12-09 08:20:51.000000000 +0000
++++ php5-5.2.10.dfsg.1/sapi/apache2filter/sapi_apache2.c 2009-12-09 08:23:25.000000000 +0000
+@@ -402,7 +402,7 @@
+ efree(content_type);
+
+ content_length = (char *) apr_table_get(f->r->headers_in, "Content-Length");
+- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+
+ apr_table_unset(f->r->headers_out, "Content-Length");
+ apr_table_unset(f->r->headers_out, "Last-Modified");
+diff -u -r old/sapi/apache2handler/sapi_apache2.c php5-5.2.10.dfsg.1/sapi/apache2handler/sapi_apache2.c
+--- old/sapi/apache2handler/sapi_apache2.c 2009-12-09 08:20:51.000000000 +0000
++++ php5-5.2.10.dfsg.1/sapi/apache2handler/sapi_apache2.c 2009-12-09 08:23:25.000000000 +0000
+@@ -464,7 +464,7 @@
+ r->no_local_copy = 1;
+
+ content_length = (char *) apr_table_get(r->headers_in, "Content-Length");
+- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+
+ apr_table_unset(r->headers_out, "Content-Length");
+ apr_table_unset(r->headers_out, "Last-Modified");
+diff -u -r old/sapi/apache_hooks/mod_php5.c php5-5.2.10.dfsg.1/sapi/apache_hooks/mod_php5.c
+--- old/sapi/apache_hooks/mod_php5.c 2008-12-31 11:17:48.000000000 +0000
++++ php5-5.2.10.dfsg.1/sapi/apache_hooks/mod_php5.c 2009-12-09 08:23:25.000000000 +0000
+@@ -571,7 +571,7 @@
+ SG(request_info).request_method = (char *)r->method;
+ SG(request_info).proto_num = r->proto_num;
+ SG(request_info).content_type = (char *) table_get(r->subprocess_env, "CONTENT_TYPE");
+- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+ SG(sapi_headers).http_response_code = r->status;
+
+ if (r->headers_in) {
+diff -u -r old/sapi/cgi/cgi_main.c php5-5.2.10.dfsg.1/sapi/cgi/cgi_main.c
+--- old/sapi/cgi/cgi_main.c 2009-12-09 08:20:51.000000000 +0000
++++ php5-5.2.10.dfsg.1/sapi/cgi/cgi_main.c 2009-12-09 08:23:25.000000000 +0000
+@@ -469,7 +469,7 @@
+ {
+ int read_bytes=0, tmp_read_bytes;
+
+- count_bytes = MIN(count_bytes, (uint) SG(request_info).content_length - SG(read_post_bytes));
++ count_bytes = MIN(count_bytes, SG(request_info).content_length - SG(read_post_bytes));
+ while (read_bytes < count_bytes) {
+ #if PHP_FASTCGI
+ if (fcgi_is_fastcgi()) {
+@@ -1188,7 +1188,7 @@
+ /* FIXME - Work out proto_num here */
+ SG(request_info).query_string = sapi_cgibin_getenv("QUERY_STRING", sizeof("QUERY_STRING")-1 TSRMLS_CC);
+ SG(request_info).content_type = (content_type ? content_type : "" );
+- SG(request_info).content_length = (content_length ? atoi(content_length) : 0);
++ SG(request_info).content_length = (content_length ? atol(content_length) : 0);
+
+ /* The CGI RFC allows servers to pass on unvalidated Authorization data */
+ auth = sapi_cgibin_getenv("HTTP_AUTHORIZATION", sizeof("HTTP_AUTHORIZATION")-1 TSRMLS_CC);
+diff -ur php-5.2.14.orig/ext/suhosin/rfc1867.c php-5.2.14/ext/suhosin/rfc1867.c
+--- php-5.2.14.orig/ext/suhosin/rfc1867.c 2011-08-22 12:48:55.933908000 +0200
++++ php-5.2.14/ext/suhosin/rfc1867.c 2011-08-22 12:49:55.702561000 +0200
+@@ -771,7 +771,7 @@
+ {
+ char *boundary, *s=NULL, *boundary_end = NULL, *start_arr=NULL, *array_index=NULL;
+ char *temp_filename=NULL, *lbuf=NULL, *abuf=NULL;
+- int boundary_len=0, total_bytes=0, cancel_upload=0, is_arr_upload=0, array_len=0;
++ long total_bytes=0; int boundary_len=0, cancel_upload=0, is_arr_upload=0, array_len=0;
+ int max_file_size=0, skip_upload=0, anonindex=0, is_anonymous;
+ zval *http_post_files=NULL; HashTable *uploaded_files=NULL;
+ #if HAVE_MBSTRING && !defined(COMPILE_DL_MBSTRING)
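Review bot: In the sapi/cgi/cgi_main.c hunk at -469, removing the `(uint)` cast makes `SG(request_info).content_length - SG(read_post_bytes)` a signed `long`, so a negative Content-Length would now be selected by `MIN()` and, if `count_bytes` is unsigned as the removed cast suggests, become a very large read count for the loop that follows. None of the five `atoi`→`atol` hunks (both mod_php5.c files, both sapi_apache2.c files, cgi_main.c) rejects negative, non-numeric or out-of-range values; parsing with `strtol`, checking `errno` and the end pointer, and refusing values `< 0` before the assignment would close that. `long` is still 32 bits on ILP32 and LLP64 targets, so the larger limit only exists on LP64 builds, and the SAPI.h hunks change the layout of `sapi_request_info` and of the struct that embeds it, which presumably means every extension built against the old header has to be rebuilt. The enclosing functions start outside the hunks.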
Added |
php-5.2.14-CVE-2010-3709.patch
@@ -0,0 +1,14 @@
+Index: ext/zip/php_zip.c
+===================================================================
+--- ext/zip/php_zip.c.orig
++++ ext/zip/php_zip.c
+@@ -1829,6 +1829,9 @@ static ZIPARCHIVE_METHOD(getArchiveComme
+ }
+
+ comment = zip_get_archive_comment(intern, &comment_len, (int)flags);
++ if(comment==NULL) {
++ RETURN_FALSE;
++ }
+ RETURN_STRINGL((char *)comment, (long)comment_len, 1);
+ }
+ /* }}} */
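Review bot: The added `comment==NULL` guard carries no comment and no regression test, unlike several other CVE patches in this set that ship a .phpt. A line such as `/* no archive comment available: return false instead of handing NULL to RETURN_STRINGL */` above the check would record why it exists, and a test calling `getArchiveComment()` on an archive that presumably has no comment would pin it. `comment_len` is probably left unset on that path, so returning before it is read is the right order.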
Added |
php-5.2.14-CVE-2010-3710.patch
@@ -0,0 +1,37 @@
+Index: php-5.3.3/ext/filter/logical_filters.c
+===================================================================
+--- php-5.3.3.orig/ext/filter/logical_filters.c
++++ php-5.3.3/ext/filter/logical_filters.c
+@@ -530,6 +530,10 @@ void php_filter_validate_email(PHP_INPUT
+ int ovector[150]; /* Needs to be a multiple of 3 */
+ int matches;
+
++ /* The maximum length of an e-mail address is 320 octets, per RFC 2821. */
++ if (Z_STRLEN_P(value) > 320) {
++ RETURN_VALIDATION_FAILED
++ }
+
+ re = pcre_get_compiled_regex((char *)regexp, &pcre_extra, &preg_options TSRMLS_CC);
+ if (!re) {
+Index: php-5.3.3/ext/filter/tests/bug52929.phpt
+===================================================================
+--- /dev/null
++++ php-5.3.3/ext/filter/tests/bug52929.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #52929 (Segfault in filter_var with FILTER_VALIDATE_EMAIL with large amount of data)
++--SKIPIF--
++<?php if (!extension_loaded("filter")) die("skip"); ?>
++--FILE--
++<?php
++var_dump(filter_var('valid@email.address', FILTER_VALIDATE_EMAIL));
++// Beyond the allowable limit for an e-mail address.
++var_dump(filter_var('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx@yyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy.zz', FILTER_VALIDATE_EMAIL));
++// An invalid address likely to crash PHP due to stack exhaustion if it goes to
++// the validation regex.
++var_dump(filter_var(str_repeat('x', 8000), FILTER_VALIDATE_EMAIL));
++--EXPECT--
++string(19) "valid@email.address"
++bool(false)
++bool(false)
++
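Review bot: The 320-octet cap in `php_filter_validate_email` bounds the input before it reaches the validation regex, but inputs up to that length still go through the same expression, so this limits the recursion depth rather than removing it; whether 320 bytes stays below the stack limit on small-stack builds is not shown here. The literal `320` appears in both the comment and the condition; a named constant would keep them in step. The test covers one over-long address and 8000 bytes; cases at exactly 320 and 321 bytes would pin the boundary. The Index paths are php-5.3.3 while the patch file is named for 5.2.14, so the hunk offset should be checked against the tree it is applied to.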
Added |
php-5.2.14-CVE-2010-3870.patch
@@ -0,0 +1,192 @@
+Index: ext/xml/xml.c
+===================================================================
+--- ext/xml/xml.c.orig
++++ ext/xml/xml.c
+@@ -659,10 +659,111 @@ PHPAPI char *xml_utf8_encode(const char
+ }
+ /* }}} */
+
++/* copied from trunk's implementation of get_next_char in ext/standard/html.c */
++#define MB_FAILURE(pos, advance) do { \
++ *cursor = pos + (advance); \
++ *status = FAILURE; \
++ return 0; \
++} while (0)
++
++#define CHECK_LEN(pos, chars_need) ((str_len - (pos)) >= (chars_need))
++#define utf8_lead(c) ((c) < 0x80 || ((c) >= 0xC2 && (c) <= 0xF4))
++#define utf8_trail(c) ((c) >= 0x80 && (c) <= 0xBF)
++
++/* {{{ php_next_utf8_char
++ */
++static inline unsigned int php_next_utf8_char(
++ const unsigned char *str,
++ size_t str_len,
++ size_t *cursor,
++ int *status)
++{
++ size_t pos = *cursor;
++ unsigned int this_char = 0;
++ unsigned char c;
++
++ *status = SUCCESS;
++
++ if (!CHECK_LEN(pos, 1))
++ MB_FAILURE(pos, 1);
++
++ /* We'll follow strategy 2. from section 3.6.1 of UTR #36:
++ * "In a reported illegal byte sequence, do not include any
++ * non-initial byte that encodes a valid character or is a leading
++ * byte for a valid sequence.ยป */
++ c = str[pos];
++ if (c < 0x80) {
++ this_char = c;
++ pos++;
++ } else if (c < 0xc2) {
++ MB_FAILURE(pos, 1);
++ } else if (c < 0xe0) {
++ if (!CHECK_LEN(pos, 2))
++ MB_FAILURE(pos, 1);
++
++ if (!utf8_trail(str[pos + 1])) {
++ MB_FAILURE(pos, utf8_lead(str[pos + 1]) ? 1 : 2);
++ }
++ this_char = ((c & 0x1f) << 6) | (str[pos + 1] & 0x3f);
++ if (this_char < 0x80) { /* non-shortest form */
++ MB_FAILURE(pos, 2);
++ }
++ pos += 2;
++ } else if (c < 0xf0) {
++ size_t avail = str_len - pos;
++
++ if (avail < 3 ||
++ !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2])) {
++ if (avail < 2 || utf8_lead(str[pos + 1]))
++ MB_FAILURE(pos, 1);
++ else if (avail < 3 || utf8_lead(str[pos + 2]))
++ MB_FAILURE(pos, 2);
++ else
++ MB_FAILURE(pos, 3);
++ }
++
++ this_char = ((c & 0x0f) << 12) | ((str[pos + 1] & 0x3f) << 6) | (str[pos + 2] & 0x3f);
++ if (this_char < 0x800) { /* non-shortest form */
++ MB_FAILURE(pos, 3);
++ } else if (this_char >= 0xd800 && this_char <= 0xdfff) { /* surrogate */
++ MB_FAILURE(pos, 3);
++ }
++ pos += 3;
++ } else if (c < 0xf5) {
++ size_t avail = str_len - pos;
++
++ if (avail < 4 ||
++ !utf8_trail(str[pos + 1]) || !utf8_trail(str[pos + 2]) ||
++ !utf8_trail(str[pos + 3])) {
++ if (avail < 2 || utf8_lead(str[pos + 1]))
++ MB_FAILURE(pos, 1);
++ else if (avail < 3 || utf8_lead(str[pos + 2]))
++ MB_FAILURE(pos, 2);
++ else if (avail < 4 || utf8_lead(str[pos + 3]))
++ MB_FAILURE(pos, 3);
++ else
++ MB_FAILURE(pos, 4);
++ }
++
++ this_char = ((c & 0x07) << 18) | ((str[pos + 1] & 0x3f) << 12) | ((str[pos + 2] & 0x3f) << 6) | (str[pos + 3] & 0x3f);
++ if (this_char < 0x10000 || this_char > 0x10FFFF) { /* non-shortest form or outside range */
++ MB_FAILURE(pos, 4);
++ }
++ pos += 4;
++ } else {
++ MB_FAILURE(pos, 1);
++ }
++
++ *cursor = pos;
++ return this_char;
++}
++/* }}} */
++
++
+ /* {{{ xml_utf8_decode */
+ PHPAPI char *xml_utf8_decode(const XML_Char *s, int len, int *newlen, const XML_Char *encoding)
+ {
+- int pos = len;
++ size_t pos = 0;
+ char *newbuf = emalloc(len + 1);
+ unsigned int c;
+ char (*decoder)(unsigned short) = NULL;
+@@ -681,36 +782,15 @@ PHPAPI char *xml_utf8_decode(const XML_C
+ newbuf[*newlen] = '\0';
+ return newbuf;
+ }
+- while (pos > 0) {
+- c = (unsigned char)(*s);
+- if (c >= 0xf0) { /* four bytes encoded, 21 bits */
+- if(pos-4 >= 0) {
+- c = ((s[0]&7)<<18) | ((s[1]&63)<<12) | ((s[2]&63)<<6) | (s[3]&63);
+- } else {
+- c = '?';
+- }
+- s += 4;
+- pos -= 4;
+- } else if (c >= 0xe0) { /* three bytes encoded, 16 bits */
+- if(pos-3 >= 0) {
+- c = ((s[0]&63)<<12) | ((s[1]&63)<<6) | (s[2]&63);
+- } else {
+- c = '?';
+- }
+- s += 3;
+- pos -= 3;
+- } else if (c >= 0xc0) { /* two bytes encoded, 11 bits */
+- if(pos-2 >= 0) {
+- c = ((s[0]&63)<<6) | (s[1]&63);
+- } else {
+- c = '?';
+- }
+- s += 2;
+- pos -= 2;
+- } else {
+- s++;
+- pos--;
++
++ while (pos < (size_t)len) {
++ int status = FAILURE;
++ c = php_next_utf8_char((const unsigned char*)s, (size_t) len, &pos, &status);
++
++ if (status == FAILURE || c > 0xFFU) {
++ c = '?';
+ }
++
+ newbuf[*newlen] = decoder ? decoder(c) : c;
+ ++*newlen;
+ }
+Index: ext/xml/tests/bug49687.phpt
+===================================================================
+--- /dev/null
++++ ext/xml/tests/bug49687.phpt
+@@ -0,0 +1,25 @@
++--TEST--
++Bug #49687 Several utf8_decode deficiencies and vulnerabilities
++--SKIPIF--
++<?php
++require_once("skipif.inc");
++if (!extension_loaded('xml')) die ("skip xml extension not available");
++?>
++--FILE--
++<?php
++
++$tests = array(
++ "\x41\xC2\x3E\x42",
++ "\xE3\x80\x22",
++ "\x41\x98\xBA\x42\xE2\x98\x43\xE2\x98\xBA\xE2\x98",
++);
++foreach ($tests as $t) {
++ echo bin2hex(utf8_decode($t)), "\n";
++}
++echo "Done.\n";
++--EXPECT--
++413f3e42
++3f22
++413f3f423f433f3f
++Done.
++
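Review bot: `xml_utf8_decode` still takes `int len`, and the new loop condition `pos < (size_t)len` turns a negative length into a huge bound, where the removed `while (pos > 0)` simply did not iterate; `emalloc(len + 1)` would then be far smaller than what the loop writes. Callers probably never pass a negative value, but a guard before the allocation that treats `len < 0` as empty input keeps the old behaviour. The helper macros `MB_FAILURE`, `CHECK_LEN`, `utf8_lead` and `utf8_trail` stay defined for the rest of xml.c and silently depend on locals named `str_len`, `cursor` and `status`; `#undef` them after `php_next_utf8_char` and parenthesise `pos` inside `MB_FAILURE`. The body of `xml_utf8_decode` continues outside the hunk.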
Added |
php-5.2.14-CVE-2010-4150.patch
@@ -0,0 +1,16 @@
+--- ext/imap/php_imap.c 2010/11/02 17:44:23 305031
++++ ext/imap/php_imap.c 2010/11/02 17:50:39 305032
+@@ -794,10 +794,12 @@
+
+ if (IMAPG(imap_user)) {
+ efree(IMAPG(imap_user));
++ IMAPG(imap_user) = 0;
+ }
+
+ if (IMAPG(imap_password)) {
+ efree(IMAPG(imap_password));
++ IMAPG(imap_password) = 0;
+ }
+
+ /* local filename, need to perform open_basedir and safe_mode checks */
+
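Review bot: The two added resets assign `0` to pointers; `IMAPG(imap_user) = NULL;` and `IMAPG(imap_password) = NULL;` state the intent and match how a freed pointer is normally cleared. The password buffer is also released with `efree` without being overwritten first, so the clear text stays in the heap until the block is reused; zeroing it before the free would be a cheap hardening step if its length is known at this point. The enclosing function starts and ends outside the hunk.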
Added |
php-5.2.14-CVE-2010-4645.patch
@@ -0,0 +1,13 @@
+Index: php-5.3.3/Zend/zend_strtod.c
+===================================================================
+--- php-5.3.3.orig/Zend/zend_strtod.c
++++ php-5.3.3/Zend/zend_strtod.c
+@@ -2035,7 +2035,7 @@ ZEND_API double zend_strtod (CONST char
+ int bb2, bb5, bbe, bd2, bd5, bbbits, bs2, c, dsign,
+ e, e1, esign, i, j, k, nd, nd0, nf, nz, nz0, sign;
+ CONST char *s, *s0, *s1;
+- double aadj, aadj1, adj;
++ volatile double aadj, aadj1, adj;
+ volatile _double rv, rv0;
+ Long L;
+ ULong y, z;
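Review bot: The `volatile` added to `aadj, aadj1, adj` has no comment, so a later cleanup could remove it as redundant. As far as I know the qualifier is there to force these values through memory on x87 builds, where extended-precision registers can keep the correction loop in `zend_strtod` from converging; a line such as `/* volatile: keep these out of x87 extended-precision registers (CVE-2010-4645) */` above the declaration would preserve that reasoning. The Index paths are php-5.3.3 although the patch file is named for 5.2.14, so the offset should be verified against the target tree. The function body continues outside the hunk.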
Added |
php-5.2.14-CVE-2010-4697.patch
@@ -0,0 +1,83 @@
+Index: Zend/zend_object_handlers.c
+===================================================================
+--- Zend/zend_object_handlers.c.orig
++++ Zend/zend_object_handlers.c
+@@ -329,6 +329,9 @@ zval *zend_std_read_property(zval *objec
+ !guard->in_get) {
+ /* have getter - try with it! */
+ ZVAL_ADDREF(object);
++ if (PZVAL_IS_REF(object)) {
++ SEPARATE_ZVAL(&object);
++ }
+ guard->in_get = 1; /* prevent circular getting */
+ rv = zend_std_call_getter(object, member TSRMLS_CC);
+ guard->in_get = 0;
+@@ -418,22 +421,22 @@ static void zend_std_write_property(zval
+ }
+ }
+ } else {
+- int setter_done = 0;
+ zend_guard *guard;
+
+ if (zobj->ce->__set &&
+ zend_get_property_guard(zobj, property_info, member, &guard) == SUCCESS &&
+ !guard->in_set) {
+ ZVAL_ADDREF(object);
++ if (PZVAL_IS_REF(object)) {
++ SEPARATE_ZVAL(&object);
++ }
+ guard->in_set = 1; /* prevent circular setting */
+ if (zend_std_call_setter(object, member, value TSRMLS_CC) != SUCCESS) {
+ /* for now, just ignore it - __set should take care of warnings, etc. */
+ }
+- setter_done = 1;
+ guard->in_set = 0;
+ zval_ptr_dtor(&object);
+- }
+- if (!setter_done && property_info) {
++ } else if (property_info) {
+ zval **foo;
+
+ /* if we assign referenced variable, we should separate it */
+@@ -611,6 +614,9 @@ static void zend_std_unset_property(zval
+ !guard->in_unset) {
+ /* have unseter - try with it! */
+ ZVAL_ADDREF(object);
++ if (PZVAL_IS_REF(object)) {
++ SEPARATE_ZVAL(&object);
++ }
+ guard->in_unset = 1; /* prevent circular unsetting */
+ zend_std_call_unsetter(object, member TSRMLS_CC);
+ guard->in_unset = 0;
+@@ -1042,6 +1048,9 @@ static int zend_std_has_property(zval *o
+
+ /* have issetter - try with it! */
+ ZVAL_ADDREF(object);
++ if (PZVAL_IS_REF(object)) {
++ SEPARATE_ZVAL(&object);
++ }
+ guard->in_isset = 1; /* prevent circular getting */
+ rv = zend_std_call_issetter(object, member TSRMLS_CC);
+ if (rv) {
+Index: Zend/tests/bug52879.phpt
+===================================================================
+--- /dev/null
++++ Zend/tests/bug52879.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #52879 (Objects unreferenced in __get, __set, __isset or __unset can be freed too early)
++--FILE--
++<?php
++class MyClass {
++public $myRef;
++public function __set($property,$value) {
++$this->myRef = $value;
++}
++}
++$myGlobal=new MyClass($myGlobal);
++$myGlobal->myRef=&$myGlobal;
++$myGlobal->myNonExistentProperty="ok\n";
++echo $myGlobal;
++--EXPECT--
++ok
++
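Review bot: The same three lines, `if (PZVAL_IS_REF(object)) { SEPARATE_ZVAL(&object); }`, are added after `ZVAL_ADDREF(object)` in all four handlers with no comment saying why a reference has to be separated before the magic method runs. A short comment at the first occurrence in `zend_std_read_property` (presumably: the user handler may drop the last outside reference, so the call must work on a separated copy) would explain it for the other three as well. bug52879.phpt is titled for `__get`, `__set`, `__isset` and `__unset` but only exercises `__set`, so three of the four changed paths have no test. All four functions start and end outside their hunks.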
Added |
php-5.2.14-CVE-2010-4698.patch
@@ -0,0 +1,15 @@
+--- ext/gd/gd.c 2010/12/08 08:20:44 306074
++++ ext/gd/gd.c 2010/12/08 08:45:56 306075
+@@ -4228,6 +4228,11 @@
+ return;
+ }
+
++ if (aa_steps != 4 && aa_steps != 16) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Antialias steps must be 4 or 16");
++ RETURN_FALSE;
++ }
++
+ ZEND_FETCH_RESOURCE(bg_img, gdImagePtr, &img, -1, "Image", le_gd);
+ ZEND_FETCH_RESOURCE(f_ind, int *, &fnt, -1, "Type 1 font", le_ps_font);
+
+
Added |
php-5.2.14-CVE-2010-4699.patch
@@ -0,0 +1,98 @@
+Index: ext/iconv/iconv.c
+===================================================================
+--- ext/iconv/iconv.c.orig
++++ ext/iconv/iconv.c
+@@ -1457,16 +1457,43 @@ static php_iconv_err_t _php_iconv_mime_d
+
+ if (cd == (iconv_t)(-1)) {
+ if ((mode & PHP_ICONV_MIME_DECODE_CONTINUE_ON_ERROR)) {
++ /* Bad character set, but the user wants us to
++ * press on. In this case, we'll just insert the
++ * undecoded encoded word, since there isn't really
++ * a more sensible behaviour available; the only
++ * other options are to swallow the encoded word
++ * entirely or decode it with an arbitrarily chosen
++ * single byte encoding, both of which seem to have
++ * a higher WTF factor than leaving it undecoded.
++ *
++ * Given this approach, we need to skip ahead to
++ * the end of the encoded word. */
++ int qmarks = 2;
++ while (qmarks > 0 && str_left > 1) {
++ if (*(++p1) == '?') {
++ --qmarks;
++ }
++ --str_left;
++ }
++
++ /* Look ahead to check for the terminating = that
++ * should be there as well; if it's there, we'll
++ * also include that. If it's not, there isn't much
++ * we can do at this point. */
++ if (*(p1 + 1) == '=') {
++ ++p1;
++ --str_left;
++ }
++
+ err = _php_iconv_appendl(pretval, encoded_word, (size_t)((p1 + 1) - encoded_word), cd_pl);
+ if (err != PHP_ICONV_ERR_SUCCESS) {
+ goto out;
+ }
+- encoded_word = NULL;
+- if ((mode & PHP_ICONV_MIME_DECODE_STRICT)) {
+- scan_stat = 12;
+- } else {
+- scan_stat = 0;
+- }
++
++ /* Let's go back and see if there are further
++ * encoded words or bare content, and hope they
++ * might actually have a valid character set. */
++ scan_stat = 12;
+ break;
+ } else {
+ #if ICONV_SUPPORTS_ERRNO
+Index: ext/iconv/tests/bug52941.phpt
+===================================================================
+--- /dev/null
++++ ext/iconv/tests/bug52941.phpt
+@@ -0,0 +1,39 @@
++<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
++--FILE--
++<?php
++$headers = <<<HEADERS
++From: =?UTF-8?B?PGZvb0BleGFtcGxlLmNvbT4=?=
++Subject: =?ks_c_5601-1987?B?UkU6odk=?=
++X-Foo: =?ks_c_5601-1987?B?UkU6odk=?= Foo
++X-Bar: =?ks_c_5601-1987?B?UkU6odk=?= =?UTF-8?Q?Foo?=
++To: <test@example.com>
++HEADERS;
++
++$decoded = iconv_mime_decode_headers($headers, ICONV_MIME_DECODE_CONTINUE_ON_ERROR, 'UTF-8');
++
++var_dump($decoded['From']);
++var_dump($decoded['Subject']);
++var_dump($decoded['X-Foo']);
++var_dump($decoded['X-Bar']);
++var_dump($decoded['To']);
++
++$decoded = iconv_mime_decode_headers($headers, ICONV_MIME_DECODE_CONTINUE_ON_ERROR | ICONV_MIME_DECODE_STRICT, 'UTF-8');
++
++var_dump($decoded['From']);
++var_dump($decoded['Subject']);
++var_dump($decoded['X-Foo']);
++var_dump($decoded['X-Bar']);
++var_dump($decoded['To']);
++?>
++--EXPECT--
++string(17) "<foo@example.com>"
++string(29) "=?ks_c_5601-1987?B?UkU6odk=?="
++string(33) "=?ks_c_5601-1987?B?UkU6odk=?= Foo"
++string(32) "=?ks_c_5601-1987?B?UkU6odk=?=Foo"
++string(18) "<test@example.com>"
++string(17) "<foo@example.com>"
++string(29) "=?ks_c_5601-1987?B?UkU6odk=?="
++string(33) "=?ks_c_5601-1987?B?UkU6odk=?= Foo"
++string(32) "=?ks_c_5601-1987?B?UkU6odk=?=Foo"
++string(18) "<test@example.com>"
++
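Review bot: In the iconv.c hunk the look-ahead `if (*(p1 + 1) == '=')` is not guarded by `str_left`, while the loop just above it stops at `str_left > 1`; if that loop ran out of input, the read is of the byte after the last counted one and is only safe when the buffer is NUL-terminated. `if (str_left > 1 && *(p1 + 1) == '=')` makes the bound explicit. Separately, bug52941.phpt begins directly with the skip code and `--FILE--`; the `--TEST--` title and `--SKIPIF--` header that the other tests in this set have are missing, so the test harness will probably not accept it as written. The enclosing function starts and ends outside the hunk.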
Added |
php-5.2.14-CVE-2011-0421.patch
@@ -0,0 +1,14 @@
+--- ext/zip/lib/zip_name_locate.c 2011/01/30 22:16:39 307866
++++ ext/zip/lib/zip_name_locate.c 2011/01/30 22:28:57 307867
+@@ -60,6 +60,10 @@
+ return -1;
+ }
+
++ if((flags & ZIP_FL_UNCHANGED) && !za->cdir) {
++ return -1;
++ }
++
+ cmp = (flags & ZIP_FL_NOCASE) ? strcmpi : strcmp;
+
+ n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
+
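Review bot: The new guard returns -1 when `ZIP_FL_UNCHANGED` is set and `za->cdir` is NULL, but the hunk does not show it recording an error on the archive, so a caller cannot tell this case from an ordinary lookup miss. If the earlier `return -1` just above the visible context sets an error code, this branch should do the same. A comment such as `/* no central directory: nothing unchanged to search */` would also say why the check sits before `za->cdir->nentry` is read. The function starts and ends outside the hunk.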
Added |
php-5.2.14-CVE-2011-0708.patch
@@ -0,0 +1,55 @@
+Index: ext/exif/exif.c
+===================================================================
+--- ext/exif/exif.c.orig
++++ ext/exif/exif.c
+@@ -40,6 +40,10 @@
+ #include "php.h"
+ #include "ext/standard/file.h"
+
++#ifdef PHP_WIN32
++#include "win32/php_stdint.h"
++#endif
++
+ #if HAVE_EXIF
+
+ /* When EXIF_DEBUG is defined the module generates a lot of debug messages
+@@ -2821,6 +2825,7 @@ static int exif_process_IFD_TAG(image_in
+ int tag, format, components;
+ char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ size_t byte_count, offset_val, fpos, fgot;
++ int64_t byte_count_signed;
+ xp_field_type *tmp_xp;
+ #ifdef EXIF_DEBUG
+ char *dump_data;
+@@ -2845,13 +2850,20 @@ static int exif_process_IFD_TAG(image_in
+ /*return TRUE;*/
+ }
+
+- byte_count = components * php_tiff_bytes_per_format[format];
++ if (components < 0) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal components(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), components);
++ return FALSE;
++ }
+
+- if ((ssize_t)byte_count < 0) {
+- exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count(%ld)", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC), byte_count);
++ byte_count_signed = (int64_t)components * php_tiff_bytes_per_format[format];
++
++ if (byte_count_signed < 0 || (byte_count_signed > 2147483648)) {
++ exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Process tag(x%04X=%s): Illegal byte_count", tag, exif_get_tagname(tag, tagname, -12, tag_table TSRMLS_CC));
+ return FALSE;
+ }
+
++ byte_count = (size_t)byte_count_signed;
++
+ if (byte_count > 4) {
+ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+ /* If its bigger than 4 bytes, the dir entry contains an offset. */
+@@ -2916,6 +2928,7 @@ static int exif_process_IFD_TAG(image_in
+ efree(dump_data);
+ }
+ #endif
++
+ if (section_index==SECTION_THUMBNAIL) {
+ if (!ImageInfo->Thumbnail.data) {
+ switch(tag) {
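Review bot: The new `components < 0` warning passes `components`, declared `int` in the context lines of the second hunk, to a `%ld` conversion, which is a format/argument mismatch; use `%d` or cast the argument to `long`. The upper bound `byte_count_signed > 2147483648` also lets exactly 2^31 through, one more than a signed 32-bit value can hold; `> INT32_MAX` is probably what was meant, depending on how `byte_count` is used further down. `exif_process_IFD_TAG` starts and ends outside these hunks.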
Added |
php-5.2.14-CVE-2011-0752.patch
@@ -0,0 +1,17 @@
+Index: ext/standard/array.c
+===================================================================
+--- ext/standard/array.c.orig
++++ ext/standard/array.c
+@@ -1516,10 +1516,10 @@ PHP_FUNCTION(extract)
+
+ case EXTR_OVERWRITE:
+ /* GLOBALS protection */
+- if (var_exists && var_name_len == sizeof("GLOBALS") && !strcmp(var_name, "GLOBALS")) {
++ if (var_exists && var_name_len == sizeof("GLOBALS")-1 && !strcmp(var_name, "GLOBALS")) {
+ break;
+ }
+- if (var_exists && var_name_len == sizeof("this") && !strcmp(var_name, "this") && EG(scope) && EG(scope)->name_length != 0) {
++ if (var_exists && var_name_len == sizeof("this")-1 && !strcmp(var_name, "this") && EG(scope) && EG(scope)->name_length != 0) {
+ break;
+ }
+ smart_str_appendl(&final_name, var_name, var_name_len);
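Review bot: The corrected comparisons `sizeof("GLOBALS")-1` and `sizeof("this")-1` rely on `var_name_len` being a string length without the terminating NUL, which is easy to get wrong again because, as far as I know, hash key lengths elsewhere in this engine version include it; a comment such as `/* var_name_len excludes the trailing NUL here */` above the GLOBALS check would document that. The patch adds no test, so nothing pins that `extract()` with `EXTR_OVERWRITE` leaves `GLOBALS` and `this` alone. Only the `EXTR_OVERWRITE` case is visible; whether other cases reach this code is outside the hunk.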
Added |
php-5.2.14-CVE-2011-0753.patch
@@ -0,0 +1,87 @@
+Index: ext/pcntl/pcntl.c
+===================================================================
+--- ext/pcntl/pcntl.c.orig
++++ ext/pcntl/pcntl.c
+@@ -567,7 +567,7 @@ PHP_FUNCTION(pcntl_signal)
+ zend_hash_index_update(&PCNTL_G(php_signal_table), signo, (void **) &handle, sizeof(zval *), (void **) &dest_handle);
+ if (dest_handle) zval_add_ref(dest_handle);
+
+- if (php_signal(signo, pcntl_signal_handler, (int) restart_syscalls) == SIG_ERR) {
++ if (php_signal4(signo, pcntl_signal_handler, (int) restart_syscalls, 1) == SIG_ERR) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Error assigning signal");
+ RETURN_FALSE;
+ }
+@@ -682,11 +682,19 @@ void pcntl_tick_handler()
+ {
+ zval *param, **handle, *retval;
+ struct php_pcntl_pending_signal *queue, *next;
++ sigset_t mask;
++ sigset_t old_mask;
+ TSRMLS_FETCH();
++
++ /* Mask all signals */
++ sigfillset(&mask);
++ sigprocmask(SIG_BLOCK, &mask, &old_mask);
+
+ /* Bail if the queue is empty or if we are already playing the queue*/
+- if (! PCNTL_G(head) || PCNTL_G(processing_signal_queue))
++ if (! PCNTL_G(head) || PCNTL_G(processing_signal_queue)) {
++ sigprocmask(SIG_SETMASK, &old_mask, NULL);
+ return;
++ }
+
+ /* Prevent reentrant handler calls */
+ PCNTL_G(processing_signal_queue) = 1;
+@@ -718,6 +726,9 @@ void pcntl_tick_handler()
+
+ /* Re-enable queue */
+ PCNTL_G(processing_signal_queue) = 0;
++
++ /* return signal mask to previous state */
++ sigprocmask(SIG_SETMASK, &old_mask, NULL);
+ }
+
+
+Index: ext/pcntl/php_signal.c
+===================================================================
+--- ext/pcntl/php_signal.c.orig
++++ ext/pcntl/php_signal.c
+@@ -22,12 +22,16 @@
+
+ /* php_signal using sigaction is derrived from Advanced Programing
+ * in the Unix Environment by W. Richard Stevens p 298. */
+-Sigfunc *php_signal(int signo, Sigfunc *func, int restart)
++Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all)
+ {
+
+ struct sigaction act,oact;
+ act.sa_handler = func;
+- sigemptyset(&act.sa_mask);
++ if (mask_all) {
++ sigfillset(&act.sa_mask);
++ } else {
++ sigemptyset(&act.sa_mask);
++ }
+ act.sa_flags = 0;
+ if (signo == SIGALRM || (! restart)) {
+ #ifdef SA_INTERRUPT
+@@ -44,3 +48,8 @@ Sigfunc *php_signal(int signo, Sigfunc *
+ return oact.sa_handler;
+ }
+
++Sigfunc *php_signal(int signo, Sigfunc *func, int restart)
++{
++ return php_signal4(signo, func, restart, 0);
++}
++
+Index: ext/pcntl/php_signal.h
+===================================================================
+--- ext/pcntl/php_signal.h.orig
++++ ext/pcntl/php_signal.h
+@@ -24,5 +24,6 @@
+
+ typedef void Sigfunc(int);
+ Sigfunc *php_signal(int signo, Sigfunc *func, int restart);
++Sigfunc *php_signal4(int signo, Sigfunc *func, int restart, int mask_all);
+
+ #endif
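Review bot: `pcntl_tick_handler` now calls `sigprocmask()` three times and ignores every return value, and the `TSRMLS_FETCH()` in the same function suggests the file can be built thread-safe, where `sigprocmask` has unspecified behaviour and `pthread_sigmask` is the per-thread call. If the first call failed, `old_mask` would be restored uninitialised on both exit paths. The mask also stays in place while the queued handlers run (the code between the hunks is not shown), so every signal is deferred for as long as those callbacks take; that deserves a sentence next to `/* Mask all signals */`. `php_signal4` is declared in php_signal.h with no description of `mask_all`; a short doc comment there would help callers choose between it and `php_signal`.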
Added |
php-5.2.14-CVE-2011-0755.patch
@@ -0,0 +1,40 @@
+Index: ext/standard/tests/general_functions/bug46587.phpt
+===================================================================
+--- /dev/null
++++ ext/standard/tests/general_functions/bug46587.phpt
+@@ -0,0 +1,14 @@
++--TEST--
++Bug #46587 (mt_rand() does not check that max is greater than min).
++--FILE--
++<?php
++var_dump(mt_rand(3,8));
++var_dump(mt_rand(8,3));
++echo "Done.\n";
++?>
++--EXPECTF--
++int(%d)
++Warning: mt_rand(): max(3) is smaller than min(8) in %s on line %d
++bool(false)
++Done.
++
+Index: ext/standard/rand.c
+===================================================================
+--- ext/standard/rand.c.orig
++++ ext/standard/rand.c
+@@ -315,8 +315,14 @@ PHP_FUNCTION(mt_rand)
+ long number;
+ int argc = ZEND_NUM_ARGS();
+
+- if (argc != 0 && zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE)
+- return;
++ if (argc != 0) {
++ if (zend_parse_parameters(argc TSRMLS_CC, "ll", &min, &max) == FAILURE) {
++ return;
++ } else if (max < min) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "max(%ld) is smaller than min(%ld)", max, min);
++ RETURN_FALSE;
++ }
++ }
+
+ if (!BG(mt_rand_is_seeded)) {
+ php_mt_srand(GENERATE_SEED() TSRMLS_CC);
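Review bot: The `--EXPECTF--` section of bug46587.phpt puts `Warning: mt_rand(): …` directly after `int(%d)`, but PHP normally prints an empty line before a warning in CLI output, so the expectation probably needs a blank line between the two and the test would fail as written. The empty line at the end of the file may be that blank line in the wrong place. In rand.c the new `max < min` check covers only `mt_rand`; whether `rand()` in the same file has the same gap is outside the hunk.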
Added |
php-5.2.14-CVE-2011-1092.patch
@@ -0,0 +1,13 @@
+http://svn.php.net/viewvc/?view=revision&revision=309018
+--- ext/shmop/shmop.c 2011/03/08 12:58:22 309017
++++ ext/shmop/shmop.c 2011/03/08 13:11:14 309018
+@@ -256,7 +256,7 @@
+ RETURN_FALSE;
+ }
+
+- if (start + count > shmop->size || count < 0) {
++ if (count < 0 || start > (INT_MAX - count) || start + count > shmop->size) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "count is out of range");
+ RETURN_FALSE;
+ }
+
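Review bot: The rewritten condition needs `INT_MAX`, but the patch adds no `#include <limits.h>`, so it depends on another header pulling it in. If `start` has already been range-checked against `0` and `shmop->size` just above the hunk (the preceding `RETURN_FALSE` suggests an earlier check), the overflow-free form `if (count < 0 || count > shmop->size - start)` expresses the same bound without the extra constant. The warning text still says only "count is out of range" although the new middle clause also fires on a large `start`. The function starts and ends outside the hunk.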
Added |
php-5.2.14-CVE-2011-1148.patch
@@ -0,0 +1,160 @@
+--- ext/standard/string.c 2011/04/13 03:32:19 310193
++++ ext/standard/string.c 2011/04/13 06:32:41 310194
+@@ -2352,20 +2352,35 @@
+
+ zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
+ while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
+- convert_to_string_ex(tmp_str);
++ zval *orig_str;
++ zval dummy;
++ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++ dummy = **tmp_str;
++ orig_str = &dummy;
++ zval_copy_ctor(orig_str);
++ convert_to_string(orig_str);
++ } else {
++ orig_str = *tmp_str;
++ }
+
+ if (Z_TYPE_PP(from) == IS_ARRAY) {
+ if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
+- convert_to_long_ex(tmp_from);
++ if(Z_TYPE_PP(tmp_from) != IS_LONG) {
++ zval dummy = **tmp_from;
++ zval_copy_ctor(&dummy);
++ convert_to_long(&dummy);
++ f = Z_LVAL(dummy);
++ } else {
++ f = Z_LVAL_PP(tmp_from);
++ }
+
+- f = Z_LVAL_PP(tmp_from);
+ if (f < 0) {
+- f = Z_STRLEN_PP(tmp_str) + f;
++ f = Z_STRLEN_P(orig_str) + f;
+ if (f < 0) {
+ f = 0;
+ }
+- } else if (f > Z_STRLEN_PP(tmp_str)) {
+- f = Z_STRLEN_PP(tmp_str);
++ } else if (f > Z_STRLEN_P(orig_str)) {
++ f = Z_STRLEN_P(orig_str);
+ }
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
+ } else {
+@@ -2374,72 +2389,94 @@
+ } else {
+ f = Z_LVAL_PP(from);
+ if (f < 0) {
+- f = Z_STRLEN_PP(tmp_str) + f;
++ f = Z_STRLEN_P(orig_str) + f;
+ if (f < 0) {
+ f = 0;
+ }
+- } else if (f > Z_STRLEN_PP(tmp_str)) {
+- f = Z_STRLEN_PP(tmp_str);
++ } else if (f > Z_STRLEN_P(orig_str)) {
++ f = Z_STRLEN_P(orig_str);
+ }
+ }
+
+ if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
+ if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
+- convert_to_long_ex(tmp_len);
++ if(Z_TYPE_PP(tmp_len) != IS_LONG) {
++ zval dummy = **tmp_len;
++ zval_copy_ctor(&dummy);
++ convert_to_long(&dummy);
++ l = Z_LVAL(dummy);
++ } else {
++ l = Z_LVAL_PP(tmp_len);
++ }
+
+ l = Z_LVAL_PP(tmp_len);
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
+ } else {
+- l = Z_STRLEN_PP(tmp_str);
++ l = Z_STRLEN_P(orig_str);
+ }
+ } else if (argc > 3) {
+ l = Z_LVAL_PP(len);
+ } else {
+- l = Z_STRLEN_PP(tmp_str);
++ l = Z_STRLEN_P(orig_str);
+ }
+
+ if (l < 0) {
+- l = (Z_STRLEN_PP(tmp_str) - f) + l;
++ l = (Z_STRLEN_P(orig_str) - f) + l;
+ if (l < 0) {
+ l = 0;
+ }
+ }
+
+- if ((f + l) > Z_STRLEN_PP(tmp_str)) {
+- l = Z_STRLEN_PP(tmp_str) - f;
++ if ((f + l) > Z_STRLEN_P(orig_str)) {
++ l = Z_STRLEN_P(orig_str) - f;
+ }
+
+- result_len = Z_STRLEN_PP(tmp_str) - l;
++ result_len = Z_STRLEN_P(orig_str) - l;
+
+ if (Z_TYPE_PP(repl) == IS_ARRAY) {
+ if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
+- convert_to_string_ex(tmp_repl);
+- result_len += Z_STRLEN_PP(tmp_repl);
++ zval *repl_str;
++ zval zrepl;
++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++ zrepl = **tmp_repl;
++ repl_str = &zrepl;
++ zval_copy_ctor(repl_str);
++ convert_to_string(repl_str);
++ } else {
++ repl_str = *tmp_repl;
++ }
++
++ result_len += Z_STRLEN_P(repl_str);
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);
+ result = emalloc(result_len + 1);
+
+- memcpy(result, Z_STRVAL_PP(tmp_str), f);
+- memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
+- memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++ memcpy(result, Z_STRVAL_P(orig_str), f);
++ memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
++ memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
++ if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++ zval_dtor(repl_str);
++ }
+ } else {
+ result = emalloc(result_len + 1);
+
+- memcpy(result, Z_STRVAL_PP(tmp_str), f);
+- memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++ memcpy(result, Z_STRVAL_P(orig_str), f);
++ memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ }
+ } else {
+ result_len += Z_STRLEN_PP(repl);
+
+ result = emalloc(result_len + 1);
+
+- memcpy(result, Z_STRVAL_PP(tmp_str), f);
++ memcpy(result, Z_STRVAL_P(orig_str), f);
+ memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
+- memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++ memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ }
+
+ result[result_len] = '\0';
+ add_next_index_stringl(return_value, result, result_len, 0);
+-
++ if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++ zval_dtor(orig_str);
++ }
+ zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
+ } /*while*/
+ } /* if */
+
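Review bot: In the `tmp_len` branch of the second hunk the context line `l = Z_LVAL_PP(tmp_len);` is still present after the new `if (Z_TYPE_PP(tmp_len) != IS_LONG) { … } else { … }`, so the value just taken from the converted copy is overwritten with the raw long field of the unconverted zval; the matching line was removed in the `tmp_from` branch (`- f = Z_LVAL_PP(tmp_from);`) and should be removed here too. For a non-integer length element this reads the wrong union member and gives an arbitrary `l` to the length arithmetic that follows. The inner `zval dummy` declarations in the `from` and `len` branches also shadow the `dummy` declared at the top of the loop body; distinct names would avoid that. The loop and the function start outside the hunks.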
Added |
php-5.2.14-CVE-2011-1398,4388.patch
@@ -0,0 +1,42 @@
+Index: main/SAPI.c
+===================================================================
+--- main/SAPI.c.orig
++++ main/SAPI.c
+@@ -569,16 +569,27 @@ SAPI_API int sapi_header_op(sapi_header_
+
+ /* new line safety check */
+ {
+- char *s = header_line, *e = header_line + header_line_len, *p;
+- while (s < e && (p = memchr(s, '\n', (e - s)))) {
+- if (*(p + 1) == ' ' || *(p + 1) == '\t') {
+- s = p + 1;
+- continue;
+- }
+- efree(header_line);
+- sapi_module.sapi_error(E_WARNING, "Header may not contain more than a single header, new line detected.");
+- return FAILURE;
+- }
++ /* new line/NUL character safety check */
++ int i;
++ for (i = 0; i < header_line_len; i++) {
++ /* RFC 2616 allows new lines if followed by SP or HT */
++ int illegal_break =
++ (header_line[i+1] != ' ' && header_line[i+1] != '\t')
++ && (
++ header_line[i] == '\n'
++ || (header_line[i] == '\r' && header_line[i+1] != '\n'));
++ if (illegal_break) {
++ efree(header_line);
++ sapi_module.sapi_error(E_WARNING, "Header may not contain "
++ "more than a single header, new line detected");
++ return FAILURE;
++ }
++ if (header_line[i] == '\0') {
++ efree(header_line);
++ sapi_module.sapi_error(E_WARNING, "Header may not contain NUL bytes");
++ return FAILURE;
++ }
++ }
+ }
+
+ sapi_header.header = header_line;
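Review bot: The rewritten new-line check in sapi_header_op() still accepts a CR or LF that is followed by a space or tab, so a folded header line is passed on to the client. The comment cites the RFC 2616 folding rule for this, but some user agents treat a folded line as the start of a new header, so dropping the `header_line[i+1] != ' ' && header_line[i+1] != '\t'` term and rejecting every `\r` and `\n` would be the stricter rule. The loop also reads `header_line[i+1]` on its last iteration, which is in bounds only if the buffer carries a terminator at `header_line_len`. The allocation is outside the hunk, so a comment stating that assumption would help.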
Added |
php-5.2.14-CVE-2011-1464.patch
@@ -0,0 +1,69 @@
+http://svn.php.net/viewvc/?view=revision&revision=308525
+--- main/snprintf.c 2011/02/21 06:22:00 308524
++++ main/snprintf.c 2011/02/21 06:53:24 308525
+@@ -677,10 +677,6 @@
+
+ /*
+ * Check if a precision was specified
+- *
+- * XXX: an unreasonable amount of precision may be specified
+- * resulting in overflow of num_buf. Currently we
+- * ignore this possibility.
+ */
+ if (*fmt == '.') {
+ adjust_precision = YES;
+@@ -694,6 +690,10 @@
+ precision = 0;
+ } else
+ precision = 0;
++
++ if (precision > FORMAT_CONV_MAX_PRECISION) {
++ precision = FORMAT_CONV_MAX_PRECISION;
++ }
+ } else
+ adjust_precision = NO;
+ } else
+--- main/spprintf.c 2011/02/21 06:22:00 308524
++++ main/spprintf.c 2011/02/21 06:53:24 308525
+@@ -285,10 +285,6 @@
+
+ /*
+ * Check if a precision was specified
+- *
+- * XXX: an unreasonable amount of precision may be specified
+- * resulting in overflow of num_buf. Currently we
+- * ignore this possibility.
+ */
+ if (*fmt == '.') {
+ adjust_precision = YES;
+@@ -302,6 +298,10 @@
+ precision = 0;
+ } else
+ precision = 0;
++
++ if (precision > FORMAT_CONV_MAX_PRECISION) {
++ precision = FORMAT_CONV_MAX_PRECISION;
++ }
+ } else
+ adjust_precision = NO;
+ } else
+--- main/snprintf.h 2011/02/21 06:22:00 308524
++++ main/snprintf.h 2011/02/21 06:53:24 308525
+@@ -157,6 +157,17 @@
+
+ extern char * ap_php_conv_p2(register u_wide_int num, register int nbits,
+ char format, char *buf_end, register int *len);
++
++/* The maximum precision that's allowed for float conversion. Does not include
++ * decimal separator, exponent, sign, terminator. Currently does not affect
++ * the modes e/f, only g/k/H, as those have a different limit enforced at
++ * another level (see NDIG in php_conv_fp()).
++ * Applies to the formatting functions of both spprintf.c and snprintf.c, which
++ * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the
++ * call to php_gcvt().
++ * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9
++ * should be enough, but let's give some more space) */
++#define FORMAT_CONV_MAX_PRECISION 500
+
+ #endif /* SNPRINTF_H */
+
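Review bot: `FORMAT_CONV_MAX_PRECISION` is tied to the 512-byte conversion buffer only by the comment in snprintf.h, so nothing fails to compile if the buffer is ever resized below the cap. The comment calls the size `MAX_BUF_SIZE`, while the warning removed from snprintf.c and spprintf.c speaks of `num_buf`; the defining macro is outside these hunks, so the name should be checked against the source. Defining the cap relative to that macro, or adding a compile-time check next to the `#define`, would keep the two in step. The identical clamp is added to both files, so any later change has to be made twice.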
Added |
php-5.2.14-CVE-2011-1466.patch
@@ -0,0 +1,107 @@
+http://svn.php.net/viewvc/?view=revision&revision=306475
+http://svn.php.net/viewvc/?view=revision&revision=317360
+http://svn.php.net/viewvc/?view=revision&revision=317387
+
+Index: ext/calendar/gregor.c
+===================================================================
+--- ext/calendar/gregor.c.orig
++++ ext/calendar/gregor.c
+@@ -127,6 +127,7 @@
+ **************************************************************************/
+
+ #include "sdncal.h"
++#include <limits.h>
+
+ #define GREGOR_SDN_OFFSET 32045
+ #define DAYS_PER_5_MONTHS 153
+@@ -146,21 +147,12 @@ void SdnToGregorian(
+ long int temp;
+ int dayOfYear;
+
+- if (sdn <= 0) {
+- *pYear = 0;
+- *pMonth = 0;
+- *pDay = 0;
+- return;
++ if (sdn <= 0 ||
++ sdn > (LONG_MAX - 4 * GREGOR_SDN_OFFSET) / 4) {
++ goto fail;
+ }
+ temp = (sdn + GREGOR_SDN_OFFSET) * 4 - 1;
+
+- if (temp < 0) {
+- *pYear = 0;
+- *pMonth = 0;
+- *pDay = 0;
+- return;
+- }
+-
+ /* Calculate the century (year/100). */
+ century = temp / DAYS_PER_400_YEARS;
+
+@@ -190,6 +182,11 @@ void SdnToGregorian(
+ *pYear = year;
+ *pMonth = month;
+ *pDay = day;
++ return;
++fail:
++ *pYear = 0;
++ *pMonth = 0;
++ *pDay = 0;
+ }
+
+ long int GregorianToSdn(
+Index: ext/calendar/julian.c
+===================================================================
+--- ext/calendar/julian.c.orig
++++ ext/calendar/julian.c
+@@ -146,6 +146,7 @@
+ **************************************************************************/
+
+ #include "sdncal.h"
++#include <limits.h>
+
+ #define JULIAN_SDN_OFFSET 32083
+ #define DAYS_PER_5_MONTHS 153
+@@ -164,15 +165,22 @@ void SdnToJulian(
+ int dayOfYear;
+
+ if (sdn <= 0) {
+- *pYear = 0;
+- *pMonth = 0;
+- *pDay = 0;
+- return;
++ goto fail;
+ }
+- temp = (sdn + JULIAN_SDN_OFFSET) * 4 - 1;
++ /* Check for overflow */
++ if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4 || sdn < LONG_MIN / 4) {
++ goto fail;
++ }
++ temp = sdn * 4 + (JULIAN_SDN_OFFSET * 4 - 1);
+
+ /* Calculate the year and day of year (1 <= dayOfYear <= 366). */
+- year = temp / DAYS_PER_4_YEARS;
++ {
++ long yearl = temp / DAYS_PER_4_YEARS;
++ if (yearl > INT_MAX || yearl < INT_MIN) {
++ goto fail;
++ }
++ year = (int) yearl;
++ }
+ dayOfYear = (temp % DAYS_PER_4_YEARS) / 4 + 1;
+
+ /* Calculate the month and day of month. */
+@@ -196,6 +204,12 @@ void SdnToJulian(
+ *pYear = year;
+ *pMonth = month;
+ *pDay = day;
++ return;
++
++fail:
++ *pYear = 0;
++ *pMonth = 0;
++ *pDay = 0;
+ }
+
+ long int JulianToSdn(
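Review bot: In SdnToJulian() the added test `sdn < LONG_MIN / 4` can never be true, because the `sdn <= 0` check directly above it has already jumped to `fail`; the overflow guard can be reduced to `if (sdn > (LONG_MAX - JULIAN_SDN_OFFSET * 4 + 1) / 4) {`. SdnToGregorian() gets the matching upper bound on `sdn` but no counterpart to the `yearl` range check. If its year and century locals are `int` as well (their declarations are outside the hunk), a large `sdn` on a platform with a 64-bit `long` can still be narrowed silently. Both function bodies start and end outside the hunks shown.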
Added |
php-5.2.14-CVE-2011-1469.patch
@@ -0,0 +1,125 @@
+Index: ext/standard/ftp_fopen_wrapper.c
+===================================================================
+--- ext/standard/ftp_fopen_wrapper.c.orig
++++ ext/standard/ftp_fopen_wrapper.c
+@@ -72,6 +72,12 @@
+ #define FTPS_ENCRYPT_DATA 1
+ #define GET_FTP_RESULT(stream) get_ftp_result((stream), tmp_line, sizeof(tmp_line) TSRMLS_CC)
+
++typedef struct _php_ftp_dirstream_data {
++ php_stream *datastream;
++ php_stream *controlstream;
++ php_stream *dirstream;
++} php_ftp_dirstream_data;
++
+ /* {{{ get_ftp_result
+ */
+ static inline int get_ftp_result(php_stream *stream, char *buffer, size_t buffer_size TSRMLS_DC)
+@@ -97,14 +103,28 @@ static int php_stream_ftp_stream_stat(ph
+ */
+ static int php_stream_ftp_stream_close(php_stream_wrapper *wrapper, php_stream *stream TSRMLS_DC)
+ {
+- php_stream *controlstream = (php_stream *)stream->wrapperdata;
++ php_stream *controlstream = stream->wrapperthis;
++ int ret = 0;
+
+ if (controlstream) {
++ if (strpbrk(stream->mode, "wa+")) {
++ char tmp_line[512];
++ int result;
++
++ /* For write modes close data stream first to signal EOF to server */
++ result = GET_FTP_RESULT(controlstream);
++ if (result != 226 && result != 250) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "FTP server error %d:%s", result, tmp_line);
++ ret = EOF;
++ }
++ }
++
+ php_stream_write_string(controlstream, "QUIT\r\n");
+ php_stream_close(controlstream);
+- stream->wrapperdata = NULL;
++ stream->wrapperthis = NULL;
+ }
+- return 0;
++
++ return ret;
+ }
+ /* }}} */
+
+@@ -564,7 +584,7 @@ php_stream * php_stream_url_wrap_ftp(php
+ }
+
+ /* remember control stream */
+- datastream->wrapperdata = (zval *)stream;
++ datastream->wrapperthis = stream;
+
+ php_url_free(resource);
+ return datastream;
+@@ -588,11 +608,13 @@ errexit:
+ static size_t php_ftp_dirstream_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
+ {
+ php_stream_dirent *ent = (php_stream_dirent *)buf;
+- php_stream *innerstream = (php_stream *)stream->abstract;
++ php_stream *innerstream;
+ size_t tmp_len;
+ char *basename;
+ size_t basename_len;
+
++ innerstream = ((php_ftp_dirstream_data *)stream->abstract)->datastream;
++
+ if (count != sizeof(php_stream_dirent)) {
+ return 0;
+ }
+@@ -636,13 +658,18 @@ static size_t php_ftp_dirstream_read(php
+ */
+ static int php_ftp_dirstream_close(php_stream *stream, int close_handle TSRMLS_DC)
+ {
+- php_stream *innerstream = (php_stream *)stream->abstract;
++ php_ftp_dirstream_data *data = stream->abstract;
+
+- if (innerstream->wrapperdata) {
+- php_stream_close((php_stream *)innerstream->wrapperdata);
+- innerstream->wrapperdata = NULL;
+- }
+- php_stream_close((php_stream *)stream->abstract);
++ /* close control connection */
++ if (data->controlstream) {
++ php_stream_close(data->controlstream);
++ data->controlstream = NULL;
++ }
++ /* close data connection */
++ php_stream_close(data->datastream);
++ data->datastream = NULL;
++
++ efree(data);
+ stream->abstract = NULL;
+
+ return 0;
+@@ -668,6 +695,7 @@ static php_stream_ops php_ftp_dirstream_
+ php_stream * php_stream_ftp_opendir(php_stream_wrapper *wrapper, char *path, char *mode, int options, char **opened_path, php_stream_context *context STREAMS_DC TSRMLS_DC)
+ {
+ php_stream *stream, *reuseid, *datastream = NULL;
++ php_ftp_dirstream_data *dirsdata;
+ php_url *resource = NULL;
+ int result = 0, use_ssl, use_ssl_on_data = 0;
+ char *hoststart = NULL, tmp_line[512];
+@@ -727,11 +755,14 @@ php_stream * php_stream_ftp_opendir(php_
+ goto opendir_errexit;
+ }
+
+- /* remember control stream */
+- datastream->wrapperdata = (zval *)stream;
+-
+ php_url_free(resource);
+- return php_stream_alloc(&php_ftp_dirstream_ops, datastream, 0, mode);
++
++ dirsdata = emalloc(sizeof *dirsdata);
++ dirsdata->datastream = datastream;
++ dirsdata->controlstream = stream;
++ dirsdata->dirstream = php_stream_alloc(&php_ftp_dirstream_ops, dirsdata, 0, mode);
++
++ return dirsdata->dirstream;
+
+ opendir_errexit:
+ if (resource) {
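Review bot: In php_stream_ftp_stream_close() the new `tmp_line` buffer is handed to the warning as `%s` without being initialised locally. If get_ftp_result() can return without storing anything in the buffer, for example when the control connection is already gone (its body is outside the hunk), the message prints indeterminate data; `char tmp_line[512] = "";` removes the doubt. The comment above that call says the data stream is closed first, but no close appears in this branch, so it should say where that happens. php_ftp_dirstream_close() checks `data->controlstream` before closing it but closes `data->datastream` unconditionally; the opendir hunk suggests it is always set, which is worth stating in a comment.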
Added |
php-5.2.14-CVE-2011-1470.patch
@@ -0,0 +1,12 @@
+http://svn.php.net/viewvc/?view=revision&revision=306493
+--- ext/zip/zip_stream.c 2010/12/20 10:50:59 306492
++++ ext/zip/zip_stream.c 2010/12/20 11:00:27 306493
+@@ -216,6 +216,7 @@
+ self->stream = NULL;
+ self->cursor = 0;
+ stream = php_stream_alloc(&php_stream_zipio_ops, self, NULL, mode);
++ stream->orig_path = estrdup(path);
+ } else {
+ zip_close(stream_za);
+ }
+
Added |
php-5.2.14-CVE-2011-1471.patch
@@ -0,0 +1,35 @@
+http://svn.php.net/viewvc/?view=revision&revision=307917
+Index: ext/zip/zip_stream.c
+===================================================================
+--- ext/zip/zip_stream.c.orig
++++ ext/zip/zip_stream.c
+@@ -30,11 +30,11 @@ struct php_zip_stream_data_t {
+ /* {{{ php_zip_ops_read */
+ static size_t php_zip_ops_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
+ {
+- int n = 0;
++ ssize_t n = 0;
+ STREAM_DATA_FROM_STREAM();
+
+ if (self->za && self->zf) {
+- n = (size_t)zip_fread(self->zf, buf, (int)count);
++ n = zip_fread(self->zf, buf, count);
+ if (n < 0) {
+ int ze, se;
+ zip_file_error_get(self->zf, &ze, &se);
+@@ -42,13 +42,13 @@ static size_t php_zip_ops_read(php_strea
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Zip stream error: %s", zip_file_strerror(self->zf));
+ return 0;
+ }
+- if (n == 0 || n < count) {
++ if (n == 0 || n < (ssize_t)count) {
+ stream->eof = 1;
+ } else {
+ self->cursor += n;
+ }
+ }
+- return n<1 ? 0 : n;
++ return n<1 ? 0 : (size_t)n;
+ }
+ /* }}} */
+
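Review bot: The comparison `n < (ssize_t)count` in php_zip_ops_read() converts `count` to a signed type, which turns negative for a request larger than SSIZE_MAX and then never reports the short read. Since the `n < 0` case has already returned by that point, converting the other way is safe: `if (n == 0 || (size_t)n < count) {`. `count` is now also passed to zip_fread() without the `(int)` cast, so whether that parameter can hold a full `size_t` depends on the libzip prototype, which the hunk does not show.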
Added |
php-5.2.14-CVE-2011-1938.patch
@@ -0,0 +1,15 @@
+--- ext/sockets/sockets.c 2011/05/23 23:51:28 311368
++++ ext/sockets/sockets.c 2011/05/24 00:05:50 311369
+@@ -1336,6 +1336,11 @@
+ break;
+
+ case AF_UNIX:
++ if (addr_len >= sizeof(s_un.sun_path)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long", php_sock->type);
++ RETURN_FALSE;
++ }
++
+ memset(&s_un, 0, sizeof(struct sockaddr_un));
+
+ s_un.sun_family = AF_UNIX;
+
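Review bot: The added `php_error_docref()` call passes `php_sock->type` although the format string `"Path too long"` has no conversion to consume it. The extra argument is ignored at run time, but it trips format checking and suggests the message was meant to carry more detail; `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Path too long");` is enough. The `>=` comparison against `sizeof(s_un.sun_path)` leaves room for the terminator, assuming `addr_len` is the path length without it (its origin is outside the hunk).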
Added |
php-5.2.14-CVE-2011-2202.patch
@@ -0,0 +1,22 @@
+http://svn.php.net/viewvc?view=revision&revision=312103
+--- main/rfc1867.c 2011/06/12 15:03:18 312102
++++ main/rfc1867.c 2011/06/12 15:14:18 312103
+@@ -1223,7 +1223,7 @@
+ #endif
+
+ if (!is_anonymous) {
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ safe_php_register_variable(lbuf, s+1, strlen(s+1), NULL, 0 TSRMLS_CC);
+ } else {
+ safe_php_register_variable(lbuf, filename, strlen(filename), NULL, 0 TSRMLS_CC);
+@@ -1236,7 +1236,7 @@
+ } else {
+ snprintf(lbuf, llen, "%s[name]", param);
+ }
+- if (s && s > filename) {
++ if (s && s >= filename) {
+ register_http_post_files_variable(lbuf, s+1, http_post_files, 0 TSRMLS_CC);
+ } else {
+ register_http_post_files_variable(lbuf, filename, http_post_files, 0 TSRMLS_CC);
+
Added |
php-5.2.14-CVE-2011-3182.patch
@@ -0,0 +1,149 @@
+http://svn.php.net/viewvc?view=revision&revision=313826
+http://svn.php.net/viewvc?view=revision&revision=313827
+http://svn.php.net/viewvc?view=revision&revision=313828
+http://svn.php.net/viewvc?view=revision&revision=313830
+http://svn.php.net/viewvc?view=revision&revision=313831
+http://svn.php.net/viewvc?view=revision&revision=313832
+http://svn.php.net/viewvc?view=revision&revision=313833
+http://svn.php.net/viewvc?view=revision&revision=313835
+http://svn.php.net/viewvc?view=revision&revision=313903
+https://bugzilla.redhat.com/show_bug.cgi?id=732516
+Index: ext/curl/interface.c
+===================================================================
+--- ext/curl/interface.c.orig
++++ ext/curl/interface.c
+@@ -803,6 +803,9 @@ PHP_MINIT_FUNCTION(curl)
+ int i, c = CRYPTO_num_locks();
+
+ php_curl_openssl_tsl = malloc(c * sizeof(MUTEX_T));
++ if (!php_curl_openssl_tsl) {
++ return FAILURE;
++ }
+
+ for (i = 0; i < c; ++i) {
+ php_curl_openssl_tsl[i] = tsrm_mutex_alloc();
+Index: ext/com_dotnet/com_dotnet.c
+===================================================================
+--- ext/com_dotnet/com_dotnet.c.orig
++++ ext/com_dotnet/com_dotnet.c
+@@ -129,6 +129,9 @@ static HRESULT dotnet_init(char **p_wher
+ char *where = "";
+
+ stuff = malloc(sizeof(*stuff));
++ if (!stuff) {
++ return S_FALSE;
++ }
+ memset(stuff, 0, sizeof(*stuff));
+
+ where = "CoCreateInstance";
+Index: ext/pdo_odbc/pdo_odbc.c
+===================================================================
+--- ext/pdo_odbc/pdo_odbc.c.orig
++++ ext/pdo_odbc/pdo_odbc.c
+@@ -98,6 +98,9 @@ PHP_MINIT_FUNCTION(pdo_odbc)
+ char *instance = INI_STR("pdo_odbc.db2_instance_name");
+ if (instance) {
+ char *env = malloc(sizeof("DB2INSTANCE=") + strlen(instance));
++ if (!env) {
++ return FAILURE;
++ }
+ strcpy(env, "DB2INSTANCE=");
+ strcat(env, instance);
+ putenv(env);
+Index: ext/interbase/interbase.c
+===================================================================
+--- ext/interbase/interbase.c.orig
++++ ext/interbase/interbase.c
+@@ -998,9 +998,12 @@ static void _php_ibase_connect(INTERNAL_
+ ZEND_REGISTER_RESOURCE(return_value, ib_link, le_link);
+ } else {
+ zend_rsrc_list_entry new_le;
+-
++
+ ib_link = (ibase_db_link *) malloc(sizeof(ibase_db_link));
+-
++ if (!ib_link) {
++ RETURN_FALSE;
++ }
++
+ /* hash it up */
+ Z_TYPE(new_le) = le_plink;
+ new_le.ptr = ib_link;
+Index: ext/readline/readline.c
+===================================================================
+--- ext/readline/readline.c.orig
++++ ext/readline/readline.c
+@@ -465,6 +465,9 @@ static char **_readline_completion_cb(co
+ matches = rl_completion_matches(text,_readline_command_generator);
+ } else {
+ matches = malloc(sizeof(char *) * 2);
++ if (!matches) {
++ return NULL;
++ }
+ matches[0] = strdup("");
+ matches[1] = '\0';
+ }
+@@ -505,6 +508,10 @@ PHP_FUNCTION(readline_completion_functio
+ zval_copy_ctor(_readline_completion);
+
+ rl_attempted_completion_function = _readline_completion_cb;
++ if (rl_attempted_completion_function == NULL) {
++ efree(name);
++ RETURN_FALSE;
++ }
+
+ RETURN_TRUE;
+ }
+Index: ext/standard/url_scanner_ex.re
+===================================================================
+--- ext/standard/url_scanner_ex.re.orig
++++ ext/standard/url_scanner_ex.re
+@@ -55,9 +55,13 @@ static PHP_INI_MH(OnUpdateTags)
+
+ if (ctx->tags)
+ zend_hash_destroy(ctx->tags);
+- else
++ else {
+ ctx->tags = malloc(sizeof(HashTable));
+-
++ if (!ctx->tags) {
++ return FAILURE;
++ }
++ }
++
+ zend_hash_init(ctx->tags, 0, NULL, NULL, 1);
+
+ for (key = php_strtok_r(tmp, ",", &lasts);
+Index: ext/sybase_ct/php_sybase_ct.c
+===================================================================
+--- ext/sybase_ct/php_sybase_ct.c.orig
++++ ext/sybase_ct/php_sybase_ct.c
+@@ -777,6 +777,10 @@ static void php_sybase_do_connect(INTERN
+ }
+
+ sybase_ptr = (sybase_link *) malloc(sizeof(sybase_link));
++ if (!sybase_ptr) {
++ efree(hashed_details);
++ RETURN_FALSE;
++ }
+ if (!php_sybase_do_connect_internal(sybase_ptr, host, user, passwd, charset, appname TSRMLS_CC)) {
+ free(sybase_ptr);
+ efree(hashed_details);
+Index: ext/mssql/php_mssql.c
+===================================================================
+--- ext/mssql/php_mssql.c.orig
++++ ext/mssql/php_mssql.c
+@@ -685,6 +685,13 @@ static void php_mssql_do_connect(INTERNA
+
+ /* hash it up */
+ mssql_ptr = (mssql_link *) malloc(sizeof(mssql_link));
++ if (!mssql_ptr) {
++ efree(hashed_details);
++ dbfreelogin(mssql.login);
++ dbclose(mssql.link);
++ RETURN_FALSE;
++ }
++
+ memcpy(mssql_ptr, &mssql, sizeof(mssql_link));
+ Z_TYPE(new_le) = le_plink;
+ new_le.ptr = mssql_ptr;
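Review bot: The check added to readline_completion_function() tests `rl_attempted_completion_function == NULL` immediately after assigning it the address of `_readline_completion_cb`, so the branch is dead code and its `efree(name)` never runs. It can be dropped, leaving the assignment followed directly by `RETURN_TRUE;`. In `_readline_completion_cb()` the new malloc check is followed by an unchecked `strdup("")`, and `matches[1] = '\0'` stores a character constant where a null pointer is meant. In the interbase hunk `RETURN_FALSE` is taken without the kind of cleanup the mssql hunk performs with `dbfreelogin()` and `dbclose()`; whether a database handle is already open at that point lies outside the hunk.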
Added |
php-5.2.14-CVE-2011-4153.patch
@@ -0,0 +1,115 @@
+http://svn.php.net/viewvc?view=revision&revision=319442
+http://svn.php.net/viewvc?view=revision&revision=319453
+#-0-
+Zend/zend_builtin_functions.c
+#-1-
+ext/soap/php_sdl.c
+#-2-
+ext/standard/syslog.c
+#-3-
+ext/standard/browscap.c
+#-4-
+N/A
+#-5-
+N/A
+#-6-
+ext/session/mod_files.c
+ext/standard/file.c
+Index: Zend/zend_builtin_functions.c
+===================================================================
+--- Zend/zend_builtin_functions.c.orig
++++ Zend/zend_builtin_functions.c
+@@ -514,6 +514,9 @@ repeat:
+ }
+ c.flags = case_sensitive; /* non persistent */
+ c.name = zend_strndup(name, name_len);
++ if(c.name == NULL) {
++ RETURN_FALSE;
++ }
+ c.name_len = name_len+1;
+ c.module_number = PHP_USER_CONSTANT;
+ if (zend_register_constant(&c TSRMLS_CC) == SUCCESS) {
+Index: ext/standard/syslog.c
+===================================================================
+--- ext/standard/syslog.c.orig
++++ ext/standard/syslog.c
+@@ -236,6 +236,9 @@ PHP_FUNCTION(openlog)
+ free(BG(syslog_device));
+ }
+ BG(syslog_device) = zend_strndup(ident, ident_len);
++ if(BG(syslog_device) == NULL) {
++ RETURN_FALSE;
++ }
+ openlog(BG(syslog_device), option, facility);
+ RETURN_TRUE;
+ }
+Index: ext/soap/php_sdl.c
+===================================================================
+--- ext/soap/php_sdl.c.orig
++++ ext/soap/php_sdl.c
+@@ -147,6 +147,10 @@ encodePtr get_encoder(sdlPtr sdl, const
+ memcpy(new_enc, enc, sizeof(encode));
+ if (sdl->is_persistent) {
+ new_enc->details.ns = zend_strndup(ns, ns_len);
++ if (new_enc->details.ns == NULL) {
++ efree(nscat);
++ return NULL;
++ }
+ new_enc->details.type_str = strdup(new_enc->details.type_str);
+ } else {
+ new_enc->details.ns = estrndup(ns, ns_len);
+Index: ext/standard/file.c
+===================================================================
+--- ext/standard/file.c.orig
++++ ext/standard/file.c
+@@ -2565,7 +2565,12 @@ PHP_FUNCTION(fnmatch)
+ Returns directory path used for temporary files */
+ PHP_FUNCTION(sys_get_temp_dir)
+ {
+- RETURN_STRING((char *)php_get_temporary_directory(), 1);
++ char *tmp_dir;
++ tmp_dir = (char *)php_get_temporary_directory();
++ if (tmp_dir == NULL) {
++ return;
++ }
++ RETURN_STRING(tmp_dir, 1);
+ }
+ /* }}} */
+
+Index: ext/session/mod_files.c
+===================================================================
+--- ext/session/mod_files.c.orig
++++ ext/session/mod_files.c
+@@ -273,6 +273,9 @@ PS_OPEN_FUNC(files)
+ if (*save_path == '\0') {
+ /* if save path is an empty string, determine the temporary dir */
+ save_path = php_get_temporary_directory();
++ if (save_path == NULL) {
++ return FAILURE;
++ }
+
+ if (strcmp(save_path, "/tmp")) {
+ if (PG(safe_mode) && (!php_checkuid(save_path, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+Index: ext/standard/browscap.c
+===================================================================
+--- ext/standard/browscap.c.orig
++++ ext/standard/browscap.c
+@@ -103,10 +103,18 @@ static void php_browscap_parser_cb(zval
+ new_property = (zval *) pemalloc(sizeof(zval), 1);
+ INIT_PZVAL(new_property);
+ Z_STRVAL_P(new_property) = zend_strndup(Z_STRVAL_P(arg2), Z_STRLEN_P(arg2));
++ if (Z_STRVAL_P(new_property) == NULL) {
++ zend_error(E_CORE_ERROR, "Out of memory");
++ return;
++ }
+ Z_STRLEN_P(new_property) = Z_STRLEN_P(arg2);
+ Z_TYPE_P(new_property) = IS_STRING;
+
+ new_key = zend_strndup(Z_STRVAL_P(arg1), Z_STRLEN_P(arg1));
++ if (new_key == NULL) {
++ zend_error(E_CORE_ERROR, "Out of memory");
++ return;
++ }
+ zend_str_tolower(new_key, Z_STRLEN_P(arg1));
+ zend_hash_update(Z_ARRVAL_P(current_section), new_key, Z_STRLEN_P(arg1)+1, &new_property, sizeof(zval *), NULL);
+ free(new_key);
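Review bot: In the php_sdl.c hunk, get_encoder() frees `nscat` and returns NULL when zend_strndup() fails, but `new_enc`, which the line above has just filled with memcpy(), is not released on that path. Its allocation is outside the hunk, so the matching release call has to be chosen from there. The `strdup(new_enc->details.type_str)` on the following line is the same kind of allocation and is still unchecked. In sys_get_temp_dir() the bare `return;` leaves the return value untouched, so a comment saying what callers receive in that case would help.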
Added |
php-5.2.14-CVE-2011-4566.patch
@@ -0,0 +1,18 @@
+http://svn.php.net/viewvc/?view=revision&revision=319535
+--- ext/exif/exif.c 2011/11/19 04:41:03 319534
++++ ext/exif/exif.c 2011/11/19 04:49:36 319535
+@@ -2874,11 +2874,11 @@
+ offset_val = php_ifd_get32u(dir_entry+8, ImageInfo->motorola_intel);
+ /* If its bigger than 4 bytes, the dir entry contains an offset. */
+ value_ptr = offset_base+offset_val;
+- if (offset_val+byte_count > IFDlength || value_ptr < dir_entry) {
++ if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry) {
+ /* It is important to check for IMAGE_FILETYPE_TIFF
+ * JPEG does not use absolute pointers instead its pointers are
+ * relative to the start of the TIFF header in APP1 section. */
+- if (offset_val+byte_count>ImageInfo->FileSize || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
++ if (byte_count > ImageInfo->FileSize || offset_val>ImageInfo->FileSize-byte_count || (ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_II && ImageInfo->FileType!=IMAGE_FILETYPE_TIFF_MM && ImageInfo->FileType!=IMAGE_FILETYPE_JPEG)) {
+ if (value_ptr < dir_entry) {
+ /* we can read this if offset_val > 0 */
+ /* some files have their values in other parts of the file */
+
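Review bot: The rewritten bounds tests in exif.c need a comment saying why they are written as subtractions, since `byte_count > IFDlength || offset_val > IFDlength-byte_count` looks redundant next to the old `offset_val+byte_count > IFDlength`. Something like `/* compare by subtraction: offset_val + byte_count can wrap around */` above the first `if` would keep a later cleanup from folding it back. The form is sound only when `byte_count` cannot be negative; its declaration and any earlier range check are outside the hunk. `value_ptr = offset_base+offset_val` is still computed before the check, so it must not be dereferenced until the test has passed.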
Added |
php-5.2.14-CVE-2011-4885.patch
@@ -0,0 +1,98 @@
+http://svn.php.net/viewvc?view=revision&revision=321038
+http://svn.php.net/viewvc?view=revision&revision=321040
+http://svn.php.net/viewvc?view=revision&revision=321335
+Index: php.ini-dist
+===================================================================
+--- php.ini-dist.orig
++++ php.ini-dist
+@@ -255,6 +255,7 @@ expose_php = On
+ max_execution_time = 30 ; Maximum execution time of each script, in seconds
+ max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
+ ;max_input_nesting_level = 64 ; Maximum input variable nesting level
++;max_input_vars = 1000 ; How many GET/POST/COOKIE input variables may be accepted
+ memory_limit = 128M ; Maximum amount of memory a script may consume (128MB)
+
+
+Index: php.ini-recommended
+===================================================================
+--- php.ini-recommended.orig
++++ php.ini-recommended
+@@ -306,6 +306,7 @@ expose_php = On
+ max_execution_time = 30 ; Maximum execution time of each script, in seconds
+ max_input_time = 60 ; Maximum amount of time each script may spend parsing request data
+ ;max_input_nesting_level = 64 ; Maximum input variable nesting level
++;max_input_vars = 1000 ; How many GET/POST/COOKIE input variables may be accepted
+ memory_limit = 128M ; Maximum amount of memory a script may consume (128MB)
+
+
+Index: main/main.c
+===================================================================
+--- main/main.c.orig
++++ main/main.c
+@@ -439,6 +439,7 @@ PHP_INI_BEGIN()
+ STD_PHP_INI_ENTRY("post_max_size", "8M", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLong, post_max_size, sapi_globals_struct,sapi_globals)
+ STD_PHP_INI_ENTRY("upload_tmp_dir", NULL, PHP_INI_SYSTEM, OnUpdateStringUnempty, upload_tmp_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("max_input_nesting_level", "64", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_nesting_level, php_core_globals, core_globals)
++ STD_PHP_INI_ENTRY("max_input_vars", "1000", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateLongGEZero, max_input_vars, php_core_globals, core_globals)
+
+ STD_PHP_INI_ENTRY("user_dir", NULL, PHP_INI_SYSTEM, OnUpdateString, user_dir, php_core_globals, core_globals)
+ STD_PHP_INI_ENTRY("variables_order", "EGPCS", PHP_INI_SYSTEM|PHP_INI_PERDIR, OnUpdateStringUnempty, variables_order, php_core_globals, core_globals)
+Index: main/php_globals.h
+===================================================================
+--- main/php_globals.h.orig
++++ main/php_globals.h
+@@ -162,6 +162,8 @@ struct _php_core_globals {
+ long max_input_nesting_level;
+ zend_bool in_user_include;
+ zend_bool in_error_log;
++
++ long max_input_vars;
+ };
+
+
+Index: main/php_variables.c
+===================================================================
+--- main/php_variables.c.orig
++++ main/php_variables.c
+@@ -29,6 +29,7 @@
+ #include "SAPI.h"
+ #include "php_logos.h"
+ #include "zend_globals.h"
++#include "zend_ini.h"
+
+ /* for systems that need to override reading of environment variables */
+ void _php_import_environment_variables(zval *array_ptr TSRMLS_DC);
+@@ -187,9 +188,14 @@ PHPAPI void php_register_variable_ex(cha
+ }
+ if (zend_symtable_find(symtable1, escaped_index, index_len + 1, (void **) &gpc_element_p) == FAILURE
+ || Z_TYPE_PP(gpc_element_p) != IS_ARRAY) {
+- MAKE_STD_ZVAL(gpc_element);
+- array_init(gpc_element);
+- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
++ MAKE_STD_ZVAL(gpc_element);
++ array_init(gpc_element);
++ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ }
+ }
+ if (index != escaped_index) {
+ efree(escaped_index);
+@@ -232,7 +238,14 @@ plain_var:
+ zend_symtable_exists(symtable1, escaped_index, index_len + 1)) {
+ zval_ptr_dtor(&gpc_element);
+ } else {
+- zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ if (zend_hash_num_elements(symtable1) <= PG(max_input_vars)) {
++ if (zend_hash_num_elements(symtable1) == PG(max_input_vars)) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
++ }
++ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ } else {
++ zval_ptr_dtor(&gpc_element);
++ }
+ }
+ if (escaped_index != index) {
+ efree(escaped_index);
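Review bot: In the first php_variables.c hunk, when the table already holds more than `max_input_vars` entries no array is created and `gpc_element_p` stays as the failed or non-array lookup left it, with no `else` branch. The code after the hunk is not shown, but if it goes on to treat `*gpc_element_p` as the array to descend into, it works on a stale or wrongly typed value for exactly the input the limit was meant to reject. The second hunk handles the same case with `} else { zval_ptr_dtor(&gpc_element); }`; the first needs an `else` that releases what the function holds and returns. Both hunks also test `<=` and emit the warning at `==` while still inserting, so the table can reach `max_input_vars + 1` entries; testing `<` and warning in the `else` would enforce the stated limit.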
Added |
php-5.2.14-CVE-2012-0057.patch
@@ -0,0 +1,153 @@
+http://svn.php.net/viewvc/?view=revision&revision=317759
+http://svn.php.net/viewvc/?view=revision&revision=317801
+http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=658088#22
+Index: ext/xsl/xsltprocessor.c
+===================================================================
+--- ext/xsl/xsltprocessor.c.orig
++++ ext/xsl/xsltprocessor.c
+@@ -26,6 +26,7 @@
+ #include "php.h"
+ #include "php_xsl.h"
+ #include "ext/libxml/php_libxml.h"
++#include "zend_ini.h"
+
+ /* {{{ arginfo */
+ static
+@@ -478,6 +479,9 @@ static xmlDocPtr php_xsl_apply_styleshee
+ int clone;
+ zval *doXInclude, *member;
+ zend_object_handlers *std_hnd;
++ int secPrefsError = 0;
++ int secPrefsIni;
++ xsltSecurityPrefsPtr secPrefs = NULL;
+
+ node = php_libxml_import_node(docp TSRMLS_CC);
+
+@@ -523,9 +527,52 @@ static xmlDocPtr php_xsl_apply_styleshee
+ }
+ efree(member);
+
+- newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, NULL, ctxt);
++ secPrefsIni = INI_INT("xsl.security_prefs");
++
++ //if securityPrefs is set to NONE, we don't have to do any checks, but otherwise...
++ if (secPrefsIni != XSL_SECPREF_NONE) {
++ secPrefs = xsltNewSecurityPrefs();
++ if (secPrefsIni & XSL_SECPREF_READ_FILE ) {
++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_FILE, xsltSecurityForbid)) {
++ secPrefsError = 1;
++ }
++ }
++ if (secPrefsIni & XSL_SECPREF_WRITE_FILE ) {
++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_FILE, xsltSecurityForbid)) {
++ secPrefsError = 1;
++ }
++ }
++ if (secPrefsIni & XSL_SECPREF_CREATE_DIRECTORY ) {
++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_CREATE_DIRECTORY, xsltSecurityForbid)) {
++ secPrefsError = 1;
++ }
++ }
++ if (secPrefsIni & XSL_SECPREF_READ_NETWORK) {
++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_READ_NETWORK, xsltSecurityForbid)) {
++ secPrefsError = 1;
++ }
++ }
++ if (secPrefsIni & XSL_SECPREF_WRITE_NETWORK) {
++ if (0 != xsltSetSecurityPrefs(secPrefs, XSLT_SECPREF_WRITE_NETWORK, xsltSecurityForbid)) {
++ secPrefsError = 1;
++ }
++ }
++
++ if (0 != xsltSetCtxtSecurityPrefs(secPrefs, ctxt)) {
++ secPrefsError = 1;
++ }
++ }
++
++ if (secPrefsError == 1) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Can't set libxslt security properties, not doing transformation for security reasons");
++ } else {
++ newdocp = xsltApplyStylesheetUser(style, doc, (const char**) params, NULL, NULL, ctxt);
++ }
+
+ xsltFreeTransformContext(ctxt);
++ if (secPrefs) {
++ xsltFreeSecurityPrefs(secPrefs);
++ }
+
+ if (intern->node_list != NULL) {
+ zend_hash_destroy(intern->node_list);
+Index: ext/xsl/php_xsl.h
+===================================================================
+--- ext/xsl/php_xsl.h.orig
++++ ext/xsl/php_xsl.h
+@@ -38,6 +38,7 @@ extern zend_module_entry xsl_module_entr
+ #include <libxslt/xsltInternals.h>
+ #include <libxslt/xsltutils.h>
+ #include <libxslt/transform.h>
++#include <libxslt/security.h>
+ #if HAVE_XSL_EXSLT
+ #include <libexslt/exslt.h>
+ #include <libexslt/exsltconfig.h>
+@@ -49,6 +50,13 @@ extern zend_module_entry xsl_module_entr
+ #include <libxslt/extensions.h>
+ #include <libxml/xpathInternals.h>
+
++#define XSL_SECPREF_NONE 0
++#define XSL_SECPREF_READ_FILE 2
++#define XSL_SECPREF_WRITE_FILE 4
++#define XSL_SECPREF_CREATE_DIRECTORY 8
++#define XSL_SECPREF_READ_NETWORK 16
++#define XSL_SECPREF_WRITE_NETWORK 32
++
+ typedef struct _xsl_object {
+ zend_object std;
+ void *ptr;
+Index: ext/xsl/php_xsl.c
+===================================================================
+--- ext/xsl/php_xsl.c.orig
++++ ext/xsl/php_xsl.c
+@@ -137,6 +137,11 @@ zend_object_value xsl_objects_new(zend_c
+ }
+ /* }}} */
+
++PHP_INI_BEGIN()
++//XSL_SECPREF_CREATE_DIRECTORY | XSL_SECPREF_WRITE_NETWORK |ร XSL_SECPREF_WRITE_FILE == 44
++PHP_INI_ENTRY("xsl.security_prefs", "44", PHP_INI_ALL, NULL)
++PHP_INI_END()
++
+ /* {{{ PHP_MINIT_FUNCTION
+ */
+ PHP_MINIT_FUNCTION(xsl)
+@@ -163,6 +168,13 @@ PHP_MINIT_FUNCTION(xsl)
+ REGISTER_LONG_CONSTANT("XSL_CLONE_NEVER", -1, CONST_CS | CONST_PERSISTENT);
+ REGISTER_LONG_CONSTANT("XSL_CLONE_ALWAYS", 1, CONST_CS | CONST_PERSISTENT);
+
++ REGISTER_LONG_CONSTANT("XSL_SECPREF_NONE", XSL_SECPREF_NONE, CONST_CS | CONST_PERSISTENT);
++ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_FILE", XSL_SECPREF_READ_FILE, CONST_CS | CONST_PERSISTENT);
++ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_FILE", XSL_SECPREF_WRITE_FILE, CONST_CS | CONST_PERSISTENT);
++ REGISTER_LONG_CONSTANT("XSL_SECPREF_CREATE_DIRECTORY", XSL_SECPREF_CREATE_DIRECTORY, CONST_CS | CONST_PERSISTENT);
++ REGISTER_LONG_CONSTANT("XSL_SECPREF_READ_NETWORK", XSL_SECPREF_READ_NETWORK, CONST_CS | CONST_PERSISTENT);
++ REGISTER_LONG_CONSTANT("XSL_SECPREF_WRITE_NETWORK", XSL_SECPREF_WRITE_NETWORK, CONST_CS | CONST_PERSISTENT);
++
+ REGISTER_LONG_CONSTANT("LIBXSLT_VERSION", LIBXSLT_VERSION, CONST_CS | CONST_PERSISTENT);
+ REGISTER_STRING_CONSTANT("LIBXSLT_DOTTED_VERSION", LIBXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
+
+@@ -171,6 +183,8 @@ PHP_MINIT_FUNCTION(xsl)
+ REGISTER_STRING_CONSTANT("LIBEXSLT_DOTTED_VERSION", LIBEXSLT_DOTTED_VERSION, CONST_CS | CONST_PERSISTENT);
+ #endif
+
++ REGISTER_INI_ENTRIES();
++
+ return SUCCESS;
+ }
+ /* }}} */
+@@ -257,6 +271,8 @@ PHP_MSHUTDOWN_FUNCTION(xsl)
+
+ xsltCleanupGlobals();
+
++ UNREGISTER_INI_ENTRIES();
++
+ return SUCCESS;
+ }
+ /* }}} */
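Review bot: When `secPrefsError` is set in php_xsl_apply_stylesheet(), xsltApplyStylesheetUser() is skipped and nothing assigns `newdocp`. Its declaration is outside the hunk; unless it is initialised to NULL there, the function continues with an indeterminate pointer, so the warning branch should set `newdocp = NULL;`. The result of `xsltNewSecurityPrefs()` is not checked either, so a NULL there is caught only indirectly through the later setter calls. The default of `"44"` is registered as `PHP_INI_ALL`, so a script can relax it at run time, and it leaves the two read preferences allowed; both facts are worth stating in the comment above the entry.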
Added |
php-5.2.14-CVE-2012-0781.patch
@@ -0,0 +1,13 @@
+http://svn.php.net/viewvc?view=revision&revision=319254
+--- ext/tidy/tidy.c 2011/11/15 14:20:13 319253
++++ ext/tidy/tidy.c 2011/11/15 15:16:20 319254
+@@ -1288,7 +1288,7 @@
+ {
+ TIDY_FETCH_OBJECT;
+
+- if (tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
++ if (tidyStatus(obj->ptdoc->doc) != 0 && tidyRunDiagnostics(obj->ptdoc->doc) >= 0) {
+ tidy_doc_update_properties(obj TSRMLS_CC);
+ RETURN_TRUE;
+ }
+
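Review bot: The added `tidyStatus(obj->ptdoc->doc) != 0` guard has no comment, and the hunk does not show why diagnostics are skipped when the status is zero. As far as I know tidyStatus() reports 0 both when nothing has been parsed yet and after a parse with no warnings or errors. If so, a cleanly parsed document presumably now falls through to the failure return as well, which is worth confirming as intended. I would put `/* do not run diagnostics on a document that was never parsed; note that status 0 also covers a clean parse */` above the condition. The enclosing function starts and ends outside the hunk.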
Added |
php-5.2.14-CVE-2012-0788.patch
@@ -0,0 +1,32 @@
+http://svn.php.net/viewvc/?view=revision&revision=317272
+--- ext/pdo/pdo_stmt.c 2011/09/25 12:14:09 317271
++++ ext/pdo/pdo_stmt.c 2011/09/25 12:39:05 317272
+@@ -2351,6 +2351,7 @@
+ }
+
+ zend_object_handlers pdo_dbstmt_object_handlers;
++static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC);
+
+ void pdo_stmt_init(TSRMLS_D)
+ {
+@@ -2374,6 +2375,7 @@
+ pdo_row_ce = zend_register_internal_class(&ce TSRMLS_CC);
+ pdo_row_ce->ce_flags |= ZEND_ACC_FINAL_CLASS; /* when removing this a lot of handlers need to be redone */
+ pdo_row_ce->create_object = pdo_row_new;
++ pdo_row_ce->serialize = pdo_row_serialize;
+ }
+
+ static void free_statement(pdo_stmt_t *stmt TSRMLS_DC)
+@@ -2796,6 +2798,12 @@
+ retval.handlers = &pdo_row_object_handlers;
+
+ return retval;
++}
++
++static int pdo_row_serialize(zval *object, unsigned char **buffer, zend_uint *buf_len, zend_serialize_data *data TSRMLS_DC)
++{
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "PDORow instances may not be serialized");
++ return FAILURE;
+ }
+ /* }}} */
+
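Review bot: `pdo_row_serialize` is added without any comment on why serialization is refused, and only the `serialize` slot of `pdo_row_ce` is set in `pdo_stmt_init`. No matching `unserialize` handler is visible in these hunks, so it cannot be confirmed here that a serialized PDORow string supplied from outside is rejected as well. I would add a header comment such as `/* PDORow cannot be serialized: raise E_WARNING and return FAILURE */` and mark the four unused parameters as intentionally ignored. The new function also sits inside the fold that `pdo_row_new` closes with `/* }}} */`, so it would read better with its own fold markers.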
Added |
php-5.2.14-CVE-2012-0789.patch
@@ -0,0 +1,197 @@
+Index: ext/date/lib/parse_date.c
+===================================================================
+--- ext/date/lib/parse_date.c.orig
++++ ext/date/lib/parse_date.c
+@@ -691,7 +691,7 @@ static long timelib_lookup_zone(char **p
+ return value;
+ }
+
+-static long timelib_get_zone(char **ptr, int *dst, timelib_time *t, int *tz_not_found, const timelib_tzdb *tzdb)
++static long timelib_get_zone(char **ptr, int *dst, timelib_time *t, int *tz_not_found, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_wrapper)
+ {
+ timelib_tzinfo *res;
+ long retval = 0;
+@@ -737,7 +737,7 @@ static long timelib_get_zone(char **ptr,
+ #endif
+ /* If we have a TimeZone identifier to start with, use it */
+ if (strstr(tz_abbr, "/") || strcmp(tz_abbr, "UTC") == 0) {
+- if ((res = timelib_parse_tzfile(tz_abbr, tzdb)) != NULL) {
++ if ((res = tz_wrapper(tz_abbr, tzdb)) != NULL) {
+ t->tz_info = res;
+ t->zone_type = TIMELIB_ZONETYPE_ID;
+ found++;
+@@ -766,7 +766,7 @@ static long timelib_get_zone(char **ptr,
+ } \
+ }
+
+-static int scan(Scanner *s)
++static int scan(Scanner *s, timelib_tz_get_wrapper tz_get_wrapper)
+ {
+ uchar *cursor = s->cur;
+ char *str, *ptr = NULL;
+@@ -921,7 +921,7 @@ yy3:
+ DEBUG_OUTPUT("tzcorrection | tz");
+ TIMELIB_INIT;
+ TIMELIB_HAVE_TZ();
+- s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb);
++ s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper);
+ if (tz_not_found) {
+ add_error(s, "The timezone could not be found in the database");
+ }
+@@ -5793,7 +5793,7 @@ yy333:
+ }
+
+ if (*ptr != '\0') {
+- s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb);
++ s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper);
+ if (tz_not_found) {
+ add_error(s, "The timezone could not be found in the database");
+ }
+@@ -13445,7 +13445,7 @@ yy696:
+ }
+
+ if (*ptr != '\0') {
+- s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb);
++ s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper);
+ if (tz_not_found) {
+ add_error(s, "The timezone could not be found in the database");
+ }
+@@ -15498,7 +15498,7 @@ yy888:
+ s->time->h = timelib_get_nr((char **) &ptr, 2);
+ s->time->i = timelib_get_nr((char **) &ptr, 2);
+ s->time->s = timelib_get_nr((char **) &ptr, 2);
+- s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb);
++ s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper);
+ if (tz_not_found) {
+ add_error(s, "The timezone could not be found in the database");
+ }
+@@ -16860,7 +16860,7 @@ yy1028:
+ if (*ptr == '.') {
+ s->time->f = timelib_get_frac_nr((char **) &ptr, 9);
+ if (*ptr) { /* timezone is optional */
+- s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb);
++ s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper);
+ if (tz_not_found) {
+ add_error(s, "The timezone could not be found in the database");
+ }
+@@ -19183,7 +19183,7 @@ yy1258:
+ s->time->s = timelib_get_nr((char **) &ptr, 2);
+
+ if (*ptr != '\0') {
+- s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb);
++ s->time->z = timelib_get_zone((char **) &ptr, &s->time->dst, s->time, &tz_not_found, s->tzdb, tz_get_wrapper);
+ if (tz_not_found) {
+ add_error(s, "The timezone could not be found in the database");
+ }
+@@ -23149,7 +23149,7 @@ yy1431:
+
+ #define YYMAXFILL 30
+
+-timelib_time* timelib_strtotime(char *s, int len, struct timelib_error_container **errors, const timelib_tzdb *tzdb)
++timelib_time* timelib_strtotime(char *s, int len, struct timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper)
+ {
+ Scanner in;
+ int t;
+@@ -23204,7 +23204,7 @@ timelib_time* timelib_strtotime(char *s,
+ in.time->zone_type = 0;
+
+ do {
+- t = scan(&in);
++ t = scan(&in, tz_get_wrapper);
+ #ifdef DEBUG_PARSER
+ printf("%d\n", t);
+ #endif
+Index: ext/date/lib/timelib.h
+===================================================================
+--- ext/date/lib/timelib.h.orig
++++ ext/date/lib/timelib.h
+@@ -52,6 +52,9 @@
+ #define strncasecmp strnicmp
+ #endif
+
++/* Function pointers */
++typedef timelib_tzinfo* (*timelib_tz_get_wrapper)(char *tzname, const timelib_tzdb *tzdb);
++
+ /* From dow.c */
+ timelib_sll timelib_day_of_week(timelib_sll y, timelib_sll m, timelib_sll d);
+ timelib_sll timelib_iso_day_of_week(timelib_sll y, timelib_sll m, timelib_sll d);
+@@ -61,7 +64,7 @@ timelib_sll timelib_days_in_month(timeli
+ void timelib_isoweek_from_date(timelib_sll y, timelib_sll m, timelib_sll d, timelib_sll *iw, timelib_sll *iy);
+
+ /* From parse_date.re */
+-timelib_time *timelib_strtotime(char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb);
++timelib_time *timelib_strtotime(char *s, int len, timelib_error_container **errors, const timelib_tzdb *tzdb, timelib_tz_get_wrapper tz_get_wrapper);
+ void timelib_fill_holes(timelib_time *parsed, timelib_time *now, int options);
+ char *timelib_timezone_id_from_abbr(const char *abbr, long gmtoffset, int isdst);
+ const timelib_tz_lookup_table *timelib_timezone_abbreviations_list(void);
+Index: ext/date/php_date.c
+===================================================================
+--- ext/date/php_date.c.orig
++++ ext/date/php_date.c
+@@ -576,6 +576,12 @@ static timelib_tzinfo *php_date_parse_tz
+ }
+ return tzi;
+ }
++
++timelib_tzinfo *php_date_parse_tzfile_wrapper(char *formal_tzname, const timelib_tzdb *tzdb)
++{
++ TSRMLS_FETCH();
++ return php_date_parse_tzfile(formal_tzname, tzdb TSRMLS_CC);
++}
+ /* }}} */
+
+ /* {{{ Helper functions */
+@@ -1113,7 +1119,7 @@ PHPAPI signed long php_parse_date(char *
+ int error2;
+ signed long retval;
+
+- parsed_time = timelib_strtotime(string, strlen(string), NULL, DATE_TIMEZONEDB);
++ parsed_time = timelib_strtotime(string, strlen(string), NULL, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
+ timelib_update_ts(parsed_time, NULL);
+ retval = timelib_date_to_int(parsed_time, &error2);
+ timelib_time_dtor(parsed_time);
+@@ -1145,7 +1151,7 @@ PHP_FUNCTION(strtotime)
+
+ initial_ts = emalloc(25);
+ snprintf(initial_ts, 24, "@%ld UTC", preset_ts);
+- t = timelib_strtotime(initial_ts, strlen(initial_ts), NULL, DATE_TIMEZONEDB); /* we ignore the error here, as this should never fail */
++ t = timelib_strtotime(initial_ts, strlen(initial_ts), NULL, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper); /* we ignore the error here, as this should never fail */
+ timelib_update_ts(t, tzi);
+ now->tz_info = tzi;
+ now->zone_type = TIMELIB_ZONETYPE_ID;
+@@ -1167,7 +1173,7 @@ PHP_FUNCTION(strtotime)
+ RETURN_FALSE;
+ }
+
+- t = timelib_strtotime(times, time_len, &error, DATE_TIMEZONEDB);
++ t = timelib_strtotime(times, time_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
+ error1 = error->error_count;
+ timelib_error_container_dtor(error);
+ timelib_fill_holes(t, now, TIMELIB_NO_CLONE);
+@@ -1708,7 +1714,7 @@ static int date_initialize(php_date_obj
+ if (dateobj->time) {
+ timelib_time_dtor(dateobj->time);
+ }
+- dateobj->time = timelib_strtotime(time_str_len ? time_str : "now", time_str_len ? time_str_len : sizeof("now") -1, &err, DATE_TIMEZONEDB);
++ dateobj->time = timelib_strtotime(time_str_len ? time_str : "now", time_str_len ? time_str_len : sizeof("now") -1, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
+
+ if (err && err->error_count) {
+ if (ctor) {
+@@ -1826,7 +1832,7 @@ PHP_FUNCTION(date_parse)
+ RETURN_FALSE;
+ }
+
+- parsed_time = timelib_strtotime(date, date_len, &error, DATE_TIMEZONEDB);
++ parsed_time = timelib_strtotime(date, date_len, &error, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
+ array_init(return_value);
+ #define PHP_DATE_PARSE_DATE_SET_TIME_ELEMENT(name, elem) \
+ if (parsed_time->elem == -99999) { \
+@@ -1947,7 +1953,7 @@ PHP_FUNCTION(date_modify)
+ dateobj = (php_date_obj *) zend_object_store_get_object(object TSRMLS_CC);
+ DATE_CHECK_INITIALIZED(dateobj->time, DateTime);
+
+- tmp_time = timelib_strtotime(modify, modify_len, &err, DATE_TIMEZONEDB);
++ tmp_time = timelib_strtotime(modify, modify_len, &err, DATE_TIMEZONEDB, php_date_parse_tzfile_wrapper);
+
+ if (err && err->error_count) {
+ /* spit out the first library error message, at least */
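Review bot: `timelib_get_zone` now calls `tz_wrapper(tz_abbr, tzdb)` unconditionally, so a caller of the widened `timelib_strtotime` that passes NULL for `tz_get_wrapper` would dereference a null function pointer on the first input carrying a zone identifier. Every call site in ext/date/php_date.c shown here passes `php_date_parse_tzfile_wrapper`, but the typedef in timelib.h is a library interface and says nothing about the contract. I would document it next to the typedef, e.g. `/* Resolves a zone identifier to a timelib_tzinfo; must not be NULL. The caller of timelib_strtotime decides who owns the returned object. */`, after confirming the ownership rule against the code that releases `t->tz_info`, which is outside these hunks. `php_date_parse_tzfile_wrapper` is also defined without `static` and no prototype for it appears in the patch.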
Added |
php-5.2.14-CVE-2012-0807.patch
@@ -0,0 +1,161 @@
+https://github.com/stefanesser/suhosin/commit/73b1968ee30f6d9d2dae497544b910e68e114bfa
+Index: ext/suhosin/header.c
+===================================================================
+--- ext/suhosin/header.c.orig
++++ ext/suhosin/header.c
+@@ -3,7 +3,7 @@
+ | Suhosin Version 1 |
+ +----------------------------------------------------------------------+
+ | Copyright (c) 2006-2007 The Hardened-PHP Project |
+- | Copyright (c) 2007-2010 SektionEins GmbH |
++ | Copyright (c) 2007-2012 SektionEins GmbH |
+ +----------------------------------------------------------------------+
+ | This source file is subject to version 3.01 of the PHP license, |
+ | that is bundled with this package in the file LICENSE, and is |
+@@ -40,28 +40,20 @@ static int (*orig_header_handler)(sapi_h
+
+ char *suhosin_encrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key TSRMLS_DC)
+ {
+- char buffer[4096];
+- char buffer2[4096];
+- char *buf = buffer, *buf2 = buffer2, *d, *d_url;
+- int l;
+-
+- if (name_len > sizeof(buffer)-2) {
+- buf = estrndup(name, name_len);
+- } else {
+- memcpy(buf, name, name_len);
+- buf[name_len] = 0;
+- }
++ char *buf, *buf2, *d, *d_url;
++ int l;
++
++ buf = estrndup(name, name_len);
++
+
+ name_len = php_url_decode(buf, name_len);
+- normalize_varname(buf);
+- name_len = strlen(buf);
++ normalize_varname(buf);
++ name_len = strlen(buf);
+
+ if (SUHOSIN_G(cookie_plainlist)) {
+ if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
+ encrypt_return_plain:
+- if (buf != buffer) {
+- efree(buf);
+- }
++ efree(buf);
+ return estrndup(value, value_len);
+ }
+ } else if (SUHOSIN_G(cookie_cryptlist)) {
+@@ -70,52 +62,34 @@ encrypt_return_plain:
+ }
+ }
+
+- if (strlen(value) <= sizeof(buffer2)-2) {
+- memcpy(buf2, value, value_len);
+- buf2[value_len] = 0;
+- } else {
+- buf2 = estrndup(value, value_len);
+- }
++ buf2 = estrndup(value, value_len);
+
+ value_len = php_url_decode(buf2, value_len);
+
+ d = suhosin_encrypt_string(buf2, value_len, buf, name_len, key TSRMLS_CC);
+ d_url = php_url_encode(d, strlen(d), &l);
+ efree(d);
+- if (buf != buffer) {
+- efree(buf);
+- }
+- if (buf2 != buffer2) {
+- efree(buf2);
+- }
++ efree(buf);
++ efree(buf2);
+ return d_url;
+ }
+
+ char *suhosin_decrypt_single_cookie(char *name, int name_len, char *value, int value_len, char *key, char **where TSRMLS_DC)
+ {
+- char buffer[4096];
+- char buffer2[4096];
+ int o_name_len = name_len;
+- char *buf = buffer, *buf2 = buffer2, *d, *d_url;
++ char *buf, *buf2, *d, *d_url;
+ int l;
+
+- if (name_len > sizeof(buffer)-2) {
+- buf = estrndup(name, name_len);
+- } else {
+- memcpy(buf, name, name_len);
+- buf[name_len] = 0;
+- }
+-
++ buf = estrndup(name, name_len);
++
+ name_len = php_url_decode(buf, name_len);
+- normalize_varname(buf);
+- name_len = strlen(buf);
++ normalize_varname(buf);
++ name_len = strlen(buf);
+
+ if (SUHOSIN_G(cookie_plainlist)) {
+ if (zend_hash_exists(SUHOSIN_G(cookie_plainlist), buf, name_len+1)) {
+ decrypt_return_plain:
+- if (buf != buffer) {
+- efree(buf);
+- }
++ efree(buf);
+ memcpy(*where, name, o_name_len);
+ *where += o_name_len;
+ **where = '='; *where +=1;
+@@ -130,12 +104,7 @@ decrypt_return_plain:
+ }
+
+
+- if (strlen(value) <= sizeof(buffer2)-2) {
+- memcpy(buf2, value, value_len);
+- buf2[value_len] = 0;
+- } else {
+- buf2 = estrndup(value, value_len);
+- }
++ buf2 = estrndup(value, value_len);
+
+ value_len = php_url_decode(buf2, value_len);
+
+@@ -152,12 +121,8 @@ decrypt_return_plain:
+ *where += l;
+ efree(d_url);
+ skip_cookie:
+- if (buf != buffer) {
+- efree(buf);
+- }
+- if (buf2 != buffer2) {
+- efree(buf2);
+- }
++ efree(buf);
++ efree(buf2);
+ return *where;
+ }
+
+@@ -240,7 +205,7 @@ int suhosin_header_handler(sapi_header_s
+ }
+ #endif
+
+- if (!SUHOSIN_G(allow_multiheader) && sapi_header && sapi_header->header) {
++ if (sapi_header && sapi_header->header) {
+
+ tmp = sapi_header->header;
+
+@@ -256,6 +221,9 @@ int suhosin_header_handler(sapi_header_s
+ if (!SUHOSIN_G(simulation)) {
+ sapi_header->header_len = i;
+ }
++ }
++ if (SUHOSIN_G(allow_multiheader)) {
++ continue;
+ } else if ((tmp[0] == '\r' && (tmp[1] != '\n' || i == 0)) ||
+ (tmp[0] == '\n' && (i == sapi_header->header_len-1 || i == 0 || (tmp[1] != ' ' && tmp[1] != '\t')))) {
+ char *fname = get_active_function_name(TSRMLS_C);
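Review bot: With the fixed-size stack buffers removed, `buf` and `buf2` in `suhosin_decrypt_single_cookie` are declared uninitialised while `skip_cookie:` now frees both unconditionally, so the cleanup is only correct if every `goto skip_cookie` sits after `buf2 = estrndup(value, value_len);`. The code between the hunks is not shown, so that cannot be confirmed from this patch. Declaring them as `char *buf = NULL, *buf2 = NULL, *d, *d_url;` and freeing with `if (buf2) { efree(buf2); }` would keep the cleanup safe on any path. In the `suhosin_header_handler` hunk, a short comment would help to say that `allow_multiheader` now skips only the CR/LF test, and that the preceding check (its condition is outside the hunk) always runs.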
Added |
php-5.2.14-CVE-2012-0830.patch
@@ -0,0 +1,43 @@
+http://svn.php.net/viewvc?view=revision&revision=323007
+http://svn.php.net/viewvc?view=revision&revision=323013
+--- a/main/php_variables.c
++++ b/main/php_variables.c
+@@ -182,7 +182,12 @@ PHPAPI void php_register_variable_ex(cha
+ if (!index) {
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+- zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) {
++ zval_ptr_dtor(&gpc_element);
++ zval_dtor(val);
++ efree(var_orig);
++ return;
++ }
+ } else {
+ if (PG(magic_quotes_gpc)) {
+ escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
+@@ -198,6 +203,13 @@ PHPAPI void php_register_variable_ex(cha
+ MAKE_STD_ZVAL(gpc_element);
+ array_init(gpc_element);
+ zend_symtable_update(symtable1, escaped_index, index_len + 1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ } else {
++ if (index != escaped_index) {
++ efree(escaped_index);
++ }
++ zval_dtor(val);
++ efree(var_orig);
++ return;
+ }
+ }
+ if (index != escaped_index) {
+@@ -223,7 +235,9 @@ plain_var:
+ gpc_element->value = val->value;
+ Z_TYPE_P(gpc_element) = Z_TYPE_P(val);
+ if (!index) {
+- zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p);
++ if (zend_hash_next_index_insert(symtable1, &gpc_element, sizeof(zval *), (void **) &gpc_element_p) == FAILURE) {
++ zval_ptr_dtor(&gpc_element);
++ }
+ } else {
+ if (PG(magic_quotes_gpc)) {
+ escaped_index = php_addslashes(index, index_len, &index_len, 0 TSRMLS_CC);
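Review bot: The three new failure paths in `php_register_variable_ex` each release a different set of objects and none of them says why. The first hunk destroys `gpc_element`, `val` and `var_orig` and returns; the second frees `escaped_index`, `val` and `var_orig`; the `plain_var` hunk only calls `zval_ptr_dtor(&gpc_element)` and carries on. In that last case `gpc_element` has just received `val->value` by plain assignment, so it presumably owns the value and one destroy is correct, but a comment such as `/* gpc_element took over val's value above; destroying it releases both */` would make that auditable. The `zend_symtable_update` call kept as context in the second hunk still has its result unchecked, unlike the two `zend_hash_next_index_insert` calls. The `if` that the new `else` belongs to opens outside the hunk.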
Added |
php-5.2.14-CVE-2012-0831.patch
@@ -0,0 +1,51 @@
+http://svn.php.net/viewvc?view=revision&revision=323016
+Index: main/php_variables.c
+===================================================================
+--- main/php_variables.c.orig
++++ main/php_variables.c
+@@ -448,7 +449,10 @@ void _php_import_environment_variables(z
+
+ /* turn off magic_quotes while importing environment variables */
+ int magic_quotes_gpc = PG(magic_quotes_gpc);
+- PG(magic_quotes_gpc) = 0;
++
++ if (PG(magic_quotes_gpc)) {
++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
++ }
+
+ for (env = environ; env != NULL && *env != NULL; env++) {
+ p = strchr(*env, '=');
+@@ -591,7 +595,9 @@ static inline void php_register_server_v
+ zval_ptr_dtor(&PG(http_globals)[TRACK_VARS_SERVER]);
+ }
+ PG(http_globals)[TRACK_VARS_SERVER] = array_ptr;
+- PG(magic_quotes_gpc) = 0;
++ if (PG(magic_quotes_gpc)) {
++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
++ }
+
+ /* Server variables */
+ if (sapi_module.register_server_variables) {
+Index: sapi/cgi/cgi_main.c
+===================================================================
+--- sapi/cgi/cgi_main.c.orig
++++ sapi/cgi/cgi_main.c
+@@ -77,6 +77,7 @@ int __riscosify_control = __RISCOSIFY_ST
+ #include "zend_execute.h"
+ #include "zend_highlight.h"
+ #include "zend_indent.h"
++#include "zend_ini.h"
+
+ #include "php_getopt.h"
+
+@@ -609,7 +610,9 @@ void cgi_php_import_environment_variable
+ int filter_arg = (array_ptr == PG(http_globals)[TRACK_VARS_ENV])?PARSE_ENV:PARSE_SERVER;
+
+ /* turn off magic_quotes while importing environment variables */
+- PG(magic_quotes_gpc) = 0;
++ if (PG(magic_quotes_gpc)) {
++ zend_alter_ini_entry_ex("magic_quotes_gpc", sizeof("magic_quotes_gpc"), "0", 1, ZEND_INI_SYSTEM, ZEND_INI_STAGE_ACTIVATE, 1 TSRMLS_CC);
++ }
+ for (zend_hash_internal_pointer_reset_ex(&request->env, &pos);
+ zend_hash_get_current_key_ex(&request->env, &var, &var_len, &idx, 0, &pos) == HASH_KEY_IS_STRING &&
+ zend_hash_get_current_data_ex(&request->env, (void **) &val, &pos) == SUCCESS;
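Review bot: The result of `zend_alter_ini_entry_ex` is discarded in all three places (`_php_import_environment_variables`, `php_register_server_variables`, `cgi_php_import_environment_variables`), so if the call fails the import continues with magic quotes still enabled and nothing records it. Testing the result, `if (zend_alter_ini_entry_ex(...) == FAILURE) { /* report and stop the import */ }`, would make the failure visible. The identical nine-argument call is also written out three times and would be easier to keep consistent behind one shared helper. In the first hunk the saved `magic_quotes_gpc` local is kept, but the code that restores it lies outside the hunk, so it cannot be seen here whether the restore also goes through the INI layer.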
Added |
php-5.2.14-CVE-2012-1172.patch
@@ -0,0 +1,15 @@
+http://svn.php.net/viewvc?view=revision&revision=321664
+--- main/rfc1867.c 2012/01/01 23:51:21 321663
++++ main/rfc1867.c 2012/01/01 23:54:25 321664
+@@ -942,6 +942,10 @@
+ }
+ tmp++;
+ }
++ /* Brackets should always be closed */
++ if(c != 0) {
++ skip_upload = 1;
++ }
+ }
+
+ total_bytes = cancel_upload = 0;
+
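Review bot: The new check sets `skip_upload = 1` silently, and the comment "Brackets should always be closed" does not say what `c` holds. The loop that maintains `c` starts outside the hunk, so I am assuming it is the open-bracket depth left after scanning the field name. I would expand the comment to `/* c is the bracket depth after scanning the name; non-zero means an unclosed '[', so the upload is skipped */` and consider emitting a warning on this path so a rejected upload can be traced in the logs.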
Added |
php-5.2.14-CVE-2012-1823-impr.patch
@@ -0,0 +1,32 @@
+http://git.php.net/?p=php-src.git;a=commitdiff;h=000e84aa88ce16deabbf61e7086fc8db63ca88aa
+Index: sapi/cgi/cgi_main.c
+===================================================================
+--- sapi/cgi/cgi_main.c.orig
++++ sapi/cgi/cgi_main.c
+@@ -1413,10 +1413,15 @@ int main(int argc, char *argv[])
+ }
+ #endif
+
+- if(query_string = getenv("QUERY_STRING")) {
++ if((query_string = getenv("QUERY_STRING")) != NULL && strchr(query_string, '=') == NULL) {
++ /* we've got query string that has no = - apache CGI will pass it to command line */
++ unsigned char *p;
+ decoded_query_string = strdup(query_string);
+ php_url_decode(decoded_query_string, strlen(decoded_query_string));
+- if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
++ for (p = decoded_query_string; *p && *p <= ' '; p++) {
++ /* skip all leading spaces */
++ }
++ if(*p == '-') {
+ skip_getopt = 1;
+ }
+ free(decoded_query_string);
+@@ -1676,7 +1681,7 @@ consult the installation file that came
+ #endif /* FASTCGI */
+
+ zend_first_try {
+- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1)) != -1) {
++ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 1)) != -1) {
+ switch (c) {
+ #if PHP_FASTCGI
+ case 'T':
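Review bot: `strdup(query_string)` is still used without a NULL check, so an allocation failure reaches `php_url_decode` and `strlen` with a null pointer; the same unchecked call is introduced in php-5.2.14-CVE-2012-1823.patch. Because this block decides whether command-line option parsing is skipped, failing closed looks like the safer choice: `if (decoded_query_string == NULL) { skip_getopt = 1; }` with the decode and scan in the `else`. The new `unsigned char *p` is also assigned from a `char *` without a cast; `p = (unsigned char *)decoded_query_string` keeps the `*p <= ' '` comparison unsigned and avoids a pointer-sign diagnostic. `main` continues outside both hunks.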
Added |
php-5.2.14-CVE-2012-1823.patch
@@ -0,0 +1,46 @@
+CVE-2012-1823
+https://bugs.php.net/patch-display.php?bug=61910&patch=cgi.diff&revision=1335984315
+plus
+CVE-2012-2311
+https://bugs.php.net/patch-display.php?bug_id=61910&patch=cgi.diff-fix-check.patch&revision=latest
+Index: sapi/cgi/cgi_main.c
+===================================================================
+--- sapi/cgi/cgi_main.c.orig
++++ sapi/cgi/cgi_main.c
+@@ -62,6 +62,7 @@
+ #include "php_main.h"
+ #include "fopen_wrappers.h"
+ #include "ext/standard/php_standard.h"
++#include "ext/standard/url.h"
+ #ifdef PHP_WIN32
+ #include <io.h>
+ #include <fcntl.h>
+@@ -1354,6 +1355,10 @@ int main(int argc, char *argv[])
+ int status = 0;
+ #endif
+ #endif /* PHP_FASTCGI */
++
++ char *query_string;
++ char *decoded_query_string;
++ int skip_getopt = 0;
+
+ #if 0 && defined(PHP_DEBUG)
+ /* IIS is always making things more difficult. This allows
+@@ -1408,7 +1413,16 @@ int main(int argc, char *argv[])
+ }
+ #endif
+
+- while ((c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {
++ if(query_string = getenv("QUERY_STRING")) {
++ decoded_query_string = strdup(query_string);
++ php_url_decode(decoded_query_string, strlen(decoded_query_string));
++ if(*decoded_query_string == '-' && strchr(query_string, '=') == NULL) {
++ skip_getopt = 1;
++ }
++ free(decoded_query_string);
++ }
++
++ while (!skip_getopt && (c = php_getopt(argc, argv, OPTIONS, &php_optarg, &php_optind, 0)) != -1) {
+ switch (c) {
+ case 'c':
+ if (cgi_sapi_module.php_ini_path_override) {
Added |
php-5.2.14-CVE-2012-2688.patch
@@ -0,0 +1,17 @@
+http://git.php.net/?p=php-src.git;a=commit;h=fc74503792b1ee92e4b813690890f3ed38fa3ad5
+Index: main/streams/streams.c
+===================================================================
+--- main/streams/streams.c.orig
++++ main/streams/streams.c
+@@ -2274,6 +2274,11 @@ PHPAPI int _php_stream_scandir(char *dir
+ if (vector_size == 0) {
+ vector_size = 10;
+ } else {
++ if(vector_size*2 < vector_size) {
++ /* overflow */
++ efree(vector);
++ return FAILURE;
++ }
+ vector_size *= 2;
+ }
+ vector = (char **) erealloc(vector, vector_size * sizeof(char *));
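Review bot: The added test `vector_size*2 < vector_size` guards the doubling but not the byte count handed to `erealloc` two lines later, where `vector_size * sizeof(char *)` can wrap while the element count is still in range. The declaration of `vector_size` is outside the hunk; if it is a signed type the test itself depends on signed overflow, which is undefined. Bounding the count by the allocation size covers both cases, e.g. `if (vector_size > ((size_t)-1) / sizeof(char *) / 2) {`. The early `return FAILURE` releases `vector` only, so the entries already stored in it, and the directory stream if it is still open at that point, presumably need releasing on this path as well.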
Added |
php-5.2.14-CVE-2012-3365.patch
@@ -0,0 +1,76 @@
+http://git.php.net/?p=php-src.git;a=commit;h=055ecbc62878e86287d742c7246c21606cee8183
+Index: ext/pdo_sqlite/sqlite_driver.c
+===================================================================
+--- ext/pdo_sqlite/sqlite_driver.c.orig
++++ ext/pdo_sqlite/sqlite_driver.c
+@@ -642,7 +642,7 @@ static struct pdo_dbh_methods sqlite_met
+
+ static char *make_filename_safe(const char *filename TSRMLS_DC)
+ {
+- if (*filename && strncmp(filename, ":memory:", sizeof(":memory:")-1)) {
++ if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) {
+ char *fullpath = expand_filepath(filename, NULL TSRMLS_CC);
+
+ if (!fullpath) {
+Index: ext/sqlite/pdo_sqlite2.c
+===================================================================
+--- ext/sqlite/pdo_sqlite2.c.orig
++++ ext/sqlite/pdo_sqlite2.c
+@@ -515,7 +515,7 @@ static struct pdo_dbh_methods sqlite2_me
+
+ static char *make_filename_safe(const char *filename TSRMLS_DC)
+ {
+- if (*filename && strncmp(filename, ":memory:", sizeof(":memory:")-1)) {
++ if (*filename && memcmp(filename, ":memory:", sizeof(":memory:"))) {
+ char *fullpath = expand_filepath(filename, NULL TSRMLS_CC);
+
+ if (!fullpath) {
+Index: ext/sqlite/sqlite.c
+===================================================================
+--- ext/sqlite/sqlite.c.orig
++++ ext/sqlite/sqlite.c
+@@ -734,7 +734,7 @@ static int php_sqlite_authorizer(void *a
+ {
+ switch (access_type) {
+ case SQLITE_COPY:
+- if (strncmp(arg4, ":memory:", sizeof(":memory:") - 1)) {
++ if (memcmp(arg4, ":memory:", sizeof(":memory:"))) {
+ TSRMLS_FETCH();
+ if (PG(safe_mode) && (!php_checkuid(arg4, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ return SQLITE_DENY;
+@@ -747,7 +747,7 @@ static int php_sqlite_authorizer(void *a
+ return SQLITE_OK;
+ #ifdef SQLITE_ATTACH
+ case SQLITE_ATTACH:
+- if (strncmp(arg3, ":memory:", sizeof(":memory:") - 1)) {
++ if (memcmp(arg3, ":memory:", sizeof(":memory:"))) {
+ TSRMLS_FETCH();
+ if (PG(safe_mode) && (!php_checkuid(arg3, NULL, CHECKUID_CHECK_FILE_AND_DIR))) {
+ return SQLITE_DENY;
+@@ -1230,7 +1230,7 @@ PHP_FUNCTION(sqlite_popen)
+ ZVAL_NULL(errmsg);
+ }
+
+- if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
++ if (memcmp(filename, ":memory:", sizeof(":memory:"))) {
+ /* resolve the fully-qualified path name to use as the hash key */
+ if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
+ RETURN_FALSE;
+@@ -1306,7 +1306,7 @@ PHP_FUNCTION(sqlite_open)
+ ZVAL_NULL(errmsg);
+ }
+
+- if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
++ if (memcmp(filename, ":memory:", sizeof(":memory:"))) {
+ /* resolve the fully-qualified path name to use as the hash key */
+ if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
+ php_std_error_handling();
+@@ -1358,7 +1358,7 @@ PHP_FUNCTION(sqlite_factory)
+ ZVAL_NULL(errmsg);
+ }
+
+- if (strncmp(filename, ":memory:", sizeof(":memory:") - 1)) {
++ if (memcmp(filename, ":memory:", sizeof(":memory:"))) {
+ /* resolve the fully-qualified path name to use as the hash key */
+ if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
+ php_std_error_handling();
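Review bot: `memcmp(filename, ":memory:", sizeof(":memory:"))` always compares nine bytes, so for a name shorter than eight characters it may read past the terminating NUL of `filename`; memcmp is not required to stop at the first differing byte. `strcmp` gives the same exact-match result the patch is after and stops at the terminator: `if (*filename && strcmp(filename, ":memory:")) {`. The same replacement applies to `make_filename_safe` in both drivers, to the `arg3` and `arg4` checks in `php_sqlite_authorizer`, and to `sqlite_popen`, `sqlite_open` and `sqlite_factory` in ext/sqlite/sqlite.c. The sqlite.c checks have no empty-string guard in front of them at all.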
Added |
php-5.2.14-CVE-2013-1635.patch
@@ -0,0 +1,48 @@
+X-Git-Url: http://git.php.net/?p=php-src.git;a=blobdiff_plain;f=ext%2Fsoap%2Fsoap.c;h=7df84e5b2a6c960d3e044f83d55b4e02411468cf;hp=13f163ab3d6a9e6c84bc0e1c81ae9fbf6432b75e;hb=702b436ef470cc02f8e2cc21f2fadeee42103c74;hpb=0a7395e009b2df94c2a3f05aef69fb1779edf8f8
+
+Index: ext/soap/soap.c
+===================================================================
+--- ext/soap/soap.c
++++ ext/soap/soap.c
+@@ -594,10 +594,40 @@ ZEND_INI_MH(OnUpdateCacheMode)
+ return SUCCESS;
+ }
+
++static PHP_INI_MH(OnUpdateCacheDir)
++{
++ /* Only do the open_basedir check at runtime */
++ if (stage == PHP_INI_STAGE_RUNTIME || stage == PHP_INI_STAGE_HTACCESS) {
++ char *p;
++
++ if (memchr(new_value, '\0', new_value_length) != NULL) {
++ return FAILURE;
++ }
++
++ /* we do not use zend_memrchr() since path can contain ; itself */
++ if ((p = strchr(new_value, ';'))) {
++ char *p2;
++ p++;
++ if ((p2 = strchr(p, ';'))) {
++ p = p2 + 1;
++ }
++ } else {
++ p = new_value;
++ }
++
++ if (PG(open_basedir) && *p && php_check_open_basedir(p TSRMLS_CC)) {
++ return FAILURE;
++ }
++ }
++
++ OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);
++ return SUCCESS;
++}
++
+ PHP_INI_BEGIN()
+ STD_PHP_INI_ENTRY("soap.wsdl_cache_enabled", "1", PHP_INI_ALL, OnUpdateCacheEnabled,
+ cache_enabled, zend_soap_globals, soap_globals)
+-STD_PHP_INI_ENTRY("soap.wsdl_cache_dir", "/tmp", PHP_INI_ALL, OnUpdateString,
++STD_PHP_INI_ENTRY("soap.wsdl_cache_dir", "/tmp", PHP_INI_ALL, OnUpdateCacheDir,
+ cache_dir, zend_soap_globals, soap_globals)
+ STD_PHP_INI_ENTRY("soap.wsdl_cache_ttl", "86400", PHP_INI_ALL, OnUpdateLong,
+ cache_ttl, zend_soap_globals, soap_globals)
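Review bot: `OnUpdateCacheDir` discards the result of `OnUpdateString` and returns `SUCCESS` unconditionally; ending with `return OnUpdateString(entry, new_value, new_value_length, mh_arg1, mh_arg2, mh_arg3, stage TSRMLS_CC);` would propagate a failed update. The `;` handling skips up to two semicolon-separated prefixes before the remainder is checked against open_basedir, but nothing in the hunk says what those prefixes mean for `soap.wsdl_cache_dir`. A comment naming the accepted value format would make the check auditable. The embedded-NUL test also sits inside the runtime/htaccess branch, so values set at other stages are not screened by it.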
Added |
php-5.2.14-CVE-2013-1643.patch
@@ -0,0 +1,148 @@
+Index: ext/libxml/libxml.c
+===================================================================
+--- ext/libxml/libxml.c.orig
++++ ext/libxml/libxml.c
+@@ -267,6 +267,7 @@ static PHP_GINIT_FUNCTION(libxml)
+ libxml_globals->stream_context = NULL;
+ libxml_globals->error_buffer.c = NULL;
+ libxml_globals->error_list = NULL;
++ libxml_globals->entity_loader_disabled = 0;
+ }
+
+ /* Channel libxml file io layer through the PHP streams subsystem.
+@@ -356,16 +357,15 @@ static int php_libxml_streams_IO_close(v
+ }
+
+ static xmlParserInputBufferPtr
+-php_libxml_input_buffer_noload(const char *URI, xmlCharEncoding enc)
+-{
+- return NULL;
+-}
+-
+-static xmlParserInputBufferPtr
+ php_libxml_input_buffer_create_filename(const char *URI, xmlCharEncoding enc)
+ {
+ xmlParserInputBufferPtr ret;
+ void *context = NULL;
++ TSRMLS_FETCH();
++
++ if (LIBXML(entity_loader_disabled)) {
++ return NULL;
++ }
+
+ if (URI == NULL)
+ return(NULL);
+@@ -839,28 +839,25 @@ static PHP_FUNCTION(libxml_clear_errors)
+ }
+ /* }}} */
+
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC)
++{
++ zend_bool old = LIBXML(entity_loader_disabled);
++
++ LIBXML(entity_loader_disabled) = disable;
++ return old;
++}
++
+ /* {{{ proto bool libxml_disable_entity_loader([boolean disable])
+ Disable/Enable ability to load external entities */
+ static PHP_FUNCTION(libxml_disable_entity_loader)
+ {
+ zend_bool disable = 1;
+- xmlParserInputBufferCreateFilenameFunc old;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|b", &disable) == FAILURE) {
+ return;
+ }
+
+- if (disable == 0) {
+- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_create_filename);
+- } else {
+- old = xmlParserInputBufferCreateFilenameDefault(php_libxml_input_buffer_noload);
+- }
+-
+- if (old == php_libxml_input_buffer_noload) {
+- RETURN_TRUE;
+- }
+-
+- RETURN_FALSE;
++ RETURN_BOOL(php_libxml_disable_entity_loader(disable TSRMLS_CC));
+ }
+ /* }}} */
+
+Index: ext/libxml/php_libxml.h
+===================================================================
+--- ext/libxml/php_libxml.h.orig
++++ ext/libxml/php_libxml.h
+@@ -41,6 +41,7 @@ ZEND_BEGIN_MODULE_GLOBALS(libxml)
+ zval *stream_context;
+ smart_str error_buffer;
+ zend_llist *error_list;
++ zend_bool entity_loader_disabled;
+ ZEND_END_MODULE_GLOBALS(libxml)
+
+ typedef struct _libxml_doc_props {
+@@ -91,6 +92,7 @@ void php_libxml_ctx_error(void *ctx, con
+ PHP_LIBXML_API int php_libxml_xmlCheckUTF8(const unsigned char *s);
+ PHP_LIBXML_API zval *php_libxml_switch_context(zval *context TSRMLS_DC);
+ PHP_LIBXML_API void php_libxml_issue_error(int level, const char *msg TSRMLS_DC);
++PHP_LIBXML_API zend_bool php_libxml_disable_entity_loader(zend_bool disable TSRMLS_DC);
+
+ /* Init/shutdown functions*/
+ PHP_LIBXML_API void php_libxml_initialize(void);
+Index: ext/soap/php_xml.c
+===================================================================
+--- ext/soap/php_xml.c.orig
++++ ext/soap/php_xml.c
+@@ -20,6 +20,7 @@
+ /* $Id: php_xml.c 293036 2010-01-03 09:23:27Z sebastian $ */
+
+ #include "php_soap.h"
++#include "ext/libxml/php_libxml.h"
+ #include "libxml/parser.h"
+ #include "libxml/parserInternals.h"
+
+@@ -91,13 +92,17 @@ xmlDocPtr soap_xmlParseFile(const char *
+ ctxt = xmlCreateFileParserCtxt(filename);
+ PG(allow_url_fopen) = old_allow_url_fopen;
+ if (ctxt) {
++ zend_bool old;
++
+ ctxt->keepBlanks = 0;
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+ ctxt->sax->warning = NULL;
+ ctxt->sax->error = NULL;
+ /*ctxt->sax->fatalError = NULL;*/
++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC);
+ xmlParseDocument(ctxt);
++ php_libxml_disable_entity_loader(old TSRMLS_CC);
+ if (ctxt->wellFormed) {
+ ret = ctxt->myDoc;
+ if (ret->URL == NULL && ctxt->directory != NULL) {
+@@ -128,11 +133,15 @@ xmlDocPtr soap_xmlParseMemory(const void
+ xmlParserCtxtPtr ctxt = NULL;
+ xmlDocPtr ret;
+
++ TSRMLS_FETCH();
++
+ /*
+ xmlInitParser();
+ */
+ ctxt = xmlCreateMemoryParserCtxt(buf, buf_size);
+ if (ctxt) {
++ zend_bool old;
++
+ ctxt->sax->ignorableWhitespace = soap_ignorableWhitespace;
+ ctxt->sax->comment = soap_Comment;
+ ctxt->sax->warning = NULL;
+@@ -141,7 +150,9 @@ xmlDocPtr soap_xmlParseMemory(const void
+ #if LIBXML_VERSION >= 20703
+ ctxt->options |= XML_PARSE_HUGE;
+ #endif
++ old = php_libxml_disable_entity_loader(1 TSRMLS_CC);
+ xmlParseDocument(ctxt);
++ php_libxml_disable_entity_loader(old TSRMLS_CC);
+ if (ctxt->wellFormed) {
+ ret = ctxt->myDoc;
+ if (ret->URL == NULL && ctxt->directory != NULL) {
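Review bot: `entity_loader_disabled` is initialised only in `PHP_GINIT_FUNCTION(libxml)` and no per-request reset appears in these hunks, so a value set through `libxml_disable_entity_loader()` in one request may carry over to the next request served by the same process or thread. If request start-up does not already reset it elsewhere, `LIBXML(entity_loader_disabled) = 0;` in the request-init function would restore the default. In `soap_xmlParseFile` and `soap_xmlParseMemory` the save/restore pair around `xmlParseDocument` deserves a comment such as `/* block external entity loading while parsing the SOAP document; restore the caller's setting afterwards */`. It is also worth confirming that the restore still runs if parsing leaves through an error handler instead of returning.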
Added |
php-5.2.14-CVE-2013-4113.patch
@@ -0,0 +1,135 @@
+http://git.php.net/?p=php-src.git;a=commit;h=7d163e8a0880ae8af2dd869071393e5dc07ef271
+--- ext/xml/xml.c
++++ ext/xml/xml.c
+@@ -427,7 +427,7 @@ static void xml_parser_dtor(zend_rsrc_list_entry *rsrc TSRMLS_DC)
+ }
+ if (parser->ltags) {
+ int inx;
+- for (inx = 0; inx < parser->level; inx++)
++ for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)
+ efree(parser->ltags[ inx ]);
+ efree(parser->ltags);
+ }
+@@ -905,45 +905,50 @@ void _xml_startElementHandler(void *userData, const XML_Char *name, const XML_Ch
+ }
+
+ if (parser->data) {
+- zval *tag, *atr;
+- int atcnt = 0;
++ if (parser->level <= XML_MAXLEVEL) {
++ zval *tag, *atr;
++ int atcnt = 0;
+
+- MAKE_STD_ZVAL(tag);
+- MAKE_STD_ZVAL(atr);
++ MAKE_STD_ZVAL(tag);
++ MAKE_STD_ZVAL(atr);
+
+- array_init(tag);
+- array_init(atr);
++ array_init(tag);
++ array_init(atr);
+
+- _xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
++ _xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
+
+- add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
+- add_assoc_string(tag,"type","open",1);
+- add_assoc_long(tag,"level",parser->level);
++ add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
++ add_assoc_string(tag,"type","open",1);
++ add_assoc_long(tag,"level",parser->level);
+
+- parser->ltags[parser->level-1] = estrdup(tag_name);
+- parser->lastwasopen = 1;
++ parser->ltags[parser->level-1] = estrdup(tag_name);
++ parser->lastwasopen = 1;
+
+- attributes = (const XML_Char **) attrs;
++ attributes = (const XML_Char **) attrs;
+
+- while (attributes && *attributes) {
+- att = _xml_decode_tag(parser, attributes[0]);
+- val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
+-
+- add_assoc_stringl(atr,att,val,val_len,0);
++ while (attributes && *attributes) {
++ att = _xml_decode_tag(parser, attributes[0]);
++ val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
+
+- atcnt++;
+- attributes += 2;
++ add_assoc_stringl(atr,att,val,val_len,0);
+
+- efree(att);
+- }
++ atcnt++;
++ attributes += 2;
+
+- if (atcnt) {
+- zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
+- } else {
+- zval_ptr_dtor(&atr);
+- }
++ efree(att);
++ }
++
++ if (atcnt) {
++ zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
++ } else {
++ zval_ptr_dtor(&atr);
++ }
+
+- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
++ } else if (parser->level == (XML_MAXLEVEL + 1)) {
++ TSRMLS_FETCH();
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
++ }
+ }
+
+ efree(tag_name);
+@@ -995,7 +1000,7 @@ void _xml_endElementHandler(void *userData, const XML_Char *name)
+
+ efree(tag_name);
+
+- if (parser->ltags) {
++ if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {
+ efree(parser->ltags[parser->level-1]);
+ }
+
+@@ -1079,18 +1084,23 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
+ }
+ }
+
+- MAKE_STD_ZVAL(tag);
+-
+- array_init(tag);
+-
+- _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
++ if (parser->level <= XML_MAXLEVEL) {
++ MAKE_STD_ZVAL(tag);
+
+- add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
+- add_assoc_string(tag,"value",decoded_value,0);
+- add_assoc_string(tag,"type","cdata",1);
+- add_assoc_long(tag,"level",parser->level);
++ array_init(tag);
+
+- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
++ _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
++
++ add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
++ add_assoc_string(tag,"value",decoded_value,0);
++ add_assoc_string(tag,"type","cdata",1);
++ add_assoc_long(tag,"level",parser->level);
++
++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
++ } else if (parser->level == (XML_MAXLEVEL + 1)) {
++ TSRMLS_FETCH();
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
++ }
+ }
+ } else {
+ efree(decoded_value);
+
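Review bot: In `_xml_characterDataHandler` the new depth guard appears to leave `decoded_value` unfreed once `parser->level` exceeds `XML_MAXLEVEL`: inside the guarded block ownership passes to the array through `add_assoc_string(tag,"value",decoded_value,0)`, and the sibling `else` at the end of the hunk calls `efree(decoded_value)`, but neither happens on the over-limit path. Nesting depth comes from the document being parsed, so each character-data callback past the limit would hold one more buffer until the request ends. I would finish the chain with a plain `else` that emits the warning only when `parser->level == (XML_MAXLEVEL + 1)` and always calls `efree(decoded_value);`. The handler starts and ends outside the hunk, so the allocation site should be confirmed before applying this.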
Added |
php-5.2.14-CVE-2013-4248.patch
@@ -0,0 +1,114 @@
+http://git.php.net/?p=php-src.git;a=commitdiff;h=dcea4ec698dcae39b7bba6f6aa08933cbfee67
+http://git.php.net/?p=php-src.git;a=commitdiff;h=c1c49d6e3983c9ce0b43ffe7bf6e03b809ed048b
+Index: ext/openssl/openssl.c
+===================================================================
+--- ext/openssl/openssl.c.orig 2013-12-13 10:20:13.246036355 +0100
++++ ext/openssl/openssl.c 2013-12-13 10:20:57.912572160 +0100
+@@ -1343,6 +1343,74 @@
+ }
+ /* }}} */
+
++/* Special handling of subjectAltName, see CVE-2013-4073
++ * Christian Heimes
++ */
++
++static int openssl_x509v3_subjectAltName(BIO *bio, X509_EXTENSION *extension)
++{
++ GENERAL_NAMES *names;
++ const X509V3_EXT_METHOD *method = NULL;
++ long i, length, num;
++ const unsigned char *p;
++
++ method = X509V3_EXT_get(extension);
++ if (method == NULL) {
++ return -1;
++ }
++
++ p = extension->value->data;
++ length = extension->value->length;
++ if (method->it) {
++ names = (GENERAL_NAMES*)(ASN1_item_d2i(NULL, &p, length,
++ ASN1_ITEM_ptr(method->it)));
++ } else {
++ names = (GENERAL_NAMES*)(method->d2i(NULL, &p, length));
++ }
++ if (names == NULL) {
++ return -1;
++ }
++
++ num = sk_GENERAL_NAME_num(names);
++ for (i = 0; i < num; i++) {
++ GENERAL_NAME *name;
++ ASN1_STRING *as;
++ name = sk_GENERAL_NAME_value(names, i);
++ switch (name->type) {
++ case GEN_EMAIL:
++ BIO_puts(bio, "email:");
++ as = name->d.rfc822Name;
++ BIO_write(bio, ASN1_STRING_data(as),
++ ASN1_STRING_length(as));
++ break;
++ case GEN_DNS:
++ BIO_puts(bio, "DNS:");
++ as = name->d.dNSName;
++ BIO_write(bio, ASN1_STRING_data(as),
++ ASN1_STRING_length(as));
++ break;
++ case GEN_URI:
++ BIO_puts(bio, "URI:");
++ as = name->d.uniformResourceIdentifier;
++ BIO_write(bio, ASN1_STRING_data(as),
++ ASN1_STRING_length(as));
++ break;
++ default:
++ /* use builtin print for GEN_OTHERNAME, GEN_X400,
++ * GEN_EDIPARTY, GEN_DIRNAME, GEN_IPADD and GEN_RID
++ */
++ GENERAL_NAME_print(bio, name);
++ }
++ /* trailing ', ' except for last element */
++ if (i < (num - 1)) {
++ BIO_puts(bio, ", ");
++ }
++ }
++ sk_GENERAL_NAME_pop_free(names, GENERAL_NAME_free);
++
++ return 0;
++}
++
+ /* {{{ proto array openssl_x509_parse(mixed x509 [, bool shortnames=true])
+ Returns an array of the fields/values of the CERT */
+ PHP_FUNCTION(openssl_x509_parse)
+@@ -1439,15 +1507,30 @@
+
+
+ for (i = 0; i < X509_get_ext_count(cert); i++) {
++ int nid;
+ extension = X509_get_ext(cert, i);
+- if (OBJ_obj2nid(X509_EXTENSION_get_object(extension)) != NID_undef) {
++ nid = OBJ_obj2nid(X509_EXTENSION_get_object(extension));
++ if (nid != NID_undef) {
+ extname = (char *)OBJ_nid2sn(OBJ_obj2nid(X509_EXTENSION_get_object(extension)));
+ } else {
+ OBJ_obj2txt(buf, sizeof(buf)-1, X509_EXTENSION_get_object(extension), 1);
+ extname = buf;
+ }
+ bio_out = BIO_new(BIO_s_mem());
+- if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
++ if (nid == NID_subject_alt_name) {
++ if (openssl_x509v3_subjectAltName(bio_out, extension) == 0) {
++ BIO_get_mem_ptr(bio_out, &bio_buf);
++ add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
++ } else {
++ zval_dtor(return_value);
++ if (certresource == -1 && cert) {
++ X509_free(cert);
++ }
++ BIO_free(bio_out);
++ RETURN_FALSE;
++ }
++ }
++ else if (X509V3_EXT_print(bio_out, extension, 0, 0)) {
+ BIO_get_mem_ptr(bio_out, &bio_buf);
+ add_assoc_stringl(subitem, extname, bio_buf->data, bio_buf->length, 1);
+ } else {
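Review bot: `openssl_x509v3_subjectAltName()` ignores the return values of `BIO_puts()` and `BIO_write()`, so a failed write to the memory BIO still ends in `return 0` and the caller stores a truncated subjectAltName as if it were complete. Treating a negative return as failure, e.g. `if (BIO_write(bio, ASN1_STRING_data(as), ASN1_STRING_length(as)) < 0) goto err;` with an `err` path that frees `names` and returns -1, would route it into the existing `RETURN_FALSE` branch. The helper's header comment only cites a CVE number; it should say that names are written with their ASN.1 length so embedded NUL bytes are preserved, and that the resulting PHP string must therefore be compared binary-safely by callers. In the caller, `extname = (char *)OBJ_nid2sn(nid);` can reuse the value just computed instead of repeating the lookup.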
Added |
php-5.2.14-CVE-2013-4635.patch
@@ -0,0 +1,23 @@
+http://git.php.net/?p=php-src.git;a=commit;h=4828f7343b3f31d914f4d4a5545865b8a19f7fb6
+http://git.php.net/?p=php-src.git;a=commit;h=fc2a9d6e47ae23adb28122539b56df0d6195bdce
+diff --git a/ext/calendar/jewish.c b/ext/calendar/jewish.c
+index f4dc7c3..1e7a06c 100644
+--- ext/calendar/jewish.c
++++ ext/calendar/jewish.c
+@@ -272,6 +272,7 @@
+ #define HALAKIM_PER_METONIC_CYCLE (HALAKIM_PER_LUNAR_CYCLE * (12 * 19 + 7))
+
+ #define JEWISH_SDN_OFFSET 347997
++#define JEWISH_SDN_MAX 324542846L /* 12/13/887605, greater value raises interger overflow */
+ #define NEW_MOON_OF_CREATION 31524
+
+ #define SUNDAY 0
+@@ -519,7 +520,7 @@ void SdnToJewish(
+ int tishri1After;
+ int yearLength;
+
+- if (sdn <= JEWISH_SDN_OFFSET) {
++ if (sdn <= JEWISH_SDN_OFFSET || sdn > JEWISH_SDN_MAX) {
+ *pYear = 0;
+ *pMonth = 0;
+ *pDay = 0;
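Review bot: The new `JEWISH_SDN_MAX` bound is justified only by the comment "greater value raises interger overflow", which has a typo and does not say which computation overflows or for which integer width 324542846L was derived. A comment along the lines of `/* largest SDN SdnToJewish() converts without integer overflow; corresponds to 12/13/887605 */`, naming the overflowing expression once it is confirmed outside this hunk, would make the guard auditable. Out-of-range input now yields year, month and day 0, the same result as an SDN at or below `JEWISH_SDN_OFFSET`, so callers cannot tell the two rejections apart; that should be stated in the function's documentation. `SdnToJewish` continues past the end of the hunk.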
Added |
php-5.2.14-CVE-2013-6420.patch
@@ -0,0 +1,35 @@
+https://bugzilla.redhat.com/attachment.cgi?id=831933&action=diff&context=patch&collapsed=&headers=1&format=raw
+--- ext/openssl/openssl.c 2013-11-28 13:03:15.000000000 +0100
++++ ext/openssl/openssl.c 2013-11-28 12:57:36.000000000 +0100
+@@ -688,18 +688,28 @@
+ char * thestr;
+ long gmadjust = 0;
+
+- if (timestr->length < 13) {
++ if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
++ return (time_t)-1;
++ }
++
++ if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
++ return (time_t)-1;
++ }
++
++ if (ASN1_STRING_length(timestr) < 13) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+ return (time_t)-1;
+ }
+
+- strbuf = estrdup((char *)timestr->data);
++ strbuf = estrdup((char *)ASN1_STRING_data(timestr));
+
+ memset(&thetime, 0, sizeof(thetime));
+
+ /* we work backwards so that we can use atoi more easily */
+
+- thestr = strbuf + timestr->length - 3;
++ thestr = strbuf + ASN1_STRING_length(timestr) - 3;
+
+ thetime.tm_sec = atoi(thestr);
+ *thestr = '\0';
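Review bot: The length test kept by this patch, `if (ASN1_STRING_length(timestr) < 13)`, still accepts values longer than the 13-character `YYMMDDHHMMSSZ` form, while the parsing below works backwards from `strbuf + ASN1_STRING_length(timestr) - 3` and hands whatever it finds to `atoi`. A UTCTime in another layout therefore passes the new type and embedded-NUL checks and is silently misparsed instead of rejected; if only the fixed form is meant to be supported, `if (ASN1_STRING_length(timestr) != 13)` closes that gap. The new comparison also mixes `int` with `size_t` and passes `unsigned char *` to `strlen`; `(size_t)ASN1_STRING_length(timestr) != strlen((const char *)ASN1_STRING_data(timestr))` avoids both. The function starts and ends outside the hunk.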
Added |
php-5.2.14-abstract-classes.patch
@@ -0,0 +1,16 @@
+Fixed bug #43200 (Interface implementation / inheritence not possible in abstract classes)
+http://git.php.net/?p=php-src.git;a=commit;h=14b5e775b01ab22d9686a7ab2ce7b805f5818233
+Index: Zend/zend_compile.c
+===================================================================
+--- Zend/zend_compile.c.orig
++++ Zend/zend_compile.c
+@@ -2628,7 +2628,8 @@ static zend_bool do_inherit_method_check
+ return 1; /* method doesn't exist in child, copy from parent */
+ }
+
+- if (parent->common.fn_flags & ZEND_ACC_ABSTRACT
++ if ((parent->common.scope->ce_flags & ZEND_ACC_INTERFACE) == 0
++ && parent->common.fn_flags & ZEND_ACC_ABSTRACT
+ && parent->common.scope != (child->common.prototype ? child->common.prototype->common.scope : child->common.scope)
+ && child->common.fn_flags & (ZEND_ACC_ABSTRACT|ZEND_ACC_IMPLEMENTED_ABSTRACT)) {
+ zend_error(E_COMPILE_ERROR, "Can't inherit abstract function %s::%s() (previously declared abstract in %s)",
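Review bot: The added term `(parent->common.scope->ce_flags & ZEND_ACC_INTERFACE) == 0` is parenthesised and compared explicitly, but the terms that follow still rely on `&` binding tighter than `&&`, so the condition now mixes two styles. Writing the others the same way, e.g. `(parent->common.fn_flags & ZEND_ACC_ABSTRACT) != 0`, makes the four-way test easier to audit. A one-line comment above the `if`, such as `/* abstract methods that come from an interface may be re-declared abstract by the child */`, would record why interfaces are exempted. `do_inherit_method_check` starts and ends outside the hunk.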
Added |
php-5.2.14-determine-sign.patch
@@ -0,0 +1,13 @@
+Index: php-5.2.14/ext/standard/pack.c
+===================================================================
+--- php-5.2.14.orig/ext/standard/pack.c
++++ php-5.2.14/ext/standard/pack.c
+@@ -767,7 +767,7 @@ PHP_FUNCTION(unpack)
+
+ if (type == 'i') {
+ issigned = input[inputpos + (machine_little_endian ? (sizeof(int) - 1) : 0)] & 0x80;
+- } else if (sizeof(long) > 4 && (input[inputpos + machine_endian_long_map[3]] & 0x80) == 0x80) {
++ } else if (sizeof(long) > 4 && (input[inputpos + (machine_little_endian ? (sizeof(int) - 1) : 0)] & 0x80) == 0x80) {
+ v = ~INT_MAX;
+ }
+
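Review bot: The patch file carries no description or bug reference, and after the change both branches test the same byte, `input[inputpos + (machine_little_endian ? (sizeof(int) - 1) : 0)]`, so the reason the `long` case no longer uses `machine_endian_long_map[3]` cannot be recovered from the code. I would hoist the index into a local, e.g. `size_t msb = machine_little_endian ? sizeof(int) - 1 : 0;`, and add a comment saying which format codes reach the `else if` and why the top byte of an `int`-sized field is the one to test. The hunk does not show a check that `inputpos + sizeof(int) - 1` lies inside the input string; presumably that is done earlier in `unpack`, which extends beyond the hunk.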
Added |
php-5.2.14-fix-OnUpdateLong.patch
@@ -0,0 +1,22 @@
+Index: php-5.2.14/Zend/zend_ini.c
+===================================================================
+--- php-5.2.14.orig/Zend/zend_ini.c
++++ php-5.2.14/Zend/zend_ini.c
+@@ -565,7 +565,7 @@ ZEND_API ZEND_INI_MH(OnUpdateLong) /* {{
+
+ p = (long *) (base+(size_t) mh_arg1);
+
+- *p = zend_atoi(new_value, new_value_length);
++ *p = zend_atol(new_value, new_value_length);
+ return SUCCESS;
+ }
+ /* }}} */
+@@ -581,7 +581,7 @@ ZEND_API ZEND_INI_MH(OnUpdateLongGEZero)
+ base = (char *) ts_resource(*((int *) mh_arg2));
+ #endif
+
+- tmp = zend_atoi(new_value, new_value_length);
++ tmp = zend_atol(new_value, new_value_length);
+ if (tmp < 0) {
+ return FAILURE;
+ }
Added |
php-5.2.14-fopen_https_proxy_auth_fix.patch
@@ -0,0 +1,109 @@
+c.f. PHP Bug #50489
+ http://bugs.php.net/bug.php?id=50489
+--- php-5.3.3-orig/ext/standard/http_fopen_wrapper.c 2010-08-13 09:06:36.000000000 +0000
++++ php-5.3.3/ext/standard/http_fopen_wrapper.c 2010-08-13 09:45:54.000000000 +0000
+@@ -201,7 +201,56 @@ php_stream *php_stream_url_wrap_http_ex(
+ smart_str_appends(&header, resource->host);
+ smart_str_appendc(&header, ':');
+ smart_str_append_unsigned(&header, resource->port);
+- smart_str_appendl(&header, " HTTP/1.0\r\n\r\n", sizeof(" HTTP/1.0\r\n\r\n")-1);
++ smart_str_appendl(&header, " HTTP/1.0\r\n", sizeof(" HTTP/1.0\r\n")-1);
++ if (context && php_stream_context_get_option(context, "http", "header", &tmpzval) == SUCCESS) {
++ /* Look out for ProxyAuthentication header, appending it */
++ tmp = NULL;
++
++ if (Z_TYPE_PP(tmpzval) == IS_ARRAY) {
++ HashPosition pos;
++ zval **tmpheader = NULL;
++ smart_str tmpstr = {0};
++
++ for (zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(tmpzval), &pos);
++ SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(tmpzval), (void *)&tmpheader, &pos);
++ zend_hash_move_forward_ex(Z_ARRVAL_PP(tmpzval), &pos)
++ ) {
++ if (Z_TYPE_PP(tmpheader) == IS_STRING) {
++ smart_str_appendl(&tmpstr, Z_STRVAL_PP(tmpheader), Z_STRLEN_PP(tmpheader));
++ smart_str_appendl(&tmpstr, "\r\n", sizeof("\r\n") - 1);
++ }
++ }
++ smart_str_0(&tmpstr);
++ /* Remove newlines and spaces from start and end. there's at least one extra \r\n at the end that needs to go. */
++ if (tmpstr.c) {
++ tmp = php_trim(tmpstr.c, strlen(tmpstr.c), NULL, 0, NULL, 3 TSRMLS_CC);
++ smart_str_free(&tmpstr);
++ }
++ }
++ if (Z_TYPE_PP(tmpzval) == IS_STRING && Z_STRLEN_PP(tmpzval)) {
++ /* Remove newlines and spaces from start and end php_trim will estrndup() */
++ tmp = php_trim(Z_STRVAL_PP(tmpzval), Z_STRLEN_PP(tmpzval), NULL, 0, NULL, 3 TSRMLS_CC);
++ }
++ if (tmp && strlen(tmp) > 0) {
++ /* Strip Proxy-Authorization header for HTTPS */
++ int l = strlen(tmp);
++ char *s, *s2, *tmp_c = estrdup(tmp);
++
++ php_strtolower(tmp_c, l);
++ if ((s = strstr(tmp_c, "proxy-authorization:"))) {
++ if ((s2 = memchr(s, '\n', tmp_c + l - s))) {
++ smart_str_appendl(&header, tmp + (s - tmp_c), s2 - s - 1);
++ } else {
++ smart_str_appendl(&header, tmp + (s - tmp_c), tmp_c + l - s);
++ }
++ smart_str_appendl(&header, "\r\n", sizeof("\r\n")-1);
++ }
++ efree(tmp_c);
++ }
++ if (tmp)
++ efree(tmp);
++ }
++ smart_str_appendl(&header, "\r\n", sizeof("\r\n")-1);
+ if (php_stream_write(stream, header.c, header.len) != header.len) {
+ php_stream_wrapper_log_error(wrapper, options TSRMLS_CC, "Cannot connect to HTTPS server through proxy");
+ php_stream_close(stream);
+@@ -363,6 +412,18 @@ php_stream *php_stream_url_wrap_http_ex(
+ char *s, *s2, *tmp_c = estrdup(tmp);
+
+ php_strtolower(tmp_c, l);
++ if (use_proxy && use_ssl && (s = strstr(tmp_c, "proxy-authorization:"))) {
++ /* Strip Proxy-Authorization header for HTTPS */
++ if ((s2 = memchr(s, '\n', tmp_c + l - s))) {
++ int b = tmp_c + l - 1 - s2;
++ memmove(tmp, tmp + (s2 + 1 - tmp_c), b);
++ memmove(tmp_c, s2 + 1, b);
++
++ } else {
++ tmp[s - tmp_c] = *s = '\0';
++ }
++ l = strlen(tmp_c);
++ }
+ if ((s = strstr(tmp_c, "content-length:"))) {
+ if ((s2 = memchr(s, '\n', tmp_c + l - s))) {
+ int b = tmp_c + l - 1 - s2;
+@@ -385,6 +446,27 @@ php_stream *php_stream_url_wrap_http_ex(
+ tmp_c = php_trim(tmp, strlen(tmp), NULL, 0, NULL, 3 TSRMLS_CC);
+ efree(tmp);
+ tmp = tmp_c;
++ } else if (use_proxy && use_ssl) {
++ /* Strip Proxy-Authorization header for HTTPS */
++ int l = strlen(tmp);
++ char *s, *s2, *tmp_c = estrdup(tmp);
++
++ php_strtolower(tmp_c, l);
++ if ((s = strstr(tmp_c, "proxy-authorization:"))) {
++ if ((s2 = memchr(s, '\n', tmp_c + l - s))) {
++ int b = tmp_c + l - 1 - s2;
++ memmove(tmp, tmp + (s2 + 1 - tmp_c), b);
++ memmove(tmp_c, s2 + 1, b);
++
++ } else {
++ tmp[s - tmp_c] = *s = '\0';
++ }
++ l = strlen(tmp_c);
++ }
++ efree(tmp_c);
++ tmp_c = php_trim(tmp, strlen(tmp), NULL, 0, NULL, 3 TSRMLS_CC);
++ efree(tmp);
++ tmp = tmp_c;
+ }
+
+ user_headers = estrdup(tmp);
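Review bot: The two new `use_proxy && use_ssl` blocks that are meant to strip `Proxy-Authorization` from the headers sent to the HTTPS origin copy the tail to the start of the buffer instead of over the header: `memmove(tmp, tmp + (s2 + 1 - tmp_c), b);` overwrites the first `b` bytes of `tmp`, leaves the credential line in place whenever another header precedes it, and never moves the terminating NUL. The result is that the proxy credential can still be forwarded to the destination server, and neighbouring headers are corrupted. The destination should be the match position and the count should include the terminator: `memmove(tmp + (s - tmp_c), tmp + (s2 + 1 - tmp_c), b + 1);` and `memmove(s, s2 + 1, b + 1);`. The `strstr` match is also not anchored to the start of a line, so any header whose name or value merely contains `proxy-authorization:` is treated as the credential header. `php_stream_url_wrap_http_ex` starts and ends outside these hunks.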
Added |
php-5.2.14-libedit-build.patch
@@ -0,0 +1,13 @@
+Index: php-5.2.14/ext/readline/config.m4
+===================================================================
+--- php-5.2.14.orig/ext/readline/config.m4
++++ php-5.2.14/ext/readline/config.m4
+@@ -90,7 +90,7 @@ elif test "$PHP_LIBEDIT" != "no"; then
+ ], [
+ AC_MSG_ERROR(edit library required by readline not found)
+ ], [
+- -L$READLINE_DIR/$PHP_LIBDIR
++ -L$READLINE_DIR/$PHP_LIBDIR -lncurses
+ ])
+
+ AC_DEFINE(HAVE_LIBEDIT, 1, [ ])
Added |
php-5.2.14-libxml2-bug.patch
@@ -0,0 +1,12 @@
+--- ext/xml/compat.c.orig
++++ ext/xml/compat.c
+@@ -482,9 +482,7 @@ XML_ParserCreate_MM(const XML_Char *enco
+ parser->parser->charset = XML_CHAR_ENCODING_NONE;
+ #endif
+
+-#if LIBXML_VERSION >= 20703
+ xmlCtxtUseOptions(parser->parser, XML_PARSE_OLDSAX);
+-#endif
+
+ parser->parser->replaceEntities = 1;
+ parser->parser->wellFormed = 0;
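Review bot: Dropping the `#if LIBXML_VERSION >= 20703` guard makes `xmlCtxtUseOptions(parser->parser, XML_PARSE_OLDSAX);` unconditional, but the patch file has no description saying why, and the build now depends on the installed libxml2 headers declaring `XML_PARSE_OLDSAX`. If the guard was removed because the distribution's libxml2 provides that option under an older version number, a comment saying so above the call would keep the intent visible to whoever rebases this patch. `XML_ParserCreate_MM` continues outside the hunk.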
Added |
php-5.2.6-bnc-435595.patch
@@ -0,0 +1,102 @@
+Index: ext/standard/array.c
+===================================================================
+--- ext/standard/array.c.orig
++++ ext/standard/array.c
+@@ -2733,42 +2733,35 @@ PHP_FUNCTION(array_reverse)
+ Returns a copy of input array padded with pad_value to size pad_size */
+ PHP_FUNCTION(array_pad)
+ {
+- zval **input; /* Input array */
+- zval **pad_size; /* Size to pad to */
+- zval **pad_value; /* Padding value obviously */
++ zval *input; /* Input array */
++ zval *pad_value; /* Padding value obviously */
+ zval ***pads; /* Array to pass to splice */
+- HashTable *new_hash; /* Return value from splice */
+- int input_size; /* Size of the input array */
+- int pad_size_abs; /* Absolute value of pad_size */
+- int num_pads; /* How many pads do we need */
+- int do_pad; /* Whether we should do padding at all */
++ HashTable *new_hash;/* Return value from splice */
++ HashTable old_hash;
++ long pad_size; /* Size to pad to */
++ long pad_size_abs; /* Absolute value of pad_size */
++ int input_size; /* Size of the input array */
++ int num_pads; /* How many pads do we need */
++ int do_pad; /* Whether we should do padding at all */
+ int i;
+-
+- /* Get arguments and do error-checking */
+- if (ZEND_NUM_ARGS() != 3 || zend_get_parameters_ex(3, &input, &pad_size, &pad_value) == FAILURE) {
+- WRONG_PARAM_COUNT;
+- }
+-
+- convert_to_long_ex(pad_size);
+- /* Make sure arguments are of the proper type */
+- if (Z_TYPE_PP(input) != IS_ARRAY) {
+- php_error_docref(NULL TSRMLS_CC, E_WARNING, "The argument should be an array");
++
++ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "alz", &input, &pad_size, &pad_value) == FAILURE) {
+ return;
+ }
+-
++
+ /* Do some initial calculations */
+- input_size = zend_hash_num_elements(Z_ARRVAL_PP(input));
+- pad_size_abs = abs(Z_LVAL_PP(pad_size));
++ input_size = zend_hash_num_elements(Z_ARRVAL_P(input));
++ pad_size_abs = abs(pad_size);
+ if (pad_size_abs < 0) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may only pad up to 1048576 elements at a time");
+ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+ do_pad = (input_size >= pad_size_abs) ? 0 : 1;
+-
++
+ /* Copy the original array */
+- RETVAL_ZVAL(*input, 1, 0);
+-
++ RETVAL_ZVAL(input, 1, 0);
++
+ /* If no need to pad, no need to continue */
+ if (!do_pad) {
+ return;
+@@ -2776,31 +2769,32 @@ PHP_FUNCTION(array_pad)
+
+ /* Populate the pads array */
+ num_pads = pad_size_abs - input_size;
+- if(num_pads > 1048576) {
++ if (num_pads > 1048576) {
+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "You may only pad up to 1048576 elements at a time");
+ zval_dtor(return_value);
+ RETURN_FALSE;
+ }
+ pads = (zval ***)safe_emalloc(num_pads, sizeof(zval **), 0);
+ for (i = 0; i < num_pads; i++) {
+- pads[i] = pad_value;
++ pads[i] = &pad_value;
+ }
+
+ /* Pad on the right or on the left */
+- if (Z_LVAL_PP(pad_size) > 0) {
++ if (pad_size > 0) {
+ new_hash = php_splice(Z_ARRVAL_P(return_value), input_size, 0, pads, num_pads, NULL);
+ } else {
+ new_hash = php_splice(Z_ARRVAL_P(return_value), 0, 0, pads, num_pads, NULL);
+ }
+
+ /* Copy the result hash into return value */
+- zend_hash_destroy(Z_ARRVAL_P(return_value));
++ old_hash = *Z_ARRVAL_P(return_value);
+ if (Z_ARRVAL_P(return_value) == &EG(symbol_table)) {
+ zend_reset_all_cv(&EG(symbol_table) TSRMLS_CC);
+ }
+ *Z_ARRVAL_P(return_value) = *new_hash;
+ FREE_HASHTABLE(new_hash);
+-
++ zend_hash_destroy(&old_hash);
++
+ /* Clean up */
+ efree(pads);
+ }
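Review bot: `pad_size` and `pad_size_abs` are now `long`, but the absolute value is still taken with `abs(pad_size)`, which takes an `int`, and the difference is stored in `int num_pads` before the `num_pads > 1048576` limit is tested. Where `long` is wider than `int`, a large `pad_size` is truncated before either check, so the limit is applied to a different number than the caller passed. Using `labs(pad_size)` and testing the bound in `long` before narrowing, e.g. `if (pad_size_abs - input_size > 1048576)`, keeps the validation on the real value. The `pad_size_abs < 0` test relies on the absolute-value call returning a negative result for the most negative input, which is undefined behaviour; comparing `pad_size` with `LONG_MIN` before calling `labs` is the defined form.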
|