From e140245806c0dc8dd72d6b5806704093c4861340 Mon Sep 17 00:00:00 2001
From: CentOS Buildsys <bugs@centos.org>
Date: Mar 07 2014 09:08:51 +0000
Subject: import php-5.4.16-21.el7.src.rpm


---

diff --git a/SOURCES/php-5.4.16-CVE-2013-6420.patch b/SOURCES/php-5.4.16-CVE-2013-6420.patch
new file mode 100644
index 0000000..df64151
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2013-6420.patch
@@ -0,0 +1,90 @@
+diff -up php-5.4.16/ext/openssl/openssl.c.cve6420 php-5.4.16/ext/openssl/openssl.c
+--- php-5.4.16/ext/openssl/openssl.c.cve6420	2013-12-06 07:05:06.870106576 +0100
++++ php-5.4.16/ext/openssl/openssl.c	2013-12-06 07:05:06.872106575 +0100
+@@ -656,18 +656,28 @@ static time_t asn1_time_to_time_t(ASN1_U
+ 	char * thestr;
+ 	long gmadjust = 0;
+ 
+-	if (timestr->length < 13) {
++	if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
++		return (time_t)-1;
++	}
++
++	if (ASN1_STRING_length(timestr) != strlen(ASN1_STRING_data(timestr))) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal length in timestamp");
++		return (time_t)-1;
++	}
++
++	if (ASN1_STRING_length(timestr) < 13) {
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "extension author too lazy to parse %s correctly", timestr->data);
+ 		return (time_t)-1;
+ 	}
+ 
+-	strbuf = estrdup((char *)timestr->data);
++	strbuf = estrdup((char *)ASN1_STRING_data(timestr));
+ 
+ 	memset(&thetime, 0, sizeof(thetime));
+ 
+ 	/* we work backwards so that we can use atoi more easily */
+ 
+-	thestr = strbuf + timestr->length - 3;
++	thestr = strbuf + ASN1_STRING_length(timestr) - 3;
+ 
+ 	thetime.tm_sec = atoi(thestr);
+ 	*thestr = '\0';
+diff -up php-5.4.16/ext/openssl/tests/cve-2013-6420.crt.cve6420 php-5.4.16/ext/openssl/tests/cve-2013-6420.crt
+--- php-5.4.16/ext/openssl/tests/cve-2013-6420.crt.cve6420	2013-12-06 07:05:06.872106575 +0100
++++ php-5.4.16/ext/openssl/tests/cve-2013-6420.crt	2013-12-06 07:05:06.872106575 +0100
+@@ -0,0 +1,29 @@
++-----BEGIN CERTIFICATE-----
++MIIEpDCCA4ygAwIBAgIJAJzu8r6u6eBcMA0GCSqGSIb3DQEBBQUAMIHDMQswCQYD
++VQQGEwJERTEcMBoGA1UECAwTTm9yZHJoZWluLVdlc3RmYWxlbjEQMA4GA1UEBwwH
++S8ODwrZsbjEUMBIGA1UECgwLU2VrdGlvbkVpbnMxHzAdBgNVBAsMFk1hbGljaW91
++cyBDZXJ0IFNlY3Rpb24xITAfBgNVBAMMGG1hbGljaW91cy5zZWt0aW9uZWlucy5k
++ZTEqMCgGCSqGSIb3DQEJARYbc3RlZmFuLmVzc2VyQHNla3Rpb25laW5zLmRlMHUY
++ZDE5NzAwMTAxMDAwMDAwWgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
++AAAAAAAXDTE0MTEyODExMzkzNVowgcMxCzAJBgNVBAYTAkRFMRwwGgYDVQQIDBNO
++b3JkcmhlaW4tV2VzdGZhbGVuMRAwDgYDVQQHDAdLw4PCtmxuMRQwEgYDVQQKDAtT
++ZWt0aW9uRWluczEfMB0GA1UECwwWTWFsaWNpb3VzIENlcnQgU2VjdGlvbjEhMB8G
++A1UEAwwYbWFsaWNpb3VzLnNla3Rpb25laW5zLmRlMSowKAYJKoZIhvcNAQkBFhtz
++dGVmYW4uZXNzZXJAc2VrdGlvbmVpbnMuZGUwggEiMA0GCSqGSIb3DQEBAQUAA4IB
++DwAwggEKAoIBAQDDAf3hl7JY0XcFniyEJpSSDqn0OqBr6QP65usJPRt/8PaDoqBu
++wEYT/Na+6fsgPjC0uK9DZgWg2tHWWoanSblAMoz5PH6Z+S4SHRZ7e2dDIjPjdhjh
++0mLg2UMO5yp0V797Ggs9lNt6JRfH81MN2obXWs4NtztLMuD6egqpr8dDbr34aOs8
++pkdui5UawTZksy5pLPHq5cMhFGm06v65CLo0V2Pd9+KAokPrPcN5KLKebz7mLpk6
++SMeEXOKP4idEqxyQ7O7fBuHMedsQhu+prY3si3BUyKfQtP5CZnX2bp0wKHxX12DX
++1nfFIt9DbGvHTcyOuN+nZLPBm3vWxntyIIvVAgMBAAGjQjBAMAkGA1UdEwQCMAAw
++EQYJYIZIAYb4QgEBBAQDAgeAMAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEF
++BQcDAjANBgkqhkiG9w0BAQUFAAOCAQEAG0fZYYCTbdj1XYc+1SnoaPR+vI8C8CaD
++8+0UYhdnyU4gga0BAcDrY9e94eEAu6ZqycF6FjLqXXdAboppWocr6T6GD1x33Ckl
++VArzG/KxQohGD2JeqkhIMlDomxHO7ka39+Oa8i2vWLVyjU8AZvWMAruHa4EENyG7
++lW2AagaFKFCr9TnXTfrdxGVEbv7KVQ6bdhg5p5SjpWH1+Mq03uR3ZXPBYdyV8319
++o0lVj1KFI2DCL/liWisJRoof+1cR35Ctd0wYBcpB6TZslMcOPl76dwKwJgeJo2Qg
++Zsfmc2vC1/qOlNuNq/0TzzkVGv8ETT3CgaU+UXe4XOVvkccebJn2dg==
++-----END CERTIFICATE-----
++
++
+diff -up php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt.cve6420 php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt
+--- php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt.cve6420	2013-12-06 07:05:06.872106575 +0100
++++ php-5.4.16/ext/openssl/tests/cve-2013-6420.phpt	2013-12-06 07:05:06.872106575 +0100
+@@ -0,0 +1,18 @@
++--TEST--
++CVE-2013-6420
++--SKIPIF--
++<?php 
++if (!extension_loaded("openssl")) die("skip"); 
++?>
++--FILE--
++<?php
++$crt = substr(__FILE__, 0, -4).'.crt';
++$info = openssl_x509_parse("file://$crt");
++var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
++?>
++Done
++--EXPECTF--
++%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s/cve-2013-6420.php on line 3
++string(27) "stefan.esser@sektioneins.de"
++int(-1)
++Done
diff --git a/SOURCES/php-5.4.16-CVE-2013-6712.patch b/SOURCES/php-5.4.16-CVE-2013-6712.patch
new file mode 100644
index 0000000..ba7d0f0
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2013-6712.patch
@@ -0,0 +1,40 @@
+From 12fe4e90be7bfa2a763197079f68f5568a14e071 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Wed, 27 Nov 2013 11:13:16 +0100
+Subject: [PATCH] Fixed bug #66060 (Heap buffer over-read in DateInterval)
+
+---
+ NEWS                                | 3 +++
+ ext/date/lib/parse_iso_intervals.c  | 4 ++--
+ ext/date/lib/parse_iso_intervals.re | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ext/date/lib/parse_iso_intervals.c b/ext/date/lib/parse_iso_intervals.c
+index bd1ad05..480ea38 100644
+--- a/ext/date/lib/parse_iso_intervals.c
++++ b/ext/date/lib/parse_iso_intervals.c
+@@ -415,7 +415,7 @@ yy6:
+ 					break;
+ 			}
+ 			ptr++;
+-		} while (*ptr);
++		} while (!s->errors->error_count && *ptr);
+ 		s->have_period = 1;
+ 		TIMELIB_DEINIT;
+ 		return TIMELIB_PERIOD;
+diff --git a/ext/date/lib/parse_iso_intervals.re b/ext/date/lib/parse_iso_intervals.re
+index 56aa34d..c5e9f67 100644
+--- a/ext/date/lib/parse_iso_intervals.re
++++ b/ext/date/lib/parse_iso_intervals.re
+@@ -383,7 +383,7 @@ isoweek          = year4 "-"? "W" weekofyear;
+ 					break;
+ 			}
+ 			ptr++;
+-		} while (*ptr);
++		} while (!s->errors->error_count && *ptr);
+ 		s->have_period = 1;
+ 		TIMELIB_DEINIT;
+ 		return TIMELIB_PERIOD;
+-- 
+1.8.4.3
+
diff --git a/SOURCES/php-5.4.16-CVE-2014-1943.patch b/SOURCES/php-5.4.16-CVE-2014-1943.patch
new file mode 100644
index 0000000..6842286
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-1943.patch
@@ -0,0 +1,213 @@
+From 89f864c547014646e71862df3664e3ff33d7143d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 18 Feb 2014 13:54:33 +0100
+Subject: [PATCH] Fixed Bug #66731 file: infinite recursion
+
+Upstream commit (available in file-5.17)
+
+https://github.com/glensc/file/commit/3c081560c23f20b2985c285338b52c7aae9fdb0f
+https://github.com/glensc/file/commit/cc9e74dfeca5265ad725acc926ef0b8d2a18ee70
+---
+ ext/fileinfo/libmagic/ascmagic.c      |  2 +-
+ ext/fileinfo/libmagic/file.h          |  2 +-
+ ext/fileinfo/libmagic/funcs.c         |  2 +-
+ ext/fileinfo/libmagic/softmagic.c     |  8 ++++---
+ ext/fileinfo/tests/cve-2014-1943.phpt | 39 +++++++++++++++++++++++++++++++++++
+ 5 files changed, 47 insertions(+), 6 deletions(-)
+ create mode 100644 ext/fileinfo/tests/cve-2014-1943.phpt
+
+diff --git a/ext/fileinfo/libmagic/ascmagic.c b/ext/fileinfo/libmagic/ascmagic.c
+index 2090097..c0041df 100644
+--- a/ext/fileinfo/libmagic/ascmagic.c
++++ b/ext/fileinfo/libmagic/ascmagic.c
+@@ -147,7 +147,7 @@ file_ascmagic_with_encoding(struct magic_set *ms, const unsigned char *buf,
+ 		    == NULL)
+ 			goto done;
+ 		if ((rv = file_softmagic(ms, utf8_buf,
+-		    (size_t)(utf8_end - utf8_buf), TEXTTEST, text)) == 0)
++		    (size_t)(utf8_end - utf8_buf), 0, TEXTTEST, text)) == 0)
+ 			rv = -1;
+ 	}
+ 
+diff --git a/ext/fileinfo/libmagic/file.h b/ext/fileinfo/libmagic/file.h
+index 19b6872..ab5082d 100644
+--- a/ext/fileinfo/libmagic/file.h
++++ b/ext/fileinfo/libmagic/file.h
+@@ -437,7 +437,7 @@ protected int file_encoding(struct magic_set *, const unsigned char *, size_t,
+     unichar **, size_t *, const char **, const char **, const char **);
+ protected int file_is_tar(struct magic_set *, const unsigned char *, size_t);
+ protected int file_softmagic(struct magic_set *, const unsigned char *, size_t,
+-    int, int);
++    size_t, int, int);
+ protected int file_apprentice(struct magic_set *, const char *, int);
+ protected int file_magicfind(struct magic_set *, const char *, struct mlist *);
+ protected uint64_t file_signextend(struct magic_set *, struct magic *,
+diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
+index 9c0d2bd..011ca42 100644
+--- a/ext/fileinfo/libmagic/funcs.c
++++ b/ext/fileinfo/libmagic/funcs.c
+@@ -235,7 +235,7 @@ file_buffer(struct magic_set *ms, php_stream *stream, const char *inname, const
+ 
+ 	/* try soft magic tests */
+ 	if ((ms->flags & MAGIC_NO_CHECK_SOFT) == 0)
+-		if ((m = file_softmagic(ms, ubuf, nb, BINTEST,
++		if ((m = file_softmagic(ms, ubuf, nb, 0, BINTEST,
+ 		    looks_text)) != 0) {
+ 			if ((ms->flags & MAGIC_DEBUG) != 0)
+ 				(void)fprintf(stderr, "softmagic %d\n", m);
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 0671fa9..7c5f628 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -74,13 +74,13 @@ private void cvt_64(union VALUETYPE *, const struct magic *);
+ /*ARGSUSED1*/		/* nbytes passed for regularity, maybe need later */
+ protected int
+ file_softmagic(struct magic_set *ms, const unsigned char *buf, size_t nbytes,
+-    int mode, int text)
++    size_t level, int mode, int text)
+ {
+ 	struct mlist *ml;
+ 	int rv, printed_something = 0, need_separator = 0;
+ 	for (ml = ms->mlist[0]->next; ml != ms->mlist[0]; ml = ml->next)
+ 		if ((rv = match(ms, ml->magic, ml->nmagic, buf, nbytes, 0, mode,
+-		    text, 0, 0, &printed_something, &need_separator,
++		    text, 0, level, &printed_something, &need_separator,
+ 		    NULL)) != 0)
+ 			return rv;
+ 
+@@ -1680,6 +1680,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		break;
+ 
+ 	case FILE_INDIRECT:
++		if (offset == 0)
++			return 0;
+ 		if (nbytes < offset)
+ 			return 0;
+ 		sbuf = ms->o.buf;
+@@ -1687,7 +1689,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		ms->o.buf = NULL;
+ 		ms->offset = 0;
+ 		rv = file_softmagic(ms, s + offset, nbytes - offset,
+-		    BINTEST, text);
++		    recursion_level, BINTEST, text);
+ 		if ((ms->flags & MAGIC_DEBUG) != 0)
+ 			fprintf(stderr, "indirect @offs=%u[%d]\n", offset, rv);
+ 		rbuf = ms->o.buf;
+diff --git a/ext/fileinfo/tests/cve-2014-1943.phpt b/ext/fileinfo/tests/cve-2014-1943.phpt
+new file mode 100644
+index 0000000..b2e9c17
+--- /dev/null
++++ b/ext/fileinfo/tests/cve-2014-1943.phpt
+@@ -0,0 +1,39 @@
++--TEST--
++Bug #66731: file: infinite recursion
++--SKIPIF--
++<?php
++if (!class_exists('finfo'))
++	die('skip no fileinfo extension');
++--FILE--
++<?php
++$fd = __DIR__.'/cve-2014-1943.data';
++$fm = __DIR__.'/cve-2014-1943.magic';
++
++$a = "\105\122\000\000\000\000\000";
++$b = str_repeat("\001", 250000);
++$m =  "0           byte        x\n".
++      ">(1.b)      indirect    x\n";
++
++file_put_contents($fd, $a);
++$fi = finfo_open(FILEINFO_NONE);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++
++file_put_contents($fd, $b);
++file_put_contents($fm, $m);
++$fi = finfo_open(FILEINFO_NONE, $fm);
++var_dump(finfo_file($fi, $fd));
++finfo_close($fi);
++?>
++Done
++--CLEAN--
++<?php
++@unlink(__DIR__.'/cve-2014-1943.data');
++@unlink(__DIR__.'/cve-2014-1943.magic');
++?>
++--EXPECTF--
++string(%d) "%s"
++
++Warning: finfo_file(): Failed identify data 0:(null) in %s on line %d
++bool(false)
++Done
+-- 
+1.8.4.3
+
+From 10eb0070700382f966bf260e44135e1f724a15d2 Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Thu, 20 Feb 2014 18:53:53 +0100
+Subject: [PATCH] fixed leak introduced after CVE/upgrade
+
+---
+ ext/fileinfo/libmagic/softmagic.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 7c5f628..33970e5 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -1701,6 +1701,8 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 			return -1;
+ 			if (file_printf(ms, "%s", rbuf) == -1)
+ 				return -1;
++		}
++		if (rbuf) {
+ 			efree(rbuf);
+ 		}
+ 		return rv;
+-- 
+1.8.4.3
+
+From 731013ee8e9cf405101d4fd584214fadb1c1d390 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 4 Mar 2014 13:41:37 +0100
+Subject: [PATCH] Improves fix for memory leak, keep in sync with upstream.
+
+Previous fix:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=10eb0070700382f966bf260e44135e1f724a15d2
+
+Upstream fix:
+https://github.com/glensc/file/commit/c0c0032b9e9eb57b91fefef905a3b018bab492d9
+---
+ ext/fileinfo/libmagic/softmagic.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 33970e5..82a470a 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -1696,11 +1696,19 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		ms->o.buf = sbuf;
+ 		ms->offset = soffset;
+ 		if (rv == 1) {
+-	  	if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
+-			    file_printf(ms, m->desc, offset) == -1)
+-			return -1;
+-			if (file_printf(ms, "%s", rbuf) == -1)
++			if ((ms->flags & (MAGIC_MIME|MAGIC_APPLE)) == 0 &&
++			    file_printf(ms, m->desc, offset) == -1) {
++				if (rbuf) {
++					efree(rbuf);
++				}
++				return -1;
++			}
++			if (file_printf(ms, "%s", rbuf) == -1) {
++				if (rbuf) {
++					efree(rbuf);
++				}
+ 				return -1;
++			}
+ 		}
+ 		if (rbuf) {
+ 			efree(rbuf);
+-- 
+1.8.4.3
+
diff --git a/SOURCES/php-5.4.16-CVE-2014-2270.patch b/SOURCES/php-5.4.16-CVE-2014-2270.patch
new file mode 100644
index 0000000..1923b66
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-2270.patch
@@ -0,0 +1,168 @@
+From a33759fd275b32ed0bbe89796fe2953b3cb0b41f Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 4 Mar 2014 20:32:52 +0100
+Subject: [PATCH] Fixed Bug #66820 out-of-bounds memory access in fileinfo
+
+Upstream fix:
+https://github.com/glensc/file/commit/447558595a3650db2886cd2f416ad0beba965801
+
+Notice, test changed, with upstream agreement:
+-define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >= ((n) - (o)))
++define OFFSET_OOB(n, o, i)	((n) < (o) || (i) >  ((n) - (o)))
+---
+ ext/fileinfo/libmagic/softmagic.c | 34 ++++++++++++++++++----------------
+ 1 file changed, 18 insertions(+), 16 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 82a470a..21fea6b 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -67,6 +67,8 @@ private void cvt_16(union VALUETYPE *, const struct magic *);
+ private void cvt_32(union VALUETYPE *, const struct magic *);
+ private void cvt_64(union VALUETYPE *, const struct magic *);
+ 
++#define OFFSET_OOB(n, o, i)	((n) < (o) || (i) > ((n) - (o)))
++
+ /*
+  * softmagic - lookup one file in parsed, in-memory copy of database
+  * Passed the name and FILE * of one file to be typed.
+@@ -1171,7 +1173,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		}
+ 		switch (cvt_flip(m->in_type, flip)) {
+ 		case FILE_BYTE:
+-			if (nbytes < (offset + 1))
++			if (OFFSET_OOB(nbytes, offset, 1))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1206,7 +1208,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_BESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1258,7 +1260,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LESHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1310,7 +1312,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_SHORT:
+-			if (nbytes < (offset + 2))
++			if (OFFSET_OOB(nbytes, offset, 2))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1347,7 +1349,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 			break;
+ 		case FILE_BELONG:
+ 		case FILE_BEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1418,7 +1420,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 			break;
+ 		case FILE_LELONG:
+ 		case FILE_LEID3:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1488,7 +1490,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_MELONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1558,7 +1560,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 				offset = ~offset;
+ 			break;
+ 		case FILE_LONG:
+-			if (nbytes < (offset + 4))
++			if (OFFSET_OOB(nbytes, offset, 4))
+ 				return 0;
+ 			if (off) {
+ 				switch (m->in_op & FILE_OPS_MASK) {
+@@ -1630,14 +1632,14 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 	/* Verify we have enough data to match magic type */
+ 	switch (m->type) {
+ 	case FILE_BYTE:
+-		if (nbytes < (offset + 1)) /* should alway be true */
++		if (OFFSET_OOB(nbytes, offset, 1))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_SHORT:
+ 	case FILE_BESHORT:
+ 	case FILE_LESHORT:
+-		if (nbytes < (offset + 2))
++		if (OFFSET_OOB(nbytes, offset, 2))
+ 			return 0;
+ 		break;
+ 
+@@ -1656,33 +1658,33 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 	case FILE_FLOAT:
+ 	case FILE_BEFLOAT:
+ 	case FILE_LEFLOAT:
+-		if (nbytes < (offset + 4))
++		if (OFFSET_OOB(nbytes, offset, 4))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_DOUBLE:
+ 	case FILE_BEDOUBLE:
+ 	case FILE_LEDOUBLE:
+-		if (nbytes < (offset + 8))
++		if (OFFSET_OOB(nbytes, offset, 8))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_STRING:
+ 	case FILE_PSTRING:
+ 	case FILE_SEARCH:
+-		if (nbytes < (offset + m->vallen))
++		if (OFFSET_OOB(nbytes, offset, m->vallen))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_REGEX:
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		break;
+ 
+ 	case FILE_INDIRECT:
+ 		if (offset == 0)
+ 			return 0;
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		sbuf = ms->o.buf;
+ 		soffset = ms->offset;
+@@ -1716,7 +1718,7 @@ mget(struct magic_set *ms, const unsigned char *s, struct magic *m,
+ 		return rv;
+ 
+ 	case FILE_USE:
+-		if (nbytes < offset)
++		if (OFFSET_OOB(nbytes, offset, 0))
+ 			return 0;
+ 		sbuf = m->value.s;
+ 		if (*sbuf == '^') {
+-- 
+1.8.4.3
+
diff --git a/SPECS/php.spec b/SPECS/php.spec
index d9f0f09..8870edd 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
@@ -67,7 +67,8 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.4.16
-Release: 7%{?dist}
+# Only odd release to avoid conflicts with even release used by php54 SCL
+Release: 21%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -127,6 +128,10 @@ Patch60: php-5.4.16-pdotests.patch
 # Security fixes
 Patch100: php-5.4.17-CVE-2013-4013.patch
 Patch101: php-5.4.16-CVE-2013-4248.patch
+Patch102: php-5.4.16-CVE-2013-6420.patch
+Patch104: php-5.4.16-CVE-2014-1943.patch
+Patch105: php-5.4.16-CVE-2013-6712.patch
+Patch106: php-5.4.16-CVE-2014-2270.patch
 
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel
@@ -636,6 +641,10 @@ support for using the enchant library to PHP.
 
 %patch100 -p1 -b .cve4113
 %patch101 -p1 -b .cve4248
+%patch102 -p1 -b .cve6420
+%patch104 -p1 -b .cve1943
+%patch105 -p1 -b .cve6712
+%patch106 -p1 -b .cve2270
 
 
 # Prevent %%doc confusion over LICENSE files
@@ -743,8 +752,8 @@ chmod 644 README.*
 # php-fpm configuration files for tmpfiles.d
 echo "d /run/php-fpm 755 root root" >php-fpm.tmpfiles
 
-# bring in newer config.guess and config.sub for aarch64 support
-cp -f /usr/lib/rpm/config.{guess,sub} .
+# bring in newer Red Hat config.guess and config.sub for aarch64/ppc64p7 support
+cp -f /usr/lib/rpm/redhat/config.{guess,sub} .
 
 
 %build
@@ -760,6 +769,9 @@ touch configure.in
 ./buildconf --force
 
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -Wno-pointer-sign"
+%ifarch ppc64
+CFLAGS="$CFLAGS -O3"
+%endif
 export CFLAGS
 
 # Install extension modules in %{_libdir}/php/modules.
@@ -1407,6 +1419,35 @@ fi
 
 
 %changelog
+* Fri Mar  7 2014 Remi Collet <rcollet@redhat.com> - 5.5.16-21
+- fix out-of-bounds memory access in fileinfo CVE-2014-2270
+
+* Fri Feb 21 2014 Remi Collet <rcollet@redhat.com> - 5.5.16-19
+- fix memory leak introduce in patch for CVE-2014-1943
+- fix heap-based buffer over-read in DateInterval CVE-2013-6712
+
+* Wed Feb 19 2014 Remi Collet <rcollet@redhat.com> - 5.5.16-17
+- fix infinite recursion in fileinfo CVE-2014-1943
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 5.4.16-15
+- Mass rebuild 2014-01-24
+
+* Wed Jan 15 2014 Honza Horak <hhorak@redhat.com> - 5.4.16-14
+- Rebuild for mariadb-libs
+  Related: #1045013
+
+* Fri Jan 10 2014 Remi Collet <rcollet@redhat.com> - 5.4.16-13
+- build with -O3 on ppc64 #1051073
+
+* Thu Jan  9 2014 Remi Collet <rcollet@redhat.com> - 5.4.16-11
+- use correct config.{guess,sub} for ppc64p7 #1048892
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 5.4.16-10
+- Mass rebuild 2013-12-27
+
+* Fri Dec  6 2013 Remi Collet <rcollet@redhat.com> - 5.4.16-9
+- add security fix for CVE-2013-6420
+
 * Mon Nov  4 2013 Remi Collet <rcollet@redhat.com> - 5.4.16-7
 - fix for non x86 build #1023796