From 3d9fed8bf6d190d5237be17cad126ebc803c77c9 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 15 2016 11:14:21 +0000
Subject: import rh-php56-php-5.6.25-1.el7
---
diff --git a/.gitignore b/.gitignore
index 79a7b67..ef7a682 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/php-5.6.5-strip.tar.xz
+SOURCES/php-5.6.25-strip.tar.xz
diff --git a/.rh-php56-php.metadata b/.rh-php56-php.metadata
index 31023df..1e09cb0 100644
--- a/.rh-php56-php.metadata
+++ b/.rh-php56-php.metadata
@@ -1 +1 @@
-8907c86c66cc5496808ae0a154920193c9acbc26 SOURCES/php-5.6.5-strip.tar.xz
+855e81a6930a0120b02a5629c4f6e96b63b84ad5 SOURCES/php-5.6.25-strip.tar.xz
diff --git a/SOURCES/php-5.4.7-odbctimer.patch b/SOURCES/php-5.4.7-odbctimer.patch
deleted file mode 100644
index 88c4da4..0000000
--- a/SOURCES/php-5.4.7-odbctimer.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -From 657494235eafe048e9fa6a19dcdb3c73a0cbe6ec Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Thu, 27 Sep 2012 13:45:32 +0200 -Subject: [PATCH] Fixed bug #63171, script hangs if odbc call during timeout - ---- - ext/odbc/php_odbc.c | 21 ++++++++++++++------- - 1 file changed, 14 insertions(+), 7 deletions(-) - -diff --git a/ext/odbc/php_odbc.c b/ext/odbc/php_odbc.c -index 52d46b2..2169e65 100644 ---- a/ext/odbc/php_odbc.c -+++ b/ext/odbc/php_odbc.c -@@ -431,7 +431,8 @@ static void _free_odbc_result(zend_rsrc_list_entry *rsrc TSRMLS_DC) - efree(res->values); - res->values = NULL; - } -- if (res->stmt) { -+ /* If aborted via timer expiration, don't try to call any unixODBC function */ -+ if (res->stmt && !(PG(connection_status) & PHP_CONNECTION_TIMEOUT)) { - #if defined(HAVE_SOLID) || defined(HAVE_SOLID_30) || defined(HAVE_SOLID_35) - SQLTransact(res->conn_ptr->henv, res->conn_ptr->hdbc, - (SQLUSMALLINT) SQL_COMMIT); -@@ -484,9 +485,12 @@ static void _close_odbc_conn(zend_rsrc_list_entry *rsrc TSRMLS_DC) - } - } - -- safe_odbc_disconnect(conn->hdbc); -- SQLFreeConnect(conn->hdbc); -- SQLFreeEnv(conn->henv); -+ /* If aborted via timer expiration, don't try to call any unixODBC function */ -+ if (!(PG(connection_status) & PHP_CONNECTION_TIMEOUT)) { -+ safe_odbc_disconnect(conn->hdbc); -+ SQLFreeConnect(conn->hdbc); -+ SQLFreeEnv(conn->henv); -+ } - efree(conn); - ODBCG(num_links)--; - } -@@ -512,9 +516,12 @@ static void _close_odbc_pconn(zend_rsrc_list_entry *rsrc TSRMLS_DC) - } - } - -- safe_odbc_disconnect(conn->hdbc); -- SQLFreeConnect(conn->hdbc); -- SQLFreeEnv(conn->henv); -+ /* If aborted via timer expiration, don't try to call any unixODBC function */ -+ if (!(PG(connection_status) & PHP_CONNECTION_TIMEOUT)) { -+ safe_odbc_disconnect(conn->hdbc); -+ SQLFreeConnect(conn->hdbc); -+ SQLFreeEnv(conn->henv); -+ } - free(conn); - - ODBCG(num_links)--; --- -1.7.10 - 
diff --git a/SOURCES/php-5.5.30-curl.patch b/SOURCES/php-5.5.30-curl.patch
new file mode 100644
index 0000000..0c72d56
--- /dev/null
+++ b/SOURCES/php-5.5.30-curl.patch
@@ -0,0 +1,14 @@
+diff -up php-5.5.30/ext/curl/interface.c.old php-5.5.30/ext/curl/interface.c
+--- php-5.5.30/ext/curl/interface.c.old 2015-12-14 13:58:27.911676702 +0100
++++ php-5.5.30/ext/curl/interface.c 2015-12-14 14:08:04.581124497 +0100
+@@ -1213,7 +1213,9 @@ PHP_MINIT_FUNCTION(curl)
+ REGISTER_CURL_CONSTANT(CURLSSLOPT_ALLOW_BEAST);
+ #endif
+
+-#if LIBCURL_VERSION_NUM >= 0x072200 /* Available since 7.34.0 */
++#if LIBCURL_VERSION_NUM >= 0x071300 /* Available since 7.19.0 (in upstream curl 7.34)
++ backported in RHEL-7 curl-7.29.0-16.el7 rhbz#1012136
++ backported in RHEL-6 curl-7.19.7-43.el6 rhbz#1036789 */
+ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_0);
+ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_1);
+ REGISTER_CURL_CONSTANT(CURL_SSLVERSION_TLSv1_2);
diff --git a/SOURCES/php-5.6.13-systzdata-v12.patch b/SOURCES/php-5.6.13-systzdata-v12.patch
new file mode 100644
index 0000000..8981212
--- /dev/null
+++ b/SOURCES/php-5.6.13-systzdata-v12.patch
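Review bot: In SOURCES/php-5.5.30-curl.patch the lowered guard `#if LIBCURL_VERSION_NUM >= 0x071300` only tests the header version, so the `CURL_SSLVERSION_TLSv1_0/1/2` constants are registered for any libcurl 7.19.0 or later, not only for the backported builds named in the comment. These are enum values in curl's headers rather than macros, so the preprocessor cannot test for them directly. A build against an unpatched curl older than 7.34 would fail to compile, and a runtime library older than the backport may not honour a script's request to pin TLS 1.1 or 1.2. The spec file should therefore carry matching minimum versions on the curl build and runtime dependencies (the releases cited in the comment, curl-7.29.0-16.el7 and curl-7.19.7-43.el6). The spec is not visible here, so please confirm that it does.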
@@ -0,0 +1,659 @@ +Add support for use of the system timezone database, rather +than embedding a copy. Discussed upstream but was not desired. + +History: +r12: adapt for upstream changes for new zic +r11: use canonical names to avoid more case sensitivity issues + round lat/long from zone.tab towards zero per builtin db +r10: make timezone case insensitive +r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold) +r8: fix compile error without --with-system-tzdata configured +r7: improve check for valid timezone id to exclude directories +r6: fix fd leak in r5, fix country code/BC flag use in + timezone_identifiers_list() using system db, + fix use of PECL timezonedb to override system db, +r5: reverts addition of "System/Localtime" fake tzname. + updated for 5.3.0, parses zone.tab to pick up mapping between + timezone name, country code and long/lat coords +r4: added "System/Localtime" tzname which uses /etc/localtime +r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) +r2: add filesystem trawl to set up name alias index +r1: initial revision + +diff -up php-5.6.13/ext/date/lib/parse_tz.c.systzdata php-5.6.13/ext/date/lib/parse_tz.c +--- php-5.6.13/ext/date/lib/parse_tz.c.systzdata 2015-09-03 02:02:45.000000000 +0200 ++++ php-5.6.13/ext/date/lib/parse_tz.c 2015-09-03 12:50:52.555576944 +0200 +@@ -20,6 +20,16 @@ + + #include "timelib.h" + ++#ifdef HAVE_SYSTEM_TZDATA ++#include ++#include ++#include ++#include ++#include ++ ++#include "php_scandir.h" ++#endif ++ + #include + + #ifdef HAVE_LOCALE_H +@@ -33,7 +43,11 @@ + #endif + + #define TIMELIB_SUPPORTS_V2DATA ++#ifndef HAVE_SYSTEM_TZDATA + #include "timezonedb.h" ++#endif ++ ++#include + + #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) + # if defined(__LITTLE_ENDIAN__) +@@ -55,6 +69,10 @@ static int read_preamble(const unsigned + { + uint32_t version; + ++ if (memcmp(*tzf, "TZif", 4) == 0) { ++ *tzf 
+= 20; ++ return 0; ++ } + /* read ID */ + version = (*tzf)[3] - '0'; + *tzf += 4; +@@ -298,7 +316,418 @@ void timelib_dump_tzinfo(timelib_tzinfo + } + } + +-static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) ++#ifdef HAVE_SYSTEM_TZDATA ++ ++#ifdef HAVE_SYSTEM_TZDATA_PREFIX ++#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX ++#else ++#define ZONEINFO_PREFIX "/usr/share/zoneinfo" ++#endif ++ ++/* System timezone database pointer. */ ++static const timelib_tzdb *timezonedb_system; ++ ++/* Hash table entry for the cache of the zone.tab mapping table. */ ++struct location_info { ++ char code[2]; ++ double latitude, longitude; ++ char name[64]; ++ char *comment; ++ struct location_info *next; ++}; ++ ++/* Cache of zone.tab. */ ++static struct location_info **system_location_table; ++ ++/* Size of the zone.tab hash table; a random-ish prime big enough to ++ * prevent too many collisions. */ ++#define LOCINFO_HASH_SIZE (1021) ++ ++/* Compute a case insensitive hash of str */ ++static uint32_t tz_hash(const char *str) ++{ ++ const unsigned char *p = (const unsigned char *)str; ++ uint32_t hash = 5381; ++ int c; ++ ++ while ((c = tolower(*p++)) != '\0') { ++ hash = (hash << 5) ^ hash ^ c; ++ } ++ ++ return hash % LOCINFO_HASH_SIZE; ++} ++ ++/* Parse an ISO-6709 date as used in zone.tab. Returns end of the ++ * parsed string on success, or NULL on parse error. On success, ++ * writes the parsed number to *result. 
*/ ++static char *parse_iso6709(char *p, double *result) ++{ ++ double v, sign; ++ char *pend; ++ size_t len; ++ ++ if (*p == '+') ++ sign = 1.0; ++ else if (*p == '-') ++ sign = -1.0; ++ else ++ return NULL; ++ ++ p++; ++ for (pend = p; *pend >= '0' && *pend <= '9'; pend++) ++ ;; ++ ++ /* Annoying encoding used by zone.tab has no decimal point, so use ++ * the length to determine the format: ++ * ++ * 4 = DDMM ++ * 5 = DDDMM ++ * 6 = DDMMSS ++ * 7 = DDDMMSS ++ */ ++ len = pend - p; ++ if (len < 4 || len > 7) { ++ return NULL; ++ } ++ ++ /* p => [D]DD */ ++ v = (p[0] - '0') * 10.0 + (p[1] - '0'); ++ p += 2; ++ if (len == 5 || len == 7) ++ v = v * 10.0 + (*p++ - '0'); ++ /* p => MM[SS] */ ++ v += (10.0 * (p[0] - '0') ++ + p[1] - '0') / 60.0; ++ p += 2; ++ /* p => [SS] */ ++ if (len > 5) { ++ v += (10.0 * (p[0] - '0') ++ + p[1] - '0') / 3600.0; ++ p += 2; ++ } ++ ++ /* Round to five decimal place, not because it's a good idea, ++ * but, because the builtin data uses rounded data, so, match ++ * that. */ ++ *result = trunc(v * sign * 100000.0) / 100000.0; ++ ++ return p; ++} ++ ++/* This function parses the zone.tab file to build up the mapping of ++ * timezone to country code and geographic location, and returns a ++ * hash table. 
The hash table is indexed by the function: ++ * ++ * tz_hash(timezone-name) ++ */ ++static struct location_info **create_location_table(void) ++{ ++ struct location_info **li, *i; ++ char zone_tab[PATH_MAX]; ++ char line[512]; ++ FILE *fp; ++ ++ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab); ++ ++ fp = fopen(zone_tab, "r"); ++ if (!fp) { ++ return NULL; ++ } ++ ++ li = calloc(LOCINFO_HASH_SIZE, sizeof *li); ++ ++ while (fgets(line, sizeof line, fp)) { ++ char *p = line, *code, *name, *comment; ++ uint32_t hash; ++ double latitude, longitude; ++ ++ while (isspace(*p)) ++ p++; ++ ++ if (*p == '#' || *p == '\0' || *p == '\n') ++ continue; ++ ++ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t') ++ continue; ++ ++ /* code => AA */ ++ code = p; ++ p[2] = 0; ++ p += 3; ++ ++ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */ ++ p = parse_iso6709(p, &latitude); ++ if (!p) { ++ continue; ++ } ++ p = parse_iso6709(p, &longitude); ++ if (!p) { ++ continue; ++ } ++ ++ if (!p || *p != '\t') { ++ continue; ++ } ++ ++ /* name = string */ ++ name = ++p; ++ while (*p != '\t' && *p && *p != '\n') ++ p++; ++ ++ *p++ = '\0'; ++ ++ /* comment = string */ ++ comment = p; ++ while (*p != '\t' && *p && *p != '\n') ++ p++; ++ ++ if (*p == '\n' || *p == '\t') ++ *p = '\0'; ++ ++ hash = tz_hash(name); ++ i = malloc(sizeof *i); ++ memcpy(i->code, code, 2); ++ strncpy(i->name, name, sizeof i->name); ++ i->comment = strdup(comment); ++ i->longitude = longitude; ++ i->latitude = latitude; ++ i->next = li[hash]; ++ li[hash] = i; ++ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */ ++ } ++ ++ fclose(fp); ++ ++ return li; ++} ++ ++/* Return location info from hash table, using given timezone name. ++ * Returns NULL if the name could not be found. 
*/ ++const struct location_info *find_zone_info(struct location_info **li, ++ const char *name) ++{ ++ uint32_t hash = tz_hash(name); ++ const struct location_info *l; ++ ++ if (!li) { ++ return NULL; ++ } ++ ++ for (l = li[hash]; l; l = l->next) { ++ if (strcasecmp(l->name, name) == 0) ++ return l; ++ } ++ ++ return NULL; ++} ++ ++/* Filter out some non-tzdata files and the posix/right databases, if ++ * present. */ ++static int index_filter(const struct dirent *ent) ++{ ++ return strcmp(ent->d_name, ".") != 0 ++ && strcmp(ent->d_name, "..") != 0 ++ && strcmp(ent->d_name, "posix") != 0 ++ && strcmp(ent->d_name, "posixrules") != 0 ++ && strcmp(ent->d_name, "right") != 0 ++ && strstr(ent->d_name, ".tab") == NULL; ++} ++ ++static int sysdbcmp(const void *first, const void *second) ++{ ++ const timelib_tzdb_index_entry *alpha = first, *beta = second; ++ ++ return strcasecmp(alpha->id, beta->id); ++} ++ ++ ++/* Create the zone identifier index by trawling the filesystem. */ ++static void create_zone_index(timelib_tzdb *db) ++{ ++ size_t dirstack_size, dirstack_top; ++ size_t index_size, index_next; ++ timelib_tzdb_index_entry *db_index; ++ char **dirstack; ++ ++ /* LIFO stack to hold directory entries to scan; each slot is a ++ * directory name relative to the zoneinfo prefix. */ ++ dirstack_size = 32; ++ dirstack = malloc(dirstack_size * sizeof *dirstack); ++ dirstack_top = 1; ++ dirstack[0] = strdup(""); ++ ++ /* Index array. */ ++ index_size = 64; ++ db_index = malloc(index_size * sizeof *db_index); ++ index_next = 0; ++ ++ do { ++ struct dirent **ents; ++ char name[PATH_MAX], *top; ++ int count; ++ ++ /* Pop the top stack entry, and iterate through its contents. 
*/ ++ top = dirstack[--dirstack_top]; ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); ++ ++ count = php_scandir(name, &ents, index_filter, php_alphasort); ++ ++ while (count > 0) { ++ struct stat st; ++ const char *leaf = ents[count - 1]->d_name; ++ ++ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", ++ top, leaf); ++ ++ if (strlen(name) && stat(name, &st) == 0) { ++ /* Name, relative to the zoneinfo prefix. */ ++ const char *root = top; ++ ++ if (root[0] == '/') root++; ++ ++ snprintf(name, sizeof name, "%s%s%s", root, ++ *root ? "/": "", leaf); ++ ++ if (S_ISDIR(st.st_mode)) { ++ if (dirstack_top == dirstack_size) { ++ dirstack_size *= 2; ++ dirstack = realloc(dirstack, ++ dirstack_size * sizeof *dirstack); ++ } ++ dirstack[dirstack_top++] = strdup(name); ++ } ++ else { ++ if (index_next == index_size) { ++ index_size *= 2; ++ db_index = realloc(db_index, ++ index_size * sizeof *db_index); ++ } ++ ++ db_index[index_next++].id = strdup(name); ++ } ++ } ++ ++ free(ents[--count]); ++ } ++ ++ if (count != -1) free(ents); ++ free(top); ++ } while (dirstack_top); ++ ++ qsort(db_index, index_next, sizeof *db_index, sysdbcmp); ++ ++ db->index = db_index; ++ db->index_size = index_next; ++ ++ free(dirstack); ++} ++ ++#define FAKE_HEADER "1234\0??\1??" ++#define FAKE_UTC_POS (7 - 4) ++ ++/* Create a fake data segment for database 'sysdb'. */ ++static void fake_data_segment(timelib_tzdb *sysdb, ++ struct location_info **info) ++{ ++ size_t n; ++ char *data, *p; ++ ++ data = malloc(3 * sysdb->index_size + 7); ++ ++ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); ++ ++ for (n = 0; n < sysdb->index_size; n++) { ++ const struct location_info *li; ++ timelib_tzdb_index_entry *ent; ++ ++ ent = (timelib_tzdb_index_entry *)&sysdb->index[n]; ++ ++ /* Lookup the timezone name in the hash table. 
*/ ++ if (strcmp(ent->id, "UTC") == 0) { ++ ent->pos = FAKE_UTC_POS; ++ continue; ++ } ++ ++ li = find_zone_info(info, ent->id); ++ if (li) { ++ /* If found, append the BC byte and the ++ * country code; set the position for this ++ * section of timezone data. */ ++ ent->pos = (p - data) - 4; ++ *p++ = '\1'; ++ *p++ = li->code[0]; ++ *p++ = li->code[1]; ++ } ++ else { ++ /* If not found, the timezone data can ++ * point at the header. */ ++ ent->pos = 0; ++ } ++ } ++ ++ sysdb->data = (unsigned char *)data; ++} ++ ++/* Returns true if the passed-in stat structure describes a ++ * probably-valid timezone file. */ ++static int is_valid_tzfile(const struct stat *st) ++{ ++ return S_ISREG(st->st_mode) && st->st_size > 20; ++} ++ ++/* To allow timezone names to be used case-insensitively, find the ++ * canonical name for this timezone, if possible. */ ++static const char *canonical_tzname(const char *timezone) ++{ ++ if (timezonedb_system) { ++ timelib_tzdb_index_entry *ent, lookup; ++ ++ lookup.id = (char *)timezone; ++ ++ ent = bsearch(&lookup, timezonedb_system->index, ++ timezonedb_system->index_size, sizeof lookup, ++ sysdbcmp); ++ if (ent) { ++ return ent->id; ++ } ++ } ++ ++ return timezone; ++} ++ ++/* Return the mmap()ed tzfile if found, else NULL. On success, the ++ * length of the mapped data is placed in *length. */ ++static char *map_tzfile(const char *timezone, size_t *length) ++{ ++ char fname[PATH_MAX]; ++ struct stat st; ++ char *p; ++ int fd; ++ ++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { ++ return NULL; ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); ++ ++ fd = open(fname, O_RDONLY); ++ if (fd == -1) { ++ return NULL; ++ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st)) { ++ close(fd); ++ return NULL; ++ } ++ ++ *length = st.st_size; ++ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); ++ close(fd); ++ ++ return p != MAP_FAILED ? 
p : NULL; ++} ++ ++#endif ++ ++static int inmem_seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) + { + int left = 0, right = tzdb->index_size - 1; + #ifdef HAVE_SETLOCALE +@@ -337,21 +766,87 @@ static int seek_to_tz_position(const uns + return 0; + } + ++static int seek_to_tz_position(const unsigned char **tzf, char *timezone, ++ char **map, size_t *maplen, ++ const timelib_tzdb *tzdb) ++{ ++#ifdef HAVE_SYSTEM_TZDATA ++ if (tzdb == timezonedb_system) { ++ char *orig; ++ ++ orig = map_tzfile(timezone, maplen); ++ if (orig == NULL) { ++ return 0; ++ } ++ ++ (*tzf) = (unsigned char *)orig ; ++ *map = orig; ++ return 1; ++ } ++ else ++#endif ++ { ++ return inmem_seek_to_tz_position(tzf, timezone, tzdb); ++ } ++} ++ + const timelib_tzdb *timelib_builtin_db(void) + { ++#ifdef HAVE_SYSTEM_TZDATA ++ if (timezonedb_system == NULL) { ++ timelib_tzdb *tmp = malloc(sizeof *tmp); ++ ++ tmp->version = "0.system"; ++ tmp->data = NULL; ++ create_zone_index(tmp); ++ system_location_table = create_location_table(); ++ fake_data_segment(tmp, system_location_table); ++ timezonedb_system = tmp; ++ } ++ ++ return timezonedb_system; ++#else + return &timezonedb_builtin; ++#endif + } + + const timelib_tzdb_index_entry *timelib_timezone_builtin_identifiers_list(int *count) + { ++#ifdef HAVE_SYSTEM_TZDATA ++ *count = timezonedb_system->index_size; ++ return timezonedb_system->index; ++#else + *count = sizeof(timezonedb_idx_builtin) / sizeof(*timezonedb_idx_builtin); + return timezonedb_idx_builtin; ++#endif + } + + int timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb) + { + const unsigned char *tzf; +- return (seek_to_tz_position(&tzf, timezone, tzdb)); ++ ++#ifdef HAVE_SYSTEM_TZDATA ++ if (tzdb == timezonedb_system) { ++ char fname[PATH_MAX]; ++ struct stat st; ++ ++ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { ++ return 0; ++ } ++ ++ if (system_location_table) { ++ if (find_zone_info(system_location_table, 
timezone) != NULL) { ++ /* found in cache */ ++ return 1; ++ } ++ } ++ ++ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); ++ ++ return stat(fname, &st) == 0 && is_valid_tzfile(&st); ++ } ++#endif ++ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb)); + } + + static void skip_64bit_preamble(const unsigned char **tzf, timelib_tzinfo *tz) +@@ -376,24 +871,54 @@ static void read_64bit_header(const unsi + timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb) + { + const unsigned char *tzf; ++ char *memmap = NULL; ++ size_t maplen; + timelib_tzinfo *tmp; + int version; + +- if (seek_to_tz_position(&tzf, timezone, tzdb)) { ++ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) { + tmp = timelib_tzinfo_ctor(timezone); + + version = read_preamble(&tzf, tmp); + read_header(&tzf, tmp); + read_transistions(&tzf, tmp); + read_types(&tzf, tmp); +- if (version == 2) { +- skip_64bit_preamble(&tzf, tmp); +- read_64bit_header(&tzf, tmp); +- skip_64bit_transistions(&tzf, tmp); +- skip_64bit_types(&tzf, tmp); +- skip_posix_string(&tzf, tmp); +- } +- read_location(&tzf, tmp); ++ ++#ifdef HAVE_SYSTEM_TZDATA ++ if (memmap) { ++ const struct location_info *li; ++ ++ /* TZif-style - grok the location info from the system database, ++ * if possible. */ ++ ++ if ((li = find_zone_info(system_location_table, timezone)) != NULL) { ++ tmp->location.comments = strdup(li->comment); ++ strncpy(tmp->location.country_code, li->code, 2); ++ tmp->location.longitude = li->longitude; ++ tmp->location.latitude = li->latitude; ++ tmp->bc = 1; ++ } ++ else { ++ strcpy(tmp->location.country_code, "??"); ++ tmp->bc = 0; ++ tmp->location.comments = strdup(""); ++ } ++ ++ /* Now done with the mmap segment - discard it. 
*/ ++ munmap(memmap, maplen); ++ } else ++#endif ++ { ++ if (version == 2) { ++ skip_64bit_preamble(&tzf, tmp); ++ read_64bit_header(&tzf, tmp); ++ skip_64bit_transistions(&tzf, tmp); ++ skip_64bit_types(&tzf, tmp); ++ skip_posix_string(&tzf, tmp); ++ } ++ /* PHP-style - use the embedded info. */ ++ read_location(&tzf, tmp); ++ } + } else { + tmp = NULL; + } +diff -up php-5.6.13/ext/date/lib/timelib.m4.systzdata php-5.6.13/ext/date/lib/timelib.m4 +--- php-5.6.13/ext/date/lib/timelib.m4.systzdata 2015-09-03 02:02:45.000000000 +0200 ++++ php-5.6.13/ext/date/lib/timelib.m4 2015-09-03 12:49:43.247226154 +0200 +@@ -78,3 +78,17 @@ stdlib.h + + dnl Check for strtoll, atoll + AC_CHECK_FUNCS(strtoll atoll strftime) ++ ++PHP_ARG_WITH(system-tzdata, for use of system timezone data, ++[ --with-system-tzdata[=DIR] to specify use of system timezone data], ++no, no) ++ ++if test "$PHP_SYSTEM_TZDATA" != "no"; then ++ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) ++ ++ if test "$PHP_SYSTEM_TZDATA" != "yes"; then ++ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", ++ [Define for location of system timezone data]) ++ fi ++fi ++ diff --git a/SOURCES/php-5.6.17-libdb.patch b/SOURCES/php-5.6.17-libdb.patch new file mode 100644 index 0000000..a7bbd2e --- /dev/null +++ b/SOURCES/php-5.6.17-libdb.patch 
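Review bot: In SOURCES/php-5.6.13-systzdata-v12.patch, map_tzfile() hands any regular file larger than 20 bytes under ZONEINFO_PREFIX to the parser, because is_valid_tzfile() checks only `S_ISREG` and `st_size > 20` and the mapped length is used for nothing but the later munmap(). read_preamble() falls through to the PHP-database layout when the `TZif` magic is absent, and read_header(), read_transistions() and read_types() are called without a length. A truncated or non-TZif file can therefore presumably be parsed past the end of the mapping; index_filter() keeps `*.tab` out of the index, but map_tzfile() still opens such a file by name, and the reader bodies are outside this hunk. As a first gate I would reject files that are shorter than the 44-byte TZif header or lack the magic before returning the mapping, as sketched below; bounding the readers by `maplen` would be the complete fix. Separately, fake_data_segment() allocates `3 * sysdb->index_size + 7` bytes but first copies the 10-byte FAKE_HEADER, which leaves the buffer three bytes short if every indexed zone has a zone.tab entry; `+ sizeof(FAKE_HEADER) - 1` in place of `+ 7` closes that.

```c
static char *map_tzfile(const char *timezone, size_t *length)
{
	/* … unchanged: name check, open(), fstat(), is_valid_tzfile(), *length … */
	p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0);
	close(fd);

	if (p == MAP_FAILED) {
		return NULL;
	}

	/* Only hand genuine TZif data to the parser: the fixed header is
	 * 44 bytes and starts with the "TZif" magic. */
	if (st.st_size < 44 || memcmp(p, "TZif", 4) != 0) {
		munmap(p, st.st_size);
		return NULL;
	}

	return p;
}
```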
@@ -0,0 +1,92 @@ +diff -up php-5.6.17RC1/ext/dba/config.m4.libdb php-5.6.17RC1/ext/dba/config.m4 +--- php-5.6.17RC1/ext/dba/config.m4.libdb 2015-12-10 10:42:34.643252975 +0100 ++++ php-5.6.17RC1/ext/dba/config.m4 2015-12-10 10:44:27.924729361 +0100 +@@ -312,61 +312,13 @@ if test "$PHP_DB4" != "no"; then + dbdp4="/usr/local/BerkeleyDB.4." + dbdp5="/usr/local/BerkeleyDB.5." + for i in $PHP_DB4 ${dbdp5}1 ${dbdp5}0 ${dbdp4}8 ${dbdp4}7 ${dbdp4}6 ${dbdp4}5 ${dbdp4}4 ${dbdp4}3 ${dbdp4}2 ${dbdp4}1 ${dbdp}0 /usr/local /usr; do +- if test -f "$i/db5/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/db5/db.h +- break +- elif test -f "$i/db4/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/db4/db.h +- break +- elif test -f "$i/include/db5.3/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.3/db.h +- break +- elif test -f "$i/include/db5.1/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.1/db.h +- break +- elif test -f "$i/include/db5.0/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db5.0/db.h +- break +- elif test -f "$i/include/db4.8/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.8/db.h +- break +- elif test -f "$i/include/db4.7/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.7/db.h +- break +- elif test -f "$i/include/db4.6/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.6/db.h +- break +- elif test -f "$i/include/db4.5/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.5/db.h +- break +- elif test -f "$i/include/db4/db.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4/db.h +- break +- elif test -f "$i/include/db/db4.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db/db4.h +- break +- elif test -f "$i/include/db4.h"; then +- THIS_PREFIX=$i +- THIS_INCLUDE=$i/include/db4.h +- break +- elif test -f "$i/include/db.h"; then ++ if test -f "$i/include/db.h"; then + THIS_PREFIX=$i + THIS_INCLUDE=$i/include/db.h + break + fi + done +- PHP_DBA_DB_CHECK(4, db-5.3 db-5.1 db-5.0 db-4.8 db-4.7 
db-4.6 db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) ++ PHP_DBA_DB_CHECK(4, db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) + fi + PHP_DBA_STD_RESULT(db4,Berkeley DB4) + +diff -up php-5.6.17RC1/ext/dba/dba.c.libdb php-5.6.17RC1/ext/dba/dba.c +--- php-5.6.17RC1/ext/dba/dba.c.libdb 2015-12-10 01:36:02.000000000 +0100 ++++ php-5.6.17RC1/ext/dba/dba.c 2015-12-10 10:42:34.644252979 +0100 +@@ -52,6 +52,10 @@ + #include "php_qdbm.h" + #include "php_tcadb.h" + ++#ifdef DB4_INCLUDE_FILE ++#include DB4_INCLUDE_FILE ++#endif ++ + /* {{{ arginfo */ + ZEND_BEGIN_ARG_INFO_EX(arginfo_dba_popen, 0, 0, 2) + ZEND_ARG_INFO(0, path) +@@ -535,6 +539,10 @@ PHP_MINFO_FUNCTION(dba) + + php_info_print_table_start(); + php_info_print_table_row(2, "DBA support", "enabled"); ++#ifdef DB_VERSION_STRING ++ php_info_print_table_row(2, "libdb header version", DB_VERSION_STRING); ++ php_info_print_table_row(2, "libdb library version", db_version(NULL, NULL, NULL)); ++#endif + if (handlers.c) { + smart_str_0(&handlers); + php_info_print_table_row(2, "Supported handlers", handlers.c); diff --git a/SOURCES/php-5.6.24-datetests.patch b/SOURCES/php-5.6.24-datetests.patch new file mode 100644 index 0000000..9f3bbfe --- /dev/null +++ b/SOURCES/php-5.6.24-datetests.patch 
@@ -0,0 +1,103 @@ +diff -up ./ext/date/tests/bug33414-2.phpt.datetests ./ext/date/tests/bug33414-2.phpt +--- ./ext/date/tests/bug33414-2.phpt.datetests 2016-07-21 02:23:03.000000000 +0200 ++++ ./ext/date/tests/bug33414-2.phpt 2016-07-26 07:28:10.323598643 +0200 +@@ -74,7 +74,7 @@ $strtotime_tstamp = strtotime("next Frid + print "result=".date("l Y-m-d H:i:s T I", $strtotime_tstamp)."\n"; + print "wanted=Friday 00:00:00\n\n"; + ?> +---EXPECT-- ++--EXPECTF-- + TZ=Pacific/Rarotonga - wrong day. + tStamp=Thursday 1970-01-01 17:17:17 CKT 0 + result=Tuesday 1970-01-06 00:00:00 CKT 0 +@@ -106,8 +106,8 @@ result=Tuesday 2005-04-12 00:00:00 CDT 1 + wanted=Tuesday 00:00:00 + + TZ=Pacific/Pitcairn - wrong day. +-tStamp=Thursday 1970-01-01 17:17:17 PNT 0 +-result=Wednesday 1970-01-07 00:00:00 PNT 0 ++tStamp=Thursday 1970-%s ++result=Wednesday 1970-%s + wanted=Wednesday 00:00:00 + + TZ=Pacific/Fakaofo - wrong day. +diff -up ./ext/date/tests/bug66985.phpt.datetests ./ext/date/tests/bug66985.phpt +--- ./ext/date/tests/bug66985.phpt.datetests 2016-07-21 02:23:03.000000000 +0200 ++++ ./ext/date/tests/bug66985.phpt 2016-07-26 07:28:10.323598643 +0200 +@@ -3,7 +3,7 @@ Bug #66985 (Some timezones are no longer + --FILE-- + 3 +- [timezone] => Factory +-) +-DateTimeZone Object +-( + [timezone_type] => 3 + [timezone] => GB-Eire + ) +diff -up ./ext/date/tests/date_sunrise_variation9.phpt.datetests ./ext/date/tests/date_sunrise_variation9.phpt +--- ./ext/date/tests/date_sunrise_variation9.phpt.datetests 2016-07-21 02:23:03.000000000 +0200 ++++ ./ext/date/tests/date_sunrise_variation9.phpt 2016-07-26 07:28:10.323598643 +0200 +@@ -43,5 +43,5 @@ int\((-1097256359|123456811756)\) + -- Testing date_sunrise\(\) function by passing float -12.3456789000e10 value to time -- + string\(5\) "(07:42|08:48|08:04)" + float\((7.713[0-9]*|8.810[0-9]*|8.074[0-9]*)\) +-int\((1097304168|-2147443882|-123456761731)\) ++int\((.*)\) + ===DONE=== +diff -up ./ext/date/tests/date_sunset_variation9.phpt.datetests 
./ext/date/tests/date_sunset_variation9.phpt +--- ./ext/date/tests/date_sunset_variation9.phpt.datetests 2016-07-21 02:23:03.000000000 +0200 ++++ ./ext/date/tests/date_sunset_variation9.phpt 2016-07-26 07:28:10.323598643 +0200 +@@ -43,5 +43,5 @@ int\((-1097212211|123456853728)\) + -- Testing date_sunset\(\) function by passing float -12.3456789000e10 value to time -- + string\(5\) "(19:03|18:12|18:48)" + float\((19.056[0-9]*|18.213[0-9]*|18.808[0-9]*)\) +-int\((1097345002|-2147410031|-123456723090)\) ++int\((.*)\) + ===DONE=== +diff -up ./ext/date/tests/getdate_variation7.phpt.datetests ./ext/date/tests/getdate_variation7.phpt +--- ./ext/date/tests/getdate_variation7.phpt.datetests 2016-07-21 02:23:03.000000000 +0200 ++++ ./ext/date/tests/getdate_variation7.phpt 2016-07-26 07:28:10.323598643 +0200 +@@ -55,9 +55,9 @@ array\(11\) { + \["seconds"\]=> + int\((.+)\) + \["minutes"\]=> +- int\((39|23)\) ++ int\(([0-9]*)\) + \["hours"\]=> +- int\((0|2|5)\) ++ int\(([0-9]*)\) + \["mday"\]=> + int\((9|14|23)\) + \["wday"\]=> +diff -up ./ext/date/tests/strtotime3-64bit.phpt.datetests ./ext/date/tests/strtotime3-64bit.phpt +--- ./ext/date/tests/strtotime3-64bit.phpt.datetests 2016-07-21 02:23:03.000000000 +0200 ++++ ./ext/date/tests/strtotime3-64bit.phpt 2016-07-26 07:39:45.713272263 +0200 +@@ -44,7 +44,7 @@ foreach ($strs as $str) { + } + + ?> +---EXPECT-- ++--EXPECTF-- + bool(false) + bool(false) + string(31) "Thu, 15 Jun 2006 00:00:00 +0100" +@@ -53,7 +53,7 @@ bool(false) + string(31) "Fri, 16 Jun 2006 23:49:12 +0100" + bool(false) + string(31) "Fri, 16 Jun 2006 02:22:00 +0100" +-string(31) "Sun, 16 Jun 0222 02:22:00 -0036" ++string(31) "Sun, 16 Jun 0222 02:22:00 %s" + string(31) "Fri, 16 Jun 2006 02:22:33 +0100" + bool(false) + string(31) "Tue, 02 Mar 2004 00:00:00 +0000" diff --git a/SOURCES/php-5.6.3-datetests.patch b/SOURCES/php-5.6.3-datetests.patch deleted file mode 100644 index a29bb63..0000000 --- a/SOURCES/php-5.6.3-datetests.patch +++ /dev/null 
@@ -1,23 +0,0 @@ ---- a/ext/date/tests/bug66985.phpt 2014-10-30 07:32:03.297693403 +0100 -+++ b/ext/date/tests/bug66985.phpt 2014-10-30 07:32:45.138877977 +0100 -@@ -3,7 +3,7 @@ - --FILE-- - 3 -- [timezone] => Factory --) --DateTimeZone Object --( - [timezone_type] => 3 - [timezone] => GB-Eire - ) diff --git a/SOURCES/php-5.6.3-libdb.patch b/SOURCES/php-5.6.3-libdb.patch deleted file mode 100644 index dc0e40b..0000000 --- a/SOURCES/php-5.6.3-libdb.patch +++ /dev/null 
@@ -1,86 +0,0 @@ ---- php-5.4.7/ext/dba/config.m4.orig 2012-09-20 12:23:00.548322754 +0200 -+++ php-5.4.7/ext/dba/config.m4 2012-09-20 12:28:07.656380829 +0200 -@@ -312,57 +312,13 @@ - dbdp4="/usr/local/BerkeleyDB.4." - dbdp5="/usr/local/BerkeleyDB.5." - for i in $PHP_DB4 ${dbdp5}1 ${dbdp5}0 ${dbdp4}8 ${dbdp4}7 ${dbdp4}6 ${dbdp4}5 ${dbdp4}4 ${dbdp4}3 ${dbdp4}2 ${dbdp4}1 ${dbdp}0 /usr/local /usr; do -- if test -f "$i/db5/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/db5/db.h -- break -- elif test -f "$i/db4/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/db4/db.h -- break -- elif test -f "$i/include/db5.1/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db5.1/db.h -- break -- elif test -f "$i/include/db5.0/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db5.0/db.h -- break -- elif test -f "$i/include/db4.8/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db4.8/db.h -- break -- elif test -f "$i/include/db4.7/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db4.7/db.h -- break -- elif test -f "$i/include/db4.6/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db4.6/db.h -- break -- elif test -f "$i/include/db4.5/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db4.5/db.h -- break -- elif test -f "$i/include/db4/db.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db4/db.h -- break -- elif test -f "$i/include/db/db4.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db/db4.h -- break -- elif test -f "$i/include/db4.h"; then -- THIS_PREFIX=$i -- THIS_INCLUDE=$i/include/db4.h -- break -- elif test -f "$i/include/db.h"; then -+ if test -f "$i/include/db.h"; then - THIS_PREFIX=$i - THIS_INCLUDE=$i/include/db.h - break - fi - done -- PHP_DBA_DB_CHECK(4, db-5.1 db-5.0 db-4.8 db-4.7 db-4.6 db-4.5 db-4.4 db-4.3 db-4.2 db-4.1 db-4.0 db-4 db4 db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) -+ PHP_DBA_DB_CHECK(4, db, [(void)db_create((DB**)0, (DB_ENV*)0, 0)]) - fi - PHP_DBA_STD_RESULT(db4,Berkeley DB4) - ---- 
php-5.4.7/ext/dba/dba.c.old 2012-09-19 14:55:23.868456900 +0200 -+++ php-5.4.7/ext/dba/dba.c 2012-09-19 15:02:42.796009320 +0200 -@@ -52,6 +52,10 @@ - #include "php_qdbm.h" - #include "php_tcadb.h" - -+#ifdef DB4_INCLUDE_FILE -+#include DB4_INCLUDE_FILE -+#endif -+ - /* {{{ arginfo */ - ZEND_BEGIN_ARG_INFO_EX(arginfo_dba_popen, 0, 0, 2) - ZEND_ARG_INFO(0, path) -@@ -535,6 +539,10 @@ - - php_info_print_table_start(); - php_info_print_table_row(2, "DBA support", "enabled"); -+#ifdef DB_VERSION_STRING -+ php_info_print_table_row(2, "libdb header version", DB_VERSION_STRING); -+ php_info_print_table_row(2, "libdb library version", db_version(NULL, NULL, NULL)); -+#endif - if (handlers.c) { - smart_str_0(&handlers); - php_info_print_table_row(2, "Supported handlers", handlers.c); diff --git a/SOURCES/php-5.6.3-systzdata-v11.patch b/SOURCES/php-5.6.3-systzdata-v11.patch deleted file mode 100644 index bfca49b..0000000 --- a/SOURCES/php-5.6.3-systzdata-v11.patch +++ /dev/null 
@@ -1,655 +0,0 @@ -Add support for use of the system timezone database, rather -than embedding a copy. Discussed upstream but was not desired. - -History: -r11: use canonical names to avoid more case sensitivity issues - round lat/long from zone.tab towards zero per builtin db -r10: make timezone case insensitive -r9: fix another compile error without --with-system-tzdata configured (Michael Heimpold) -r8: fix compile error without --with-system-tzdata configured -r7: improve check for valid timezone id to exclude directories -r6: fix fd leak in r5, fix country code/BC flag use in - timezone_identifiers_list() using system db, - fix use of PECL timezonedb to override system db, -r5: reverts addition of "System/Localtime" fake tzname. - updated for 5.3.0, parses zone.tab to pick up mapping between - timezone name, country code and long/lat coords -r4: added "System/Localtime" tzname which uses /etc/localtime -r3: fix a crash if /usr/share/zoneinfo doesn't exist (Raphael Geissert) -r2: add filesystem trawl to set up name alias index -r1: initial revision - -diff --git a/ext/date/lib/parse_tz.c b/ext/date/lib/parse_tz.c -index 5d2aec9..671b398 100644 ---- a/ext/date/lib/parse_tz.c -+++ b/ext/date/lib/parse_tz.c -@@ -20,6 +20,16 @@ - - #include "timelib.h" - -+#ifdef HAVE_SYSTEM_TZDATA -+#include -+#include -+#include -+#include -+#include -+ -+#include "php_scandir.h" -+#endif -+ - #include - - #ifdef HAVE_LOCALE_H -@@ -31,7 +41,12 @@ - #else - #include - #endif -+ -+#ifndef HAVE_SYSTEM_TZDATA - #include "timezonedb.h" -+#endif -+ -+#include - - #if (defined(__APPLE__) || defined(__APPLE_CC__)) && (defined(__BIG_ENDIAN__) || defined(__LITTLE_ENDIAN__)) - # if defined(__LITTLE_ENDIAN__) -@@ -51,9 +66,14 @@ - - static void read_preamble(const unsigned char **tzf, timelib_tzinfo *tz) - { -- /* skip ID */ -- *tzf += 4; -- -+ if (memcmp(tzf, "TZif", 4) == 0) { -+ *tzf += 20; -+ return; -+ } -+ -+ /* skip ID */ -+ *tzf += 4; -+ - /* read BC flag */ - tz->bc = (**tzf == 
'\1'); - *tzf += 1; -@@ -256,7 +276,418 @@ void timelib_dump_tzinfo(timelib_tzinfo *tz) - } - } - --static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) -+#ifdef HAVE_SYSTEM_TZDATA -+ -+#ifdef HAVE_SYSTEM_TZDATA_PREFIX -+#define ZONEINFO_PREFIX HAVE_SYSTEM_TZDATA_PREFIX -+#else -+#define ZONEINFO_PREFIX "/usr/share/zoneinfo" -+#endif -+ -+/* System timezone database pointer. */ -+static const timelib_tzdb *timezonedb_system; -+ -+/* Hash table entry for the cache of the zone.tab mapping table. */ -+struct location_info { -+ char code[2]; -+ double latitude, longitude; -+ char name[64]; -+ char *comment; -+ struct location_info *next; -+}; -+ -+/* Cache of zone.tab. */ -+static struct location_info **system_location_table; -+ -+/* Size of the zone.tab hash table; a random-ish prime big enough to -+ * prevent too many collisions. */ -+#define LOCINFO_HASH_SIZE (1021) -+ -+/* Compute a case insensitive hash of str */ -+static uint32_t tz_hash(const char *str) -+{ -+ const unsigned char *p = (const unsigned char *)str; -+ uint32_t hash = 5381; -+ int c; -+ -+ while ((c = tolower(*p++)) != '\0') { -+ hash = (hash << 5) ^ hash ^ c; -+ } -+ -+ return hash % LOCINFO_HASH_SIZE; -+} -+ -+/* Parse an ISO-6709 date as used in zone.tab. Returns end of the -+ * parsed string on success, or NULL on parse error. On success, -+ * writes the parsed number to *result. 
*/ -+static char *parse_iso6709(char *p, double *result) -+{ -+ double v, sign; -+ char *pend; -+ size_t len; -+ -+ if (*p == '+') -+ sign = 1.0; -+ else if (*p == '-') -+ sign = -1.0; -+ else -+ return NULL; -+ -+ p++; -+ for (pend = p; *pend >= '0' && *pend <= '9'; pend++) -+ ;; -+ -+ /* Annoying encoding used by zone.tab has no decimal point, so use -+ * the length to determine the format: -+ * -+ * 4 = DDMM -+ * 5 = DDDMM -+ * 6 = DDMMSS -+ * 7 = DDDMMSS -+ */ -+ len = pend - p; -+ if (len < 4 || len > 7) { -+ return NULL; -+ } -+ -+ /* p => [D]DD */ -+ v = (p[0] - '0') * 10.0 + (p[1] - '0'); -+ p += 2; -+ if (len == 5 || len == 7) -+ v = v * 10.0 + (*p++ - '0'); -+ /* p => MM[SS] */ -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 60.0; -+ p += 2; -+ /* p => [SS] */ -+ if (len > 5) { -+ v += (10.0 * (p[0] - '0') -+ + p[1] - '0') / 3600.0; -+ p += 2; -+ } -+ -+ /* Round to five decimal place, not because it's a good idea, -+ * but, because the builtin data uses rounded data, so, match -+ * that. */ -+ *result = trunc(v * sign * 100000.0) / 100000.0; -+ -+ return p; -+} -+ -+/* This function parses the zone.tab file to build up the mapping of -+ * timezone to country code and geographic location, and returns a -+ * hash table. 
The hash table is indexed by the function: -+ * -+ * tz_hash(timezone-name) -+ */ -+static struct location_info **create_location_table(void) -+{ -+ struct location_info **li, *i; -+ char zone_tab[PATH_MAX]; -+ char line[512]; -+ FILE *fp; -+ -+ strncpy(zone_tab, ZONEINFO_PREFIX "/zone.tab", sizeof zone_tab); -+ -+ fp = fopen(zone_tab, "r"); -+ if (!fp) { -+ return NULL; -+ } -+ -+ li = calloc(LOCINFO_HASH_SIZE, sizeof *li); -+ -+ while (fgets(line, sizeof line, fp)) { -+ char *p = line, *code, *name, *comment; -+ uint32_t hash; -+ double latitude, longitude; -+ -+ while (isspace(*p)) -+ p++; -+ -+ if (*p == '#' || *p == '\0' || *p == '\n') -+ continue; -+ -+ if (!isalpha(p[0]) || !isalpha(p[1]) || p[2] != '\t') -+ continue; -+ -+ /* code => AA */ -+ code = p; -+ p[2] = 0; -+ p += 3; -+ -+ /* coords => [+-][D]DDMM[SS][+-][D]DDMM[SS] */ -+ p = parse_iso6709(p, &latitude); -+ if (!p) { -+ continue; -+ } -+ p = parse_iso6709(p, &longitude); -+ if (!p) { -+ continue; -+ } -+ -+ if (!p || *p != '\t') { -+ continue; -+ } -+ -+ /* name = string */ -+ name = ++p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ *p++ = '\0'; -+ -+ /* comment = string */ -+ comment = p; -+ while (*p != '\t' && *p && *p != '\n') -+ p++; -+ -+ if (*p == '\n' || *p == '\t') -+ *p = '\0'; -+ -+ hash = tz_hash(name); -+ i = malloc(sizeof *i); -+ memcpy(i->code, code, 2); -+ strncpy(i->name, name, sizeof i->name); -+ i->comment = strdup(comment); -+ i->longitude = longitude; -+ i->latitude = latitude; -+ i->next = li[hash]; -+ li[hash] = i; -+ /* printf("%s [%u, %f, %f]\n", name, hash, latitude, longitude); */ -+ } -+ -+ fclose(fp); -+ -+ return li; -+} -+ -+/* Return location info from hash table, using given timezone name. -+ * Returns NULL if the name could not be found. 
*/ -+const struct location_info *find_zone_info(struct location_info **li, -+ const char *name) -+{ -+ uint32_t hash = tz_hash(name); -+ const struct location_info *l; -+ -+ if (!li) { -+ return NULL; -+ } -+ -+ for (l = li[hash]; l; l = l->next) { -+ if (strcasecmp(l->name, name) == 0) -+ return l; -+ } -+ -+ return NULL; -+} -+ -+/* Filter out some non-tzdata files and the posix/right databases, if -+ * present. */ -+static int index_filter(const struct dirent *ent) -+{ -+ return strcmp(ent->d_name, ".") != 0 -+ && strcmp(ent->d_name, "..") != 0 -+ && strcmp(ent->d_name, "posix") != 0 -+ && strcmp(ent->d_name, "posixrules") != 0 -+ && strcmp(ent->d_name, "right") != 0 -+ && strstr(ent->d_name, ".tab") == NULL; -+} -+ -+static int sysdbcmp(const void *first, const void *second) -+{ -+ const timelib_tzdb_index_entry *alpha = first, *beta = second; -+ -+ return strcasecmp(alpha->id, beta->id); -+} -+ -+ -+/* Create the zone identifier index by trawling the filesystem. */ -+static void create_zone_index(timelib_tzdb *db) -+{ -+ size_t dirstack_size, dirstack_top; -+ size_t index_size, index_next; -+ timelib_tzdb_index_entry *db_index; -+ char **dirstack; -+ -+ /* LIFO stack to hold directory entries to scan; each slot is a -+ * directory name relative to the zoneinfo prefix. */ -+ dirstack_size = 32; -+ dirstack = malloc(dirstack_size * sizeof *dirstack); -+ dirstack_top = 1; -+ dirstack[0] = strdup(""); -+ -+ /* Index array. */ -+ index_size = 64; -+ db_index = malloc(index_size * sizeof *db_index); -+ index_next = 0; -+ -+ do { -+ struct dirent **ents; -+ char name[PATH_MAX], *top; -+ int count; -+ -+ /* Pop the top stack entry, and iterate through its contents. 
*/ -+ top = dirstack[--dirstack_top]; -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s", top); -+ -+ count = php_scandir(name, &ents, index_filter, php_alphasort); -+ -+ while (count > 0) { -+ struct stat st; -+ const char *leaf = ents[count - 1]->d_name; -+ -+ snprintf(name, sizeof name, ZONEINFO_PREFIX "/%s/%s", -+ top, leaf); -+ -+ if (strlen(name) && stat(name, &st) == 0) { -+ /* Name, relative to the zoneinfo prefix. */ -+ const char *root = top; -+ -+ if (root[0] == '/') root++; -+ -+ snprintf(name, sizeof name, "%s%s%s", root, -+ *root ? "/": "", leaf); -+ -+ if (S_ISDIR(st.st_mode)) { -+ if (dirstack_top == dirstack_size) { -+ dirstack_size *= 2; -+ dirstack = realloc(dirstack, -+ dirstack_size * sizeof *dirstack); -+ } -+ dirstack[dirstack_top++] = strdup(name); -+ } -+ else { -+ if (index_next == index_size) { -+ index_size *= 2; -+ db_index = realloc(db_index, -+ index_size * sizeof *db_index); -+ } -+ -+ db_index[index_next++].id = strdup(name); -+ } -+ } -+ -+ free(ents[--count]); -+ } -+ -+ if (count != -1) free(ents); -+ free(top); -+ } while (dirstack_top); -+ -+ qsort(db_index, index_next, sizeof *db_index, sysdbcmp); -+ -+ db->index = db_index; -+ db->index_size = index_next; -+ -+ free(dirstack); -+} -+ -+#define FAKE_HEADER "1234\0??\1??" -+#define FAKE_UTC_POS (7 - 4) -+ -+/* Create a fake data segment for database 'sysdb'. */ -+static void fake_data_segment(timelib_tzdb *sysdb, -+ struct location_info **info) -+{ -+ size_t n; -+ char *data, *p; -+ -+ data = malloc(3 * sysdb->index_size + 7); -+ -+ p = mempcpy(data, FAKE_HEADER, sizeof(FAKE_HEADER) - 1); -+ -+ for (n = 0; n < sysdb->index_size; n++) { -+ const struct location_info *li; -+ timelib_tzdb_index_entry *ent; -+ -+ ent = (timelib_tzdb_index_entry *)&sysdb->index[n]; -+ -+ /* Lookup the timezone name in the hash table. 
*/ -+ if (strcmp(ent->id, "UTC") == 0) { -+ ent->pos = FAKE_UTC_POS; -+ continue; -+ } -+ -+ li = find_zone_info(info, ent->id); -+ if (li) { -+ /* If found, append the BC byte and the -+ * country code; set the position for this -+ * section of timezone data. */ -+ ent->pos = (p - data) - 4; -+ *p++ = '\1'; -+ *p++ = li->code[0]; -+ *p++ = li->code[1]; -+ } -+ else { -+ /* If not found, the timezone data can -+ * point at the header. */ -+ ent->pos = 0; -+ } -+ } -+ -+ sysdb->data = (unsigned char *)data; -+} -+ -+/* Returns true if the passed-in stat structure describes a -+ * probably-valid timezone file. */ -+static int is_valid_tzfile(const struct stat *st) -+{ -+ return S_ISREG(st->st_mode) && st->st_size > 20; -+} -+ -+/* To allow timezone names to be used case-insensitively, find the -+ * canonical name for this timezone, if possible. */ -+static const char *canonical_tzname(const char *timezone) -+{ -+ if (timezonedb_system) { -+ timelib_tzdb_index_entry *ent, lookup; -+ -+ lookup.id = (char *)timezone; -+ -+ ent = bsearch(&lookup, timezonedb_system->index, -+ timezonedb_system->index_size, sizeof lookup, -+ sysdbcmp); -+ if (ent) { -+ return ent->id; -+ } -+ } -+ -+ return timezone; -+} -+ -+/* Return the mmap()ed tzfile if found, else NULL. On success, the -+ * length of the mapped data is placed in *length. */ -+static char *map_tzfile(const char *timezone, size_t *length) -+{ -+ char fname[PATH_MAX]; -+ struct stat st; -+ char *p; -+ int fd; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return NULL; -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ fd = open(fname, O_RDONLY); -+ if (fd == -1) { -+ return NULL; -+ } else if (fstat(fd, &st) != 0 || !is_valid_tzfile(&st)) { -+ close(fd); -+ return NULL; -+ } -+ -+ *length = st.st_size; -+ p = mmap(NULL, st.st_size, PROT_READ, MAP_SHARED, fd, 0); -+ close(fd); -+ -+ return p != MAP_FAILED ? 
p : NULL; -+} -+ -+#endif -+ -+static int inmem_seek_to_tz_position(const unsigned char **tzf, char *timezone, const timelib_tzdb *tzdb) - { - int left = 0, right = tzdb->index_size - 1; - #ifdef HAVE_SETLOCALE -@@ -295,36 +726,135 @@ static int seek_to_tz_position(const unsigned char **tzf, char *timezone, const - return 0; - } - -+static int seek_to_tz_position(const unsigned char **tzf, char *timezone, -+ char **map, size_t *maplen, -+ const timelib_tzdb *tzdb) -+{ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char *orig; -+ -+ orig = map_tzfile(timezone, maplen); -+ if (orig == NULL) { -+ return 0; -+ } -+ -+ (*tzf) = (unsigned char *)orig ; -+ *map = orig; -+ -+ return 1; -+ } -+ else -+#endif -+ { -+ return inmem_seek_to_tz_position(tzf, timezone, tzdb); -+ } -+} -+ - const timelib_tzdb *timelib_builtin_db(void) - { -+#ifdef HAVE_SYSTEM_TZDATA -+ if (timezonedb_system == NULL) { -+ timelib_tzdb *tmp = malloc(sizeof *tmp); -+ -+ tmp->version = "0.system"; -+ tmp->data = NULL; -+ create_zone_index(tmp); -+ system_location_table = create_location_table(); -+ fake_data_segment(tmp, system_location_table); -+ timezonedb_system = tmp; -+ } -+ -+ -+ return timezonedb_system; -+#else - return &timezonedb_builtin; -+#endif - } - - const timelib_tzdb_index_entry *timelib_timezone_builtin_identifiers_list(int *count) - { -+#ifdef HAVE_SYSTEM_TZDATA -+ *count = timezonedb_system->index_size; -+ return timezonedb_system->index; -+#else - *count = sizeof(timezonedb_idx_builtin) / sizeof(*timezonedb_idx_builtin); - return timezonedb_idx_builtin; -+#endif - } - - int timelib_timezone_id_is_valid(char *timezone, const timelib_tzdb *tzdb) - { - const unsigned char *tzf; -- return (seek_to_tz_position(&tzf, timezone, tzdb)); -+ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (tzdb == timezonedb_system) { -+ char fname[PATH_MAX]; -+ struct stat st; -+ -+ if (timezone[0] == '\0' || strstr(timezone, "..") != NULL) { -+ return 0; -+ } -+ -+ if (system_location_table) { -+ if 
(find_zone_info(system_location_table, timezone) != NULL) { -+ /* found in cache */ -+ return 1; -+ } -+ } -+ -+ snprintf(fname, sizeof fname, ZONEINFO_PREFIX "/%s", canonical_tzname(timezone)); -+ -+ return stat(fname, &st) == 0 && is_valid_tzfile(&st); -+ } -+#endif -+ -+ return (inmem_seek_to_tz_position(&tzf, timezone, tzdb)); - } - - timelib_tzinfo *timelib_parse_tzfile(char *timezone, const timelib_tzdb *tzdb) - { - const unsigned char *tzf; -+ char *memmap = NULL; -+ size_t maplen; - timelib_tzinfo *tmp; - -- if (seek_to_tz_position(&tzf, timezone, tzdb)) { -+ if (seek_to_tz_position(&tzf, timezone, &memmap, &maplen, tzdb)) { - tmp = timelib_tzinfo_ctor(timezone); - - read_preamble(&tzf, tmp); - read_header(&tzf, tmp); - read_transistions(&tzf, tmp); - read_types(&tzf, tmp); -- read_location(&tzf, tmp); -+ -+#ifdef HAVE_SYSTEM_TZDATA -+ if (memmap) { -+ const struct location_info *li; -+ -+ /* TZif-style - grok the location info from the system database, -+ * if possible. */ -+ -+ if ((li = find_zone_info(system_location_table, timezone)) != NULL) { -+ tmp->location.comments = strdup(li->comment); -+ strncpy(tmp->location.country_code, li->code, 2); -+ tmp->location.longitude = li->longitude; -+ tmp->location.latitude = li->latitude; -+ tmp->bc = 1; -+ } -+ else { -+ strcpy(tmp->location.country_code, "??"); -+ tmp->bc = 0; -+ tmp->location.comments = strdup(""); -+ } -+ -+ /* Now done with the mmap segment - discard it. */ -+ munmap(memmap, maplen); -+ } else -+#endif -+ { -+ /* PHP-style - use the embedded info. 
*/ -+ read_location(&tzf, tmp); -+ } - } else { - tmp = NULL; - } -diff --git a/ext/date/lib/timelib.m4 b/ext/date/lib/timelib.m4 -index c725572..4c837c7 100644 ---- a/ext/date/lib/timelib.m4 -+++ b/ext/date/lib/timelib.m4 -@@ -78,3 +78,17 @@ stdlib.h - - dnl Check for strtoll, atoll - AC_CHECK_FUNCS(strtoll atoll strftime) -+ -+PHP_ARG_WITH(system-tzdata, for use of system timezone data, -+[ --with-system-tzdata[=DIR] to specify use of system timezone data], -+no, no) -+ -+if test "$PHP_SYSTEM_TZDATA" != "no"; then -+ AC_DEFINE(HAVE_SYSTEM_TZDATA, 1, [Define if system timezone data is used]) -+ -+ if test "$PHP_SYSTEM_TZDATA" != "yes"; then -+ AC_DEFINE_UNQUOTED(HAVE_SYSTEM_TZDATA_PREFIX, "$PHP_SYSTEM_TZDATA", -+ [Define for location of system timezone data]) -+ fi -+fi -+ - diff --git a/SOURCES/php-5.6.5-CVE-2014-9705.patch b/SOURCES/php-5.6.5-CVE-2014-9705.patch deleted file mode 100644 index 5ce115d..0000000 --- a/SOURCES/php-5.6.5-CVE-2014-9705.patch +++ /dev/null 
@@ -1,49 +0,0 @@
-From bdfe457a2c1b47209e32783b3a6447e81baf179a Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Mon, 16 Feb 2015 06:50:10 +0100
-Subject: [PATCH] Port for for bug #68552
-
----
- NEWS | 6 ++++++
- ext/enchant/enchant.c | 7 +++----
- 2 files changed, 9 insertions(+), 4 deletions(-)
-
-diff --git a/ext/enchant/enchant.c b/ext/enchant/enchant.c
-index 6de2fea..0eb8144 100644
---- a/ext/enchant/enchant.c
-+++ b/ext/enchant/enchant.c
-@@ -550,13 +550,12 @@ PHP_FUNCTION(enchant_broker_request_dict)
-
- d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
- if (d) {
-+ pos = pbroker->dictcnt++;
- if (pbroker->dictcnt) {
- pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
-- pos = pbroker->dictcnt++;
- } else {
- pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
- pos = 0;
-- pbroker->dictcnt++;
- }
-
- dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
-@@ -607,14 +606,14 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict)
-
- d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
- if (d) {
-+ pos = pbroker->dictcnt++;
- if (pbroker->dictcnt) {
-- pos = pbroker->dictcnt++;
- pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
- } else {
- pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
- pos = 0;
-- pbroker->dictcnt++;
- }
-+
- dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
- dict->id = pos;
- dict->pbroker = pbroker;
---
-2.1.4
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-0273.patch b/SOURCES/php-5.6.5-CVE-2015-0273.patch
deleted file mode 100644
index 3485d19..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-0273.patch
+++ /dev/null
@@ -1,160 +0,0 @@ -From 29a4e710de6a73341da3d268343fdfc072ba682a Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 17 Feb 2015 06:53:27 +0100 -Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize() - with DateTimeZone) - ---- - NEWS | 2 ++ - ext/date/php_date.c | 21 ++++++++++----------- - ext/date/tests/bug68942.phpt | 9 +++++++++ - ext/date/tests/bug68942_2.phpt | 9 +++++++++ - 4 files changed, 30 insertions(+), 11 deletions(-) - create mode 100644 ext/date/tests/bug68942.phpt - create mode 100644 ext/date/tests/bug68942_2.phpt - -diff --git a/ext/date/php_date.c b/ext/date/php_date.c -index 58e23c0..909377b 100644 ---- a/ext/date/php_date.c -+++ b/ext/date/php_date.c -@@ -2807,12 +2807,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht - timelib_tzinfo *tzi; - php_timezone_obj *tzobj; - -- if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) { -- convert_to_string(*z_date); -- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { -- convert_to_long(*z_timezone_type); -- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { -- convert_to_string(*z_timezone); -+ if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) { -+ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { -+ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { - - switch (Z_LVAL_PP(z_timezone_type)) { - case TIMELIB_ZONETYPE_OFFSET: -@@ -2827,7 +2830,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht - - case TIMELIB_ZONETYPE_ID: { - int ret; -- convert_to_string(*z_timezone); - - tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC); - -@@ -3744,9 +3740,8 @@ static int php_date_timezone_initialize_from_hash(zval 
**return_value, php_timez - zval **z_timezone = NULL; - zval **z_timezone_type = NULL; - -- if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) { -+ if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { - if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { -- convert_to_long(*z_timezone_type); - if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) { - return SUCCESS; - } -@@ -3771,7 +3766,9 @@ PHP_METHOD(DateTimeZone, __set_state) - - php_date_instantiate(date_ce_timezone, return_value TSRMLS_CC); - tzobj = (php_timezone_obj *) zend_object_store_get_object(return_value TSRMLS_CC); -- php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC); -+ if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { -+ php_error_docref(NULL, E_ERROR, "Timezone initialization failed"); -+ } - } - /* }}} */ - -@@ -3787,7 +3784,9 @@ PHP_METHOD(DateTimeZone, __wakeup) - - myht = Z_OBJPROP_P(object); - -- php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC); -+ if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { -+ php_error_docref(NULL, E_ERROR, "Timezone initialization failed"); -+ } - } - /* }}} */ - -diff --git a/ext/date/tests/bug68942.phpt b/ext/date/tests/bug68942.phpt -new file mode 100644 -index 0000000..595cd9f ---- /dev/null -+++ b/ext/date/tests/bug68942.phpt -@@ -0,0 +1,9 @@ -+--TEST-- -+Bug #68942 (Use after free vulnerability in unserialize() with DateTimeZone). 
-+--FILE-- -+ -+--EXPECTF-- -+Fatal error: DateTimeZone::__wakeup(): Timezone initialization failed in %s/bug68942.php on line %d -diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt -new file mode 100644 -index 0000000..5b02567 ---- /dev/null -+++ b/ext/date/tests/bug68942_2.phpt -@@ -0,0 +1,9 @@ -+--TEST-- -+Bug #68942 (Use after free vulnerability in unserialize() with DateTime). -+--FILE-- -+ -+--EXPECTF-- -+Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d -From 213725057e0625829615f90f76cbb0172f757a33 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 17 Feb 2015 07:47:12 +0100 -Subject: [PATCH] fix TS build - ---- - ext/date/php_date.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ext/date/php_date.c b/ext/date/php_date.c -index 909377b..720cdb6 100644 ---- a/ext/date/php_date.c -+++ b/ext/date/php_date.c -@@ -3767,7 +3767,7 @@ PHP_METHOD(DateTimeZone, __set_state) - php_date_instantiate(date_ce_timezone, return_value TSRMLS_CC); - tzobj = (php_timezone_obj *) zend_object_store_get_object(return_value TSRMLS_CC); - if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { -- php_error_docref(NULL, E_ERROR, "Timezone initialization failed"); -+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Timezone initialization failed"); - } - } - /* }}} */ -@@ -3785,7 +3785,7 @@ PHP_METHOD(DateTimeZone, __wakeup) - myht = Z_OBJPROP_P(object); - - if(php_date_timezone_initialize_from_hash(&return_value, &tzobj, myht TSRMLS_CC) != SUCCESS) { -- php_error_docref(NULL, E_ERROR, "Timezone initialization failed"); -+ php_error_docref(NULL TSRMLS_CC, E_ERROR, "Timezone initialization failed"); - } - } - /* }}} */ -From e441d71baae89bdc5dc6f75407b4a8f5e42b8fa9 Mon Sep 17 00:00:00 2001 -From: Taoguang Chen -Date: Fri, 27 Feb 2015 10:41:53 +0800 -Subject: [PATCH] fix bug#68942's patch - -Fix type confusion bug in unserialize() with 
DateTimeZone. https://bugs.php.net/bug.php?id=68942 ---- - ext/date/php_date.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ext/date/php_date.c b/ext/date/php_date.c -index 720cdb6..81f6ae4 100644 ---- a/ext/date/php_date.c -+++ b/ext/date/php_date.c -@@ -3741,7 +3741,7 @@ static int php_date_timezone_initialize_from_hash(zval **return_value, php_timez - zval **z_timezone_type = NULL; - - if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) { -- if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) { -+ if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) { - if (SUCCESS == timezone_initialize(*tzobj, Z_STRVAL_PP(z_timezone) TSRMLS_CC)) { - return SUCCESS; - } diff --git a/SOURCES/php-5.6.5-CVE-2015-1351.patch b/SOURCES/php-5.6.5-CVE-2015-1351.patch deleted file mode 100644 index 40f73a3..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-1351.patch +++ /dev/null 
@@ -1,26 +0,0 @@
-From 0a8f28b43212cc2ddbc1f2df710e37b1bec0addd Mon Sep 17 00:00:00 2001
-From: Xinchen Hui
-Date: Thu, 8 Jan 2015 16:32:20 +0800
-Subject: [PATCH] Fixed bug #68677 (Use After Free in OPcache)
-
-(cherry picked from commit 777c39f4042327eac4b63c7ee87dc1c7a09a3115)
----
- ext/opcache/zend_shared_alloc.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ext/opcache/zend_shared_alloc.c b/ext/opcache/zend_shared_alloc.c
-index bbe26e8..8880b88 100644
---- a/ext/opcache/zend_shared_alloc.c
-+++ b/ext/opcache/zend_shared_alloc.c
-@@ -346,10 +346,10 @@ void *_zend_shared_memdup(void *source, size_t size, zend_bool free_source TSRML
- retval = ZCG(mem);;
- ZCG(mem) = (void*)(((char*)ZCG(mem)) + ZEND_ALIGNED_SIZE(size));
- memcpy(retval, source, size);
-+ zend_shared_alloc_register_xlat_entry(source, retval);
- if (free_source) {
- interned_efree((char*)source);
- }
-- zend_shared_alloc_register_xlat_entry(source, retval);
- return retval;
- }
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-1352.patch b/SOURCES/php-5.6.5-CVE-2015-1352.patch
deleted file mode 100644
index 5f16565..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-1352.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -From 968fbc6acf0bc27be17c0209be7f966e89a55943 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 22 Mar 2015 18:20:59 -0700 -Subject: [PATCH] Bacport fix bug #68741 - Null pointer dereference - ---- - NEWS | 3 +++ - ext/pgsql/pgsql.c | 3 +++ - 2 files changed, 6 insertions(+) - -diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c -index 16ce7bf..eb55777 100644 ---- a/ext/pgsql/pgsql.c -+++ b/ext/pgsql/pgsql.c -@@ -6484,6 +6484,9 @@ static inline void build_tablename(smart_str *querystr, PGconn *pg_link, const c - /* schame.table should be "schame"."table" */ - table_copy = estrdup(table); - token = php_strtok_r(table_copy, ".", &tmp); -+ if (token == NULL) { -+ token = table; -+ } - len = strlen(token); - if (_php_pgsql_detect_identifier_escape(token, len) == SUCCESS) { - smart_str_appendl(querystr, token, len); --- -2.1.4 - -From 2cc4e69cc6d8dbc4b3568ad3dd583324a7c11d64 Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Wed, 20 May 2015 08:08:41 +0200 -Subject: [PATCH] Fixed Bug #69667 segfault in php_pgsql_meta_data - -Incomplete fix for #68741 ---- - ext/pgsql/pg_insert_002.phpt | 27 +++++++++++++++++++++++++++ - ext/pgsql/pgsql.c | 9 +++++++-- - 2 files changed, 34 insertions(+), 2 deletions(-) - create mode 100644 ext/pgsql/pg_insert_002.phpt - -diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c -index 23d55cb..5418b3c 100644 ---- a/ext/pgsql/pgsql.c -+++ b/ext/pgsql/pgsql.c -@@ -5463,7 +5463,11 @@ PHP_PGSQL_API int php_pgsql_meta_data(PGconn *pg_link, const char *table_name, z - - src = estrdup(table_name); - tmp_name = php_strtok_r(src, ".", &tmp_name2); -- -+ if (!tmp_name) { -+ efree(src); -+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "The table name must be specified"); -+ return FAILURE; -+ } - if (!tmp_name2 || !*tmp_name2) { - /* Default schema */ - tmp_name2 = tmp_name; -@@ -6478,7 +6486,8 @@ static int do_exec(smart_str *querystr, int expect, PGconn *pg_link, ulong opt T - - static inline void build_tablename(smart_str 
*querystr, PGconn *pg_link, const char *table) - { -- char *table_copy, *escaped, *token, *tmp; -+ char *table_copy, *escaped, *tmp; -+ const char *token; - size_t len; - - /* schame.table should be "schame"."table" */ --- -2.1.4 - -From 3be4e5d71af3d7f495876fabd5a9ce46580e2d0d Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Wed, 20 May 2015 14:02:13 +0200 -Subject: [PATCH] move test - ---- - ext/pgsql/pg_insert_002.phpt | 27 --------------------------- - ext/pgsql/tests/pg_insert_002.phpt | 27 +++++++++++++++++++++++++++ - 2 files changed, 27 insertions(+), 27 deletions(-) - delete mode 100644 ext/pgsql/pg_insert_002.phpt - create mode 100644 ext/pgsql/tests/pg_insert_002.phpt - -diff --git a/ext/pgsql/tests/pg_insert_002.phpt b/ext/pgsql/tests/pg_insert_002.phpt -new file mode 100644 -index 0000000..87d87b8 ---- /dev/null -+++ b/ext/pgsql/tests/pg_insert_002.phpt -@@ -0,0 +1,27 @@ -+--TEST-- -+PostgreSQL pg_select() - basic test using schema -+--SKIPIF-- -+ -+--FILE-- -+ 1, 'id2' => 1))); -+} -+?> -+Done -+--EXPECTF-- -+ -+Warning: pg_insert(): The table name must be specified in %s on line %d -+bool(false) -+ -+Warning: pg_insert(): The table name must be specified in %s on line %d -+bool(false) -+ -+Warning: pg_insert(): The table name must be specified in %s on line %d -+bool(false) -+Done -\ No newline at end of file --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-2301.patch b/SOURCES/php-5.6.5-CVE-2015-2301.patch deleted file mode 100644 index d6906fb..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-2301.patch +++ /dev/null 
@@ -1,24 +0,0 @@
-From 920a0afbf8f83962c70aaf9a144810f320be92b3 Mon Sep 17 00:00:00 2001
-From: Xinchen Hui
-Date: Thu, 29 Jan 2015 00:00:09 +0800
-Subject: [PATCH] Fixed bug #68901 (use after free)
-
----
- NEWS | 3 +++
- ext/phar/phar_object.c | 2 +-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
-index a021200..add1fa0 100644
---- a/ext/phar/phar_object.c
-+++ b/ext/phar/phar_object.c
-@@ -2141,8 +2141,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
- }
- its_ok:
- if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {
-- efree(oldpath);
- zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);
-+ efree(oldpath);
- return NULL;
- }
- if (!phar->is_data) {
diff --git a/SOURCES/php-5.6.5-CVE-2015-2305.patch b/SOURCES/php-5.6.5-CVE-2015-2305.patch
deleted file mode 100644
index e3309f4..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-2305.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From fb04dcf6dbb48aecd8d2dc986806cb58c8ae5282 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Tue, 17 Mar 2015 17:04:57 -0700
-Subject: [PATCH] Fix bug #69248 - heap overflow vulnerability in regcomp.c
-
-Merged from https://github.com/garyhouston/regex/commit/70bc2965604b6b8aaf260049e64c708dddf85334
----
- NEWS | 3 +++
- ext/ereg/regex/regcomp.c | 10 +++++++++-
- 2 files changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/ext/ereg/regex/regcomp.c b/ext/ereg/regex/regcomp.c
-index 156eee9..f4bfc1c 100644
---- a/ext/ereg/regex/regcomp.c
-+++ b/ext/ereg/regex/regcomp.c
-@@ -117,7 +117,15 @@ int cflags;
- (NC-1)*sizeof(cat_t));
- if (g == NULL)
- return(REG_ESPACE);
-- p->ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
-+ {
-+ /* Patched for CERT Vulnerability Note VU#695940, Feb 2015. */
-+ size_t new_ssize = len/(size_t)2*(size_t)3 + (size_t)1; /* ugh */
-+ if (new_ssize < len || new_ssize > LONG_MAX / sizeof(sop)) {
-+ free((char *) g);
-+ return REG_INVARG;
-+ }
-+ p->ssize = new_ssize;
-+ }
- p->strip = (sop *)malloc(p->ssize * sizeof(sop));
- p->slen = 0;
- if (p->strip == NULL) {
---
-2.1.4
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-2331.patch b/SOURCES/php-5.6.5-CVE-2015-2331.patch
deleted file mode 100644
index 0cbc9c7..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-2331.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From ef8fc4b53d92fbfcd8ef1abbd6f2f5fe2c4a11e5 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Tue, 17 Mar 2015 21:59:56 -0700
-Subject: [PATCH] Fix bug #69253 - ZIP Integer Overflow leads to writing past
- heap boundary
-
----
- NEWS | 4 ++++
- ext/zip/lib/zip_dirent.c | 2 +-
- 2 files changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/ext/zip/lib/zip_dirent.c b/ext/zip/lib/zip_dirent.c
-index b9dac5c..0090801 100644
---- a/ext/zip/lib/zip_dirent.c
-+++ b/ext/zip/lib/zip_dirent.c
-@@ -110,7 +110,7 @@
-
- if (nentry == 0)
- cd->entry = NULL;
-- else if ((cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
-+ else if (nentry > ((size_t)-1)/sizeof(*(cd->entry)) || (cd->entry=(struct zip_entry *)malloc(sizeof(*(cd->entry))*(size_t)nentry)) == NULL) {
- _zip_error_set(error, ZIP_ER_MEMORY, 0);
- free(cd);
- return NULL;
diff --git a/SOURCES/php-5.6.5-CVE-2015-2348.patch b/SOURCES/php-5.6.5-CVE-2015-2348.patch
deleted file mode 100644
index eb0ff92..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-2348.patch
+++ /dev/null
@@ -1,23 +0,0 @@
-From 1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Tue, 17 Mar 2015 12:47:58 -0700
-Subject: [PATCH] Fix bug #69207 - move_uploaded_file allows nulls in path
-
----
- NEWS | 3 +++
- ext/standard/basic_functions.c | 2 +-
- 2 files changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
-index 9a9df30..c3e2230 100644
---- a/ext/standard/basic_functions.c
-+++ b/ext/standard/basic_functions.c
-@@ -5798,7 +5798,7 @@ PHP_FUNCTION(move_uploaded_file)
- RETURN_FALSE;
- }
-
-- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
-+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sp", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
- return;
- }
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-2783.patch b/SOURCES/php-5.6.5-CVE-2015-2783.patch
deleted file mode 100644
index 087ee97..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-2783.patch
+++ /dev/null
@@ -1,255 +0,0 @@ -From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 5 Apr 2015 15:07:36 -0700 -Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when - parsing Phar) - ---- - ext/phar/phar.c | 65 ++++++++++++++++++++----------------------- - ext/phar/phar_internal.h | 2 +- - ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes - ext/phar/tests/bug69324.phpt | 17 +++++++++++ - 4 files changed, 48 insertions(+), 36 deletions(-) - create mode 100644 ext/phar/tests/bug69324.phar - create mode 100644 ext/phar/tests/bug69324.phpt - -diff --git a/ext/phar/phar.c b/ext/phar/phar.c -index ec82351..bf0c985 100644 ---- a/ext/phar/phar.c -+++ b/ext/phar/phar.c -@@ -601,25 +601,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len - * - * data is the serialized zval - */ --int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */ -+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ - { - const unsigned char *p; -- php_uint32 buf_len; - php_unserialize_data_t var_hash; - -- if (!zip_metadata_len) { -- PHAR_GET_32(*buffer, buf_len); -- } else { -- buf_len = zip_metadata_len; -- } -- -- if (buf_len) { -+ if (zip_metadata_len) { - ALLOC_ZVAL(*metadata); - INIT_ZVAL(**metadata); - p = (const unsigned char*) *buffer; - PHP_VAR_UNSERIALIZE_INIT(var_hash); - -- if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) { -+ if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); - zval_ptr_dtor(metadata); - *metadata = NULL; -@@ -631,19 +624,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR - if (PHAR_G(persist)) { - /* lazy init metadata */ - zval_ptr_dtor(metadata); -- *metadata = (zval *) pemalloc(buf_len, 1); -- memcpy(*metadata, *buffer, buf_len); -- *buffer += 
buf_len; -+ *metadata = (zval *) pemalloc(zip_metadata_len, 1); -+ memcpy(*metadata, *buffer, zip_metadata_len); - return SUCCESS; - } - } else { - *metadata = NULL; - } - -- if (!zip_metadata_len) { -- *buffer += buf_len; -- } -- - return SUCCESS; - } - /* }}}*/ -@@ -664,6 +652,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char - phar_entry_info entry; - php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags; - php_uint16 manifest_ver; -+ php_uint32 len; - long offset; - int sig_len, register_alias = 0, temp_alias = 0; - char *signature = NULL; -@@ -1029,16 +1018,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char - mydata->is_persistent = PHAR_G(persist); - - /* check whether we have meta data, zero check works regardless of byte order */ -+ PHAR_GET_32(buffer, len); - if (mydata->is_persistent) { -- PHAR_GET_32(buffer, mydata->metadata_len); -- if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) { -- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); -- } -- } else { -- if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) { -- MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); -+ mydata->metadata_len = len; -+ if(!len) { -+ /* FIXME: not sure why this is needed but removing it breaks tests */ -+ PHAR_GET_32(buffer, len); - } - } -+ if(len > endbuffer - buffer) { -+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)"); -+ } -+ if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) { -+ MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\""); -+ } -+ buffer += len; - - /* set up our manifest */ - zend_hash_init(&mydata->manifest, manifest_count, -@@ -1073,7 +1067,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char - entry.manifest_pos = manifest_index; - } - -- if 
(buffer + entry.filename_len + 20 > endbuffer) { -+ if (entry.filename_len + 20 > endbuffer - buffer) { - MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); - } - -@@ -1109,19 +1103,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char - entry.flags |= PHAR_ENT_PERM_DEF_DIR; - } - -+ PHAR_GET_32(buffer, len); - if (entry.is_persistent) { -- PHAR_GET_32(buffer, entry.metadata_len); -- if (!entry.metadata_len) buffer -= 4; -- if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) { -- pefree(entry.filename, entry.is_persistent); -- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); -- } -+ entry.metadata_len = len; - } else { -- if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) { -- pefree(entry.filename, entry.is_persistent); -- MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); -- } -+ entry.metadata_len = 0; -+ } -+ if (len > endbuffer - buffer) { -+ MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); -+ } -+ if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { -+ pefree(entry.filename, entry.is_persistent); -+ MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\""); - } -+ buffer += len; - - entry.offset = entry.offset_abs = offset; - offset += entry.compressed_filesize; -diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h -index c9306c1..fcfc864 100644 ---- a/ext/phar/phar_internal.h -+++ b/ext/phar/phar_internal.h -@@ -570,7 +570,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len, - char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC); - char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC); - phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC); --int phar_parse_metadata(char **buffer, zval 
**metadata, int zip_metadata_len TSRMLS_DC); -+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC); - void destroy_phar_manifest_entry(void *pDest); - int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC); - php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC); --- -2.1.4 - -From 12d3bdee3dfa6605024a72080d8a17c165c5ed24 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 11 Apr 2015 16:42:16 -0700 -Subject: [PATCH] Additional fix for bug #69324 - -Not so happy about duplication but needed due to bug #69429 ---- - ext/phar/phar.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/ext/phar/phar.c b/ext/phar/phar.c -index bf0c985..c5c8b46 100644 ---- a/ext/phar/phar.c -+++ b/ext/phar/phar.c -@@ -598,27 +598,28 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len - * - * Meta-data is in this format: - * [len32][data...] 
-- * -+ * - * data is the serialized zval - */ - int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */ - { -- const unsigned char *p; - php_unserialize_data_t var_hash; - - if (zip_metadata_len) { -+ const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len); -+ p = p_buff; - ALLOC_ZVAL(*metadata); - INIT_ZVAL(**metadata); -- p = (const unsigned char*) *buffer; - PHP_VAR_UNSERIALIZE_INIT(var_hash); - - if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) { -+ efree(p_buff); - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); - zval_ptr_dtor(metadata); - *metadata = NULL; - return FAILURE; - } -- -+ efree(p_buff); - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); - - if (PHAR_G(persist)) { -@@ -641,7 +642,7 @@ int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_ - * - * Parse a new one and add it to the cache, returning either SUCCESS or - * FAILURE, and setting pphar to the pointer to the manifest entry -- * -+ * - * This is used by phar_open_from_filename to process the manifest, but can be called - * directly. 
- */ -@@ -2212,7 +2213,7 @@ last_time: - - /** - * Process a phar stream name, ensuring we can handle any of: -- * -+ * - * - whatever.phar - * - whatever.phar.gz - * - whatever.phar.bz2 --- -2.1.4 - -From cee97220285fd7b955a58617b3e0300ec104ed87 Mon Sep 17 00:00:00 2001 -From: Dmitry Stogov -Date: Tue, 14 Apr 2015 15:47:26 +0300 -Subject: [PATCH] Fixed recently introduced memory leak - ---- - ext/phar/phar.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ext/phar/phar.c b/ext/phar/phar.c -index c5c8b46..223bfe8 100644 ---- a/ext/phar/phar.c -+++ b/ext/phar/phar.c -@@ -1111,6 +1111,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char - entry.metadata_len = 0; - } - if (len > endbuffer - buffer) { -+ pefree(entry.filename, entry.is_persistent); - MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)"); - } - if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) { --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-2787.patch b/SOURCES/php-5.6.5-CVE-2015-2787.patch deleted file mode 100644 index 75a766a..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-2787.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 17 Mar 2015 13:20:22 -0700 -Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in - unserialize() - ---- - NEWS | 3 +- - ext/standard/var_unserializer.c | 63 ++++++++++++++++++++-------------------- - ext/standard/var_unserializer.re | 1 + - 3 files changed, 35 insertions(+), 32 deletions(-) - -diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c -index f114080..ee0cac4 100644 ---- a/ext/standard/var_unserializer.c -+++ b/ext/standard/var_unserializer.c -@@ -346,6 +346,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long - zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, - sizeof data, NULL); - } -+ var_push_dtor(var_hash, &data); - - zval_dtor(key); - FREE_ZVAL(key); -diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re -index f04fc74..abac77c 100644 ---- a/ext/standard/var_unserializer.re -+++ b/ext/standard/var_unserializer.re -@@ -352,6 +352,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long - zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data, - sizeof data, NULL); - } -+ var_push_dtor(var_hash, &data); - - zval_dtor(key); - FREE_ZVAL(key); -From 8b14d3052ffcffa17d6e2be652f20e18f8f562ad Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 17 Mar 2015 17:03:46 -0700 -Subject: [PATCH] add test for bug #68976 - ---- - ext/standard/tests/serialize/bug68976.phpt | 37 ++++++++++++++++++++++++++++++ - 1 file changed, 37 insertions(+) - create mode 100644 ext/standard/tests/serialize/bug68976.phpt - -diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt -new file mode 100644 -index 0000000..a79a953 ---- /dev/null -+++ b/ext/standard/tests/serialize/bug68976.phpt -@@ -0,0 +1,37 @@ -+--TEST-- -+Bug #68976 Use After Free 
Vulnerability in unserialize() -+--FILE-- -+name); -+ } -+} -+ -+$fakezval = pack( -+ 'IIII', -+ 0x00100000, -+ 0x00000400, -+ 0x00000000, -+ 0x00000006 -+); -+ -+$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}'); -+ -+for($i = 0; $i < 5; $i++) { -+ $v[$i] = $fakezval.$i; -+} -+ -+var_dump($data); -+?> -+===DONE=== -+--EXPECTF-- -+array(2) { -+ [0]=> -+ object(evilClass)#1 (0) { -+ } -+ [1]=> -+ int(1) -+} -+===DONE=== diff --git a/SOURCES/php-5.6.5-CVE-2015-3329.patch b/SOURCES/php-5.6.5-CVE-2015-3329.patch deleted file mode 100644 index ffbff30..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-3329.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Tue, 14 Apr 2015 00:03:50 -0700
-Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
- phar_set_inode)
-
----
- ext/phar/phar_internal.h | 9 ++++++---
- ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
- ext/phar/tests/bug69441.phpt | 21 +++++++++++++++++++++
- 3 files changed, 27 insertions(+), 3 deletions(-)
- create mode 100644 ext/phar/tests/bug69441.phar
- create mode 100644 ext/phar/tests/bug69441.phpt
-
-diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
-index fcfc864..84282d2 100644
---- a/ext/phar/phar_internal.h
-+++ b/ext/phar/phar_internal.h
-@@ -534,10 +534,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
- {
- char tmp[MAXPATHLEN];
- int tmp_len;
-+ size_t len;
-
-- tmp_len = entry->filename_len + entry->phar->fname_len;
-- memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
-- memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
-+ tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
-+ len = MIN(entry->phar->fname_len, tmp_len);
-+ memcpy(tmp, entry->phar->fname, len);
-+ len = MIN(tmp_len - len, entry->filename_len);
-+ memcpy(tmp + entry->phar->fname_len, entry->filename, len);
- entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
- }
- /* }}} */
---
-2.1.4
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-3330.patch b/SOURCES/php-5.6.5-CVE-2015-3330.patch
deleted file mode 100644
index 4e5b963..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-3330.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From 809610f5ea38a83b284e1125d1fff129bdd615e7 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Sat, 4 Apr 2015 15:03:46 -0700
-Subject: [PATCH] Fix bug #68486 and bug #69218 (segfault in apache2handler
- with apache 2.4)
-
----
- sapi/apache2handler/sapi_apache2.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c
-index e97f11c..cfebc5f 100644
---- a/sapi/apache2handler/sapi_apache2.c
-+++ b/sapi/apache2handler/sapi_apache2.c
-@@ -688,6 +688,7 @@ zend_first_try {
- } zend_end_try();
- }
- apr_brigade_cleanup(brigade);
-+ apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
- } else {
- ctx->r = parent_req;
- }
---
-2.1.4
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-4021.patch b/SOURCES/php-5.6.5-CVE-2015-4021.patch
deleted file mode 100644
index 4310ff1..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-4021.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From c27f012b7a447e59d4a704688971cbfa7dddaa74 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Wed, 29 Apr 2015 22:04:20 -0700
-Subject: [PATCH] Fix bug #69453 - don't try to cut empty string
-
----
- ext/phar/tar.c | 2 +-
- ext/phar/tests/bug69453.phpt | 21 +++++++++++++++++++++
- 2 files changed, 22 insertions(+), 1 deletion(-)
- create mode 100644 ext/phar/tests/bug69453.phpt
-
-diff --git a/ext/phar/tar.c b/ext/phar/tar.c
-index ca8eafc..d6d63e6 100644
---- a/ext/phar/tar.c
-+++ b/ext/phar/tar.c
-@@ -425,7 +425,7 @@ bail:
- entry.filename_len = i;
- entry.filename = pestrndup(hdr->name, i, myphar->is_persistent);
-
-- if (entry.filename[entry.filename_len - 1] == '/') {
-+ if (i > 0 && entry.filename[entry.filename_len - 1] == '/') {
- /* some tar programs store directories with trailing slash */
- entry.filename[entry.filename_len - 1] = '\0';
- entry.filename_len--;
---
-2.1.4
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-4022.patch b/SOURCES/php-5.6.5-CVE-2015-4022.patch
deleted file mode 100644
index c1a8b39..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-4022.patch
+++ /dev/null
@@ -1,352 +0,0 @@ -From ac2832935435556dc593784cd0087b5e576bbe4d Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Wed, 29 Apr 2015 21:57:33 -0700 -Subject: [PATCH] Fix bug #69545 - avoid overflow when reading list - ---- - ext/ftp/ftp.c | 82 +++++++++++++++++++++++++++++------------------------------ - 1 file changed, 41 insertions(+), 41 deletions(-) - -diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c -index 3ff54ff..53560eb 100644 ---- a/ext/ftp/ftp.c -+++ b/ext/ftp/ftp.c -@@ -188,9 +188,9 @@ ftp_close(ftpbuf_t *ftp) - SSL_shutdown(ftp->ssl_handle); - SSL_free(ftp->ssl_handle); - } --#endif -+#endif - closesocket(ftp->fd); -- } -+ } - ftp_gc(ftp); - efree(ftp); - return NULL; -@@ -262,7 +262,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) - if (!ftp_getresp(ftp)) { - return 0; - } -- -+ - if (ftp->resp != 234) { - if (!ftp_putcmd(ftp, "AUTH", "SSL")) { - return 0; -@@ -270,7 +270,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) - if (!ftp_getresp(ftp)) { - return 0; - } -- -+ - if (ftp->resp != 334) { - return 0; - } else { -@@ -278,7 +278,7 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) - ftp->use_ssl_for_data = 1; - } - } -- -+ - ctx = SSL_CTX_new(SSLv23_client_method()); - if (ctx == NULL) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "failed to create the SSL context"); -@@ -325,8 +325,8 @@ ftp_login(ftpbuf_t *ftp, const char *user, const char *pass TSRMLS_DC) - if (!ftp_getresp(ftp)) { - return 0; - } -- -- ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299); -+ -+ ftp->use_ssl_for_data = (ftp->resp >= 200 && ftp->resp <=299); - } - } - #endif -@@ -360,7 +360,7 @@ ftp_reinit(ftpbuf_t *ftp) - { - if (ftp == NULL) { - return 0; -- } -+ } - - ftp_gc(ftp); - -@@ -395,7 +395,7 @@ ftp_syst(ftpbuf_t *ftp) - if (!ftp_putcmd(ftp, "SYST", NULL)) { - return NULL; - } -- if (!ftp_getresp(ftp) || ftp->resp != 215) { -+ if (!ftp_getresp(ftp) || ftp->resp != 215) { - return 
NULL; - } - syst = ftp->inbuf; -@@ -431,14 +431,14 @@ ftp_pwd(ftpbuf_t *ftp) - if (!ftp_putcmd(ftp, "PWD", NULL)) { - return NULL; - } -- if (!ftp_getresp(ftp) || ftp->resp != 257) { -+ if (!ftp_getresp(ftp) || ftp->resp != 257) { - return NULL; - } - /* copy out the pwd from response */ -- if ((pwd = strchr(ftp->inbuf, '"')) == NULL) { -+ if ((pwd = strchr(ftp->inbuf, '"')) == NULL) { - return NULL; - } -- if ((end = strrchr(++pwd, '"')) == NULL) { -+ if ((end = strrchr(++pwd, '"')) == NULL) { - return NULL; - } - ftp->pwd = estrndup(pwd, end - pwd); -@@ -608,7 +608,7 @@ ftp_chmod(ftpbuf_t *ftp, const int mode, const char *filename, const int filenam - if (!ftp_getresp(ftp) || ftp->resp != 200) { - return 0; - } -- -+ - return 1; - } - /* }}} */ -@@ -625,7 +625,7 @@ ftp_alloc(ftpbuf_t *ftp, const long size, char **response) - } - - snprintf(buffer, sizeof(buffer) - 1, "%ld", size); -- -+ - if (!ftp_putcmd(ftp, "ALLO", buffer)) { - return 0; - } -@@ -642,7 +642,7 @@ ftp_alloc(ftpbuf_t *ftp, const long size, char **response) - return 0; - } - -- return 1; -+ return 1; - } - /* }}} */ - -@@ -674,7 +674,7 @@ ftp_type(ftpbuf_t *ftp, ftptype_t type) - if (ftp == NULL) { - return 0; - } -- if (type == ftp->type) { -+ if (type == ftp->type) { - return 1; - } - if (type == FTPTYPE_ASCII) { -@@ -765,7 +765,7 @@ ftp_pasv(ftpbuf_t *ftp, int pasv) - if (!ftp_putcmd(ftp, "PASV", NULL)) { - return 0; - } -- if (!ftp_getresp(ftp) || ftp->resp != 227) { -+ if (!ftp_getresp(ftp) || ftp->resp != 227) { - return 0; - } - /* parse out the IP and port */ -@@ -807,7 +807,7 @@ ftp_get(ftpbuf_t *ftp, php_stream *outstream, const char *path, ftptype_t type, - if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { - goto bail; - } -- -+ - ftp->data = data; - - if (resumepos > 0) { -@@ -900,7 +900,7 @@ ftp_put(ftpbuf_t *ftp, const char *path, php_stream *instream, ftptype_t type, l - if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { - goto bail; - } -- ftp->data = data; -+ ftp->data = data; - - 
if (startpos > 0) { - snprintf(arg, sizeof(arg), "%ld", startpos); -@@ -1101,7 +1101,7 @@ ftp_putcmd(ftpbuf_t *ftp, const char *cmd, const char *args) - - if (strpbrk(cmd, "\r\n")) { - return 0; -- } -+ } - /* build the output buffer */ - if (args && args[0]) { - /* "cmd args\r\n\0" */ -@@ -1247,7 +1247,7 @@ my_send(ftpbuf_t *ftp, php_socket_t s, void *buf, size_t len) - #if HAVE_OPENSSL_EXT - if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) { - sent = SSL_write(ftp->ssl_handle, buf, size); -- } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { -+ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { - sent = SSL_write(ftp->data->ssl_handle, buf, size); - } else { - #endif -@@ -1287,14 +1287,14 @@ my_recv(ftpbuf_t *ftp, php_socket_t s, void *buf, size_t len) - #if HAVE_OPENSSL_EXT - if (ftp->use_ssl && ftp->fd == s && ftp->ssl_active) { - nr_bytes = SSL_read(ftp->ssl_handle, buf, len); -- } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { -+ } else if (ftp->use_ssl && ftp->fd != s && ftp->use_ssl_for_data && ftp->data->ssl_active) { - nr_bytes = SSL_read(ftp->data->ssl_handle, buf, len); - } else { - #endif - nr_bytes = recv(s, buf, len, 0); - #if HAVE_OPENSSL_EXT - } --#endif -+#endif - return (nr_bytes); - } - /* }}} */ -@@ -1511,7 +1511,7 @@ data_accept(databuf_t *data, ftpbuf_t *ftp TSRMLS_DC) - - data_accepted: - #if HAVE_OPENSSL_EXT -- -+ - /* now enable ssl if we need to */ - if (ftp->use_ssl && ftp->use_ssl_for_data) { - ctx = SSL_CTX_new(SSLv23_client_method()); -@@ -1531,23 +1531,23 @@ data_accepted: - SSL_CTX_free(ctx); - return 0; - } -- -- -+ -+ - SSL_set_fd(data->ssl_handle, data->fd); - - if (ftp->old_ssl) { - SSL_copy_session_id(data->ssl_handle, ftp->ssl_handle); - } -- -+ - if (SSL_connect(data->ssl_handle) <= 0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "data_accept: SSL/TLS handshake failed"); - 
SSL_shutdown(data->ssl_handle); - SSL_free(data->ssl_handle); - return 0; - } -- -+ - data->ssl_active = 1; -- } -+ } - - #endif - -@@ -1562,14 +1562,14 @@ data_close(ftpbuf_t *ftp, databuf_t *data) - { - #if HAVE_OPENSSL_EXT - SSL_CTX *ctx; --#endif -+#endif - if (data == NULL) { - return NULL; - } - if (data->listener != -1) { - #if HAVE_OPENSSL_EXT - if (data->ssl_active) { -- -+ - ctx = SSL_get_SSL_CTX(data->ssl_handle); - SSL_CTX_free(ctx); - -@@ -1577,9 +1577,9 @@ data_close(ftpbuf_t *ftp, databuf_t *data) - SSL_free(data->ssl_handle); - data->ssl_active = 0; - } --#endif -+#endif - closesocket(data->listener); -- } -+ } - if (data->fd != -1) { - #if HAVE_OPENSSL_EXT - if (data->ssl_active) { -@@ -1590,9 +1590,9 @@ data_close(ftpbuf_t *ftp, databuf_t *data) - SSL_free(data->ssl_handle); - data->ssl_active = 0; - } --#endif -+#endif - closesocket(data->fd); -- } -+ } - if (ftp) { - ftp->data = NULL; - } -@@ -1610,8 +1610,8 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) - databuf_t *data = NULL; - char *ptr; - int ch, lastch; -- int size, rcvd; -- int lines; -+ size_t size, rcvd; -+ size_t lines; - char **ret = NULL; - char **entry; - char *text; -@@ -1629,7 +1629,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) - if ((data = ftp_getdata(ftp TSRMLS_CC)) == NULL) { - goto bail; - } -- ftp->data = data; -+ ftp->data = data; - - if (!ftp_putcmd(ftp, cmd, path)) { - goto bail; -@@ -1653,7 +1653,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) - lines = 0; - lastch = 0; - while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) { -- if (rcvd == -1) { -+ if (rcvd == -1 || rcvd > ((size_t)(-1))-size) { - goto bail; - } - -@@ -1858,7 +1858,7 @@ ftp_nb_put(ftpbuf_t *ftp, const char *path, php_stream *instream, ftptype_t type - if (!ftp_getresp(ftp) || (ftp->resp != 150 && ftp->resp != 125)) { - goto bail; - } -- if ((data = data_accept(data, ftp TSRMLS_CC)) == NULL) { -+ if ((data 
= data_accept(data, ftp TSRMLS_CC)) == NULL) { - goto bail; - } - ftp->data = data; -@@ -1914,7 +1914,7 @@ ftp_nb_continue_write(ftpbuf_t *ftp TSRMLS_DC) - goto bail; - } - ftp->data = data_close(ftp, ftp->data); -- -+ - if (!ftp_getresp(ftp) || (ftp->resp != 226 && ftp->resp != 250)) { - goto bail; - } --- -2.1.4 - -From 0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 31 May 2015 17:23:06 -0700 -Subject: [PATCH] improve fix for Bug #69545 - ---- - NEWS | 4 ++++ - ext/ftp/ftp.c | 2 -- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c -index 53560eb..50d8def 100644 ---- a/ext/ftp/ftp.c -+++ b/ext/ftp/ftp.c -@@ -1663,8 +1663,6 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC) - for (ptr = data->buf; rcvd; rcvd--, ptr++) { - if (*ptr == '\n' && lastch == '\r') { - lines++; -- } else { -- size++; - } - lastch = *ptr; - } --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-4024.patch b/SOURCES/php-5.6.5-CVE-2015-4024.patch deleted file mode 100644 index 9b29074..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-4024.patch +++ /dev/null 
@@ -1,111 +0,0 @@ -From 4605d536d23b00813d11cc906bb48d39bdcf5f25 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 9 May 2015 23:04:25 -0700 -Subject: [PATCH] Fixed bug #69364 - use smart_str to assemble strings - ---- - main/rfc1867.c | 51 +++++++++++++++++++++++++++------------------------ - 1 file changed, 27 insertions(+), 24 deletions(-) - -diff --git a/main/rfc1867.c b/main/rfc1867.c -index fab199b..9e2fbd5 100644 ---- a/main/rfc1867.c -+++ b/main/rfc1867.c -@@ -33,6 +33,7 @@ - #include "php_variables.h" - #include "rfc1867.h" - #include "ext/standard/php_string.h" -+#include "ext/standard/php_smart_str.h" - - #if defined(PHP_WIN32) && !defined(HAVE_ATOLL) - # define atoll(s) _atoi64(s) -@@ -403,8 +404,9 @@ static int find_boundary(multipart_buffer *self, char *boundary TSRMLS_DC) - static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC) - { - char *line; -- mime_header_entry prev_entry = {0}, entry; -- int prev_len, cur_len; -+ mime_header_entry entry = {0}; -+ smart_str buf_value = {0}; -+ char *key = NULL; - - /* didn't find boundary, abort */ - if (!find_boundary(self, self->boundary TSRMLS_CC)) { -@@ -416,11 +418,10 @@ - while( (line = get_line(self TSRMLS_CC)) && line[0] != '\0' ) - { - /* add header to table */ -- char *key = line; - char *value = NULL; - - if (php_rfc1867_encoding_translation(TSRMLS_C)) { -- self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); -+ self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC); - } - - /* space in the beginning means same header */ -@@ -429,31 +430,33 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T - } - - if (value) { -- *value = 0; -- do { value++; } while(isspace(*value)); -- -- entry.value = estrdup(value); -- entry.key = estrdup(key); -- -- } else if 
(zend_llist_count(header)) { /* If no ':' on the line, add to previous line */ -- -- prev_len = strlen(prev_entry.value); -- cur_len = strlen(line); -- -- entry.value = emalloc(prev_len + cur_len + 1); -- memcpy(entry.value, prev_entry.value, prev_len); -- memcpy(entry.value + prev_len, line, cur_len); -- entry.value[cur_len + prev_len] = '\0'; -+ if(buf_value.c && key) { -+ /* new entry, add the old one to the list */ -+ smart_str_0(&buf_value); -+ entry.key = key; -+ entry.value = buf_value.c; -+ zend_llist_add_element(header, &entry); -+ buf_value.c = NULL; -+ key = NULL; -+ } - -- entry.key = estrdup(prev_entry.key); -+ *value = '\0'; -+ do { value++; } while(isspace(*value)); - -- zend_llist_remove_tail(header); -+ key = estrdup(line); -+ smart_str_appends(&buf_value, value); -+ } else if (buf_value.c) { /* If no ':' on the line, add to previous line */ -+ smart_str_appends(&buf_value, line); - } else { - continue; - } -- -+ } -+ if(buf_value.c && key) { -+ /* add the last one to the list */ -+ smart_str_0(&buf_value); -+ entry.key = key; -+ entry.value = buf_value.c; - zend_llist_add_element(header, &entry); -- prev_entry = entry; - } - - return 1; -@@ -890,7 +893,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */ - if (count == PG(max_input_vars) + 1) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars)); - } -- -+ - if (php_rfc1867_callback != NULL) { - multipart_event_formdata event_formdata; - --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-4025.patch b/SOURCES/php-5.6.5-CVE-2015-4025.patch deleted file mode 100644 index e7c3d19..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-4025.patch +++ /dev/null 
@@ -1,415 +0,0 @@ -From be9b2a95adb504abd5acdc092d770444ad6f6854 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 9 May 2015 23:13:06 -0700 -Subject: [PATCH] Fixed bug #69418 - more s->p fixes for filenames - ---- - ext/pcntl/pcntl.c | 74 +++++++++++++++++++++--------------------- - ext/standard/basic_functions.c | 24 +++++++------- - ext/standard/dir.c | 62 +++++++++++++++++------------------ - ext/standard/file.c | 10 +++--- - 4 files changed, 85 insertions(+), 85 deletions(-) - -diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c -index 7a8acaf..6189bdf 100644 ---- a/ext/pcntl/pcntl.c -+++ b/ext/pcntl/pcntl.c -@@ -755,7 +755,7 @@ PHP_FUNCTION(pcntl_exec) - int path_len; - ulong key_num; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|aa", &path, &path_len, &args, &envs) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|aa", &path, &path_len, &args, &envs) == FAILURE) { - return; - } - -diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c -index c3e2230..7d0bfed 100644 ---- a/ext/standard/basic_functions.c -+++ b/ext/standard/basic_functions.c -@@ -5460,7 +5460,7 @@ PHP_FUNCTION(set_include_path) - int new_value_len; - char *old_value; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &new_value, &new_value_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &new_value, &new_value_len) == FAILURE) { - return; - } - -diff --git a/ext/standard/dir.c b/ext/standard/dir.c -index c64f37c..27ffb9d 100644 ---- a/ext/standard/dir.c -+++ b/ext/standard/dir.c -@@ -219,12 +219,12 @@ static void _php_do_opendir(INTERNAL_FUNCTION_PARAMETERS, int createobject) - php_stream_context *context = NULL; - php_stream *dirp; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dirname, &dir_len, &zcontext) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dirname, &dir_len, &zcontext) == FAILURE) { - RETURN_NULL(); - } - - context = 
php_stream_context_from_zval(zcontext, 0); -- -+ - dirp = php_stream_opendir(dirname, REPORT_ERRORS, context); - - if (dirp == NULL) { -@@ -293,11 +293,11 @@ PHP_FUNCTION(chroot) - { - char *str; - int ret, str_len; -- -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) { -+ -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &str, &str_len) == FAILURE) { - RETURN_FALSE; - } -- -+ - ret = chroot(str); - if (ret != 0) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno); -diff --git a/ext/standard/file.c b/ext/standard/file.c -index 708c3e2..21e1e53 100644 ---- a/ext/standard/file.c -+++ b/ext/standard/file.c -@@ -822,7 +822,7 @@ PHP_FUNCTION(tempnam) - char *p; - int fd; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) { - return; - } - -@@ -1347,7 +1347,7 @@ PHP_FUNCTION(rmdir) - zval *zcontext = NULL; - php_stream_context *context; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dir, &dir_len, &zcontext) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dir, &dir_len, &zcontext) == FAILURE) { - RETURN_FALSE; - } - --- -2.1.4 - -From 634aa0a2dbf8ec5e6fabb4ee01c6d1355ba7ee67 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 10 May 2015 23:33:44 -0700 -Subject: [PATCH] Update tests - ---- - ext/standard/tests/dir/dir_variation1.phpt | 22 +++++++++++----------- - .../tests/dir/opendir_variation1-win32.phpt | 12 ++++++------ - ext/standard/tests/dir/opendir_variation1.phpt | 12 ++++++------ - .../tests/file/mkdir_rmdir_variation2.phpt | 2 +- - .../tests/file/tempnam_variation3-win32.phpt | 18 +++++++++--------- - ext/standard/tests/file/tempnam_variation3.phpt | 22 ++++++++++++---------- - .../tests/general_functions/include_path.phpt | 4 ++-- - 7 files 
changed, 47 insertions(+), 45 deletions(-) - -diff --git a/ext/standard/tests/dir/dir_variation1.phpt b/ext/standard/tests/dir/dir_variation1.phpt -index abb4719..fff04ba 100644 ---- a/ext/standard/tests/dir/dir_variation1.phpt -+++ b/ext/standard/tests/dir/dir_variation1.phpt -@@ -8,7 +8,7 @@ if (substr(PHP_OS, 0, 3) == 'WIN') { - ?> - --FILE-- - path = $path; -@@ -73,7 +73,7 @@ $inputs = array( - false, - TRUE, - FALSE, -- -+ - // empty data - /*16*/ "", - '', -@@ -83,7 +83,7 @@ $inputs = array( - /*19*/ "$path", - 'string', - $heredoc, -- -+ - // object data - /*22*/ new classA($path), - -@@ -194,7 +194,7 @@ bool(false) - - -- Iteration 18 -- - --Warning: opendir() expects parameter 1 to be string, array given in %s on line %d -+Warning: opendir() expects parameter 1 to be a valid path, array given in %s on line %d - NULL - - -- Iteration 19 -- -@@ -219,6 +219,6 @@ bool(false) - - -- Iteration 25 -- - --Warning: opendir() expects parameter 1 to be string, resource given in %s on line %d -+Warning: opendir() expects parameter 1 to be a valid path, resource given in %s on line %d - NULL - ===DONE=== -diff --git a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt -index 14dd361..24dfc96 100644 ---- a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt -+++ b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt -@@ -68,7 +68,7 @@ bool(false) - Warning: mkdir() expects parameter 1 to be a valid path, string given in %s on line %d - bool(false) - --Warning: rmdir(%s): No such file or directory in %s on line %d -+Warning: rmdir() expects parameter 1 to be a valid path, string given in %s on line %d - bool(false) - - *** Testing mkdir() with miscelleneous input *** -diff --git a/ext/standard/tests/file/tempnam_variation3-win32.phpt b/ext/standard/tests/file/tempnam_variation3-win32.phpt -index fb457cb..cc8194a 100644 ---- a/ext/standard/tests/file/tempnam_variation3-win32.phpt -+++ 
b/ext/standard/tests/file/tempnam_variation3-win32.phpt -@@ -22,9 +22,9 @@ if (!mkdir($file_path)) { - - $file_path = realpath($file_path); - --/* An array of prefixes */ -+/* An array of prefixes */ - $names_arr = array( -- /* Valid args (casting)*/ -+ /* Valid args (casting)*/ - -1, - TRUE, - FALSE, -@@ -32,17 +32,17 @@ $names_arr = array( - "", - " ", - "\0", -- /* Invalid args */ -+ /* Invalid args */ - array(), - -- /* Valid args*/ -+ /* Valid args*/ - /* prefix with path separator of a non existing directory*/ -- "/no/such/file/dir", -+ "/no/such/file/dir", - "php/php" - ); - - $res_arr = array( -- /* Invalid args */ -+ /* Invalid args */ - true, - true, - true, -@@ -53,7 +53,7 @@ $res_arr = array( - false, - - /* prefix with path separator of a non existing directory*/ -- true, -+ true, - true - ); - -@@ -72,7 +72,7 @@ for( $i=0; $i "; - printf("%o", fileperms($file_name) ); - echo "\n"; -- -+ - echo "File created in => "; - $file_dir = dirname($file_name); -- -+ - if ($file_dir == sys_get_temp_dir()) { - echo "temp dir\n"; - } -@@ -61,7 +61,7 @@ for( $i=0; $i %s/%s - File permissions are => 100600 - File created in => directory specified - -- Iteration 6 -- --File name is => %s/%s --File permissions are => 100600 --File created in => directory specified -+ -+Warning: tempnam() expects parameter 2 to be a valid path, string given in %s on line %d -+-- File is not created -- -+ -+Warning: unlink(): %s in %s on line %d - -- Iteration 7 -- - --Warning: tempnam() expects parameter 2 to be string, array given in %s on line %d -+Warning: tempnam() expects parameter 2 to be a valid path, array given in %s on line %d - -- File is not created -- - - Warning: unlink(): %s in %s on line %d -diff --git a/ext/standard/tests/general_functions/include_path.phpt b/ext/standard/tests/general_functions/include_path.phpt -index 0392307..8b6626f 100644 ---- a/ext/standard/tests/general_functions/include_path.phpt -+++ b/ext/standard/tests/general_functions/include_path.phpt -@@ 
-41,7 +41,7 @@ var_dump(get_include_path()); - - echo "Done\n"; - ?> ----EXPECTF-- -+--EXPECTF-- - string(1) "." - - Warning: get_include_path() expects exactly 0 parameters, 1 given in %s on line %d -@@ -67,7 +67,7 @@ string(1) "." - NULL - string(1) "." - --Warning: set_include_path() expects parameter 1 to be string, array given in %s on line %d -+Warning: set_include_path() expects parameter 1 to be a valid path, array given in %s on line %d - NULL - string(1) "." - NULL --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-5589.patch b/SOURCES/php-5.6.5-CVE-2015-5589.patch deleted file mode 100644 index 3a74c19..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-5589.patch +++ /dev/null 
@@ -1,95 +0,0 @@
-Patch cleanup for 5.6.5
-Binary diff removed
-
-From bf58162ddf970f63502837f366930e44d6a992cf Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Sat, 4 Jul 2015 21:01:50 -0700
-Subject: [PATCH] Fix bug #69958 - Segfault in Phar::convertToData on invalid
- file
-
----
- ext/phar/phar_object.c | 70 ++++++++++++++++++++++---------------------
- ext/phar/tests/bug69958.phpt | 14 +++++++++
- ext/phar/tests/bug69958.tar | Bin 0 -> 513 bytes
- 3 files changed, 50 insertions(+), 34 deletions(-)
- create mode 100644 ext/phar/tests/bug69958.phpt
- create mode 100644 ext/phar/tests/bug69958.tar
-
-diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
-index add1fa0..1184863 100644
---- a/ext/phar/phar_object.c
-+++ b/ext/phar/phar_object.c
-@@ -2341,7 +2341,9 @@ static zval *phar_convert_to_other(phar_archive_data *source, int convert, char
- zend_hash_destroy(&(phar->manifest));
- zend_hash_destroy(&(phar->mounted_dirs));
- zend_hash_destroy(&(phar->virtual_dirs));
-- php_stream_close(phar->fp);
-+ if (phar->fp) {
-+ php_stream_close(phar->fp);
-+ }
- efree(phar->fname);
- efree(phar);
- return NULL;
-
-From 885edfef0a0eb1016a906d197399f92375a795e4 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Mon, 6 Jul 2015 22:58:28 -0700
-Subject: [PATCH] Better fix for bug #69958
-
----
- ext/phar/phar_object.c | 22 +++++++++++++---------
- ext/phar/tests/bug69958.phpt | 2 ++
- 2 files changed, 15 insertions(+), 9 deletions(-)
-
-diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
-index 1184863..8cfe0c8 100644
---- a/ext/phar/phar_object.c
-+++ b/ext/phar/phar_object.c
-@@ -2019,9 +2019,10 @@ static int phar_copy_file_contents(phar_entry_info *entry, php_stream *fp TSRMLS
- }
- /* }}} */
-
--static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool compress TSRMLS_DC) /* {{{ */
-+static zval *phar_rename_archive(phar_archive_data **sphar, char *ext, zend_bool compress TSRMLS_DC) /* {{{ */
- {
- const char *oldname = NULL;
-+ phar_archive_data *phar = *sphar;
- char *oldpath = NULL;
- char *basename = NULL, *basepath = NULL;
- char *newname = NULL, *newpath = NULL;
-@@ -2129,6 +2130,7 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
- phar->fp = NULL;
- phar_destroy_phar_data(phar TSRMLS_CC);
- phar = *pphar;
-+ *sphar = NULL;
- phar->refcount++;
- newpath = oldpath;
- goto its_ok;
-@@ -2335,17 +2337,19 @@ static zval *phar_convert_to_other(phar_archive_data *source, int convert, char
- phar_add_virtual_dirs(phar, newentry.filename, newentry.filename_len TSRMLS_CC);
- }
-
-- if ((ret = phar_rename_archive(phar, ext, 0 TSRMLS_CC))) {
-+ if ((ret = phar_rename_archive(&phar, ext, 0 TSRMLS_CC))) {
- return ret;
- } else {
-- zend_hash_destroy(&(phar->manifest));
-- zend_hash_destroy(&(phar->mounted_dirs));
-- zend_hash_destroy(&(phar->virtual_dirs));
-- if (phar->fp) {
-- php_stream_close(phar->fp);
-+ if(phar != NULL) {
-+ zend_hash_destroy(&(phar->manifest));
-+ zend_hash_destroy(&(phar->mounted_dirs));
-+ zend_hash_destroy(&(phar->virtual_dirs));
-+ if (phar->fp) {
-+ php_stream_close(phar->fp);
-+ }
-+ efree(phar->fname);
-+ efree(phar);
- }
-- efree(phar->fname);
-- efree(phar);
- return NULL;
- }
- }
diff --git a/SOURCES/php-5.6.5-CVE-2015-5590.patch b/SOURCES/php-5.6.5-CVE-2015-5590.patch
deleted file mode 100644
index 7837718..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-5590.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-Patch cleanup for 5.6.5
-
-From 6dedeb40db13971af45276f80b5375030aa7e76f Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Sat, 4 Jul 2015 23:47:48 -0700
-Subject: [PATCH] Fix bug #69923 - Buffer overflow and stack smashing error in
- phar_fix_filepath
-
----
- ext/phar/phar.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/ext/phar/phar.c b/ext/phar/phar.c
-index 223bfe8..ba73462 100644
---- a/ext/phar/phar.c
-+++ b/ext/phar/phar.c
-@@ -2118,7 +2118,7 @@ char *tsrm_strtok_r(char *s, const char *delim, char **last) /* {{{ */
- */
- char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{ */
- {
-- char newpath[MAXPATHLEN];
-+ char *newpath;
- int newpath_len;
- char *ptr;
- char *tok;
-@@ -2126,8 +2126,10 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
-
- if (PHAR_G(cwd_len) && use_cwd && path_length > 2 && path[0] == '.' && path[1] == '/') {
- newpath_len = PHAR_G(cwd_len);
-+ newpath = emalloc(strlen(path) + newpath_len + 1);
- memcpy(newpath, PHAR_G(cwd), newpath_len);
- } else {
-+ newpath = emalloc(strlen(path) + 2);
- newpath[0] = '/';
- newpath_len = 1;
- }
-@@ -2150,6 +2152,7 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
- if (*tok == '.') {
- efree(path);
- *new_len = 1;
-+ efree(newpath);
- return estrndup("/", 1);
- }
- break;
-@@ -2157,9 +2160,11 @@ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC) /* {{{
- if (tok[0] == '.' && tok[1] == '.') {
- efree(path);
- *new_len = 1;
-+ efree(newpath);
- return estrndup("/", 1);
- }
- }
-+ efree(newpath);
- return path;
- }
-
-@@ -2208,7 +2213,8 @@ last_time:
-
- efree(path);
- *new_len = newpath_len;
-- return estrndup(newpath, newpath_len);
-+ newpath[newpath_len] = '\0';
-+ return erealloc(newpath, newpath_len + 1);
- }
- /* }}} */
-
---
-2.1.4
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-6831.patch b/SOURCES/php-5.6.5-CVE-2015-6831.patch
deleted file mode 100644
index a2df6bd..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-6831.patch
+++ /dev/null
@@ -1,201 +0,0 @@ -From 7381b6accc5559b2de039af3a22f6ec1003b03b3 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 1 Aug 2015 21:45:19 -0700 -Subject: [PATCH] Fixed bug #70166 - Use After Free Vulnerability in - unserialize() with SPLArrayObject - ---- - ext/spl/spl_array.c | 3 +++ - ext/spl/tests/bug70166.phpt | 29 +++++++++++++++++++++++++++++ - 2 files changed, 32 insertions(+) - create mode 100644 ext/spl/tests/bug70166.phpt - -diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c -index a37eced..86608c0 100644 ---- a/ext/spl/spl_array.c -+++ b/ext/spl/spl_array.c -@@ -1773,6 +1773,7 @@ SPL_METHOD(Array, unserialize) - goto outexcept; - } - -+ var_push_dtor(&var_hash, &pflags); - --p; /* for ';' */ - flags = Z_LVAL_P(pflags); - /* flags needs to be verified and we also need to verify whether the next -@@ -1796,6 +1797,7 @@ SPL_METHOD(Array, unserialize) - if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { - goto outexcept; - } -+ var_push_dtor(&var_hash, &intern->array); - } - if (*p != ';') { - goto outexcept; -@@ -1814,6 +1816,7 @@ SPL_METHOD(Array, unserialize) - goto outexcept; - } - -+ var_push_dtor(&var_hash, &pmembers); - /* copy members */ - if (!intern->std.properties) { - rebuild_object_properties(&intern->std); -diff --git a/ext/spl/tests/bug70166.phpt b/ext/spl/tests/bug70166.phpt -new file mode 100644 -index 0000000..51a3596 ---- /dev/null -+++ b/ext/spl/tests/bug70166.phpt -@@ -0,0 +1,29 @@ -+--TEST-- -+SPL: Bug #70166 Use After Free Vulnerability in unserialize() with SPLArrayObject -+--FILE-- -+ -+===DONE=== -+--EXPECTF-- -+array(2) { -+ [0]=> -+ object(ArrayObject)#%d (1) { -+ ["storage":"ArrayObject":private]=> -+ array(0) { -+ } -+ } -+ [1]=> -+ array(0) { -+ } -+} -+===DONE=== --- -2.1.4 - -From c2e197e4efc663ca55f393bf0e799848842286f3 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 1 Aug 2015 21:12:38 -0700 -Subject: [PATCH] Fix bug #70168 - Use After Free Vulnerability in - 
unserialize() with SplObjectStorage - ---- - ext/spl/spl_observer.c | 68 +++++++++++++++++++++++---------------------- - ext/spl/tests/bug70168.phpt | 19 +++++++++++++ - 2 files changed, 54 insertions(+), 33 deletions(-) - create mode 100644 ext/spl/tests/bug70168.phpt - -diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c -index da9110b..5d94a3b 100644 ---- a/ext/spl/spl_observer.c -+++ b/ext/spl/spl_observer.c -@@ -848,6 +848,7 @@ SPL_METHOD(SplObjectStorage, unserialize - goto outexcept; - } - -+ var_push_dtor(&var_hash, &pcount); - --p; /* for ';' */ - count = Z_LVAL_P(pcount); - -@@ -919,6 +920,7 @@ SPL_METHOD(SplObjectStorage, unserialize - goto outexcept; - } - -+ var_push_dtor(&var_hash, &pmembers); - /* copy members */ - if (!intern->std.properties) { - rebuild_object_properties(&intern->std); -diff --git a/ext/spl/tests/bug70168.phpt b/ext/spl/tests/bug70168.phpt -new file mode 100644 -index 0000000..192f0f3 ---- /dev/null -+++ b/ext/spl/tests/bug70168.phpt -@@ -0,0 +1,19 @@ -+--TEST-- -+SPL: Bug #70168 Use After Free Vulnerability in unserialize() with SplObjectStorage -+--FILE-- -+ -+===DONE=== -+--EXPECT-- -+int(1) -+===DONE=== --- -2.1.4 - -From 863bf294feb9ad425eadb94f288bc7f18673089d Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 1 Aug 2015 21:51:08 -0700 -Subject: [PATCH] Fixed bug #70169 (Use After Free Vulnerability in - unserialize() with SplDoublyLinkedList) - ---- - ext/spl/spl_dllist.c | 25 +++++++++++++------------ - ext/spl/tests/bug70169.phpt | 30 ++++++++++++++++++++++++++++++ - 2 files changed, 43 insertions(+), 12 deletions(-) - create mode 100644 ext/spl/tests/bug70169.phpt - -diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c -index b5ddfc0..011d7a6 100644 ---- a/ext/spl/spl_dllist.c -+++ b/ext/spl/spl_dllist.c -@@ -1207,6 +1207,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) - zval_ptr_dtor(&flags); - goto error; - } -+ var_push_dtor(&var_hash, &flags); - intern->flags = Z_LVAL_P(flags); - 
zval_ptr_dtor(&flags); - -diff --git a/ext/spl/tests/bug70169.phpt b/ext/spl/tests/bug70169.phpt -new file mode 100644 -index 0000000..9d814be ---- /dev/null -+++ b/ext/spl/tests/bug70169.phpt -@@ -0,0 +1,30 @@ -+--TEST-- -+SPL: Bug #70169 Use After Free Vulnerability in unserialize() with SplDoublyLinkedList -+--FILE-- -+ -+===DONE=== -+--EXPECTF-- -+array(2) { -+ [0]=> -+ object(SplDoublyLinkedList)#%d (2) { -+ ["flags":"SplDoublyLinkedList":private]=> -+ int(1) -+ ["dllist":"SplDoublyLinkedList":private]=> -+ array(0) { -+ } -+ } -+ [1]=> -+ int(1) -+} -+===DONE=== --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-6832.patch b/SOURCES/php-5.6.5-CVE-2015-6832.patch deleted file mode 100644 index 0df76d3..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-6832.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -Patch cleanup for 5.6.5 - -From b7fa67742cd8d2b0ca0c0273b157f6ffee9ad6e2 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 26 Jul 2015 17:25:25 -0700 -Subject: [PATCH] Fix bug #70068 (Dangling pointer in the unserialization of - ArrayObject items) - ---- - ext/spl/spl_array.c | 90 +++++++++++++++++++++++---------------------- - ext/spl/tests/bug70068.phpt | 9 +++++ - 2 files changed, 56 insertions(+), 43 deletions(-) - create mode 100644 ext/spl/tests/bug70068.phpt - -diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c -index ec9ce21..a37eced 100644 ---- a/ext/spl/spl_array.c -+++ b/ext/spl/spl_array.c -@@ -1770,13 +1770,11 @@ SPL_METHOD(Array, unserialize) - - ALLOC_INIT_ZVAL(pflags); - if (!php_var_unserialize(&pflags, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pflags) != IS_LONG) { -- zval_ptr_dtor(&pflags); - goto outexcept; - } - - --p; /* for ';' */ - flags = Z_LVAL_P(pflags); -- zval_ptr_dtor(&pflags); - /* flags needs to be verified and we also need to verify whether the next - * thing we get is ';'. After that we require an 'm' or somethign else - * where 'm' stands for members and anything else should be an array. If -@@ -1826,10 +1824,16 @@ SPL_METHOD(Array, unserialize) - /* done reading $serialized */ - - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); -+ if (pflags) { -+ zval_ptr_dtor(&pflags); -+ } - return; - - outexcept: - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); -+ if (pflags) { -+ zval_ptr_dtor(&pflags); -+ } - zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0 TSRMLS_CC, "Error at offset %ld of %d bytes", (long)((char*)p - buf), buf_len); - return; - -diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt -new file mode 100644 -index 0000000..92a38df ---- /dev/null -+++ b/ext/spl/tests/bug70068.phpt -@@ -0,0 +1,9 @@ -+--TEST-- -+Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) -+--FILE-- -+ -+OK -+--EXPECT-- -+OK -\ No newline at end of file --- -2.1.4 - 
diff --git a/SOURCES/php-5.6.5-CVE-2015-6833.patch b/SOURCES/php-5.6.5-CVE-2015-6833.patch
deleted file mode 100644
index 156dadd..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-6833.patch
+++ /dev/null
@@ -1,215 +0,0 @@
-Patch cleanup for 5.6.5
-Binary diff removed
-
-From dda81f0505217a95db065e6bf9cc2d81eb902417 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Tue, 4 Aug 2015 14:00:29 -0700
-Subject: [PATCH] Fix bug #70019 - limit extracted files to given directory
-
----
- ext/phar/phar_object.c | 50 +++++++++++++++++++++++++++++++++++++++----
- ext/phar/tests/bug70019.phpt | 22 +++++++++++++++++++
- ext/phar/tests/bug70019.zip | Bin 0 -> 184 bytes
- 3 files changed, 68 insertions(+), 4 deletions(-)
- create mode 100644 ext/phar/tests/bug70019.phpt
- create mode 100644 ext/phar/tests/bug70019.zip
-
-diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
-index 8cfe0c8..b652181 100644
---- a/ext/phar/phar_object.c
-+++ b/ext/phar/phar_object.c
-@@ -4118,6 +4118,9 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- char *fullpath;
- const char *slash;
- mode_t mode;
-+ cwd_state new_state;
-+ char *filename;
-+ size_t filename_len;
-
- if (entry->is_mounted) {
- /* silently ignore mounted entries */
-@@ -4127,8 +4130,39 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- if (entry->filename_len >= sizeof(".phar")-1 && !memcmp(entry->filename, ".phar", sizeof(".phar")-1)) {
- return SUCCESS;
- }
-+ /* strip .. from path and restrict it to be under dest directory */
-+ new_state.cwd = (char*)malloc(2);
-+ new_state.cwd[0] = DEFAULT_SLASH;
-+ new_state.cwd[1] = '\0';
-+ new_state.cwd_length = 1;
-+ if (virtual_file_ex(&new_state, entry->filename, NULL, CWD_EXPAND TSRMLS_CC) != 0 ||
-+ new_state.cwd_length <= 1) {
-+ if (EINVAL == errno && entry->filename_len > 50) {
-+ char *tmp = estrndup(entry->filename, 50);
-+ spprintf(error, 4096, "Cannot extract \"%s...\" to \"%s...\", extracted filename is too long for filesystem", tmp, dest);
-+ efree(tmp);
-+ } else {
-+ spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename);
-+ }
-+ free(new_state.cwd);
-+ return FAILURE;
-+ }
-+ filename = new_state.cwd + 1;
-+ filename_len = new_state.cwd_length - 1;
-+#ifdef PHP_WIN32
-+ /* unixify the path back, otherwise non zip formats might be broken */
-+ {
-+ int cnt = filename_len;
-+
-+ do {
-+ if ('\\' == filename[cnt]) {
-+ filename[cnt] = '/';
-+ }
-+ } while (cnt-- >= 0);
-+ }
-+#endif
-
-- len = spprintf(&fullpath, 0, "%s/%s", dest, entry->filename);
-+ len = spprintf(&fullpath, 0, "%s/%s", dest, filename);
-
- if (len >= MAXPATHLEN) {
- char *tmp;
-@@ -4142,18 +4176,21 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- spprintf(error, 4096, "Cannot extract \"%s\" to \"%s...\", extracted filename is too long for filesystem", entry->filename, fullpath);
- }
- efree(fullpath);
-+ free(new_state.cwd);
- return FAILURE;
- }
-
- if (!len) {
- spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename);
- efree(fullpath);
-+ free(new_state.cwd);
- return FAILURE;
- }
-
- if (PHAR_OPENBASEDIR_CHECKPATH(fullpath)) {
- spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", openbasedir/safe mode restrictions in effect", entry->filename, fullpath);
- efree(fullpath);
-+ free(new_state.cwd);
- return FAILURE;
- }
-
-@@ -4161,14 +4198,15 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- if (!overwrite && SUCCESS == php_stream_stat_path(fullpath, &ssb)) {
- spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", path already exists", entry->filename, fullpath);
- efree(fullpath);
-+ free(new_state.cwd);
- return FAILURE;
- }
-
- /* perform dirname */
-- slash = zend_memrchr(entry->filename, '/', entry->filename_len);
-+ slash = zend_memrchr(filename, '/', filename_len);
-
- if (slash) {
-- fullpath[dest_len + (slash - entry->filename) + 1] = '\0';
-+ fullpath[dest_len + (slash - filename) + 1] = '\0';
- } else {
- fullpath[dest_len] = '\0';
- }
-@@ -4178,23 +4216,27 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- if (!php_stream_mkdir(fullpath, entry->flags & PHAR_ENT_PERM_MASK, PHP_STREAM_MKDIR_RECURSIVE, NULL)) {
- spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath);
- efree(fullpath);
-+ free(new_state.cwd);
- return FAILURE;
- }
- } else {
- if (!php_stream_mkdir(fullpath, 0777, PHP_STREAM_MKDIR_RECURSIVE, NULL)) {
- spprintf(error, 4096, "Cannot extract \"%s\", could not create directory \"%s\"", entry->filename, fullpath);
- efree(fullpath);
-+ free(new_state.cwd);
- return FAILURE;
- }
- }
- }
-
- if (slash) {
-- fullpath[dest_len + (slash - entry->filename) + 1] = '/';
-+ fullpath[dest_len + (slash - filename) + 1] = '/';
- } else {
- fullpath[dest_len] = '/';
- }
-
-+ filename = NULL;
-+ free(new_state.cwd);
- /* it is a standalone directory, job done */
- if (entry->is_dir) {
- efree(fullpath);
-
-From eb7ba73079b73ca4ef91307ae1ef30b43468717b Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Tue, 4 Aug 2015 16:31:57 -0700
-Subject: [PATCH] virtual_file_ex uses emalloc in 5.6+
-
----
- ext/phar/phar_object.c | 14 +++++++-------
- 1 file changed, 7 insertions(+), 7 deletions(-)
-
-diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
-index 22d59c2..d7c9541 100644
---- a/ext/phar/phar_object.c
-+++ b/ext/phar/phar_object.c
-@@ -4131,7 +4131,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- return SUCCESS;
- }
- /* strip .. from path and restrict it to be under dest directory */
-- new_state.cwd = (char*)malloc(2);
-+ new_state.cwd = (char*)emalloc(2);
- new_state.cwd[0] = DEFAULT_SLASH;
- new_state.cwd[1] = '\0';
- new_state.cwd_length = 1;
-@@ -4144,7 +4144,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- } else {
- spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename);
- }
-- free(new_state.cwd);
-+ efree(new_state.cwd);
- return FAILURE;
- }
- filename = new_state.cwd + 1;
-@@ -4176,21 +4176,21 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- spprintf(error, 4096, "Cannot extract \"%s\" to \"%s...\", extracted filename is too long for filesystem", entry->filename, fullpath);
- }
- efree(fullpath);
-- free(new_state.cwd);
-+ efree(new_state.cwd);
- return FAILURE;
- }
-
- if (!len) {
- spprintf(error, 4096, "Cannot extract \"%s\", internal error", entry->filename);
- efree(fullpath);
-- free(new_state.cwd);
-+ efree(new_state.cwd);
- return FAILURE;
- }
-
- if (PHAR_OPENBASEDIR_CHECKPATH(fullpath)) {
- spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", openbasedir/safe mode restrictions in effect", entry->filename, fullpath);
- efree(fullpath);
-- free(new_state.cwd);
-+ efree(new_state.cwd);
- return FAILURE;
- }
-
-@@ -4198,7 +4198,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- if (!overwrite && SUCCESS == php_stream_stat_path(fullpath, &ssb)) {
- spprintf(error, 4096, "Cannot extract \"%s\" to \"%s\", path already exists", entry->filename, fullpath);
- efree(fullpath);
-- free(new_state.cwd);
-+ efree(new_state.cwd);
- return FAILURE;
- }
-
-@@ -4236,7 +4236,7 @@ static int phar_extract_file(zend_bool overwrite, phar_entry_info *entry, char *
- }
-
- filename = NULL;
-- free(new_state.cwd);
-+ efree(new_state.cwd);
- /* it is a standalone directory, job done */
- if (entry->is_dir) {
- efree(fullpath);
diff --git a/SOURCES/php-5.6.5-CVE-2015-6834-1.patch b/SOURCES/php-5.6.5-CVE-2015-6834-1.patch
deleted file mode 100644
index 8977714..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-6834-1.patch
+++ /dev/null
@@ -1,355 +0,0 @@ -From e8429400d40e3c3aa4b22ba701991d698a2f3b2f Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 31 Aug 2015 21:28:11 -0700 -Subject: [PATCH] Fix bug #70172 - Use After Free Vulnerability in - unserialize() - ---- - ext/standard/tests/serialize/bug70172.phpt | 52 ++++++++++++++++++++ - ext/standard/var.c | 23 +++++++-- - ext/standard/var_unserializer.c | 76 ++++++++++++++++-------------- - ext/standard/var_unserializer.re | 12 +++-- - 4 files changed, 121 insertions(+), 42 deletions(-) - create mode 100644 ext/standard/tests/serialize/bug70172.phpt - -diff --git a/ext/standard/tests/serialize/bug70172.phpt b/ext/standard/tests/serialize/bug70172.phpt -new file mode 100644 -index 0000000..0e9d7ed ---- /dev/null -+++ b/ext/standard/tests/serialize/bug70172.phpt -@@ -0,0 +1,52 @@ -+--TEST-- -+Bug #70172 - Use After Free Vulnerability in unserialize() -+--FILE-- -+data); -+ } -+ function unserialize($data) { -+ $this->data = unserialize($data); -+ } -+} -+ -+$fakezval = ptr2str(1122334455); -+$fakezval .= ptr2str(0); -+$fakezval .= "\x00\x00\x00\x00"; -+$fakezval .= "\x01"; -+$fakezval .= "\x00"; -+$fakezval .= "\x00\x00"; -+ -+$inner = 'r:2;'; -+$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}'; -+ -+$data = unserialize($exploit); -+ -+for ($i = 0; $i < 5; $i++) { -+ $v[$i] = $fakezval.$i; -+} -+ -+var_dump($data); -+ -+function ptr2str($ptr) -+{ -+ $out = ''; -+ for ($i = 0; $i < 8; $i++) { -+ $out .= chr($ptr & 0xff); -+ $ptr >>= 8; -+ } -+ return $out; -+} -+?> -+--EXPECTF-- -+array(2) { -+ [0]=> -+ int(1) -+ [1]=> -+ object(obj)#%d (1) { -+ ["data"]=> -+ int(1) -+ } -+} -\ No newline at end of file -diff --git a/ext/standard/var.c b/ext/standard/var.c -index 7603ff2..33b976f 100644 ---- a/ext/standard/var.c -+++ b/ext/standard/var.c -@@ -951,6 +951,8 @@ PHP_FUNCTION(unserialize) - int buf_len; - const unsigned char *p; - php_unserialize_data_t var_hash; -+ int oldlevel; -+ zval *old_rval = return_value; - - if 
(zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) { - RETURN_FALSE; -@@ -970,6 +972,19 @@ PHP_FUNCTION(unserialize) - } - RETURN_FALSE; - } -+ if (return_value != old_rval) { -+ /* -+ * Terrible hack due to the fact that executor passes us zval *, -+ * but unserialize with r/R wants to replace it with another zval * -+ */ -+ zval_dtor(old_rval); -+ *old_rval = *return_value; -+ zval_copy_ctor(old_rval); -+ var_push_dtor_no_addref(&var_hash, &return_value); -+ var_push_dtor_no_addref(&var_hash, &old_rval); -+ } else { -+ var_push_dtor(&var_hash, &return_value); -+ } - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); - } - /* }}} */ -diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c -index ffaf680..5f2336e 100644 ---- a/ext/standard/var_unserializer.c -+++ b/ext/standard/var_unserializer.c -@@ -67,7 +67,7 @@ - - var_hash = (*var_hashx)->last_dtor; - #if VAR_ENTRIES_DBG -- fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); -+ fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); - #endif - - if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { -@@ -98,7 +98,7 @@ - - var_hash = (*var_hashx)->last_dtor; - #if VAR_ENTRIES_DBG -- fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); -+ fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); - #endif - - if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { -@@ -177,6 +177,9 @@ - - while (var_hash) { - for (i = 0; i < var_hash->used_slots; i++) { -+#if VAR_ENTRIES_DBG -+ fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); -+#endif - zval_ptr_dtor(&var_hash->data[i]); - } - next = var_hash->next; -@@ -629,6 +632,7 @@ - zval **args[1]; - zval 
*arg_func_name; - -+ if (!var_hash) return 0; - if (*start == 'C') { - custom_object = 1; - } -@@ -784,6 +788,7 @@ - if (yych != '"') goto yy18; - ++YYCURSOR; - { -+ if (!var_hash) return 0; - - INIT_PZVAL(*rval); - -@@ -814,6 +819,7 @@ - long elements = parse_iv(start + 2); - /* use iv() not uiv() in order to check data range */ - *p = YYCURSOR; -+ if (!var_hash) return 0; - - if (elements < 0) { - return 0; -@@ -1243,7 +1249,7 @@ - } - - if (*rval != NULL) { -- zval_ptr_dtor(rval); -+ var_push_dtor_no_addref(var_hash, rval); - } - *rval = *rval_ref; - Z_ADDREF_PP(rval); -diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re -index f02602c..ed82152 100644 ---- a/ext/standard/var_unserializer.re -+++ b/ext/standard/var_unserializer.re -@@ -66,7 +66,7 @@ - - var_hash = (*var_hashx)->last_dtor; - #if VAR_ENTRIES_DBG -- fprintf(stderr, "var_push_dtor(%ld): %d\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); -+ fprintf(stderr, "var_push_dtor(%p, %ld): %d\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval)); - #endif - - if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { -@@ -97,7 +97,7 @@ - - var_hash = (*var_hashx)->last_dtor; - #if VAR_ENTRIES_DBG -- fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); -+ fprintf(stderr, "var_push_dtor_no_addref(%p, %ld): %d (%d)\n", *rval, var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); - #endif - - if (!var_hash || var_hash->used_slots == VAR_ENTRIES_MAX) { -@@ -176,6 +176,9 @@ - - while (var_hash) { - for (i = 0; i < var_hash->used_slots; i++) { -+#if VAR_ENTRIES_DBG -+ fprintf(stderr, "var_destroy dtor(%p, %ld)\n", var_hash->data[i], Z_REFCOUNT_P(var_hash->data[i])); -+#endif - zval_ptr_dtor(&var_hash->data[i]); - } - next = var_hash->next; -@@ -496,7 +499,7 @@ - } - - if (*rval != NULL) { -- zval_ptr_dtor(rval); -+ var_push_dtor_no_addref(var_hash, rval); - } - *rval = 
*rval_ref; - Z_ADDREF_PP(rval); -@@ -655,6 +658,7 @@ - long elements = parse_iv(start + 2); - /* use iv() not uiv() in order to check data range */ - *p = YYCURSOR; -+ if (!var_hash) return 0; - - if (elements < 0) { - return 0; -@@ -672,6 +676,7 @@ - } - - "o:" iv ":" ["] { -+ if (!var_hash) return 0; - - INIT_PZVAL(*rval); - -@@ -694,6 +699,7 @@ - zval **args[1]; - zval *arg_func_name; - -+ if (!var_hash) return 0; - if (*start == 'C') { - custom_object = 1; - } --- -2.1.4 - -From 7c31203935589ab4fcb104041ef9d87f747bfee4 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 1 Sep 2015 11:38:15 -0700 -Subject: [PATCH] Improve fix for #70172 - ---- - ext/standard/tests/serialize/bug70172.phpt | 2 + - ext/standard/tests/serialize/bug70172_2.phpt | 68 ++++++++++++++++++++++++++++ - ext/standard/var.c | 3 +- - 3 files changed, 72 insertions(+), 1 deletion(-) - create mode 100644 ext/standard/tests/serialize/bug70172_2.phpt - -diff --git a/ext/standard/tests/serialize/bug70172.phpt b/ext/standard/tests/serialize/bug70172.phpt -index 0e9d7ed..0a4aa4b 100644 ---- a/ext/standard/tests/serialize/bug70172.phpt -+++ b/ext/standard/tests/serialize/bug70172.phpt -@@ -1,5 +1,7 @@ - --TEST-- - Bug #70172 - Use After Free Vulnerability in unserialize() -+--XFAIL-- -+Memory leak on debug build, needs fix. 
- --FILE-- - data); -+ } -+ function unserialize($data) { -+ $this->data = unserialize($data); -+ } -+} -+ -+class obj2 { -+ var $ryat; -+ function __wakeup() { -+ $this->ryat = 1; -+ } -+} -+ -+$fakezval = ptr2str(1122334455); -+$fakezval .= ptr2str(0); -+$fakezval .= "\x00\x00\x00\x00"; -+$fakezval .= "\x01"; -+$fakezval .= "\x00"; -+$fakezval .= "\x00\x00"; -+ -+$inner = 'r:2;'; -+$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}'; -+ -+$data = unserialize($exploit); -+ -+for ($i = 0; $i < 5; $i++) { -+ $v[$i] = $fakezval.$i; -+} -+ -+var_dump($data); -+ -+function ptr2str($ptr) -+{ -+ $out = ''; -+ for ($i = 0; $i < 8; $i++) { -+ $out .= chr($ptr & 0xff); -+ $ptr >>= 8; -+ } -+ return $out; -+} -+?> -+--EXPECTF-- -+array(2) { -+ [0]=> -+ object(obj2)#%d (1) { -+ ["ryat"]=> -+ int(1) -+ } -+ [1]=> -+ array(1) { -+ [0]=> -+ array(1) { -+ [0]=> -+ object(obj2)#%d (1) { -+ ["ryat"]=> -+ int(1) -+ } -+ } -+ } -+} -\ No newline at end of file -diff --git a/ext/standard/var.c b/ext/standard/var.c -index 33b976f..113b8cb 100644 ---- a/ext/standard/var.c -+++ b/ext/standard/var.c -@@ -981,7 +981,8 @@ PHP_FUNCTION(unserialize) - *old_rval = *return_value; - zval_copy_ctor(old_rval); - var_push_dtor_no_addref(&var_hash, &return_value); -- var_push_dtor_no_addref(&var_hash, &old_rval); -+ /* FIXME: old_rval is not freed in some scenarios, see bug #70172 -+ var_push_dtor_no_addref(&var_hash, &old_rval); */ - } else { - var_push_dtor(&var_hash, &return_value); - } --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-6834-2.patch b/SOURCES/php-5.6.5-CVE-2015-6834-2.patch deleted file mode 100644 index e8fd7fb..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-6834-2.patch +++ /dev/null 
@@ -1,191 +0,0 @@ -From f06a069c462d37c2e009f6d1d93b8c8e7b713393 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 1 Sep 2015 00:14:15 -0700 -Subject: [PATCH] Fix bug #70365 - use-after-free vulnerability in - unserialize() with SplObjectStorage - ---- - ext/spl/spl_observer.c | 2 ++ - ext/spl/tests/bug70365.phpt | 50 +++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 52 insertions(+) - create mode 100644 ext/spl/tests/bug70365.phpt - -diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c -index 5d94a3b..6a2e321 100644 ---- a/ext/spl/spl_observer.c -+++ b/ext/spl/spl_observer.c -@@ -869,6 +869,7 @@ SPL_METHOD(SplObjectStorage, unserialize) - zval_ptr_dtor(&pentry); - goto outexcept; - } -+ var_push_dtor(&var_hash, &pentry); - if(Z_TYPE_P(pentry) != IS_OBJECT) { - zval_ptr_dtor(&pentry); - goto outexcept; -@@ -880,6 +881,7 @@ SPL_METHOD(SplObjectStorage, unserialize) - zval_ptr_dtor(&pinf); - goto outexcept; - } -+ var_push_dtor(&var_hash, &pinf); - } - - hash = spl_object_storage_get_hash(intern, getThis(), pentry, &hash_len TSRMLS_CC); -diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt -new file mode 100644 -index 0000000..bd57360 ---- /dev/null -+++ b/ext/spl/tests/bug70365.phpt -@@ -0,0 +1,50 @@ -+--TEST-- -+SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage -+--FILE-- -+ryat = 1; -+ } -+} -+ -+$fakezval = ptr2str(1122334455); -+$fakezval .= ptr2str(0); -+$fakezval .= "\x00\x00\x00\x00"; -+$fakezval .= "\x01"; -+$fakezval .= "\x00"; -+$fakezval .= "\x00\x00"; -+ -+$inner = 'x:i:1;O:8:"stdClass":0:{},i:1;;m:a:0:{}'; -+$exploit = 'a:5:{i:0;i:1;i:1;C:16:"SplObjectStorage":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;R:6;i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; -+ -+$data = unserialize($exploit); -+ -+var_dump($data); -+ -+function ptr2str($ptr) -+{ -+ $out = ''; -+ for ($i = 0; $i < 8; $i++) { -+ $out .= chr($ptr & 0xff); -+ $ptr >>= 8; 
-+ } -+ return $out; -+} -+--EXPECTF-- -+array(5) { -+ [0]=> -+ int(1) -+ [1]=> -+ &int(1) -+ [2]=> -+ object(obj)#%d (1) { -+ ["ryat"]=> -+ &int(1) -+ } -+ [3]=> -+ int(1) -+ [4]=> -+ string(24) "%s" -+} --- -2.1.4 - -From 259057b2a484747a6c73ce54c4fa0f5acbd56179 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 1 Sep 2015 00:20:45 -0700 -Subject: [PATCH] Fix bug #70366 - use-after-free vulnerability in - unserialize() with SplDoublyLinkedList - ---- - ext/spl/spl_dllist.c | 1 + - ext/spl/tests/bug70365.phpt | 2 +- - ext/spl/tests/bug70366.phpt | 54 +++++++++++++++++++++++++++++++++++++++++++++ - 3 files changed, 56 insertions(+), 1 deletion(-) - create mode 100644 ext/spl/tests/bug70366.phpt - -diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c -index 011d7a6..ebe61c3 100644 ---- a/ext/spl/spl_dllist.c -+++ b/ext/spl/spl_dllist.c -@@ -1219,6 +1219,7 @@ SPL_METHOD(SplDoublyLinkedList, unserialize) - zval_ptr_dtor(&elem); - goto error; - } -+ var_push_dtor(&var_hash, &elem); - - spl_ptr_llist_push(intern->llist, elem TSRMLS_CC); - } -diff --git a/ext/spl/tests/bug70365.phpt b/ext/spl/tests/bug70365.phpt -index bd57360..c18110e 100644 ---- a/ext/spl/tests/bug70365.phpt -+++ b/ext/spl/tests/bug70365.phpt -@@ -1,5 +1,5 @@ - --TEST-- --SPL: Bug #70365 yet another use-after-free vulnerability in unserialize() with SplObjectStorage -+SPL: Bug #70365 use-after-free vulnerability in unserialize() with SplObjectStorage - --FILE-- - ryat = 1; -+ } -+} -+ -+$fakezval = ptr2str(1122334455); -+$fakezval .= ptr2str(0); -+$fakezval .= "\x00\x00\x00\x00"; -+$fakezval .= "\x01"; -+$fakezval .= "\x00"; -+$fakezval .= "\x00\x00"; -+ -+$inner = 'i:1234;:i:1;'; -+$exploit = 'a:5:{i:0;i:1;i:1;C:19:"SplDoublyLinkedList":'.strlen($inner).':{'.$inner.'}i:2;O:3:"obj":1:{s:4:"ryat";R:3;}i:3;a:1:{i:0;R:5;}i:4;s:'.strlen($fakezval).':"'.$fakezval.'";}'; -+ -+$data = unserialize($exploit); -+ -+var_dump($data); -+ -+function ptr2str($ptr) -+{ -+ $out = ''; -+ for ($i = 0; $i 
< 8; $i++) { -+ $out .= chr($ptr & 0xff); -+ $ptr >>= 8; -+ } -+ return $out; -+} -+?> -+--EXPECTF-- -+array(5) { -+ [0]=> -+ int(1) -+ [1]=> -+ &int(1) -+ [2]=> -+ object(obj)#%d (1) { -+ ["ryat"]=> -+ &int(1) -+ } -+ [3]=> -+ array(1) { -+ [0]=> -+ int(1) -+ } -+ [4]=> -+ string(24) "%s" -+} -\ No newline at end of file --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-6835.patch b/SOURCES/php-5.6.5-CVE-2015-6835.patch deleted file mode 100644 index a2536ac..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-6835.patch +++ /dev/null 
@@ -1,1021 +0,0 @@ -Patch cleanup for 5.6.5 - -From df4bf28f9f104ca3ef78ed94b497859f15b004e5 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 23 Aug 2015 13:27:59 -0700 -Subject: [PATCH] Fix bug #70219 (Use after free vulnerability in session - deserializer) - ---- - ext/session/session.c | 36 +- - ext/session/tests/session_decode_error2.phpt | 518 +++++------------------ - ext/session/tests/session_decode_variation3.phpt | 2 +- - ext/standard/tests/serialize/bug70219.phpt | 38 ++ - ext/standard/var_unserializer.c | 68 +-- - ext/standard/var_unserializer.re | 64 +-- - 6 files changed, 228 insertions(+), 498 deletions(-) - create mode 100644 ext/standard/tests/serialize/bug70219.phpt - -diff --git a/ext/session/session.c b/ext/session/session.c -index 306aba3..0e53c62 100644 ---- a/ext/session/session.c -+++ b/ext/session/session.c -@@ -210,16 +210,18 @@ static char *php_session_encode(int *newlen TSRMLS_DC) /* {{{ */ - } - /* }}} */ - --static void php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ -+static int php_session_decode(const char *val, int vallen TSRMLS_DC) /* {{{ */ - { - if (!PS(serializer)) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unknown session.serialize_handler. Failed to decode session object"); -- return; -+ return FAILURE; - } - if (PS(serializer)->decode(val, vallen TSRMLS_CC) == FAILURE) { - php_session_destroy(TSRMLS_C); - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Failed to decode session object. 
Session has been destroyed"); -+ return FAILURE; - } -+ return SUCCESS; - } - /* }}} */ - -@@ -855,8 +857,11 @@ PS_SERIALIZER_DECODE_FUNC(php_binary) /* {{{ */ - ALLOC_INIT_ZVAL(current); - if (php_var_unserialize(¤t, (const unsigned char **) &p, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { - php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); -+ } else { -+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); -+ return FAILURE; - } -- zval_ptr_dtor(¤t); -+ var_push_dtor_no_addref(&var_hash, ¤t); - } - PS_ADD_VARL(name, namelen); - efree(name); -@@ -947,8 +952,13 @@ PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */ - ALLOC_INIT_ZVAL(current); - if (php_var_unserialize(¤t, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC)) { - php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC); -+ } else { -+ var_push_dtor_no_addref(&var_hash, ¤t); -+ efree(name); -+ PHP_VAR_UNSERIALIZE_DESTROY(var_hash); -+ return FAILURE; - } -- zval_ptr_dtor(¤t); -+ var_push_dtor_no_addref(&var_hash, ¤t); - } - PS_ADD_VARL(name, namelen); - skip: -@@ -1922,9 +1932,7 @@ static PHP_FUNCTION(session_decode) - return; - } - -- php_session_decode(str, str_len TSRMLS_CC); -- -- RETURN_TRUE; -+ RETVAL_BOOL(php_session_decode(str, str_len TSRMLS_CC) == SUCCESS); - } - /* }}} */ - -diff --git a/ext/session/tests/session_decode_error2.phpt b/ext/session/tests/session_decode_error2.phpt -index 4160f87..515047b 100644 ---- a/ext/session/tests/session_decode_error2.phpt -+++ b/ext/session/tests/session_decode_error2.phpt -@@ -53,563 +53,247 @@ array(0) { - } - - -- Iteration 4 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+ -+Warning: session_decode(): Failed to decode session object. 
Session has been destroyed in %s/session_decode_error2.php on line %d -+bool(false) -+array(0) { - } - - -- Iteration 5 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 6 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 7 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 8 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 9 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 10 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 11 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 12 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 13 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 14 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 15 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 16 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 17 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 18 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 19 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 20 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 21 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 22 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 23 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) 
-+array(0) { - } - - -- Iteration 24 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 25 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 26 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 27 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 28 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 29 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 30 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 31 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 32 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 33 -- --bool(true) --array(1) { -- ["foo"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 34 -- --bool(true) --array(1) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 35 -- --bool(true) --array(1) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 36 -- --bool(true) --array(1) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 37 -- --bool(true) --array(1) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 38 -- --bool(true) --array(1) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 39 -- --bool(true) --array(2) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- 
int(3) -- } -- ["guff"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 40 -- --bool(true) --array(2) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 41 -- --bool(true) --array(2) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 42 -- --bool(true) --array(2) { -- ["foo"]=> -- array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 43 -- --bool(true) --array(2) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 44 -- --bool(true) --array(2) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 45 -- --bool(true) --array(2) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 46 -- --bool(true) --array(2) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 47 -- --bool(true) --array(2) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -+bool(false) -+array(0) { - } - - -- Iteration 48 -- --bool(true) --array(3) { -- 
["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["blah"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 49 -- --bool(true) --array(3) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["blah"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 50 -- --bool(true) --array(3) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["blah"]=> -- NULL -+bool(false) -+array(0) { - } - - -- Iteration 51 -- --bool(true) --array(3) { -- ["foo"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["guff"]=> -- &array(3) { -- [0]=> -- int(1) -- [1]=> -- int(2) -- [2]=> -- int(3) -- } -- ["blah"]=> -- NULL -+bool(false) -+array(0) { - } --bool(true) --Done - -+Warning: session_destroy(): Trying to destroy uninitialized session in %s/session_decode_error2.php on line %d -+bool(false) -+Done -diff --git a/ext/session/tests/session_decode_variation3.phpt b/ext/session/tests/session_decode_variation3.phpt -index 4a6f768..0960531 100644 ---- a/ext/session/tests/session_decode_variation3.phpt -+++ b/ext/session/tests/session_decode_variation3.phpt -@@ -49,7 +49,7 @@ array(3) { - } - - Warning: session_decode(): Unknown session.serialize_handler. 
Failed to decode session object in %s on line %d --bool(true) -+bool(false) - array(3) { - ["foo"]=> - int(1234567890) -diff --git a/ext/standard/tests/serialize/bug70219.phpt b/ext/standard/tests/serialize/bug70219.phpt -new file mode 100644 -index 0000000..84a059f ---- /dev/null -+++ b/ext/standard/tests/serialize/bug70219.phpt -@@ -0,0 +1,38 @@ -+--TEST-- -+Bug #70219 Use after free vulnerability in session deserializer -+--FILE-- -+data); -+ } -+ function unserialize($data) { -+ session_start(); -+ session_decode($data); -+ } -+} -+ -+$inner = 'ryat|a:1:{i:0;a:1:{i:1;'; -+$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}'; -+ -+$data = unserialize($exploit); -+ -+for ($i = 0; $i < 5; $i++) { -+ $v[$i] = 'hi'.$i; -+} -+ -+var_dump($data); -+?> -+--EXPECTF-- -+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d -+array(2) { -+ [0]=> -+ object(obj)#%d (1) { -+ ["data"]=> -+ NULL -+ } -+ [1]=> -+ array(0) { -+ } -+} -diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c -index ee0cac4..ffaf680 100644 ---- a/ext/standard/var_unserializer.c -+++ b/ext/standard/var_unserializer.c -@@ -90,7 +90,13 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) - - PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) - { -- var_entries *var_hash = (*var_hashx)->last_dtor; -+ var_entries *var_hash; -+ -+ if (!var_hashx || !*var_hashx) { -+ return; -+ } -+ -+ var_hash = (*var_hashx)->last_dtor; - #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); - #endif -@@ -301,24 +307,20 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long - ALLOC_INIT_ZVAL(key); - - if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) { -- zval_dtor(key); -- FREE_ZVAL(key); -+ var_push_dtor_no_addref(var_hash, &key); - 
return 0; - } - - if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) { -- zval_dtor(key); -- FREE_ZVAL(key); -+ var_push_dtor_no_addref(var_hash, &key); - return 0; - } - - ALLOC_INIT_ZVAL(data); - - if (!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { -- zval_dtor(key); -- FREE_ZVAL(key); -- zval_dtor(data); -- FREE_ZVAL(data); -+ var_push_dtor_no_addref(var_hash, &key); -+ var_push_dtor_no_addref(var_hash, &data); - return 0; - } - -@@ -347,9 +349,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long - sizeof data, NULL); - } - var_push_dtor(var_hash, &data); -- -- zval_dtor(key); -- FREE_ZVAL(key); -+ var_push_dtor_no_addref(var_hash, &key); - - if (elements && *(*p-1) != ';' && *(*p-1) != '}') { - (*p)--; -diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re -index abac77c..f02602c 100644 ---- a/ext/standard/var_unserializer.re -+++ b/ext/standard/var_unserializer.re -@@ -89,7 +89,13 @@ PHPAPI void var_push_dtor(php_unserialize_data_t *var_hashx, zval **rval) - - PHPAPI void var_push_dtor_no_addref(php_unserialize_data_t *var_hashx, zval **rval) - { -- var_entries *var_hash = (*var_hashx)->last_dtor; -+ var_entries *var_hash; -+ -+ if (!var_hashx || !*var_hashx) { -+ return; -+ } -+ -+ var_hash = (*var_hashx)->last_dtor; - #if VAR_ENTRIES_DBG - fprintf(stderr, "var_push_dtor_no_addref(%ld): %d (%d)\n", var_hash?var_hash->used_slots:-1L, Z_TYPE_PP(rval), Z_REFCOUNT_PP(rval)); - #endif -@@ -307,24 +313,20 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long - ALLOC_INIT_ZVAL(key); - - if (!php_var_unserialize(&key, p, max, NULL TSRMLS_CC)) { -- zval_dtor(key); -- FREE_ZVAL(key); -+ var_push_dtor_no_addref(var_hash, &key); - return 0; - } - - if (Z_TYPE_P(key) != IS_LONG && Z_TYPE_P(key) != IS_STRING) { -- zval_dtor(key); -- FREE_ZVAL(key); -+ var_push_dtor_no_addref(var_hash, &key); - return 0; - } - - ALLOC_INIT_ZVAL(data); - - if 
(!php_var_unserialize(&data, p, max, var_hash TSRMLS_CC)) { -- zval_dtor(key); -- FREE_ZVAL(key); -- zval_dtor(data); -- FREE_ZVAL(data); -+ var_push_dtor_no_addref(var_hash, &key); -+ var_push_dtor_no_addref(var_hash, &data); - return 0; - } - -@@ -353,9 +355,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long - sizeof data, NULL); - } - var_push_dtor(var_hash, &data); -- -- zval_dtor(key); -- FREE_ZVAL(key); -+ var_push_dtor_no_addref(var_hash, &key); - - if (elements && *(*p-1) != ';' && *(*p-1) != '}') { - (*p)--; --- -2.1.4 - -From fc8eff897bd7fe3fed7f6867d2d6a86117a5278d Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Fri, 28 Aug 2015 21:50:21 -0700 -Subject: [PATCH] More fixes for bug #70219 - ---- - ext/session/session.c | 7 +++-- - ext/standard/tests/serialize/bug70219_1.phpt | 46 ++++++++++++++++++++++++++++ - 2 files changed, 51 insertions(+), 2 deletions(-) - create mode 100644 ext/standard/tests/serialize/bug70219_1.phpt - -diff --git a/ext/session/session.c b/ext/session/session.c -index 247f9b2..f5439ea 100644 ---- a/ext/session/session.c -+++ b/ext/session/session.c -@@ -863,7 +863,10 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ - - PHP_VAR_UNSERIALIZE_INIT(var_hash); - ALLOC_INIT_ZVAL(session_vars); -- php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC); -+ if (php_var_unserialize(&session_vars, &val, endptr, &var_hash TSRMLS_CC)) { -+ var_push_dtor(&var_hash, &session_vars); -+ } -+ - PHP_VAR_UNSERIALIZE_DESTROY(var_hash); - if (PS(http_session_vars)) { - zval_ptr_dtor(&PS(http_session_vars)); -@@ -872,7 +875,7 @@ PS_SERIALIZER_DECODE_FUNC(php_serialize) /* {{{ */ - array_init(session_vars); - } - PS(http_session_vars) = session_vars; -- ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), 2, 1); -+ ZEND_SET_GLOBAL_VAR_WITH_LENGTH("_SESSION", sizeof("_SESSION"), PS(http_session_vars), Z_REFCOUNT_P(PS(http_session_vars)) + 1, 1); - return 
SUCCESS; - } - /* }}} */ -diff --git a/ext/standard/tests/serialize/bug70219_1.phpt b/ext/standard/tests/serialize/bug70219_1.phpt -new file mode 100644 -index 0000000..f9c4c67 ---- /dev/null -+++ b/ext/standard/tests/serialize/bug70219_1.phpt -@@ -0,0 +1,46 @@ -+--TEST-- -+Bug #70219 Use after free vulnerability in session deserializer -+--FILE-- -+data); -+ } -+ function unserialize($data) { -+ session_decode($data); -+ } -+} -+ -+$inner = 'r:2;'; -+$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}'; -+ -+$data = unserialize($exploit); -+ -+for ($i = 0; $i < 5; $i++) { -+ $v[$i] = 'hi'.$i; -+} -+ -+var_dump($data); -+var_dump($_SESSION); -+?> -+--EXPECTF-- -+array(2) { -+ [0]=> -+ &object(obj)#%d (1) { -+ ["data"]=> -+ NULL -+ } -+ [1]=> -+ object(obj)#%d (1) { -+ ["data"]=> -+ NULL -+ } -+} -+object(obj)#1 (1) { -+ ["data"]=> -+ NULL -+} -\ No newline at end of file --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-6836.patch b/SOURCES/php-5.6.5-CVE-2015-6836.patch deleted file mode 100644 index eaf1e7e..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-6836.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -Patch cleanup for 5.6.5 - -From e201f01ac17243a1e5fb6a3911ed8e21b1619ac1 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 31 Aug 2015 21:06:03 -0700 -Subject: [PATCH] Fix bug #70388 - SOAP serialize_function_call() type - confusion - ---- - ext/soap/soap.c | 96 ++++++++++++++++++++++++-------------------- - ext/soap/tests/bug70388.phpt | 17 ++++++++ - 2 files changed, 69 insertions(+), 44 deletions(-) - create mode 100644 ext/soap/tests/bug70388.phpt - -diff --git a/ext/soap/soap.c b/ext/soap/soap.c -index 1b8f545..a0e64a3 100644 ---- a/ext/soap/soap.c -+++ b/ext/soap/soap.c -@@ -2921,8 +2921,10 @@ PHP_METHOD(SoapClient, __call) - } - zend_hash_internal_pointer_reset(default_headers); - while (zend_hash_get_current_data(default_headers, (void**)&tmp) == SUCCESS) { -- Z_ADDREF_PP(tmp); -- zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); -+ if(Z_TYPE_PP(tmp) == IS_OBJECT) { -+ Z_ADDREF_PP(tmp); -+ zend_hash_next_index_insert(soap_headers, tmp, sizeof(zval *), NULL); -+ } - zend_hash_move_forward(default_headers); - } - } else { -@@ -4346,11 +4348,18 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function - if (head) { - zval** header; - -- zend_hash_internal_pointer_reset(soap_headers); -- while (zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS) { -- HashTable *ht = Z_OBJPROP_PP(header); -+ for(zend_hash_internal_pointer_reset(soap_headers); -+ zend_hash_get_current_data(soap_headers,(void**)&header) == SUCCESS; -+ zend_hash_move_forward(soap_headers) -+ ) { -+ HashTable *ht; - zval **name, **ns, **tmp; - -+ if (Z_TYPE_PP(header) != IS_OBJECT) { -+ continue; -+ } -+ -+ ht = Z_OBJPROP_PP(header); - if (zend_hash_find(ht, "name", sizeof("name"), (void**)&name) == SUCCESS && - Z_TYPE_PP(name) == IS_STRING && - zend_hash_find(ht, "namespace", sizeof("namespace"), (void**)&ns) == SUCCESS && -@@ -4389,7 +4398,6 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, 
sdlFunctionPtr function - xmlSetNs(h, nsptr); - set_soap_header_attributes(h, ht, version); - } -- zend_hash_move_forward(soap_headers); - } - } - -diff --git a/ext/soap/tests/bug70388.phpt b/ext/soap/tests/bug70388.phpt -new file mode 100644 -index 0000000..49a8efc ---- /dev/null -+++ b/ext/soap/tests/bug70388.phpt -@@ -0,0 +1,17 @@ -+--TEST-- -+Bug #70388 (SOAP serialize_function_call() type confusion / RCE) -+--SKIPIF-- -+ -+--FILE-- -+notexisting()); -+} catch(Exception $e) { -+ var_dump($e->getMessage()); -+ var_dump(get_class($e)); -+} -+?> -+--EXPECTF-- -+string(%d) "%s" -+string(9) "SoapFault" -\ No newline at end of file --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-CVE-2015-6837.patch b/SOURCES/php-5.6.5-CVE-2015-6837.patch deleted file mode 100644 index 3be1430..0000000 --- a/SOURCES/php-5.6.5-CVE-2015-6837.patch +++ /dev/null 
@@ -1,42 +0,0 @@
-Patch cleanup for 5.6.5
-
-From 1744be2d17befc69bf00033993f4081852a747d6 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Sun, 16 Aug 2015 17:16:15 -0700
-Subject: [PATCH] Fix for bug #69782
-
----
- ext/xsl/xsltprocessor.c | 142 +++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 69 deletions(-)
-
-diff --git a/ext/xsl/xsltprocessor.c b/ext/xsl/xsltprocessor.c
-index 67c90f5..d21a8eb 100644
---- a/ext/xsl/xsltprocessor.c
-+++ b/ext/xsl/xsltprocessor.c
-@@ -223,7 +223,9 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
- if (error == 1) {
- for (i = nargs - 1; i >= 0; i--) {
- obj = valuePop(ctxt);
-- xmlXPathFreeObject(obj);
-+ if (obj) {
-+ xmlXPathFreeObject(obj);
-+ }
- }
- return;
- }
-@@ -304,7 +306,9 @@ static void xsl_ext_function_php(xmlXPathParserContextPtr ctxt, int nargs, int t
- obj = valuePop(ctxt);
-- if (obj->stringval == NULL) {
-- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string");
-- xmlXPathFreeObject(obj);
-+ if (obj == NULL || obj->stringval == NULL) {
-+ if (obj) {
-+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Handler name must be a string");
-+ xmlXPathFreeObject(obj);
-+ }
- valuePush(ctxt, xmlXPathNewString(""));
- if (fci.param_count > 0) {
- for (i = 0; i < nargs - 1; i++) {
---
-2.1.4
-
diff --git a/SOURCES/php-5.6.5-CVE-2015-7803.patch b/SOURCES/php-5.6.5-CVE-2015-7803.patch
deleted file mode 100644
index e92065e..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-7803.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-Patch cleanup for 5.6.5
-Binary diff removed
-
-From d698f0ae51f67c9cce870b09c59df3d6ba959244 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Mon, 28 Sep 2015 15:51:59 -0700
-Subject: [PATCH] Fix bug #69720: Null pointer dereference in
- phar_get_fp_offset()
-
----
- ext/phar/tests/bug69720.phar | Bin 0 -> 8192 bytes
- ext/phar/tests/bug69720.phpt | 40 ++++++++++++++++++++++++++++++++++++++++
- ext/phar/util.c | 6 +++++-
- 3 files changed, 45 insertions(+), 1 deletion(-)
- create mode 100644 ext/phar/tests/bug69720.phar
- create mode 100644 ext/phar/tests/bug69720.phpt
-
-diff --git a/ext/phar/util.c b/ext/phar/util.c
-index 2c41adf..69da7b9 100644
---- a/ext/phar/util.c
-+++ b/ext/phar/util.c
-@@ -494,7 +494,11 @@ int phar_get_entry_data(phar_entry_data **ret, char *fname, int fname_len, char
- (*ret)->is_tar = entry->is_tar;
- (*ret)->fp = phar_get_efp(entry, 1 TSRMLS_CC);
- if (entry->link) {
-- (*ret)->zero = phar_get_fp_offset(phar_get_link_source(entry TSRMLS_CC) TSRMLS_CC);
-+ phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
-+ if(!link) {
-+ return FAILURE;
-+ }
-+ (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
- } else {
- (*ret)->zero = phar_get_fp_offset(entry TSRMLS_CC);
- }
-From f98ab19dc0c978e3caaa2614579e4a61f2c317f5 Mon Sep 17 00:00:00 2001
-From: Stanislav Malyshev
-Date: Mon, 28 Sep 2015 20:43:18 -0700
-Subject: [PATCH] fix memory leak
-
----
- ext/phar/util.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ext/phar/util.c b/ext/phar/util.c
-index 69da7b9..e7decda 100644
---- a/ext/phar/util.c
-+++ b/ext/phar/util.c
-@@ -496,6 +496,7 @@ int phar_get_entry_data(phar_entry_data **ret, char *fname, int fname_len, char
- if (entry->link) {
- phar_entry_info *link = phar_get_link_source(entry TSRMLS_CC);
- if(!link) {
-+ efree(*ret);
- return FAILURE;
- }
- (*ret)->zero = phar_get_fp_offset(link TSRMLS_CC);
diff --git a/SOURCES/php-5.6.5-CVE-2015-7804.patch b/SOURCES/php-5.6.5-CVE-2015-7804.patch
deleted file mode 100644
index 4060535..0000000
--- a/SOURCES/php-5.6.5-CVE-2015-7804.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -Patch cleanup for 5.6.5 -Binary diff removed - -From e78ac461dbefb7c4a3e9fde78d50fbc56b7b0183 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 28 Sep 2015 17:12:35 -0700 -Subject: [PATCH] FIx bug #70433 - Uninitialized pointer in phar_make_dirstream - when zip entry filename is "/" - ---- - ext/phar/dirstream.c | 2 +- - ext/phar/tests/bug70433.phpt | 23 +++++++++++++++++++++++ - ext/phar/tests/bug70433.zip | Bin 0 -> 264 bytes - 3 files changed, 24 insertions(+), 1 deletion(-) - create mode 100644 ext/phar/tests/bug70433.phpt - create mode 100755 ext/phar/tests/bug70433.zip - -diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c -index 75cf049..4728e29 100644 ---- a/ext/phar/dirstream.c -+++ b/ext/phar/dirstream.c -@@ -198,7 +198,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC) - zend_hash_internal_pointer_reset(manifest); - - while (FAILURE != zend_hash_has_more_elements(manifest)) { -- if (HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { -+ if (HASH_KEY_IS_STRING != zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { - break; - } - -From 1ddf72180a52d247db88ea42a3e35f824a8fbda1 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Mon, 28 Sep 2015 21:37:26 -0700 -Subject: [PATCH] Better fix for bug #70433 - ---- - ext/phar/dirstream.c | 2 +- - ext/phar/util.c | 2 +- - ext/phar/zip.c | 4 +++- - 3 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/ext/phar/dirstream.c b/ext/phar/dirstream.c -index 4728e29..75cf049 100644 ---- a/ext/phar/dirstream.c -+++ b/ext/phar/dirstream.c -@@ -198,7 +198,7 @@ static php_stream *phar_make_dirstream(char *dir, HashTable *manifest TSRMLS_DC) - zend_hash_internal_pointer_reset(manifest); - - while (FAILURE != zend_hash_has_more_elements(manifest)) { -- if (HASH_KEY_IS_STRING != zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { -+ if 
(HASH_KEY_NON_EXISTENT == zend_hash_get_current_key_ex(manifest, &str_key, &keylen, &unused, 0, NULL)) { - break; - } - -diff --git a/ext/phar/util.c b/ext/phar/util.c -index e7decda..303daed 100644 ---- a/ext/phar/util.c -+++ b/ext/phar/util.c -@@ -1970,7 +1970,7 @@ void phar_add_virtual_dirs(phar_archive_data *phar, char *filename, int filename - - while ((s = zend_memrchr(filename, '/', filename_len))) { - filename_len = s - filename; -- if (FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) { -+ if (!filename_len || FAILURE == zend_hash_add_empty_element(&phar->virtual_dirs, filename, filename_len)) { - break; - } - } -diff --git a/ext/phar/zip.c b/ext/phar/zip.c -index 142165c..e4883d3 100644 ---- a/ext/phar/zip.c -+++ b/ext/phar/zip.c -@@ -396,7 +396,9 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, - - if (entry.filename[entry.filename_len - 1] == '/') { - entry.is_dir = 1; -- entry.filename_len--; -+ if(entry.filename_len > 1) { -+ entry.filename_len--; -+ } - entry.flags |= PHAR_ENT_PERM_DEF_DIR; - } else { - entry.is_dir = 0; diff --git a/SOURCES/php-5.6.5-CVE-2016-5385.patch b/SOURCES/php-5.6.5-CVE-2016-5385.patch deleted file mode 100644 index 2853355..0000000 --- a/SOURCES/php-5.6.5-CVE-2016-5385.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -Adapted for 5.6 from: - - -From 98b9dfaec95e6f910f125ed172cdbd25abd006ec Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 10 Jul 2016 16:17:54 -0700 -Subject: [PATCH] Fix for HTTP_PROXY issue. - -The following changes are made: -- _SERVER/_ENV only has HTTP_PROXY if the local environment has it, - and only one from the environment. -- getenv('HTTP_PROXY') only returns one from the local environment -- getenv has optional second parameter, telling it to only consider - local environment - ---- php-5.6.23/ext/standard/basic_functions.c 2016-06-22 03:50:40.000000000 +0200 -+++ php-5.6.24/ext/standard/basic_functions.c 2016-07-21 02:23:03.000000000 +0200 -@@ -635,8 +635,9 @@ - ZEND_ARG_INFO(0, proper_address) - ZEND_END_ARG_INFO() - --ZEND_BEGIN_ARG_INFO(arginfo_getenv, 0) -+ZEND_BEGIN_ARG_INFO_EX(arginfo_getenv, 0, 0, 1) - ZEND_ARG_INFO(0, varname) -+ ZEND_ARG_INFO(0, local_only) - ZEND_END_ARG_INFO() - - #ifdef HAVE_PUTENV -@@ -3977,21 +3978,24 @@ - * System Functions * - ********************/ - --/* {{{ proto string getenv(string varname) -+/* {{{ proto string getenv(string varname[, bool local_only]) - Get the value of an environment variable */ - PHP_FUNCTION(getenv) - { - char *ptr, *str; - int str_len; -+ zend_bool local_only = 0; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|b", &str, &str_len, &local_only) == FAILURE) { - RETURN_FALSE; - } - -- /* SAPI method returns an emalloc()'d string */ -- ptr = sapi_getenv(str, str_len TSRMLS_CC); -- if (ptr) { -- RETURN_STRING(ptr, 0); -+ if (!local_only) { -+ /* SAPI method returns an emalloc()'d string */ -+ ptr = sapi_getenv(str, str_len TSRMLS_CC); -+ if (ptr) { -+ RETURN_STRING(ptr, 0); -+ } - } - #ifdef PHP_WIN32 - { ---- php-5.6.23/main/SAPI.c 2016-06-22 03:50:40.000000000 +0200 -+++ php-5.6.24/main/SAPI.c 2016-07-21 02:23:03.000000000 +0200 -@@ -1020,6 +1020,10 @@ - - 
SAPI_API char *sapi_getenv(char *name, size_t name_len TSRMLS_DC) - { -+ if (!strncasecmp(name, "HTTP_PROXY", name_len)) { -+ /* Ugly fix for HTTP_PROXY issue, see bug #72573 */ -+ return NULL; -+ } - if (sapi_module.getenv) { - char *value, *tmp = sapi_module.getenv(name, name_len TSRMLS_CC); - if (tmp) { ---- php-5.6.23/main/php_variables.c 2016-06-22 03:50:40.000000000 +0200 -+++ php-5.6.24/main/php_variables.c 2016-07-21 02:23:03.000000000 +0200 -@@ -798,6 +798,23 @@ - return 0; /* don't rearm */ - } - -+/* Upgly hack to fix HTTP_PROXY issue, see bug #72573 */ -+static void check_http_proxy(HashTable *var_table) -+{ -+ if (zend_hash_exists(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"))) { -+ char *local_proxy = getenv("HTTP_PROXY"); -+ -+ if (!local_proxy) { -+ zend_hash_del(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY")); -+ } else { -+ zval *local_zval; -+ ALLOC_INIT_ZVAL(local_zval); -+ ZVAL_STRING(local_zval, local_proxy, 1); -+ zend_hash_update(var_table, "HTTP_PROXY", sizeof("HTTP_PROXY"), &local_zval, sizeof(zval **), NULL); -+ } -+ } -+} -+ - static zend_bool php_auto_globals_create_server(const char *name, uint name_len TSRMLS_DC) - { - if (PG(variables_order) && (strchr(PG(variables_order),'S') || strchr(PG(variables_order),'s'))) { -@@ -830,6 +647,7 @@ - PG(http_globals)[TRACK_VARS_SERVER] = server_vars; - } - -+ check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_SERVER])); - zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_SERVER], sizeof(zval *), NULL); - Z_ADDREF_P(PG(http_globals)[TRACK_VARS_SERVER]); - -@@ -851,6 +869,7 @@ - php_import_environment_variables(PG(http_globals)[TRACK_VARS_ENV] TSRMLS_CC); - } - -+ check_http_proxy(Z_ARRVAL_P(PG(http_globals)[TRACK_VARS_ENV])); - zend_hash_update(&EG(symbol_table), name, name_len + 1, &PG(http_globals)[TRACK_VARS_ENV], sizeof(zval *), NULL); - Z_ADDREF_P(PG(http_globals)[TRACK_VARS_ENV]); - 
diff --git a/SOURCES/php-5.6.5-bug68819.patch b/SOURCES/php-5.6.5-bug68819.patch
deleted file mode 100644
index b93c492..0000000
--- a/SOURCES/php-5.6.5-bug68819.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From f938112c495b0d26572435c0be73ac0bfe642ecd Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sat, 4 Apr 2015 15:01:37 -0700 -Subject: [PATCH] Fix bug #68819 (Fileinfo on specific file causes spurious OOM - and/or segfault) - ---- - ext/fileinfo/libmagic/softmagic.c | 3 +++ - ext/fileinfo/tests/bug68819_001.phpt | 18 ++++++++++++++++++ - ext/fileinfo/tests/bug68819_002.phpt | 26 ++++++++++++++++++++++++++ - 3 files changed, 47 insertions(+) - create mode 100644 ext/fileinfo/tests/bug68819_001.phpt - create mode 100644 ext/fileinfo/tests/bug68819_002.phpt - -diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c -index e7b7855..54c1a03 100644 ---- a/ext/fileinfo/libmagic/softmagic.c -+++ b/ext/fileinfo/libmagic/softmagic.c -@@ -1072,6 +1072,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir, - if (bytecnt > nbytes) { - bytecnt = nbytes; - } -+ if (offset > bytecnt) { -+ offset = bytecnt; -+ } - if (s == NULL) { - ms->search.s_len = 0; - ms->search.s = NULL; -diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt -new file mode 100644 -index 0000000..ce39ee6 ---- /dev/null -+++ b/ext/fileinfo/tests/bug68819_001.phpt -@@ -0,0 +1,18 @@ -+--TEST-- -+Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1 -+--SKIPIF-- -+ -+--FILE-- -+buffer($string); -+ -+var_dump($type); -+?> -+--EXPECT-- -+string(60) "ASCII text, with very long lines, with CRLF line terminators" -diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt -new file mode 100644 -index 0000000..cec238d ---- /dev/null -+++ b/ext/fileinfo/tests/bug68819_002.phpt -@@ -0,0 +1,26 @@ -+--TEST-- -+Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2 -+--SKIPIF-- -+ -+--FILE-- -+ 8192 -+$string .= str_repeat(chr(rand(32, 127)), 8184); -+ -+// Ending in this string -+$string .= "say"; -+ -+$finfo = new finfo(); -+$type = 
$finfo->buffer($string); -+var_dump($type); -+ -+?> -+--EXPECT-- -+string(60) "ASCII text, with very long lines, with CRLF line terminators" --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-bug69085.patch b/SOURCES/php-5.6.5-bug69085.patch deleted file mode 100644 index 0b86156..0000000 --- a/SOURCES/php-5.6.5-bug69085.patch +++ /dev/null 
@@ -1,427 +0,0 @@ -Single patch merged from - -From 997b7e56302710bb3db00b56d0629ac75d73a207 Mon Sep 17 00:00:00 2001 -From: Xinchen Hui -Date: Fri, 27 Feb 2015 23:32:32 +0800 -Subject: [PATCH] Fixed bug #69085 (SoapClient's __call() type confusion - through unserialize()). - -From 0c136a2abd49298b66acb0cad504f0f972f5bfe8 Mon Sep 17 00:00:00 2001 -From: Dmitry Stogov -Date: Tue, 3 Mar 2015 09:44:46 +0300 -Subject: [PATCH] Added type checks - -From c8eaca013a3922e8383def6158ece2b63f6ec483 Mon Sep 17 00:00:00 2001 -From: Dmitry Stogov -Date: Tue, 3 Mar 2015 10:43:48 +0300 -Subject: [PATCH] Added type checks - -From 76c1ec5e96640e3076c105bde2cccfceb7557690 Mon Sep 17 00:00:00 2001 -From: Xinchen Hui -Date: Wed, 25 Mar 2015 12:07:25 +0800 -Subject: [PATCH] Bug #69293 NEW segfault when using - SoapClient::__setSoapHeader (bisected, regression) - -From c61ceef7796b3967dd5e270245d33ba72ba055ee Mon Sep 17 00:00:00 2001 -From: Remi Collet -Date: Mon, 13 Apr 2015 14:39:11 +0200 -Subject: [PATCH] fix type in fix for #69085 - -diff -I Copyright -up a/ext/soap/php_encoding.c ext/soap/php_encoding.c ---- a/ext/soap/php_encoding.c 2015-01-21 01:40:37.000000000 +0100 -+++ b/ext/soap/php_encoding.c 2015-04-15 14:03:43.585454281 +0200 -@@ -402,12 +402,15 @@ static xmlNodePtr master_to_xml_int(enco - encodePtr enc = NULL; - HashTable *ht = Z_OBJPROP_P(data); - -- if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { -+ if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || -+ Z_TYPE_PP(ztype) != IS_LONG) { - soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); - } - -- if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { -- if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { -+ if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && -+ Z_TYPE_PP(zstype) == IS_STRING) { -+ if (zend_hash_find(ht, "enc_ns", 
sizeof("enc_ns"), (void **)&zns) == SUCCESS && -+ Z_TYPE_PP(zns) == IS_STRING) { - enc = get_encoder(SOAP_GLOBAL(sdl), Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); - } else { - zns = NULL; -@@ -443,8 +446,10 @@ static xmlNodePtr master_to_xml_int(enco - } - - if (style == SOAP_ENCODED || (SOAP_GLOBAL(sdl) && encode != enc)) { -- if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) { -- if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) { -+ if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS && -+ Z_TYPE_PP(zstype) == IS_STRING) { -+ if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS && -+ Z_TYPE_PP(zns) == IS_STRING) { - set_ns_and_type_ex(node, Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype)); - } else { - set_ns_and_type_ex(node, NULL, Z_STRVAL_PP(zstype)); -@@ -452,10 +457,12 @@ static xmlNodePtr master_to_xml_int(enco - } - } - -- if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS) { -+ if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS && -+ Z_TYPE_PP(zname) == IS_STRING) { - xmlNodeSetName(node, BAD_CAST(Z_STRVAL_PP(zname))); - } -- if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS) { -+ if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS && -+ Z_TYPE_PP(znamens) == IS_STRING) { - xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens)); - xmlSetNs(node, nsp); - } -@@ -3638,18 +3645,21 @@ static encodePtr get_array_type(xmlNodeP - Z_OBJCE_PP(tmp) == soap_var_class_entry) { - zval **ztype; - -- if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) { -+ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE || -+ Z_TYPE_PP(ztype) != IS_LONG) { - soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property"); - } - cur_type = 
Z_LVAL_PP(ztype); - -- if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS && -+ Z_TYPE_PP(ztype) == IS_STRING) { - cur_stype = Z_STRVAL_PP(ztype); - } else { - cur_stype = NULL; - } - -- if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS && -+ Z_TYPE_PP(ztype) == IS_STRING) { - cur_ns = Z_STRVAL_PP(ztype); - } else { - cur_ns = NULL; -diff -I Copyright -up a/ext/soap/php_http.c ext/soap/php_http.c ---- a/ext/soap/php_http.c 2015-01-21 01:40:37.000000000 +0100 -+++ b/ext/soap/php_http.c 2015-04-15 14:03:43.586454288 +0200 -@@ -36,14 +36,16 @@ int proxy_authentication(zval* this_ptr, - { - zval **login, **password; - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS && -+ Z_TYPE_PP(login) == IS_STRING) { - unsigned char* buf; - int len; - smart_str auth = {0}; - - smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); - smart_str_appendc(&auth, ':'); -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS && -+ Z_TYPE_PP(password) == IS_STRING) { - smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); - } - smart_str_0(&auth); -@@ -64,14 +66,16 @@ int basic_authentication(zval* this_ptr, - zval **login, **password; - - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_login", sizeof("_login"), (void **)&login) == SUCCESS && -- !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", 
sizeof("_digest"))) { -+ Z_TYPE_PP(login) == IS_STRING && -+ !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) { - unsigned char* buf; - int len; - smart_str auth = {0}; - - smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login)); - smart_str_appendc(&auth, ':'); -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS && -+ Z_TYPE_PP(password) == IS_STRING) { - smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password)); - } - smart_str_0(&auth); -@@ -571,6 +575,7 @@ try_again: - } - if (!http_1_1 || - (zend_hash_find(Z_OBJPROP_P(this_ptr), "_keep_alive", sizeof("_keep_alive"), (void **)&tmp) == SUCCESS && -+ (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) && - Z_LVAL_PP(tmp) == 0)) { - smart_str_append_const(&soap_headers, "\r\n" - "Connection: close\r\n"); -@@ -804,7 +809,8 @@ try_again: - } - - /* Send cookies along with request */ -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && -+ Z_TYPE_PP(cookies) == IS_ARRAY) { - zval **data; - char *key; - uint key_len; -@@ -848,7 +854,7 @@ try_again: - smart_str_append_const(&soap_headers, "\r\n"); - smart_str_0(&soap_headers); - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && -- Z_LVAL_PP(trace) > 0) { -+ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { - add_property_stringl(this_ptr, "__last_request_headers", soap_headers.c, soap_headers.len, 1); - } - smart_str_appendl(&soap_headers, request, request_size); -@@ -893,7 +899,7 @@ try_again: - } - - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && 
-- Z_LVAL_PP(trace) > 0) { -+ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { - add_property_stringl(this_ptr, "__last_response_headers", http_headers, http_header_size, 1); - } - -@@ -942,7 +948,8 @@ try_again: - char *eqpos, *sempos; - zval **cookies; - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || -+ Z_TYPE_PP(cookies) != IS_ARRAY) { - zval *tmp_cookies; - MAKE_STD_ZVAL(tmp_cookies); - array_init(tmp_cookies); -diff -I Copyright -up a/ext/soap/soap.c ext/soap/soap.c ---- a/ext/soap/soap.c 2015-01-21 01:40:37.000000000 +0100 -+++ b/ext/soap/soap.c 2015-04-15 14:03:43.592454334 +0200 -@@ -932,6 +932,12 @@ PHP_METHOD(SoapFault, __toString) - - zend_call_function(&fci, NULL TSRMLS_CC); - -+ convert_to_string(faultcode); -+ convert_to_string(faultstring); -+ convert_to_string(file); -+ convert_to_long(line); -+ convert_to_string(trace); -+ - len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s", - Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line), - Z_STRLEN_P(trace) ? 
Z_STRVAL_P(trace) : "#0 {main}\n"); -@@ -2070,8 +2076,7 @@ static void soap_server_fault_ex(sdlFunc - - xmlDocDumpMemory(doc_return, &buf, &size); - -- zend_is_auto_global("_SERVER", sizeof("_SERVER") - 1 TSRMLS_CC); -- if (PG(http_globals)[TRACK_VARS_SERVER] && -+ if ((PG(http_globals)[TRACK_VARS_SERVER] || zend_is_auto_global("_SERVER", sizeof("_SERVER") - 1 TSRMLS_CC)) && - zend_hash_find(PG(http_globals)[TRACK_VARS_SERVER]->value.ht, "HTTP_USER_AGENT", sizeof("HTTP_USER_AGENT"), (void **) &agent_name) == SUCCESS && - Z_TYPE_PP(agent_name) == IS_STRING) { - if (strncmp(Z_STRVAL_PP(agent_name), "Shockwave Flash", sizeof("Shockwave Flash")-1) == 0) { -@@ -2564,7 +2569,7 @@ static int do_request(zval *this_ptr, xm - } - - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && -- Z_LVAL_PP(trace) > 0) { -+ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { - add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1); - } - -@@ -2599,7 +2604,7 @@ static int do_request(zval *this_ptr, xm - } - ret = FALSE; - } else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && -- Z_LVAL_PP(trace) > 0) { -+ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { - add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1); - } - zval_ptr_dtor(¶ms[4]); -@@ -2643,13 +2648,13 @@ static void do_soap_call(zval* this_ptr, - - SOAP_CLIENT_BEGIN_CODE(); - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS -- && Z_LVAL_PP(trace) > 0) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS && -+ (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) { - zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request")); - 
zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response")); - } -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS -- && Z_LVAL_PP(tmp) == SOAP_1_2) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS && -+ Z_TYPE_PP(tmp) == IS_LONG && Z_LVAL_PP(tmp) == SOAP_1_2) { - soap_version = SOAP_1_2; - } else { - soap_version = SOAP_1_1; -@@ -2746,7 +2751,7 @@ static void do_soap_call(zval* this_ptr, - zval **uri; - smart_str action = {0}; - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE || Z_TYPE_PP(uri) != IS_STRING) { - add_soap_fault(this_ptr, "Client", "Error finding \"uri\" property", NULL, NULL TSRMLS_CC); - } else if (location == NULL) { - add_soap_fault(this_ptr, "Client", "Error could not find \"location\" property", NULL, NULL TSRMLS_CC); -@@ -2904,7 +2909,7 @@ PHP_METHOD(SoapClient, __call) - } - - /* Add default headers */ -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp) == SUCCESS && Z_TYPE_PP(tmp) == IS_ARRAY) { - HashTable *default_headers = Z_ARRVAL_P(*tmp); - if (soap_headers) { - if (!free_soap_headers) { -@@ -3025,7 +3030,8 @@ PHP_METHOD(SoapClient, __getLastRequest) - return; - } - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS && -+ Z_TYPE_PP(tmp) == IS_STRING) { - RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); - } - RETURN_NULL(); -@@ -3043,7 +3049,8 @@ PHP_METHOD(SoapClient, __getLastResponse 
- return; - } - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS && -+ Z_TYPE_PP(tmp) == IS_STRING) { - RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); - } - RETURN_NULL(); -@@ -3061,7 +3068,8 @@ PHP_METHOD(SoapClient, __getLastRequestH - return; - } - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS && -+ Z_TYPE_PP(tmp) == IS_STRING) { - RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); - } - RETURN_NULL(); -@@ -3079,7 +3087,8 @@ PHP_METHOD(SoapClient, __getLastResponse - return; - } - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS && -+ Z_TYPE_PP(tmp) == IS_STRING) { - RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1); - } - RETURN_NULL(); -@@ -3135,13 +3144,15 @@ PHP_METHOD(SoapClient, __setCookie) - } - - if (val == NULL) { -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS && -+ Z_TYPE_PP(cookies) == IS_ARRAY) { - zend_hash_del(Z_ARRVAL_PP(cookies), name, name_len+1); - } - } else { - zval *zcookie; - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE || -+ Z_TYPE_PP(cookies) != IS_ARRAY) { - zval 
*tmp_cookies; - - MAKE_STD_ZVAL(tmp_cookies); -@@ -3169,7 +3180,8 @@ PHP_METHOD(SoapClient, __getCookies) - - array_init(return_value); - -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) != FAILURE) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) != FAILURE && -+ Z_TYPE_PP(cookies) == IS_ARRAY) { - zend_hash_copy(Z_ARRVAL_P(return_value), Z_ARRVAL_P(*cookies), (copy_ctor_func_t) zval_add_ref, (void *)&tmp, sizeof(zval*)); - } - } -@@ -3991,7 +4003,8 @@ static xmlDocPtr serialize_response_call - } - - if (version == SOAP_1_1) { -- if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { -+ if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && -+ Z_TYPE_PP(tmp) == IS_STRING) { - size_t new_len; - xmlNodePtr node = xmlNewNode(NULL, BAD_CAST("faultcode")); - char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); -@@ -4004,7 +4017,7 @@ static xmlDocPtr serialize_response_call - } else { - xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len); - } -- efree(str); -+ str_efree(str); - } - if (zend_hash_find(prop, "faultstring", sizeof("faultstring"), (void**)&tmp) == SUCCESS) { - xmlNodePtr node = master_to_xml(get_conversion(IS_STRING), *tmp, SOAP_LITERAL, param TSRMLS_CC); -@@ -4016,7 +4029,8 @@ static xmlDocPtr serialize_response_call - } - detail_name = "detail"; - } else { -- if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) { -+ if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS && -+ Z_TYPE_PP(tmp) == IS_STRING) { - size_t new_len; - xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Code"), NULL); - char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC); -@@ -4029,7 +4043,7 @@ static xmlDocPtr 
serialize_response_call - } else { - xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len); - } -- efree(str); -+ str_efree(str); - } - if (zend_hash_find(prop, "faultstring", sizeof("faultstring"), (void**)&tmp) == SUCCESS) { - xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Reason"), NULL); -@@ -4256,7 +4270,8 @@ static xmlDocPtr serialize_function_call - } - } - } else { -- if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS) { -+ if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS && -+ Z_TYPE_PP(zstyle) == IS_LONG) { - style = Z_LVAL_PP(zstyle); - } else { - style = SOAP_RPC; -@@ -4279,7 +4294,7 @@ static xmlDocPtr serialize_function_call - } - - if (zend_hash_find(Z_OBJPROP_P(this_ptr), "use", sizeof("use"), (void **)&zuse) == SUCCESS && -- Z_LVAL_PP(zuse) == SOAP_LITERAL) { -+ Z_TYPE_PP(zuse) == IS_LONG && Z_LVAL_PP(zuse) == SOAP_LITERAL) { - use = SOAP_LITERAL; - } else { - use = SOAP_ENCODED; -@@ -4409,6 +4424,7 @@ static xmlNodePtr serialize_parameter(sd - zval **param_data; - - if (zend_hash_find(Z_OBJPROP_P(param_val), "param_name", sizeof("param_name"), (void **)¶m_name) == SUCCESS && -+ Z_TYPE_PP(param_name) == IS_STRING && - zend_hash_find(Z_OBJPROP_P(param_val), "param_data", sizeof("param_data"), (void **)¶m_data) == SUCCESS) { - param_val = *param_data; - name = Z_STRVAL_PP(param_name); -diff --git a/ext/soap/tests/bugs/bug69085.phpt b/ext/soap/tests/bugs/bug69085.phpt -new file mode 100644 -index 0000000..cb27cfd ---- /dev/null -+++ b/ext/soap/tests/bugs/bug69085.phpt -@@ -0,0 +1,17 @@ -+--TEST-- -+Bug #69085 (SoapClient's __call() type confusion through unserialize()) -+--SKIPIF-- -+ -+--INI-- -+soap.wsdl_cache_enabled=0 -+--FILE-- -+whatever(); -+} catch (Exception $e) { -+ echo "okey"; -+} -+--EXPECT-- -+okey diff --git a/SOURCES/php-5.6.5-bug69152.patch b/SOURCES/php-5.6.5-bug69152.patch deleted file mode 100644 index 61d753e..0000000 
--- a/SOURCES/php-5.6.5-bug69152.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From fb83c76deec58f1fab17c350f04c9f042e5977d1 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 22 Mar 2015 18:17:47 -0700 -Subject: [PATCH] Check that the type is correct - ---- - ext/standard/incomplete_class.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c -index 1816ac4..30c82e6 100644 ---- a/ext/standard/incomplete_class.c -+++ b/ext/standard/incomplete_class.c -@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen) - - object_properties = Z_OBJPROP_P(object); - -- if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) { -+ if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) { - retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val)); - - if (nlen) { --- -2.1.4 - -From a894a8155fab068d68a04bf181dbaddfa01ccbb0 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 5 Apr 2015 17:30:59 -0700 -Subject: [PATCH] More fixes for bug #69152 - ---- - Zend/zend_exceptions.c | 3 +++ - ext/standard/tests/serialize/bug69152.phpt | 16 ++++++++++++++++ - 2 files changed, 19 insertions(+) - create mode 100644 ext/standard/tests/serialize/bug69152.phpt - -diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c -index bf90ae7..1ca2ead 100644 ---- a/Zend/zend_exceptions.c -+++ b/Zend/zend_exceptions.c -@@ -591,6 +591,9 @@ ZEND_METHOD(exception, getTraceAsString) - str = &res; - - trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC); -+ if(Z_TYPE_P(trace) != IS_ARRAY) { -+ RETURN_FALSE; -+ } - zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num); - - s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1); -diff --git a/ext/standard/tests/serialize/bug69152.phpt 
b/ext/standard/tests/serialize/bug69152.phpt -new file mode 100644 -index 0000000..4e74168 ---- /dev/null -+++ b/ext/standard/tests/serialize/bug69152.phpt -@@ -0,0 +1,16 @@ -+--TEST-- -+Bug #69152: Type Confusion Infoleak Vulnerability in unserialize() -+--FILE-- -+test(); -+ -+?> -+--EXPECTF-- -+exception 'Exception' in %s:%d -+Stack trace: -+#0 {main} -+ -+Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition in %s on line %d --- -2.1.4 - diff --git a/SOURCES/php-5.6.5-bug69353.patch b/SOURCES/php-5.6.5-bug69353.patch deleted file mode 100644 index 4e32ba0..0000000 --- a/SOURCES/php-5.6.5-bug69353.patch +++ /dev/null 
@@ -1,597 +0,0 @@ -From 52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 5 Apr 2015 16:01:24 -0700 -Subject: [PATCH] Fixed bug #69353 (Missing null byte checks for paths in - various PHP extensions) - ---- - ext/dom/document.c | 5 ++++- - ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 5 +++++ - ext/fileinfo/fileinfo.c | 5 +++++ - ext/fileinfo/tests/finfo_file_basic.phpt | 4 ++++ - ext/gd/gd.c | 8 ++++---- - ext/hash/hash.c | 7 ++++++- - ext/hash/tests/hash_hmac_file_error.phpt | 7 +++++++ - ext/pgsql/pgsql.c | 2 +- - ext/standard/link.c | 2 +- - ext/standard/streamsfuncs.c | 2 +- - ext/xmlwriter/php_xmlwriter.c | 4 ++-- - ext/zlib/zlib.c | 4 ++-- - 12 files changed, 42 insertions(+), 13 deletions(-) - -diff --git a/ext/dom/document.c b/ext/dom/document.c -index 18c9cc6..7c5817a 100644 ---- a/ext/dom/document.c -+++ b/ext/dom/document.c -@@ -1519,6 +1519,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc - xmlInitParser(); - - if (mode == DOM_LOAD_FILE) { -+ if (CHECK_NULL_PATH(source, source_len)) { -+ return NULL; -+ } - char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); - if (file_dest) { - ctxt = xmlCreateFileParserCtxt(file_dest); -@@ -2115,7 +2118,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */ - - id = getThis(); - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { - return; - } - -diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt -index e59ff56..75004e2 100644 ---- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt -+++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt -@@ -13,6 +13,11 @@ assert.bail=true - $doc = new DOMDocument(); - $result = 
$doc->loadHTMLFile(""); - assert('$result === false'); -+$doc = new DOMDocument(); -+$result = $doc->loadHTMLFile("text.html\0something"); -+assert('$result === null'); - ?> - --EXPECTF-- - %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s -+ -+%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s -diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c -index ead7585..9f651af 100644 ---- a/ext/fileinfo/fileinfo.c -+++ b/ext/fileinfo/fileinfo.c -@@ -508,6 +508,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime - RETVAL_FALSE; - goto clean; - } -+ if (CHECK_NULL_PATH(buffer, buffer_len)) { -+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); -+ RETVAL_FALSE; -+ goto clean; -+ } - - wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC); - -diff --git a/ext/fileinfo/tests/finfo_file_basic.phpt b/ext/fileinfo/tests/finfo_file_basic.phpt -index 20223fd..ee70e2e 100644 ---- a/ext/fileinfo/tests/finfo_file_basic.phpt -+++ b/ext/fileinfo/tests/finfo_file_basic.phpt -@@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n"; - var_dump( finfo_file( $finfo, __FILE__) ); - var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) ); - var_dump( finfo_file( $finfo, $magicFile ) ); -+var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) ); - - ?> - ===DONE=== -@@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) ); - string(28) "text/x-php; charset=us-ascii" - string(22) "PHP script, ASCII text" - string(25) "text/plain; charset=utf-8" -+ -+Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d -+bool(false) - ===DONE=== -diff --git a/ext/gd/gd.c b/ext/gd/gd.c -index cbc1d2b..322325e 100644 ---- a/ext/gd/gd.c -+++ b/ext/gd/gd.c -@@ -1432,7 +1432,7 @@ PHP_FUNCTION(imageloadfont) - gdFontPtr font; - php_stream *stream; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() 
TSRMLS_CC, "s", &file, &file_name) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) { - return; - } - -@@ -2369,7 +2369,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, - long ignore_warning; - - if (image_type == PHP_GDIMG_TYPE_GD2PART) { -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) { - return; - } - if (width < 1 || height < 1) { -@@ -2377,7 +2377,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type, - RETURN_FALSE; - } - } else { -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { - return; - } - } -@@ -4046,7 +4046,7 @@ PHP_FUNCTION(imagepsencodefont) - char *enc, **enc_vector; - int enc_len, *f_ind; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) { - return; - } - -diff --git a/ext/hash/hash.c b/ext/hash/hash.c -index abdc62b..9cd6b8e 100644 ---- a/ext/hash/hash.c -+++ b/ext/hash/hash.c -@@ -143,6 +143,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_ - } - if (isfilename) { - if (CHECK_NULL_PATH(data, data_len)) { -+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path"); - RETURN_FALSE; - } - stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); -@@ -258,6 +259,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename, - RETURN_FALSE; - } - if (isfilename) { -+ if (CHECK_NULL_PATH(data, data_len)) { -+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 
path"); -+ RETURN_FALSE; -+ } - stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT); - if (!stream) { - /* Stream will report errors opening file */ -@@ -462,7 +467,7 @@ PHP_FUNCTION(hash_update_file) - char *filename, buf[1024]; - int filename_len, n; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) { - return; - } - -diff --git a/ext/hash/tests/hash_hmac_file_error.phpt b/ext/hash/tests/hash_hmac_file_error.phpt -index 42ab122..26ba8aa 100644 ---- a/ext/hash/tests/hash_hmac_file_error.phpt -+++ b/ext/hash/tests/hash_hmac_file_error.phpt -@@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg); - echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n"; - hash_hmac_file('foo', $file, $key, TRUE); - -+echo "\n-- Testing hash_hmac_file() function with bad path --\n"; -+hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE); -+ - ?> - ===Done=== - --EXPECTF-- -@@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d - -- Testing hash_hmac_file() function with invalid hash algorithm -- - - Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d -+ -+-- Testing hash_hmac_file() function with bad path -- -+ -+Warning: hash_hmac_file(): Invalid path in %s on line %d - ===Done=== -\ No newline at end of file -diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c -index 7af7e8b..23d55cb 100644 ---- a/ext/pgsql/pgsql.c -+++ b/ext/pgsql/pgsql.c -@@ -3114,7 +3114,7 @@ PHP_FUNCTION(pg_trace) - php_stream *stream; - id = PGG(default_link); - -- if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) { -+ if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, 
&mode_len, &pgsql_link) == FAILURE) { - return; - } - -diff --git a/ext/standard/link.c b/ext/standard/link.c -index 0e40a0b..4ed2c5e 100644 ---- a/ext/standard/link.c -+++ b/ext/standard/link.c -@@ -59,7 +59,7 @@ PHP_FUNCTION(readlink) - char buff[MAXPATHLEN]; - int ret; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) { - return; - } - -diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c -index 7ddfc66..4c2837e 100644 ---- a/ext/standard/streamsfuncs.c -+++ b/ext/standard/streamsfuncs.c -@@ -1548,7 +1548,7 @@ PHP_FUNCTION(stream_resolve_include_path) - char *filename, *resolved_path; - int filename_len; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) { - return; - } - -diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c -index 206d82a..7a650e2 100644 ---- a/ext/xmlwriter/php_xmlwriter.c -+++ b/ext/xmlwriter/php_xmlwriter.c -@@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity) - /* }}} */ - #endif - --/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source) -+/* {{{ proto resource xmlwriter_open_uri(string source) - Create new xmlwriter using source uri for output */ - static PHP_FUNCTION(xmlwriter_open_uri) - { -@@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri) - void *ioctx; - #endif - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) { - return; - } - -diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c -index d70198c..ec958e1 100644 ---- a/ext/zlib/zlib.c -+++ b/ext/zlib/zlib.c -@@ -593,7 +593,7 @@ static PHP_FUNCTION(gzopen) - php_stream *stream; - 
long use_include_path = 0; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) { - return; - } - -@@ -621,7 +621,7 @@ static PHP_FUNCTION(readgzfile) - int size; - long use_include_path = 0; - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) { - return; - } - --- -2.1.4 - -From a643ccfb90750e0d830106588d2a46af87706b5b Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 12 Apr 2015 20:53:09 -0700 -Subject: [PATCH] Fix tests - ---- - ext/gd/tests/imageloadfont_error1.phpt | 6 +++--- - ext/zlib/tests/gzopen_variation1.phpt | 28 ++++++++++++++-------------- - ext/zlib/tests/readgzfile_variation1.phpt | 10 +++++----- - ext/zlib/tests/readgzfile_variation6.phpt | 4 ++-- - 4 files changed, 24 insertions(+), 24 deletions(-) - -diff --git a/ext/gd/tests/imageloadfont_error1.phpt b/ext/gd/tests/imageloadfont_error1.phpt -index 16d1a3c..418bbf3 100644 ---- a/ext/gd/tests/imageloadfont_error1.phpt -+++ b/ext/gd/tests/imageloadfont_error1.phpt -@@ -3,7 +3,7 @@ Testing that imageloadfont() breaks on non-string first parameter - --CREDITS-- - Neveo Harrison #testfest #tek11 - --SKIPIF-- -- - --FILE-- -@@ -11,5 +11,5 @@ Neveo Harrison #testfest #tek11 - var_dump( imageloadfont(array()) ); - ?> - --EXPECTF-- --Warning: imageloadfont() expects parameter 1 to be string, array given in %s on line %d --NULL -\ No newline at end of file -+Warning: imageloadfont() expects parameter 1 to be a valid path, array given in %s on line %d -+NULL -diff --git a/ext/zlib/tests/gzopen_variation1.phpt b/ext/zlib/tests/gzopen_variation1.phpt -index c5a47f4..bca48f3 100644 
---- a/ext/zlib/tests/gzopen_variation1.phpt -+++ b/ext/zlib/tests/gzopen_variation1.phpt -@@ -1,17 +1,17 @@ - --TEST-- --Test gzopen() function : usage variation -+Test gzopen() function : usage variation - --SKIPIF-- -- - --FILE-- - @$unset_var, -- -+ - // resource variable -- 'resource' => $fp -+ 'resource' => $fp - ); - - // loop through each element of the array for filename -@@ -158,19 +158,19 @@ Error: 2 - gzopen(0.5): failed to open stream: No such file or directory, %s(%d) - bool(false) - - --empty array-- --Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) -+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) - NULL - - --int indexed array-- --Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) -+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) - NULL - - --associative array-- --Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) -+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) - NULL - - --nested arrays-- --Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d) -+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d) - NULL - - --uppercase NULL-- -@@ -210,7 +210,7 @@ Error: 2 - gzopen(Class A object): failed to open stream: No such file or direct - bool(false) - - --instance of classWithoutToString-- --Error: 2 - gzopen() expects parameter 1 to be string, object given, %s(%d) -+Error: 2 - gzopen() expects parameter 1 to be a valid path, object given, %s(%d) - NULL - - --undefined var-- -@@ -222,7 +222,7 @@ Error: 2 - gzopen(): Filename cannot be empty, %s(%d) - bool(false) - - --resource-- --Error: 2 - gzopen() expects parameter 1 to be string, resource given, %s(%d) -+Error: 2 - gzopen() expects parameter 1 to be a valid path, resource given, %s(%d) - NULL - ===DONE=== - -diff --git a/ext/zlib/tests/readgzfile_variation1.phpt 
b/ext/zlib/tests/readgzfile_variation1.phpt -index 5a5ec4f..5d9b639 100644 ---- a/ext/zlib/tests/readgzfile_variation1.phpt -+++ b/ext/zlib/tests/readgzfile_variation1.phpt -@@ -29,15 +29,15 @@ foreach ( $variation as $var ) { - ===DONE=== - --EXPECTF-- - --Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d -+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d - NULL - --Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d -+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d - NULL - --Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d -+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d - NULL - --Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d -+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d - NULL --===DONE=== -\ No newline at end of file -+===DONE=== -diff --git a/ext/zlib/tests/readgzfile_variation6.phpt b/ext/zlib/tests/readgzfile_variation6.phpt -index 702f918..9fcea02 100644 ---- a/ext/zlib/tests/readgzfile_variation6.phpt -+++ b/ext/zlib/tests/readgzfile_variation6.phpt -@@ -45,5 +45,5 @@ foreach ( $variation as $var ) { - --EXPECTF-- - Error: 2 - readgzfile(Class A object): failed to open stream: No such file or directory, %s(%d) - bool(false) --Error: 2 - readgzfile() expects parameter 1 to be string, object given, %s(%d) --NULL -\ No newline at end of file -+Error: 2 - readgzfile() expects parameter 1 to be a valid path, object given, %s(%d) -+NULL --- -2.1.4 - -From 1defbb25ed69e7a1a90e2bcb2ee3b9190ea06577 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 12 Apr 2015 00:56:02 -0700 -Subject: [PATCH] Fix test - ---- - ext/standard/tests/file/readlink_variation1.phpt | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git 
a/ext/standard/tests/file/readlink_variation1.phpt b/ext/standard/tests/file/readlink_variation1.phpt -index 1dae17c..d4f1a5f 100644 ---- a/ext/standard/tests/file/readlink_variation1.phpt -+++ b/ext/standard/tests/file/readlink_variation1.phpt -@@ -65,7 +65,7 @@ bool(false) - Warning: readlink(): %s in %s on line %d - bool(false) - --Warning: readlink() expects parameter 1 to be string, resource given in %s on line %d -+Warning: readlink() expects parameter 1 to be a valid path, resource given in %s on line %d - NULL - - Warning: readlink(): %s in %s on line %d --- -2.1.4 - -From f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Sun, 31 May 2015 22:47:52 -0700 -Subject: [PATCH] Fix #69719 - more checks for nulls in paths - ---- - ext/dom/document.c | 22 +++++++++++++++++----- - ext/gd/gd.c | 16 ++++++++-------- - 2 files changed, 25 insertions(+), 13 deletions(-) - -diff --git a/ext/dom/document.c b/ext/dom/document.c -index 48a19dd..097fcba 100644 ---- a/ext/dom/document.c -+++ b/ext/dom/document.c -@@ -1699,7 +1699,7 @@ PHP_FUNCTION(dom_document_save) - char *file; - long options = 0; - -- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { -+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) { - return; - } - -@@ -1929,7 +1929,7 @@ static void _dom_document_schema_validat - int is_valid; - char resolved_path[MAXPATHLEN + 1]; - -- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) { -+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &source, &source_len, &flags) == FAILURE) { - return; - } - -@@ -1942,6 +1942,10 @@ static void _dom_document_schema_validat - 
- switch (type) { - case DOM_LOAD_FILE: -+ if (CHECK_NULL_PATH(source, source_len)) { -+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); -+ RETURN_FALSE; -+ } - valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); - if (!valid_file) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source"); -@@ -2025,7 +2029,7 @@ static void _dom_document_relaxNG_valida - int is_valid; - char resolved_path[MAXPATHLEN + 1]; - -- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { -+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) { - return; - } - -@@ -2038,6 +2042,10 @@ static void _dom_document_relaxNG_valida - - switch (type) { - case DOM_LOAD_FILE: -+ if (CHECK_NULL_PATH(source, source_len)) { -+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); -+ RETURN_FALSE; -+ } - valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN TSRMLS_CC); - if (!valid_file) { - php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source"); -@@ -2118,7 +2126,7 @@ static void dom_load_html(INTERNAL_FUNCT - - id = getThis(); - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) { - return; - } - -@@ -2128,6 +2136,10 @@ static void dom_load_html(INTERNAL_FUNCT - } - - if (mode == DOM_LOAD_FILE) { -+ if (CHECK_NULL_PATH(source, source_len)) { -+ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source"); -+ RETURN_FALSE; -+ } - ctxt = htmlCreateFileParserCtxt(source, NULL); - } else { - source_len = xmlStrlen(source); -@@ -2216,7 +2228,7 @@ PHP_FUNCTION(dom_document_save_html_file - char *file; - const char *encoding; - 
-- if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { -+ if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) { - return; - } - -diff --git a/ext/gd/gd.c b/ext/gd/gd.c -index d258c3d..e527575 100644 ---- a/ext/gd/gd.c -+++ b/ext/gd/gd.c -@@ -3939,7 +3939,7 @@ PHP_FUNCTION(imagepsloadfont) - struct stat st; - #endif - -- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) { -+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) { - return; - } - --- -2.1.4 - -From eee8b6c33fc968ef8c496db8fb54e8c9d9d5a8f9 Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Tue, 9 Jun 2015 17:11:33 -0700 -Subject: [PATCH] fix test - ---- - ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt -index 75004e2..e0d0923 100644 ---- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt -+++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt -@@ -15,9 +15,9 @@ $result = $doc->loadHTMLFile(""); - assert('$result === false'); - $doc = new DOMDocument(); - $result = $doc->loadHTMLFile("text.html\0something"); --assert('$result === null'); -+assert('$result === false'); - ?> - --EXPECTF-- - %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s - --%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s -+%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Invalid file source %s --- -2.1.4 - diff --git a/SPECS/php.spec b/SPECS/php.spec index ded9c96..46350ab 100644 --- a/SPECS/php.spec +++ b/SPECS/php.spec 
@@ -24,7 +24,7 @@ %global zendver 20131226 %global pdover 20080721 # Extension version -%global opcachever 7.0.4-dev +%global opcachever 7.0.6-dev # Use for first build of PHP (before pecl/jsonc) %global php_bootstrap 0 @@ -110,8 +110,8 @@ Summary: PHP scripting language for creating dynamic web sites Name: %{?scl_prefix}php -Version: 5.6.5 -Release: 9%{?dist} +Version: 5.6.25 +Release: 1%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -139,15 +139,14 @@ Source51: opcache-default.blacklist Patch5: php-5.6.3-includedir.patch Patch6: php-5.6.3-embed.patch Patch7: php-5.3.0-recode.patch -Patch8: php-5.6.3-libdb.patch +Patch8: php-5.6.17-libdb.patch +Patch9: php-5.5.30-curl.patch # Fixes for extension modules -# https://bugs.php.net/63171 no odbc call during timeout -Patch21: php-5.4.7-odbctimer.patch # Functional changes Patch40: php-5.4.0-dlopen.patch -Patch42: php-5.6.3-systzdata-v11.patch +Patch42: php-5.6.13-systzdata-v12.patch # See http://bugs.php.net/53436 Patch43: php-5.4.0-phpize.patch # Use -lldap_r for OpenLDAP 
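Review bot: `Patch9: php-5.5.30-curl.patch` is added in the `-139,15` hunk without the explanatory comment that neighbouring entries carry (for example `# See http://bugs.php.net/53436` above Patch43), and Patch21 is removed together with its `# https://bugs.php.net/63171 no odbc call during timeout` comment, leaving no trace in the spec. I would add `# Add options to enable TLS in curl` above Patch9, matching the 5.6.24-2 changelog entry, and record the removal in the changelog with its reason, e.g. `- drop odbctimer patch (bug #63171)`. The deleted patch kept the ODBC resource destructors from calling into unixODBC after a timeout; whether the 5.6.25 sources carry an equivalent guard is not visible on this page and should be confirmed before the patch is dropped. The matching `%patch21` removal and `%patch9 -p1 -b .curltls` addition are in the `-747,8` hunk.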
@@ -160,44 +159,11 @@ Patch47: php-5.6.3-phpinfo.patch # Upstream fixes (100+) # Security fixes (200+) -Patch135: php-5.6.5-CVE-2015-0273.patch -Patch136: php-5.6.5-CVE-2014-9705.patch -Patch137: php-5.6.5-CVE-2015-2301.patch -Patch138: php-5.6.5-bug69085.patch -Patch139: php-5.6.5-CVE-2015-2787.patch -Patch140: php-5.6.5-CVE-2015-2348.patch -Patch141: php-5.6.5-CVE-2015-1351.patch -Patch142: php-5.6.5-CVE-2015-1352.patch -Patch143: php-5.6.5-CVE-2015-2305.patch -Patch144: php-5.6.5-CVE-2015-2331.patch -Patch145: php-5.6.5-CVE-2015-4022.patch -Patch146: php-5.6.5-CVE-2015-4021.patch -Patch147: php-5.6.5-CVE-2015-4024.patch -Patch148: php-5.6.5-CVE-2015-4025.patch -Patch149: php-5.6.5-CVE-2015-3330.patch -Patch150: php-5.6.5-bug69353.patch -Patch151: php-5.6.5-CVE-2015-2783.patch -Patch152: php-5.6.5-CVE-2015-3329.patch -Patch153: php-5.6.5-bug68819.patch -Patch154: php-5.6.5-bug69152.patch -Patch155: php-5.6.5-CVE-2015-5589.patch -Patch156: php-5.6.5-CVE-2015-5590.patch -Patch157: php-5.6.5-CVE-2015-6833.patch -Patch158: php-5.6.5-CVE-2015-7803.patch -Patch159: php-5.6.5-CVE-2015-7804.patch -Patch160: php-5.6.5-CVE-2015-6837.patch -Patch161: php-5.6.5-CVE-2015-6835.patch -Patch162: php-5.6.5-CVE-2015-6834-1.patch -Patch163: php-5.6.5-CVE-2015-6832.patch -Patch164: php-5.6.5-CVE-2015-6831.patch -Patch165: php-5.6.5-CVE-2015-6834-2.patch -Patch166: php-5.6.5-CVE-2015-6836.patch -Patch167: php-5.6.5-CVE-2016-5385.patch - # Fixes for tests (300+) # Factory is droped from system tzdata -Patch300: php-5.6.3-datetests.patch +# Relax some tests with erratic results with system tzdata +Patch300: php-5.6.24-datetests.patch # Revert changes for pcre < 8.34 Patch301: php-5.6.0-oldpcre.patch @@ -747,8 +713,7 @@ support for using the enchant library to PHP. %patch6 -p1 -b .embed %patch7 -p1 -b .recode %patch8 -p1 -b .libdb - -%patch21 -p1 -b .odbctimer +%patch9 -p1 -b .curltls %patch40 -p1 -b .dlopen %patch42 -p1 -b .systzdata 
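Review bot: Removing Patch135 through Patch167 in the `-160,44` hunk leaves `# Security fixes (200+)` empty, and neither the spec nor the new changelog entry (`- rebase to 5.6.25 #1365401`) records that those fixes are now expected to come from the rebased tarball. Presumably each one is contained in upstream 5.6.25, but that is an inference from this page, so every dropped patch should be checked against the new sources. The ones tracked only by bug number (bug68819, bug69085, bug69152, bug69353) need particular care, since a CVE-based audit would not catch them. I would add a changelog line such as `- drop security patches 135-167, included in the rebased sources` so the coverage is traceable from the package metadata. The corresponding `%patch135` to `%patch167` lines are removed in the `-762,39` hunk and the changelog is in the `-1717,6` hunk.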
@@ -762,39 +727,6 @@ support for using the enchant library to PHP. # upstream patches # security patches -%patch135 -p1 -b .cve0273 -%patch136 -p1 -b .cve9705 -%patch137 -p1 -b .cve2301 -%patch138 -p1 -b .bug69085 -%patch139 -p1 -b .cve2787 -%patch140 -p1 -b .cve2348 -%patch141 -p1 -b .cve1351 -%patch142 -p1 -b .cve1352 -%patch143 -p1 -b .cve2305 -%patch144 -p1 -b .cve2331 -%patch145 -p1 -b .cve4022 -%patch146 -p1 -b .cve4021 -%patch147 -p1 -b .cve4024 -%patch148 -p1 -b .cve4025 -%patch149 -p1 -b .cve3330 -%patch150 -p1 -b .bug69353 -%patch151 -p1 -b .cve2783 -%patch152 -p1 -b .cve3329 -%patch153 -p1 -b .bug68819 -%patch154 -p1 -b .bug69152 -%patch155 -p1 -b .cve5589 -%patch156 -p1 -b .cve5590 -%patch157 -p1 -b .cve6833 -%patch158 -p1 -b .cve7803 -%patch159 -p1 -b .cve7804 -%patch160 -p1 -b .cve6837 -%patch161 -p1 -b .cve6835 -%patch162 -p1 -b .cve6834 -%patch163 -p1 -b .cve6832 -%patch164 -p1 -b .cve6831 -%patch165 -p1 -b .cve6834 -%patch166 -p1 -b .cve6836 -%patch167 -p1 -b .cve5385 # Fixes for tests %patch300 -p1 -b .datetests @@ -1717,6 +1649,15 @@ fi %changelog +* Tue Sep 6 2016 Remi Collet - 5.6.25-1 +- rebase to 5.6.25 #1365401 + +* Tue Jul 26 2016 Remi Collet - 5.6.24-2 +- add options to enable TLS in curl + +* Mon Jul 25 2016 Remi Collet - 5.6.24-1 +- rebase to 5.6.24 + * Mon Jul 25 2016 Remi Collet - 5.6.5-9 - don't set environmental variable based on user supplied Proxy request header CVE-2016-5385