April 2019 backports from 7.1.287.1.28bp

Signed-off-by: Brian Evans <grknight@gentoo.org>

3 files changed, 429 insertions, 0 deletions

diff --git a/00160_April2019-backports.patch b/00160_April2019-backports.patch
new file mode 100644
index 0000000..36c6445
--- /dev/null
+++ b/00160_April2019-backports.patch
@@ -0,0 +1,429 @@
+From 467239f10a6021d3eabe237ad0508b12d5d7d19e Mon Sep 17 00:00:00 2001
+From: bohwaz <github.bohwaz@miam.kd2.org>
+Date: Sun, 16 Dec 2018 22:52:37 +0100
+Subject: [PATCH 1/4] SQLite3: add DEFENSIVE config for SQLite >= 3.26.0 as a
+ mitigation strategy against potential security flaws
+
+(cherry picked from commit 58c25bf679125a2da354db58ddc6b0cf6d10ee00)
+---
+ ext/sqlite3/php_sqlite3.h                |  1 +
+ ext/sqlite3/sqlite3.c                    |  9 ++++++
+ ext/sqlite3/tests/sqlite3_defensive.phpt | 40 ++++++++++++++++++++++++
+ php.ini-development                      | 11 +++++++
+ php.ini-production                       | 11 +++++++
+ 6 files changed, 77 insertions(+)
+ create mode 100644 ext/sqlite3/tests/sqlite3_defensive.phpt
+
+diff --git a/ext/sqlite3/php_sqlite3.h b/ext/sqlite3/php_sqlite3.h
+index 88da39e75c..5304f00dbf 100644
+--- a/ext/sqlite3/php_sqlite3.h
++++ b/ext/sqlite3/php_sqlite3.h
+@@ -28,6 +28,7 @@ extern zend_module_entry sqlite3_module_entry;
+ 
+ ZEND_BEGIN_MODULE_GLOBALS(sqlite3)
+ 	char *extension_dir;
++	int dbconfig_defensive;
+ ZEND_END_MODULE_GLOBALS(sqlite3)
+ 
+ #ifdef ZTS
+diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c
+index 80d6b897f1..761b777d06 100644
+--- a/ext/sqlite3/sqlite3.c
++++ b/ext/sqlite3/sqlite3.c
+@@ -82,6 +82,9 @@ static void php_sqlite3_error(php_sqlite3_db_object *db_obj, char *format, ...)
+ */
+ PHP_INI_BEGIN()
+ 	STD_PHP_INI_ENTRY("sqlite3.extension_dir",  NULL, PHP_INI_SYSTEM, OnUpdateString, extension_dir, zend_sqlite3_globals, sqlite3_globals)
++#if SQLITE_VERSION_NUMBER >= 3026000
++	STD_PHP_INI_ENTRY("sqlite3.defensive",  "1", PHP_INI_SYSTEM, OnUpdateBool, dbconfig_defensive, zend_sqlite3_globals, sqlite3_globals)
++#endif
+ PHP_INI_END()
+ /* }}} */
+ 
+@@ -177,6 +180,12 @@ PHP_METHOD(sqlite3, open)
+ 		sqlite3_set_authorizer(db_obj->db, php_sqlite3_authorizer, NULL);
+ 	}
+ 
++#if SQLITE_VERSION_NUMBER >= 3026000
++	if (SQLITE3G(dbconfig_defensive)) {
++		sqlite3_db_config(db_obj->db, SQLITE_DBCONFIG_DEFENSIVE, 1, NULL);
++	}
++#endif
++
+ 	if (fullpath != filename) {
+ 		efree(fullpath);
+ 	}
+diff --git a/ext/sqlite3/tests/sqlite3_defensive.phpt b/ext/sqlite3/tests/sqlite3_defensive.phpt
+new file mode 100644
+index 0000000000..064d87b50a
+--- /dev/null
++++ b/ext/sqlite3/tests/sqlite3_defensive.phpt
+@@ -0,0 +1,40 @@
++--TEST--
++SQLite3 defensive mode ini setting
++--SKIPIF--
++<?php require_once(__DIR__ . '/skipif.inc');
++
++if (SQLite3::version()['versionNumber'] < 3026000) {
++	die("skip: sqlite3 library version < 3.26: no support for defensive mode");
++}
++
++?>
++--INI--
++sqlite3.defensive=On
++--FILE--
++<?php
++
++$db = new SQLite3(':memory:');
++var_dump($db->exec('CREATE TABLE test (a, b);'));
++
++// This does not generate an error!
++var_dump($db->exec('PRAGMA writable_schema = ON;'));
++var_dump($db->querySingle('PRAGMA writable_schema;'));
++
++// Should be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++
++// Should generate an error!
++var_dump($db->querySingle('DELETE FROM sqlite_master;'));
++
++// Should still be 1
++var_dump($db->querySingle('SELECT COUNT(*) FROM sqlite_master;'));
++?>
++--EXPECTF--
++bool(true)
++bool(true)
++int(1)
++int(1)
++
++Warning: SQLite3::querySingle(): Unable to prepare statement: 1, table sqlite_master may not be modified in %s on line %d
++bool(false)
++int(1)
+\ No newline at end of file
+diff --git a/php.ini-development b/php.ini-development
+index 752f601436..27cc55b75b 100644
+--- a/php.ini-development
++++ b/php.ini-development
+@@ -981,8 +981,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+ 
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+ 
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
+diff --git a/php.ini-production b/php.ini-production
+index 97b5043ce9..d7e9420a72 100644
+--- a/php.ini-production
++++ b/php.ini-production
+@@ -981,8 +981,19 @@ cli_server.color = On
+ ;intl.use_exceptions = 0
+ 
+ [sqlite3]
++; Directory pointing to SQLite3 extensions
++; http://php.net/sqlite3.extension-dir
+ ;sqlite3.extension_dir =
+ 
++; SQLite defensive mode flag (only available from SQLite 3.26+)
++; When the defensive flag is enabled, language features that allow ordinary
++; SQL to deliberately corrupt the database file are disabled. This forbids
++; writing directly to the schema, shadow tables (eg. FTS data tables), or
++; the sqlite_dbpage virtual table.
++; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
++; (for older SQLite versions, this flag has no use)
++sqlite3.defensive = 1
++
+ [Pcre]
+ ;PCRE library backtracking limit.
+ ; http://php.net/pcre.backtrack-limit
+
+From 1e7511f2476380f9eb523f60817610c8eab6b116 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 17 Mar 2019 22:54:46 -0700
+Subject: [PATCH 2/4] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
+
+(cherry picked from commit f3aefc6d071b807ddacae0a0bc49f09c38e18490)
+---
+ ext/exif/exif.c              |   4 ++++
+ ext/exif/tests/bug77753.phpt |  16 ++++++++++++++++
+ 3 files changed, 20 insertions(+)
+ create mode 100644 ext/exif/tests/bug77753.phpt
+ create mode 100644 ext/exif/tests/bug77753.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index ce8db170c7..4350124305 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2812,6 +2812,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ 		return FALSE;
+ 	}
++	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
++		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
++		return FALSE;
++	}
+ 
+ 	for (de=0;de<NumDirEntries;de++) {
+ 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+diff --git a/ext/exif/tests/bug77753.phpt b/ext/exif/tests/bug77753.phpt
+new file mode 100644
+index 0000000000..d987a5cf46
+--- /dev/null
++++ b/ext/exif/tests/bug77753.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #77753 (Heap-buffer-overflow in php_ifd_get32s)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++var_dump(exif_read_data(__DIR__."/bug77753.tiff"));
++?>
++DONE
++--EXPECTF--
++%A
++Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d
++
++Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d
++bool(false)
++DONE
+\ No newline at end of file
+
+From 1f2fdcd9a2471e6fac220ec2e7a2ca56b7879113 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 2 Apr 2019 00:12:26 -0700
+Subject: [PATCH 3/4] Fixed bug #77831 - Heap-buffer-overflow in
+ exif_iif_add_value in EXIF
+
+(cherry picked from commit 887a7b571407f7a49a5e7cf1e612d21ef83fedb4)
+---
+ NEWS                         |   4 ++++
+ ext/exif/exif.c              |  43 +++++++++++++++++++++++------------
+ ext/exif/tests/bug77831.phpt |  13 +++++++++++
+ 4 files changed, 45 insertions(+), 15 deletions(-)
+ create mode 100644 ext/exif/tests/bug77831.phpt
+ create mode 100644 ext/exif/tests/bug77831.tiff
+
+diff --git a/NEWS b/NEWS
+index 0bff457d2b..0dde9880d5 100644
+--- a/NEWS
++++ b/NEWS
+@@ -3,6 +3,10 @@ PHP                                                                        NEWS
+ 
+ Backported from 7.1.28
+ 
++- EXIF:
++  . Fixed bug #77753 (Heap-buffer-overflow in php_ifd_get32s). (Stas)
++  . Fixed bug #77831 (Heap-buffer-overflow in exif_iif_add_value). (Stas)
++
+ - SQLite3:
+   . Added sqlite3.defensive INI directive. (BohwaZ)
+ 
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 4350124305..547bd58dfb 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1660,10 +1660,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo)
+ /* {{{ exif_iif_add_value
+  Add a value to image_info
+ */
+-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel TSRMLS_DC)
++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel TSRMLS_DC)
+ {
+ 	size_t idex;
+-	void *vptr;
++	void *vptr, *vptr_end;
+ 	image_info_value *info_value;
+ 	image_info_data  *info_data;
+ 	image_info_data  *list;
+@@ -1685,8 +1685,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 
+ 	switch (format) {
+ 		case TAG_FMT_STRING:
++			if (length > value_len) {
++				exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++				value = NULL;
++			}
+ 			if (value) {
+-				length = php_strnlen(value, length);
++				length = (int)php_strnlen(value, length);
+ 				info_value->s = estrndup(value, length);
+ 				info_data->length = length;
+ 			} else {
+@@ -1708,6 +1712,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			if (!length)
+ 				break;
+ 		case TAG_FMT_UNDEFINED:
++			if (length > value_len) {
++				exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++				value = NULL;
++			}
+ 			if (value) {
+ 				if (tag == TAG_MAKER_NOTE) {
+ 					length = (int) php_strnlen(value, length);
+@@ -1738,7 +1746,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			} else {
+ 				info_value = &info_data->value;
+ 			}
++			vptr_end = value+value_len;
+ 			for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
++				if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++					exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
++					break;
++				}
+ 				if (length>1) {
+ 					info_value = &info_data->value.list[idex];
+ 				}
+@@ -1774,7 +1787,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type single");
+ #endif
+ 						info_value->f = *(float *)value;
+-
++						break;
+ 					case TAG_FMT_DOUBLE:
+ #ifdef EXIF_DEBUG
+ 						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Found value of type double");
+@@ -1792,9 +1805,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ /* {{{ exif_iif_add_tag
+  Add a tag from IFD to image_info
+ */
+-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value TSRMLS_DC)
++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len TSRMLS_DC)
+ {
+-	exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel TSRMLS_CC);
++	exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel TSRMLS_CC);
+ }
+ /* }}} */
+ 
+@@ -2218,7 +2231,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im
+ */
+ static void exif_process_COM (image_info_type *image_info, char *value, size_t length TSRMLS_DC)
+ {
+-	exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2 TSRMLS_CC);
++	exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2 TSRMLS_CC);
+ }
+ /* }}} */
+ 
+@@ -2233,17 +2246,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ 	if (length>3) {
+ 		switch(value[2]) {
+ 			case 0:
+-				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value TSRMLS_CC);
++				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value, length TSRMLS_CC);
+ 				break;
+ 			case 1:
+-				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
++				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+ 				break;
+ 			default:
+ 				php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Undefined JPEG2000 comment encoding");
+ 				break;
+ 		}
+ 	} else {
+-		exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
++		exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0 TSRMLS_CC);
+ 		php_error_docref(NULL TSRMLS_CC, E_NOTICE, "JPEG2000 comment section too small");
+ 	}
+ }
+@@ -2837,7 +2850,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table TSRMLS_DC)
+ {
+ 	size_t length;
+-	int tag, format, components;
++	unsigned int tag, format, components;
+ 	char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ 	size_t byte_count, offset_val, fpos, fgot;
+ 	int64_t byte_count_signed;
+@@ -3148,7 +3161,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ 				}
+ 		}
+ 	}
+-	exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr TSRMLS_CC);
++	exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table TSRMLS_CC), tag, format, components, value_ptr, byte_count TSRMLS_CC);
+ 	EFREE_IF(outside);
+ 	return TRUE;
+ }
+@@ -3306,10 +3319,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
+ 	size_t l1, l2=0;
+ 
+ 	if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
+-		exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2 TSRMLS_CC);
++		exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1 TSRMLS_CC);
+ 		if (length > 2+l1+1) {
+ 			l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
+-			exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1 TSRMLS_CC);
++			exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2 TSRMLS_CC);
+ 		}
+ 	}
+ #ifdef EXIF_DEBUG
+@@ -4107,7 +4120,7 @@ PHP_FUNCTION(exif_read_data)
+ 	if (ImageInfo.Thumbnail.size) {
+ 		if (read_thumbnail) {
+ 			/* not exif_iif_add_str : this is a buffer */
+-			exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data TSRMLS_CC);
++			exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size TSRMLS_CC);
+ 		}
+ 		if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+ 			/* try to evaluate if thumbnail data is present */
+diff --git a/ext/exif/tests/bug77831.phpt b/ext/exif/tests/bug77831.phpt
+new file mode 100644
+index 0000000000..d868d47a1f
+--- /dev/null
++++ b/ext/exif/tests/bug77831.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #77831 (Heap-buffer-overflow in exif_iif_add_value in EXIF)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++var_dump(exif_read_data(__DIR__."/bug77831.tiff"));
++?>
++DONE
++--EXPECTF--
++%A
++bool(false)
++DONE
+\ No newline at end of file
+
+From 8b4b035dcd3f382e9de4e2f661df2dc0797fc478 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Tue, 2 Apr 2019 10:37:40 +0200
+Subject: [PATCH 4/4] Pointer arithmetic on void pointers is illegal
+
+We quick-fix this by casting to char*; it might be more appropriate to
+use char pointers in the first place.
+
+(cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c)
+---
+ ext/exif/exif.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 547bd58dfb..81cf438a8e 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1746,9 +1746,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			} else {
+ 				info_value = &info_data->value;
+ 			}
+-			vptr_end = value+value_len;
++			vptr_end = (char *) value + value_len;
+ 			for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
+-				if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++				if ((char *) vptr_end - (char *) vptr < php_tiff_bytes_per_format[format]) {
+ 					exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
+ 					break;
+ 				}
diff --git a/bug77753.tiff b/bug77753.tiff
new file mode 100644
index 0000000..b237f39
--- /dev/null
+++ b/bug77753.tiff
diff --git a/bug77831.tiff b/bug77831.tiff
new file mode 100644
index 0000000..c7e9f44
--- /dev/null
+++ b/bug77831.tiff