From 127c34f2e5f9d6045971e79bdb191bc3e0519384 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sat, 24 Aug 2019 23:11:45 -0700
Subject: [PATCH 1/6] Fix CVE-2019-13224: don't allow different encodings for
 onig_new_deluxe()

Backport from https://github.com/kkos/oniguruma/commit/0f7f61ed1b7b697e283e37bd2d731d0bd57adb55

(cherry picked from commit 1258303e66d8dede4f02347334b9f6576e98a21b)
---
 ext/mbstring/oniguruma/regext.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ext/mbstring/oniguruma/regext.c b/ext/mbstring/oniguruma/regext.c
index b1b957b4..b108e638 100644
--- a/ext/mbstring/oniguruma/regext.c
+++ b/ext/mbstring/oniguruma/regext.c
@@ -29,6 +29,7 @@
 
 #include "regint.h"
 
+#if 0
 static void
 conv_ext0be32(const UChar* s, const UChar* end, UChar* conv)
 {
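Review bot: The `#if 0` opened here, and closed by the `#endif` after `conv_encoding` in the next hunk, compiles out the conversion helpers without recording why. A one-line comment above it, such as `/* Disabled: onig_new_deluxe() no longer converts between encodings (CVE-2019-13224). */`, would keep a later cleanup from re-enabling them by accident. Deleting the helpers outright would be cleaner, though keeping them may be deliberate so the backport stays close to upstream. The body of `conv_ext0be32` continues outside the hunk.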
@@ -158,6 +159,7 @@ conv_encoding(OnigEncoding from, OnigEncoding to, const UChar* s, const UChar* e
 
   return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
 }
+#endif
 
 extern int
 onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
@@ -169,9 +171,7 @@ onig_new_deluxe(regex_t** reg, const UChar* pattern, const UChar* pattern_end,
   if (IS_NOT_NULL(einfo)) einfo->par = (UChar* )NULL;
 
   if (ci->pattern_enc != ci->target_enc) {
-    r = conv_encoding(ci->pattern_enc, ci->target_enc, pattern, pattern_end,
-                      &cpat, &cpat_end);
-    if (r) return r;
+    return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;
   }
   else {
     cpat     = (UChar* )pattern;
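Review bot: The new `return ONIGERR_NOT_SUPPORTED_ENCODING_COMBINATION;` leaves `onig_new_deluxe` before any visible line assigns `*reg`, so a caller that frees or inspects `*reg` on failure would see whatever value it passed in. If nothing earlier in the function (outside the hunk) initialises it, placing `*reg = NULL;` ahead of the encoding check would make this now much more common failure path safe. With the `if` branch returning unconditionally, `cpat` is always `pattern` from here on. Any later cleanup that frees `cpat` when it differs from `pattern` is therefore presumably dead and could go in the same change. The function's declarations and the rest of its body are outside the hunk.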

From 94445c3a85f38ffc4a3952d3fdad0fc184f92a5b Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Fri, 16 Aug 2019 14:29:19 +0200
Subject: [PATCH 2/6] Fix #75457: heap-use-after-free in php7.0.25

Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.

(cherry picked from commit 7bf1f9d561826c4a3ed748e55bb756375cdf28b9)
---
 ext/pcre/pcrelib/pcre_compile.c | 11 ++++++++++-
 ext/pcre/tests/bug75457.phpt    | 10 ++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100644 ext/pcre/tests/bug75457.phpt

diff --git a/ext/pcre/pcrelib/pcre_compile.c b/ext/pcre/pcrelib/pcre_compile.c
index c9171cbe..1d376716 100644
--- a/ext/pcre/pcrelib/pcre_compile.c
+++ b/ext/pcre/pcrelib/pcre_compile.c
@@ -485,7 +485,7 @@ static const char error_texts[] =
   "lookbehind assertion is not fixed length\0"
   "malformed number or name after (?(\0"
   "conditional group contains more than two branches\0"
-  "assertion expected after (?(\0"
+  "assertion expected after (?( or (?(?C)\0"
   "(?R or (?[+-]digits must be followed by )\0"
   /* 30 */
   "unknown POSIX class name\0"
@@ -6734,6 +6734,15 @@ for (;; ptr++)
           for (i = 3;; i++) if (!IS_DIGIT(ptr[i])) break;
           if (ptr[i] == CHAR_RIGHT_PARENTHESIS)
             tempptr += i + 1;
+
+          /* tempptr should now be pointing to the opening parenthesis of the
+          assertion condition. */
+
+          if (*tempptr != CHAR_LEFT_PARENTHESIS)
+            {
+            *errorcodeptr = ERR28;
+            goto FAILED;
+            }
           }
 
         /* For conditions that are assertions, check the syntax, and then exit
diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
new file mode 100644
index 00000000..c7ce9ed0
--- /dev/null
+++ b/ext/pcre/tests/bug75457.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #75457 (heap-use-after-free in php7.0.25)
+--FILE--
+<?php
+$pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
+var_dump(preg_match($pattern, "hello"));
+?>
+--EXPECTF--
+Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
+bool(false)

From c5279f8c37ae91697f5a60e395d901394ff9e4aa Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Wed, 28 Aug 2019 14:34:48 +0200
Subject: [PATCH 3/6] relax test, offset may be different on various system lib
 versions

---
 ext/pcre/tests/bug75457.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/pcre/tests/bug75457.phpt b/ext/pcre/tests/bug75457.phpt
index c7ce9ed0..571a4bde 100644
--- a/ext/pcre/tests/bug75457.phpt
+++ b/ext/pcre/tests/bug75457.phpt
@@ -6,5 +6,5 @@ $pattern = "/(((?(?C)0?=))(?!()0|.(?0)0)())/";
 var_dump(preg_match($pattern, "hello"));
 ?>
 --EXPECTF--
-Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset 4 in %sbug75457.php on line %d
+Warning: preg_match(): Compilation failed: assertion expected after (?( or (?(?C) at offset %d in %sbug75457.php on line %d
 bool(false)

From ca1431fe5eb5f11b20f576f8501fa60eccee0b1e Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Fri, 18 May 2018 18:36:39 +0200
Subject: [PATCH 4/6] Fix Opcache test fails regarding to AppVeyor image update

(cherry picked from php/php-src@6043a2d6f74bf5125573fde198070ac9804d5e6e)
---
 ext/opcache/tests/php_cli_server.inc | 18 ++++++++++++------
 1 file changed, 12 insertions(+), 6 deletions(-)

diff --git a/ext/opcache/tests/php_cli_server.inc b/ext/opcache/tests/php_cli_server.inc
index 0878bfaf..e5e72c41 100644
--- a/ext/opcache/tests/php_cli_server.inc
+++ b/ext/opcache/tests/php_cli_server.inc
@@ -7,16 +7,22 @@ function php_cli_server_start($ini = "") {
 	$php_executable = getenv('TEST_PHP_EXECUTABLE');
 	$doc_root = __DIR__;
 
-	$descriptorspec = array(
-		0 => STDIN,
-		1 => STDOUT,
-		2 => STDERR,
-	);
-
 	if (substr(PHP_OS, 0, 3) == 'WIN') {
+		$descriptorspec = array(
+			0 => STDIN,
+			1 => STDOUT,
+			2 => array("pipe", "w"),
+		);
+
 		$cmd = "{$php_executable} -t {$doc_root} $ini -S " . PHP_CLI_SERVER_ADDRESS;
 		$handle = proc_open(addslashes($cmd), $descriptorspec, $pipes, $doc_root, NULL, array("bypass_shell" => true,  "suppress_errors" => true));
 	} else {
+		$descriptorspec = array(
+			0 => STDIN,
+			1 => STDOUT,
+			2 => STDERR,
+		);
+
 		$cmd = "exec {$php_executable} -t {$doc_root} $ini -S " . PHP_CLI_SERVER_ADDRESS . " 2>/dev/null";
 		$handle = proc_open($cmd, $descriptorspec, $pipes, $doc_root);
 	}
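Review bot: In the Windows branch, descriptor 2 is now `array("pipe", "w")`, but nothing in the hunk reads or closes `$pipes[2]`. If the rest of `php_cli_server_start` (which continues outside the hunk) does not either, a server that writes enough to stderr can fill the pipe and stall. The non-Windows command already discards stderr with `2>/dev/null`, so the closer equivalent would be `2 => array("file", "NUL", "w"),`, or the pipe should be drained once the server is up. A short comment on why the two platforms need different descriptor specs would also help, since the reason given in the subject (the AppVeyor image update) is not visible in the code.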

From 3df6c9a8acda8fc9437dd7a6b6123ab6715ef040 Mon Sep 17 00:00:00 2001
From: Dmitry Stogov <dmitry@zend.com>
Date: Wed, 23 Dec 2015 03:52:01 +0300
Subject: [PATCH 5/6] Fixed test on 32-bit systems

(cherry picked from php/php-src@1e3ab158432f8d97c3561fdfc17b7e4aa3dbdd60)
---
 ext/opcache/tests/bug71127.phpt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ext/opcache/tests/bug71127.phpt b/ext/opcache/tests/bug71127.phpt
index 5770aea1..0c606097 100644
--- a/ext/opcache/tests/bug71127.phpt
+++ b/ext/opcache/tests/bug71127.phpt
@@ -3,7 +3,7 @@ Bug #71127 (Define in auto_prepend_file is overwrite)
 --INI--
 opcache.enable=1
 opcache.enable_cli=1
-opcache.optimization_level=0xFFFFBFFF
+opcache.optimization_level=0x7FFFBFFF
 --SKIPIF--
 <?php if (!extension_loaded('Zend OPcache')) die("skip"); ?>
 --FILE--

From 03d9cf265a1febe21175b4cc856104e9fc9d4cdb Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Tue, 21 May 2019 11:17:28 +0200
Subject: [PATCH 6/6] Prevent test case failure

If opcache.log_verbosity_level is greater than 1, opcache will raise
warnings, which will be written to stderr in the default case.  These
warnings are actually to be expected, but would break the test, so we
make sure that the log_verbosity_level is 1 when running this test.

(cherry picked from php/php-src@e6a191de1b73c902b631cb8f0f70ed58b81005d4)
---
 ext/opcache/tests/bug66461.phpt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ext/opcache/tests/bug66461.phpt b/ext/opcache/tests/bug66461.phpt
index 33132abe..2d09feff 100644
--- a/ext/opcache/tests/bug66461.phpt
+++ b/ext/opcache/tests/bug66461.phpt
@@ -4,6 +4,7 @@ Bug #66461 (PHP crashes if opcache.interned_strings_buffer=0)
 opcache.enable=1
 opcache.enable_cli=1
 opcache.optimization_level=-1
+opcache.log_verbosity_level=1
 opcache.file_update_protection=0
 opcache.interned_strings_buffer=0
 --SKIPIF--