From 0f263225b57d506b46cccdb21e7110707937c293 Mon Sep 17 00:00:00 2001
From: Aleksandr Proklov <a.proklov@rosalinux.ru>
Date: Thu, 28 Nov 2024 11:15:49 +0900
Subject: [PATCH] fix CVE

---
 CVE-2022-4900.patch | 30 ++++++++++++++++++++++++++++++
 php7.spec           |  4 +++-
 2 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-4900.patch

diff --git a/CVE-2022-4900.patch b/CVE-2022-4900.patch
new file mode 100644
index 0000000..20dca73
--- /dev/null
+++ b/CVE-2022-4900.patch
@@ -0,0 +1,30 @@
+# from https://github.com/php/php-src/commit/789a37f14405e2d1a05a76c9fb4ed2d49d4580d5#diff-0265438340ea11a73f2e268834e3ac37b52342d9a911b5c4193df0b0072895ecR2389
+
+diff -ruN a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
+--- a/sapi/cli/php_cli_server.c	2022-10-31 19:36:05.000000000 +0900
++++ b/sapi/cli/php_cli_server.c	2024-11-28 11:05:56.301504326 +0900
+@@ -517,13 +517,8 @@
+ 		if (php_cli_server_workers_max > 1) {
+ 			zend_long php_cli_server_worker;
+ 
+-			php_cli_server_workers = calloc(
+-				php_cli_server_workers_max, sizeof(pid_t));
+-			if (!php_cli_server_workers) {
+-				php_cli_server_workers_max = 1;
+-
+-				return SUCCESS;
+-			}
++			php_cli_server_workers = pecalloc(
++				php_cli_server_workers_max, sizeof(pid_t), 1);
+ 
+ 			php_cli_server_master = getpid();
+ 
+@@ -2361,7 +2356,7 @@
+ 					  !WIFSIGNALED(php_cli_server_worker_status));
+ 		}
+ 
+-		free(php_cli_server_workers);
++		pefree(php_cli_server_workers, 1);
+ 	}
+ #endif
+ } /* }}} */
diff --git a/php7.spec b/php7.spec
index c30cdd6..ee52018 100644
--- a/php7.spec
+++ b/php7.spec
@@ -27,7 +27,7 @@
 Summary:	The PHP7 scripting language
 Name:		php
 Version:	7.4.33
-Release:	10
+Release:	11
 Source0:	http://ch1.php.net/distributions/php-%{version}.tar.gz
 Source1:	macros.php
 Group:		Development/PHP
@@ -87,6 +87,7 @@ Patch128:	0001-Revert-Throw-notice-on-array-access-on-illegal-type.patch
 Patch200:	fix-include-e2k.patch
 # fix for openssl3, rediff from https://git.remirepo.net/cgit/rpms/scl-php74/php.git/plain/php-7.4.26-openssl3.patch
 Patch201:	php-7.4.33-openssl3.patch
+Patch202:	CVE-2022-4900.patch
 BuildRequires:	autoconf
 BuildRequires:	automake
 BuildRequires:	bison
@@ -1298,6 +1299,7 @@ fi
 %patch200 -p1
 %endif
 %patch201 -p1
+%patch202 -p1
 
 cp %{SOURCE2} maxlifetime
 cp %{SOURCE3} php.crond