diff --git a/.abf.yml b/.abf.yml index 58d5617..6216a89 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,2 +1,2 @@ sources: - php-7.4.30.tar.gz: 7fe1005b3677e2a4d112ecce7e54734fc9d668c9 + php-7.4.33.tar.gz: 7c29812c51880390b74a5b23f0afe61e3b374645 diff --git a/0059-Fix-81726-phar-wrapper-DOS-when-using-quine-gzip-fil.patch b/0059-Fix-81726-phar-wrapper-DOS-when-using-quine-gzip-fil.patch deleted file mode 100644 index 6a8320a..0000000 --- a/0059-Fix-81726-phar-wrapper-DOS-when-using-quine-gzip-fil.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From 404e8bdb68350931176a5bdc86fc417b34fb583d Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Mon, 25 Jul 2022 15:58:59 +0200 -Subject: [PATCH] Fix #81726: phar wrapper: DOS when using quine gzip file - -The phar wrapper needs to uncompress the file; the uncompressed file -might be compressed, so the wrapper implementation loops. This raises -potential DOS issues regarding too deep or even infinite recursion (the -latter are called compressed file quines[1]). We avoid that by -introducing a recursion limit; we choose the somewhat arbitrary limit -`3`. - -This issue has been reported by real_as3617 and gPayl0ad. - -[1] ---- - NEWS | 1 + - ext/phar/phar.c | 16 +++++++++++----- - ext/phar/tests/bug81726.gz | Bin 0 -> 204 bytes - ext/phar/tests/bug81726.phpt | 14 ++++++++++++++ - 4 files changed, 26 insertions(+), 5 deletions(-) - create mode 100644 ext/phar/tests/bug81726.gz - create mode 100644 ext/phar/tests/bug81726.phpt - -diff --git a/ext/phar/phar.c b/ext/phar/phar.c -index 7cb1b06363..4a761ef799 100644 ---- a/ext/phar/phar.c -+++ b/ext/phar/phar.c -@@ -1584,7 +1584,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - const char zip_magic[] = "PK\x03\x04"; - const char gz_magic[] = "\x1f\x8b\x08"; - const char bz_magic[] = "BZh"; -- char *pos, test = '\0'; -+ char *pos; -+ int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion - const int window_size = 1024; - char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ - const zend_long readsize = sizeof(buffer) - sizeof(token); -@@ -1612,8 +1613,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)") - } - -- if (!test) { -- test = '\1'; -+ if (recursion_count) { - pos = buffer+tokenlen; - if (!memcmp(pos, gz_magic, 3)) { - char err = 0; -@@ -1673,7 
+1673,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - compression = PHAR_FILE_COMPRESSED_GZ; - - /* now, start over */ -- test = '\0'; -+ if (!--recursion_count) { -+ MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\""); -+ break; -+ } - continue; - } else if (!memcmp(pos, bz_magic, 3)) { - php_stream_filter *filter; -@@ -1711,7 +1714,10 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - compression = PHAR_FILE_COMPRESSED_BZ2; - - /* now, start over */ -- test = '\0'; -+ if (!--recursion_count) { -+ MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\""); -+ break; -+ } - continue; - } - diff --git a/0060-Fix-regression-introduced-by-fixing-bug-81726.patch b/0060-Fix-regression-introduced-by-fixing-bug-81726.patch deleted file mode 100644 index 1bf39c1..0000000 --- a/0060-Fix-regression-introduced-by-fixing-bug-81726.patch +++ /dev/null 
@@ -1,57 +0,0 @@ -From 432bf196d59bcb661fcf9cb7029cea9b43f490af Mon Sep 17 00:00:00 2001 -From: "Christoph M. Becker" -Date: Tue, 27 Sep 2022 17:43:40 +0200 -Subject: [PATCH] Fix regression introduced by fixing bug 81726 - -When a tar phar is created, `phar_open_from_fp()` is also called, but -since the file has just been created, none of the format checks can -succeed, so we continue to loop, but must not check again for the -format. Therefore, we bring back the old `test` variable. - -Closes GH-9620. ---- - ext/phar/phar.c | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/ext/phar/phar.c b/ext/phar/phar.c -index 4a761ef799..ecab9162fa 100644 ---- a/ext/phar/phar.c -+++ b/ext/phar/phar.c -@@ -1584,7 +1584,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - const char zip_magic[] = "PK\x03\x04"; - const char gz_magic[] = "\x1f\x8b\x08"; - const char bz_magic[] = "BZh"; -- char *pos; -+ char *pos, test = '\0'; - int recursion_count = 3; // arbitrary limit to avoid too deep or even infinite recursion - const int window_size = 1024; - char buffer[1024 + sizeof(token)]; /* a 1024 byte window + the size of the halt_compiler token (moving window) */ -@@ -1613,7 +1613,8 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - MAPPHAR_ALLOC_FAIL("internal corruption of phar \"%s\" (truncated entry)") - } - -- if (recursion_count) { -+ if (!test && recursion_count) { -+ test = '\1'; - pos = buffer+tokenlen; - if (!memcmp(pos, gz_magic, 3)) { - char err = 0; -@@ -1673,6 +1674,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - compression = PHAR_FILE_COMPRESSED_GZ; - - /* now, start over */ -+ test = '\0'; - if (!--recursion_count) { - MAPPHAR_ALLOC_FAIL("unable to decompress gzipped phar archive \"%s\""); - break; -@@ -1714,6 +1716,7 @@ static int phar_open_from_fp(php_stream* fp, char *fname, size_t fname_len, char - compression = 
PHAR_FILE_COMPRESSED_BZ2; - - /* now, start over */ -+ test = '\0'; - if (!--recursion_count) { - MAPPHAR_ALLOC_FAIL("unable to decompress bzipped phar archive \"%s\""); - break; --- -2.30.2 - diff --git a/0061-Fix-81727-Don-t-mangle-HTTP-variable-names-that-clas.patch b/0061-Fix-81727-Don-t-mangle-HTTP-variable-names-that-clas.patch deleted file mode 100644 index 3507e64..0000000 --- a/0061-Fix-81727-Don-t-mangle-HTTP-variable-names-that-clas.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From 0611be4e82887cee0de6c4cbae320d34eec946ca Mon Sep 17 00:00:00 2001 -From: Derick Rethans -Date: Fri, 9 Sep 2022 16:54:03 +0100 -Subject: [PATCH] Fix #81727: Don't mangle HTTP variable names that clash with - ones that have a specific semantic meaning. - ---- - NEWS | 6 ++++++ - ext/standard/tests/bug81727.phpt | 15 +++++++++++++++ - main/php_variables.c | 14 ++++++++++++++ - 3 files changed, 35 insertions(+) - create mode 100644 ext/standard/tests/bug81727.phpt - -diff --git a/ext/standard/tests/bug81727.phpt b/ext/standard/tests/bug81727.phpt -new file mode 100644 -index 0000000000..71a9cb46c8 ---- /dev/null -+++ b/ext/standard/tests/bug81727.phpt -@@ -0,0 +1,15 @@ -+--TEST-- -+Bug #81727: $_COOKIE name starting with ..Host/..Secure should be discarded -+--COOKIE-- -+..Host-test=ignore; __Host-test=correct; . Secure-test=ignore; . Elephpant=Awesome; -+--FILE-- -+ -+--EXPECT-- -+array(2) { -+ ["__Host-test"]=> -+ string(7) "correct" -+ ["__Elephpant"]=> -+ string(7) "Awesome" -+} -diff --git a/main/php_variables.c b/main/php_variables.c -index cbdc7cf171..18f6b65a6c 100644 ---- a/main/php_variables.c -+++ b/main/php_variables.c -@@ -115,6 +115,20 @@ PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars - } - var_len = p - var; - -+ /* Discard variable if mangling made it start with __Host-, where pre-mangling it did not start with __Host- */ -+ if (strncmp(var, "__Host-", sizeof("__Host-")-1) == 0 && strncmp(var_name, "__Host-", sizeof("__Host-")-1) != 0) { -+ zval_ptr_dtor_nogc(val); -+ free_alloca(var_orig, use_heap); -+ return; -+ } -+ -+ /* Discard variable if mangling made it start with __Secure-, where pre-mangling it did not start with __Secure- */ -+ if (strncmp(var, "__Secure-", sizeof("__Secure-")-1) == 0 && strncmp(var_name, "__Secure-", sizeof("__Secure-")-1) != 0) { -+ zval_ptr_dtor_nogc(val); -+ free_alloca(var_orig, use_heap); -+ return; -+ } -+ - if (var_len==0) { /* empty variable name, or variable 
name with a space in it */ - zval_ptr_dtor_nogc(val); - free_alloca(var_orig, use_heap); --- -2.30.2 - diff --git a/0062-Fix-bug-81738-buffer-overflow-in-hash_update-on-long.patch b/0062-Fix-bug-81738-buffer-overflow-in-hash_update-on-long.patch deleted file mode 100644 index e68e519..0000000 --- a/0062-Fix-bug-81738-buffer-overflow-in-hash_update-on-long.patch +++ /dev/null 
@@ -1,109 +0,0 @@ -From 248f647724e385bfb8d83aa5b5a5ca3c4ee2c7fd Mon Sep 17 00:00:00 2001 -From: Stanislav Malyshev -Date: Thu, 20 Oct 2022 23:57:35 -0600 -Subject: [PATCH] Fix bug #81738 (buffer overflow in hash_update() on long - parameter) - ---- - NEWS | 4 ++++ - ext/hash/sha3/generic32lc/KeccakSponge.inc | 14 ++++++++------ - ext/hash/sha3/generic64lc/KeccakSponge.inc | 14 ++++++++------ - main/php_version.h | 10 +++++----- - 4 files changed, 25 insertions(+), 17 deletions(-) - -diff --git a/ext/hash/sha3/generic32lc/KeccakSponge.inc b/ext/hash/sha3/generic32lc/KeccakSponge.inc -index 42a15aac6d..f8c42ff788 100644 ---- a/ext/hash/sha3/generic32lc/KeccakSponge.inc -+++ b/ext/hash/sha3/generic32lc/KeccakSponge.inc -@@ -160,7 +160,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { - #ifdef SnP_FastLoop_Absorb - /* processing full blocks first */ - if ((rateInBytes % (SnP_width/200)) == 0) { -@@ -186,9 +186,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - } - else { - /* normal lane: using the message queue */ -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); - #endif -@@ -263,7 +264,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= 
rateInBytes)) { - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - SnP_Permute(instance->state); - SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); -@@ -280,9 +281,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - i += partialBlock; - - SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); -diff --git a/ext/hash/sha3/generic64lc/KeccakSponge.inc b/ext/hash/sha3/generic64lc/KeccakSponge.inc -index 42a15aac6d..f8c42ff788 100644 ---- a/ext/hash/sha3/generic64lc/KeccakSponge.inc -+++ b/ext/hash/sha3/generic64lc/KeccakSponge.inc -@@ -160,7 +160,7 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == 0) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == 0) && (dataByteLen-i >= rateInBytes)) { - #ifdef SnP_FastLoop_Absorb - /* processing full blocks first */ - if ((rateInBytes % (SnP_width/200)) == 0) { -@@ -186,9 +186,10 @@ int SpongeAbsorb(SpongeInstance *instance, const unsigned char *data, size_t dat - } - else { - /* normal lane: using the message queue */ -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - #ifdef KeccakReference - displayBytes(1, "Block to be absorbed (part)", curData, partialBlock); - #endif -@@ -263,7 +264,7 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char 
*data, size_t dataByte - i = 0; - curData = data; - while(i < dataByteLen) { -- if ((instance->byteIOIndex == rateInBytes) && (dataByteLen >= (i + rateInBytes))) { -+ if ((instance->byteIOIndex == rateInBytes) && (dataByteLen-i >= rateInBytes)) { - for(j=dataByteLen-i; j>=rateInBytes; j-=rateInBytes) { - SnP_Permute(instance->state); - SnP_ExtractBytes(instance->state, curData, 0, rateInBytes); -@@ -280,9 +281,10 @@ int SpongeSqueeze(SpongeInstance *instance, unsigned char *data, size_t dataByte - SnP_Permute(instance->state); - instance->byteIOIndex = 0; - } -- partialBlock = (unsigned int)(dataByteLen - i); -- if (partialBlock+instance->byteIOIndex > rateInBytes) -+ if (dataByteLen-i > rateInBytes-instance->byteIOIndex) - partialBlock = rateInBytes-instance->byteIOIndex; -+ else -+ partialBlock = (unsigned int)(dataByteLen - i); - i += partialBlock; - - SnP_ExtractBytes(instance->state, curData, instance->byteIOIndex, partialBlock); diff --git a/php-7.4.30-svace-fixes.patch b/php-7.4.30-svace-fixes.patch new file mode 100644 index 0000000..23c9b96 --- /dev/null +++ b/php-7.4.30-svace-fixes.patch 
@@ -0,0 +1,252 @@ +diff --git a/Zend/zend_builtin_functions.c b/Zend/zend_builtin_functions.c +index 33dfea0..057fe96 100644 +--- a/Zend/zend_builtin_functions.c ++++ b/Zend/zend_builtin_functions.c +@@ -1636,7 +1636,9 @@ ZEND_FUNCTION(set_error_handler) + zend_string *error_handler_name = zend_get_callable_name(error_handler); + zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback", + get_active_function_name(), error_handler_name?ZSTR_VAL(error_handler_name):"unknown"); +- zend_string_release_ex(error_handler_name, 0); ++ if (error_handler_name) { ++ zend_string_release_ex(error_handler_name, 0); ++ } + return; + } + } +@@ -1703,7 +1705,9 @@ ZEND_FUNCTION(set_exception_handler) + zend_string *exception_handler_name = zend_get_callable_name(exception_handler); + zend_error(E_WARNING, "%s() expects the argument (%s) to be a valid callback", + get_active_function_name(), exception_handler_name?ZSTR_VAL(exception_handler_name):"unknown"); +- zend_string_release_ex(exception_handler_name, 0); ++ if (exception_handler_name) { ++ zend_string_release_ex(exception_handler_name, 0); ++ } + return; + } + } +diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c +index 2d52e4e..a1c1022 100644 +--- a/Zend/zend_exceptions.c ++++ b/Zend/zend_exceptions.c +@@ -1040,8 +1040,12 @@ ZEND_API ZEND_COLD void zend_exception_error(zend_object *ex, int severity) /* { + zend_error_va(severity, (file && ZSTR_LEN(file) > 0) ? 
ZSTR_VAL(file) : NULL, line, + "Uncaught %s\n thrown", ZSTR_VAL(str)); + +- zend_string_release_ex(str, 0); +- zend_string_release_ex(file, 0); ++ if (str) { ++ zend_string_release_ex(str, 0); ++ } ++ if (file) { ++ zend_string_release_ex(file, 0); ++ } + } else { + zend_error(severity, "Uncaught exception '%s'", ZSTR_VAL(ce_exception->name)); + } +diff --git a/Zend/zend_multibyte.c b/Zend/zend_multibyte.c +index 956ffbb..0c7c65e 100644 +--- a/Zend/zend_multibyte.c ++++ b/Zend/zend_multibyte.c +@@ -115,6 +115,9 @@ ZEND_API int zend_multibyte_set_functions(const zend_multibyte_functions *functi + */ + { + const char *value = zend_ini_string("zend.script_encoding", sizeof("zend.script_encoding") - 1, 0); ++ if (!value) { ++ return FAILURE; ++ } + zend_multibyte_set_script_encoding_by_string(value, strlen(value)); + } + return SUCCESS; +diff --git a/ext/dom/entity.c b/ext/dom/entity.c +index b412550..34b83ee 100644 +--- a/ext/dom/entity.c ++++ b/ext/dom/entity.c +@@ -106,6 +106,9 @@ int dom_entity_notation_name_read(dom_object *obj, zval *retval) + ZVAL_NULL(retval); + } else { + content = (char *) xmlNodeGetContent((xmlNodePtr) nodep); ++ if (!content) { ++ return FAILURE; ++ } + ZVAL_STRING(retval, content); + xmlFree(content); + } +diff --git a/ext/phar/phar.c b/ext/phar/phar.c +index ecab916..06bb697 100644 +--- a/ext/phar/phar.c ++++ b/ext/phar/phar.c +@@ -2751,8 +2751,10 @@ int phar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int conv + newentry = phar_open_jit(phar, entry, error); + if (!newentry) { + /* major problem re-opening, so we ignore this file and the error */ +- efree(*error); +- *error = NULL; ++ if (error) { ++ efree(*error); ++ *error = NULL; ++ } + continue; + } + entry = newentry; +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index 03e6dd4..52b5c5d 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -899,7 +899,7 @@ int phar_tar_setmetadata(zval *metadata, phar_entry_info *entry, char **error) / + spprintf(error, 0, "phar 
error: unable to create temporary file"); + return -1; + } +- if (ZSTR_LEN(entry->metadata_str.s) != php_stream_write(entry->fp, ZSTR_VAL(entry->metadata_str.s), ZSTR_LEN(entry->metadata_str.s))) { ++ if (entry->metadata_str.s && ZSTR_LEN(entry->metadata_str.s) != php_stream_write(entry->fp, ZSTR_VAL(entry->metadata_str.s), ZSTR_LEN(entry->metadata_str.s))) { + spprintf(error, 0, "phar tar error: unable to write metadata to magic metadata file \"%s\"", entry->filename); + zend_hash_str_del(&(entry->phar->manifest), entry->filename, entry->filename_len); + return ZEND_HASH_APPLY_STOP; +diff --git a/ext/sqlite3/sqlite3.c b/ext/sqlite3/sqlite3.c +index f4d8066..9386c05 100644 +--- a/ext/sqlite3/sqlite3.c ++++ b/ext/sqlite3/sqlite3.c +@@ -877,7 +877,9 @@ static int sqlite3_do_callback(struct php_sqlite3_fci *fc, zval *cb, int argc, s + if (agg_context && !Z_ISUNDEF(agg_context->zval_context)) { + zval_ptr_dtor(&agg_context->zval_context); + } +- ZVAL_COPY_VALUE(&agg_context->zval_context, &retval); ++ if (agg_context) { ++ ZVAL_COPY_VALUE(&agg_context->zval_context, &retval); ++ } + ZVAL_UNDEF(&retval); + } + +diff --git a/ext/standard/filters.c b/ext/standard/filters.c +index 018270c..6acce21 100644 +--- a/ext/standard/filters.c ++++ b/ext/standard/filters.c +@@ -766,7 +766,7 @@ static void php_conv_qprint_encode_dtor(php_conv_qprint_encode *inst) + } + + #define NEXT_CHAR(ps, icnt, lb_ptr, lb_cnt, lbchars) \ +- ((lb_ptr) < (lb_cnt) ? (lbchars)[(lb_ptr)] : *(ps)) ++ ((lb_ptr) < (lb_cnt) && (lbchars) ? (lbchars)[(lb_ptr)] : ((ps) ? *(ps) : '\0')) + + #define CONSUME_CHAR(ps, icnt, lb_ptr, lb_cnt) \ + if ((lb_ptr) < (lb_cnt)) { \ +diff --git a/ext/standard/var.c b/ext/standard/var.c +index 37a68bb..ba68cf3 100644 +--- a/ext/standard/var.c ++++ b/ext/standard/var.c +@@ -1070,8 +1070,10 @@ again: + /* Mark this value in the var_hash, to avoid creating references to it. 
*/ + zval *var_idx = zend_hash_index_find(&var_hash->ht, + (zend_ulong) (zend_uintptr_t) Z_COUNTED_P(struc)); +- ZVAL_LONG(var_idx, -1); +- smart_str_appendl(buf, "N;", 2); ++ if (var_idx) { ++ ZVAL_LONG(var_idx, -1); ++ smart_str_appendl(buf, "N;", 2); ++ } + } + if (serialized_data) { + efree(serialized_data); +diff --git a/sapi/fpm/fpm/fpm_conf.c b/sapi/fpm/fpm/fpm_conf.c +index 7a05286..378c585 100644 +--- a/sapi/fpm/fpm/fpm_conf.c ++++ b/sapi/fpm/fpm/fpm_conf.c +@@ -720,8 +720,8 @@ static int fpm_evaluate_full_path(char **path, struct fpm_worker_pool_s *wp, cha + } + + if (strlen(*path) > strlen("$prefix")) { +- free(*path); + tmp = strdup((*path) + strlen("$prefix")); ++ free(*path); + *path = tmp; + } else { + free(*path); +diff --git a/sapi/fpm/fpm/zlog.c b/sapi/fpm/fpm/zlog.c +index 4808447..849370c 100644 +--- a/sapi/fpm/fpm/zlog.c ++++ b/sapi/fpm/fpm/zlog.c +@@ -348,7 +348,7 @@ static ssize_t zlog_stream_direct_write( + static inline ssize_t zlog_stream_unbuffered_write( + struct zlog_stream *stream, const char *buf, size_t len) /* {{{ */ + { +- const char *append; ++ const char *append = NULL; + size_t append_len = 0, required_len, reserved_len; + ssize_t written; + +@@ -637,10 +637,10 @@ zlog_bool zlog_stream_set_msg_suffix( + if (suffix != NULL) { + stream->msg_suffix_len = strlen(suffix); + len = stream->msg_suffix_len + 1; +- stream->msg_suffix = malloc(len); + if (stream->msg_suffix != NULL) { + free(stream->msg_suffix); + } ++ stream->msg_suffix = malloc(len); + if (stream->msg_suffix == NULL) { + return ZLOG_FALSE; + } +@@ -652,7 +652,7 @@ zlog_bool zlog_stream_set_msg_suffix( + len = stream->msg_final_suffix_len + 1; + stream->msg_final_suffix = malloc(len); + if (stream->msg_final_suffix != NULL) { +- free(stream->msg_suffix); ++ free(stream->msg_final_suffix); + } + if (stream->msg_final_suffix == NULL) { + return ZLOG_FALSE; +diff --git a/sapi/phpdbg/phpdbg_prompt.c b/sapi/phpdbg/phpdbg_prompt.c +index 6b0de5c..0764789 100644 +--- 
a/sapi/phpdbg/phpdbg_prompt.c ++++ b/sapi/phpdbg/phpdbg_prompt.c +@@ -544,6 +544,9 @@ int phpdbg_compile_stdin(zend_string *code) { + /* remove trailing data after zero byte, used for avoiding conflicts in eval()'ed code snippets */ + zend_string *source_path = strpprintf(0, "Standard input code%c%p", 0, PHPDBG_G(ops)->opcodes); + phpdbg_file_source *data = zend_hash_find_ptr(&PHPDBG_G(file_sources), source_path); ++ if (!data) { ++ return FAILURE; ++ } + dtor_func_t dtor = PHPDBG_G(file_sources).pDestructor; + PHPDBG_G(file_sources).pDestructor = NULL; + zend_hash_del(&PHPDBG_G(file_sources), source_path); +@@ -1349,7 +1352,7 @@ PHPDBG_API const char *phpdbg_load_module_or_extension(char **path, char **name) + module_entry->handle = handle; + + if ((module_entry = zend_register_module_ex(module_entry)) == NULL) { +- phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", module_entry->name); ++ phpdbg_error("dl", "type=\"registerfailure\" module=\"%s\"", "Unable to register module %s", "Unknown module"); + + goto quit; + } +diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c +index 4d10e68..1acfec6 100644 +--- a/main/streams/plain_wrapper.c ++++ b/main/streams/plain_wrapper.c +@@ -926,6 +926,7 @@ static int php_stdiop_set_option(php_stream *stream, int option, int value, void + } + } + ++ return PHP_STREAM_OPTION_RETURN_NOTIMPL; + #ifdef PHP_WIN32 + case PHP_STREAM_OPTION_PIPE_BLOCKING: + data->is_pipe_blocking = value; +diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c +index b0de6e4..5e3adec 100644 +--- a/ext/phar/phar_object.c ++++ b/ext/phar/phar_object.c +@@ -3484,12 +3484,10 @@ PHP_METHOD(Phar, copy) + RETURN_FALSE; + } + +- if (zend_hash_str_exists(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) { +- if (NULL != (temp = zend_hash_str_find_ptr(&phar_obj->archive->manifest, newfile, (uint32_t) newfile_len)) || !temp->is_deleted) { +- 
zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0, +- "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname); +- RETURN_FALSE; +- } ++ if (!zend_hash_str_exists(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len) || NULL == (oldentry = zend_hash_str_find_ptr(&phar_obj->archive->manifest, oldfile, (uint32_t) oldfile_len)) || oldentry->is_deleted) { ++ zend_throw_exception_ex(spl_ce_UnexpectedValueException, 0, ++ "file \"%s\" cannot be copied to file \"%s\", file must not already exist in phar %s", oldfile, newfile, phar_obj->archive->fname); ++ RETURN_FALSE; + } + + tmp_len = newfile_len; diff --git a/php7.spec b/php7.spec index f7fe4cb..ef78f50 100644 --- a/php7.spec +++ b/php7.spec @@ -26,8 +26,8 @@ Summary: The PHP7 scripting language Name: php -Version: 7.4.30 -Release: 5 +Version: 7.4.33 +Release: 1 Source0: http://ch1.php.net/distributions/php-%{version}.tar.gz Source1: macros.php Group: Development/PHP @@ -81,15 +81,8 @@ Patch114: php-no_pam_in_c-client.diff # Fix bugs Patch121: php-bug43221.diff Patch122: php-not-use-libgd-const.patch -# CVE-2022-31628 -Patch123: 0059-Fix-81726-phar-wrapper-DOS-when-using-quine-gzip-fil.patch -Patch124: 0060-Fix-regression-introduced-by-fixing-bug-81726.patch -# CVE-2022-31629 -Patch125: 0061-Fix-81727-Don-t-mangle-HTTP-variable-names-that-clas.patch -# CVE-2022-37454 -Patch126: 0062-Fix-bug-81738-buffer-overflow-in-hash_update-on-long.patch -# Svace 11.05.23 -Patch127: php-7.4.30-svace.patch +# Sauce fixes +Patch127: php-7.4.30-svace-fixes.patch Patch200: fix-include-e2k.patch BuildRequires: autoconf @@ -1282,14 +1275,8 @@ fi %patch121 -p0 -b .bug43221.droplet %patch122 -p1 -%patch123 -p1 -%patch124 -p1 -%patch125 -p1 -%patch126 -p1 %patch127 -p1 -%ifarch %{e2k} %patch200 -p1 -%endif cp %{SOURCE2} maxlifetime cp %{SOURCE3} php.crond
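Review bot: In the `sapi/fpm/fpm/zlog.c` part of this new patch, the second `zlog_stream_set_msg_suffix()` change still runs `stream->msg_final_suffix = malloc(len);` before the `!= NULL` test, so the corrected `free(stream->msg_final_suffix);` releases the buffer that was just allocated and leaves a non-NULL dangling pointer for whatever the function does next (the rest of the body is outside the hunk). Mirror the `msg_suffix` branch directly above it and release the old value first: `free(stream->msg_final_suffix);` followed by `stream->msg_final_suffix = malloc(len);`. In `ext/phar/phar_object.c`, the `Phar::copy` change replaces the `newfile` lookup with a test on `oldfile`/`oldentry` while keeping the "file must not already exist" message, so the destination-exists check is gone; if the aim was to avoid dereferencing a NULL `temp`, keeping the lookup and turning `||` into `&&` (`NULL != (temp = ...) && !temp->is_deleted`) achieves that without dropping the check. In `ext/standard/var.c`, `smart_str_appendl(buf, "N;", 2);` moved inside `if (var_idx)`, so a missing hash entry would now emit nothing for that value and leave the serialized string malformed; only `ZVAL_LONG(var_idx, -1);` needs the guard.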
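Review bot: The new comment `# Sauce fixes` above `Patch127` looks like a typo for Svace, given the patch name `php-7.4.30-svace-fixes.patch` and the removed `# Svace 11.05.23` line; something like `# Svace static-analysis fixes` would say what the patch is. Dropping Patch123–126 also removes the spec's only mention of CVE-2022-31628, CVE-2022-31629 and CVE-2022-37454, so if those fixes are now carried by the 7.4.33 tarball, a changelog entry or a one-line comment stating that would keep it traceable for anyone auditing the package. The visible diff adds `php-7.4.30-svace-fixes.patch` but does not delete `php-7.4.30-svace.patch`; if that file is still in the repository it is now unreferenced.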
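Review bot: `%patch200 -p1` loses its `%ifarch %{e2k}` / `%endif` guard in the `%prep` hunk, so `fix-include-e2k.patch` is now applied on every architecture instead of only on e2k. If that is intended, a comment next to `Patch200` should say so; if not, restore the guard as `%ifarch %{e2k}`, `%patch200 -p1`, `%endif`. The change is unrelated to the version bump and is easy to miss among the removed `%patch123`–`%patch126` lines.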