!4 fix CVE-2020-7064 CVE-2020-7066

Merge pull request !4 from Vchanger/master

CVE-2020-7064.patch

@@ -0,0 +1,60 @@
+From 0c77b4307df73217283a4aaf9313e1a33a0967ff Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:26:00 -0700
+Subject: [PATCH] Fixed bug #79282
+
+---
+ ext/exif/exif.c              |  7 ++++++-
+ ext/exif/tests/bug79282.phpt | 15 +++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug79282.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a63e0c1..b85ac19 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3660,6 +3660,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
+ {
+ 	unsigned exif_value_2a, offset_of_ifd;
+ 
++	if (length < 2) {
++		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker");
++		return;
++	}
++
+ 	/* set the thumbnail stuff to nothing so we can test to see if they get set up */
+ 	if (memcmp(CharBuf, "II", 2) == 0) {
+ 		ImageInfo->motorola_intel = 0;
+@@ -3812,7 +3817,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo)
+ 			return FALSE;
+ 		}
+ 
+-		sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL);
++		sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL);
+ 		Data = ImageInfo->file.list[sn].data;
+ 
+ 		/* Store first two pre-read bytes. */
+diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt
+new file mode 100644
+index 0000000..7b7e365
+--- /dev/null
++++ b/ext/exif/tests/bug79282.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #79282: Use-of-uninitialized-value in exif
++--FILE--
++<?php
++
++var_dump(exif_read_data('data://image/jpeg;base64,/9jhAAlFeGlmAAAg'));
++
++?>
++--EXPECTF--
++Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d
++
++Warning: exif_read_data(): File structure corrupted in %s on line %d
++
++Warning: exif_read_data(): Invalid JPEG file in %s on line %d
++bool(false)
+-- 
+1.8.3.1
+

CVE-2020-7066.patch

@@ -0,0 +1,25 @@
+From 0181cb204b54ee08710147338b76dc0845aba4f9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 15 Mar 2020 17:30:44 -0700
+Subject: [PATCH] Fix bug #79329 - get_headers should not accept \0
+
+---
+ ext/standard/url.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/url.c b/ext/standard/url.c
+index 57fd80c..fe6d7f9 100644
+--- a/ext/standard/url.c
++++ b/ext/standard/url.c
+@@ -680,7 +680,7 @@ PHP_FUNCTION(get_headers)
+ 	php_stream_context *context;
+ 
+ 	ZEND_PARSE_PARAMETERS_START(1, 3)
+-		Z_PARAM_STRING(url, url_len)
++		Z_PARAM_PATH(url, url_len)
+ 		Z_PARAM_OPTIONAL
+ 		Z_PARAM_LONG(format)
+ 		Z_PARAM_RESOURCE_EX(zcontext, 1, 0)
+-- 
+1.8.3.1
+

php.spec

@@ -28,7 +28,7 @@
 
 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       3
+Release:       4
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@@ -89,6 +89,8 @@ Patch6019:     CVE-2019-11047.patch
 Patch6020:     CVE-2018-19518.patch
 #git.php.net/?p=php-src.git;a=patch;h=a15af81b5f0058e020eda0f109f51a3c863f5212
 Patch6021:     CVE-2019-6977.patch
+Patch6022:     CVE-2020-7064.patch
+Patch6023:     CVE-2020-7066.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1149,6 +1151,12 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Fri Apr 24 2020 openEuler Buildteam <buildteam@openeuler.org> - 7.2.10-4
+- Type:cves
+- ID:CVE-2020-7064 CVE-2020-7066
+- SUG:restart
+- DESC:fix CVE-2020-7064 CVE-2020-7066
+
 * Mon Mar 16 2020 shijian <shijian16@huawei.com> - 7.2.10-3
 - Type:cves
 - ID:CVE-2018-19518 CVE-2019-6977