add CVE patches

CVE-2018-19935.patch

@@ -0,0 +1,50 @@
+From 3329e30a0c631753980757045ddfcc7b356a34a2 Mon Sep 17 00:00:00 2001
+Date: Wed, 4 Dec 2019 17:50:56 +0800
+Subject: Fix #77020: null pointer dereference in imap_mail
+
+If an empty $message is passed to imap_mail(), we must not set message
+to NULL, since _php_imap_mail() is not supposed to handle NULL pointers
+(opposed to pointers to NUL).
+
+---
+ ext/imap/php_imap.c          |  1 -
+ ext/imap/tests/bug77020.phpt | 15 +++++++++++++++
+ 2 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 php-7.2.10/ext/imap/tests/bug77020.phpt
+
+diff --git a/ext/imap/php_imap.c b/ext/imap/php_imap.c
+index e1adcf22..56126a0c 100644
+--- a/ext/imap/php_imap.c
++++ b/ext/imap/php_imap.c
+@@ -4106,7 +4106,6 @@ PHP_FUNCTION(imap_mail)
+ 	if (!ZSTR_LEN(message)) {
+ 		/* this is not really an error, so it is allowed. */
+ 		php_error_docref(NULL, E_WARNING, "No message string in mail command");
+-		message = NULL;
+ 	}
+ 
+ 	if (_php_imap_mail(ZSTR_VAL(to), ZSTR_VAL(subject), ZSTR_VAL(message), headers?ZSTR_VAL(headers):NULL, cc?ZSTR_VAL(cc):NULL,
+diff --git a/ext/imap/tests/bug77020.phpt b/ext/imap/tests/bug77020.phpt
+new file mode 100644
+index 00000000..76386a09
+--- /dev/null
++++ b/ext/imap/tests/bug77020.phpt
+@@ -0,0 +1,15 @@
++ --TEST--
++Bug #77020 (null pointer dereference in imap_mail)
++--SKIPIF--
++<?php
++if (!extension_loaded('imap')) die('skip imap extension not available');
++?>
++--FILE--
++<?php
++imap_mail('1', 1, NULL);
++?>
++===DONE===
++--EXPECTF--
++Warning: imap_mail(): No message string in mail command in %s on line %d
++%s
++===DONE===
+-- 
+2.19.1
+

CVE-2019-11034.patch

@@ -0,0 +1,55 @@
+From f3aefc6d071b807ddacae0a0bc49f09c38e18490 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 17 Mar 2019 22:54:46 -0700
+Subject: [PATCH] Fix bug #77753 - Heap-buffer-overflow in php_ifd_get32s
+
+---
+ ext/exif/exif.c              |   4 ++++
+ ext/exif/tests/bug77753.phpt |  16 ++++++++++++++++
+ ext/exif/tests/bug77753.tiff | Bin 0 -> 873 bytes
+ 3 files changed, 20 insertions(+)
+ create mode 100644 ext/exif/tests/bug77753.phpt
+ create mode 100644 ext/exif/tests/bug77753.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index fe89b85..0b5bb5a 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2802,6 +2802,10 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
+ 		return FALSE;
+ 	}
++	if ((dir_start - value_ptr) > value_len - (2+NumDirEntries*12)) {
++		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 0x%04X > 0x%04X", (dir_start - value_ptr) + (2+NumDirEntries*12), value_len);
++		return FALSE;
++	}
+ 
+ 	for (de=0;de<NumDirEntries;de++) {
+ 		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+diff --git a/ext/exif/tests/bug77753.phpt b/ext/exif/tests/bug77753.phpt
+new file mode 100644
+index 0000000..d987a5c
+--- /dev/null
++++ b/ext/exif/tests/bug77753.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #77753 (Heap-buffer-overflow in php_ifd_get32s)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++var_dump(exif_read_data(__DIR__."/bug77753.tiff"));
++?>
++DONE
++--EXPECTF--
++%A
++Warning: exif_read_data(bug77753.tiff): Illegal IFD size: 0x006A > 0x0065 in %sbug77753.php on line %d
++
++Warning: exif_read_data(bug77753.tiff): Invalid TIFF file in %sbug77753.php on line %d
++bool(false)
++DONE
+\ No newline at end of file
+
+-- 
+2.1.4
+

CVE-2019-11035.patch

@@ -0,0 +1,185 @@
+From 887a7b571407f7a49a5e7cf1e612d21ef83fedb4 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 2 Apr 2019 00:12:26 -0700
+Subject: [PATCH] Fixed bug #77831 - Heap-buffer-overflow in exif_iif_add_value
+ in EXIF
+
+---
+ NEWS                         |   1 +
+ ext/exif/exif.c              |  43 ++++++++++++++++++++++++++++---------------
+ ext/exif/tests/bug77831.phpt |  13 +++++++++++++
+ ext/exif/tests/bug77831.tiff | Bin 0 -> 49 bytes
+ 4 files changed, 42 insertions(+), 15 deletions(-)
+ create mode 100644 ext/exif/tests/bug77831.phpt
+ create mode 100644 ext/exif/tests/bug77831.tiff
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 0b5bb5a..408bf03 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -1654,10 +1654,10 @@ static int exif_file_sections_free(image_info_type *ImageInfo)
+ /* {{{ exif_iif_add_value
+  Add a value to image_info
+ */
+-static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, int motorola_intel)
++static void exif_iif_add_value(image_info_type *image_info, int section_index, char *name, int tag, int format, int length, void* value, size_t value_len, int motorola_intel)
+ {
+ 	size_t idex;
+-	void *vptr;
++	void *vptr, *vptr_end;
+ 	image_info_value *info_value;
+ 	image_info_data  *info_data;
+ 	image_info_data  *list;
+@@ -1679,8 +1679,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 
+ 	switch (format) {
+ 		case TAG_FMT_STRING:
++			if (length > value_len) {
++				exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++				value = NULL;
++			}
+ 			if (value) {
+-				length = php_strnlen(value, length);
++				length = (int)php_strnlen(value, length);
+ 				info_value->s = estrndup(value, length);
+ 				info_data->length = length;
+ 			} else {
+@@ -1702,6 +1706,10 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			if (!length)
+ 				break;
+ 		case TAG_FMT_UNDEFINED:
++			if (length > value_len) {
++				exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "length > value_len: %d > %zu", length, value_len);
++				value = NULL;
++			}
+ 			if (value) {
+ 				if (tag == TAG_MAKER_NOTE) {
+ 					length = (int) php_strnlen(value, length);
+@@ -1732,7 +1740,12 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 			} else {
+ 				info_value = &info_data->value;
+ 			}
++			vptr_end = value+value_len;
+ 			for (idex=0,vptr=value; idex<(size_t)length; idex++,vptr=(char *) vptr + php_tiff_bytes_per_format[format]) {
++				if (vptr_end - vptr < php_tiff_bytes_per_format[format]) {
++					exif_error_docref("exif_iif_add_value" EXIFERR_CC, image_info, E_WARNING, "Value too short");
++					break;
++				}
+ 				if (length>1) {
+ 					info_value = &info_data->value.list[idex];
+ 				}
+@@ -1768,7 +1781,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ 						php_error_docref(NULL, E_WARNING, "Found value of type single");
+ #endif
+ 						info_value->f = *(float *)value;
+-
++						break;
+ 					case TAG_FMT_DOUBLE:
+ #ifdef EXIF_DEBUG
+ 						php_error_docref(NULL, E_WARNING, "Found value of type double");
+@@ -1786,9 +1799,9 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
+ /* {{{ exif_iif_add_tag
+  Add a tag from IFD to image_info
+ */
+-static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value)
++static void exif_iif_add_tag(image_info_type *image_info, int section_index, char *name, int tag, int format, size_t length, void* value, size_t value_len)
+ {
+-	exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, image_info->motorola_intel);
++	exif_iif_add_value(image_info, section_index, name, tag, format, (int)length, value, value_len, image_info->motorola_intel);
+ }
+ /* }}} */
+ 
+@@ -2209,7 +2222,7 @@ static void add_assoc_image_info(zval *value, int sub_array, image_info_type *im
+ */
+ static void exif_process_COM (image_info_type *image_info, char *value, size_t length)
+ {
+-	exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2);
++	exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length-2, value+2, length-2);
+ }
+ /* }}} */
+ 
+@@ -2224,17 +2237,17 @@ static void exif_process_CME (image_info_type *image_info, char *value, size_t l
+ 	if (length>3) {
+ 		switch(value[2]) {
+ 			case 0:
+-				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value);
++				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, length, value), length;
+ 				break;
+ 			case 1:
+-				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value);
++				exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_STRING, length, value, length);
+ 				break;
+ 			default:
+ 				php_error_docref(NULL, E_NOTICE, "Undefined JPEG2000 comment encoding");
+ 				break;
+ 		}
+ 	} else {
+-		exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL);
++		exif_iif_add_tag(image_info, SECTION_COMMENT, "Comment", TAG_COMPUTED_VALUE, TAG_FMT_UNDEFINED, 0, NULL, 0);
+ 		php_error_docref(NULL, E_NOTICE, "JPEG2000 comment section too small");
+ 	}
+ }
+@@ -2827,7 +2840,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, char *offset_base, size_t IFDlength, size_t displacement, int section_index, int ReadNextIFD, tag_table_type tag_table)
+ {
+ 	size_t length;
+-	int tag, format, components;
++	unsigned int tag, format, components;
+ 	char *value_ptr, tagname[64], cbuf[32], *outside=NULL;
+ 	size_t byte_count, offset_val, fpos, fgot;
+ 	int64_t byte_count_signed;
+@@ -3138,7 +3151,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+ 				}
+ 		}
+ 	}
+-	exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr);
++	exif_iif_add_tag(ImageInfo, section_index, exif_get_tagname(tag, tagname, sizeof(tagname), tag_table), tag, format, components, value_ptr, byte_count);
+ 	EFREE_IF(outside);
+ 	return TRUE;
+ }
+@@ -3296,10 +3309,10 @@ static void exif_process_APP12(image_info_type *ImageInfo, char *buffer, size_t
+ 	size_t l1, l2=0;
+ 
+ 	if ((l1 = php_strnlen(buffer+2, length-2)) > 0) {
+-		exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2);
++		exif_iif_add_tag(ImageInfo, SECTION_APP12, "Company", TAG_NONE, TAG_FMT_STRING, l1, buffer+2, l1);
+ 		if (length > 2+l1+1) {
+ 			l2 = php_strnlen(buffer+2+l1+1, length-2-l1-1);
+-			exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1);
++			exif_iif_add_tag(ImageInfo, SECTION_APP12, "Info", TAG_NONE, TAG_FMT_STRING, l2, buffer+2+l1+1, l2);
+ 		}
+ 	}
+ #ifdef EXIF_DEBUG
+@@ -4100,7 +4113,7 @@ PHP_FUNCTION(exif_read_data)
+ 	if (ImageInfo.Thumbnail.size) {
+ 		if (read_thumbnail) {
+ 			/* not exif_iif_add_str : this is a buffer */
+-			exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data);
++			exif_iif_add_tag(&ImageInfo, SECTION_THUMBNAIL, "THUMBNAIL", TAG_NONE, TAG_FMT_UNDEFINED, ImageInfo.Thumbnail.size, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
+ 		}
+ 		if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+ 			/* try to evaluate if thumbnail data is present */
+diff --git a/ext/exif/tests/bug77831.phpt b/ext/exif/tests/bug77831.phpt
+new file mode 100644
+index 0000000..d868d47
+--- /dev/null
++++ b/ext/exif/tests/bug77831.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #77831 (Heap-buffer-overflow in exif_iif_add_value in EXIF)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++var_dump(exif_read_data(__DIR__."/bug77831.tiff"));
++?>
++DONE
++--EXPECTF--
++%A
++bool(false)
++DONE
+\ No newline at end of file
+
+-- 
+2.1.4
+

CVE-2019-11036.patch

@@ -0,0 +1,27 @@
+From f80ad18afae2230c2c1802c7d829100af646874e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 29 Apr 2019 23:38:12 -0700
+Subject: [PATCH] Fix bug #77950 - Heap-buffer-overflow in _estrndup via
+ exif_process_IFD_TAG
+
+I do not completely understand what is going on there, but I am pretty
+sure dir_entry <= offset_base if not a normal situation, so we better not
+to rely on such dir_entry.
+---
+ ext/exif/exif.c              |   2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index a763f6c..d174def 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2891,7 +2891,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
+             offset_base is ImageInfo->file.list[sn].data-dir_offset
+             dir_entry - offset_base is dir_offset+2+i*12
+         */
+-		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base)) {
++		if (byte_count > IFDlength || offset_val > IFDlength-byte_count || value_ptr < dir_entry || offset_val < (size_t)(dir_entry-offset_base) || dir_entry <= offset_base) {
+ 			/* It is important to check for IMAGE_FILETYPE_TIFF
+ 			 * JPEG does not use absolute pointers instead its pointers are
+ 			 * relative to the start of the TIFF header in APP1 section. */
+

CVE-2019-11041.patch

@@ -0,0 +1,45 @@
+From dea2989ab8ba87a6180af497b2efaf0527e985c5 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:01:01 -0700
+Subject: [PATCH] Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+
+---
+ ext/exif/exif.c              |   2 +-
+ ext/exif/tests/bug78222.phpt |  11 +++++++++++
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78222.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 605b37923f..cd7975a9f5 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3498,7 +3498,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+ 	size_t          length=2, pos=0;
+ 	jpeg_sof_info   sof_info;
+ 
+-	if (!data) {
++	if (!data || ImageInfo->Thumbnail.size < 4) {
+ 		return FALSE; /* nothing to do here */
+ 	}
+ 	if (memcmp(data, "\xFF\xD8\xFF", 3)) {
+diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt
+new file mode 100644
+index 0000000000..0e4ead33e4
+--- /dev/null
++++ b/ext/exif/tests/bug78222.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++exif_read_data(__DIR__."/bug78222.jpg", 'THUMBNAIL', FALSE, TRUE);
++?>
++DONE
++--EXPECTF--
++DONE
+\ No newline at end of file
+-- 
+2.21.0
+

CVE-2019-11042.patch

@@ -0,0 +1,51 @@
+From 99b7ef940e04cd273d03c5fa93bf182db2d7ce8d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 7 Jul 2019 17:39:59 -0700
+Subject: [PATCH] Fix bug #78256 (heap-buffer-overflow on
+ exif_process_user_comment)
+
+---
+ ext/exif/exif.c              |  4 ++--
+ ext/exif/tests/bug78256.phpt | 11 +++++++++++
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug78256.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 77a11300..a80f2c2a 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3040,11 +3040,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
+ 			/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
+ 			 * since we have no encoding support for the BOM yet we skip that.
+ 			 */
+-			if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
++			if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
+ 				decode = "UCS-2BE";
+ 				szValuePtr = szValuePtr+2;
+ 				ByteCount -= 2;
+-			} else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
++			} else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
+ 				decode = "UCS-2LE";
+ 				szValuePtr = szValuePtr+2;
+ 				ByteCount -= 2;
+diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt
+new file mode 100644
+index 00000000..37a3f1d8
+--- /dev/null
++++ b/ext/exif/tests/bug78256.phpt
+@@ -0,0 +1,11 @@
++--TEST--
++Bug #78256 (heap-buffer-overflow on exif_process_user_comment)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++@exif_read_data(__DIR__."/bug78256.jpg", 'COMMENT', FALSE, TRUE);
++?>
++DONE
++--EXPECTF--
++DONE
+\ No newline at end of file
+-- 
+2.21.0
+

CVE-2019-11043.patch

@@ -0,0 +1,131 @@
+From ab061f95ca966731b1c84cf5b7b20155c0a1c06a Mon Sep 17 00:00:00 2001
+From: Jakub Zelenka <bukka@php.net>
+Date: Sat, 12 Oct 2019 15:56:16 +0100
+Subject: [PATCH] Fix bug #78599 (env_path_info underflow can lead to RCE)
+ (CVE-2019-11043)
+
+---
+ sapi/fpm/fpm/fpm_main.c                       |  4 +-
+ .../tests/bug78599-path-info-underflow.phpt   | 61 +++++++++++++++++++
+ sapi/fpm/tests/tester.inc                     | 11 +++-
+ 3 files changed, 72 insertions(+), 4 deletions(-)
+ create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt
+
+diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
+index 24a7e5d56ac6..50f92981f1fb 100644
+--- a/sapi/fpm/fpm/fpm_main.c
++++ b/sapi/fpm/fpm/fpm_main.c
+@@ -1209,8 +1209,8 @@ static void init_request_info(void)
+ 								path_info = script_path_translated + ptlen;
+ 								tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0));
+ 							} else {
+-								path_info = env_path_info ? env_path_info + pilen - slen : NULL;
+-								tflag = (orig_path_info != path_info);
++								path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL;
++								tflag = path_info && (orig_path_info != path_info);
+ 							}
+ 
+ 							if (tflag) {
+diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
+new file mode 100644
+index 000000000000..edd4e0d49699
+--- /dev/null
++++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt
+@@ -0,0 +1,61 @@
++--TEST--
++FPM: bug78599 - env_path_info underflow - CVE-2019-11043
++--SKIPIF--
++<?php include "skipif.inc"; ?>
++--FILE--
++<?php
++
++require_once "tester.inc";
++
++$cfg = <<<EOT
++[global]
++error_log = {{FILE:LOG}}
++[unconfined]
++listen = {{ADDR}}
++pm = dynamic
++pm.max_children = 5
++pm.start_servers = 1
++pm.min_spare_servers = 1
++pm.max_spare_servers = 3
++EOT;
++
++$code = <<<EOT
++<?php
++echo "Test Start\n";
++var_dump(\$_SERVER["PATH_INFO"]);
++echo "Test End\n";
++EOT;
++
++$tester = new FPM\Tester($cfg, $code);
++$tester->start();
++$tester->expectLogStartNotices();
++$uri = $tester->makeSourceFile();
++$tester
++    ->request(
++        '',
++        [
++            'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35),
++            'PATH_INFO'       => '',
++            'HTTP_HUI'        => str_repeat('PTEST', 1000),
++        ],
++        $uri
++    )
++    ->expectBody(
++        [
++            'Test Start',
++            'string(0) ""',
++            'Test End'
++        ]
++    );
++$tester->terminate();
++$tester->close();
++
++?>
++Done
++--EXPECT--
++Done
++--CLEAN--
++<?php
++require_once "tester.inc";
++FPM\Tester::clean();
++?>
+diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc
+index 70c03ad70f1c..3b6702866cc1 100644
+--- a/sapi/fpm/tests/tester.inc
++++ b/sapi/fpm/tests/tester.inc
+@@ -513,7 +513,7 @@ class Tester
+             return new Response(null, true);
+         }
+         if (is_null($uri)) {
+-            $uri = $this->makeFile('src.php', $this->code);
++            $uri = $this->makeSourceFile();
+         }
+ 
+         $params = array_merge(
+@@ -538,7 +538,6 @@ class Tester
+             ],
+             $headers
+         );
+-
+         try {
+             $this->response = new Response(
+                 $this->getClient($address, $connKeepAlive)->request_data($params, false)
+@@ -944,6 +943,14 @@ class Tester
+         return $filePath;
+     }
+ 
++    /**
++     * @return string
++     */
++    public function makeSourceFile()
++    {
++        return $this->makeFile('src.php', $this->code);
++    }
++
+     /**
+      * @param string|null $msg
+      */

CVE-2019-11045.patch

@@ -0,0 +1,72 @@
+From a5a15965da23c8e97657278fc8dfbf1dfb20c016 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 25 Nov 2019 16:56:34 +0100
+Subject: [PATCH] Fix #78863: DirectoryIterator class silently truncates after
+ a null byte
+
+Since the constructor of DirectoryIterator and friends is supposed to
+accepts paths (i.e. strings without NUL bytes), we must not accept
+arbitrary strings.
+---
+ ext/spl/spl_directory.c     |  4 ++--
+ ext/spl/tests/bug78863.phpt | 31 +++++++++++++++++++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+ create mode 100644 ext/spl/tests/bug78863.phpt
+
+diff --git a/ext/spl/spl_directory.c b/ext/spl/spl_directory.c
+index 91ea2e0265..56e809b1c7 100644
+--- a/ext/spl/spl_directory.c
++++ b/ext/spl/spl_directory.c
+@@ -701,10 +701,10 @@ void spl_filesystem_object_construct(INTERNAL_FUNCTION_PARAMETERS, zend_long cto
+ 
+ 	if (SPL_HAS_FLAG(ctor_flags, DIT_CTOR_FLAGS)) {
+ 		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_FILEINFO;
+-		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &path, &len, &flags);
++		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &path, &len, &flags);
+ 	} else {
+ 		flags = SPL_FILE_DIR_KEY_AS_PATHNAME|SPL_FILE_DIR_CURRENT_AS_SELF;
+-		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "s", &path, &len);
++		parsed = zend_parse_parameters(ZEND_NUM_ARGS(), "p", &path, &len);
+ 	}
+ 	if (SPL_HAS_FLAG(ctor_flags, SPL_FILE_DIR_SKIPDOTS)) {
+ 		flags |= SPL_FILE_DIR_SKIPDOTS;
+diff --git a/ext/spl/tests/bug78863.phpt b/ext/spl/tests/bug78863.phpt
+new file mode 100644
+index 0000000000..dc88d98dee
+--- /dev/null
++++ b/ext/spl/tests/bug78863.phpt
+@@ -0,0 +1,31 @@
++--TEST--
++Bug #78863 (DirectoryIterator class silently truncates after a null byte)
++--FILE--
++<?php
++$dir = __DIR__ . '/bug78863';
++mkdir($dir);
++touch("$dir/bad");
++mkdir("$dir/sub");
++touch("$dir/sub/good");
++
++$it = new DirectoryIterator(__DIR__ . "/bug78863\0/sub");
++foreach ($it as $fileinfo) {
++    if (!$fileinfo->isDot()) {
++        var_dump($fileinfo->getFilename());
++    }
++}
++?>
++--EXPECTF--
++Fatal error: Uncaught UnexpectedValueException: DirectoryIterator::__construct() expects parameter 1 to be a valid path, string given in %s:%d
++Stack trace:
++#0 %s(%d): DirectoryIterator->__construct('%s')
++#1 {main}
++  thrown in %s on line %d
++--CLEAN--
++<?php
++$dir = __DIR__ . '/bug78863';
++unlink("$dir/sub/good");
++rmdir("$dir/sub");
++unlink("$dir/bad");
++rmdir($dir);
++?>
+-- 
+2.19.1
+

CVE-2019-11046.patch

@@ -0,0 +1,51 @@
+From eb23c6008753b1cdc5359dead3a096dce46c9018 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Sat, 30 Nov 2019 12:26:37 +0100
+Subject: [PATCH] Fix #78878: Buffer underflow in bc_shift_addsub
+
+We must not rely on `isdigit()` to detect digits, since we only support
+decimal ASCII digits in the following processing.
+---
+ ext/bcmath/libbcmath/src/str2num.c |  4 ++--
+ ext/bcmath/tests/bug78878.phpt     | 13 +++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+ create mode 100644 ext/bcmath/tests/bug78878.phpt
+
+diff --git a/ext/bcmath/libbcmath/src/str2num.c b/ext/bcmath/libbcmath/src/str2num.c
+index f38d341570..03aec15930 100644
+--- a/ext/bcmath/libbcmath/src/str2num.c
++++ b/ext/bcmath/libbcmath/src/str2num.c
+@@ -57,9 +57,9 @@ bc_str2num (bc_num *num, char *str, int scale)
+   zero_int = FALSE;
+   if ( (*ptr == '+') || (*ptr == '-'))  ptr++;  /* Sign */
+   while (*ptr == '0') ptr++;			/* Skip leading zeros. */
+-  while (isdigit((int)*ptr)) ptr++, digits++;	/* digits */
++  while (*ptr >= '0' && *ptr <= '9') ptr++, digits++;	/* digits */
+   if (*ptr == '.') ptr++;			/* decimal point */
+-  while (isdigit((int)*ptr)) ptr++, strscale++;	/* digits */
++  while (*ptr >= '0' && *ptr <= '9') ptr++, strscale++;	/* digits */
+   if ((*ptr != '\0') || (digits+strscale == 0))
+     {
+       *num = bc_copy_num (BCG(_zero_));
+diff --git a/ext/bcmath/tests/bug78878.phpt b/ext/bcmath/tests/bug78878.phpt
+new file mode 100644
+index 0000000000..2c9d72b946
+--- /dev/null
++++ b/ext/bcmath/tests/bug78878.phpt
+@@ -0,0 +1,13 @@
++--TEST--
++Bug #78878 (Buffer underflow in bc_shift_addsub)
++--SKIPIF--
++<?php
++if (!extension_loaded('bcmath')) die('skip bcmath extension not available');
++?>
++--FILE--
++<?php
++print @bcmul("\xB26483605105519922841849335928742092", bcpowmod(2, 65535, -4e-4));
++?>
++--EXPECT--
++bc math warning: non-zero scale in modulus
++0
+-- 
+2.19.1
+

CVE-2019-11047.patch

@@ -0,0 +1,50 @@
+From d348cfb96f2543565691010ade5e0346338be5a7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 00:10:39 -0800
+Subject: [PATCH] Fixed bug #78910
+
+---
+ ext/exif/exif.c              |  3 ++-
+ ext/exif/tests/bug78910.phpt | 17 +++++++++++++++++
+ 2 files changed, 19 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug78910.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index f961f44a46c..c0be05922fb 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3154,7 +3154,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 			continue;
+ 		if (maker_note->model && (!ImageInfo->model || strcmp(maker_note->model, ImageInfo->model)))
+ 			continue;
+-		if (maker_note->id_string && strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
++		if (maker_note->id_string && value_len >= maker_note->id_string_len
++				&& strncmp(maker_note->id_string, value_ptr, maker_note->id_string_len))
+ 			continue;
+ 		break;
+ 	}
+diff --git a/ext/exif/tests/bug78910.phpt b/ext/exif/tests/bug78910.phpt
+new file mode 100644
+index 00000000000..f5b1c32c1bd
+--- /dev/null
++++ b/ext/exif/tests/bug78910.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #78910: Heap-buffer-overflow READ in exif (OSS-Fuzz #19044)
++--FILE--
++<?php
++
++var_dump(exif_read_data('data:image/jpg;base64,TU0AKgAAAAwgICAgAAIBDwAEAAAAAgAAACKSfCAgAAAAAEZVSklGSUxN'));
++
++?>
++--EXPECTF--
++Notice: exif_read_data(): Read from TIFF: tag(0x927C, MakerNote  ): Illegal format code 0x2020, switching to BYTE in %s on line %d
++
++Warning: exif_read_data(): Process tag(x927C=MakerNote  ): Illegal format code 0x2020, suppose BYTE in %s on line %d
++
++Warning: exif_read_data(): IFD data too short: 0x0000 offset 0x000C in %s on line %d
++
++Warning: exif_read_data(): Invalid TIFF file in %s on line %d
++bool(false)
+-- 
+2.11.0

CVE-2019-11050.patch

@@ -0,0 +1,48 @@
+From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 01:14:38 -0800
+Subject: [PATCH] Fix bug #78793
+
+---
+ ext/exif/exif.c              |  5 +++--
+ ext/exif/tests/bug78793.phpt | 12 ++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug78793.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index c0be05922f..7fe055f381 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3235,8 +3235,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 	}
+ 
+ 	for (de=0;de<NumDirEntries;de++) {
+-		if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+-								  offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
++		size_t offset = 2 + 12 * de;
++		if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
++								  offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
+ 			return FALSE;
+ 		}
+ 	}
+diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
+new file mode 100644
+index 0000000000..033f255ace
+--- /dev/null
++++ b/ext/exif/tests/bug78793.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #78793: Use-after-free in exif parsing under memory sanitizer
++--FILE--
++<?php
++$f = "ext/exif/tests/bug77950.tiff";
++for ($i = 0; $i < 10; $i++) {
++    @exif_read_data($f);
++}
++?>
++===DONE===
++--EXPECT--
++===DONE===
+-- 
+2.19.1
+

CVE-2019-9021.patch

@@ -0,0 +1,14 @@
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index 4d5988eaa9..812720a011 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -2026,7 +2026,7 @@ next_extension:
+ 	}
+ 
+ 	while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
+-		pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
++		pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
+ 		if (!pos) {
+ 			return FAILURE;
+ 		}
+

CVE-2019-9022.patch

@@ -0,0 +1,37 @@
+From 8d3dfabef459fe7815e8ea2fd68753fd17859d7b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 29 Dec 2018 20:39:08 -0800
+Subject: [PATCH] Fix #77369 - memcpy with negative length via crafted DNS
+ response
+
+---
+ ext/standard/dns.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 8e102f8..b5fbcb9 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -459,6 +459,10 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t
+ 	GETLONG(ttl, cp);
+ 	GETSHORT(dlen, cp);
+ 	CHECKCP(dlen);
++	if (dlen == 0) {
++		/* No data in the response - nothing to do */
++		return NULL;
++	}
+ 	if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ 		cp += dlen;
+ 		return cp;
+@@ -549,6 +553,9 @@ static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_t
+ 			CHECKCP(n);
+ 			add_assoc_stringl(subarray, "tag", (char*)cp, n);
+ 			cp += n;
++			if ( (size_t) dlen < ((size_t)n) + 2 ) {
++				return NULL;
++			}
+ 			n = dlen - n - 2;
+ 			CHECKCP(n);
+ 			add_assoc_stringl(subarray, "value", (char*)cp, n);
+-- 
+2.1.4

CVE-2019-9023.patch

@@ -0,0 +1,91 @@
+From 9a96e864885ccc3b19d360ba410a562eb7c5dc45 Mon Sep 17 00:00:00 2001
+From: gwx620998 <gulining1@huawei.com>
+Date: Sat, 23 Mar 2019 03:34:11 -0400
+Subject: [PATCH] CVE-2019-9023
+
+Signed-off-by: gwx620998 <gulining1@huawei.com>
+---
+ ext/mbstring/oniguruma/src/regcomp.c  | 3 +++
+ ext/mbstring/oniguruma/src/regparse.c | 2 ++
+ ext/mbstring/oniguruma/src/unicode.c  | 1 +
+ ext/mbstring/oniguruma/src/utf32_be.c | 3 ++-
+ 4 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ext/mbstring/oniguruma/src/regcomp.c b/ext/mbstring/oniguruma/src/regcomp.c
+index 0e9a9ab..cf914cc 100644
+--- a/ext/mbstring/oniguruma/src/regcomp.c
++++ b/ext/mbstring/oniguruma/src/regcomp.c
+@@ -476,6 +476,7 @@ compile_length_string_node(Node* node, regex_t* reg)
+ 
+   for (; p < sn->end; ) {
+     len = enclen(enc, p);
++	if (p + len > sn->end) len = sn->end - p;
+     if (len == prev_len) {
+       slen++;
+     }
+@@ -524,6 +525,7 @@ compile_string_node(Node* node, regex_t* reg)
+ 
+   for (; p < end; ) {
+     len = enclen(enc, p);
++	if (p + len > end) len = end - p;
+     if (len == prev_len) {
+       slen++;
+     }
+@@ -3436,6 +3438,7 @@ expand_case_fold_string(Node* node, regex_t* reg)
+     }
+ 
+     len = enclen(reg->enc, p);
++	if (p + len > end) len = end - p;
+ 
+     if (n == 0) {
+       if (IS_NULL(snode)) {
+diff --git a/ext/mbstring/oniguruma/src/regparse.c b/ext/mbstring/oniguruma/src/regparse.c
+index 8153513..9393b9d 100644
+--- a/ext/mbstring/oniguruma/src/regparse.c
++++ b/ext/mbstring/oniguruma/src/regparse.c
+@@ -3594,6 +3594,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
+         }
+         else { /* string */
+           p = tok->backp + enclen(enc, tok->backp);
++		  if (p > end) p = end;
+         }
+       }
+       break;
+@@ -3763,6 +3764,7 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env)
+  out:
+ #endif
+   *src = p;
++  if (*src > end) *src = end;
+   return tok->type;
+ }
+ 
+diff --git a/ext/mbstring/oniguruma/src/unicode.c b/ext/mbstring/oniguruma/src/unicode.c
+index 8812ca2..cbdc42f 100644
+--- a/ext/mbstring/oniguruma/src/unicode.c
++++ b/ext/mbstring/oniguruma/src/unicode.c
+@@ -255,6 +255,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc,
+ 
+   code = ONIGENC_MBC_TO_CODE(enc, p, end);
+   len = enclen(enc, p);
++  if (*pp + len > end) len = end - *pp;
+   *pp += len;
+ 
+ #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI
+diff --git a/ext/mbstring/oniguruma/src/utf32_be.c b/ext/mbstring/oniguruma/src/utf32_be.c
+index d0c7f39..4cf6fed 100644
+--- a/ext/mbstring/oniguruma/src/utf32_be.c
++++ b/ext/mbstring/oniguruma/src/utf32_be.c
+@@ -65,8 +65,9 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end)
+ }
+ 
+ static OnigCodePoint
+-utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED)
++utf32be_mbc_to_code(const UChar* p, const UChar* end)
+ {
++  if (p + 4 > end) return (OnigCodePoint ) NULL;
+   return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]);
+ }
+ 
+-- 
+1.8.3.1
+

CVE-2019-9024.patch

@@ -0,0 +1,23 @@
+From 1cc2182bcc81e185c14837e659d12b268cb99d63 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 1 Jan 2019 17:15:20 -0800
+Subject: [PATCH] Fix bug #77380  (Global out of bounds read in xmlrpc base64
+ code)
+
+---
+diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c
+index 5ebdf31..a4fa193 100644
+--- a/ext/xmlrpc/libxmlrpc/base64.c
++++ b/ext/xmlrpc/libxmlrpc/base64.c
+@@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length)
+ 		return;
+ 	    }
+ 
+-	    if (dtable[c] & 0x80) {
++	    if (dtable[(unsigned char)c] & 0x80) {
+ 	      /*
+ 	      fprintf(stderr, "Offset %i length %i\n", offset, length);
+ 	      fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]);
+-- 
+2.1.4
+

CVE-2019-9637.patch

@@ -0,0 +1,85 @@
+From 40f6425978917209cb0c2c3be05a25c65c9a900e Mon Sep 17 00:00:00 2001
+From: gwx620998 <gulining1@huawei.com>
+Date: Sat, 23 Mar 2019 07:14:35 -0400
+Subject: [PATCH] CVE-2019-9637
+
+Signed-off-by: gwx620998 <gulining1@huawei.com>
+---
+ main/streams/plain_wrapper.c | 50 +++++++++++++++++++++++++++++---------------
+ 1 file changed, 33 insertions(+), 17 deletions(-)
+
+diff --git a/main/streams/plain_wrapper.c b/main/streams/plain_wrapper.c
+index 9b36d00..cb9e642 100644
+--- a/main/streams/plain_wrapper.c
++++ b/main/streams/plain_wrapper.c
+@@ -1168,34 +1168,50 @@ static int php_plain_files_rename(php_stream_wrapper *wrapper, const char *url_f
+ # ifdef EXDEV
+ 		if (errno == EXDEV) {
+ 			zend_stat_t sb;
++# if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
++		/* not sure what to do in ZTS case, umask is not thread-safe */
++		int oldmask = umask(077);
++# endif
++			int success = 0;
+ 			if (php_copy_file(url_from, url_to) == SUCCESS) {
+ 				if (VCWD_STAT(url_from, &sb) == 0) {
++					success = 1;
+ #  ifndef TSRM_WIN32
+-					if (VCWD_CHMOD(url_to, sb.st_mode)) {
+-						if (errno == EPERM) {
+-							php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
+-							VCWD_UNLINK(url_from);
+-							return 1;
+-						}
++					/*
++					 * Try to set user and permission info on the target.
++					 * If we're not root, then some of these may fail.
++					 * We try chown first, to set proper group info, relying
++					 * on the system environment to have proper umask to not allow
++					 * access to the file in the meantime.
++					 */
++					if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
+ 						php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
+-						return 0;
++						if (errno != EPERM) {
++							success = 0;
++							}
+ 					}
+-					if (VCWD_CHOWN(url_to, sb.st_uid, sb.st_gid)) {
+-						if (errno == EPERM) {
++					if (success) {
++						if (VCWD_CHMOD(url_to, sb.st_mode)) {
+ 							php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
+-							VCWD_UNLINK(url_from);
+-							return 1;
++							if (errno != EPERM) {
++								success = 0;
++							}
+ 						}
+-						php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
+-						return 0;
+ 					}
+ #  endif
+-					VCWD_UNLINK(url_from);
+-					return 1;
++					if (success) {
++						VCWD_UNLINK(url_from);
++					}
++				} else {
++					php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
+ 				}
++			} else {
++				php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
+ 			}
+-			php_error_docref2(NULL, url_from, url_to, E_WARNING, "%s", strerror(errno));
+-			return 0;
++#  if !defined(ZTS) && !defined(TSRM_WIN32) && !defined(NETWARE)
++			umask(oldmask);
++#  endif
++			return success;
+ 		}
+ # endif
+ #endif
+-- 
+1.8.3.1
+

CVE-2019-9638-CVE-2019-9639.patch

@@ -0,0 +1,60 @@
+From 7168d3dc576344f7e55fac81d86304d2421ffe93 Mon Sep 17 00:00:00 2001
+From: gwx620998 <gulining1@huawei.com>
+Date: Sat, 23 Mar 2019 07:42:34 -0400
+Subject: [PATCH] CVE-2019-9638
+
+Signed-off-by: gwx620998 <gulining1@huawei.com>
+---
+ ext/exif/exif.c              |  5 +++--
+ ext/exif/tests/bug77563.phpt | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug77563.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 3a76d8f..d82b5ae 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3151,8 +3151,8 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ 			continue;
+ 		break;
+ 	}
+-	
+-	if (maker_note->offset >= value_len) {
++
++	if (value_len < 2 || maker_note->offset >= value_len - 1) {	
+ 		/* Do not go past the value end */
+ 		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
+ 		return FALSE;
+@@ -3207,6 +3207,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+ #endif
+ 		default:
+ 		case MN_OFFSET_NORMAL:
++			data_len = value_len;
+ 			break;
+ 	}
+ 
+diff --git a/ext/exif/tests/bug77563.phpt b/ext/exif/tests/bug77563.phpt
+new file mode 100644
+index 0000000..d1c5b9f
+--- /dev/null
++++ b/ext/exif/tests/bug77563.phpt
+@@ -0,0 +1,16 @@
+++--TEST--
+++Bug 77563 (Uninitialized read in exif_process_IFD_in_MAKERNOTE)
+++--SKIPIF--
+++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+++--FILE--
+++<?php
+++$s = exif_thumbnail(__DIR__."/bug77563.jpg");
+++?>
+++DONE
+++--EXPECTF--
+++Warning: exif_thumbnail(bug77563.jpg): Illegal IFD offset in %s/bug77563.php on line %d
+++
+++Warning: exif_thumbnail(bug77563.jpg): File structure corrupted in %s/bug77563.php on line %d
+++
+++Warning: exif_thumbnail(bug77563.jpg): Invalid JPEG file in %s/bug77563.php on line %d
+++DONE
+-- 
+1.8.3.1
+

CVE-2019-9640.patch

@@ -0,0 +1,74 @@
+From 30d2b94a2e88021b77b07149e1f4438662ca8e5e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 2 Mar 2019 13:38:00 -0800
+Subject: [PATCH] Fix bug #77540 - Invalid Read on exif_process_SOFn
+
+---
+ ext/exif/exif.c              |  10 ++++++++--
+ ext/exif/tests/bug77540.jpg  | Bin 0 -> 91 bytes
+ ext/exif/tests/bug77540.phpt |  16 ++++++++++++++++
+ 3 files changed, 24 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug77540.jpg
+ create mode 100644 ext/exif/tests/bug77540.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 4f2f660..8ed9c85 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3902,7 +3902,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+ 			return FALSE;
+ 		marker = c;
+ 		length = php_jpg_get16(data+pos);
+-		if (pos+length>=ImageInfo->Thumbnail.size) {
++		if (length > ImageInfo->Thumbnail.size || pos >= ImageInfo->Thumbnail.size - length) {
+ 			return FALSE;
+ 		}
+ #ifdef EXIF_DEBUG
+@@ -3923,6 +3923,10 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
+ 			case M_SOF14:
+ 			case M_SOF15:
+ 				/* handle SOFn block */
++				if (length < 8 || ImageInfo->Thumbnail.size - 8 < pos) {
++					/* exif_process_SOFn needs 8 bytes */
++					return FALSE;
++				}
+ 				exif_process_SOFn(data+pos, marker, &sof_info);
+ 				ImageInfo->Thumbnail.height   = sof_info.height;
+ 				ImageInfo->Thumbnail.width    = sof_info.width;
+@@ -4654,7 +4658,9 @@ PHP_FUNCTION(exif_thumbnail)
+ 	ZVAL_STRINGL(return_value, ImageInfo.Thumbnail.data, ImageInfo.Thumbnail.size);
+ 	if (arg_c >= 3) {
+ 		if (!ImageInfo.Thumbnail.width || !ImageInfo.Thumbnail.height) {
+-			exif_scan_thumbnail(&ImageInfo);
++			if (!exif_scan_thumbnail(&ImageInfo)) {
++				ImageInfo.Thumbnail.width = ImageInfo.Thumbnail.height = 0;
++			}
+ 		}
+ 		zval_dtor(z_width);
+ 		zval_dtor(z_height);
+-- 
+diff --git a/ext/exif/tests/bug77540.phpt b/ext/exif/tests/bug77540.phpt
+new file mode 100644
+index 0000000..8702e0c
+--- /dev/null
++++ b/ext/exif/tests/bug77540.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug 77540 (Invalid Read on exif_process_SOFn)
++--SKIPIF--
++<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
++--FILE--
++<?php
++$width = $height = 42;
++$s = exif_thumbnail(__DIR__."/bug77540.jpg", $width, $height);
++echo "Width ".$width."\n";
++echo "Height ".$height."\n";
++?>
++DONE
++--EXPECTF--
++Width 0
++Height 0
++DONE
+-- 
+2.1.4
+

php-CVE-2018-20783.patch

@@ -0,0 +1,146 @@
+From e7c8e6cde021afd637ea535b0641a1851e57fb2a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 12 Nov 2018 14:02:26 -0800
+Subject: [PATCH] Fix bug #77143 - add more checks to buffer reads
+
+---
+ NEWS                         |   4 ++++
+ ext/phar/phar.c              |  30 +++++++++++++++++++++---------
+ ext/phar/tests/bug73768.phpt |   2 +-
+ ext/phar/tests/bug77143.phar | Bin 0 -> 50 bytes
+ ext/phar/tests/bug77143.phpt |  18 ++++++++++++++++++
+ 5 files changed, 44 insertions(+), 10 deletions(-)
+ create mode 100644 ext/phar/tests/bug77143.phar
+ create mode 100644 ext/phar/tests/bug77143.phpt
+
+diff -Nur php-7.2.10/NEWS php-7.2.10_bak/NEWS
+--- php-7.2.10/NEWS	2018-09-11 15:06:00.000000000 +0800
++++ php-7.2.10_bak/NEWS	2019-04-04 17:41:54.869000000 +0800
+@@ -136,6 +136,10 @@
+   . Fixed bug #76477 (Opcache causes empty return value).
+     (Nikita, Laruence)
+ 
++- Phar:
++  . Fixed bug #77143 (Heap Buffer Overflow (READ: 4) in phar_parse_pharfile).
++    (Stas)
++
+ - PGSQL:
+   . Fixed bug #76548 (pg_fetch_result did not fetch the next row). (Anatol)
+
+diff -Nur php-7.2.10/ext/phar/phar.c php-7.2.10_bak/ext/phar/phar.c
+--- php-7.2.10/ext/phar/phar.c	2019-04-04 17:39:04.158000000 +0800
++++ php-7.2.10_bak/ext/phar/phar.c	2019-04-04 17:49:51.807000000 +0800
+@@ -643,6 +643,18 @@
+ /* }}}*/
+ 
+ /**
++ * Size of fixed fields in the manifest.
++ * See: http://php.net/manual/en/phar.fileformat.phar.php
++ */
++#define MANIFEST_FIXED_LEN 18
++
++#define SAFE_PHAR_GET_32(buffer, endbuffer, var) \
++   if (UNEXPECTED(buffer + 4 > endbuffer)) { \
++	   MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)"); \
++   } \
++   PHAR_GET_32(buffer, var);
++
++/**
+  * Does not check for a previously opened phar in the cache.
+  *
+  * Parse a new one and add it to the cache, returning either SUCCESS or
+@@ -725,7 +737,7 @@
+ 	savebuf = buffer;
+ 	endbuffer = buffer + manifest_len;
+ 
+-	if (manifest_len < 10 || manifest_len != php_stream_read(fp, buffer, manifest_len)) {
++    if (manifest_len < MANIFEST_FIXED_LEN || manifest_len != php_stream_read(fp, buffer, manifest_len)) {
+ 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")
+ 	}
+ 
+@@ -750,7 +762,7 @@
+ 		return FAILURE;
+ 	}
+ 
+-	PHAR_GET_32(buffer, manifest_flags);
++	SAFE_PHAR_GET_32(buffer, endbuffer, manifest_flags);
+ 
+ 	manifest_flags &= ~PHAR_HDR_COMPRESSION_MASK;
+ 	manifest_flags &= ~PHAR_FILE_COMPRESSION_MASK;
+@@ -970,13 +982,13 @@
+ 	}
+ 
+ 	/* extract alias */
+-	PHAR_GET_32(buffer, tmp_len);
++	SAFE_PHAR_GET_32(buffer, endbuffer, tmp_len);
+ 
+ 	if (buffer + tmp_len > endbuffer) {
+ 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (buffer overrun)");
+ 	}
+ 
+-	if (manifest_len < 10 + tmp_len) {
++	if (manifest_len < MANIFEST_FIXED_LEN + tmp_len) {
+ 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest header)")
+ 	}
+ 
+@@ -1014,7 +1026,7 @@
+ 	}
+ 
+ 	/* we have 5 32-bit items plus 1 byte at least */
+-	if (manifest_count > ((manifest_len - 10 - tmp_len) / (5 * 4 + 1))) {
++	if (manifest_count > ((manifest_len - MANIFEST_FIXED_LEN - tmp_len) / (5 * 4 + 1))) {
+ 		/* prevent serious memory issues */
+ 		MAPPHAR_FAIL("internal corruption of phar \"%s\" (too many manifest entries for size of manifest)")
+ 	}
+@@ -1023,12 +1035,12 @@
+ 	mydata->is_persistent = PHAR_G(persist);
+ 
+ 	/* check whether we have meta data, zero check works regardless of byte order */
+-	PHAR_GET_32(buffer, len);
++	SAFE_PHAR_GET_32(buffer, endbuffer, len);
+ 	if (mydata->is_persistent) {
+ 		mydata->metadata_len = len;
+-		if(!len) {
++		if (!len) {
+ 			/* FIXME: not sure why this is needed but removing it breaks tests */
+-			PHAR_GET_32(buffer, len);
++			SAFE_PHAR_GET_32(buffer, endbuffer, len);
+ 		}
+ 	}
+ 	if(len > (size_t)(endbuffer - buffer)) {
+diff -Nur php-7.2.10/ext/phar/tests/bug73768.phpt php-7.2.10_bak/ext/phar/tests/bug73768.phpt
+--- php-7.2.10/ext/phar/tests/bug73768.phpt	2018-09-11 15:06:03.000000000 +0800
++++ php-7.2.10_bak/ext/phar/tests/bug73768.phpt	2019-04-04 17:50:51.796000000 +0800
+@@ -13,4 +13,4 @@
+ }
+ ?>
+ --EXPECTF--
+-cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar"
++internal corruption of phar "%sbug73768.phar" (truncated manifest header)
+diff --git a/ext/phar/tests/bug77143.phpt b/ext/phar/tests/bug77143.phpt
+new file mode 100644
+index 0000000..f9f80fc
+--- /dev/null
++++ b/ext/phar/tests/bug77143.phpt
+@@ -0,0 +1,18 @@
++--TEST--
++PHP bug #77143: Heap Buffer Overflow (READ: 4) in phar_parse_pharfile
++--INI--
++phar.readonly=0
++--SKIPIF--
++<?php if (!extension_loaded("phar")) die("skip"); ?>
++--FILE--
++<?php
++chdir(__DIR__);
++try {
++var_dump(new Phar('bug77143.phar',0,'project.phar'));
++echo "OK\n";
++} catch(UnexpectedValueException $e) {
++	echo $e->getMessage();
++}
++?>
++--EXPECTF--
++internal corruption of phar "%sbug77143.phar" (truncated manifest header)
+-- 
+2.1.4
+

php-CVE-2019-9641.patch

@@ -0,0 +1,47 @@
+commit 25aa5f434dfb3337a6617b46224f1b505053d8e9
+Author: Stanislav Malyshev <stas@php.net>
+Date:   Fri Mar 1 23:25:45 2019 -0800
+
+    Fix integer overflows on 32-bits
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index cbde3effed..b4563927a5 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -3567,10 +3567,10 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 	tag_table_type tag_table = exif_get_tag_table(section_index);
+ 
+ 	if (ImageInfo->ifd_nesting_level > MAX_IFD_NESTING_LEVEL) {
+-                return FALSE;
+-        }
++		return FALSE;
++	}
+ 
+-	if (ImageInfo->FileSize >= dir_offset+2) {
++	if (ImageInfo->FileSize >= 2 && ImageInfo->FileSize - 2 >= dir_offset) {
+ 		sn = exif_file_sections_add(ImageInfo, M_PSEUDO, 2, NULL);
+ #ifdef EXIF_DEBUG
+ 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, 2);
+@@ -3578,8 +3578,8 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 		php_stream_seek(ImageInfo->infile, dir_offset, SEEK_SET); /* we do not know the order of sections */
+ 		php_stream_read(ImageInfo->infile, (char*)ImageInfo->file.list[sn].data, 2);
+ 		num_entries = php_ifd_get16u(ImageInfo->file.list[sn].data, ImageInfo->motorola_intel);
+-		dir_size = 2/*num dir entries*/ +12/*length of entry*/*num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/;
+-		if (ImageInfo->FileSize >= dir_offset+dir_size) {
++		dir_size = 2/*num dir entries*/ +12/*length of entry*/*(size_t)num_entries +4/* offset to next ifd (points to thumbnail or NULL)*/;
++		if (ImageInfo->FileSize >= dir_size && ImageInfo->FileSize - dir_size >= dir_offset) {
+ #ifdef EXIF_DEBUG
+ 			exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Read from TIFF: filesize(x%04X), IFD dir(x%04X + x%04X), IFD entries(%d)", ImageInfo->FileSize, dir_offset+2, dir_size-2, num_entries);
+ #endif
+@@ -3662,9 +3662,9 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse
+ 					}
+ 				}
+ 			}
+-			if (ImageInfo->FileSize >= dir_offset + ImageInfo->file.list[sn].size) {
++			if (ImageInfo->FileSize >= ImageInfo->file.list[sn].size && ImageInfo->FileSize - ImageInfo->file.list[sn].size >= dir_offset) {
+ 				if (ifd_size > dir_size) {
+-					if (dir_offset + ifd_size > ImageInfo->FileSize) {
++					if (ImageInfo->FileSize < ifd_size || dir_offset > ImageInfo->FileSize - ifd_size) {
+ 						exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Error in TIFF: filesize(x%04X) less than size of IFD(x%04X + x%04X)", ImageInfo->FileSize, dir_offset, ifd_size);
+ 						return FALSE;
+ 					}

php.spec

@@ -28,7 +28,7 @@
 
 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       1
+Release:       2
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@@ -65,6 +65,27 @@ Patch0014:     https://github.com/php/php-src/commit/be50a72715c141befe6f34ece66
 Patch0015:     https://github.com/php/php-src/commit/c1729272b17a1fe893d1a54e423d3b71470f3ee8.patch
 Patch0016:     php-5.6.3-datetests.patch
 
+Patch6000:     CVE-2019-9021.patch
+Patch6001:     CVE-2019-9022.patch
+Patch6002:     CVE-2019-9023.patch
+Patch6003:     CVE-2019-9024.patch
+Patch6004:     CVE-2019-9637.patch
+Patch6005:     CVE-2019-9638-CVE-2019-9639.patch
+Patch6006:     CVE-2019-9640.patch
+Patch6007:     php-CVE-2018-20783.patch
+Patch6008:     php-CVE-2019-9641.patch
+Patch6009:     CVE-2019-11034.patch
+Patch6010:     CVE-2019-11035.patch
+Patch6011:     CVE-2019-11036.patch
+Patch6012:     CVE-2019-11041.patch
+Patch6013:     CVE-2019-11042.patch
+Patch6014:     CVE-2019-11043.patch
+Patch6015:     CVE-2018-19935.patch
+Patch6016:     CVE-2019-11045.patch
+Patch6017:     CVE-2019-11046.patch
+Patch6018:     CVE-2019-11050.patch
+Patch6019:     CVE-2019-11047.patch
+
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
 BuildRequires: pcre-devel >= 6.6, bzip2, perl-interpreter, autoconf, automake, gcc, gcc-c++, libtool, libtool-ltdl-devel
@@ -1120,5 +1141,8 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Thu Mar 12 2020 openEuler Buildteam <buildteam@openeuler.org> - 7.2.10-2
+- Add CVE patches
+
 * Fri Feb 14 2020 openEuler Buildteam <buildteam@openeuler.org> - 7.2.10-1
 - Package init