Branch: PHP-5.6-securi…
Commits on Aug 30, 2019
  1. Prevent test case failure

    cmb69 committed May 21, 2019
    If opcache.log_verbosity_level is greater than 1, opcache will raise
    warnings, which will be written to stderr in the default case.  These
    warnings are actually to be expected, but would break the test, so we
    make sure that the log_verbosity_level is 1 when running this test.
    
    (cherry picked from php/php-src@e6a191d)
  2. Fix erroneous test expectation

    cmb69 committed Aug 30, 2019
Commits on Aug 28, 2019
  1. Fix #75457: heap-use-after-free in php7.0.25

    cmb69 authored and remicollet committed Aug 16, 2019
    Backport <https://vcs.pcre.org/pcre?view=revision&revision=1638>.
    
    (cherry picked from commit 7bf1f9d561826c4a3ed748e55bb756375cdf28b9)
Commits on Jul 30, 2019
  1. Fix #77919: Potential UAF in Phar RSHUTDOWN

    cmb69 authored and remicollet committed Jul 29, 2019
    We have to properly clean up in case phar_flush() is failing.
    
    We also make the expectation of the respective test case less liberal
    to avoid missing such bugs in the future.
    
    (cherry picked from commit cd1101e8c87aa175c2d5e87ddec656e50ef4ab5d)
Commits on Jul 9, 2019
  1. Upgrade to SQLite 3.28.0

    cmb69 committed Jun 21, 2019
    Over the years, multiple security vulnerabilities[1] have been found
    and fixed in SQLite3, so it makes sense to update our bundled libsqlite
    to the latest available version.
    
    [1] <https://www.cvedetails.com/vulnerability-list/vendor_id-9237/Sqlite.html>
    
    (cherry picked from commit e944ae6b2a0533cb6098af8c2beb8d0f2c84ec6d)
Commits on May 28, 2019
  1. Fix #77973: Uninitialized read in gdImageCreateFromXbm

    cmb69 authored and remicollet committed May 6, 2019
    We have to ensure that `sscanf()` does indeed read a hex value here,
    and bail out otherwise.
    
    (cherry picked from commit ed6dee9a198c904ad5e03113e58a2d2c200f5184)
Commits on Apr 30, 2019
  1. Fix potential "expanded command line too long" build errors

    cmb69 committed Apr 30, 2019
    Instead of passing the long argument list to cl.exe, we pass it as
    inline file to link.exe.
Commits on Apr 12, 2019
  1. Fix tests wrt. internationalization

    cmb69 committed Apr 12, 2019
    (cherry picked from commit php/php-src@d07a6fd)
Commits on Apr 4, 2019
  1. Fix typos

    cmb69 committed Apr 4, 2019
Commits on Apr 2, 2019
  1. Pointer arithmetic on void pointers is illegal

    cmb69 authored and remicollet committed Apr 2, 2019
    We quick-fix this by casting to char*; it might be more appropriate to
    use char pointers in the first place.
    
    (cherry picked from commit 01a4de5c5821f67daeff487ef9b3047ce7b47c4c)
Commits on Mar 6, 2019
  1. Fix #77431: SplFileInfo::__construct() accepts NUL bytes

    cmb69 authored and weltling committed Jan 9, 2019
    `SplFileInfo::__construct()` has to expect a path instead of a string,
    analogous to `SplFileObject::__construct()`.
    
    (cherry picked from commit 254a5914ad7f9dbdc4f6090229f6b0f4317a695e)
Commits on Jan 6, 2019
  1. Fix #77270: imagecolormatch Out Of Bounds Write on Heap

    cmb69 authored and smalyshev committed Dec 30, 2018
    At least some of the image reading functions may return images which
    use color indexes greater than or equal to im->colorsTotal.  We cater
    to this by always using a buffer size which is sufficient for
    `gdMaxColors` in `gdImageColorMatch()`.
  2. Fix #77269: Potential unsigned underflow in gdImageScale

    cmb69 authored and smalyshev committed Dec 12, 2018
    Belatedly, we're porting the respective upstream patch[1].
    
    [1] <libgd/libgd@60bfb40>
Commits on Apr 23, 2018
  1. Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value

    cmb69 authored and smalyshev committed Mar 27, 2018
    The MakerNote is not necessarily null-terminated, so we must not use
    `strlen()` to avoid OOB reads.  Instead `php_strnlen()` is the proper
    way to handle this.
Commits on Jan 2, 2018
  1. Fixed bug #75571: Potential infinite loop in gdImageCreateFromGifCtx

    cmb69 authored and smalyshev committed Nov 29, 2017
    Due to a signedness confusion in `GetCode_` a corrupt GIF file can
    trigger an infinite loop.  Furthermore we make sure that a GIF without
    any palette entries is treated as invalid *after* open palette entries
    have been removed.
Commits on Jul 5, 2017
  1. Fix #74435: Buffer over-read into uninitialized memory

    cmb69 authored and smalyshev committed Jun 20, 2017
    The stack allocated color map buffers were not zeroed before usage, and
    so undefined palette indexes could cause information leakage.
Commits on Jan 17, 2017
  1. Fix #73869: Signed Integer Overflow gd_io.c

    cmb69 authored and weltling committed Dec 17, 2016
    GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
    byte unsigned). These values are multiplied and assigned to an int when
    reading the image, which can cause integer overflows. We have to avoid
    that, and also make sure that either chunk count is actually greater
    than zero. If illegal chunk counts are detected, we bail out from
    reading the image.
    
    (cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)
  2. Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()

    cmb69 authored and weltling committed Aug 16, 2016
    We must not pretend that there are image data if there are none. Instead
    we fail reading the image file gracefully.
    
    (cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)
Commits on Dec 29, 2016
  1. Revert "Fix #73530: Unsetting result set may reset other result set"

    cmb69 committed Dec 29, 2016
    This reverts commit eb57029.
    
    That commit caused a regression, so it's probably best to revert it, and
    to tackle the issue for the next minor release.
Commits on Nov 27, 2016
  1. Fix #73549: Use after free when stream is passed to imagepng

    cmb69 authored and smalyshev committed Nov 17, 2016
    If a stream is passed to imagepng() or other image output functions,
    as opposed to a filename, we must not close this stream.
Commits on Nov 25, 2016
  1. Fix #73582: Failing ext/gd/tests/imagettftext_charmap_order.phpt

    cmb69 committed Nov 25, 2016
    This test is not supposed to work with JIS-mapped Japanese font support
    enabled.
Commits on Nov 16, 2016
  1. Fix #73530: Unsetting result set may reset other result set

    cmb69 committed Nov 16, 2016
    Calling sqlite3_reset() when a result set object is freed can cause
    undesired and maybe even hard to track interference with other result
    sets. Furthermore, there is no need to call sqlite3_reset(), because
    that is implicitly called on SQLite3Stmt::execute(), and users are
    encouraged to explicitly call either SQLite3Result::finalize() or
    SQLite3Stmt::reset() anyway.
Commits on Nov 1, 2016
  1. Fix #73436: Setting allow_url_fopen to Off makes several tests fail

    cmb69 committed Nov 1, 2016
    We make sure that these tests run with allow_url_fopen=1.
Commits on Oct 30, 2016
  1. Fix #72696: imagefilltoborder stackoverflow on truecolor images

    cmb69 authored and smalyshev committed Oct 25, 2016
    We must not allow negative color values to be passed to
    gdImageFillToBorder(), because that can lead to infinite recursion
    since the recursion termination condition will not necessarily be met.
  2. Fix #72482: Illegal write/read access caused by gdImageAALine overflow

    cmb69 authored and smalyshev committed Oct 25, 2016
    Instead of rolling our own bounds check we use clip_1d() as it's done
    in gdImageLine() and in external libgd. We must not pass the image
    width and height, respectively, but rather the largest ordinate value
    that is allowed to be accessed, i.e. width-1 and height-1,
    respectively.
Commits on Oct 25, 2016
  1. Fix #72494: imagecropauto out-of-bounds access

    cmb69 committed Oct 25, 2016
    This issue has actually already been fixed with commit 46f2c690. We're
    adding a regression test and a NEWS entry, and also port the fix in
    gdImageCropThreshold() from libgd:
      * <libgd/libgd@b347e03>
      * <libgd/libgd@46f2c69>
Commits on Oct 17, 2016
  1. Fix #73333: 2147483647 is fetched as string

    cmb69 committed Oct 17, 2016
    We return all integers that can be represented as such by PHP as
    integers, and only those that exceed the possible range as strings.
    On builds which represent integers with 64 bits, the range check is
    unnecessary and might cause code checkers to complain, so we skip this
    special casing via the preprocessor according to
    <http://git.php.net/?p=php-src.git;a=commit;h=99d087e5>.
Commits on Oct 13, 2016
  1. Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf

    cmb69 committed Oct 13, 2016
    We make sure to never pass a negative `rlen` as size to memcpy().
    
    Cf. <libgd/libgd@5311087>.
Commits on Oct 10, 2016
  1. Fix #73279: Integer overflow in gdImageScaleBilinearPalette()

    cmb69 committed Oct 10, 2016
    The color components are supposed to be in range 0..255, so we must not
    cast them to `signed char`, which can be the default for `char`.
    
    Port of <libgd/libgd@77c8d35>.
Commits on Oct 9, 2016
  1. Fix #73272: imagescale() affects imagesetinterpolation()

    cmb69 committed Oct 9, 2016
    We must not permanently change the interpolation method, but rather
    have to restore the old method after we're done with scaling the image.
Commits on Sep 30, 2016
  1. Fix #73203: passing additional_parameters causes mail to fail

    cmb69 committed Sep 30, 2016
    We make sure that there's no unsigned underflow, which happened for `y==0`.
Commits on Sep 26, 2016
  1. Fix #53745: cgi.discard_path option is missing from php.ini

    cmb69 committed Sep 26, 2016
    Also cgi.check_shebang_line has been missing.
Commits on Sep 25, 2016
  1. Fix test_image_equals_file() wrt. palette images

    cmb69 committed Sep 25, 2016
    The recently introduced test_image_equals_file() doesn't properly work for
    palette images, because in this case only the palette indexes are compared,
    which can lead to false positives and negatives as shown in the added test.
    
    To fix that we convert palette images to truecolor, which is supposed to be
    faster than calling imagecolorsforindex() for each pixel.
    
    We furthermore rely on PHP's refcounting to free unused images; after all,
    this is not C.