19838509 upgrade php to version 5.3.29
authorCraig Mohrman <craig.mohrman@oracle.com>
Tue, 03 Feb 2015 15:20:15 -0800
changeset 3727 425608dcd0e3
parent 3726 1c80a90dd005
child 3728 7b7ba595a151
19838509 upgrade php to version 5.3.29 18857741 problem in UTILITY/PHP 18890894 problem in UTILITY/PHP 18890895 problem in UTILITY/PHP 19003253 problem in UTILITY/PHP 19167518 problem in UTILITY/PHP 19519142 problem in UTILITY/PHP 19556437 problem in UTILITY/PHP 19707971 problem in UTILITY/PHP 19796954 problem in UTILITY/PHP
components/php-5_2/common.mk
components/php-5_2/php-sapi/Makefile
components/php-5_2/php-sapi/patches/41_php_zlib.patch
components/php-5_2/php-sapi/patches/50_php_zlib.patch
components/php-5_2/php-sapi/patches/60_php_18857741.patch
components/php-5_2/php-sapi/patches/61_php_19003253.patch
components/php-5_2/php-sapi/patches/62_php_19167518.patch
components/php-5_2/php-sapi/patches/63_php_19796954.patch
components/php-5_2/php-sapi/patches/64_php_19556437.patch
components/php-5_2/php-sapi/patches/65_php_19556437.patch
components/php-5_3/Makefile
components/php-5_3/common.mk
components/php-5_3/php-cgi/Makefile
components/php-5_3/php-nsapi/Makefile
components/php-5_3/php-pear.p5m
components/php-5_3/php-sapi/Makefile
components/php-5_3/php-sapi/patches/150_php_18083695.patch
components/php-5_3/php-sapi/patches/172_php_zlib.patch
components/php-5_3/php-sapi/patches/180_php_zlib.patch
components/php-5_3/php-sapi/patches/190_php_18857741.patch
components/php-5_3/php-sapi/patches/200_php_19796954.patch
components/php-5_3/php-sapi/patches/210_php_19556437.patch
components/php-5_3/php-sapi/patches/211_php_19556437.patch
components/php-5_3/php-sapi/patches/212_php_19556437.patch
components/php-5_3/php-sapi/patches/213_php_19556437.patch
components/php-5_3/php-sapi/patches/214_php_19556437.patch
--- a/components/php-5_2/common.mk	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_2/common.mk	Tue Feb 03 15:20:15 2015 -0800
@@ -161,7 +161,7 @@
 CONF_ENVLINE += \
 	LIBS="$(LIBS)" \
 	EXTENSION_DIR=$(MODULES_DIR) \
-	PHP_PEAR_CACHE_DIR=/var/tmp/pear/cache \
+	PHP_PEAR_CACHE_DIR=/var/cache/php-pear \
 	PHP_PEAR_DOWNLOAD_DIR=/var/tmp/pear/cache \
 	PHP_PEAR_EXTENSION_DIR=/var/php/$(PHP_REL)/modules \
 	PHP_PEAR_INSTALL_DIR=/var/php/$(PHP_REL)/pear \
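Review bot: PHP_PEAR_DOWNLOAD_DIR still points at a fixed path under a world-writable directory: this hunk leaves it at `/var/tmp/pear/cache`, and the matching php-5_3/common.mk hunk moves it to `/tmp/pear/download`. A fixed, predictable name under /tmp or /var/tmp can be pre-created or symlinked by any local user before `pear` runs, so downloads made by a privileged user could land in a location another account controls. Moving the download directory beside the new cache directory, for example `PHP_PEAR_DOWNLOAD_DIR=/var/cache/php-pear/download \`, with the directory delivered by the package manifest, would avoid that. The 5.2 and 5.3 values should also agree, or the difference should be explained in a comment.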
--- a/components/php-5_2/php-sapi/Makefile	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_2/php-sapi/Makefile	Tue Feb 03 15:20:15 2015 -0800
@@ -120,12 +120,12 @@
 	$(CP) $(COMPONENT_DIR)/../Solaris/php$(PHP_REL).conf \
 		$(PROTO_DIR)/$(APACHE2_PHP)/php$(PHP_REL).conf; \
 	$(CHMOD) 644 $(PROTO_DIR)/$(APACHE2_PHP)/php$(PHP_REL).conf; \
-	$(SYMLINK) php$(PHP_REL).conf \
-		$(PROTO_DIR)/$(APACHE2_PHP)/php.conf; \
+	cd $(PROTO_DIR)/$(APACHE2_PHP); \
+	$(SYMLINK) php$(PHP_REL).conf php.conf; \
 	$(CP) $(PROTO_DIR)/$(APACHE2_EXTDIR)/libphp5.so \
 		$(PROTO_DIR)/$(APACHE2_EXTDIR)/mod_php$(PHP_REL).so; \
-	$(SYMLINK) $(PROTO_DIR)/$(APACHE2_EXTDIR)/mod_php$(PHP_REL).so \
-		$(PROTO_DIR)/$(APACHE2_EXTDIR)/mod_php5.so; \
+	cd $(PROTO_DIR)/$(APACHE2_EXTDIR); \
+	$(SYMLINK) mod_php$(PHP_REL).so mod_php5.so; \
 	)
 
 # Ship a default php.ini to simplify ease of use.
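Review bot: Both new `cd` lines are chained with `;`, so if the directory is missing the following `$(SYMLINK)` still runs and creates the link in whatever directory the shell was in. Chaining with `&&` makes the recipe fail instead: `cd $(PROTO_DIR)/$(APACHE2_PHP) && $(SYMLINK) php$(PHP_REL).conf php.conf; \` and `cd $(PROTO_DIR)/$(APACHE2_EXTDIR) && $(SYMLINK) mod_php$(PHP_REL).so mod_php5.so; \`. The later commands in the same parenthesised group now depend on `$(PROTO_DIR)` being an absolute path, which deserves a short comment. The recipe starts above this hunk, so the target and the opening of the group are not visible here.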
--- a/components/php-5_2/php-sapi/patches/41_php_zlib.patch	Tue Feb 03 13:51:23 2015 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,55 +0,0 @@
-Patch origin: upstream
-Patch status: Part 1: unclear; patch attached to bug
-Patch status: Part 2: more generic fix already in php 5.3
-
-https://bugs.php.net/bug.php?id=53829
-http://git.php.net/?p=php-src.git;a=commitdiff;h=a8948d08083bf59d437ac21abe5929f5668f41d7
-
---- php-5.2.17/ext/zlib/zlib.c
-+++ php-5.2.17/ext/zlib/zlib.c
-@@ -58,6 +58,18 @@
- # endif
- #endif
- 
-+/*
-+ * zlib include files can define the following preprocessor defines which rename
-+ * the corresponding PHP functions to gzopen64, gzseek64 and gztell64 and thereby
-+ * breaking some software, most notably PEAR's Archive_Tar, which halts execution
-+ * without error message on gzip compressed archivesa.
-+ *
-+ * This only seems to happen on 32bit systems with large file support.
-+ */
-+#undef gzopen
-+#undef gzseek
-+#undef gztell
-+
- #if defined(HAVE_UNISTD_H) && defined(PHP_WIN32)
- # undef HAVE_UNISTD_H
- #endif
---- php-5.2.17/ext/zlib/tests/gzgetc_basic.phpt
-+++ php-5.2.17/ext/zlib/tests/gzgetc_basic.phpt
-@@ -14,16 +14,17 @@
- 
- $f = dirname(__FILE__)."/004.txt.gz";
- $h = gzopen($f, 'r');
-+if ($h) {
-+	$count = 0;
-+	while (($c = fgetc( $h )) !== false) {
-+	   $count++;
-+	   echo $c;
-+	}
- 
--$count = 0;
--while (gzeof($h) === false) {
--   $count++;
--   echo fgetc( $h );
-+	echo "\ncharacters counted=$count\n";
-+	gzclose($h);
- }
- 
--echo "\ncharacters counted=$count\n";
--gzclose($h);
--
- ?>
- ===DONE===
- --EXPECT--
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/50_php_zlib.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,55 @@
+Patch origin: upstream
+Patch status: Part 1: unclear; patch attached to bug
+Patch status: Part 2: more generic fix already in php 5.3
+
+https://bugs.php.net/bug.php?id=53829
+http://git.php.net/?p=php-src.git;a=commitdiff;h=a8948d08083bf59d437ac21abe5929f5668f41d7
+
+--- php-5.2.17/ext/zlib/zlib.c
++++ php-5.2.17/ext/zlib/zlib.c
+@@ -58,6 +58,18 @@
+ # endif
+ #endif
+ 
++/*
++ * zlib include files can define the following preprocessor defines which rename
++ * the corresponding PHP functions to gzopen64, gzseek64 and gztell64 and thereby
++ * breaking some software, most notably PEAR's Archive_Tar, which halts execution
++ * without error message on gzip compressed archivesa.
++ *
++ * This only seems to happen on 32bit systems with large file support.
++ */
++#undef gzopen
++#undef gzseek
++#undef gztell
++
+ #if defined(HAVE_UNISTD_H) && defined(PHP_WIN32)
+ # undef HAVE_UNISTD_H
+ #endif
+--- php-5.2.17/ext/zlib/tests/gzgetc_basic.phpt
++++ php-5.2.17/ext/zlib/tests/gzgetc_basic.phpt
+@@ -14,16 +14,17 @@
+ 
+ $f = dirname(__FILE__)."/004.txt.gz";
+ $h = gzopen($f, 'r');
++if ($h) {
++	$count = 0;
++	while (($c = fgetc( $h )) !== false) {
++	   $count++;
++	   echo $c;
++	}
+ 
+-$count = 0;
+-while (gzeof($h) === false) {
+-   $count++;
+-   echo fgetc( $h );
++	echo "\ncharacters counted=$count\n";
++	gzclose($h);
+ }
+ 
+-echo "\ncharacters counted=$count\n";
+-gzclose($h);
+-
+ ?>
+ ===DONE===
+ --EXPECT--
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/60_php_18857741.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,32 @@
+Fix for CVE-2014-2497
+Patch:
+http://git.php.net/?p=php-src.git;a=patch;h=cf4753691dc55999373d1c576f62ecb298723420
+Code:
+http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
+Verified by hand that it patches the correct code
+but needed one slight tweak needing return instead of goto.
+
+
+diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c
+index 73f86e5..b69414e 100644
+--- a/ext/gd/libgd/gdxpm.c
++++ b/ext/gd/libgd/gdxpm.c
+@@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename)
+ 	if (ret != XpmSuccess) {
+ 		return 0;
+ 	}
++	number = image.ncolors;
++	for(i = 0; i < number; i++) {
++		if (!image.colorTable[i].c_color) {
++			return 0;
++		}
++	}
+ 
+ 	if (!(im = gdImageCreate(image.width, image.height))) {
+ 		return 0;
+ 	}
+ 
+-	number = image.ncolors;
+ 	colors = (int *) safe_emalloc(number, sizeof(int), 0);
+ 	for (i = 0; i < number; i++) {
+ 		switch (strlen (image.colorTable[i].c_color)) {
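Review bot: The added NULL-colour check returns 0 after the XPM read has already succeeded (`ret == XpmSuccess`), so it leaves the function without releasing `image`. The 5.3 copy of this fix (190_php_18857741.patch) uses `goto done` at the same spot, while the header here says the 5.2 port had to use `return`. If the 5.2 function frees the XPM data only at its end, which is outside the hunk, then each malformed file leaks that allocation. Releasing it before returning would close the gap, e.g. `XpmFreeXpmImage(&image); return 0;`. The existing `return 0` after a failed `gdImageCreate` appears to have the same property.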
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/61_php_19003253.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,21 @@
+Fix for CVE-2014-4049
+Community bug:
+https://bugs.php.net/bug.php?id=67432
+Patch based on:
+https://github.com/php/php-src/commit/b34d7849ed90ced9345f8ea1c59bc8d101c18468
+Slightly modified from the above source as the context is slightly different.
+
+
+--- php-5.2.17/ext/standard/dns.c_orig	2010-01-03 01:23:27.000000000 -0800
++++ php-5.2.17/ext/standard/dns.c	2014-10-17 11:12:46.117985578 -0700
+@@ -484,6 +484,10 @@
+ 				
+ 				while (ll < dlen) {
+ 					n = cp[ll];
++					if ((ll + n) >= dlen) {
++						    // Invalid chunk length, truncate
++							n = dlen - (ll + 1);
++				    }
+ 					memcpy(tp + ll , cp + ll + 1, n);
+ 					ll = ll + n + 1;
+ 				}
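Review bot: The added clamp limits `n` only against `dlen`, and nothing in this hunk compares `dlen`, which is read from the DNS response, with the end of the answer buffer. That bound is added by 64_php_19556437.patch in this changeset (`CHECKCP(dlen)`), which also rewrites these same lines, so the two patches are order-dependent and this one is not a complete fix without it. The patch header should say so, for example `Must be applied before 64_php_19556437.patch, which adds the dlen bound and rewrites this loop.` The `//` comment is also the only C++-style comment in the surrounding C code; `/* Invalid chunk length, truncate */` would match it.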
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/62_php_19167518.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,54 @@
+Fix for CVE-2014-4721
+Bug:
+https://bugs.php.net/bug.php?id=67498
+Patch:
+https://bugs.php.net/patch-display.php?bug=67498&patch=bug67948-patch&revision=1403508072
+Slightly modified to correct for diff context.
+
+
+diff --git a/ext/standard/info.c b/ext/standard/info.c
+index 70b2e2f..0f15bbe 100644
+--- a/ext/standard/info.c
++++ b/ext/standard/info.c
+@@ -875,16 +875,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
+ 
+ 		php_info_print_table_start();
+ 		php_info_print_table_header(2, "Variable", "Value");
+-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
+ 		}
+-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
++		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
+ 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
+ 		}
+		php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);
+diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
+new file mode 100644
+index 0000000..5b5951b
+--- /dev/null
++++ b/ext/standard/tests/general_functions/bug67498.phpt
+@@ -0,0 +1,15 @@
++--TEST--
++phpinfo() Type Confusion Information Leak Vulnerability
++--FILE--
++<?php
++$PHP_SELF = 1;
++phpinfo(INFO_VARIABLES);
++
++?>
++==DONE==
++--EXPECTF--
++phpinfo()
++
++PHP Variables
++%A
++==DONE==
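Review bot: The last context line of the embedded info.c hunk, `php_print_gpcse_array("_REQUEST", sizeof("_REQUEST")-1 TSRMLS_CC);`, has no leading space after the outer `+`, unlike every other context line in the file. The header says the patch was hand-edited for context, so this looks like whitespace damage from that edit, though it may also be an artifact of how the page was rendered. GNU patch may accept a tab-led line as context, but stricter appliers can reject the hunk as corrupt. Restoring the single leading space on that line keeps the patch well-formed.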
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/63_php_19796954.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,29 @@
+Fix for CVE-2014-8088
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Code:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Verified by hand that it patches the correct code.
+
+
+diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
+index 10daa82..da5aa5f 100644
+--- a/ext/ldap/ldap.c
++++ b/ext/ldap/ldap.c
+@@ -399,6 +399,16 @@ PHP_FUNCTION(ldap_bind)
+ 		RETURN_FALSE;
+ 	}
+ 
++	if (ldap_bind_dn != NULL && memchr(ldap_bind_dn, '\0', ldap_bind_dnlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "DN contains a null byte");
++		RETURN_FALSE;
++	}
++
++	if (ldap_bind_pw != NULL && memchr(ldap_bind_pw, '\0', ldap_bind_pwlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Password contains a null byte");
++		RETURN_FALSE;
++	}
++
+ 	ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, &link, -1, "ldap link", le_link);
+ 
+ 	if ((rc = ldap_bind_s(ld->link, ldap_bind_dn, ldap_bind_pw, LDAP_AUTH_SIMPLE)) != LDAP_SUCCESS) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/64_php_19556437.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,255 @@
+Fix for CVE-2014-3597
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=2fefae47716d501aec41c1102f3fd4531f070b05
+This patch was created by hand from the above community diff.
+
+
+--- php-5.2.17/ext/standard/dns.c_orig	2014-10-29 09:08:05.187565521 -0700
++++ php-5.2.17/ext/standard/dns.c	2014-11-04 10:54:59.065340474 -0800
+@@ -396,8 +396,14 @@
+ #define php_dns_free_res(__res__)
+ #endif
+ 
++#define CHECKCP(n) do { \
++	if (cp + n > end) { \
++		return NULL; \
++	} \
++} while (0)
++
+ /* {{{ php_parserr */
+-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
+ {
+ 	u_short type, class, dlen;
+ 	u_long ttl;
+@@ -409,16 +415,18 @@
+ 
+ 	*subarray = NULL;
+ 
+-	n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
++	n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
+ 	if (n < 0) {
+ 		return NULL;
+ 	}
+ 	cp += n;
+ 	
++	CHECKCP(10);
+ 	GETSHORT(type, cp);
+ 	GETSHORT(class, cp);
+ 	GETLONG(ttl, cp);
+ 	GETSHORT(dlen, cp);
++	CHECKCP(dlen);
+ 	if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ 		cp += dlen;
+ 		return cp;
+@@ -435,12 +443,14 @@
+ 	add_assoc_string(*subarray, "host", name, 1);
+ 	switch (type) {
+ 		case DNS_T_A:
++			CHECKCP(4);
+ 			add_assoc_string(*subarray, "type", "A", 1);
+ 			snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
+ 			add_assoc_string(*subarray, "ip", name, 1);
+ 			cp += dlen;
+ 			break;
+ 		case DNS_T_MX:
++			CHECKCP(2);
+ 			add_assoc_string(*subarray, "type", "MX", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
+@@ -456,7 +466,7 @@
+ 		case DNS_T_PTR:
+ 			if (type == DNS_T_PTR)
+ 				add_assoc_string(*subarray, "type", "PTR", 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+@@ -466,51 +476,59 @@
+ 		case DNS_T_HINFO:
+ 			/* See RFC 1010 for values */
+ 			add_assoc_string(*subarray, "type", "HINFO", 1);
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "cpu", cp, n, 1);
+ 			cp += n;
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "os", cp, n, 1);
+ 			cp += n;
+ 			break;
+ 		case DNS_T_TXT: 
+ 			{
+-				int ll = 0;
++				int l1 = 0, l2 = 0;
+ 
+ 				add_assoc_string(*subarray, "type", "TXT", 1);
+ 				tp = emalloc(dlen + 1);
+ 				
+-				while (ll < dlen) {
+-					n = cp[ll];
+-					if ((ll + n) >= dlen) {
++				while (l1 < dlen) {
++					n = cp[l1];
++					if ((l1 + n) >= dlen) {
+ 						    // Invalid chunk length, truncate
+-							n = dlen - (ll + 1);
++							n = dlen - (l1 + 1);
+ 				    }
+-					memcpy(tp + ll , cp + ll + 1, n);
+-					ll = ll + n + 1;
++					if (n) {
++						memcpy(tp + l2 , cp + l1 + 1, n);
++					}
++					l1 = l1 + n + 1;
++					l2 = l2 + n;
+ 				}
+-				tp[dlen] = '\0';
++				tp[l2] = '\0';
+ 				cp += dlen;
+ 
+-				add_assoc_stringl(*subarray, "txt", tp, dlen - 1, 0);
++				add_assoc_stringl(*subarray, "txt", tp, l2, 0);
+ 			}
+ 			break;
+ 		case DNS_T_SOA:
+ 			add_assoc_string(*subarray, "type", "SOA", 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "mname", name, 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "rname", name, 1);
++			CHECKCP(5*4);
+ 			GETLONG(n, cp);
+ 			add_assoc_long(*subarray, "serial", n);
+ 			GETLONG(n, cp);
+@@ -524,6 +542,7 @@
+ 			break;
+ 		case DNS_T_AAAA:
+ 			tp = name;
++			CHECKCP(8*2);
+ 			for(i=0; i < 8; i++) {
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
+@@ -558,6 +577,7 @@
+ 		case DNS_T_A6:
+ 			p = cp;
+ 			add_assoc_string(*subarray, "type", "A6", 1);
++			CHECKCP(1);
+ 			n = ((int)cp[0]) & 0xFF;
+ 			cp++;
+ 			add_assoc_long(*subarray, "masklen", n);
+@@ -593,6 +613,7 @@
+ 				cp++;
+ 			}
+ 			for(i = (n+8)/16; i < 8; i++) {
++				CHECKCP(2);
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
+ 					if (tp > (u_char *)name) {
+@@ -622,7 +643,7 @@
+ 			tp[0] = '\0';
+ 			add_assoc_string(*subarray, "ipv6", name, 1);
+ 			if (cp < p + dlen) {
+-				n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++				n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 				if (n < 0) {
+ 					return NULL;
+ 				}
+@@ -631,6 +652,7 @@
+ 			}
+ 			break;
+ 		case DNS_T_SRV:
++			CHECKCP(3*2);
+ 			add_assoc_string(*subarray, "type", "SRV", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
+@@ -638,7 +660,7 @@
+ 			add_assoc_long(*subarray, "weight", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "port", n);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+@@ -646,21 +668,34 @@
+ 			add_assoc_string(*subarray, "target", name, 1);
+ 			break;
+ 		case DNS_T_NAPTR:
++			CHECKCP(2*2);
+ 			add_assoc_string(*subarray, "type", "NAPTR", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "order", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pref", n);
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "flags", ++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "flags", cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "services", ++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "services", cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "regex", ++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "regex", cp, n, 1);
+ 			cp += n;
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+@@ -833,7 +868,7 @@
+ 			while (an-- && cp && cp < end) {
+ 				zval *retval;
+ 
+-				cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
++				cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
+ 				if (retval != NULL && store_results) {
+ 					add_next_index_zval(return_value, retval);
+ 				}
+@@ -848,7 +883,7 @@
+ 		while (ns-- > 0 && cp && cp < end) {
+ 			zval *retval;
+ 
+-			cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
++			cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
+ 			if (retval != NULL) {
+ 				add_next_index_zval(authns, retval);
+ 			}
+@@ -857,7 +892,7 @@
+ 		while (ar-- > 0 && cp && cp < end) {
+ 			zval *retval;
+ 
+-			cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
++			cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
+ 			if (retval != NULL) {
+ 				add_next_index_zval(addtl, retval);
+ 			}
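Review bot: The new `CHECKCP` macro tests `cp + n > end`, which forms a pointer up to 65535 bytes past the buffer before comparing (`CHECKCP(dlen)` passes a `u_short` taken from the packet), and it uses `n` unparenthesised. Pointer arithmetic beyond one past the end of the object is undefined, and on a 32-bit build with the buffer near the top of the address space the sum can wrap and let the check pass. Comparing lengths avoids both problems: `if ((n) > end - cp) { \`. Separately, `CHECKCP` returns NULL after `*subarray` has been populated with "host" and "type", so callers that only test `retval != NULL` will still append a partially filled record. php_parserr and its callers extend outside the hunks shown, so whether that is intended cannot be confirmed from here.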
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_2/php-sapi/patches/65_php_19556437.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,18 @@
+Fix for CVE-2014-5120
+Based on code in php 5.3.29 from comments in:
+https://bugs.php.net/bug.php?id=67730
+
+
+--- php-5.2.17/ext/gd/gd_ctx.c_orig	2010-01-03 01:23:27.000000000 -0800
++++ php-5.2.17/ext/gd/gd_ctx.c	2014-11-04 15:12:01.612256878 -0800
+@@ -90,7 +90,9 @@
+ 	}
+ 
+ 	if (argc > 1 && (Z_TYPE_PP(file) != IS_NULL && ((argc == 2) || (argc > 2 && Z_STRLEN_PP(file))))) {
+-
++		if (strlen(Z_STRVAL_PP(file)) != Z_STRLEN_PP(file)) {
++			RETURN_FALSE;
++		}
+ 		PHP_GD_CHECK_OPEN_BASEDIR(fn, "Invalid filename");
+ 
+ 		fp = VCWD_FOPEN(fn, "wb");
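Review bot: The new embedded-NUL check rejects the filename with a bare `RETURN_FALSE`, so a caller gets no diagnostic explaining the failure. The ldap_bind fix in this same changeset reports the equivalent condition with `php_error_docref`. Emitting a warning first would make rejected input visible in logs, e.g. `php_error_docref(NULL TSRMLS_CC, E_WARNING, "Filename contains a null byte");`. The enclosing condition only excludes `IS_NULL`, so the check relies on `file` having been converted to a string before this point; that happens outside the hunk, if at all, and is worth confirming. `strlen()` returns `size_t` while `Z_STRLEN_PP` is an `int`, so a cast on one side would avoid a signed/unsigned comparison.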
--- a/components/php-5_3/Makefile	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_3/Makefile	Tue Feb 03 15:20:15 2015 -0800
@@ -18,11 +18,11 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 include ../../make-rules/shared-macros.mk
 
-TPNO_PHP_5_3=		17137
+TPNO_PHP_5_3=		21389
 TPNO_PHP_APC=		17127
 TPNO_PHP_IDN=		17128
 TPNO_PHP_MEMCACHE=	17130
@@ -125,7 +125,7 @@
 #               looks like i DO NEED the pear patches
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_PROJECT_URL=	http://www.php.net/
 COMPONENT_BUGDB=	utility/php
 
--- a/components/php-5_3/common.mk	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_3/common.mk	Tue Feb 03 15:20:15 2015 -0800
@@ -161,8 +161,8 @@
 CONF_ENVLINE += \
 	LIBS="$(LIBS)" \
 	EXTENSION_DIR=$(MODULES_DIR) \
-	PHP_PEAR_CACHE_DIR=/var/tmp/pear/cache \
-	PHP_PEAR_DOWNLOAD_DIR=/var/tmp/pear/cache \
+	PHP_PEAR_CACHE_DIR=/var/cache/php-pear \
+	PHP_PEAR_DOWNLOAD_DIR=/tmp/pear/download \
 	PHP_PEAR_EXTENSION_DIR=/var/php/$(PHP_REL)/modules \
 	PHP_PEAR_INSTALL_DIR=/var/php/$(PHP_REL)/pear \
 	PHP_PEAR_SIG_BIN=/usr/gnu/bin/gpg \
--- a/components/php-5_3/php-cgi/Makefile	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_3/php-cgi/Makefile	Tue Feb 03 15:20:15 2015 -0800
@@ -23,11 +23,11 @@
 include ../../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
 COMPONENT_ARCHIVE_HASH= \
-    sha256:0cac960c651c4fbb3d21cf2f2b279a06e21948fb35a0d1439b97296cac1d8513
+    sha256:c4e1cf6972b2a9c7f2777a18497d83bf713cdbecabb65d3ff62ba441aebb0091
 COMPONENT_ARCHIVE_URL=	http://us.php.net/get/$(COMPONENT_ARCHIVE)/from/this/mirror
 
 PATCH_DIR = ../php-sapi/patches
--- a/components/php-5_3/php-nsapi/Makefile	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_3/php-nsapi/Makefile	Tue Feb 03 15:20:15 2015 -0800
@@ -24,11 +24,11 @@
 include ../../../make-rules/shared-macros.mk
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
 COMPONENT_ARCHIVE_HASH= \
-    sha256:0cac960c651c4fbb3d21cf2f2b279a06e21948fb35a0d1439b97296cac1d8513
+    sha256:c4e1cf6972b2a9c7f2777a18497d83bf713cdbecabb65d3ff62ba441aebb0091
 COMPONENT_ARCHIVE_URL=	http://us.php.net/get/$(COMPONENT_ARCHIVE)/from/this/mirror
 COMPONENT_PROJECT_URL=	http://www.php.net/
 
--- a/components/php-5_3/php-pear.p5m	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_3/php-pear.p5m	Tue Feb 03 15:20:15 2015 -0800
@@ -18,7 +18,7 @@
 #
 # CDDL HEADER END
 #
-# Copyright (c) 2012, 2014, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2012, 2015, Oracle and/or its affiliates. All rights reserved.
 #
 
 # All the files under /var/php are mode=0644
@@ -52,6 +52,7 @@
 dir path=var/php/5.3/pear/.registry/.channel.__uri
 dir path=var/php/5.3/pear/.registry/.channel.doc.php.net
 dir path=var/php/5.3/pear/.registry/.channel.pecl.php.net
+dir path=var/cache/php-pear owner=webservd group=webservd
 
 file path=etc/php/5.3/pear.conf mode=0644 preserve=renamenew
 file path=usr/php/5.3/bin/pear mode=0555
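Review bot: The new `dir path=var/cache/php-pear owner=webservd group=webservd` action makes the web server account the owner of the PEAR cache and sets no explicit `mode`. If `pear` is normally run by an administrator, cache content that the web server account can write would then be read by a more privileged process, so a compromised web application could influence what `pear` sees. Unless PEAR is meant to be driven by webservd, root ownership with an explicit mode is the safer default, e.g. `dir path=var/cache/php-pear owner=root group=bin mode=0755`. If webservd ownership is deliberate, a manifest comment should say why. The default mode that applies to this action is set outside the hunk.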
@@ -219,7 +220,6 @@
 file path=var/php/5.3/pear/peclcmd.php
 file path=var/php/5.3/pear/test/Structures_Graph/tests/AllTests.php
 file path=var/php/5.3/pear/test/Structures_Graph/tests/testCase/BasicGraph.php
-file path=var/php/5.3/pear/test/XML_Util/tests/AllTests.php
 file path=var/php/5.3/pear/test/XML_Util/tests/testBasic_apiVersion.phpt
 file \
     path=var/php/5.3/pear/test/XML_Util/tests/testBasic_attributesToString.phpt
--- a/components/php-5_3/php-sapi/Makefile	Tue Feb 03 13:51:23 2015 -0800
+++ b/components/php-5_3/php-sapi/Makefile	Tue Feb 03 15:20:15 2015 -0800
@@ -29,11 +29,11 @@
 #    published from.
 
 COMPONENT_NAME=		php
-COMPONENT_VERSION=	5.3.28
+COMPONENT_VERSION=	5.3.29
 COMPONENT_SRC=		$(COMPONENT_NAME)-$(COMPONENT_VERSION)
 COMPONENT_ARCHIVE=	$(COMPONENT_SRC).tar.bz2
 COMPONENT_ARCHIVE_HASH= \
-    sha256:0cac960c651c4fbb3d21cf2f2b279a06e21948fb35a0d1439b97296cac1d8513
+    sha256:c4e1cf6972b2a9c7f2777a18497d83bf713cdbecabb65d3ff62ba441aebb0091
 COMPONENT_ARCHIVE_URL=	http://us.php.net/get/$(COMPONENT_ARCHIVE)/from/this/mirror
 COMPONENT_PROJECT_URL=	http://www.php.net/
 
--- a/components/php-5_3/php-sapi/patches/150_php_18083695.patch	Tue Feb 03 13:51:23 2015 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,51 +0,0 @@
-Fix for CVE-2013-6712
-Patch:
-http://git.php.net/?p=php-src.git;a=patch;h=12fe4e90be7bfa2a763197079f68f5568a14e071
-Code:
-http://git.php.net/?p=php-src.git;a=commitdiff;h=12fe4e90be7bfa2a763197079f68f5568a14e071
-This patch is for php 5.4 code but works well enough on php 5.3 code.
-Verified by hand that it patches the correct code.
-Slightly modified by hand to remove unnecessary parts that fail to patch.
-
-
-From 12fe4e90be7bfa2a763197079f68f5568a14e071 Mon Sep 17 00:00:00 2001
-From: Remi Collet <[email protected]>
-Date: Wed, 27 Nov 2013 11:13:16 +0100
-Subject: [PATCH] Fixed bug #66060 (Heap buffer over-read in DateInterval)
-
----
- NEWS                                | 3 +++
- ext/date/lib/parse_iso_intervals.c  | 4 ++--
- ext/date/lib/parse_iso_intervals.re | 2 +-
- 3 files changed, 6 insertions(+), 3 deletions(-)
-
-diff --git a/ext/date/lib/parse_iso_intervals.c b/ext/date/lib/parse_iso_intervals.c
-index bd1ad05..480ea38 100644
---- a/ext/date/lib/parse_iso_intervals.c
-+++ b/ext/date/lib/parse_iso_intervals.c
-@@ -415,7 +415,7 @@ yy6:
- 					break;
- 			}
- 			ptr++;
--		} while (*ptr);
-+		} while (!s->errors->error_count && *ptr);
- 		s->have_period = 1;
- 		TIMELIB_DEINIT;
- 		return TIMELIB_PERIOD;
-diff --git a/ext/date/lib/parse_iso_intervals.re b/ext/date/lib/parse_iso_intervals.re
-index 56aa34d..c5e9f67 100644
---- a/ext/date/lib/parse_iso_intervals.re
-+++ b/ext/date/lib/parse_iso_intervals.re
-@@ -383,7 +383,7 @@ isoweek          = year4 "-"? "W" weekofyear;
- 					break;
- 			}
- 			ptr++;
--		} while (*ptr);
-+		} while (!s->errors->error_count && *ptr);
- 		s->have_period = 1;
- 		TIMELIB_DEINIT;
- 		return TIMELIB_PERIOD;
--- 
-1.8.4.3
-
-
--- a/components/php-5_3/php-sapi/patches/172_php_zlib.patch	Tue Feb 03 13:51:23 2015 -0800
+++ /dev/null	Thu Jan 01 00:00:00 1970 +0000
@@ -1,26 +0,0 @@
-Patch origin: upstream
-Patch status: unclear; patch attached to bug
-
-https://bugs.php.net/bug.php?id=53829
-
---- php-5.3.17/ext/zlib/zlib.c
-+++ php-5.3.17/ext/zlib/zlib.c
-@@ -58,6 +58,18 @@
- # endif
- #endif
- 
-+/*
-+ * zlib include files can define the following preprocessor defines which rename
-+ * the corresponding PHP functions to gzopen64, gzseek64 and gztell64 and thereby
-+ * breaking some software, most notably PEAR's Archive_Tar, which halts execution
-+ * without error message on gzip compressed archivesa.
-+ *
-+ * This only seems to happen on 32bit systems with large file support.
-+ */
-+#undef gzopen
-+#undef gzseek
-+#undef gztell
-+
- #if defined(HAVE_UNISTD_H) && defined(PHP_WIN32)
- # undef HAVE_UNISTD_H
- #endif
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/180_php_zlib.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,26 @@
+Patch origin: upstream
+Patch status: unclear; patch attached to bug
+
+https://bugs.php.net/bug.php?id=53829
+
+--- php-5.3.17/ext/zlib/zlib.c
++++ php-5.3.17/ext/zlib/zlib.c
+@@ -58,6 +58,18 @@
+ # endif
+ #endif
+ 
++/*
++ * zlib include files can define the following preprocessor defines which rename
++ * the corresponding PHP functions to gzopen64, gzseek64 and gztell64 and thereby
++ * breaking some software, most notably PEAR's Archive_Tar, which halts execution
++ * without error message on gzip compressed archivesa.
++ *
++ * This only seems to happen on 32bit systems with large file support.
++ */
++#undef gzopen
++#undef gzseek
++#undef gztell
++
+ #if defined(HAVE_UNISTD_H) && defined(PHP_WIN32)
+ # undef HAVE_UNISTD_H
+ #endif
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/190_php_18857741.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,31 @@
+Fix for CVE-2014-2497
+Patch:
+http://git.php.net/?p=php-src.git;a=patch;h=cf4753691dc55999373d1c576f62ecb298723420
+Code:
+http://git.php.net/?p=php-src.git;a=commit;h=cf4753691dc55999373d1c576f62ecb298723420
+Verified by hand that it patches the correct code.
+
+
+diff --git a/ext/gd/libgd/gdxpm.c b/ext/gd/libgd/gdxpm.c
+index 73f86e5..b69414e 100644
+--- a/ext/gd/libgd/gdxpm.c
++++ b/ext/gd/libgd/gdxpm.c
+@@ -31,12 +31,17 @@ gdImagePtr gdImageCreateFromXpm (char *filename)
+ 	if (ret != XpmSuccess) {
+ 		return 0;
+ 	}
++	number = image.ncolors;
++	for(i = 0; i < number; i++) {
++		if (!image.colorTable[i].c_color) {
++			goto done;
++		}
++	}
+ 
+ 	if (!(im = gdImageCreate(image.width, image.height))) {
+ 		goto done;
+ 	}
+ 
+-	number = image.ncolors;
+ 	colors = (int *) safe_emalloc(number, sizeof(int), 0);
+ 	for (i = 0; i < number; i++) {
+ 		switch (strlen (image.colorTable[i].c_color)) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/200_php_19796954.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,29 @@
+Fix for CVE-2014-8088
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff_plain;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Code:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=ed4de188dd1c15d278a8250e6be3cba142bba6af
+Verified by hand that it patches the correct code.
+
+
+diff --git a/ext/ldap/ldap.c b/ext/ldap/ldap.c
+index 10daa82..da5aa5f 100644
+--- a/ext/ldap/ldap.c
++++ b/ext/ldap/ldap.c
+@@ -399,6 +399,16 @@ PHP_FUNCTION(ldap_bind)
+ 		RETURN_FALSE;
+ 	}
+ 
++	if (ldap_bind_dn != NULL && memchr(ldap_bind_dn, '\0', ldap_bind_dnlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "DN contains a null byte");
++		RETURN_FALSE;
++	}
++
++	if (ldap_bind_pw != NULL && memchr(ldap_bind_pw, '\0', ldap_bind_pwlen) != NULL) {
++		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Password contains a null byte");
++		RETURN_FALSE;
++	}
++
+ 	ZEND_FETCH_RESOURCE(ld, ldap_linkdata *, &link, -1, "ldap link", le_link);
+ 
+ 	if ((rc = ldap_bind_s(ld->link, ldap_bind_dn, ldap_bind_pw, LDAP_AUTH_SIMPLE)) != LDAP_SUCCESS) {
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/210_php_19556437.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,98 @@
+Fix for CVE-2014-3538
+Patch from PHP community:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=eeaec70758bfc0c0e2c0f8944c8dbeae02866206
+But this is for php 5.4.32.
+The website:
+http://permalink.gmane.org/gmane.linux.frugalware.scm/131282
+shows a patch for php 5.3.26 so I've hand crafted a patch
+based on both websites.
+
+
+--- php-5.3.29/ext/fileinfo/libmagic/softmagic.c_orig	2014-10-20 16:46:35.678013082 -0700
++++ php-5.3.29/ext/fileinfo/libmagic/softmagic.c	2014-10-22 13:51:20.141509243 -0700
+@@ -56,7 +56,7 @@
+ private int32_t moffset(struct magic_set *, struct magic *);
+ private void mdebug(uint32_t, const char *, size_t);
+ private int mcopy(struct magic_set *, union VALUETYPE *, int, int,
+-    const unsigned char *, uint32_t, size_t, size_t);
++    const unsigned char *, uint32_t, size_t, struct magic *);
+ private int mconvert(struct magic_set *, struct magic *);
+ private int print_sep(struct magic_set *, int);
+ private int handle_annotation(struct magic_set *, struct magic *);
+@@ -898,7 +898,7 @@
+ 
+ private int
+ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+-    const unsigned char *s, uint32_t offset, size_t nbytes, size_t linecnt)
++    const unsigned char *s, uint32_t offset, size_t nbytes, struct magic *m)
+ {
+ 	/*
+ 	 * Note: FILE_SEARCH and FILE_REGEX do not actually copy
+@@ -918,15 +918,24 @@
+ 			const char *last;	/* end of search region */
+ 			const char *buf;	/* start of search region */
+ 			const char *end;
+-			size_t lines;
++			size_t lines, linecnt, bytecnt;
++			 
++			linecnt = m->str_range;
++			bytecnt = linecnt * 80;
+ 
++			if (bytecnt == 0) {
++				bytecnt = 8192;
++			}
++			if (bytecnt > nbytes) {
++				bytecnt = nbytes;
++			}
+ 			if (s == NULL) {
+ 				ms->search.s_len = 0;
+ 				ms->search.s = NULL;
+ 				return 0;
+ 			}
+ 			buf = RCAST(const char *, s) + offset;
+-			end = last = RCAST(const char *, s) + nbytes;
++			end = last = RCAST(const char *, s) + bytecnt;
+ 			/* mget() guarantees buf <= last */
+ 			for (lines = linecnt, b = buf; lines && b < end &&
+ 			     ((b = CAST(const char *,
+@@ -939,7 +948,7 @@
+ 					b++;
+ 			}
+ 			if (lines)
+-				last = RCAST(const char *, s) + nbytes;
++				last = RCAST(const char *, s) + bytecnt;
+ 
+ 			ms->search.s = buf;
+ 			ms->search.s_len = last - buf;
+@@ -1012,7 +1021,6 @@
+     int recursion_level)
+ {
+ 	uint32_t offset = ms->offset;
+-	uint32_t count = m->str_range;
+ 	union VALUETYPE *p = &ms->ms_value;
+ 
+         if (recursion_level >= 20) {
+@@ -1020,10 +1028,13 @@
+                 return -1;
+         }
+ 
+-	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset, nbytes, count) == -1)
++	if (mcopy(ms, p, m->type, m->flag & INDIR, s, offset,
++	    (uint32_t)nbytes, m) == -1)
+ 		return -1;
+ 
+ 	if ((ms->flags & MAGIC_DEBUG) != 0) {
++		fprintf(stderr, "mget(type=%d, flag=%x, offset=%u, "
++		    "nbytes=%zu)\n", m->type, m->flag, offset, nbytes);
+ 		mdebug(offset, (char *)(void *)p, sizeof(union VALUETYPE));
+ 	}
+ 
+@@ -1504,7 +1515,7 @@
+ 		if (m->flag & INDIROFFADD) {
+ 			offset += ms->c.li[cont_level-1].off;
+ 		}
+-		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, count) == -1)
++		if (mcopy(ms, p, m->type, 0, s, offset, nbytes, m) == -1)
+ 			return -1;
+ 		ms->offset = offset;
+ 
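Review bot: In the `mcopy()` hunk at `@@ -918,15 +918,24 @@`, `end` and `last` become `s + bytecnt` while `buf` is still `s + offset`, so the retained comment `/* mget() guarantees buf <= last */` no longer follows from anything visible: `bytecnt` is capped at `linecnt * 80` (or 8192), not only at `nbytes`. If `offset` can exceed `bytecnt`, `last - buf` in `ms->search.s_len = last - buf;` is negative and, assuming `s_len` is unsigned, becomes a very large length. Clamping before `buf` is computed would restore the invariant, e.g. `if (offset > bytecnt) offset = (uint32_t)bytecnt;`. The `(uint32_t)nbytes` cast added at the `mcopy()` call in the `@@ -1020,10 +1028,13 @@` hunk also narrows a value that the prototype still declares as `size_t`, and looks unnecessary. Because the header says this patch was hand-merged from two sources, both points are worth checking against the 5.3.29 tree rather than the upstream commit.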
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/211_php_19556437.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,18 @@
+Fix for CVE-2014-3587
+Patch from PHP community:
+http://git.php.net/?p=php-src.git;a=blobdiff;f=ext/fileinfo/libmagic/cdf.c;h=2c0a2d9dfcd803e21fb40cd04c48a679aa09a6df;hp=429f3b952f68d1ef7f2ebb4925ef5b16c54b7833;hb=35f32637b08ca6397829138ed45a0768f592f262;hpb=eab42649ab9c6d949dc8e1ba9e31124e9cfb3b1b
+
+
+diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
+index 429f3b9..2c0a2d9 100644
+--- a/ext/fileinfo/libmagic/cdf.c
++++ b/ext/fileinfo/libmagic/cdf.c
+@@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ 		q = (const uint8_t *)(const void *)
+ 		    ((const char *)(const void *)p + ofs
+ 		    - 2 * sizeof(uint32_t));
+-		if (q > e) {
++		if (q < p || q > e) {
+ 			DPRINTF(("Ran of the end %p > %p\n", q, e));
+ 			goto out;
+ 		}
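Review bot: The new `q < p` test in `cdf_read_property_info` runs only after `q` has been formed from `p + ofs - 2 * sizeof(uint32_t)`, so it relies on pointer arithmetic with an unvalidated `ofs` wrapping in a predictable way; if the result leaves the buffer the behaviour is undefined and a compiler may drop the comparison. Validating the integer before forming the pointer avoids that, e.g. `if (ofs < 2 * sizeof(uint32_t) || ofs - 2 * sizeof(uint32_t) > (size_t)((const char *)e - (const char *)p)) goto out;` — to be confirmed against the declarations of `ofs`, `p` and `e`, which are outside the hunk. The `DPRINTF` text still reports only `%p > %p`, which will mislead when the branch is taken for `q < p`.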
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/212_php_19556437.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,267 @@
+Fixed Sec Bug #67717 segfault in dns_get_record CVE-2014-3597
+
+Incomplete fix for CVE-2014-4049
+
+Check possible buffer overflow
+- pass real buffer end to dn_expand calls
+- check buffer len before each read
+
+
+diff --git a/ext/standard/dns.c b/ext/standard/dns.c
+index 214a7dc..0b5e69c 100644
+--- a/ext/standard/dns.c
++++ b/ext/standard/dns.c
+@@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record)
+ 
+ #if HAVE_FULL_DNS_FUNCS
+ 
++#define CHECKCP(n) do { \
++	if (cp + n > end) { \
++		return NULL; \
++	} \
++} while (0)
++
+ /* {{{ php_parserr */
+-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, zval **subarray)
++static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, zval **subarray)
+ {
+ 	u_short type, class, dlen;
+ 	u_long ttl;
+@@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 
+ 	*subarray = NULL;
+ 
+-	n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
++	n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
+ 	if (n < 0) {
+ 		return NULL;
+ 	}
+ 	cp += n;
+ 
++	CHECKCP(10);
+ 	GETSHORT(type, cp);
+ 	GETSHORT(class, cp);
+ 	GETLONG(ttl, cp);
+ 	GETSHORT(dlen, cp);
++	CHECKCP(dlen);
+ 	if (type_to_fetch != T_ANY && type != type_to_fetch) {
+ 		cp += dlen;
+ 		return cp;
+@@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 
+ 	switch (type) {
+ 		case DNS_T_A:
++			CHECKCP(4);
+ 			add_assoc_string(*subarray, "type", "A", 1);
+ 			snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
+ 			add_assoc_string(*subarray, "ip", name, 1);
+ 			cp += dlen;
+ 			break;
+ 		case DNS_T_MX:
++			CHECKCP(2);
+ 			add_assoc_string(*subarray, "type", "MX", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
+@@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			if (type == DNS_T_PTR) {
+ 				add_assoc_string(*subarray, "type", "PTR", 1);
+ 			}
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+@@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 		case DNS_T_HINFO:
+ 			/* See RFC 1010 for values */
+ 			add_assoc_string(*subarray, "type", "HINFO", 1);
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
+ 			cp += n;
++			CHECKCP(1);
+ 			n = *cp & 0xFF;
+ 			cp++;
++			CHECKCP(n);
+ 			add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
+ 			cp += n;
+ 			break;
+ 		case DNS_T_TXT:
+ 			{
+-				int ll = 0;
++				int l1 = 0, l2 = 0;
+ 				zval *entries = NULL;
+ 
+ 				add_assoc_string(*subarray, "type", "TXT", 1);
+@@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 				MAKE_STD_ZVAL(entries);
+ 				array_init(entries);
+ 				
+-				while (ll < dlen) {
+-					n = cp[ll];
+-					if ((ll + n) >= dlen) {
++				while (l1 < dlen) {
++					n = cp[l1];
++					if ((l1 + n) >= dlen) {
+ 						// Invalid chunk length, truncate
+-						n = dlen - (ll + 1);
++						n = dlen - (l1 + 1);
++					}
++					if (n) {
++						memcpy(tp + l2 , cp + l1 + 1, n);
++						add_next_index_stringl(entries, cp + l1 + 1, n, 1);
+ 					}
+-					memcpy(tp + ll , cp + ll + 1, n);
+-					add_next_index_stringl(entries, cp + ll + 1, n, 1);
+-					ll = ll + n + 1;
++					l1 = l1 + n + 1;
++					l2 = l2 + n;
+ 				}
+-				tp[dlen] = '\0';
++				tp[l2] = '\0';
+ 				cp += dlen;
+ 
+-				add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0);
++				add_assoc_stringl(*subarray, "txt", tp, l2, 0);
+ 				add_assoc_zval(*subarray, "entries", entries);
+ 			}
+ 			break;
+ 		case DNS_T_SOA:
+ 			add_assoc_string(*subarray, "type", "SOA", 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "mname", name, 1);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+ 			cp += n;
+ 			add_assoc_string(*subarray, "rname", name, 1);
++			CHECKCP(5*4);
+ 			GETLONG(n, cp);
+ 			add_assoc_long(*subarray, "serial", n);
+ 			GETLONG(n, cp);
+@@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			break;
+ 		case DNS_T_AAAA:
+ 			tp = (u_char*)name;
++			CHECKCP(8*2);
+ 			for(i=0; i < 8; i++) {
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
+@@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 		case DNS_T_A6:
+ 			p = cp;
+ 			add_assoc_string(*subarray, "type", "A6", 1);
++			CHECKCP(1);
+ 			n = ((int)cp[0]) & 0xFF;
+ 			cp++;
+ 			add_assoc_long(*subarray, "masklen", n);
+@@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 				cp++;
+ 			}
+ 			for (i = (n + 8) / 16; i < 8; i++) {
++				CHECKCP(2);
+ 				GETSHORT(s, cp);
+ 				if (s != 0) {
+ 					if (tp > (u_char *)name) {
+@@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			tp[0] = '\0';
+ 			add_assoc_string(*subarray, "ipv6", name, 1);
+ 			if (cp < p + dlen) {
+-				n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++				n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 				if (n < 0) {
+ 					return NULL;
+ 				}
+@@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			}
+ 			break;
+ 		case DNS_T_SRV:
++			CHECKCP(3*2);
+ 			add_assoc_string(*subarray, "type", "SRV", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pri", n);
+@@ -673,7 +695,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			add_assoc_long(*subarray, "weight", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "port", n);
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+@@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
+ 			add_assoc_string(*subarray, "target", name, 1);
+ 			break;
+ 		case DNS_T_NAPTR:
++			CHECKCP(2*2);
+ 			add_assoc_string(*subarray, "type", "NAPTR", 1);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "order", n);
+ 			GETSHORT(n, cp);
+ 			add_assoc_long(*subarray, "pref", n);
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
+ 			cp += n;
++
++			CHECKCP(1);
+ 			n = (cp[0] & 0xFF);
+-			add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
++			cp++;
++			CHECKCP(n);
++			add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
+ 			cp += n;
+-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
++
++			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
+ 			if (n < 0) {
+ 				return NULL;
+ 			}
+@@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record)
+ 			while (an-- && cp && cp < end) {
+ 				zval *retval;
+ 
+-				cp = php_parserr(cp, &answer, type_to_fetch, store_results, &retval);
++				cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, &retval);
+ 				if (retval != NULL && store_results) {
+ 					add_next_index_zval(return_value, retval);
+ 				}
+@@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record)
+ 				while (ns-- > 0 && cp && cp < end) {
+ 					zval *retval = NULL;
+ 
+-					cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, &retval);
++					cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, &retval);
+ 					if (retval != NULL) {
+ 						add_next_index_zval(authns, retval);
+ 					}
+@@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record)
+ 				while (ar-- > 0 && cp && cp < end) {
+ 					zval *retval = NULL;
+ 
+-					cp = php_parserr(cp, &answer, DNS_T_ANY, 1, &retval);
++					cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, &retval);
+ 					if (retval != NULL) {
+ 						add_next_index_zval(addtl, retval);
+ 					}
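Review bot: `CHECKCP` tests `cp + n > end`, which forms the pointer before comparing it and leaves `n` unparenthesised; since `n` comes from the packet (`dlen`, or a length byte), the sum can lie beyond one-past-the-end of the buffer, where pointer arithmetic is undefined. Comparing lengths keeps the test well defined: `if ((n) > end - cp) { \`. The macro also hides a `return NULL` and depends on locals named `cp` and `end`, so it deserves a comment at the `#define`, for example `/* leave php_parserr() unless n bytes remain before end */`. Separately, the per-field checks are made against `end` (the whole answer) rather than `cp + dlen`, so a field can still run past its own record's declared length while staying inside the buffer; whether that matters depends on code between the hunks.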
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/213_php_19556437.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,60 @@
+Fix for CVE-2014-4670
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=df78c48354f376cf419d7a97f88ca07d572f00fb
+
+
+Fixed Bug #67538 (SPL Iterators use-after-free)
+---
+
+diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
+index 39a0733..0b44d41 100644
+--- a/ext/spl/spl_dllist.c
++++ b/ext/spl/spl_dllist.c
+@@ -43,12 +43,10 @@ PHPAPI zend_class_entry  *spl_ce_SplStack;
+ 
+ #define SPL_LLIST_DELREF(elem) if(!--(elem)->rc) { \
+ 	efree(elem); \
+-	elem = NULL; \
+ }
+ 
+ #define SPL_LLIST_CHECK_DELREF(elem) if((elem) && !--(elem)->rc) { \
+ 	efree(elem); \
+-	elem = NULL; \
+ }
+ 
+ #define SPL_LLIST_ADDREF(elem) (elem)->rc++
+@@ -916,6 +914,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUnset)
+ 			llist->dtor(element TSRMLS_CC);
+ 		}
+ 
++		if (intern->traverse_pointer == element) {
++			SPL_LLIST_DELREF(element);
++			intern->traverse_pointer = NULL;
++		}
++
+ 		zval_ptr_dtor((zval **)&element->data);
+ 		element->data = NULL;
+ 
+diff --git a/ext/spl/tests/bug67538.phpt b/ext/spl/tests/bug67538.phpt
+new file mode 100644
+index 0000000..b6f3848
+--- /dev/null
++++ b/ext/spl/tests/bug67538.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #67538 (SPL Iterators use-after-free)
++--FILE--
++<?php
++$list = new SplDoublyLinkedList();
++$list->push('a');
++$list->push('b');
++
++$list->rewind();
++$list->offsetUnset(0);
++$list->push('b');
++$list->offsetUnset(0);
++$list->next();
++echo "okey";
++?>
++--EXPECTF--
++okey
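Review bot: With `elem = NULL;` removed from `SPL_LLIST_DELREF` and `SPL_LLIST_CHECK_DELREF`, every caller keeps a dangling pointer once the count reaches zero, and the block added to `offsetUnset` dereferences `element` on the very next statement (`zval_ptr_dtor((zval **)&element->data)`). That is safe only if the list's own reference is still held at that point, which the hunk does not show; the invariant should be stated where it is relied on, e.g. `/* drops only the iterator's reference; the list still holds one, so element stays valid below */`. Both macros are also bare `if` statements, so wrapping them in `do { ... } while (0)` would keep them safe next to an `else`. The method body starts and ends outside the hunk.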
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/components/php-5_3/php-sapi/patches/214_php_19556437.patch	Tue Feb 03 15:20:15 2015 -0800
@@ -0,0 +1,47 @@
+Fix for CVE-2014-4698
+Patch:
+http://git.php.net/?p=php-src.git;a=commitdiff;h=22882a9d89712ff2b6ebc20a689a89452bba4dcd
+
+Hand crafted patch for php 5.3 from above due to context differences.
+
+--- php-5.3.29/ext/spl/spl_array.c_orig	2014-08-13 12:22:50.000000000 -0700
++++ php-5.3.29/ext/spl/spl_array.c	2014-11-04 14:31:14.198629945 -0800
+@@ -1843,6 +1843,7 @@
+ 	int buf_len;
+ 	spl_array_object *intern = (spl_array_object*)zend_object_store_get_object(getThis() TSRMLS_CC);
+ 	int was_in_unserialize = intern->unserialize_data != NULL;
++	HashTable *aht;
+ 
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+ 		return;
+@@ -1853,6 +1854,12 @@
+ 		return;
+ 	}
+ 
++    aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
++	if (aht->nApplyCount > 0) {
++		zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
++		return;
++	}
++
+ 	if (!was_in_unserialize) {
+ 		intern->unserialize_data = emalloc(sizeof(php_unserialize_data_t));
+ 		PHP_VAR_UNSERIALIZE_INIT(*intern->unserialize_data);
+--- php-5.3.29/ext/spl/tests/bug67539.phpt_orig	2014-11-04 14:32:52.307769425 -0800
++++ php-5.3.29/ext/spl/tests/bug67539.phpt	2014-11-04 14:33:24.460710922 -0800
+@@ -0,0 +1,15 @@
++--TEST--
++Bug #67539 (ArrayIterator use-after-free due to object change during sorting)
++--FILE--
++<?php
++
++$it = new ArrayIterator(array_fill(0,2,'X'), 1 );
++
++function badsort($a, $b) {
++        $GLOBALS['it']->unserialize($GLOBALS['it']->serialize());
++        return TRUE;
++}
++
++$it->uksort('badsort');
++--EXPECTF--
++Warning: Modification of ArrayObject during sorting is prohibited in %sbug67539.php on line %d
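Review bot: `aht->nApplyCount` is read without checking the pointer returned by `spl_array_get_hash_table(intern, 0 TSRMLS_CC)` in the block added at `@@ -1853,6 +1854,12 @@` of spl_array.c. If that helper can return NULL for an object whose backing array is no longer available (its definition is outside the hunk, so this is an assumption to confirm), the new guard would itself fault before the warning is raised; `if (aht != NULL && aht->nApplyCount > 0) {` covers it. The assignment line is also indented with spaces where the surrounding lines use a tab. The enclosing method starts and ends outside the hunk.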