From dea2989ab8ba87a6180af497b2efaf0527e985c5 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 7 Jul 2019 17:01:01 -0700
Subject: Fix bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)

---
 ext/exif/exif.c              |   2 +-
 ext/exif/tests/bug78222.jpg  | Bin 0 -> 91 bytes
 ext/exif/tests/bug78222.phpt |  11 +++++++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 ext/exif/tests/bug78222.jpg
 create mode 100644 ext/exif/tests/bug78222.phpt

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 605b37923f..cd7975a9f5 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -3498,7 +3498,7 @@ static int exif_scan_thumbnail(image_info_type *ImageInfo)
 	size_t          length=2, pos=0;
 	jpeg_sof_info   sof_info;
 
-	if (!data) {
+	if (!data || ImageInfo->Thumbnail.size < 4) {
 		return FALSE; /* nothing to do here */
 	}
 	if (memcmp(data, "\xFF\xD8\xFF", 3)) {
diff --git a/ext/exif/tests/bug78222.jpg b/ext/exif/tests/bug78222.jpg
new file mode 100644
index 0000000000..a96e16be51
Binary files /dev/null and b/ext/exif/tests/bug78222.jpg differ
diff --git a/ext/exif/tests/bug78222.phpt b/ext/exif/tests/bug78222.phpt
new file mode 100644
index 0000000000..0e4ead33e4
--- /dev/null
+++ b/ext/exif/tests/bug78222.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #78222 (heap-buffer-overflow on exif_scan_thumbnail)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+exif_read_data(__DIR__."/bug78222.jpg", 'THUMBNAIL', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
\ No newline at end of file
-- 
cgit v1.2.1


From aeb6d13185a2ea4f1496ede2697469faed98ce05 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Sun, 7 Jul 2019 17:39:59 -0700
Subject: Fix bug #78256 (heap-buffer-overflow on exif_process_user_comment)

---
 ext/exif/exif.c              |   6 +++---
 ext/exif/tests/bug78256.jpg  | Bin 0 -> 69 bytes
 ext/exif/tests/bug78256.phpt |  11 +++++++++++
 3 files changed, 14 insertions(+), 3 deletions(-)
 create mode 100644 ext/exif/tests/bug78256.jpg
 create mode 100644 ext/exif/tests/bug78256.phpt

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index cd7975a9f5..77e4427b48 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2619,7 +2619,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 {
 	int   a;
 	char  *decode;
-	size_t len;;
+	size_t len;
 
 	*pszEncoding = NULL;
 	/* Copy the comment */
@@ -2632,11 +2632,11 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
 			/* First try to detect BOM: ZERO WIDTH NOBREAK SPACE (FEFF 16)
 			 * since we have no encoding support for the BOM yet we skip that.
 			 */
-			if (!memcmp(szValuePtr, "\xFE\xFF", 2)) {
+			if (ByteCount >=2 && !memcmp(szValuePtr, "\xFE\xFF", 2)) {
 				decode = "UCS-2BE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;
-			} else if (!memcmp(szValuePtr, "\xFF\xFE", 2)) {
+			} else if (ByteCount >=2 && !memcmp(szValuePtr, "\xFF\xFE", 2)) {
 				decode = "UCS-2LE";
 				szValuePtr = szValuePtr+2;
 				ByteCount -= 2;
diff --git a/ext/exif/tests/bug78256.jpg b/ext/exif/tests/bug78256.jpg
new file mode 100644
index 0000000000..56bf672629
Binary files /dev/null and b/ext/exif/tests/bug78256.jpg differ
diff --git a/ext/exif/tests/bug78256.phpt b/ext/exif/tests/bug78256.phpt
new file mode 100644
index 0000000000..37a3f1d824
--- /dev/null
+++ b/ext/exif/tests/bug78256.phpt
@@ -0,0 +1,11 @@
+--TEST--
+Bug #78256 (heap-buffer-overflow on exif_process_user_comment)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+@exif_read_data(__DIR__."/bug78256.jpg", 'COMMENT', FALSE, TRUE);
+?>
+DONE
+--EXPECTF--
+DONE
\ No newline at end of file
-- 
cgit v1.2.1


From 42e8b85d94ba11db13ca90b2dd53c17b2d6938df Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 29 Jul 2019 00:55:18 -0700
Subject: Update NEWS

---
 NEWS | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/NEWS b/NEWS
index d9c8771670..f2e22b62b6 100644
--- a/NEWS
+++ b/NEWS
@@ -5,6 +5,12 @@ PHP                                                                        NEWS
 - SQLite:
   . Upgraded to SQLite 3.28.0. (cmb)
 
+- EXIF:
+  . Fixed bug #78256 (heap-buffer-overflow on exif_process_user_comment).
+  (CVE-2019-11042) (Stas)
+  . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
+  (CVE-2019-11041) (Stas)
+
 30 May 2019, PHP 7.1.30
 
 - EXIF:
-- 
cgit v1.2.1


From cd1101e8c87aa175c2d5e87ddec656e50ef4ab5d Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker" <cmbecker69@gmx.de>
Date: Mon, 29 Jul 2019 16:08:03 +0200
Subject: Fix #77919: Potential UAF in Phar RSHUTDOWN

We have to properly clean up in case phar_flush() is failing.

We also make the expectation of the respective test case less liberal
to avoid missing such bugs in the future.
---
 NEWS                         | 3 +++
 ext/phar/phar_object.c       | 4 +++-
 ext/phar/tests/bug71488.phpt | 5 ++++-
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index f2e22b62b6..72e26f5924 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,9 @@ PHP                                                                        NEWS
   (CVE-2019-11042) (Stas)
   . Fixed bug #78222 (heap-buffer-overflow on exif_scan_thumbnail).
   (CVE-2019-11041) (Stas)
+  
+- Phar:
+  . Fixed bug #77919 (Potential UAF in Phar RSHUTDOWN). (cmb)
 
 30 May 2019, PHP 7.1.30
 
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 6bd5c1dc33..c1ba97a195 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -2037,7 +2037,7 @@ static zend_object *phar_rename_archive(phar_archive_data **sphar, char *ext, ze
 	char *newname = NULL, *newpath = NULL;
 	zval ret, arg1;
 	zend_class_entry *ce;
-	char *error;
+	char *error = NULL;
 	const char *pcr_error;
 	int ext_len = ext ? strlen(ext) : 0;
 	size_t new_len, oldname_len;
@@ -2205,6 +2205,8 @@ its_ok:
 	phar_flush(phar, 0, 0, 1, &error);
 
 	if (error) {
+		zend_hash_str_del(&(PHAR_G(phar_fname_map)), newpath, phar->fname_len);
+		*sphar = NULL;
 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0, "%s", error);
 		efree(error);
 		efree(oldpath);
diff --git a/ext/phar/tests/bug71488.phpt b/ext/phar/tests/bug71488.phpt
index 9c58d89488..7f8f6c00af 100644
--- a/ext/phar/tests/bug71488.phpt
+++ b/ext/phar/tests/bug71488.phpt
@@ -15,4 +15,7 @@ DONE
 ?>
 --EXPECTF--
 Fatal error: Uncaught BadMethodCallException: tar-based phar "%s/bug71488.test" cannot be created, link "%s" is too long for format in %sbug71488.php:%d
-Stack trace:%A
\ No newline at end of file
+Stack trace:
+#0 %s(%d): PharData->decompress('test')
+#1 {main}
+  thrown in %s on line %d
-- 
cgit v1.2.1