From fd28010e20ae051e84884232c550c5ec428f632e Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 5 Aug 2014 21:03:35 -0700
Subject: 5.4.32 RC1

---
 NEWS               | 2 +-
 configure.in       | 2 +-
 main/php_version.h | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index d1c06a9420..473f96a35e 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,6 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2014, PHP 5.4.32
+07 Aug 2014, PHP 5.4.32 RC1
 
 - COM:
   . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
diff --git a/configure.in b/configure.in
index 9a3a964a4c..27030ea1f0 100644
--- a/configure.in
+++ b/configure.in
@@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=4
 PHP_RELEASE_VERSION=32
-PHP_EXTRA_VERSION="-dev"
+PHP_EXTRA_VERSION="RC1"
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
 
diff --git a/main/php_version.h b/main/php_version.h
index c6aa024436..de525b89c3 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -4,6 +4,6 @@
 #define PHP_MINOR_VERSION 4
 #define PHP_RELEASE_VERSION 32
 
-#define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.4.32-dev"
+#define PHP_EXTRA_VERSION "RC1"
+#define PHP_VERSION "5.4.32RC1"
 #define PHP_VERSION_ID 50432
-- 
cgit v1.2.1


From 7ba1409a1aee5925180de546057ddd84ff267947 Mon Sep 17 00:00:00 2001
From: Remi Collet <rcollet@redhat.com>
Date: Thu, 14 Aug 2014 17:19:03 -0700
Subject: Fix bug #67716 - Segfault in cdf.c

---
 NEWS                        | 1 +
 ext/fileinfo/libmagic/cdf.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index 473f96a35e..9805a719d3 100644
--- a/NEWS
+++ b/NEWS
@@ -8,6 +8,7 @@ PHP                                                                        NEWS
 - Fileinfo:
   . Fixed bug #67705 (extensive backtracking in rule regular expression).
     (CVE-2014-3538) (Remi)
+  . Fixed bug #67716 (Segfault in cdf.c). (CVE-2014-3587) (Remi)
 
 - GD:
   . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference).
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index 429f3b952f..2c0a2d9dfc 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -820,7 +820,7 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
 		q = (const uint8_t *)(const void *)
 		    ((const char *)(const void *)p + ofs
 		    - 2 * sizeof(uint32_t));
-		if (q > e) {
+		if (q < p || q > e) {
 			DPRINTF(("Ran of the end %p > %p\n", q, e));
 			goto out;
 		}
-- 
cgit v1.2.1


From 529da0f74c1a230d0656799efc73a387392dbc10 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Aug 2014 22:37:25 -0700
Subject: Fixed bug #67717 - segfault in dns_get_record

---
 NEWS               |  5 +++-
 ext/standard/dns.c | 84 ++++++++++++++++++++++++++++++++++++++----------------
 2 files changed, 64 insertions(+), 25 deletions(-)

diff --git a/NEWS b/NEWS
index 9805a719d3..cd34e9e54e 100644
--- a/NEWS
+++ b/NEWS
@@ -2,8 +2,11 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 07 Aug 2014, PHP 5.4.32 RC1
 
+- Core:
+  . Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597) (Remi) 
+
 - COM:
-  . Fixed missing type checks in com_event_sink (Yussuf Khalil, Stas).
+  . Fixed missing type checks in com_event_sink. (Yussuf Khalil, Stas)
 
 - Fileinfo:
   . Fixed bug #67705 (extensive backtracking in rule regular expression).
diff --git a/ext/standard/dns.c b/ext/standard/dns.c
index 214a7dc7e9..0b5e69ca58 100644
--- a/ext/standard/dns.c
+++ b/ext/standard/dns.c
@@ -412,8 +412,14 @@ PHP_FUNCTION(dns_check_record)
 
 #if HAVE_FULL_DNS_FUNCS
 
+#define CHECKCP(n) do { \
+	if (cp + n > end) { \
+		return NULL; \
+	} \
+} while (0)
+
 /* {{{ php_parserr */
-static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray)
+static u_char *php_parserr(u_char *cp, u_char *end, querybuf *answer, int type_to_fetch, int store, int raw, zval **subarray)
 {
 	u_short type, class, dlen;
 	u_long ttl;
@@ -425,16 +431,18 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 
 	*subarray = NULL;
 
-	n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, sizeof(name) - 2);
+	n = dn_expand(answer->qb2, end, cp, name, sizeof(name) - 2);
 	if (n < 0) {
 		return NULL;
 	}
 	cp += n;
 
+	CHECKCP(10);
 	GETSHORT(type, cp);
 	GETSHORT(class, cp);
 	GETLONG(ttl, cp);
 	GETSHORT(dlen, cp);
+	CHECKCP(dlen);
 	if (type_to_fetch != T_ANY && type != type_to_fetch) {
 		cp += dlen;
 		return cp;
@@ -461,12 +469,14 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 
 	switch (type) {
 		case DNS_T_A:
+			CHECKCP(4);
 			add_assoc_string(*subarray, "type", "A", 1);
 			snprintf(name, sizeof(name), "%d.%d.%d.%d", cp[0], cp[1], cp[2], cp[3]);
 			add_assoc_string(*subarray, "ip", name, 1);
 			cp += dlen;
 			break;
 		case DNS_T_MX:
+			CHECKCP(2);
 			add_assoc_string(*subarray, "type", "MX", 1);
 			GETSHORT(n, cp);
 			add_assoc_long(*subarray, "pri", n);
@@ -485,7 +495,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 			if (type == DNS_T_PTR) {
 				add_assoc_string(*subarray, "type", "PTR", 1);
 			}
-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 			if (n < 0) {
 				return NULL;
 			}
@@ -495,18 +505,22 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 		case DNS_T_HINFO:
 			/* See RFC 1010 for values */
 			add_assoc_string(*subarray, "type", "HINFO", 1);
+			CHECKCP(1);
 			n = *cp & 0xFF;
 			cp++;
+			CHECKCP(n);
 			add_assoc_stringl(*subarray, "cpu", (char*)cp, n, 1);
 			cp += n;
+			CHECKCP(1);
 			n = *cp & 0xFF;
 			cp++;
+			CHECKCP(n);
 			add_assoc_stringl(*subarray, "os", (char*)cp, n, 1);
 			cp += n;
 			break;
 		case DNS_T_TXT:
 			{
-				int ll = 0;
+				int l1 = 0, l2 = 0;
 				zval *entries = NULL;
 
 				add_assoc_string(*subarray, "type", "TXT", 1);
@@ -515,37 +529,41 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 				MAKE_STD_ZVAL(entries);
 				array_init(entries);
 				
-				while (ll < dlen) {
-					n = cp[ll];
-					if ((ll + n) >= dlen) {
+				while (l1 < dlen) {
+					n = cp[l1];
+					if ((l1 + n) >= dlen) {
 						// Invalid chunk length, truncate
-						n = dlen - (ll + 1);
+						n = dlen - (l1 + 1);
+					}
+					if (n) {
+						memcpy(tp + l2 , cp + l1 + 1, n);
+						add_next_index_stringl(entries, cp + l1 + 1, n, 1);
 					}
-					memcpy(tp + ll , cp + ll + 1, n);
-					add_next_index_stringl(entries, cp + ll + 1, n, 1);
-					ll = ll + n + 1;
+					l1 = l1 + n + 1;
+					l2 = l2 + n;
 				}
-				tp[dlen] = '\0';
+				tp[l2] = '\0';
 				cp += dlen;
 
-				add_assoc_stringl(*subarray, "txt", tp, (dlen>0)?dlen - 1:0, 0);
+				add_assoc_stringl(*subarray, "txt", tp, l2, 0);
 				add_assoc_zval(*subarray, "entries", entries);
 			}
 			break;
 		case DNS_T_SOA:
 			add_assoc_string(*subarray, "type", "SOA", 1);
-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
+			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
 			if (n < 0) {
 				return NULL;
 			}
 			cp += n;
 			add_assoc_string(*subarray, "mname", name, 1);
-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) -2);
+			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) -2);
 			if (n < 0) {
 				return NULL;
 			}
 			cp += n;
 			add_assoc_string(*subarray, "rname", name, 1);
+			CHECKCP(5*4);
 			GETLONG(n, cp);
 			add_assoc_long(*subarray, "serial", n);
 			GETLONG(n, cp);
@@ -559,6 +577,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 			break;
 		case DNS_T_AAAA:
 			tp = (u_char*)name;
+			CHECKCP(8*2);
 			for(i=0; i < 8; i++) {
 				GETSHORT(s, cp);
 				if (s != 0) {
@@ -593,6 +612,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 		case DNS_T_A6:
 			p = cp;
 			add_assoc_string(*subarray, "type", "A6", 1);
+			CHECKCP(1);
 			n = ((int)cp[0]) & 0xFF;
 			cp++;
 			add_assoc_long(*subarray, "masklen", n);
@@ -628,6 +648,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 				cp++;
 			}
 			for (i = (n + 8) / 16; i < 8; i++) {
+				CHECKCP(2);
 				GETSHORT(s, cp);
 				if (s != 0) {
 					if (tp > (u_char *)name) {
@@ -657,7 +678,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 			tp[0] = '\0';
 			add_assoc_string(*subarray, "ipv6", name, 1);
 			if (cp < p + dlen) {
-				n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+				n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 				if (n < 0) {
 					return NULL;
 				}
@@ -666,6 +687,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 			}
 			break;
 		case DNS_T_SRV:
+			CHECKCP(3*2);
 			add_assoc_string(*subarray, "type", "SRV", 1);
 			GETSHORT(n, cp);
 			add_assoc_long(*subarray, "pri", n);
@@ -673,7 +695,7 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 			add_assoc_long(*subarray, "weight", n);
 			GETSHORT(n, cp);
 			add_assoc_long(*subarray, "port", n);
-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 			if (n < 0) {
 				return NULL;
 			}
@@ -681,21 +703,35 @@ static u_char *php_parserr(u_char *cp, querybuf *answer, int type_to_fetch, int
 			add_assoc_string(*subarray, "target", name, 1);
 			break;
 		case DNS_T_NAPTR:
+			CHECKCP(2*2);
 			add_assoc_string(*subarray, "type", "NAPTR", 1);
 			GETSHORT(n, cp);
 			add_assoc_long(*subarray, "order", n);
 			GETSHORT(n, cp);
 			add_assoc_long(*subarray, "pref", n);
+
+			CHECKCP(1);
 			n = (cp[0] & 0xFF);
-			add_assoc_stringl(*subarray, "flags", (char*)++cp, n, 1);
+			cp++;
+			CHECKCP(n);
+			add_assoc_stringl(*subarray, "flags", (char*)cp, n, 1);
 			cp += n;
+
+			CHECKCP(1);
 			n = (cp[0] & 0xFF);
-			add_assoc_stringl(*subarray, "services", (char*)++cp, n, 1);
+			cp++;
+			CHECKCP(n);
+			add_assoc_stringl(*subarray, "services", (char*)cp, n, 1);
 			cp += n;
+
+			CHECKCP(1);
 			n = (cp[0] & 0xFF);
-			add_assoc_stringl(*subarray, "regex", (char*)++cp, n, 1);
+			cp++;
+			CHECKCP(n);
+			add_assoc_stringl(*subarray, "regex", (char*)cp, n, 1);
 			cp += n;
-			n = dn_expand(answer->qb2, answer->qb2+65536, cp, name, (sizeof name) - 2);
+
+			n = dn_expand(answer->qb2, end, cp, name, (sizeof name) - 2);
 			if (n < 0) {
 				return NULL;
 			}
@@ -888,7 +924,7 @@ PHP_FUNCTION(dns_get_record)
 			while (an-- && cp && cp < end) {
 				zval *retval;
 
-				cp = php_parserr(cp, &answer, type_to_fetch, store_results, raw, &retval);
+				cp = php_parserr(cp, end, &answer, type_to_fetch, store_results, raw, &retval);
 				if (retval != NULL && store_results) {
 					add_next_index_zval(return_value, retval);
 				}
@@ -901,7 +937,7 @@ PHP_FUNCTION(dns_get_record)
 				while (ns-- > 0 && cp && cp < end) {
 					zval *retval = NULL;
 
-					cp = php_parserr(cp, &answer, DNS_T_ANY, authns != NULL, raw, &retval);
+					cp = php_parserr(cp, end, &answer, DNS_T_ANY, authns != NULL, raw, &retval);
 					if (retval != NULL) {
 						add_next_index_zval(authns, retval);
 					}
@@ -913,7 +949,7 @@ PHP_FUNCTION(dns_get_record)
 				while (ar-- > 0 && cp && cp < end) {
 					zval *retval = NULL;
 
-					cp = php_parserr(cp, &answer, DNS_T_ANY, 1, raw, &retval);
+					cp = php_parserr(cp, end, &answer, DNS_T_ANY, 1, raw, &retval);
 					if (retval != NULL) {
 						add_next_index_zval(addtl, retval);
 					}
-- 
cgit v1.2.1


From 706aefb78112a44d4932d4c9430c6a898696f51f Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Aug 2014 22:49:10 -0700
Subject: Fix bug #67730 - Null byte injection possible with imagexxx functions

---
 NEWS            | 2 ++
 ext/gd/gd_ctx.c | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/NEWS b/NEWS
index cd34e9e54e..a3a5268c07 100644
--- a/NEWS
+++ b/NEWS
@@ -16,6 +16,8 @@ PHP                                                                        NEWS
 - GD:
   . Fixed bug #66901 (php-gd 'c_color' NULL pointer dereference).
     (CVE-2014-2497) (Remi)
+  . Fixed bug #67730 (Null byte injection possible with imagexxx functions).
+    (CVE-2014-5120) (Ryan Mauger)
 
 - Milter:
   . Fixed bug #67715 (php-milter does not build and crashes randomly). (Mike)
diff --git a/ext/gd/gd_ctx.c b/ext/gd/gd_ctx.c
index bff691fad2..eafbab5896 100644
--- a/ext/gd/gd_ctx.c
+++ b/ext/gd/gd_ctx.c
@@ -124,6 +124,11 @@ static void _php_image_output_ctx(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 				RETURN_FALSE;
 			}
 		} else if (Z_TYPE_P(to_zval) == IS_STRING) {
+			if (CHECK_ZVAL_NULL_PATH(to_zval)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid 2nd parameter, filename must not contain null bytes");
+				RETURN_FALSE;
+			}
+
 			stream = php_stream_open_wrapper(Z_STRVAL_P(to_zval), "wb", REPORT_ERRORS|IGNORE_PATH|IGNORE_URL_WIN, NULL);
 			if (stream == NULL) {
 				RETURN_FALSE;
-- 
cgit v1.2.1


From 2b10db8e1010f55fd534672b8877a356e1118e33 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Mon, 18 Aug 2014 23:04:24 -0700
Subject: fix potentially missing NUL termination

---
 main/network.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/main/network.c b/main/network.c
index 59ce12ef20..5e44b0e6a8 100644
--- a/main/network.c
+++ b/main/network.c
@@ -989,6 +989,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize)
 		buf = estrdup(errstr);
 	} else {
 		strncpy(buf, errstr, bufsize);
+		buf[bufsize?(bufsize-1):0] = 0;
 	}
 	return buf;
 #else
@@ -1013,6 +1014,7 @@ PHPAPI char *php_socket_strerror(long err, char *buf, size_t bufsize)
 		buf = estrdup(sysbuf);
 	} else {
 		strncpy(buf, sysbuf, bufsize);
+		buf[bufsize?(bufsize-1):0] = 0;
 	}
 
 	if (free_it) {
-- 
cgit v1.2.1


From eb2360602e256c608ea0c5f6be0ec5ec085999f3 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev <stas@php.net>
Date: Tue, 19 Aug 2014 00:40:27 -0700
Subject: 5.4.32

---
 NEWS               | 2 +-
 configure.in       | 2 +-
 main/php_version.h | 4 ++--
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/NEWS b/NEWS
index a3a5268c07..4c000d7936 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,6 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-07 Aug 2014, PHP 5.4.32 RC1
+07 Aug 2014, PHP 5.4.32
 
 - Core:
   . Fixed bug #67717 (segfault in dns_get_record). (CVE-2014-3597) (Remi) 
diff --git a/configure.in b/configure.in
index 27030ea1f0..1ccfd94887 100644
--- a/configure.in
+++ b/configure.in
@@ -120,7 +120,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=4
 PHP_RELEASE_VERSION=32
-PHP_EXTRA_VERSION="RC1"
+PHP_EXTRA_VERSION=""
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
 
diff --git a/main/php_version.h b/main/php_version.h
index de525b89c3..8d3d5b9e6c 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -4,6 +4,6 @@
 #define PHP_MINOR_VERSION 4
 #define PHP_RELEASE_VERSION 32
 
-#define PHP_EXTRA_VERSION "RC1"
-#define PHP_VERSION "5.4.32RC1"
+#define PHP_EXTRA_VERSION ""
+#define PHP_VERSION "5.4.32"
 #define PHP_VERSION_ID 50432
-- 
cgit v1.2.1