1 files changed, 53 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch
new file mode 100644
index 0000000000..700b99bd93
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch
@@ -0,0 +1,53 @@
+From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Dec 2019 01:14:38 -0800
+Subject: [PATCH] Fix bug #78793
+Upstream-Status: Accepted
+CVE-2019-11050
+   
+Reference to upstream patch:
+http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
+http://git.php.net/?p=php-src.git;a=commit;h=1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2
+---
+ ext/exif/exif.c              |  5 +++--
+ ext/exif/tests/bug78793.phpt | 12 ++++++++++++
+ 2 files changed, 15 insertions(+), 2 deletions(-)
+ create mode 100644 ext/exif/tests/bug78793.phpt
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index c0be05922f..7fe055f381 100644
+--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
+@@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
+        }
+ 
+        for (de=0;de<NumDirEntries;de++) {
+-               if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
+-                                                                 offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
+               size_t offset = 2 + 12 * de;
+               if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
+                                                                 offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
+                        return FALSE;
+                }
+        }
+diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
+new file mode 100644
+index 0000000000..033f255ace
+--- /dev/null
+++ b/ext/exif/tests/bug78793.phpt
+@@ -0,0 +1,12 @@
+--TEST--
+Bug #78793: Use-after-free in exif parsing under memory sanitizer
+--FILE--
+<?php
+$f = "ext/exif/tests/bug77950.tiff";
+for ($i = 0; $i < 10; $i++) {
+    @exif_read_data($f);
+}
+?>
+===DONE===
+--EXPECT--
+===DONE===
+-- 
+2.11.0

diff --git a/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch new file mode 100644 index 0000000000..700b99bd93 --- /dev/null +++ b/meta-oe/recipes-devtools/php/php/CVE-2019-11050.patch
@@ -0,0 +1,53 @@
	1	From c14eb8de974fc8a4d74f3515424c293bc7a40fba Mon Sep 17 00:00:00 2001
	2	From: Stanislav Malyshev <stas@php.net>
	3	Date: Mon, 16 Dec 2019 01:14:38 -0800
	4	Subject: [PATCH] Fix bug #78793
	5
	6	Upstream-Status: Accepted
	7	CVE-2019-11050
	8
	9	Reference to upstream patch:
	10	http://git.php.net/?p=php-src.git;a=commit;h=c14eb8de974fc8a4d74f3515424c293bc7a40fba
	11	http://git.php.net/?p=php-src.git;a=commit;h=1b3b4a0d367b6f0b67e9f73d82f53db6c6b722b2
	12	---
	13	ext/exif/exif.c \| 5 +++--
	14	ext/exif/tests/bug78793.phpt \| 12 ++++++++++++
	15	2 files changed, 15 insertions(+), 2 deletions(-)
	16	create mode 100644 ext/exif/tests/bug78793.phpt
	17
	18	diff --git a/ext/exif/exif.c b/ext/exif/exif.c
	19	index c0be05922f..7fe055f381 100644
	20	--- a/ext/exif/exif.c
	21	+++ b/ext/exif/exif.c
	22	@@ -3240,8 +3240,9 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type ImageInfo, char valu
	23	}
	24
	25	for (de=0;de<NumDirEntries;de++) {
	26	- if (!exif_process_IFD_TAG(ImageInfo, dir_start + 2 + 12 * de,
	27	- offset_base, data_len, displacement, section_index, 0, maker_note->tag_table)) {
	28	+ size_t offset = 2 + 12 * de;
	29	+ if (!exif_process_IFD_TAG(ImageInfo, dir_start + offset,
	30	+ offset_base, data_len - offset, displacement, section_index, 0, maker_note->tag_table)) {
	31	return FALSE;
	32	}
	33	}
	34	diff --git a/ext/exif/tests/bug78793.phpt b/ext/exif/tests/bug78793.phpt
	35	new file mode 100644
	36	index 0000000000..033f255ace
	37	--- /dev/null
	38	+++ b/ext/exif/tests/bug78793.phpt
	39	@@ -0,0 +1,12 @@
	40	+--TEST--
	41	+Bug #78793: Use-after-free in exif parsing under memory sanitizer
	42	+--FILE--
	43	+<?php
	44	+$f = "ext/exif/tests/bug77950.tiff";
	45	+for ($i = 0; $i < 10; $i++) {
	46	+ @exif_read_data($f);
	47	+}
	48	+?>
	49	+===DONE===
	50	+--EXPECT--
	51	+===DONE===
	52	--
	53	2.11.0