From: Stanislav Malyshev <stas@php.net>
Date: Sun, 6 Jan 2019 19:57:16 +0000 (-0800)
Subject: Merge branch 'PHP-7.1' into PHP-7.2
X-Git-Tag: php-7.3.2RC1~51^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=fe820fcba616a736b80e911cfc132388acd35ace;p=php

Merge branch 'PHP-7.1' into PHP-7.2

* PHP-7.1:
  Fix #77369 - memcpy with negative length via crafted DNS response
  Fix more issues with encodilng length
  Fix #77270: imagecolormatch Out Of Bounds Write on Heap
  Fix bug #77380  (Global out of bounds read in xmlrpc base64 code)
  Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
  Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
  Fix #77269: Potential unsigned underflow in gdImageScale
  Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
  Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
  Regenerate certs for openssl tests
---

fe820fcba616a736b80e911cfc132388acd35ace
diff --cc ext/gd/tests/bug77269.phpt
index 0000000000,3bdc23e80a..c89f674b8a
mode 000000,100644..100644
--- a/ext/gd/tests/bug77269.phpt
+++ b/ext/gd/tests/bug77269.phpt
@@@ -1,0 -1,21 +1,21 @@@
+ --TEST--
+ Bug #77269 (Potential unsigned underflow in gdImageScale)
+ --SKIPIF--
+ <?php
+ if (!extension_loaded('gd')) die('skip gd extension not available');
+ if (getenv("SKIP_SLOW_TESTS")) die("skip slow test");
+ ?>
+ --INI--
+ memory_limit=2G
+ --FILE--
+ <?php
+ $im = imagecreate(2**28, 1);
+ if(is_resource($im)) {
+ 	imagescale($im, 1, 1, IMG_TRIANGLE);
+ }
+ ?>
+ ===DONE===
+ --EXPECTF--
 -Warning: imagecreate():%S product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
++Warning: imagescale():%S product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully
+  in %s on line %d
+ ===DONE===
diff --cc ext/mbstring/oniguruma/src/regparse.c
index 8153513202,fcfaf4378c..0c0b07804b
--- a/ext/mbstring/oniguruma/src/regparse.c
+++ b/ext/mbstring/oniguruma/src/regparse.c
@@@ -3581,20 -3574,18 +3584,23 @@@ fetch_token(OnigToken* tok, UChar** src
        break;
  
      default:
 -      PUNFETCH;
 -      num = fetch_escaped_value(&p, end, env);
 -      if (num < 0) return num;
 -      /* set_raw: */
 -      if (tok->u.c != num) {
 -	tok->type = TK_CODE_POINT;
 -	tok->u.code = (OnigCodePoint )num;
 -      }
 -      else { /* string */
 +      {
 +        OnigCodePoint c2;
 +
 +        PUNFETCH;
 +        num = fetch_escaped_value(&p, end, env, &c2);
 +        if (num < 0) return num;
 +        /* set_raw: */
 +        if (tok->u.c != c2) {
 +          tok->type = TK_CODE_POINT;
 +          tok->u.code = c2;
 +        }
 +        else { /* string */
 +          p = tok->backp + enclen(enc, tok->backp);
+           int len;
+           SAFE_ENC_LEN(enc, tok->backp, end, len);
+           p = tok->backp + len;
 +        }
        }
        break;
      }