From 481520d3819b0b68b65539ff59b4bd2f018d6e5f Mon Sep 17 00:00:00 2001 From: Joe Watkins Date: Wed, 28 Aug 2019 09:06:38 +0200 Subject: [PATCH 1/3] set versions for release --- NEWS | 8 ++++++++ configure.in | 2 +- main/php_version.h | 6 +++--- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/NEWS b/NEWS index 4587c5bae36..a46a8e01b8d 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,13 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +29 Aug 2019, PHP 7.1.32 + +- mbstring: + . Fixed CVE-2019-13224 (don't allow different encodings for onig_new_deluxe) (stas) + +- pcre: + . Fixed bug #75457 (heap use-after-free in pcrelib) (cmb) + 01 Aug 2019, PHP 7.1.31 - SQLite: diff --git a/configure.in b/configure.in index 09d43fecd03..9f05672eb0f 100644 --- a/configure.in +++ b/configure.in @@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=1 -PHP_RELEASE_VERSION=31 +PHP_RELEASE_VERSION=32 PHP_EXTRA_VERSION="" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index e7dfcce9e17..829754b3bd1 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 1 -#define PHP_RELEASE_VERSION 31 +#define PHP_RELEASE_VERSION 32 #define PHP_EXTRA_VERSION "" -#define PHP_VERSION "7.1.31" -#define PHP_VERSION_ID 70131 +#define PHP_VERSION "7.1.32" +#define PHP_VERSION_ID 70132 From fadd7f0f1e7a44d6209b5c5cf30870e4b73efa7d Mon Sep 17 00:00:00 2001 From: Joe Watkins Date: Wed, 28 Aug 2019 09:08:23 +0200 Subject: [PATCH 2/3] bump versions after release --- NEWS | 4 ++++ configure.in | 4 ++-- main/php_version.h | 8 ++++---- 3 files changed, 10 insertions(+), 6 deletions(-) 
diff --git a/NEWS b/NEWS index a46a8e01b8d..48f862774dc 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| +?? ??? ????, PHP 7.1.33 + + + 29 Aug 2019, PHP 7.1.32 - mbstring: diff --git a/configure.in b/configure.in index 9f05672eb0f..24e1e0f25de 100644 --- a/configure.in +++ b/configure.in @@ -119,8 +119,8 @@ int zend_sprintf(char *buffer, const char *format, ...); PHP_MAJOR_VERSION=7 PHP_MINOR_VERSION=1 -PHP_RELEASE_VERSION=32 -PHP_EXTRA_VERSION="" +PHP_RELEASE_VERSION=33 +PHP_EXTRA_VERSION="dev" PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION" PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION` diff --git a/main/php_version.h b/main/php_version.h index 829754b3bd1..8def7e0f43b 100644 --- a/main/php_version.h +++ b/main/php_version.h @@ -2,7 +2,7 @@ /* edit configure.in to change version number */ #define PHP_MAJOR_VERSION 7 #define PHP_MINOR_VERSION 1 -#define PHP_RELEASE_VERSION 32 -#define PHP_EXTRA_VERSION "" -#define PHP_VERSION "7.1.32" -#define PHP_VERSION_ID 70132 +#define PHP_RELEASE_VERSION 33 +#define PHP_EXTRA_VERSION "dev" +#define PHP_VERSION "7.1.33" +#define PHP_VERSION_ID 70133 From ab061f95ca966731b1c84cf5b7b20155c0a1c06a Mon Sep 17 00:00:00 2001 From: Jakub Zelenka Date: Sat, 12 Oct 2019 15:56:16 +0100 Subject: [PATCH 3/3] Fix bug #78599 (env_path_info underflow can lead to RCE) (CVE-2019-11043) --- NEWS | 4 +- sapi/fpm/fpm/fpm_main.c | 4 +- .../tests/bug78599-path-info-underflow.phpt | 61 +++++++++++++++++++ sapi/fpm/tests/tester.inc | 11 +++- 4 files changed, 75 insertions(+), 5 deletions(-) create mode 100644 sapi/fpm/tests/bug78599-path-info-underflow.phpt diff --git a/NEWS b/NEWS index 48f862774dc..28b57bb2671 100644 --- a/NEWS +++ b/NEWS 
@@ -2,7 +2,9 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? ????, PHP 7.1.33 - +- FPM: + . Fixed bug #78599 (env_path_info underflow in fpm_main.c can lead to RCE). + (CVE-2019-11043) (Jakub Zelenka) 29 Aug 2019, PHP 7.1.32 diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c index 24a7e5d56ac..50f92981f1f 100644 --- a/sapi/fpm/fpm/fpm_main.c +++ b/sapi/fpm/fpm/fpm_main.c @@ -1209,8 +1209,8 @@ static void init_request_info(void) path_info = script_path_translated + ptlen; tflag = (slen != 0 && (!orig_path_info || strcmp(orig_path_info, path_info) != 0)); } else { - path_info = env_path_info ? env_path_info + pilen - slen : NULL; - tflag = (orig_path_info != path_info); + path_info = (env_path_info && pilen > slen) ? env_path_info + pilen - slen : NULL; + tflag = path_info && (orig_path_info != path_info); } if (tflag) { diff --git a/sapi/fpm/tests/bug78599-path-info-underflow.phpt b/sapi/fpm/tests/bug78599-path-info-underflow.phpt new file mode 100644 index 00000000000..edd4e0d4969 --- /dev/null +++ b/sapi/fpm/tests/bug78599-path-info-underflow.phpt @@ -0,0 +1,61 @@ +--TEST-- +FPM: bug78599 - env_path_info underflow - CVE-2019-11043 +--SKIPIF-- + +--FILE-- +start(); +$tester->expectLogStartNotices(); +$uri = $tester->makeSourceFile(); +$tester + ->request( + '', + [ + 'SCRIPT_FILENAME' => $uri . "/" . str_repeat('A', 35), + 'PATH_INFO' => '', + 'HTTP_HUI' => str_repeat('PTEST', 1000), + ], + $uri + ) + ->expectBody( + [ + 'Test Start', + 'string(0) ""', + 'Test End' + ] + ); +$tester->terminate(); +$tester->close(); + +?> +Done +--EXPECT-- +Done +--CLEAN-- + diff --git a/sapi/fpm/tests/tester.inc b/sapi/fpm/tests/tester.inc index 70c03ad70f1..3b6702866cc 100644 --- a/sapi/fpm/tests/tester.inc +++ b/sapi/fpm/tests/tester.inc 
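Review bot: The strict `pilen > slen` test on the first added line of the fpm_main.c hunk is the whole fix for the pointer underflow, yet nothing in the hunk says so; add a why-comment such as `/* bug #78599: PATH_INFO must be longer than the suffix carved off the script path, otherwise the pointer would land before env_path_info */` so the next reader does not "simplify" it back. Note also that for `pilen == slen` the old expression produced `env_path_info` itself while the new one produces NULL and forces `tflag` to 0; if `orig_path_info` aliases `env_path_info` at that point the observable result is unchanged, otherwise this is a behaviour change that deserves a sentence in the commit message or its own test alongside the underflow one. The declarations of `pilen` and `slen` and the rest of init_request_info lie outside the hunk, so their signedness could not be checked here; the guard is sound under either, since the subtraction is now only reached when `pilen` exceeds `slen`.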
@@ -513,7 +513,7 @@ class Tester
 return new Response(null, true);
 }
 if (is_null($uri)) {
- $uri = $this->makeFile('src.php', $this->code);
+ $uri = $this->makeSourceFile();
 }
 $params = array_merge(
@@ -538,7 +538,6 @@ class Tester
 ],
 $headers
 );
- try {
 $this->response = new Response(
 $this->getClient($address, $connKeepAlive)->request_data($params, false)
@@ -944,6 +943,14 @@ class Tester
 return $filePath;
 }
+ /**
+ * @return string
+ */
+ public function makeSourceFile()
+ {
+ return $this->makeFile('src.php', $this->code);
+ }
+
 /**
 * @param string|null $msg
 */
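Review bot: The `try {` deleted in the -538 hunk has no counterpart deletion anywhere in this patch (the diffstat credits tester.inc with two deletions, the other being the makeFile line at -513), so if a `catch` block still follows the `new Response(...)` call below, request() would no longer parse; this is inferred, because the remainder of the method lies outside the hunk. If the `try {` was a stray leftover in this branch, a sentence in the commit message saying so would spare the next reader the same check.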
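Review bot: The docblock on the new `makeSourceFile()` in the -944 hunk says only `@return string`, which tells a caller nothing about what the string is or which file the method writes; since it now stands in for the inline `makeFile('src.php', $this->code)` call at -513, spell that out, e.g. `* Materialises $this->code as src.php via makeFile() and returns what makeFile() returns for it (presumably the file path, given the \`return $filePath;\` just above).`. makeFile()'s body is outside the hunk, so the return value description should be confirmed against it before the comment is committed.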