From 36239fee3638a8f4cfe3ca3aba597cb1699abd90 Mon Sep 17 00:00:00 2001
From: Stanislav Malyshev
Date: Tue, 20 Feb 2018 15:34:43 -0800
Subject: [PATCH 1/2] Fix bug #75981: prevent reading beyond buffer start

---
 ext/standard/http_fopen_wrapper.c | 4 ++--
 ext/standard/tests/http/bug75981.phpt | 32 +++++++++++++++++++++++++++
 2 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 ext/standard/tests/http/bug75981.phpt

diff --git a/ext/standard/http_fopen_wrapper.c b/ext/standard/http_fopen_wrapper.c
index ed6adc00398..78bd935a0e2 100644
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@@ -737,9 +737,9 @@ finish:
 tmp_line, response_code);
 }
 }
- if (tmp_line[tmp_line_len - 1] == '\n') {
+ if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\n') {
 --tmp_line_len;
- if (tmp_line[tmp_line_len - 1] == '\r') {
+ if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {
 --tmp_line_len;
 }
 }
diff --git a/ext/standard/tests/http/bug75981.phpt b/ext/standard/tests/http/bug75981.phpt
new file mode 100644
index 00000000000..d415de66b90
--- /dev/null
+++ b/ext/standard/tests/http/bug75981.phpt
@@ -0,0 +1,32 @@
+--TEST--
+Bug #75981 (stack-buffer-overflow while parsing HTTP response)
+--INI--
+allow_url_fopen=1
+--SKIPIF--
+
+--FILE--
+ [
+ 'protocol_version' => '1.1',
+ 'header' => 'Connection: Close'
+ ],
+];
+
+$ctx = stream_context_create($options);
+
+$responses = [
+ "data://text/plain,000000000100\xA\xA"
+];
+$pid = http_server('tcp://127.0.0.1:12342', $responses);
+
+echo @file_get_contents('http://127.0.0.1:12342/', false, $ctx);
+
+http_server_kill($pid);
+
+?>
+DONE
+--EXPECT--
+DONE
From b4e4788c4461449b4587e19ef1f474ce938e4980 Mon Sep 17 00:00:00 2001
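Review bot: The inner guard `if (tmp_line_len >= 1 &&tmp_line[tmp_line_len - 1] == '\r') {` is missing the space after `&&`; it should read `if (tmp_line_len >= 1 && tmp_line[tmp_line_len - 1] == '\r') {` so it matches the outer check on the `'\n'` line. Both length checks are required, not just the outer one, because the first decrement can bring `tmp_line_len` to zero before the `'\r'` lookup, and an empty status line (the `\xA\xA` tail in the test's canned response) is exactly the input that made the old unguarded `tmp_line[tmp_line_len - 1]` index outside the buffer. Any other `tmp_line[tmp_line_len - 1]` access in this function would need the same guard, but only this site is visible in the hunk. The enclosing function starts and ends outside the hunk.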
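Review bot: The server and the client both hard-code port 12342 (`http_server('tcp://127.0.0.1:12342', $responses)` and `file_get_contents('http://127.0.0.1:12342/', false, $ctx)`), so the test fails spuriously whenever a parallel test or a lingering listener already holds that port. If the `server.inc` helper can bind an ephemeral port and report it, feeding that value to both calls would make the test independent of the environment; the helper is not visible here. The `--SKIPIF--` section and the head of `--FILE--` appear truncated in this rendering, so only the visible lines are reviewed.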
From: "Christoph M. Becker"
Date: Tue, 27 Mar 2018 18:42:55 +0200
Subject: [PATCH 2/2] Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value

The MakerNote is not necessarily null-terminated, so we must not use `strlen()` to avoid OOB reads. Instead `php_strnlen()` is the proper way to handle this.

---
 ext/exif/exif.c | 2 +-
 ext/exif/tests/bug76130.phpt | 20 ++++++++++++++++++++
 ext/exif/tests/bug76130_1.jpg | Bin 0 -> 3396 bytes
 ext/exif/tests/bug76130_2.jpg | Bin 0 -> 1632 bytes
 4 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 ext/exif/tests/bug76130.phpt
 create mode 100644 ext/exif/tests/bug76130_1.jpg
 create mode 100644 ext/exif/tests/bug76130_2.jpg

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 1c8772f76be..e535278fc96 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -1710,7 +1710,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
 case TAG_FMT_UNDEFINED:
 if (value) {
 if (tag == TAG_MAKER_NOTE) {
- length = MIN(length, strlen(value));
+ length = (int) php_strnlen(value, length);
 }
 /* do not recompute length here */
diff --git a/ext/exif/tests/bug76130.phpt b/ext/exif/tests/bug76130.phpt
new file mode 100644
index 00000000000..9c826af6292
--- /dev/null
+++ b/ext/exif/tests/bug76130.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value)
+--DESCRIPTION--
+This test is meant to exhibit memory issues with the `-m` option. Since a lot of
+notices and warnings are to be expected anyway, we suppress these, since the are
+not relevant for this test.
+--INI--
+error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE
+--SKIPIF--
+
+--FILE--
+
+===DONE===
+--EXPECT--
+===DONE===
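Review bot: `length` is an `int` (hence the `(int)` cast on the new line) that is now forwarded unchanged as the scan bound of `php_strnlen()`; if a caller ever passes a negative value, the conversion to an unsigned size (assuming `php_strnlen` takes a `size_t` bound) turns it into a very large limit and the scan is again not bounded by the tag's declared size. A defensive `if (length < 0) length = 0;` ahead of the call, or an assertion that `length` is non-negative, would close that gap; whether negative lengths can reach this point is not visible in the hunk. The reason for preferring `php_strnlen` over `strlen` lives only in the commit message, so a comment on the new line would help the next reader: `/* MakerNote data need not be NUL-terminated; bound the scan by the declared length */`. The enclosing function starts and ends outside the hunk.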
diff --git a/ext/exif/tests/bug76130_1.jpg b/ext/exif/tests/bug76130_1.jpg new file mode 100644 index 0000000000000000000000000000000000000000..e063e46d22a897f1c7d10d375b672c03146c3350 GIT binary patch literal 3396 zcmex=!+=4+00lhcHE^xSOk-g1^weVDU|?V{U;xX5Sgb${0)vIkhU6Yvu$fTJubBk( nJIpR{V2l!@Aut*OqaiRF0;3@?8UmvsFd71*Aut*OBPRp^q!MLZ literal 0 HcmV?d00001 diff --git a/ext/exif/tests/bug76130_2.jpg b/ext/exif/tests/bug76130_2.jpg new file mode 100644 index 0000000000000000000000000000000000000000..a9e79dca5cf029b50c88dc4fea7ebbf8975f411b GIT binary patch literal 1632 zcmebD)MDUZU|`5$sF_sHAOd8`F)}cCF*1SJ|7Wo=Fl4qffrQ1lfy7d#LqKsxhA37B zCK%wD1Xj!7#EB4t$&J#3I0U$;@3w~j|Nm3p)KL>hLtvzbfQ@}YMu7qlXXd4`YG_(3 z*xNB6i{&GUF@9x)12i>oapD>O4>1UGFs3jyFf$4=I0-N^2r~XZ!XOW<1sGUafdm|| SGjK0~R0TzBw-`7W!EyjwF)_*j literal 0 HcmV?d00001