2 files changed, 57 insertions, 0 deletions
diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
new file mode 100644
index 0000000000..596244d6ba
--- /dev/null
+++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
@@ -0,0 +1,56 @@
+From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001
+From: Li Zhou <li.zhou@windriver.com>
+Date: Sun, 11 Feb 2018 15:03:21 +0800
+Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
+ gdImageCreateFromGifCtx
+Due to a signedness confusion in `GetCode_` a corrupt GIF file can
+trigger an infinite loop.  Furthermore we make sure that a GIF without
+any palette entries is treated as invalid *after* open palette entries
+have been removed.
+Upstream-Status: Backport
+CVE: CVE-2018-5711
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ ext/gd/libgd/gd_gif_in.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index 76ba152..7156e4b 100644
+--- a/ext/gd/libgd/gd_gif_in.c
+++ b/ext/gd/libgd/gd_gif_in.c
+@@ -261,10 +261,6 @@ terminated:
+        if (!im) {
+                return 0;
+        }
+-       if (!im->colorsTotal) {
+-               gdImageDestroy(im);
+-               return 0;
+-       }
+        /* Check for open colors at the end, so
+           we can reduce colorsTotal and ultimately
+           BitsPerPixel */
+@@ -275,6 +271,10 @@ terminated:
+                        break;
+                }
+        }
+       if (!im->colorsTotal) {
+               gdImageDestroy(im);
+               return 0;
+       }
+        return im;
+ }
+ /* }}} */
+@@ -375,7 +375,7 @@ static int
+ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroDataBlockP)
+ {
+        int           i, j, ret;
+-       unsigned char count;
+       int           count;
+ 
+        if (flag) {
+                scd->curbit = 0;
+-- 
+1.9.1
diff --git a/meta-oe/recipes-devtools/php/php_7.1.9.bb b/meta-oe/recipes-devtools/php/php_7.1.9.bb
index acf68a0594..1d9e35a9ce 100644
--- a/meta-oe/recipes-devtools/php/php_7.1.9.bb
+++ b/meta-oe/recipes-devtools/php/php_7.1.9.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c0af599f66d0461c5837c695fcbc5c1e"
 SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
            file://0001-Specify-tag-with-libtool.patch \
            file://CVE-2017-16642.patch \
+            file://CVE-2018-5711.patch \
           "
 SRC_URI[md5sum] = "2397be54f3281cdf30c7ef076b28f7d0"
 SRC_URI[sha256sum] = "314dcc10dfdd7c4443edb4fe1e133a44f2b2a8351be8c9eb6ab9222d45fd9bae"

diff --git a/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch new file mode 100644 index 0000000000..596244d6ba --- /dev/null +++ b/meta-oe/recipes-devtools/php/php-7.1.9/CVE-2018-5711.patch
@@ -0,0 +1,56 @@
		1	From b04cd19b76374ebce8f3326275bdfd7e9b9aeab5 Mon Sep 17 00:00:00 2001
		2	From: Li Zhou <li.zhou@windriver.com>
		3	Date: Sun, 11 Feb 2018 15:03:21 +0800
		4	Subject: [PATCH] Fixed bug #75571: Potential infinite loop in
		5	gdImageCreateFromGifCtx
		6
		7	Due to a signedness confusion in `GetCode_` a corrupt GIF file can
		8	trigger an infinite loop. Furthermore we make sure that a GIF without
		9	any palette entries is treated as invalid after open palette entries
		10	have been removed.
		11
		12	Upstream-Status: Backport
		13	CVE: CVE-2018-5711
		14	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		15	---
		16	ext/gd/libgd/gd_gif_in.c \| 10 +++++-----
		17	1 file changed, 5 insertions(+), 5 deletions(-)
		18
		19	diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
		20	index 76ba152..7156e4b 100644
		21	--- a/ext/gd/libgd/gd_gif_in.c
		22	+++ b/ext/gd/libgd/gd_gif_in.c
		23	@@ -261,10 +261,6 @@ terminated:
		24	if (!im) {
		25	return 0;
		26	}
		27	- if (!im->colorsTotal) {
		28	- gdImageDestroy(im);
		29	- return 0;
		30	- }
		31	/* Check for open colors at the end, so
		32	we can reduce colorsTotal and ultimately
		33	BitsPerPixel */
		34	@@ -275,6 +271,10 @@ terminated:
		35	break;
		36	}
		37	}
		38	+ if (!im->colorsTotal) {
		39	+ gdImageDestroy(im);
		40	+ return 0;
		41	+ }
		42	return im;
		43	}
		44	/* }}} */
		45	@@ -375,7 +375,7 @@ static int
		46	GetCode_(gdIOCtx fd, CODE_STATIC_DATA scd, int code_size, int flag, int *ZeroDataBlockP)
		47	{
		48	int i, j, ret;
		49	- unsigned char count;
		50	+ int count;
		51
		52	if (flag) {
		53	scd->curbit = 0;
		54	--
		55	1.9.1
		56


diff --git a/meta-oe/recipes-devtools/php/php_7.1.9.bb b/meta-oe/recipes-devtools/php/php_7.1.9.bb index acf68a0594..1d9e35a9ce 100644 --- a/meta-oe/recipes-devtools/php/php_7.1.9.bb +++ b/meta-oe/recipes-devtools/php/php_7.1.9.bb
@@ -5,6 +5,7 @@ LIC_FILES_CHKSUM = "file://LICENSE;md5=c0af599f66d0461c5837c695fcbc5c1e"
5	SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \	5	SRC_URI += "file://change-AC_TRY_RUN-to-AC_TRY_LINK.patch \
6	file://0001-Specify-tag-with-libtool.patch \	6	file://0001-Specify-tag-with-libtool.patch \
7	file://CVE-2017-16642.patch \	7	file://CVE-2017-16642.patch \
		8	file://CVE-2018-5711.patch \
8	"	9	"
9	SRC_URI[md5sum] = "2397be54f3281cdf30c7ef076b28f7d0"	10	SRC_URI[md5sum] = "2397be54f3281cdf30c7ef076b28f7d0"
10	SRC_URI[sha256sum] = "314dcc10dfdd7c4443edb4fe1e133a44f2b2a8351be8c9eb6ab9222d45fd9bae"	11	SRC_URI[sha256sum] = "314dcc10dfdd7c4443edb4fe1e133a44f2b2a8351be8c9eb6ab9222d45fd9bae"