From f51062523d03911cc141507112e3ce14b41f73a2 Mon Sep 17 00:00:00 2001 From: Alexander Kurilo Date: Mon, 31 Dec 2018 12:19:36 +0300 Subject: [PATCH 01/12] Regenerate certs for openssl tests --- ext/openssl/tests/bug54992-ca.pem | 54 +++++++++--------- ext/openssl/tests/bug54992.pem | 28 ++++----- ext/openssl/tests/bug54992.phpt | 42 ++++++++++++++ ext/openssl/tests/bug65538.phar | Bin 11278 -> 11278 bytes .../tests/openssl_peer_fingerprint_basic.phpt | 11 +++- 5 files changed, 91 insertions(+), 44 deletions(-) diff --git a/ext/openssl/tests/bug54992-ca.pem b/ext/openssl/tests/bug54992-ca.pem index ac139176aa5..743a11e8fde 100644 --- a/ext/openssl/tests/bug54992-ca.pem +++ b/ext/openssl/tests/bug54992-ca.pem 
@@ -1,35 +1,35 @@ -----BEGIN CERTIFICATE----- -MIIGAzCCA+ugAwIBAgIUVL06vQzqQ1uRdJ7NAAZyylsKOpYwDQYJKoZIhvcNAQEL +MIIGAzCCA+ugAwIBAgIUZ7ZvvfVqSEf1EswMT9LfMIPc/U8wDQYJKoZIhvcNAQEL BQAwgZAxCzAJBgNVBAYTAlBUMQ8wDQYDVQQIDAZMaXNib2ExDzANBgNVBAcMBkxp c2JvYTEXMBUGA1UECgwOUEhQIEZvdW5kYXRpb24xHjAcBgNVBAMMFVJvb3QgQ0Eg Zm9yIFBIUCBUZXN0czEmMCQGCSqGSIb3DQEJARYXaW50ZXJuYWxzQGxpc3RzLnBo -cC5uZXQwHhcNMTgxMjAxMjEzNTUwWhcNMTgxMjMxMjEzNTUwWjCBkDELMAkGA1UE +cC5uZXQwHhcNMTgxMjMxMDg0NDU3WhcNMjAwMjA0MDg0NDU3WjCBkDELMAkGA1UE BhMCUFQxDzANBgNVBAgMBkxpc2JvYTEPMA0GA1UEBwwGTGlzYm9hMRcwFQYDVQQK DA5QSFAgRm91bmRhdGlvbjEeMBwGA1UEAwwVUm9vdCBDQSBmb3IgUEhQIFRlc3Rz MSYwJAYJKoZIhvcNAQkBFhdpbnRlcm5hbHNAbGlzdHMucGhwLm5ldDCCAiIwDQYJ -KoZIhvcNAQEBBQADggIPADCCAgoCggIBANVgTLlHH3bNkxx+XA1xhr842rf+lP5A -XDhM5N9vRCXs/6FAB6iFAfnR+YVgcHD/ppgrrOlAIf6QF2J9EOA4h9oOtCrbhC9y -3uKT/dnPWpa39NAdHDJMl2GndulhfyNzXoPmHR+UmVl8RIwJa2yzq8kfI28VZOdG -4oW+L8hybO1r+7kewnI/3TQme+yxRMtI/RDAneBPUu4yx+VTy6gP1R7PMwEnMgLC -msdBEJh2FR2rjboejZiBAHRG5cWbmRlYV0ApDZAgaKbKGCgken7FF9mImduv7c9H -pHkSKAFdt5hYaeJJy48lh5wC7gMjBo62WKUnBqnV1gBBniWSfsgfNJKPV5a3EO32 -7KinHzzCH4V1C8tCU26om0CoRI+Bm/dpnwuDZWELzMnnyAeCmGWnPi2s/+QaWwKC -sMXn0+3CFYtlZ+zEZm0KB10RMypRLhn9md9/TfxJNNjDIHCMCLJkxyxFnYOWqtCd -zAA09r117AgM3tbRYY9NYvNzLw5hnPs2W3gB4vrUzqBcgdfIdVaE1QUyy8rWjMNI -fIVJVFeyN2mcg3JQw2WmKINDQJWZxXFJR9BPgISpR93BF5zIfGZSSRPuBXaXQ6j/ -9aw+fnA8asietOL2wGa60zqX1WKopNYvRlt6CCIYkFcfRRkoEjcMRpyVsSn2U9Dd -pFlDHq9iE6SLAgMBAAGjUzBRMB0GA1UdDgQWBBQKZYIWtrUo8Iv5zBWfBn40D7p9 -1DAfBgNVHSMEGDAWgBQKZYIWtrUo8Iv5zBWfBn40D7p91DAPBgNVHRMBAf8EBTAD -AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAEJhZ6mMgRUJGF4dM5r+SfrwCTbNGDJkFz -DSbeb6WMTtvzL1g2P5zHQ0OvlX+mvmqCRXM40sUFMHDLCQzIgKLpgd44yZM6k4wL -hReX2okQ8tEwB73ahy/H3TaRr3B2l6s16kx4obDpyTsbrBZgiks515ru5EM2pv7x -31Ya2sUlXBWt+Kc+Z/6UI2Eot7G4M11oeRGpWnFBqPFAIByEbnCR4NCPbAKl2t2q -vhsQh0zAo9qB4uUyc/XblKKRtdupDnRceSCLg18ZwnBxrVZBuSK5oUCAwAFtE4BZ -G793gbwIUeR0pFgNMKkfPnXy3Ii8OmPDc9CsxO0Qg4Xh2VXWpVI+N5xL5L/M3O1i 
-UDDO2PeoaEVfz3htOCYo1U6BSQqMzg5JD2JifzKEscy3rFkpH21EHLg07Fv4ZSFo -HG22zt00dJpNatyAzzaYHlMel4K1fwNrGrUH5M2OeRtvkUMlDKwp8qrKIDpTi6vT -GW0woBoRlR1+qGGG9RHBqm937uhHJsLw8lFJmvO0ObqbdpdfW4nWugL8x1LZC9oz -uaH7hwj5i0SKK/StuLxAPP6cl4RqQhXO5rxEz2iFjl4nwwtRH3KPEDEAvQcnNXpi -2YV5z8C78j1amzbSJBlGpu3aoJNn+WPgjePmeBe7oE9t1/5kvIVIAj8kg6CaKfHz -6hiK1Erl8g== +KoZIhvcNAQEBBQADggIPADCCAgoCggIBAPVThsunmhda5hbNi+pXD3WF9ijryB9H +JDnIbPW/vMffWcQgtiRzc+6aCykBygnhnN91NNRpxOsoLCb7OjUMM0TjhSE9DxKD +aVLRoDcs5VSaddQjq3AwdkU6ek9InUOeDuZ8gatrpWlEyuQPwwnMAfR9NkcTajuF +hGO0BlqkHg98GckQD0N5x6CrrDJt6RE6hf9gUZSGSWdPTiETBQUN8LTuxo/ybFSN +hcpVNCF+r3eozATbSU8YvQU52RmPIZWHHmYb7KtMO3TEX4LnLJUOefUK4qk+ZJ0s +f4JfnY7RhBlZGh2kIyE5jwqz8/KzKtxrutNaupdTFZO8nX09QSgmDCxVWVclrPaG +q2ZFYpeauTy71pTm8DjF7PwQI/+PUrBdFIX0V6uxqUEG0pvPdb8zenVbaK4Jh39u +w0V5tH/rbtd7zZX4vl3bmKo1Wk0SQxd83iXitxLiJnWNOsmrJcM/Hx91kE10+/ly +zgL/w5A9HSA616kfPdNzny0laH1TXVLJsnyyV3DyfnU4O6VI0JG3WjhgRdMkgobn +GvGJ2ZsZAxds9lBtT2y+gw5BU+jkSilPk3jM9MA7Kmyci93U9xxMuDNzyUzfcnXR +UIq99dZWeMMy1LT3buZXrAWu1WRgPdQtDKcQHDIQaIkxlWsT8q2q/wIirb6fwxlw +vXkFp+aEP35BAgMBAAGjUzBRMB0GA1UdDgQWBBR37F1+W1gcCp8bhZaFFi9JKQhu +tTAfBgNVHSMEGDAWgBR37F1+W1gcCp8bhZaFFi9JKQhutTAPBgNVHRMBAf8EBTAD +AQH/MA0GCSqGSIb3DQEBCwUAA4ICAQAYHqpISUI/x8UW33i35rYkFYNvXBMQDc8J +v4G2eqEBNCOVmHg6P//lq1F2jrtAEr/saESN1uS1Q80sUsthlVsceV1z1isdpugG +kMbfHxLe0QpthnP3PEChQw30TPB22BThuGVkteNSZKTCPGdzjSTPq2kOR6PCBZRd +r0r/TW3lT/Ng3KgjT6g7E3ZUpAeFEQMlmNYr/eEOL7K+1jzQrbCLmXbs6rmtffr7 +n4p+wMPMPaSRqQoQ86ff9GPzxWuAQGlytVoiS5Xt3jotd/RWlOy0YQ2QSzOQvFUW +4te5lwdOvOFnJTo43U3DqASqMcaazvIsN41zVlOyOyKEr9oZERju6FU1aZmuZtHQ +wMCmXVj/Swj67Zp9tG+vVQenbEk314+8c2nenuOIFP1F2C/NG3vMLIpENRGxpmAm +s5gIT6mXvJ4JCwWYc75zucOr2KVkDmEziJh/pARuOrOAPdc6NjKku8HBC9UI96+x +Db4hG2SqXUzShkFX/px7vlCADvgO3FDk2aiyW02PFsItob2O6OB98VGsU26hgRO/ +Czz/jbjWTPHNOt6/fcL0m7XLwlJ+K9gRArY15DeJGumcHEq/Vd/Z8iPQKKdzgF4O +9XFZvu+VHP82AS5TeiYHCddFJyzktQYcNu5/OBuxzO83d7rpqrLFETTEOL4cN8O7 +LJ7Q89hYAQ== -----END CERTIFICATE----- 
diff --git a/ext/openssl/tests/bug54992.pem b/ext/openssl/tests/bug54992.pem index 1a64a4e5b8a..f207c304481 100644 --- a/ext/openssl/tests/bug54992.pem +++ b/ext/openssl/tests/bug54992.pem 
@@ -1,26 +1,26 @@ -----BEGIN CERTIFICATE----- -MIID7jCCAdYCFBDKe4ra5M5zJIb81D7zwFRmyHQGMA0GCSqGSIb3DQEBCwUAMIGQ +MIID7jCCAdYCFDw0rvm7q8y5HfispK5A2I2+RBqHMA0GCSqGSIb3DQEBCwUAMIGQ MQswCQYDVQQGEwJQVDEPMA0GA1UECAwGTGlzYm9hMQ8wDQYDVQQHDAZMaXNib2Ex FzAVBgNVBAoMDlBIUCBGb3VuZGF0aW9uMR4wHAYDVQQDDBVSb290IENBIGZvciBQ SFAgVGVzdHMxJjAkBgkqhkiG9w0BCQEWF2ludGVybmFsc0BsaXN0cy5waHAubmV0 -MB4XDTE4MTIwMTIxNDU0MloXDTE4MTIzMTIxNDU0MlowWjEXMBUGA1UEAxMOYnVn +MB4XDTE4MTIzMTA4NDY0M1oXDTIwMDIwNDA4NDY0M1owWjEXMBUGA1UEAxMOYnVn NTQ5OTIubG9jYWwxCzAJBgNVBAYTAlBUMQ8wDQYDVQQHEwZMaXNib2ExDzANBgNV BAgTBkxpc2JvYTEQMA4GA1UEChMHcGhwLm5ldDCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEAtUAVQKTgpUPgtFOJ3w3kDJETS45tWeT96kUg1NeYLKW+jNbFhxPo PJv7XhfemCaqh2tbq1cdYW906Wp1L+eNQvdTYA2IQG4EQBUlmfyIakOIMsN/RizV kF09vlNQwTpaMpqTv7wB8vvwbxb9jbC2ZhQUBEg6PIn18dSstbM9FZ0CAwEAATAN -BgkqhkiG9w0BAQsFAAOCAgEAid90+ulRK+4ifB2tKnt2MyuqXZexv2yQ4u15EYmE -NLOpP5ZWN8vSvRI3IGruNA00dX/F2EOT+u82ApOxzYyxceAx29Ytpt7PSd2nUqkN -TbDAsDTUZdoDLUa6dGPe5Faaai00nfNJ3lqmC9xPbBPKyJ3hjz0Uj6gi51Lfi410 -4GZa4oIL3NEIKVtaK942EAYCjeWx1VT8AnsvK4Nqufo97sbZNHJhgY+ApM168kox -kFA/RNYp/pNS0FCc8b9DwMnu38n2n33iDl3P54chpAcyuWJE5wL/kN2gnS6iMsLP -14NtBg2mm++4XqBpt9glmWr56HZtvyFW0IhpDwQgRe4GSIwPES2g1s7iUs3T4VdJ -aHkF4v8Bdl6DWXSVdbqIq8CpVZLhf7vt6pV/22YpVCjQFmiLtc8a4gWaYvpn6j+L -nAajb9JpdkNeqNiBxmtfQwL7xtY+1goLd9OKtIO1b2517ZRgU9NkUfLKCTl2W2L8 -sMY7FPVs6Z1jfaXw+vIWKCJKe0thf0HMV4q11ptsqpzyIzAAjAfma1b/MM5ATHsa -6h7Poh0yg+WMSdXurjhDWogOWrzPXSe0izUYpREkTVl1oLhzorxlEDh7vBLB2TS3 -TPAEdNxEbsIutMjoz5ql5dYxgZQGW7HARXrXhMbk6cBU8khNcGGqz1uzX1x7Vb2d -hKs= +BgkqhkiG9w0BAQsFAAOCAgEAKtSMguV5ZQ2KpdZ9MAFa+GiHL0APb58OrvwNK4BF +6032UZLOWnsBZlo85WGLNnIT/GNzKKr7n9jHeuZcBVOFQLsebahSlfJZs9FPatlI +9Md1tRzVoTKohjG86HeFhhL+gZQ69SdIcK40wpH1qNv7KyMGA8gnx6rRKbOxZqsx +pkA/wS7CTqP9/DeOxh/MZPg7N/GZXW1QOz+SE537E9iyiRsbldNYFtwn5iaVfjpr +xz09wYYW3HJpR+QKPCfJ79JxDhuMHMoUOpIy8vGFnt5zVTcFLa378Sy3vCT1Qwvt +tTavFGHby4A7OqT6xu+9GTW37OaiV91UelLLV0+MoR4XiMVMX76mvqzmKCp6L9ae 
+7RYHrrCtNxkYUKUSkOEc2VHnT+sENkJIZu7zzN7/QNlc0yE9Rtsmgy4QAxo2m9u0 +pUZLAulZ1lS7g/sr7/8Pp17RDvJiJh+oAPyVYZ7OoLF1IoHDHcZI0bqcqhDhiHZs +PXYqyMCxyYzHFOAOgvbrEkmp8z/E8ATVwdUbAYN1dMrYHre1P4HFEtJh2QiGG2KE +4jheuNhH1R25AizbwYbD33Kdp7ltCgBlfYqjl771SlgY45QYs0mUdc1Pv39SGIwf +ZUm7mOWjaTBdYANrkvGM5NNT9kESjKkWykyTg4UF5rHV6nlyexR4b3fjabroi4BS +v6w= -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQC1QBVApOClQ+C0U4nfDeQMkRNLjm1Z5P3qRSDU15gspb6M1sWH diff --git a/ext/openssl/tests/bug54992.phpt b/ext/openssl/tests/bug54992.phpt index 878cb4a8725..a3cb36deecb 100644 --- a/ext/openssl/tests/bug54992.phpt +++ b/ext/openssl/tests/bug54992.phpt @@ -6,6 +6,48 @@ if (!extension_loaded("openssl")) die("skip openssl not loaded"); if (!function_exists("proc_open")) die("skip no proc_open"); --FILE-- ext/openssl/tests/bug54992.key + + Extract CSR from existing certificate: + $ openssl x509 -x509toreq -in ext/openssl/tests/bug54992.pem -out ext/openssl/tests/bug54992.csr -signkey ext/openssl/tests/bug54992.key + + Sign the CSR: + $ openssl x509 -CA ext/openssl/tests/bug54992-ca.pem \ + -CAcreateserial \ + -CAkey ./ext/openssl/tests/bug54992-ca.key \ + -req \ + -in ext/openssl/tests/bug54992.csr \ + -sha256 \ + -days 400 \ + -out ./ext/openssl/tests/bug54992.pem + + Bundle certificate's private key with the certificate: + $ cat ext/openssl/tests/bug54992.key >> ext/openssl/tests/bug54992.pem\ + + + Dependants: + + 1. ext/openssl/tests/bug65538_003.phpt + Run the following to generate required phar: + php -d phar.readonly=Off -r '$phar = new Phar("ext/openssl/tests/bug65538.phar"); $phar->addFile("ext/openssl/tests/bug54992.pem", "bug54992.pem"); $phar->addFile("ext/openssl/tests/bug54992-ca.pem", "bug54992-ca.pem");' + + 2. Update ext/openssl/tests/openssl_peer_fingerprint_basic.phpt (see instructions in there) + */ $serverCode = <<<'CODE' $serverUri = "ssl://127.0.0.1:64321"; $serverFlags = STREAM_SERVER_BIND | STREAM_SERVER_LISTEN; 
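Review bot: The regeneration recipe in the new comment signs the leaf certificate with `-days 400`, so this fixture will lapse again a little over a year after it is regenerated, and the TLS tests that load it will fail for reasons unrelated to the code under test. Use a much longer validity for test-only certificates or generate them when the test runs, and state the choice in this comment. The recipe also depends on `bug54992-ca.key`, which is not among the files listed in this patch's diffstat, so the comment should say where that CA key comes from or how to recreate the CA. The trailing `\` after the `cat ext/openssl/tests/bug54992.key >> ext/openssl/tests/bug54992.pem` line looks like a leftover and would act as a line continuation if pasted into a shell.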
diff --git a/ext/openssl/tests/bug65538.phar b/ext/openssl/tests/bug65538.phar index 3e10d5e7fad0dcc250162c112e80c5c6a3942578..9215a78173c713fc05c23458fe5a9c266da0db49 100644 GIT binary patch delta 2421 zcmZ{mIqNJ55y0Q7f%XdKZ^acgPzLP#;zixl=k)Y_&9nygG1GTX-xtVygH8Uh=CYxJ zu%E(BObkp+L|8C4cUCa8psJv#f})CFQJ-BtyZlLdkN@j$zxZ|h-FNT4^LhT&7azU* zuYCVyqbbEPnnr%v-s+FP_wL;{dEa>D^B?^9i?`ptCqD_uV4m+@XY+TM9~RZ2&v#We zV$h}D{__6oAE~R#rI5zCsGr4}S}@B?q5s9+{`$$kpN8jT!_?GS65?5;<%jmdp}s)p zMZdAM1e~}=jtn21)%)F#&2-GIJw6cOaVyy^ZL&tAVNJ8zRUaPbV?^qOtE!MwWHwK8 ztHJ@HceWl}Jm8)kCW%>eD6=G`OWaCYZrrDSyQ;uf(zMxzk8kJdxe$)D3LW_7lU&d51M!jXFEi`T(~`ur(ly zTTeR*haSB>cE*Wpm%7fTiz8P3G~~dSr1~0>%Bbq7!(Xs-b3VEH?d~dAR~~{BGyr$( zbZ@Stm9bSIW=JV-JYFo_PJzmTjNEcf}Jvyo`41N@KFN$ zXiUgGxL|XIMz!*Q{SvaxHKEY_l8@^-KQ+Fl4|RWvRZv=Kxa48z09G5Yr)O}%8CtR# z0w&74k!XAK+@LCyVCUkUPeZe99?EU^#>I5PlcAG{`bCyniCU(Qr~$-TJR!jlFl#c< z6+1e}c1RbTbq_^p=ao^Sg-WXosnlDX)2K_Yt2%MozPbB7ZY~z!${kH7fqzrg4L&<) zG<^szJ>yTXZ>2_Jj+_#k5+|FXT&|TrI8=vp;3DUJMBJCPT7dad3hg1}4HReJo}a## zEtC}CgAb?iv8AFc2n8XhPl}mM!00e{Hq|`IR(X+Q{FMFw$)of3k57^3Rq9&Vc4cs- zTpvYq6z{L4aMk7utD0O)oq!n=kz2>J+EMpvDJ2XLtU6dgihgAH9vnj6*5Jv8O$r*^ zVazITh;JUe!}*Z3Qz`k2;$im8=dFqO5{0n?6(h~9nRHn&Uc)_tnuyNoS#EjF z64$n7YGA-q*&*u7e8Nu0#lOZRzE82P<%xrf5HBcn z5IF8TSVV>I7?P%s1bC0nP)%OWOLaOZbZRmE6~?*SNu26f;ychwz<|mPQ&EyV6)+v3 zFG4U+2Tw96gt2kw!!5r`$0QL>+g^_5HP$8^)Y)m>bqY<$zU}(6z&p-sw^*!EItiRl zq)E})l`-GG`ibxfw?O?|lO46;(mfwq1!oW$Iaq8by&Zn~^{2b)Fqp<&Ar*dHI7ePo zPF^(bf3Yv&pN$_qmC;ty$-@H^QQ9PU5iNuVF_+E|V?;Qm_w%AD7%Kn-gd%Qm*8OH+ zgX%%yzIfIe*#SjuSCpP?=t8~(2V%*Ik9jKQIfJZbUr$;xygA=uXHG6{%OcMCf0EzgUw`)T?=C-l^X8}j!tF0V zdh?(9$!kv@1&+})@=2G~KmO61H{a{NpU&lHUw!%VhqvTAPlt&4wD%|YVW%o-GEB5> z)u9BZHN6dz`o- zDLHxr(1&(Dq>bfwF-n_ED)XvQAySh*sxsf6<{q?GE!&`5dlh9Xiy9-_-c$EnK`1Xe zrV@a)KB!aWmK@;$B=6bMCsxxp~ZDUdnHqSH}Yq<|>TS4!<5rqZYq-88ZV-z|E z)MLsDYKe$8GTf3jyG2))k!=aT_|K%atI&g(j*plk))GzPihI_OqDa?DojzvrLd!rW z-yMw+(+MxbI8)UPqpA{LII=KqY)c@%<~D5KcyPh8&DD4EvB*tTvphUTg(Hdpq;_rO zedlD%gE?yAT!d(Ah-;s=0Fe#?_MFSXX2`fT!4BG!7Vzpn*V? 
z6T_*Bz+H%HNMm8hHnz^z%Z9E~`f$!y)iiIsB69|(tM_$V#U?!Z{lulf&M*)?z%a=a z20A5n7}93=oXuTd@UpQ+#77Gjn+JFA*-Me;O6tV|d~&yq8vL7KDnPDyswZZfiPV<@ zRZk1z*P3GTC)JPEKvZp-wF<@QY#L=nd{=TQava-wut6N0h}!|6;|0tchKk2)HXU_j zkv_x(wD$q*Yi(zSvt3OD$0^}myyUihZ-v{%u)ED0od$7fJ_S0l;^m&c3WTG-Jm0@n zPFfTy{xrBPrOf!w`Z?QR5KneA0P{@F7N#dVh9L2bU$FmQ4D&Dlc#k|^T@n$sQP{33 ziCAjj1L)+#!krUS;?=vj1H6-D3E>;(Y2J0XKrDQhPtb9$0)=J~!_n~8 z<(P#LCjnz4Kq6_hNEXG-Y^W0p)6nj@)dU-=T&ZJi@fVsK*CTW)u%JY|!0$W-H1So( z^@D*P;VaVmPK4D%CZkbhQY(};MJ;4Y3J}aKW+^Bm&aIu!lJ3y3I z4HkxqDqjBlOYt4cYZ*4gxPkAgl29;D?u%&Gn|zX9z+ZjyelgCvGaWzKW0$|LX*aE3*5X6F>?IyaYYJb29 zIhy88^dY6}_~lgC874W(VhIjXz$1BeNA!$&sS3pMUBqUJO)G-;1Lx_bNw4%2*Ljg% z=HxsPop(Txu=BXvNvyB>bfIFb@Z)gq8sY}(K*PkhgjT!sZf3oCW!HMjPm4~jQwYLE ztEco)o0KD*AUI4$cHz?I-OY84J6DL0=+tYtgrsPBBN4&3XC4O&I4i!!sagh2We&-P zhxIVrO=I8foAR0@Hzu!RI5`*w&Ya~jel;R#wI#F_pl>*7@EC3-@3+O#A9gEnGU&Ry zVP^~Xvsb~bUheI%Rsvs=Gpn=6*+GG`#R#dn3dx62c}&Kw-SNJ{({L@KljM^!V+TV} z8p)lwur75k&5I=UJN(!KcqP3ANr6%uzxeHMKL7aVpIm 'dffa72247ab7e44d94b2858528e3f67015925782148d2cf0b15cd82d1c931215', + 'sha256' => 'b1d480a2f83594fa243d26378cf611f334d369e59558d87e3de1abe8f36cb997', ]); var_dump(stream_socket_client($serverUri, $errno, $errstr, 2, $clientFlags, $clientCtx)); CODE; From 4fc0bceb7c39be206c73f69993e3936ef329f656 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 29 Dec 2018 17:56:36 -0800 Subject: [PATCH 02/12] Fix bug #77242 (heap out of bounds read in xmlrpc_decode()) --- ext/xmlrpc/libxmlrpc/xml_element.c | 3 +++ ext/xmlrpc/tests/bug77242.phpt | 10 ++++++++++ 2 files changed, 13 insertions(+) create mode 100644 ext/xmlrpc/tests/bug77242.phpt diff --git a/ext/xmlrpc/libxmlrpc/xml_element.c b/ext/xmlrpc/libxmlrpc/xml_element.c index 56642d46142..eeec5379bf6 100644 --- a/ext/xmlrpc/libxmlrpc/xml_element.c +++ b/ext/xmlrpc/libxmlrpc/xml_element.c 
@@ -723,6 +723,9 @@ xml_element* xml_elem_parse_buf(const char* in_buf, int len, XML_ELEM_INPUT_OPTI long byte_idx = XML_GetCurrentByteIndex(parser); /* int byte_total = XML_GetCurrentByteCount(parser); */ const char * error_str = XML_ErrorString(err_code); + if(byte_idx > len) { + byte_idx = len; + } if(byte_idx >= 0) { snprintf(buf, sizeof(buf), diff --git a/ext/xmlrpc/tests/bug77242.phpt b/ext/xmlrpc/tests/bug77242.phpt new file mode 100644 index 00000000000..542c06311f7 --- /dev/null +++ b/ext/xmlrpc/tests/bug77242.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #77242 (heap out of bounds read in xmlrpc_decode()) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +NULL \ No newline at end of file From 428d8164ffcf6f75a6cc9d4056e54bfd450dac03 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 29 Dec 2018 18:25:37 -0800 Subject: [PATCH 03/12] Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) --- ext/phar/phar.c | 2 +- ext/phar/tests/bug77247.phpt | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 ext/phar/tests/bug77247.phpt diff --git a/ext/phar/phar.c b/ext/phar/phar.c index 47ff8cd7907..6e5cec2462a 100644 --- a/ext/phar/phar.c +++ b/ext/phar/phar.c @@ -2017,7 +2017,7 @@ next_extension: } while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) { - pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1); + pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1); if (!pos) { return FAILURE; } diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt new file mode 100644 index 00000000000..588975f9f2f --- /dev/null +++ b/ext/phar/tests/bug77247.phpt @@ -0,0 +1,14 @@ +--TEST-- +PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +OK \ No newline at end of file From a918020c03880e12ac9f38e11a4a3789491a5f85 Mon Sep 17 00:00:00 2001 
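Review bot: The new clamp is only as good as `len`: it bounds `byte_idx` correctly only if `len` holds the real size of `in_buf` at this point. If the function substitutes a computed length for a zero `len` earlier, outside this hunk, that substitution must happen before this check. The code also gives no reason why a parser-reported index can exceed the input, so add a comment such as `/* parser may report an index past the supplied buffer; keep it inside in_buf */` above the `if`. The body of `xml_elem_parse_buf` continues outside the hunk, so how `byte_idx` is used after the `snprintf` should be checked against the same bound.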
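Review bot: The corrected length `filename_len - (pos - filename) - 1` is only right while `pos` points at a byte inside `filename`; if `pos` could ever equal `filename + filename_len`, the expression goes negative and `memchr` receives a huge `size_t`. Writing the bound as a distance to the end makes that invariant visible: `pos = memchr(pos + 1, '.', (filename + filename_len) - (pos + 1));`, with a comment that `pos` is always the address of a `.` found inside the name. The loop belongs to a function that starts and ends outside the hunk, so the invariant should be confirmed against the earlier searches that set `pos`.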
From: "Christoph M. Becker" Date: Wed, 12 Dec 2018 16:00:59 +0100 Subject: [PATCH 04/12] Fix #77269: Potential unsigned underflow in gdImageScale Belatedly, we're porting the respective upstream patch[1]. [1] --- ext/gd/libgd/gd_interpolation.c | 18 +++++++++--------- ext/gd/tests/bug77269.phpt | 21 +++++++++++++++++++++ 2 files changed, 30 insertions(+), 9 deletions(-) create mode 100644 ext/gd/tests/bug77269.phpt diff --git a/ext/gd/libgd/gd_interpolation.c b/ext/gd/libgd/gd_interpolation.c index 1c151b55090..d456c0a596d 100644 --- a/ext/gd/libgd/gd_interpolation.c +++ b/ext/gd/libgd/gd_interpolation.c @@ -880,8 +880,13 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, { unsigned int u = 0; LineContribType *res; - int overflow_error = 0; + size_t weights_size; + if (overflow2(windows_size, sizeof(double))) { + return NULL; + } else { + weights_size = windows_size * sizeof(double); + } res = (LineContribType *) gdMalloc(sizeof(LineContribType)); if (!res) { return NULL; @@ -898,15 +903,10 @@ static inline LineContribType * _gdContributionsAlloc(unsigned int line_length, return NULL; } for (u = 0 ; u < line_length ; u++) { - if (overflow2(windows_size, sizeof(double))) { - overflow_error = 1; - } else { - res->ContribRow[u].Weights = (double *) gdMalloc(windows_size * sizeof(double)); - } - if (overflow_error == 1 || res->ContribRow[u].Weights == NULL) { + res->ContribRow[u].Weights = (double *) gdMalloc(weights_size); + if (res->ContribRow[u].Weights == NULL) { unsigned int i; - u--; - for (i=0;i<=u;i++) { + for (i=0;iContribRow[i].Weights); } gdFree(res->ContribRow); diff --git a/ext/gd/tests/bug77269.phpt b/ext/gd/tests/bug77269.phpt new file mode 100644 index 00000000000..3bdc23e80a7 --- /dev/null +++ b/ext/gd/tests/bug77269.phpt 
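Review bot: The `else` after `return NULL` in the hoisted overflow check of `_gdContributionsAlloc` is redundant and separates `weights_size` from the only statement that assigns it. `if (overflow2(windows_size, sizeof(double))) return NULL;` followed by `weights_size = windows_size * sizeof(double);` reads more directly. `windows_size` is `unsigned int` and the product is stored in a `size_t`, while `overflow2` is declared outside this page, so a short comment on which range that helper actually guarantees would help the next reader judge the multiplication. The function body continues beyond this hunk.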
@@ -0,0 +1,21 @@ +--TEST-- +Bug #77269 (Potential unsigned underflow in gdImageScale) +--SKIPIF-- + +--INI-- +memory_limit=2G +--FILE-- + +===DONE=== +--EXPECTF-- +Warning: imagecreate():%S product of memory allocation multiplication would exceed INT_MAX, failing operation gracefully + in %s on line %d +===DONE=== From 20407d06ca3cb5eeb10f876a812b40c381574bcc Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 29 Dec 2018 19:51:24 -0800 Subject: [PATCH 05/12] Fix bug #77370 - check that we do not read past buffer end when parsing multibytes --- ext/mbstring/oniguruma/regparse.c | 9 +++++++++ ext/mbstring/tests/bug77370.phpt | 13 +++++++++++++ 2 files changed, 22 insertions(+) create mode 100644 ext/mbstring/tests/bug77370.phpt diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c index d2925f1e81b..252ca187120 100644 --- a/ext/mbstring/oniguruma/regparse.c +++ b/ext/mbstring/oniguruma/regparse.c @@ -246,6 +246,12 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) } #endif +#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) +# define UNEXPECTED(condition) __builtin_expect(condition, 0) +#else +# define UNEXPECTED(condition) (condition) +#endif + /* scan pattern methods */ #define PEND_VALUE 0 @@ -260,14 +266,17 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) c = ONIGENC_MBC_TO_CODE(enc, p, end); \ pfetch_prev = p; \ p += ONIGENC_MBC_ENC_LEN(enc, p); \ + if(UNEXPECTED(p > end)) p = end; \ } while (0) #define PINC_S do { \ p += ONIGENC_MBC_ENC_LEN(enc, p); \ + if(UNEXPECTED(p > end)) p = end; \ } while (0) #define PFETCH_S(c) do { \ c = ONIGENC_MBC_TO_CODE(enc, p, end); \ p += ONIGENC_MBC_ENC_LEN(enc, p); \ + if(UNEXPECTED(p > end)) p = end; \ } while (0) #define PPEEK (p < end ? ONIGENC_MBC_TO_CODE(enc, p, end) : PEND_VALUE) diff --git a/ext/mbstring/tests/bug77370.phpt b/ext/mbstring/tests/bug77370.phpt new file mode 100644 index 00000000000..c4d25582fe3 
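Review bot: In `PFETCH` and `PFETCH_S` the clamp `if(UNEXPECTED(p > end)) p = end;` runs after `ONIGENC_MBC_TO_CODE(enc, p, end)` has already decoded the character, so a truncated multibyte sequence at the end of the pattern can still be read past `end` inside the encoding's decoder. The clamp only repairs the cursor for the next step. Either check the remaining length before decoding or make the per-encoding `mbc_to_code` functions honour `end`, which PATCH 12/12 in this series does for the UTF-16 and UTF-32 decoders. The `UNEXPECTED` macro added in the first hunk of this file would be safer inside `#ifndef UNEXPECTED`, in case another header in the build already defines it.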
--- /dev/null +++ b/ext/mbstring/tests/bug77370.phpt @@ -0,0 +1,13 @@ +--TEST-- +Bug #77370 (Buffer overflow on mb regex functions - fetch_token) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +array(1) { + [0]=> + string(0) "" +} From 28362ed4fae6969b5a8878591a5a06eadf114e03 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sat, 29 Dec 2018 20:06:08 -0800 Subject: [PATCH 06/12] Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) --- ext/mbstring/oniguruma/regcomp.c | 1 + ext/mbstring/tests/bug77371.phpt | 10 ++++++++++ 2 files changed, 11 insertions(+) create mode 100644 ext/mbstring/tests/bug77371.phpt diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c index 995e1d88615..4469f33a56d 100644 --- a/ext/mbstring/oniguruma/regcomp.c +++ b/ext/mbstring/oniguruma/regcomp.c @@ -524,6 +524,7 @@ compile_string_node(Node* node, regex_t* reg) for (; p < end; ) { len = enclen(enc, p); + if (p + len > end) len = end - p; if (len == prev_len) { slen++; } diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt new file mode 100644 index 00000000000..f23445bd091 --- /dev/null +++ b/ext/mbstring/tests/bug77371.phpt @@ -0,0 +1,10 @@ +--TEST-- +Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +bool(false) \ No newline at end of file From 1cc2182bcc81e185c14837e659d12b268cb99d63 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Tue, 1 Jan 2019 17:15:20 -0800 Subject: [PATCH 07/12] Fix bug #77380 (Global out of bounds read in xmlrpc base64 code) --- ext/xmlrpc/libxmlrpc/base64.c | 4 ++-- ext/xmlrpc/tests/bug77380.phpt | 17 +++++++++++++++++ 2 files changed, 19 insertions(+), 2 deletions(-) create mode 100644 ext/xmlrpc/tests/bug77380.phpt diff --git a/ext/xmlrpc/libxmlrpc/base64.c b/ext/xmlrpc/libxmlrpc/base64.c index 5ebdf31f7ad..a4fa19327b7 100644 --- a/ext/xmlrpc/libxmlrpc/base64.c +++ b/ext/xmlrpc/libxmlrpc/base64.c 
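Review bot: `p + len > end` in `compile_string_node` forms a pointer that may lie beyond one past the end of the buffer before it is compared, which is undefined behaviour the compiler is allowed to assume never happens. Compare lengths instead: `if (len > end - p) len = end - p;`. Only the in-loop `enclen()` is bounded here. The length of the first character is taken before the loop, outside this hunk, and needs the same bound; PATCH 09/12 later in this series replaces both with `SAFE_ENC_LEN`.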
@@ -77,7 +77,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length) while (!hiteof) { unsigned char igroup[3], ogroup[4]; - int c, n; + int c, n; igroup[0] = igroup[1] = igroup[2] = 0; for (n = 0; n < 3; n++) { @@ -169,7 +169,7 @@ void base64_decode_xmlrpc(struct buffer_st *bfr, const char *source, int length) return; } - if (dtable[c] & 0x80) { + if (dtable[(unsigned char)c] & 0x80) { /* fprintf(stderr, "Offset %i length %i\n", offset, length); fprintf(stderr, "character '%c:%x:%c' in input file.\n", c, c, dtable[c]); diff --git a/ext/xmlrpc/tests/bug77380.phpt b/ext/xmlrpc/tests/bug77380.phpt new file mode 100644 index 00000000000..8559c07a5ae --- /dev/null +++ b/ext/xmlrpc/tests/bug77380.phpt @@ -0,0 +1,17 @@ +--TEST-- +Bug #77380 (Global out of bounds read in xmlrpc base64 code) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +object(stdClass)#1 (2) { + ["scalar"]=> + string(0) "" + ["xmlrpc_type"]=> + string(6) "base64" +} From 7a12dad4dd6c370835b13afae214b240082c7538 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Sun, 30 Dec 2018 13:59:26 +0100 Subject: [PATCH 08/12] Fix #77270: imagecolormatch Out Of Bounds Write on Heap At least some of the image reading functions may return images which use color indexes greater than or equal to im->colorsTotal. We cater to this by always using a buffer size which is sufficient for `gdMaxColors` in `gdImageColorMatch()`. --- ext/gd/libgd/gd_color.c | 4 ++-- ext/gd/tests/bug77270.phpt | 18 ++++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 ext/gd/tests/bug77270.phpt diff --git a/ext/gd/libgd/gd_color.c b/ext/gd/libgd/gd_color.c index a4e56b1c401..e6f539bc75b 100644 --- a/ext/gd/libgd/gd_color.c +++ b/ext/gd/libgd/gd_color.c 
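Review bot: The cast in `dtable[(unsigned char)c]` fixes this one lookup, but `c` remains a possibly negative `int` for the rest of the loop in `base64_decode_xmlrpc`. The commented-out `fprintf` in the same block still shows `dtable[c]`, which is the form someone will copy if that diagnostic is re-enabled. Converting once where the byte is read, for example `c = (unsigned char)*(source++);`, would cover every later use of `c` as a table index or as an argument to a `<ctype.h>` function. The assignment of `c` is outside this hunk, so the exact read expression has to be checked against the file.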
@@ -33,8 +33,8 @@ int gdImageColorMatch (gdImagePtr im1, gdImagePtr im2) return -4; /* At least 1 color must be allocated */ } - buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * im2->colorsTotal, 0); - memset( buf, 0, sizeof(unsigned long) * 5 * im2->colorsTotal ); + buf = (unsigned long *)safe_emalloc(sizeof(unsigned long), 5 * gdMaxColors, 0); + memset( buf, 0, sizeof(unsigned long) * 5 * gdMaxColors ); for (x=0; xsx; x++) { for( y=0; ysy; y++ ) { diff --git a/ext/gd/tests/bug77270.phpt b/ext/gd/tests/bug77270.phpt new file mode 100644 index 00000000000..1c4555a64d7 --- /dev/null +++ b/ext/gd/tests/bug77270.phpt @@ -0,0 +1,18 @@ +--TEST-- +Bug #77270 (imagecolormatch Out Of Bounds Write on Heap) +--SKIPIF-- + +--FILE-- + +===DONE=== +--EXPECT-- +===DONE=== From c95daa9c75a7f4bd5e75702833611498c44cbeb6 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Wed, 2 Jan 2019 00:36:30 -0800 Subject: [PATCH 09/12] Fix more issues with encodilng length Should fix bug #77381, bug #77382, bug #77385, bug #77394. --- ext/mbstring/oniguruma/enc/unicode.c | 1 + ext/mbstring/oniguruma/regcomp.c | 11 +++++------ ext/mbstring/oniguruma/regparse.c | 10 +++------- ext/mbstring/oniguruma/regparse.h | 12 ++++++++++++ ext/mbstring/tests/bug77371.phpt | 2 +- ext/mbstring/tests/bug77381.phpt | 16 ++++++++++++++++ 6 files changed, 38 insertions(+), 14 deletions(-) create mode 100644 ext/mbstring/tests/bug77381.phpt diff --git a/ext/mbstring/oniguruma/enc/unicode.c b/ext/mbstring/oniguruma/enc/unicode.c index af7a86e0882..1b027c74945 100644 --- a/ext/mbstring/oniguruma/enc/unicode.c +++ b/ext/mbstring/oniguruma/enc/unicode.c @@ -10971,6 +10971,7 @@ onigenc_unicode_mbc_case_fold(OnigEncoding enc, code = ONIGENC_MBC_TO_CODE(enc, p, end); len = enclen(enc, p); + if (*pp + len > end) len = end - *pp; *pp += len; #ifdef USE_UNICODE_CASE_FOLD_TURKISH_AZERI diff --git a/ext/mbstring/oniguruma/regcomp.c b/ext/mbstring/oniguruma/regcomp.c index 4469f33a56d..136745e5e45 100644 
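Review bot: The buffer in `gdImageColorMatch` is now sized by `gdMaxColors`, but the reason is recorded only in the commit message: image readers can return palette indexes at or above `colorsTotal`. Add a comment above the allocation such as `/* sized for gdMaxColors: pixel indexes are not guaranteed to be < colorsTotal */`. The count `5 * gdMaxColors` is written out in both the `safe_emalloc` call and the `memset`. A named local for the element count would keep the two sizes from drifting apart in a later edit.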
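Review bot: `ONIGENC_MBC_TO_CODE(enc, p, end)` on the line above has already decoded the character by the time `len` is clamped in `onigenc_unicode_mbc_case_fold`, so the added check keeps `*pp` inside the buffer but does not by itself stop the decoder from reading a truncated sequence past `end`. The check is also hand-written here while the rest of this commit uses `SAFE_ENC_LEN`; if `regparse.h` cannot be included from this file, a comment saying so would explain the difference. Prefer `if (len > end - *pp) len = end - *pp;` so that no pointer beyond the buffer is formed before the comparison.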
--- a/ext/mbstring/oniguruma/regcomp.c +++ b/ext/mbstring/oniguruma/regcomp.c @@ -469,13 +469,13 @@ compile_length_string_node(Node* node, regex_t* reg) ambig = NSTRING_IS_AMBIG(node); p = prev = sn->s; - prev_len = enclen(enc, p); + SAFE_ENC_LEN(enc, p, sn->end, prev_len); p += prev_len; slen = 1; rlen = 0; for (; p < sn->end; ) { - len = enclen(enc, p); + SAFE_ENC_LEN(enc, p, sn->end, len); if (len == prev_len) { slen++; } @@ -518,13 +518,12 @@ compile_string_node(Node* node, regex_t* reg) ambig = NSTRING_IS_AMBIG(node); p = prev = sn->s; - prev_len = enclen(enc, p); + SAFE_ENC_LEN(enc, p, end, prev_len); p += prev_len; slen = 1; for (; p < end; ) { - len = enclen(enc, p); - if (p + len > end) len = end - p; + SAFE_ENC_LEN(enc, p, end, len); if (len == prev_len) { slen++; } @@ -3391,7 +3390,7 @@ expand_case_fold_string(Node* node, regex_t* reg) goto err; } - len = enclen(reg->enc, p); + SAFE_ENC_LEN(reg->enc, p, end, len); if (n == 0) { if (IS_NULL(snode)) { diff --git a/ext/mbstring/oniguruma/regparse.c b/ext/mbstring/oniguruma/regparse.c index 252ca187120..fcfaf4378c0 100644 --- a/ext/mbstring/oniguruma/regparse.c +++ b/ext/mbstring/oniguruma/regparse.c @@ -246,12 +246,6 @@ strdup_with_null(OnigEncoding enc, UChar* s, UChar* end) } #endif -#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) -# define UNEXPECTED(condition) __builtin_expect(condition, 0) -#else -# define UNEXPECTED(condition) (condition) -#endif - /* scan pattern methods */ #define PEND_VALUE 0 @@ -3589,7 +3583,9 @@ fetch_token(OnigToken* tok, UChar** src, UChar* end, ScanEnv* env) tok->u.code = (OnigCodePoint )num; } else { /* string */ - p = tok->backp + enclen(enc, tok->backp); + int len; + SAFE_ENC_LEN(enc, tok->backp, end, len); + p = tok->backp + len; } break; } diff --git a/ext/mbstring/oniguruma/regparse.h b/ext/mbstring/oniguruma/regparse.h index 0c5c2c936c0..bcab03ed589 100644 --- a/ext/mbstring/oniguruma/regparse.h 
+++ b/ext/mbstring/oniguruma/regparse.h @@ -348,4 +348,16 @@ extern int onig_print_names(FILE*, regex_t*); #endif #endif +#if (defined (__GNUC__) && __GNUC__ > 2 ) && !defined(DARWIN) && !defined(__hpux) && !defined(_AIX) +# define UNEXPECTED(condition) __builtin_expect(condition, 0) +#else +# define UNEXPECTED(condition) (condition) +#endif + +#define SAFE_ENC_LEN(enc, p, end, res) do { \ + int __res = enclen(enc, p); \ + if (UNEXPECTED(p + __res > end)) __res = end - p; \ + res = __res; \ +} while(0); + #endif /* REGPARSE_H */ diff --git a/ext/mbstring/tests/bug77371.phpt b/ext/mbstring/tests/bug77371.phpt index f23445bd091..33e5fc115c9 100644 --- a/ext/mbstring/tests/bug77371.phpt +++ b/ext/mbstring/tests/bug77371.phpt @@ -4,7 +4,7 @@ Bug #77371 (heap buffer overflow in mb regex functions - compile_string_node) --FILE-- --EXPECT-- bool(false) \ No newline at end of file diff --git a/ext/mbstring/tests/bug77381.phpt b/ext/mbstring/tests/bug77381.phpt new file mode 100644 index 00000000000..cb83759fc09 --- /dev/null +++ b/ext/mbstring/tests/bug77381.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #77381 (heap buffer overflow in multibyte match_at) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +int(1) +bool(false) +bool(false) +bool(false) From b51eaf416672492270d117340fab3375d52dc359 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 6 Jan 2019 13:03:38 -0800 Subject: [PATCH 10/12] [ci skip] Add NEWS --- NEWS | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/NEWS b/NEWS index ab9ef16e88a..245aecc2288 100644 --- a/NEWS +++ b/NEWS 
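Review bot: `SAFE_ENC_LEN` ends in `while(0);`, and that trailing semicolon defeats the `do { } while (0)` idiom: every call site in `regcomp.c` and `regparse.c` already adds its own `;`, so the macro would break as the body of an unbraced `if ... else`. The temporary `__res` uses a double underscore, which is reserved for the implementation, and the arguments are not parenthesised. The test `p + __res > end` forms a pointer past the buffer before comparing, where comparing `__res` with `end - p` avoids that. A rewritten macro with the same result for in-range input follows.

```c
#define SAFE_ENC_LEN(enc, p, end, res) do { \
  int safe_len_ = enclen((enc), (p)); \
  if (UNEXPECTED(safe_len_ > (end) - (p))) safe_len_ = (int )((end) - (p)); \
  (res) = safe_len_; \
} while (0)
```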
@@ -2,6 +2,28 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2018, PHP 5.6.40 +- GD: + . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to + use-after-free). (cmb) + . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb) + +- Mbstring: + . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas) + . Fixed bug #77371 (heap buffer overflow in mb regex functions + - compile_string_node). (Stas) + . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas) + . Fixed bug #77382 (heap buffer overflow due to incorrect length in + expand_case_fold_string). (Stas) + . Fixed bug #77385 (buffer overflow in fetch_token). (Stas) + . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas) + +- Phar: + . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas) + +- Xmlrpc: + . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb) + . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas) + 06 Dec 2018, PHP 5.6.39 - Core: From 08bb0ce4e496d21190a8cff676b4aad3a4549e06 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 6 Jan 2019 13:04:51 -0800 Subject: [PATCH 11/12] Add NEWS --- NEWS | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/NEWS b/NEWS index e3d804837e7..f04449d2fe6 100644 --- a/NEWS +++ b/NEWS 
@@ -2,9 +2,34 @@ PHP NEWS ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||| ?? ??? 2018, PHP 7.1.26 +- Core: + . Fixed bug #77369 (memcpy with negative length via crafted DNS response). (Stas) + +- GD: + . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to + use-after-free). (cmb) + . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb) + - IMAP: . Fixed bug #77020 (null pointer dereference in imap_mail). (cmb) +- Mbstring: + . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas) + . Fixed bug #77371 (heap buffer overflow in mb regex functions + - compile_string_node). (Stas) + . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas) + . Fixed bug #77382 (heap buffer overflow due to incorrect length in + expand_case_fold_string). (Stas) + . Fixed bug #77385 (buffer overflow in fetch_token). (Stas) + . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas) + +- Phar: + . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas) + +- Xmlrpc: + . Fixed bug #77242 (heap out of bounds read in xmlrpc_decode()). (cmb) + . Fixed bug #77380 (Global out of bounds read in xmlrpc base64 code). (Stas) + 06 Dec 2018, PHP 7.1.25 - Core: From 9d6c59eeea88a3e9d7039cb4fed5126ef704593a Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 6 Jan 2019 23:31:15 -0800 Subject: [PATCH 12/12] Fix bug #77418 - Heap overflow in utf32be_mbc_to_code --- NEWS | 7 ++++--- ext/mbstring/oniguruma/enc/utf16_be.c | 4 +++- ext/mbstring/oniguruma/enc/utf16_le.c | 3 ++- ext/mbstring/oniguruma/enc/utf32_be.c | 1 + ext/mbstring/oniguruma/enc/utf32_le.c | 1 + ext/mbstring/tests/bug77418.phpt | 14 ++++++++++++++ 6 files changed, 25 insertions(+), 5 deletions(-) create mode 100644 ext/mbstring/tests/bug77418.phpt diff --git a/NEWS b/NEWS index 245aecc2288..53b26b7c5cf 100644 --- a/NEWS +++ b/NEWS 
@@ -3,19 +3,20 @@ PHP NEWS ?? ??? 2018, PHP 5.6.40 - GD: - . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to + . Fixed bug #77269 (efree() on uninitialized Heap data in imagescale leads to use-after-free). (cmb) . Fixed bug #77270 (imagecolormatch Out Of Bounds Write on Heap). (cmb) - Mbstring: . Fixed bug #77370 (Buffer overflow on mb regex functions - fetch_token). (Stas) - . Fixed bug #77371 (heap buffer overflow in mb regex functions + . Fixed bug #77371 (heap buffer overflow in mb regex functions - compile_string_node). (Stas) . Fixed bug #77381 (heap buffer overflow in multibyte match_at). (Stas) - . Fixed bug #77382 (heap buffer overflow due to incorrect length in + . Fixed bug #77382 (heap buffer overflow due to incorrect length in expand_case_fold_string). (Stas) . Fixed bug #77385 (buffer overflow in fetch_token). (Stas) . Fixed bug #77394 (Buffer overflow in multibyte case folding - unicode). (Stas) + . Fixed bug #77418 (Heap overflow in utf32be_mbc_to_code). (Stas) - Phar: . Fixed bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext). (Stas) diff --git a/ext/mbstring/oniguruma/enc/utf16_be.c b/ext/mbstring/oniguruma/enc/utf16_be.c index 1e909ebbf29..9e2f73b0735 100644 --- a/ext/mbstring/oniguruma/enc/utf16_be.c +++ b/ext/mbstring/oniguruma/enc/utf16_be.c @@ -75,16 +75,18 @@ utf16be_is_mbc_newline(const UChar* p, const UChar* end) } static OnigCodePoint -utf16be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) +utf16be_mbc_to_code(const UChar* p, const UChar* end) { OnigCodePoint code; if (UTF16_IS_SURROGATE_FIRST(*p)) { + if (end - p < 4) return 0; code = ((((p[0] - 0xd8) << 2) + ((p[1] & 0xc0) >> 6) + 1) << 16) + ((((p[1] & 0x3f) << 2) + (p[2] - 0xdc)) << 8) + p[3]; } else { + if (end - p < 2) return 0; code = p[0] * 256 + p[1]; } return code; diff --git a/ext/mbstring/oniguruma/enc/utf16_le.c b/ext/mbstring/oniguruma/enc/utf16_le.c index 5cc07591173..580f8dffa2f 100644 
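Review bot: `UTF16_IS_SURROGATE_FIRST(*p)` in `utf16be_mbc_to_code` dereferences `p` before either new length check runs, so a call with `p == end` still reads one byte past the buffer. Test `end - p < 2` before the first dereference and keep `end - p < 4` inside the surrogate branch. Returning 0 for truncated input is indistinguishable from a real U+0000; if the function's contract has no error value, a comment such as `/* truncated sequence: report NUL, caller bounds the cursor */` should say so.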
--- a/ext/mbstring/oniguruma/enc/utf16_le.c +++ b/ext/mbstring/oniguruma/enc/utf16_le.c @@ -81,13 +81,14 @@ utf16le_is_mbc_newline(const UChar* p, const UChar* end) } static OnigCodePoint -utf16le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) +utf16le_mbc_to_code(const UChar* p, const UChar* end) { OnigCodePoint code; UChar c0 = *p; UChar c1 = *(p+1); if (UTF16_IS_SURROGATE_FIRST(c1)) { + if (end - p < 4) return 0; code = ((((c1 - 0xd8) << 2) + ((c0 & 0xc0) >> 6) + 1) << 16) + ((((c0 & 0x3f) << 2) + (p[3] - 0xdc)) << 8) + p[2]; diff --git a/ext/mbstring/oniguruma/enc/utf32_be.c b/ext/mbstring/oniguruma/enc/utf32_be.c index b4f822607c8..5295f26b1e5 100644 --- a/ext/mbstring/oniguruma/enc/utf32_be.c +++ b/ext/mbstring/oniguruma/enc/utf32_be.c @@ -60,6 +60,7 @@ utf32be_is_mbc_newline(const UChar* p, const UChar* end) static OnigCodePoint utf32be_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) { + if (end - p < 4) return 0; return (OnigCodePoint )(((p[0] * 256 + p[1]) * 256 + p[2]) * 256 + p[3]); } diff --git a/ext/mbstring/oniguruma/enc/utf32_le.c b/ext/mbstring/oniguruma/enc/utf32_le.c index 8f413bfc74e..a78c4d0abcc 100644 --- a/ext/mbstring/oniguruma/enc/utf32_le.c +++ b/ext/mbstring/oniguruma/enc/utf32_le.c @@ -60,6 +60,7 @@ utf32le_is_mbc_newline(const UChar* p, const UChar* end) static OnigCodePoint utf32le_mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) { + if (end - p < 4) return 0; return (OnigCodePoint )(((p[3] * 256 + p[2]) * 256 + p[1]) * 256 + p[0]); } diff --git a/ext/mbstring/tests/bug77418.phpt b/ext/mbstring/tests/bug77418.phpt new file mode 100644 index 00000000000..b4acc45c211 --- /dev/null +++ b/ext/mbstring/tests/bug77418.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #77371 (Heap overflow in utf32be_mbc_to_code) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +array(1) { + [0]=> + string(30) "000000000000000000000000000000" +}
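Review bot: `UChar c0 = *p;` and `UChar c1 = *(p+1);` at the top of `utf16le_mbc_to_code` read two bytes before the new `end - p < 4` check is reached. Unlike the big-endian version in this commit, no `end - p < 2` guard is added for the non-surrogate branch, which lies outside this hunk. Put `if (end - p < 2) return 0;` ahead of the two reads so both branches are covered, and keep the 4-byte check for the surrogate case.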
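Review bot: `end` is now read by the new guard in `utf32be_mbc_to_code`, but the signature still declares it as `const UChar* end ARG_UNUSED`, and the same is true of `utf32le_mbc_to_code` in the next file. The UTF-16 functions changed in this same commit dropped the marker. Remove `ARG_UNUSED` from both UTF-32 signatures so the declaration matches the code and a later reader does not assume the bound is ignored.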
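Review bot: The `--TEST--` title of the new file reads `Bug #77371 (Heap overflow in utf32be_mbc_to_code)`, but the file is `bug77418.phpt` and the commit subject and NEWS entry both refer to bug #77418. #77371 is the `compile_string_node` report, which already has its own test earlier in this series. Change the title to `Bug #77418 (Heap overflow in utf32be_mbc_to_code)` so a failing run points at the right report.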