From ac56700125bfbc56602dfd60a8997bbc5fc41473 Mon Sep 17 00:00:00 2001 From: Lior Kaplan Date: Mon, 4 Jul 2016 16:06:54 +0200 Subject: [PATCH 1/6] Update PHP 5.5 NEWS entries with CVE info --- NEWS | 41 ++++++++++++++++++++++++----------------- 1 file changed, 24 insertions(+), 17 deletions(-) diff --git a/NEWS b/NEWS index b7d514b05a7..d2c3ad91cf3 100644 --- a/NEWS +++ b/NEWS 
@@ -16,45 +16,51 @@ PHP NEWS . Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas) - GD: - . Fixed bug #66387 (Stack overflow with imagefilltoborder) (CVE-2015-8874). + . Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874) (cmb) . Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas) - . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in - heap overflow). (Pierre) + . Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in heap + overflow). (CVE-2016-5766) (Pierre) . Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas) . Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting - in heap overflow). (Pierre) + in heap overflow). (CVE-2016-5767) (Pierre) - mbstring: - . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas) + . Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). + (CVE-2016-5768) (Stas) - mcrypt: - . Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas) + . Fixed bug #72455 (Heap Overflow due to integer overflows). (CVE-2016-5769) + (Stas) - SPL: - . Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas) + . Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). + (CVE-2016-5770) (Stas) . Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and - unserialize). (Dmitry) + unserialize). (CVE-2016-5771) (Dmitry) - WDDX: - . Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas) + . Fixed bug #72340 (Double Free Courruption in wddx_deserialize). + (CVE-2016-5772) (Stas) - zip: . Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC - algorithm and unserialize). (Dmitry) + algorithm and unserialize). (CVE-2016-5773) (Dmitry) 26 May 2016, PHP 5.5.36 - Core: . Fixed bug #72114 (Integer underflow / arbitrary null write in - fread/gzread). (Stas) - . Fixed bug #72135 (Integer Overflow in php_html_entities). 
(Stas) + fread/gzread). (CVE-2016-5096) (Stas) + . Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094) + (Stas) - GD: - . Fixed bug #72227 (imagescale out-of-bounds read). (Stas) + . Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456) (Stas) - Intl: - . Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas) + . Fixed bug #72241 (get_icu_value_internal out-of-bounds read). + (CVE-2016-5093) (Stas) - Phar: . Fixed bug #71331 (Uninitialized pointer in phar_make_dirstream()). @@ -71,7 +77,7 @@ PHP NEWS processing). (Stas) - GD: - . Fixed bug #71912 (libgd: signedness vulnerability) (CVE-2016-3074). (Stas) + . Fixed bug #71912 (libgd: signedness vulnerability). (CVE-2016-3074) (Stas) - Intl: . Fixed bug #72061 (Out-of-bounds reads in zif_grapheme_stripos with negative @@ -136,11 +142,12 @@ PHP NEWS - WDDX: . Fixed bug #71335 (Type Confusion in WDDX Packet Deserialization). (Stas) - + 07 Jan 2015, PHP 5.5.31 - FPM: - . Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). (Stas) + . Fixed bug #70755 (fpm_log.c memory leak and buffer overflow). + (CVE-2016-5114) (Stas) - GD: . Fixed bug #70976 (Memory Read via gdImageRotateInterpolated Array Index From e1ba58f068f4bfc8ced75bb017cd31d8beddf3c2 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Mon, 28 Sep 2015 11:31:14 -0700 Subject: [PATCH 2/6] Fix bug #70480 (php_url_parse_ex() buffer overflow read) (cherry picked from commit 629e4da7cc8b174acdeab84969cbfc606a019b31) --- ext/standard/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/standard/url.c b/ext/standard/url.c index fc3f080a41b..b5739f0d7ae 100644 --- a/ext/standard/url.c +++ b/ext/standard/url.c @@ -320,7 +320,7 @@ PHPAPI php_url *php_url_parse_ex(char const *str, int length) nohost: if ((p = memchr(s, '?', (ue - s)))) { - pp = strchr(s, '#'); + pp = memchr(s, '#', (ue - s)); if (pp && pp < p) { if (pp - s) { 
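Review bot: The invariant that makes `memchr(s, '#', (ue - s))` the correct call — `str` is length-delimited rather than NUL-terminated, so every scan in this function must be bounded by `ue` — is not recorded anywhere near the new line, and the `strchr` pattern it replaces could easily be reintroduced on the next edit. A comment at the `nohost:` label, `/* str is not NUL-terminated: bound every scan by ue, never use strchr/strlen here */`, would pin the contract (the definition of `ue` lies outside the hunk; I assume it is `str + length`, confirm before wording the comment). The diffstat shows only ext/standard/url.c changed, so the fix for bug #70480 ships without a regression test; a small case under the existing url parsing tests that feeds a non-terminated buffer through `php_url_parse_ex()` would guard the bounded scan. php_url_parse_ex continues past both ends of the hunk, and any remaining unbounded scans there are worth a look in the same pass.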
From 51b584b1596e390ea989b400ef2de392b560ee79 Mon Sep 17 00:00:00 2001 From: Julien Pauli Date: Fri, 8 Jul 2016 14:35:43 +0200 Subject: [PATCH 3/6] Updated NEWS --- NEWS | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index d2c3ad91cf3..f253a43e361 100644 --- a/NEWS +++ b/NEWS @@ -4,7 +4,8 @@ PHP NEWS ?? ?? 2016, PHP 5.5.38 - +Core: + . Fix bug #70480 (php_url_parse_ex() buffer overflow read). (Stas) 23 Jun 2016, PHP 5.5.37 From 82637e818776d4fe778fb1dbac26eeece02e900c Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Fri, 3 Jul 2015 00:04:50 +0200 Subject: [PATCH 4/6] Fix #69975: PHP segfaults when accessing nvarchar(max) defined columns The SQL Server Native Client 11.0 and maybe other ODBC drivers report NVARCHAR(MAX) columns as SQL_WVARCHAR with size 0. This causes too small a buffer to be emalloc'd, likely causing a segfault in the following. As we don't know the real size of the column data, we treat such colums as SQL_WLONGVARCHAR. The related bug #67437 suggests that some drivers report a size of ~4GB. It is not certain that this is really the case (there might be some integer overflow involved, and anyway, there has been no feedback), so we do not cater for this now. However, it would not be hard to treat all sizes above a certain threshold in a similar way, i.e. as SQL_WLONGVARCHAR. (cherry picked from commit 16db4d1462bf3eacb93c0cd940f799160a284b24) (cherry picked from commit 344ff5dd4c538eaebea075f7705321f8b86d0b47) --- ext/odbc/php_odbc.c | 7 +++++++ ext/odbc/tests/bug69975.phpt | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) create mode 100644 ext/odbc/tests/bug69975.phpt diff --git a/ext/odbc/php_odbc.c b/ext/odbc/php_odbc.c index ddfbc4edbe5..1d70b7fd19f 100644 --- a/ext/odbc/php_odbc.c +++ b/ext/odbc/php_odbc.c 
@@ -1007,6 +1007,13 @@ int odbc_bindcols(odbc_result *result TSRMLS_DC) rc = SQLColAttributes(result->stmt, (SQLUSMALLINT)(i+1), SQL_COLUMN_DISPLAY_SIZE, NULL, 0, NULL, &displaysize); } + + /* Workaround for drivers that report NVARCHAR(MAX) columns as SQL_WVARCHAR with size 0 (bug #69975) */ + if (result->values[i].coltype == SQL_WVARCHAR && displaysize == 0) { + result->values[i].coltype = SQL_WLONGVARCHAR; + result->values[i].value = NULL; + break; + } #endif /* Workaround for Oracle ODBC Driver bug (#50162) when fetching TIMESTAMP column */ if (result->values[i].coltype == SQL_TIMESTAMP) { diff --git a/ext/odbc/tests/bug69975.phpt b/ext/odbc/tests/bug69975.phpt new file mode 100644 index 00000000000..eca75645198 --- /dev/null +++ b/ext/odbc/tests/bug69975.phpt @@ -0,0 +1,32 @@ +--TEST-- +Bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +array(1) { + ["VARCHAR_COL"]=> + string(3) "foo" +} +ready +--CLEAN-- + From bdf1b22da578f284b2c4d4221b2f2d04b0a58e8f Mon Sep 17 00:00:00 2001 From: Julien Pauli Date: Fri, 8 Jul 2016 15:36:38 +0200 Subject: [PATCH 5/6] Updated NEWS --- NEWS | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index f253a43e361..f0bf71d3e5b 100644 --- a/NEWS +++ b/NEWS @@ -5,7 +5,10 @@ PHP NEWS ?? ?? 2016, PHP 5.5.38 Core: - . Fix bug #70480 (php_url_parse_ex() buffer overflow read). (Stas) + . Fixed bug #70480 (php_url_parse_ex() buffer overflow read). (Stas) + +ODBC: + . Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns) 23 Jun 2016, PHP 5.5.37 From fe1d6feb3dfa1eebd69a82c8000d2095b4e8a531 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Thu, 14 Jul 2016 21:08:54 +0200 Subject: [PATCH 6/6] Extend libxml exports These are needed to support libxslt 1.1.29 on Windows. This libxslt version fixes CVE-2015-7995 and for this reason needs to be used. --- ext/libxml/php_libxml2.def | 2 ++ 1 file changed, 2 insertions(+) 
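Review bot: The added `break` depends on the construct it exits, which is outside the hunk — if this sits in the `default:` arm of the column-type `switch` (as the preceding `SQLColAttributes` fallback suggests) it skips the display-size-based buffer allocation that follows, which is the intent, but a reader of this fragment cannot tell a switch exit from a loop exit; spell it out with `/* treat as SQL_WLONGVARCHAR: fetched lazily like the other long types, skip the displaysize-based allocation below */`. The guard fires only on the exact value `displaysize == 0`; the commit message itself notes that other drivers report sizes near 4 GB for the same columns, and if that value still reaches the allocation further down, an upper bound such as `|| displaysize > <threshold placeholder>` routed into this same branch would cover it — a TODO referencing bug #67437 beside the condition is better than silence. `SQL_WVARCHAR` and `SQL_WLONGVARCHAR` are ODBC 3.0 names, so the new block must stay inside the `#if defined(ODBCVER) && (ODBCVER >= 0x0300)` region whose `#endif` follows it; the opening `#if` is not visible here, confirm it encloses the block. odbc_bindcols starts and ends outside the hunk.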
diff --git a/ext/libxml/php_libxml2.def b/ext/libxml/php_libxml2.def
index 42a939ebb8d..905dbf386be 100644
--- a/ext/libxml/php_libxml2.def
+++ b/ext/libxml/php_libxml2.def
@@ -1544,3 +1544,5 @@ xmlXPtrNewRangePointNode
 xmlXPtrNewRangePoints
 xmlXPtrRangeToFunction
 xmlXPtrWrapLocationSet
+xmlBufContent
+xmlBufUse
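Review bot: The two new exports are appended after `xmlXPtrWrapLocationSet`, which breaks the alphabetical order the surrounding `xmlXPtr*` entries follow; `xmlBufContent` and `xmlBufUse` belong next to any other `xmlBuf*` entries earlier in the file (if present), which keeps the list greppable and avoids duplicate-symbol merge conflicts when the next export is appended at the bottom. Both symbols come from the xmlBuf API that appeared in libxml2 2.9, so a Windows build against an older bundled libxml2 will fail to resolve these exports; the commit message gives the libxslt 1.1.29 / CVE-2015-7995 motivation but not that minimum libxml2 version, and recording it there (or in the Windows build notes) would save the next person a link error.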