From f0d611778616df1509c54be115726160f8303616 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Wed, 22 Jul 2020 10:09:26 +0800
Subject: [PATCH] fix CVE-2019-11048

---
 CVE-2019-11048.patch | 36 ++++++++++++++++++++++++++++++++++++
 php.spec             |  9 ++++++++-
 2 files changed, 44 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2019-11048.patch

diff --git a/CVE-2019-11048.patch b/CVE-2019-11048.patch
new file mode 100644
index 0000000..d5849a5
--- /dev/null
+++ b/CVE-2019-11048.patch
@@ -0,0 +1,36 @@
+From 1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Wed, 18 Mar 2020 10:26:53 +0100
+Subject: [PATCH] Fix #78875: Long filenames cause OOM and temp files are not
+ cleaned
+
+We must not cast `size_t` to `int` (unless the `size_t` value is
+guaranteed to be less than or equal to `INT_MAX`).  In this case we can
+declare `array_len` as `size_t` in the first place.
+---
+ main/rfc1867.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index bd01b34cf070..783eab4175d5 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -692,7 +692,8 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 	char *boundary, *s = NULL, *boundary_end = NULL, *start_arr = NULL, *array_index = NULL;
+ 	char *lbuf = NULL, *abuf = NULL;
+ 	zend_string *temp_filename = NULL;
+-	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0, array_len = 0;
++	int boundary_len = 0, cancel_upload = 0, is_arr_upload = 0;
++	size_t array_len = 0;
+ 	int64_t total_bytes = 0, max_file_size = 0;
+ 	int skip_upload = 0, anonindex = 0, is_anonymous;
+ 	HashTable *uploaded_files = NULL;
+@@ -1126,7 +1127,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 			is_arr_upload =	(start_arr = strchr(param,'[')) && (param[strlen(param)-1] == ']');
+ 
+ 			if (is_arr_upload) {
+-				array_len = (int)strlen(start_arr);
++				array_len = strlen(start_arr);
+ 				if (array_index) {
+ 					efree(array_index);
+ 				}
diff --git a/php.spec b/php.spec
index d378001..097c9c2 100644
--- a/php.spec
+++ b/php.spec
@@ -28,7 +28,7 @@
 
 Name:          php
 Version:       %{upver}%{?rcver:~%{rcver}}
-Release:       5
+Release:       6
 Summary:       PHP scripting language for creating dynamic web sites
 License:       PHP and Zend and BSD and MIT and ASL 1.0 and NCSA
 URL:           http://www.php.net/
@@ -91,6 +91,7 @@ Patch6020:     CVE-2018-19518.patch
 Patch6021:     CVE-2019-6977.patch
 Patch6022:     CVE-2020-7064.patch
 Patch6023:     CVE-2020-7066.patch
+Patch6024:     CVE-2019-11048.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1151,6 +1152,12 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 
 
 %changelog
+* Tue Jul 21 2020 wangyue <wangyue92@huawei.com> - 7.2.10-6
+- Type:cves
+- ID:CVE-2019-11048
+- SUG:restart
+- DESC:fix CVE-2019-11048
+
 * Mon May 18 2020 wangchen <wangchen137@huawei.com> - 7.2.10-5
 - rebuild for php
 
-- 
Gitee