From 92fda526417bb0f04e1ce0f310e4dcc16c128a12 Mon Sep 17 00:00:00 2001
From: panxiaohe
Date: Wed, 9 Mar 2022 19:38:15 +0800
Subject: [PATCH] Fix CVE-2021-21708
---
 backport-CVE-2021-21708-Fix-81708.patch | 54 +++++++++++++++++++++++++
 php.spec | 6 ++-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-21708-Fix-81708.patch
diff --git a/backport-CVE-2021-21708-Fix-81708.patch b/backport-CVE-2021-21708-Fix-81708.patch
new file mode 100644
index 0000000..84095da
--- /dev/null
+++ b/backport-CVE-2021-21708-Fix-81708.patch
@@ -0,0 +1,54 @@
+From 82f1bf1b6bc3a43aba62214870e6d0931e93a6d9 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker"
+Date: Mon, 31 Jan 2022 15:43:24 +0100
+Subject: [PATCH] Fix #81708: UAF due to php_filter_float() failing for ints
+
+We must only release the zval, if we actually assign a new zval.
+---
+ ext/filter/logical_filters.c | 2 +-
+ ext/filter/tests/bug81708.phpt | 20 ++++++++++++++++++++
+ 2 files changed, 21 insertions(+), 1 deletion(-)
+ create mode 100644 ext/filter/tests/bug81708.phpt
+
+diff --git a/ext/filter/logical_filters.c b/ext/filter/logical_filters.c
+index 1bf7c00d13c6..95f7a99e34b1 100644
+--- a/ext/filter/logical_filters.c
++++ b/ext/filter/logical_filters.c
+@@ -436,10 +436,10 @@ void php_filter_float(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
+ 
+ switch (is_numeric_string(num, p - num, &lval, &dval, 0)) {
+ case IS_LONG:
+- zval_ptr_dtor(value);
+ if ((min_range_set && (lval < min_range)) || (max_range_set && (lval > max_range))) {
+ goto error;
+ }
++ zval_ptr_dtor(value);
+ ZVAL_DOUBLE(value, (double)lval);
+ break;
+ case IS_DOUBLE:
+diff --git a/ext/filter/tests/bug81708.phpt b/ext/filter/tests/bug81708.phpt
+new file mode 100644
+index 000000000000..d0036af13682
+--- /dev/null
++++ b/ext/filter/tests/bug81708.phpt
+@@ -0,0 +1,20 @@
++--TEST--
++Bug #81708 (UAF due to php_filter_float() failing for ints)
++--SKIPIF--
++
++--INI--
++opcache.enable_cli=0
++--FILE--
++ ['min_range' => -1, 'max_range' => 1]]
++);
++var_dump($input);
++?>
++--EXPECT--
++string(3) "+11"
diff --git a/php.spec b/php.spec
index a09517e..1c381f6 100644
--- a/php.spec
+++ b/php.spec
@@ -28,7 +28,7 @@ Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 19
+Release: 20
 Summary: PHP scripting language for creating dynamic web sites
 License: PHP and Zend and BSD and MIT and ASL 1.0 and NCSA LGPL-2.1+ and Apache-2.0 and Artistic-1.0-Perl
 URL: http://www.php.net/
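Review bot: The moved `zval_ptr_dtor(value);` is the whole fix, yet nothing in the hunk records why its position matters, and the `error:` label both `goto error` lines jump to is outside the hunk; a one-line comment above the moved call would keep a later refactor from hoisting it back, e.g. `/* Bug #81708: release the input zval only once it is certain to be replaced; releasing before the range check left a freed zval for the error path. */`. The `case IS_DOUBLE:` branch that starts on the hunk's last line continues outside it and should be confirmed to follow the same order (range checks, then release, then ZVAL_DOUBLE), otherwise a float input could still reach the same double release. The blob ids `1bf7c00d13c6..95f7a99e34b1` are upstream's while the spec changelog names 7.2.10-20, so a clean apply of the `@@ -436,10 +436,10 @@` hunk against that tree is an assumption this page cannot confirm. In the embedded bug81708.phpt hunk the `--SKIPIF--` and `--FILE--` bodies show only `++` and a fragment beginning at `['min_range'`, which looks like the page extraction dropping text from `<?php` to the next `>` rather than a defect in the committed test; the committed file should still be run once to confirm it exercises the IS_LONG path with a range rejection. php_filter_float begins and ends outside the hunk.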
@@ -115,6 +115,7 @@ Patch6041: backport-CVE-2020-7067-Fix-bug-79465-use-unsigneds-as-indexes.pat
 Patch6042: backport-CVE-2019-11038-Fix-77973-Uninitialized-read-in-gdImageCreateFromXbm.patch
 Patch6043: backport-CVE-2019-11039-Fix-bug-78069-Out-of-bounds-read-in-iconv.c-_php_ico.patch
 Patch6044: backport-CVE-2019-11040-Fix-bug-77988-heap-buffer-overflow-on-php_jpg_get16.patch
+Patch6045: backport-CVE-2021-21708-Fix-81708.patch
 BuildRequires: bzip2-devel, curl-devel >= 7.9, httpd-devel >= 2.0.46-1, pam-devel, httpd-filesystem, nginx-filesystem
 BuildRequires: libstdc++-devel, openssl-devel, sqlite-devel >= 3.6.0, zlib-devel, smtpdaemon, libedit-devel
@@ -1176,6 +1177,9 @@ systemctl try-restart php-fpm.service >/dev/null 2>&1 || :
 %changelog
+* Wed Mar 9 2022 panxiaohe - 7.2.10-20
+- Fix CVE-2021-21708
+
 * Mon Feb 28 2022 wangchen - 7.2.10-19
 - Fix CVE-2019-11038 CVE-2019-11039 CVE-2019-11040
-- Gitee
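Review bot: `+Patch6045: backport-CVE-2021-21708-Fix-81708.patch` only declares the patch; whether it is applied is decided in `%prep`, which is outside this hunk. If the spec applies patches with explicit `%patchNNNN -p1` lines rather than `%autosetup`/`%autopatch`, a matching `%patch6045 -p1` is needed, otherwise the changelog entry in the next hunk claims a CVE fix that is not built in. Checking the build log for the patch being applied, or running the backported bug81708.phpt against the built package, would settle it.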