Pullup ticket #3432 - requested by taca

lang/php53 security update

Revisions pulled up:
- lang/php53/Makefile                                           1.9
- lang/php53/distinfo                                           1.14
- lang/php53/patches/patch-ext_standard_string.c                1.1

---
   Module Name:	pkgsrc
   Committed By:	taca
   Date:		Mon May 16 13:08:45 UTC 2011

   Modified Files:
   	pkgsrc/lang/php53: Makefile distinfo
   Added Files:
   	pkgsrc/lang/php53/patches: patch-ext_standard_string.c

   Log Message:
   Add a patch to fix for CVE-2011-1148 (and more bugfix) from PHP's repository.

   Bump PKGREVISION.

3 files changed, 167 insertions, 5 deletions

diff --git a/lang/php53/Makefile b/lang/php53/Makefile
index 900c6b881b2..d573e8e7ee8 100644
--- a/lang/php53/Makefile
+++ b/lang/php53/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.8 2011/03/19 07:01:18 taca Exp $
+# $NetBSD: Makefile,v 1.8.2.1 2011/05/17 08:17:06 sbd Exp $
 
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME=		php-${PHP_BASE_VERS}
+PKGREVISION=		1
 CATEGORIES=		lang
 HOMEPAGE=		http://www.php.net/
 COMMENT=		PHP Hypertext Preprocessor version 5
diff --git a/lang/php53/distinfo b/lang/php53/distinfo
index f288322d1a4..8c5a9fbbbf5 100644
--- a/lang/php53/distinfo
+++ b/lang/php53/distinfo
@@ -1,11 +1,8 @@
-$NetBSD: distinfo,v 1.13 2011/03/19 07:01:18 taca Exp $
+$NetBSD: distinfo,v 1.13.2.1 2011/05/17 08:17:07 sbd Exp $
 
 SHA1 (php-5.3.6/php-5.3.6.tar.bz2) = 0e0b9b4d9117f22080e2204afa9383469eb0dbbd
 RMD160 (php-5.3.6/php-5.3.6.tar.bz2) = 619bf96cf24bf6aa0988494186f8914fde94d44d
 Size (php-5.3.6/php-5.3.6.tar.bz2) = 10952171 bytes
-SHA1 (php-5.3.6/suhosin-patch-5.3.4-0.9.10.patch.gz) = a2ab4bd03a329ec56a1f8b99e12e59f1838e0da6
-RMD160 (php-5.3.6/suhosin-patch-5.3.4-0.9.10.patch.gz) = e5105397a9e41997ad11d2a0be01c7e3c9d06c6e
-Size (php-5.3.6/suhosin-patch-5.3.4-0.9.10.patch.gz) = 41092 bytes
 SHA1 (patch-aa) = b0dc6cd0b2103d5858280202506b33322a98496e
 SHA1 (patch-ab) = d08bb50cf074a6065ef0d1d67a713b7573cb2f5b
 SHA1 (patch-ac) = 07a3d6c9ee4c316033afd8c7db71eb21045a3afd
@@ -17,3 +14,4 @@ SHA1 (patch-ah) = b20c29c64b3099f77855a5ec28960dc1c4f65c83
 SHA1 (patch-ai) = d4766893a2c47a4e4a744248dda265b0a9a66a1f
 SHA1 (patch-aj) = d611d13fcc28c5d2b9e9586832ce4b8ae5707b48
 SHA1 (patch-al) = fbbee5502e0cd1c47c6e7c15e0d54746414ec32e
+SHA1 (patch-ext_standard_string.c) = fe16ffedd894a6d580f3c998b9f571f403f4a764
diff --git a/lang/php53/patches/patch-ext_standard_string.c b/lang/php53/patches/patch-ext_standard_string.c
new file mode 100644
index 00000000000..71104aee125
--- /dev/null
+++ b/lang/php53/patches/patch-ext_standard_string.c
@@ -0,0 +1,163 @@
+$NetBSD: patch-ext_standard_string.c,v 1.1.2.2 2011/05/17 08:17:07 sbd Exp $
+
+* Update to r310401 of PHP's repository, including fix for CVE-2011-1148.
+
+--- ext/standard/string.c.orig	2011-01-01 02:19:59.000000000 +0000
++++ ext/standard/string.c
+@@ -2352,20 +2352,35 @@ PHP_FUNCTION(substr_replace)
+ 
+ 		zend_hash_internal_pointer_reset_ex(Z_ARRVAL_PP(str), &pos_str);
+ 		while (zend_hash_get_current_data_ex(Z_ARRVAL_PP(str), (void **) &tmp_str, &pos_str) == SUCCESS) {
+-			convert_to_string_ex(tmp_str);
++			zval *orig_str;
++			zval dummy;
++			if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++				dummy = **tmp_str;
++				orig_str = &dummy;
++				zval_copy_ctor(orig_str);
++				convert_to_string(orig_str);
++			} else {
++				orig_str = *tmp_str;
++			}
+ 
+ 			if (Z_TYPE_PP(from) == IS_ARRAY) {
+ 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(from), (void **) &tmp_from, &pos_from)) {
+-					convert_to_long_ex(tmp_from);
++					if(Z_TYPE_PP(tmp_from) != IS_LONG) {
++						zval dummy = **tmp_from;
++						zval_copy_ctor(&dummy);
++						convert_to_long(&dummy);
++						f = Z_LVAL(dummy);
++					} else {
++						f = Z_LVAL_PP(tmp_from);
++					}
+ 
+-					f = Z_LVAL_PP(tmp_from);
+ 					if (f < 0) {
+-						f = Z_STRLEN_PP(tmp_str) + f;
++						f = Z_STRLEN_P(orig_str) + f;
+ 						if (f < 0) {
+ 							f = 0;
+ 						}
+-					} else if (f > Z_STRLEN_PP(tmp_str)) {
+-						f = Z_STRLEN_PP(tmp_str);
++					} else if (f > Z_STRLEN_P(orig_str)) {
++						f = Z_STRLEN_P(orig_str);
+ 					}
+ 					zend_hash_move_forward_ex(Z_ARRVAL_PP(from), &pos_from);
+ 				} else {
+@@ -2374,72 +2389,92 @@ PHP_FUNCTION(substr_replace)
+ 			} else {
+ 				f = Z_LVAL_PP(from);
+ 				if (f < 0) {
+-					f = Z_STRLEN_PP(tmp_str) + f;
++					f = Z_STRLEN_P(orig_str) + f;
+ 					if (f < 0) {
+ 						f = 0;
+ 					}
+-				} else if (f > Z_STRLEN_PP(tmp_str)) {
+-					f = Z_STRLEN_PP(tmp_str);
++				} else if (f > Z_STRLEN_P(orig_str)) {
++					f = Z_STRLEN_P(orig_str);
+ 				}
+ 			}
+ 
+ 			if (argc > 3 && Z_TYPE_PP(len) == IS_ARRAY) {
+ 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(len), (void **) &tmp_len, &pos_len)) {
+-					convert_to_long_ex(tmp_len);
+-
+-					l = Z_LVAL_PP(tmp_len);
++					if(Z_TYPE_PP(tmp_len) != IS_LONG) {
++						zval dummy = **tmp_len;
++						zval_copy_ctor(&dummy);
++						convert_to_long(&dummy);
++						l = Z_LVAL(dummy);
++					} else {
++						l = Z_LVAL_PP(tmp_len);
++					}
+ 					zend_hash_move_forward_ex(Z_ARRVAL_PP(len), &pos_len);
+ 				} else {
+-					l = Z_STRLEN_PP(tmp_str);
++					l = Z_STRLEN_P(orig_str);
+ 				}
+ 			} else if (argc > 3) { 
+ 				l = Z_LVAL_PP(len);
+ 			} else {
+-				l = Z_STRLEN_PP(tmp_str);
++				l = Z_STRLEN_P(orig_str);
+ 			}
+ 
+ 			if (l < 0) {
+-				l = (Z_STRLEN_PP(tmp_str) - f) + l;
++				l = (Z_STRLEN_P(orig_str) - f) + l;
+ 				if (l < 0) {
+ 					l = 0;
+ 				}
+ 			}
+ 
+-			if ((f + l) > Z_STRLEN_PP(tmp_str)) {
+-				l = Z_STRLEN_PP(tmp_str) - f;
++			if ((f + l) > Z_STRLEN_P(orig_str)) {
++				l = Z_STRLEN_P(orig_str) - f;
+ 			}
+ 
+-			result_len = Z_STRLEN_PP(tmp_str) - l;
++			result_len = Z_STRLEN_P(orig_str) - l;
+ 
+ 			if (Z_TYPE_PP(repl) == IS_ARRAY) {
+ 				if (SUCCESS == zend_hash_get_current_data_ex(Z_ARRVAL_PP(repl), (void **) &tmp_repl, &pos_repl)) {
+-					convert_to_string_ex(tmp_repl);
+-					result_len += Z_STRLEN_PP(tmp_repl);
++					zval *repl_str;
++					zval zrepl;
++					if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++						zrepl = **tmp_repl;
++						repl_str = &zrepl;
++						zval_copy_ctor(repl_str);
++						convert_to_string(repl_str);
++					} else {
++						repl_str = *tmp_repl;
++					}
++
++					result_len += Z_STRLEN_P(repl_str);
+ 					zend_hash_move_forward_ex(Z_ARRVAL_PP(repl), &pos_repl);	
+ 					result = emalloc(result_len + 1);
+ 
+-					memcpy(result, Z_STRVAL_PP(tmp_str), f);
+-					memcpy((result + f), Z_STRVAL_PP(tmp_repl), Z_STRLEN_PP(tmp_repl));
+-					memcpy((result + f + Z_STRLEN_PP(tmp_repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++					memcpy(result, Z_STRVAL_P(orig_str), f);
++					memcpy((result + f), Z_STRVAL_P(repl_str), Z_STRLEN_P(repl_str));
++					memcpy((result + f + Z_STRLEN_P(repl_str)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
++					if(Z_TYPE_PP(tmp_repl) != IS_STRING) {
++						zval_dtor(repl_str);
++					}
+ 				} else {
+ 					result = emalloc(result_len + 1);
+ 	
+-					memcpy(result, Z_STRVAL_PP(tmp_str), f);
+-					memcpy((result + f), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++					memcpy(result, Z_STRVAL_P(orig_str), f);
++					memcpy((result + f), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ 				}
+ 			} else {
+ 				result_len += Z_STRLEN_PP(repl);
+ 
+ 				result = emalloc(result_len + 1);
+ 
+-				memcpy(result, Z_STRVAL_PP(tmp_str), f);
++				memcpy(result, Z_STRVAL_P(orig_str), f);
+ 				memcpy((result + f), Z_STRVAL_PP(repl), Z_STRLEN_PP(repl));
+-				memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_PP(tmp_str) + f + l, Z_STRLEN_PP(tmp_str) - f - l);
++				memcpy((result + f + Z_STRLEN_PP(repl)), Z_STRVAL_P(orig_str) + f + l, Z_STRLEN_P(orig_str) - f - l);
+ 			}
+ 
+ 			result[result_len] = '\0';
+ 			add_next_index_stringl(return_value, result, result_len, 0);
+-
++			if(Z_TYPE_PP(tmp_str) != IS_STRING) {
++				zval_dtor(orig_str);
++			}
+ 			zend_hash_move_forward_ex(Z_ARRVAL_PP(str), &pos_str);
+ 		} /*while*/
+ 	} /* if */