author | taca <taca@pkgsrc.org> | 2014-07-13 15:23:42 +0000 |
---|---|---|
committer | taca <taca@pkgsrc.org> | 2014-07-13 15:23:42 +0000 |
commit | cd4bf94c5c156e7eed6af2237eca7d70cfbd955c (patch) | |
tree | 72387d2f5f5888c50d25b4b6172223e0366e3cf0 /lang/php55 | |
parent | 9ed796cd4c5b7d25228793d5c5225dedc853ba73 (diff) | |
download | pkgsrc-cd4bf94c5c156e7eed6af2237eca7d70cfbd955c.tar.gz |
Add fix for CVE-2014-4698 and CVE-2014-4670.
Bump PKGREVISION.
Diffstat (limited to 'lang/php55')
-rw-r--r-- | lang/php55/Makefile | 3 | ||||
-rw-r--r-- | lang/php55/distinfo | 4 | ||||
-rw-r--r-- | lang/php55/patches/patch-ext_spl_spl__array.c | 27 | ||||
-rw-r--r-- | lang/php55/patches/patch-ext_spl_spl__dllist.c | 18 |
4 files changed, 50 insertions, 2 deletions
diff --git a/lang/php55/Makefile b/lang/php55/Makefile index c9d6c385cdb..77718501b91 100644 --- a/lang/php55/Makefile +++ b/lang/php55/Makefile @@ -1,9 +1,10 @@ -# $NetBSD: Makefile,v 1.14 2014/06/27 11:34:19 taca Exp $ +# $NetBSD: Makefile,v 1.15 2014/07/13 15:23:42 taca Exp $ # # We can't omit PKGNAME here to handle PKG_OPTIONS. # PKGNAME= php-${PHP_BASE_VERS} +PKGREVISION= 1 CATEGORIES= lang HOMEPAGE= http://www.php.net/ diff --git a/lang/php55/distinfo b/lang/php55/distinfo index 683199454c4..9f83e7e5cd9 100644 --- a/lang/php55/distinfo +++ b/lang/php55/distinfo @@ -1,4 +1,4 @@ -$NetBSD: distinfo,v 1.25 2014/06/27 11:34:19 taca Exp $ +$NetBSD: distinfo,v 1.26 2014/07/13 15:23:42 taca Exp $ SHA1 (php-5.5.14.tar.bz2) = 062d351da165aa0568e4d8cbc53a18d73b99f49a RMD160 (php-5.5.14.tar.bz2) = d3f87693d3118cfdc64a7b77e9b765ce4eb7ae60 @@ -16,6 +16,8 @@ SHA1 (patch-ext_pdo__mysql_config.m4) = 3526e737da25129710218e7141d5a05ae0a51390 SHA1 (patch-ext_pdo_config.m4) = 26a4ad02e5c6b7a54c3c54a6d026a3ccfed62c59 SHA1 (patch-ext_phar_Makefile.frag) = 1af23d9135557bc7ba2f3627b317d4cbef37aaba SHA1 (patch-ext_phar_phar_phar.php) = 011f2d68048dbc63f5efcab4e23062daa9e8e08c +SHA1 (patch-ext_spl_spl__array.c) = de3ac1ade2201fedb41fb23efb03887307de45bc +SHA1 (patch-ext_spl_spl__dllist.c) = f98d5dc1199eb021e776599761e0823ce8463f2e SHA1 (patch-ext_sqlite3_libsqlite_sqlite3.c) = b384b9daa466f2a8a3e6cfd4ea6cff81f9342941 SHA1 (patch-ext_standard_basic__functions.c) = f2a44998145306c2cb2d2f3822c0e7cc70c778b4 SHA1 (patch-makedist) = 3f6b0621d30264824f2cb4c2903d15ba95be3937 diff --git a/lang/php55/patches/patch-ext_spl_spl__array.c b/lang/php55/patches/patch-ext_spl_spl__array.c new file mode 100644 index 00000000000..592c8c6d699 --- /dev/null +++ b/lang/php55/patches/patch-ext_spl_spl__array.c 
@@ -0,0 +1,27 @@
+$NetBSD: patch-ext_spl_spl__array.c,v 1.1 2014/07/13 15:23:42 taca Exp $
+
+Fix for CVE-2014-4698.
+
+--- ext/spl/spl_array.c.orig 2014-06-25 13:06:23.000000000 +0000
++++ ext/spl/spl_array.c
+@@ -1733,6 +1733,7 @@ SPL_METHOD(Array, unserialize)
+ const unsigned char *p, *s;
+ php_unserialize_data_t var_hash;
+ zval *pmembers, *pflags = NULL;
++ HashTable *aht;
+ long flags;
+
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &buf, &buf_len) == FAILURE) {
+@@ -1744,6 +1745,12 @@ SPL_METHOD(Array, unserialize)
+ return;
+ }
+
++ aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);
++ if (aht->nApplyCount > 0) {
++ zend_error(E_WARNING, "Modification of ArrayObject during sorting is prohibited");
++ return;
++ }
++
+ /* storage */
+ s = p = (const unsigned char*)buf;
+ PHP_VAR_UNSERIALIZE_INIT(var_hash);
diff --git a/lang/php55/patches/patch-ext_spl_spl__dllist.c b/lang/php55/patches/patch-ext_spl_spl__dllist.c
new file mode 100644
index 00000000000..32d0944c58b
--- /dev/null
+++ b/lang/php55/patches/patch-ext_spl_spl__dllist.c
@@ -0,0 +1,18 @@
+$NetBSD: patch-ext_spl_spl__dllist.c,v 1.1 2014/07/13 15:23:42 taca Exp $
+
+Fix for CVE-2014-4670.
+
+--- ext/spl/spl_dllist.c.orig 2014-06-25 13:06:23.000000000 +0000
++++ ext/spl/spl_dllist.c
+@@ -916,6 +916,11 @@ SPL_METHOD(SplDoublyLinkedList, offsetUn
+ llist->dtor(element TSRMLS_CC);
+ }
+
++ if (intern->traverse_pointer == element) {
++ SPL_LLIST_DELREF(element);
++ intern->traverse_pointer = NULL;
++ }
++
+ zval_ptr_dtor((zval **)&element->data);
+ element->data = NULL;
+ |
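Review bot: In the `ext/spl/spl_array.c` patch, the new guard in `SPL_METHOD(Array, unserialize)` reads `aht->nApplyCount` immediately after `aht = spl_array_get_hash_table(intern, 0 TSRMLS_CC);` without checking the result. The helper's definition is not in this hunk; if it can return NULL, the check added for CVE-2014-4698 would itself be a NULL dereference, so an explicit `if (!aht) { return; }` ahead of the count test would be safer (the return sits before `PHP_VAR_UNSERIALIZE_INIT`, so nothing needs unwinding). The warning text says "during sorting" although this path is unserialize; wording that names the actual operation would make the log line easier to triage. The function body starts and ends outside the hunk.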
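Review bot: In the `ext/spl/spl_dllist.c` patch, `element` is still dereferenced by `zval_ptr_dtor((zval **)&element->data);` and `element->data = NULL;` right after the added `SPL_LLIST_DELREF(element);`. That is only safe if the list itself still holds a reference to the element at this point, which the hunk does not show (the macro definition and the rest of offsetUnset are outside it). A comment on the new block would record that invariant, e.g. `/* drop only the iterator's reference; the list's own reference keeps element valid for the lines below */`, and it is worth confirming against the macro before relying on it.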