author | taca <taca> | 2011-03-21 16:34:28 +0000 |
---|---|---|
committer | taca <taca> | 2011-03-21 16:34:28 +0000 |
commit | 77b4e5481c039eb362c46b51c904d5c9ef36c3e3 (patch) | |
tree | a2a391438f1d16e4a0c6dc52cd93470bbf215228 /lang | |
parent | 3a585005aac7af2d5af99c286e89e9925222d112 (diff) | |
download | pkgsrc-77b4e5481c039eb362c46b51c904d5c9ef36c3e3.tar.gz |
Apply changes by r308525 from PHP's repository to fix bug #54055
(buffer overrun with high values for precision ini setting).
It is one of the security fixes from PHP 5.3.6.
Bump PKGREVISION.
Diffstat (limited to 'lang')
-rw-r--r-- | lang/php5/Makefile | 4 | ||||
-rw-r--r-- | lang/php5/distinfo | 5 | ||||
-rw-r--r-- | lang/php5/patches/patch-main_snprintf.c | 26 | ||||
-rw-r--r-- | lang/php5/patches/patch-main_snprintf.h | 31 | ||||
-rw-r--r-- | lang/php5/patches/patch-main_spprintf.c | 26 |
5 files changed, 89 insertions, 3 deletions
diff --git a/lang/php5/Makefile b/lang/php5/Makefile
index 9fac3702858..543bd973497 100644
--- a/lang/php5/Makefile
+++ b/lang/php5/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.83 2011/02/21 16:25:33 taca Exp $
+# $NetBSD: Makefile,v 1.84 2011/03/21 16:34:28 taca Exp $
 PKGNAME= php-${PHP_BASE_VERS}
-PKGREVISION= 2
+PKGREVISION= 3
 CATEGORIES= lang
 HOMEPAGE= http://www.php.net/
 COMMENT= PHP Hypertext Preprocessor version 5
diff --git a/lang/php5/distinfo b/lang/php5/distinfo
index c520cb218fa..2cc3f88dadc 100644
--- a/lang/php5/distinfo
+++ b/lang/php5/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.88 2011/03/21 16:08:29 taca Exp $
+$NetBSD: distinfo,v 1.89 2011/03/21 16:34:28 taca Exp $
 SHA1 (php-5.2.17/php-5.2.17.tar.bz2) = d68f3b09f766990d815a3c4c63c157db8dab8095
 RMD160 (php-5.2.17/php-5.2.17.tar.bz2) = 567fa8d718b93fb83a89494c83a8bec224ac99e9
@@ -18,3 +18,6 @@ SHA1 (patch-ext_exif_exif.c) = 0a6ab268751e633510cb6b334b1bdb84a014b528
 SHA1 (patch-ext_shmop_shmop.c) = 6e11b87dd71ff26357b14b61df626c40b40a022d
 SHA1 (patch-ext_zip_lib_zip__name__locate.c) = 4030e37ae4f93dbcb1a3a937a5407c2c406a49d6
 SHA1 (patch-ext_zip_php__zip.c) = 134fa566a689d72d63a2fa0aa5c96c4595619089
+SHA1 (patch-main_snprintf.c) = cb112df0cadf84aaeee5987169a31460989995a8
+SHA1 (patch-main_snprintf.h) = 86ae4c1c8ae9183254e9914cb56d3df999f719cf
+SHA1 (patch-main_spprintf.c) = 0fe0888b612402c41f040c8781df7f1a7ca66275
diff --git a/lang/php5/patches/patch-main_snprintf.c b/lang/php5/patches/patch-main_snprintf.c
new file mode 100644
index 00000000000..e77da08b9ce
--- /dev/null
+++ b/lang/php5/patches/patch-main_snprintf.c
@@ -0,0 +1,26 @@
+$NetBSD: patch-main_snprintf.c,v 1.1 2011/03/21 16:34:28 taca Exp $
+
+--- main/snprintf.c.orig 2010-01-03 09:23:27.000000000 +0000
++++ main/snprintf.c
+@@ -675,10 +675,6 @@ static int format_converter(register buf
+ 
+ /*
+ * Check if a precision was specified
+- *
+- * XXX: an unreasonable amount of precision may be specified
+- * resulting in overflow of num_buf. Currently we
+- * ignore this possibility.
+ */
+ if (*fmt == '.') {
+ adjust_precision = YES;
+@@ -692,6 +688,10 @@ static int format_converter(register buf
+ precision = 0;
+ } else
+ precision = 0;
++
++ if (precision > FORMAT_CONV_MAX_PRECISION) {
++ precision = FORMAT_CONV_MAX_PRECISION;
++ }
+ } else
+ adjust_precision = NO;
+ } else
diff --git a/lang/php5/patches/patch-main_snprintf.h b/lang/php5/patches/patch-main_snprintf.h
new file mode 100644
index 00000000000..2354dfa7dda
--- /dev/null
+++ b/lang/php5/patches/patch-main_snprintf.h
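Review bot: The clamp inserted after the final `precision = 0;` else-branch bounds both the `%.N` and the `%.*` forms, but it only guards the upper end, so a `precision` that has already wrapped negative would pass it. The `%.*` path is covered because the context lines just above reset negative values to 0; the literal-digit path is parsed above the hunk (outside view), and if that parser accumulates into a plain `int` with no overflow check, a long enough digit run could wrap before the clamp is reached — worth confirming against the full function, particularly if the format string can ever come from untrusted input. A comment on the clamp would also help the next maintainer, e.g. `/* Bound precision so php_gcvt() cannot overrun num_buf (bug #54055); negative values were already reset above. */`. The identical hunk in patch-main_spprintf.c has the same remarks. format_converter's body begins and ends outside these inner hunks.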
@@ -0,0 +1,31 @@
+$NetBSD: patch-main_snprintf.h,v 1.1 2011/03/21 16:34:28 taca Exp $
+
+--- main/snprintf.h.orig 2010-01-03 09:23:27.000000000 +0000
++++ main/snprintf.h
+@@ -12,7 +12,7 @@
+ | obtain it through the world-wide-web, please send a note to |
+ | license@php.net so we can mail you a copy immediately. |
+ +----------------------------------------------------------------------+
+- | Author: Stig Sæther Bakken <ssb@php.net> |
++ | Author: Stig Sæther Bakken <ssb@php.net> |
+ | Marcus Boerger <helly@php.net> |
+ +----------------------------------------------------------------------+
+ */
+@@ -148,6 +148,17 @@ extern char * ap_php_conv_10(register wi
+ extern char * ap_php_conv_p2(register u_wide_int num, register int nbits,
+ char format, char *buf_end, register int *len);
+ 
++/* The maximum precision that's allowed for float conversion. Does not include
++ * decimal separator, exponent, sign, terminator. Currently does not affect
++ * the modes e/f, only g/k/H, as those have a different limit enforced at
++ * another level (see NDIG in php_conv_fp()).
++ * Applies to the formatting functions of both spprintf.c and snprintf.c, which
++ * use equally sized buffers of MAX_BUF_SIZE = 512 to hold the result of the
++ * call to php_gcvt().
++ * This should be reasonably smaller than MAX_BUF_SIZE (I think MAX_BUF_SIZE - 9
++ * should be enough, but let's give some more space) */
++#define FORMAT_CONV_MAX_PRECISION 500
++
+ #endif /* SNPRINTF_H */
+ 
+ /*
diff --git a/lang/php5/patches/patch-main_spprintf.c b/lang/php5/patches/patch-main_spprintf.c
new file mode 100644
index 00000000000..8c425552288
--- /dev/null
+++ b/lang/php5/patches/patch-main_spprintf.c
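Review bot: The first inner hunk (`-12,7 +12,7`) rewrites the `Author: Stig Sæther Bakken` line, and since both sides render identically here, presumably only the byte encoding of the non-ASCII `æ` differs. That change is unrelated to bug #54055 and ties the pkgsrc patch to the distfile's exact bytes on that line, so I would drop that inner hunk and keep the patch to the `FORMAT_CONV_MAX_PRECISION` addition. The invariant the new comment describes — 500 must stay well below `MAX_BUF_SIZE` (512) — is enforced only in prose; as the comment says `MAX_BUF_SIZE` lives in the two .c files rather than in this header, a preprocessor guard next to each of those definitions would make it mechanical: `#if FORMAT_CONV_MAX_PRECISION >= MAX_BUF_SIZE` / `#error "FORMAT_CONV_MAX_PRECISION must be smaller than MAX_BUF_SIZE"` / `#endif`.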
@@ -0,0 +1,26 @@
+$NetBSD: patch-main_spprintf.c,v 1.1 2011/03/21 16:34:28 taca Exp $
+
+--- main/spprintf.c.orig 2010-01-03 09:23:27.000000000 +0000
++++ main/spprintf.c
+@@ -282,10 +282,6 @@ static void xbuf_format_converter(smart_
+ 
+ /*
+ * Check if a precision was specified
+- *
+- * XXX: an unreasonable amount of precision may be specified
+- * resulting in overflow of num_buf. Currently we
+- * ignore this possibility.
+ */
+ if (*fmt == '.') {
+ adjust_precision = YES;
+@@ -299,6 +295,10 @@ static void xbuf_format_converter(smart_
+ precision = 0;
+ } else
+ precision = 0;
++
++ if (precision > FORMAT_CONV_MAX_PRECISION) {
++ precision = FORMAT_CONV_MAX_PRECISION;
++ }
+ } else
+ adjust_precision = NO;
+ } else