Diffstat (limited to 'lang/php54')
-rw-r--r-- | lang/php54/Makefile | 3 | ||||
-rw-r--r-- | lang/php54/distinfo | 3 | ||||
-rw-r--r-- | lang/php54/patches/patch-ext_xml_xml.c | 137 |
3 files changed, 141 insertions, 2 deletions
diff --git a/lang/php54/Makefile b/lang/php54/Makefile
index a9b12052ea1..e54046415c2 100644
--- a/lang/php54/Makefile
+++ b/lang/php54/Makefile
@@ -1,9 +1,10 @@
-# $NetBSD: Makefile,v 1.10 2013/07/29 16:21:07 taca Exp $
+# $NetBSD: Makefile,v 1.11 2013/07/29 16:22:38 taca Exp $
 #
 # We can't omit PKGNAME here to handle PKG_OPTIONS.
 #
 PKGNAME= php-${PHP_BASE_VERS}
+PKGREVISION= 1
 CATEGORIES= lang
 HOMEPAGE= http://www.php.net/
diff --git a/lang/php54/distinfo b/lang/php54/distinfo
index 7a06b0b8d51..8b5dfcf9e36 100644
--- a/lang/php54/distinfo
+++ b/lang/php54/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2013/07/08 13:16:21 taca Exp $
+$NetBSD: distinfo,v 1.21 2013/07/29 16:22:38 taca Exp $
 
 SHA1 (php-5.4.17.tar.bz2) = 7151b2cef85aaf3c2109ee28e88d01ddb6274d5b
 RMD160 (php-5.4.17.tar.bz2) = b167420094885593f068bcd3a012452a0156bb5b
@@ -13,6 +13,7 @@ SHA1 (patch-ext_pdo_config.m4) = 26a4ad02e5c6b7a54c3c54a6d026a3ccfed62c59
 SHA1 (patch-ext_phar_Makefile.frag) = 1af23d9135557bc7ba2f3627b317d4cbef37aaba
 SHA1 (patch-ext_phar_phar_phar.php) = 011f2d68048dbc63f5efcab4e23062daa9e8e08c
 SHA1 (patch-ext_standard_basic__functions.c) = 563fe67eb78b786cd46195026381ef22128e0841
+SHA1 (patch-ext_xml_xml.c) = 77785dd4849efe07746061a0b385989b9f7cc1bd
 SHA1 (patch-main_streams_cast.c) = 955aee9efb4868e00fbfc443bb7d92c71844a853
 SHA1 (patch-php.ini-development) = 79512bd276adaed6bcf5f7f28e965f8a6b589add
 SHA1 (patch-php.ini-production) = f5d275abe7668a139999b3607e99f271450f56ae
diff --git a/lang/php54/patches/patch-ext_xml_xml.c b/lang/php54/patches/patch-ext_xml_xml.c
new file mode 100644
index 00000000000..d75ac5fca53
--- /dev/null
+++ b/lang/php54/patches/patch-ext_xml_xml.c
@@ -0,0 +1,137 @@
+$NetBSD: patch-ext_xml_xml.c,v 1.1 2013/07/29 16:22:38 taca Exp $
+
+Fix for CVE-2013-4113 as php 5.3.27.
+
+--- ext/xml/xml.c.orig 2013-07-03 06:10:53.000000000 +0000
++++ ext/xml/xml.c
+@@ -428,7 +428,7 @@ static void xml_parser_dtor(zend_rsrc_li
+ }
+ if (parser->ltags) {
+ int inx;
+- for (inx = 0; inx < parser->level; inx++)
++ for (inx = 0; ((inx < parser->level) && (inx < XML_MAXLEVEL)); inx++)
+ efree(parser->ltags[ inx ]);
+ efree(parser->ltags);
+ }
+@@ -805,45 +805,50 @@ void _xml_startElementHandler(void *user
+ }
+ 
+ if (parser->data) {
+- zval *tag, *atr;
+- int atcnt = 0;
++ if (parser->level <= XML_MAXLEVEL) {
++ zval *tag, *atr;
++ int atcnt = 0;
+ 
+- MAKE_STD_ZVAL(tag);
+- MAKE_STD_ZVAL(atr);
++ MAKE_STD_ZVAL(tag);
++ MAKE_STD_ZVAL(atr);
+ 
+- array_init(tag);
+- array_init(atr);
++ array_init(tag);
++ array_init(atr);
+ 
+- _xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
++ _xml_add_to_info(parser,((char *) tag_name) + parser->toffset);
+ 
+- add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
+- add_assoc_string(tag,"type","open",1);
+- add_assoc_long(tag,"level",parser->level);
++ add_assoc_string(tag,"tag",((char *) tag_name) + parser->toffset,1); /* cast to avoid gcc-warning */
++ add_assoc_string(tag,"type","open",1);
++ add_assoc_long(tag,"level",parser->level);
+ 
+- parser->ltags[parser->level-1] = estrdup(tag_name);
+- parser->lastwasopen = 1;
++ parser->ltags[parser->level-1] = estrdup(tag_name);
++ parser->lastwasopen = 1;
+ 
+- attributes = (const XML_Char **) attrs;
++ attributes = (const XML_Char **) attrs;
+ 
+- while (attributes && *attributes) {
+- att = _xml_decode_tag(parser, attributes[0]);
+- val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
+-
+- add_assoc_stringl(atr,att,val,val_len,0);
++ while (attributes && *attributes) {
++ att = _xml_decode_tag(parser, attributes[0]);
++ val = xml_utf8_decode(attributes[1], strlen(attributes[1]), &val_len, parser->target_encoding);
+ 
+- atcnt++;
+- attributes += 2;
++ add_assoc_stringl(atr,att,val,val_len,0);
+ 
+- efree(att);
+- }
++ atcnt++;
++ attributes += 2;
+ 
+- if (atcnt) {
+- zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
+- } else {
+- zval_ptr_dtor(&atr);
+- }
++ efree(att);
++ }
++
++ if (atcnt) {
++ zend_hash_add(Z_ARRVAL_P(tag),"attributes",sizeof("attributes"),&atr,sizeof(zval*),NULL);
++ } else {
++ zval_ptr_dtor(&atr);
++ }
+ 
+- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),(void *) &parser->ctag);
++ } else if (parser->level == (XML_MAXLEVEL + 1)) {
++ TSRMLS_FETCH();
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
++ }
+ }
+ 
+ efree(tag_name);
+@@ -895,7 +900,7 @@ void _xml_endElementHandler(void *userDa
+ 
+ efree(tag_name);
+ 
+- if (parser->ltags) {
++ if ((parser->ltags) && (parser->level <= XML_MAXLEVEL)) {
+ efree(parser->ltags[parser->level-1]);
+ }
+ 
+@@ -979,18 +984,23 @@ void _xml_characterDataHandler(void *use
+ }
+ }
+ 
+- MAKE_STD_ZVAL(tag);
+-
+- array_init(tag);
+-
+- _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
++ if (parser->level <= XML_MAXLEVEL) {
++ MAKE_STD_ZVAL(tag);
+ 
+- add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
+- add_assoc_string(tag,"value",decoded_value,0);
+- add_assoc_string(tag,"type","cdata",1);
+- add_assoc_long(tag,"level",parser->level);
++ array_init(tag);
+ 
+- zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
++ _xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
++
++ add_assoc_string(tag,"tag",parser->ltags[parser->level-1] + parser->toffset,1);
++ add_assoc_string(tag,"value",decoded_value,0);
++ add_assoc_string(tag,"type","cdata",1);
++ add_assoc_long(tag,"level",parser->level);
++
++ zend_hash_next_index_insert(Z_ARRVAL_P(parser->data),&tag,sizeof(zval*),NULL);
++ } else if (parser->level == (XML_MAXLEVEL + 1)) {
++ TSRMLS_FETCH();
++ php_error_docref(NULL TSRMLS_CC, E_WARNING, "Maximum depth exceeded - Results truncated");
++ }
+ }
+ } else {
+ efree(decoded_value);
|
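Review bot: In the `_xml_characterDataHandler` hunk (`@@ -979,18 +984,23 @@`), the new `if (parser->level <= XML_MAXLEVEL)` branch is the only path that passes `decoded_value` to `add_assoc_string(tag,"value",decoded_value,0)` (dup=0, so the array takes ownership); once the depth limit is exceeded, both the `else if` warning arm and the silent fall-through for levels beyond `XML_MAXLEVEL + 1` leave `decoded_value` neither stored nor freed, so every character-data callback in an over-deep document appears to leak its decoded buffer for the rest of the request. The trailing context `} else { efree(decoded_value); }` only covers the `parser->data == NULL` case and does not reach this branch; `decoded_value` is allocated before the hunk, so please confirm no later free exists, but the visible control flow suggests none. I would turn the `else if` into a plain `else` that nests the `== (XML_MAXLEVEL + 1)` test and warning inside it and ends with `efree(decoded_value);`, so the truncated path releases the buffer regardless of depth. The function body starts and ends outside this hunk.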