From 4e60e86349c6e2724d8a8d0839a1ff2d08cf7851 Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Thu, 12 Mar 2020 13:04:04 +0100 Subject: [PATCH 1/7] Fix #79371: mb_strtolower (UTF-32LE): stack-buffer-overflow We make sure that negative values are properly compared. --- ext/mbstring/php_unicode.c | 2 +- ext/mbstring/tests/bug79371.phpt | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 ext/mbstring/tests/bug79371.phpt diff --git a/ext/mbstring/php_unicode.c b/ext/mbstring/php_unicode.c index ac452b6a20776..acb16bf06e4cc 100644 --- a/ext/mbstring/php_unicode.c +++ b/ext/mbstring/php_unicode.c @@ -315,7 +315,7 @@ static int convert_case_filter(int c, void *void_data) /* Handle invalid characters early, as we assign special meaning to * codepoints above 0xffffff. */ - if (UNEXPECTED(c > 0xffffff)) { + if (UNEXPECTED((unsigned) c > 0xffffff)) { (*data->next_filter->filter_function)(c, data->next_filter); return 0; } diff --git a/ext/mbstring/tests/bug79371.phpt b/ext/mbstring/tests/bug79371.phpt new file mode 100644 index 0000000000000..3014feba5369f --- /dev/null +++ b/ext/mbstring/tests/bug79371.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +string(8) "3f000000" From ea6afe65a2d95c05231c89cc610efd34f8388c4f Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Mon, 2 Mar 2020 15:26:59 +0100 Subject: [PATCH 2/7] Fix #79283: Segfault in libmagic patch contains a buffer overflow To solve this, we properly calculate the required string length upfront instead of allocating an oversized string (`len * 4 + 4`). --- ext/fileinfo/libmagic.patch | 62 +++++++++++++++++++------------ ext/fileinfo/libmagic/softmagic.c | 18 ++++++++- ext/fileinfo/tests/bug79283.phpt | 22 +++++++++++ 3 files changed, 76 insertions(+), 26 deletions(-) create mode 100644 ext/fileinfo/tests/bug79283.phpt 
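Review bot: The new `(unsigned) c > 0xffffff` test in `convert_case_filter` relies on a negative `c` wrapping to a value above 0xffffff, yet the comment directly above it still only mentions codepoints above 0xffffff, so the next reader will not see that negatives are being diverted here as well; extend it to `/* Handle invalid characters early, as we assign special meaning to codepoints above 0xffffff; the unsigned cast also sends negative c (invalid input) down this path. */`. That negative values actually reach this filter is inferred from the commit message rather than visible in the hunk, so word the comment to match what the decoder guarantees. The enclosing function continues past the hunk. The identical hunk is repeated as patch 3 of this series further down the page.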
diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch index c3669d9d6e40e..c4728b94f8c9f 100644 --- a/ext/fileinfo/libmagic.patch +++ b/ext/fileinfo/libmagic.patch @@ -1,6 +1,6 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c --- libmagic.orig/apprentice.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/apprentice.c 2020-03-02 15:04:23.670412600 +0100 ++++ libmagic/apprentice.c 2020-02-27 11:45:38.445854000 +0100 @@ -29,6 +29,8 @@ * apprentice - make one pass through /etc/magic, learning its secrets. */ @@ -974,7 +974,7 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c } diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c --- libmagic.orig/ascmagic.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/ascmagic.c 2020-03-02 15:04:23.671413500 +0100 ++++ libmagic/ascmagic.c 2020-02-26 23:18:22.605400700 +0100 @@ -96,7 +96,7 @@ rv = file_ascmagic_with_encoding(ms, &bb, ubuf, ulen, code, type, text); @@ -1005,7 +1005,7 @@ diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c } diff -u libmagic.orig/buffer.c libmagic/buffer.c --- libmagic.orig/buffer.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/buffer.c 2020-03-02 15:04:23.672412500 +0100 ++++ libmagic/buffer.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,19 +31,23 @@ #endif /* lint */ @@ -1062,7 +1062,7 @@ diff -u libmagic.orig/buffer.c libmagic/buffer.c diff -u libmagic.orig/cdf.c libmagic/cdf.c --- libmagic.orig/cdf.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/cdf.c 2020-03-02 15:04:23.674415200 +0100 ++++ libmagic/cdf.c 2020-02-27 11:45:38.445854000 +0100 @@ -43,7 +43,17 @@ #include #endif @@ -1341,7 +1341,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c #endif diff -u libmagic.orig/cdf.h libmagic/cdf.h --- libmagic.orig/cdf.h 2019-02-20 02:24:19.000000000 +0100 -+++ libmagic/cdf.h 2020-03-02 15:04:23.675416900 +0100 ++++ libmagic/cdf.h 2020-02-27 11:45:38.445854000 +0100 @@ -35,10 +35,10 @@ #ifndef _H_CDF_ #define _H_CDF_ 
@@ -1366,7 +1366,7 @@ diff -u libmagic.orig/cdf.h libmagic/cdf.h #define CDF_SECID_FREE -1 diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c --- libmagic.orig/cdf_time.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/cdf_time.c 2020-03-02 15:04:23.676413000 +0100 ++++ libmagic/cdf_time.c 2020-02-26 23:18:22.611402900 +0100 @@ -23,6 +23,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. @@ -1395,7 +1395,7 @@ diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", diff -u libmagic.orig/compress.c libmagic/compress.c --- libmagic.orig/compress.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/compress.c 2020-03-02 15:04:23.676413000 +0100 ++++ libmagic/compress.c 2020-02-27 11:45:38.445854000 +0100 @@ -45,13 +45,11 @@ #endif #include @@ -1545,7 +1545,7 @@ diff -u libmagic.orig/compress.c libmagic/compress.c +#endif diff -u libmagic.orig/der.c libmagic/der.c --- libmagic.orig/der.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/der.c 2020-03-02 15:04:23.677412900 +0100 ++++ libmagic/der.c 2020-02-27 11:45:38.445854000 +0100 @@ -51,7 +51,9 @@ #include "magic.h" #include "der.h" @@ -1575,7 +1575,7 @@ diff -u libmagic.orig/der.c libmagic/der.c snprintf(buf + z, blen - z, "%.2x", d[i]); diff -u libmagic.orig/elfclass.h libmagic/elfclass.h --- libmagic.orig/elfclass.h 2019-02-20 02:30:19.000000000 +0100 -+++ libmagic/elfclass.h 2020-03-02 15:04:23.679414300 +0100 ++++ libmagic/elfclass.h 2020-02-26 23:18:22.613401700 +0100 @@ -41,7 +41,7 @@ return toomany(ms, "program headers", phnum); flags |= FLAGS_IS_CORE; 
@@ -1605,7 +1605,7 @@ diff -u libmagic.orig/elfclass.h libmagic/elfclass.h CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), diff -u libmagic.orig/encoding.c libmagic/encoding.c --- libmagic.orig/encoding.c 2019-04-15 18:48:41.000000000 +0200 -+++ libmagic/encoding.c 2020-03-02 15:04:23.680413600 +0100 ++++ libmagic/encoding.c 2020-02-26 23:18:22.614402300 +0100 @@ -89,13 +89,13 @@ *code_mime = "binary"; @@ -1636,7 +1636,7 @@ diff -u libmagic.orig/encoding.c libmagic/encoding.c } diff -u libmagic.orig/file.h libmagic/file.h --- libmagic.orig/file.h 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/file.h 2020-03-02 15:04:23.682414300 +0100 ++++ libmagic/file.h 2020-02-27 11:45:38.445854000 +0100 @@ -33,18 +33,9 @@ #ifndef __file_h__ #define __file_h__ @@ -1923,7 +1923,7 @@ diff -u libmagic.orig/file.h libmagic/file.h #endif diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c --- libmagic.orig/fsmagic.c 2019-05-07 04:26:48.000000000 +0200 -+++ libmagic/fsmagic.c 2020-03-02 15:04:23.683417500 +0100 ++++ libmagic/fsmagic.c 2020-02-26 23:18:22.616403500 +0100 @@ -66,26 +66,10 @@ # define minor(dev) ((dev) & 0xff) #endif @@ -2216,7 +2216,7 @@ diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c case S_IFSOCK: diff -u libmagic.orig/funcs.c libmagic/funcs.c --- libmagic.orig/funcs.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/funcs.c 2020-03-02 15:04:23.684415800 +0100 ++++ libmagic/funcs.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,7 +31,6 @@ #endif /* lint */ @@ -2572,7 +2572,7 @@ diff -u libmagic.orig/funcs.c libmagic/funcs.c diff -u libmagic.orig/magic.c libmagic/magic.c --- libmagic.orig/magic.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/magic.c 2020-03-02 15:04:23.686413600 +0100 ++++ libmagic/magic.c 2020-02-26 23:18:22.621402800 +0100 @@ -25,11 +25,6 @@ * SUCH DAMAGE. */ 
@@ -3036,8 +3036,8 @@ diff -u libmagic.orig/magic.c libmagic/magic.c public const char * magic_error(struct magic_set *ms) diff -u libmagic.orig/magic.h libmagic/magic.h ---- libmagic.orig/magic.h 2020-03-02 15:06:39.235737800 +0100 -+++ libmagic/magic.h 2020-03-02 15:04:23.686413600 +0100 +--- libmagic.orig/magic.h 2020-03-02 15:24:27.253951700 +0100 ++++ libmagic/magic.h 2020-02-26 23:18:22.622402300 +0100 @@ -124,6 +124,7 @@ const char *magic_getpath(const char *, int); @@ -3048,7 +3048,7 @@ diff -u libmagic.orig/magic.h libmagic/magic.h diff -u libmagic.orig/print.c libmagic/print.c --- libmagic.orig/print.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/print.c 2020-03-02 15:04:23.688414000 +0100 ++++ libmagic/print.c 2020-02-26 23:18:22.625401800 +0100 @@ -28,6 +28,7 @@ /* * print.c - debugging printout routines @@ -3122,7 +3122,7 @@ diff -u libmagic.orig/print.c libmagic/print.c goto out; diff -u libmagic.orig/readcdf.c libmagic/readcdf.c --- libmagic.orig/readcdf.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/readcdf.c 2020-03-02 15:04:23.689414500 +0100 ++++ libmagic/readcdf.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,7 +31,11 @@ #include @@ -3241,7 +3241,7 @@ diff -u libmagic.orig/readcdf.c libmagic/readcdf.c if (i != -1) diff -u libmagic.orig/softmagic.c libmagic/softmagic.c --- libmagic.orig/softmagic.c 2019-05-17 04:24:59.000000000 +0200 -+++ libmagic/softmagic.c 2020-03-02 15:04:23.690413500 +0100 ++++ libmagic/softmagic.c 2020-03-02 15:23:10.176763300 +0100 @@ -43,6 +43,10 @@ #include #include "der.h" 
@@ -3414,18 +3414,32 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c return rv; case FILE_USE: -@@ -1926,6 +1904,47 @@ +@@ -1926,6 +1904,61 @@ return file_strncmp(a, b, len, flags); } +public void +convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) +{ -+ int i, j=0; ++ int i, j; + zend_string *t; + -+ t = zend_string_alloc(len * 2 + 4, 0); ++ for (i = j = 0; i < len; i++) { ++ switch (val[i]) { ++ case '~': ++ j += 2; ++ break; ++ case '\0': ++ j += 4; ++ break; ++ default: ++ j++; ++ break; ++ } ++ } ++ t = zend_string_alloc(j + 4, 0); + ++ j = 0; + ZSTR_VAL(t)[j++] = '~'; + + for (i = 0; i < len; i++, j++) { @@ -3462,7 +3476,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c private int magiccheck(struct magic_set *ms, struct magic *m) { -@@ -2104,65 +2123,77 @@ +@@ -2104,65 +2137,77 @@ break; } case FILE_REGEX: { @@ -3594,7 +3608,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c case FILE_INDIRECT: diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c --- libmagic.orig/strcasestr.c 2014-09-11 17:05:33.000000000 +0200 -+++ libmagic/strcasestr.c 2019-04-02 11:56:06.853152400 +0200 ++++ libmagic/strcasestr.c 2019-11-29 08:49:38.434136600 +0100 @@ -39,6 +39,8 @@ #include "file.h" diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index 2b6d7642911c3..d71801cea5a86 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -1907,11 +1907,25 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags) public void convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) { - int i, j=0; + int i, j; zend_string *t; - t = zend_string_alloc(len * 2 + 4, 0); + for (i = j = 0; i < len; i++) { + switch (val[i]) { + case '~': + j += 2; + break; + case '\0': + j += 4; + break; + default: + j++; + break; + } + } + t = zend_string_alloc(j + 4, 0); + j = 0; ZSTR_VAL(t)[j++] = '~'; for (i = 0; i < len; i++, j++) { 
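Review bot: In the new sizing loop of `convert_libmagic_pattern`, `i` and `j` are `int` while `len` is `size_t`, so `i < len` mixes signed and unsigned and `j` (growing by up to 4 per input byte) can overflow for a very large pattern, which would undersize the very allocation this loop exists to compute; declaring them `size_t i, j;` avoids both, provided the remainder of the function (outside the hunk) does not depend on signed arithmetic. The `+ 4` in `zend_string_alloc(j + 4, 0)` deserves a comment naming what it reserves — presumably the leading `'~'` and the closing delimiter/option bytes written after this loop — so the count and the later writes cannot drift apart, e.g. `/* +4: leading '~' plus the closing delimiter and option bytes appended below */` (adjust to what the tail of the function actually writes). The function body continues past the hunk. The same change is carried twice more on this page, embedded in the libmagic.patch hunks and again in the duplicated patch 4. The commit description cites `len * 4 + 4` while the removed line reads `len * 2 + 4`.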
diff --git a/ext/fileinfo/tests/bug79283.phpt b/ext/fileinfo/tests/bug79283.phpt new file mode 100644 index 0000000000000..b32351bfb82de --- /dev/null +++ b/ext/fileinfo/tests/bug79283.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #79283 (Segfault in libmagic patch contains a buffer overflow) +--SKIPIF-- + +--FILE-- +buffer("buffer\n")); +?> +--CLEAN-- + +--EXPECT-- +string(10) "ASCII text" From 624b3a5f6703a5dc04103444253610cdbfc23b4a Mon Sep 17 00:00:00 2001 From: "Christoph M. Becker" Date: Thu, 12 Mar 2020 13:04:04 +0100 Subject: [PATCH 3/7] Fix #79371: mb_strtolower (UTF-32LE): stack-buffer-overflow We make sure that negative values are properly compared. --- ext/mbstring/php_unicode.c | 2 +- ext/mbstring/tests/bug79371.phpt | 14 ++++++++++++++ 2 files changed, 15 insertions(+), 1 deletion(-) create mode 100644 ext/mbstring/tests/bug79371.phpt diff --git a/ext/mbstring/php_unicode.c b/ext/mbstring/php_unicode.c index df16f20955f13..ba84dc55c7645 100644 --- a/ext/mbstring/php_unicode.c +++ b/ext/mbstring/php_unicode.c @@ -313,7 +313,7 @@ static int convert_case_filter(int c, void *void_data) /* Handle invalid characters early, as we assign special meaning to * codepoints above 0xffffff. */ - if (UNEXPECTED(c > 0xffffff)) { + if (UNEXPECTED((unsigned) c > 0xffffff)) { (*data->next_filter->filter_function)(c, data->next_filter); return 0; } diff --git a/ext/mbstring/tests/bug79371.phpt b/ext/mbstring/tests/bug79371.phpt new file mode 100644 index 0000000000000..3014feba5369f --- /dev/null +++ b/ext/mbstring/tests/bug79371.phpt @@ -0,0 +1,14 @@ +--TEST-- +Bug #79371 (mb_strtolower (UTF-32LE): stack-buffer-overflow) +--SKIPIF-- + +--FILE-- + +--EXPECT-- +string(8) "3f000000" From 39f23022afa2f97cc0db814aed535d9a018e6a42 Mon Sep 17 00:00:00 2001 
From: "Christoph M. Becker" Date: Mon, 2 Mar 2020 15:26:59 +0100 Subject: [PATCH 4/7] Fix #79283: Segfault in libmagic patch contains a buffer overflow To solve this, we properly calculate the required string length upfront instead of allocating an oversized string (`len * 4 + 4`). --- ext/fileinfo/libmagic.patch | 62 +++++++++++++++++++------------ ext/fileinfo/libmagic/softmagic.c | 18 ++++++++- ext/fileinfo/tests/bug79283.phpt | 22 +++++++++++ 3 files changed, 76 insertions(+), 26 deletions(-) create mode 100644 ext/fileinfo/tests/bug79283.phpt diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch index c3669d9d6e40e..c4728b94f8c9f 100644 --- a/ext/fileinfo/libmagic.patch +++ b/ext/fileinfo/libmagic.patch @@ -1,6 +1,6 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c --- libmagic.orig/apprentice.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/apprentice.c 2020-03-02 15:04:23.670412600 +0100 ++++ libmagic/apprentice.c 2020-02-27 11:45:38.445854000 +0100 @@ -29,6 +29,8 @@ * apprentice - make one pass through /etc/magic, learning its secrets. */ @@ -974,7 +974,7 @@ diff -u libmagic.orig/apprentice.c libmagic/apprentice.c } diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c --- libmagic.orig/ascmagic.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/ascmagic.c 2020-03-02 15:04:23.671413500 +0100 ++++ libmagic/ascmagic.c 2020-02-26 23:18:22.605400700 +0100 @@ -96,7 +96,7 @@ rv = file_ascmagic_with_encoding(ms, &bb, ubuf, ulen, code, type, text); @@ -1005,7 +1005,7 @@ diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c } diff -u libmagic.orig/buffer.c libmagic/buffer.c --- libmagic.orig/buffer.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/buffer.c 2020-03-02 15:04:23.672412500 +0100 ++++ libmagic/buffer.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,19 +31,23 @@ #endif /* lint */ 
@@ -1062,7 +1062,7 @@ diff -u libmagic.orig/buffer.c libmagic/buffer.c diff -u libmagic.orig/cdf.c libmagic/cdf.c --- libmagic.orig/cdf.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/cdf.c 2020-03-02 15:04:23.674415200 +0100 ++++ libmagic/cdf.c 2020-02-27 11:45:38.445854000 +0100 @@ -43,7 +43,17 @@ #include #endif @@ -1341,7 +1341,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c #endif diff -u libmagic.orig/cdf.h libmagic/cdf.h --- libmagic.orig/cdf.h 2019-02-20 02:24:19.000000000 +0100 -+++ libmagic/cdf.h 2020-03-02 15:04:23.675416900 +0100 ++++ libmagic/cdf.h 2020-02-27 11:45:38.445854000 +0100 @@ -35,10 +35,10 @@ #ifndef _H_CDF_ #define _H_CDF_ @@ -1366,7 +1366,7 @@ diff -u libmagic.orig/cdf.h libmagic/cdf.h #define CDF_SECID_FREE -1 diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c --- libmagic.orig/cdf_time.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/cdf_time.c 2020-03-02 15:04:23.676413000 +0100 ++++ libmagic/cdf_time.c 2020-02-26 23:18:22.611402900 +0100 @@ -23,6 +23,7 @@ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE * POSSIBILITY OF SUCH DAMAGE. @@ -1395,7 +1395,7 @@ diff -u libmagic.orig/cdf_time.c libmagic/cdf_time.c (void)snprintf(buf, 26, "*Bad* %#16.16" INT64_T_FORMAT "x\n", diff -u libmagic.orig/compress.c libmagic/compress.c --- libmagic.orig/compress.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/compress.c 2020-03-02 15:04:23.676413000 +0100 ++++ libmagic/compress.c 2020-02-27 11:45:38.445854000 +0100 @@ -45,13 +45,11 @@ #endif #include @@ -1545,7 +1545,7 @@ diff -u libmagic.orig/compress.c libmagic/compress.c +#endif diff -u libmagic.orig/der.c libmagic/der.c --- libmagic.orig/der.c 2019-02-20 03:35:27.000000000 +0100 -+++ libmagic/der.c 2020-03-02 15:04:23.677412900 +0100 ++++ libmagic/der.c 2020-02-27 11:45:38.445854000 +0100 @@ -51,7 +51,9 @@ #include "magic.h" #include "der.h" 
@@ -1575,7 +1575,7 @@ diff -u libmagic.orig/der.c libmagic/der.c snprintf(buf + z, blen - z, "%.2x", d[i]); diff -u libmagic.orig/elfclass.h libmagic/elfclass.h --- libmagic.orig/elfclass.h 2019-02-20 02:30:19.000000000 +0100 -+++ libmagic/elfclass.h 2020-03-02 15:04:23.679414300 +0100 ++++ libmagic/elfclass.h 2020-02-26 23:18:22.613401700 +0100 @@ -41,7 +41,7 @@ return toomany(ms, "program headers", phnum); flags |= FLAGS_IS_CORE; @@ -1605,7 +1605,7 @@ diff -u libmagic.orig/elfclass.h libmagic/elfclass.h CAST(int, elf_getu16(swap, elfhdr.e_shstrndx)), diff -u libmagic.orig/encoding.c libmagic/encoding.c --- libmagic.orig/encoding.c 2019-04-15 18:48:41.000000000 +0200 -+++ libmagic/encoding.c 2020-03-02 15:04:23.680413600 +0100 ++++ libmagic/encoding.c 2020-02-26 23:18:22.614402300 +0100 @@ -89,13 +89,13 @@ *code_mime = "binary"; @@ -1636,7 +1636,7 @@ diff -u libmagic.orig/encoding.c libmagic/encoding.c } diff -u libmagic.orig/file.h libmagic/file.h --- libmagic.orig/file.h 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/file.h 2020-03-02 15:04:23.682414300 +0100 ++++ libmagic/file.h 2020-02-27 11:45:38.445854000 +0100 @@ -33,18 +33,9 @@ #ifndef __file_h__ #define __file_h__ @@ -1923,7 +1923,7 @@ diff -u libmagic.orig/file.h libmagic/file.h #endif diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c --- libmagic.orig/fsmagic.c 2019-05-07 04:26:48.000000000 +0200 -+++ libmagic/fsmagic.c 2020-03-02 15:04:23.683417500 +0100 ++++ libmagic/fsmagic.c 2020-02-26 23:18:22.616403500 +0100 @@ -66,26 +66,10 @@ # define minor(dev) ((dev) & 0xff) #endif @@ -2216,7 +2216,7 @@ diff -u libmagic.orig/fsmagic.c libmagic/fsmagic.c case S_IFSOCK: diff -u libmagic.orig/funcs.c libmagic/funcs.c --- libmagic.orig/funcs.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/funcs.c 2020-03-02 15:04:23.684415800 +0100 ++++ libmagic/funcs.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,7 +31,6 @@ #endif /* lint */ 
@@ -2572,7 +2572,7 @@ diff -u libmagic.orig/funcs.c libmagic/funcs.c diff -u libmagic.orig/magic.c libmagic/magic.c --- libmagic.orig/magic.c 2019-05-07 04:27:11.000000000 +0200 -+++ libmagic/magic.c 2020-03-02 15:04:23.686413600 +0100 ++++ libmagic/magic.c 2020-02-26 23:18:22.621402800 +0100 @@ -25,11 +25,6 @@ * SUCH DAMAGE. */ @@ -3036,8 +3036,8 @@ diff -u libmagic.orig/magic.c libmagic/magic.c public const char * magic_error(struct magic_set *ms) diff -u libmagic.orig/magic.h libmagic/magic.h ---- libmagic.orig/magic.h 2020-03-02 15:06:39.235737800 +0100 -+++ libmagic/magic.h 2020-03-02 15:04:23.686413600 +0100 +--- libmagic.orig/magic.h 2020-03-02 15:24:27.253951700 +0100 ++++ libmagic/magic.h 2020-02-26 23:18:22.622402300 +0100 @@ -124,6 +124,7 @@ const char *magic_getpath(const char *, int); @@ -3048,7 +3048,7 @@ diff -u libmagic.orig/magic.h libmagic/magic.h diff -u libmagic.orig/print.c libmagic/print.c --- libmagic.orig/print.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/print.c 2020-03-02 15:04:23.688414000 +0100 ++++ libmagic/print.c 2020-02-26 23:18:22.625401800 +0100 @@ -28,6 +28,7 @@ /* * print.c - debugging printout routines @@ -3122,7 +3122,7 @@ diff -u libmagic.orig/print.c libmagic/print.c goto out; diff -u libmagic.orig/readcdf.c libmagic/readcdf.c --- libmagic.orig/readcdf.c 2019-03-12 21:43:05.000000000 +0100 -+++ libmagic/readcdf.c 2020-03-02 15:04:23.689414500 +0100 ++++ libmagic/readcdf.c 2020-02-27 11:45:38.445854000 +0100 @@ -31,7 +31,11 @@ #include @@ -3241,7 +3241,7 @@ diff -u libmagic.orig/readcdf.c libmagic/readcdf.c if (i != -1) diff -u libmagic.orig/softmagic.c libmagic/softmagic.c --- libmagic.orig/softmagic.c 2019-05-17 04:24:59.000000000 +0200 -+++ libmagic/softmagic.c 2020-03-02 15:04:23.690413500 +0100 ++++ libmagic/softmagic.c 2020-03-02 15:23:10.176763300 +0100 @@ -43,6 +43,10 @@ #include #include "der.h" 
@@ -3414,18 +3414,32 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c return rv; case FILE_USE: -@@ -1926,6 +1904,47 @@ +@@ -1926,6 +1904,61 @@ return file_strncmp(a, b, len, flags); } +public void +convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) +{ -+ int i, j=0; ++ int i, j; + zend_string *t; + -+ t = zend_string_alloc(len * 2 + 4, 0); ++ for (i = j = 0; i < len; i++) { ++ switch (val[i]) { ++ case '~': ++ j += 2; ++ break; ++ case '\0': ++ j += 4; ++ break; ++ default: ++ j++; ++ break; ++ } ++ } ++ t = zend_string_alloc(j + 4, 0); + ++ j = 0; + ZSTR_VAL(t)[j++] = '~'; + + for (i = 0; i < len; i++, j++) { @@ -3462,7 +3476,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c private int magiccheck(struct magic_set *ms, struct magic *m) { -@@ -2104,65 +2123,77 @@ +@@ -2104,65 +2137,77 @@ break; } case FILE_REGEX: { @@ -3594,7 +3608,7 @@ diff -u libmagic.orig/softmagic.c libmagic/softmagic.c case FILE_INDIRECT: diff -u libmagic.orig/strcasestr.c libmagic/strcasestr.c --- libmagic.orig/strcasestr.c 2014-09-11 17:05:33.000000000 +0200 -+++ libmagic/strcasestr.c 2019-04-02 11:56:06.853152400 +0200 ++++ libmagic/strcasestr.c 2019-11-29 08:49:38.434136600 +0100 @@ -39,6 +39,8 @@ #include "file.h" diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c index 2b6d7642911c3..d71801cea5a86 100644 --- a/ext/fileinfo/libmagic/softmagic.c +++ b/ext/fileinfo/libmagic/softmagic.c @@ -1907,11 +1907,25 @@ file_strncmp16(const char *a, const char *b, size_t len, uint32_t flags) public void convert_libmagic_pattern(zval *pattern, char *val, size_t len, uint32_t options) { - int i, j=0; + int i, j; zend_string *t; - t = zend_string_alloc(len * 2 + 4, 0); + for (i = j = 0; i < len; i++) { + switch (val[i]) { + case '~': + j += 2; + break; + case '\0': + j += 4; + break; + default: + j++; + break; + } + } + t = zend_string_alloc(j + 4, 0); + j = 0; ZSTR_VAL(t)[j++] = '~'; for (i = 0; i < len; i++, j++) { 
diff --git a/ext/fileinfo/tests/bug79283.phpt b/ext/fileinfo/tests/bug79283.phpt new file mode 100644 index 0000000000000..b32351bfb82de --- /dev/null +++ b/ext/fileinfo/tests/bug79283.phpt @@ -0,0 +1,22 @@ +--TEST-- +Bug #79283 (Segfault in libmagic patch contains a buffer overflow) +--SKIPIF-- + +--FILE-- +buffer("buffer\n")); +?> +--CLEAN-- + +--EXPECT-- +string(10) "ASCII text" From eede3009162f074e80ed357668b6af9445e26ab9 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 15 Mar 2020 17:26:00 -0700 Subject: [PATCH 5/7] Fixed bug #79282 --- ext/exif/exif.c | 7 ++++++- ext/exif/tests/bug79282.phpt | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 ext/exif/tests/bug79282.phpt diff --git a/ext/exif/exif.c b/ext/exif/exif.c index dfa7cb2d6e93c..2bb34d972b870 100644 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@ -3642,6 +3642,11 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf, unsigned exif_value_2a, offset_of_ifd; exif_offset_info info; + if (length < 2) { + exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Missing TIFF alignment marker"); + return; + } + /* set the thumbnail stuff to nothing so we can test to see if they get set up */ if (memcmp(CharBuf, "II", 2) == 0) { ImageInfo->motorola_intel = 0; @@ -3795,7 +3800,7 @@ static int exif_scan_JPEG_header(image_info_type *ImageInfo) return FALSE; } - sn = exif_file_sections_add(ImageInfo, marker, itemlen+1, NULL); + sn = exif_file_sections_add(ImageInfo, marker, itemlen, NULL); Data = ImageInfo->file.list[sn].data; /* Store first two pre-read bytes. */ diff --git a/ext/exif/tests/bug79282.phpt b/ext/exif/tests/bug79282.phpt new file mode 100644 index 0000000000000..7b7e36565791f --- /dev/null +++ b/ext/exif/tests/bug79282.phpt 
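Review bot: The new `length < 2` guard in `exif_process_TIFF_in_JPEG` emits `Missing TIFF alignment marker`, but the added bug79282.phpt expects only the pre-existing `Invalid TIFF alignment marker` warning, so the new branch does not appear to be exercised by the regression test; a second case feeding a one-byte TIFF payload would pin it (the test's input bytes are not visible on this page, so this is inferred from the expected output). The second hunk drops the `+1` in `exif_file_sections_add(ImageInfo, marker, itemlen, NULL)` without saying why; if the extra byte is what was left uninitialized, a comment such as `/* exactly itemlen bytes: the former +1 left a trailing byte uninitialized (bug #79282) */` would stop someone re-adding it. Both enclosing functions, `exif_process_TIFF_in_JPEG` and `exif_scan_JPEG_header`, continue outside their hunks.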
@@ -0,0 +1,15 @@ +--TEST-- +Bug #79282: Use-of-uninitialized-value in exif +--FILE-- + +--EXPECTF-- +Warning: exif_read_data(): Invalid TIFF alignment marker in %s on line %d + +Warning: exif_read_data(): File structure corrupted in %s on line %d + +Warning: exif_read_data(): Invalid JPEG file in %s on line %d +bool(false) From 13ce85a3cc42d289c9a32cb72829c9145b3d7e81 Mon Sep 17 00:00:00 2001 From: Stanislav Malyshev Date: Sun, 15 Mar 2020 17:30:44 -0700 Subject: [PATCH 6/7] Fix bug #79329 - get_headers should not accept \0 --- ext/standard/url.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/standard/url.c b/ext/standard/url.c index c73818f08e1c9..26968ea97612a 100644 --- a/ext/standard/url.c +++ b/ext/standard/url.c @@ -669,7 +669,7 @@ PHP_FUNCTION(get_headers) php_stream_context *context; ZEND_PARSE_PARAMETERS_START(1, 3) - Z_PARAM_STRING(url, url_len) + Z_PARAM_PATH(url, url_len) Z_PARAM_OPTIONAL Z_PARAM_LONG(format) Z_PARAM_RESOURCE_EX(zcontext, 1, 0) From e87b2ad44657b8a1491a45328177ce9aa27da831 Mon Sep 17 00:00:00 2001 From: Razzwan Date: Wed, 19 Aug 2020 10:07:17 +0300 Subject: [PATCH 7/7] How can I interview Stanislav Malyshev? Please contact me in one of the suggested ways: [email: razvanlomov@gmail.com](mailto:razvanlomov@gmail.com) [telegram: https://t.me/Razzwan](https://t.me/Razzwan) --- CONTRIBUTING.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 142244cdf00ab..cf9a6f54aa199 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -426,3 +426,8 @@ New source code files should include the following header block: ``` Thank you for contributing to PHP! + +## How can I interview [Stanislav Malyshev](https://github.com/smalyshev)? +Please contact me in one of the suggested ways: +[email: razvanlomov@gmail.com](mailto:razvanlomov@gmail.com) +[telegram: https://t.me/Razzwan](https://t.me/Razzwan)
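Review bot: No regression test accompanies the `Z_PARAM_PATH(url, url_len)` change in `PHP_FUNCTION(get_headers)`, unlike the other fixes in this series; a phpt passing a URL with an embedded NUL such as `"http://example.com\0x"` (constructed example) and expecting whatever failure `Z_PARAM_PATH` reports on this branch would pin the behaviour. A one-line comment on the macro, `/* Z_PARAM_PATH: reject embedded NUL bytes (bug #79329) */`, records why a plain string parameter is not accepted here. The function continues outside the hunk.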