3 files changed, 182 insertions, 2 deletions
diff --git a/dev-lang/php/Manifest b/dev-lang/php/Manifest
index 3817c3166f7e..6d3971e8db51 100644
--- a/dev-lang/php/Manifest
+++ b/dev-lang/php/Manifest
@@ -1,5 +1,6 @@
 AUX 20php5-envd 145 BLAKE2B 06476b8fc04d1e835496b417ac752f0834ddbe8584e4fddc6db0aa5e6845b82cdea0a1355c77125375dcdd0f0a3c19de5f3a8a64ee93950f96c437a16f971567 SHA512 581aa86479e3cd584ee1bc6dc6d4a135fe8ec343fe5519566d728d81f7018cfb23658bd0c0368951d380982c75adbb4f45acf3c146868aaf4e4ec8e9f2fad1ce
 AUX php-7.2.13-intl-use-icu-namespace.patch 11499 BLAKE2B 0dca597d5afd0309595499e3ff860e2d83183e570d02f202a1e2966d430606f09b8dc7427c4007e791914c8ee093a2e7cbf7372baa7896ac06d1912f2e707c09 SHA512 1332eb76feda2100685e319ae046512cf12b55a0d2be537c2172ccf035b547d851f84fb7941389882d7e3d674d91441e018c7b8f1e3f0d4cced05c314d5821fe
+AUX php-7.2.34-use-after-free-bug76047.patch 5542 BLAKE2B ccdabbe7a45f10f7a6666afabf27f2ab18ed011989447d950debe703e5f210d86a728c11bf883c74dc4ce88d634a8f10d1c9130a6e2dfb486ab92ebc1fb15e3c SHA512 8e2cc3dab0e3f3d7ba9b4a8cf4a16daa9cd908a5c1dc42ee1dfc44be82b4faffbb46b5bb0a88d15252edf4c95e05b4877c94aeaa05e9c511f3a49adafbc62c73
 AUX php-7.4.13-issue80368.patch 746 BLAKE2B 1523fe9a451022dab7261c1e1866af702ff8bf9163f67cb99ec7617e3304e23f29ba8c54f36e5e154fc6e6563e660229b4bbf481263c4f34978a656e57f335f4 SHA512 744a9d81a7a0c6a7ac8ffd78678681a671c6a611ce36d56b53bb5fb4ed84a671e6eade85604c9adca4e2b48499ecc2046cd295dce4cdd4fa56952a4bae45c2e7
 AUX php-fpm_at-simple.service 316 BLAKE2B 0ba10f3e3b004fbf14956e1e4f04f59b8a127e6717fe6b92c09b9f931033a11551c75fbbee9010f6b694c5a8758ca0eec9eed457ae304ba0dea8f2c256c3b8d4 SHA512 7367a3f8d3874f8e0c76f331ba613a0250db02f60ad9f87affaf448dcb5bc34bcecb91d88f415764a12b24b46ae3d1b738a002af9f77a4b707e916e83a0021fd
 AUX php-fpm_at.service 317 BLAKE2B f13fc38fcc0575a8517ee8d07b120efda37eabd2355061d0fdc303604c6b02ad42d7301180d86c977d5e585f5dd685343c592e37a6e0f44933707be79e0b77e0 SHA512 27982f9e2d958bfa75c89c7d3531e48d17fc388b1cdcbc8e09051b236b1184ee2baabdfcc567c19d9fcd067d4b3b86f171015616d8da42fccdabd89432d865e8
@@ -9,7 +10,7 @@ DIST php-7.2.34.tar.xz 12309432 BLAKE2B 50522786d39296bc7411931c4f357d53c7a25da2
 DIST php-7.3.25.tar.xz 12136668 BLAKE2B b9bfb1de15a3f02bf5d228a2cf9b307c9eeadaea10cac22d40647db0147f4f93b41858ea4affa0701478dd397f0a87cae4e2f29a378f7c6730fdf7da5c48e0e8 SHA512 30b27deab12cf2544671afbbdaefd4bfea308eeed8e9c2150751c5bc9ece18d981bcc020eace35cbdbe88b45cffba8a1fca718fc4e74c3a7903d8b038015d31e
 DIST php-7.4.13.tar.xz 10319848 BLAKE2B c1da97eb605f1fc2b36190bfe92feb1fd527f4aaf1483865561a08cf990e70445f5520c8abcea7d9c6482dc47e500507644e0cd2cc756cfa99adfec0359cd795 SHA512 3525f4fd4ea6d97ed75ed8360d2a851e8577c09247ae3c6eb7e7b43265ee418297d91c1022bf5bbb64d1eecdebbbc2e0f6d42b560f584a741b475db2c6897ea7
 DIST php-8.0.0.tar.xz 10726788 BLAKE2B 16c4aa075ba5dee6d47086323cd152b33dc7b62ac6b3ab6637ec386c1048e256a160d72e72cbc88450af1e84389042ebf2d644d3361c9a34879cc494d5b9b64f SHA512 65630940c95436f3e3ecb71b9f1ca15bb4118267dbda604ed1ee009d528c21a3ec21f48a15e4dd3529fe9cd2b354c211a7b4975b5de43e1f2afa6656cabe1fd0
-EBUILD php-7.2.34.ebuild 22651 BLAKE2B 9431a6e26752b96101826946c969e4ac1a2a1c04b9b42ad7f2b8f4733d8e3ec0614b75dddb2a54c40868d76e7a9b3a46001dc0b2a5152ac540175b0875753603 SHA512 bb61083533a443fe07b76c30028a3b7b8657a7c51ece6003ebc44a5e53224a70e8cad6d82fadcd509ea1ae4e4383ddad1c8d7edea7f200c5d37e445a88913d41
+EBUILD php-7.2.34-r1.ebuild 22873 BLAKE2B 116336b7a675c939dd7eb690012ac49a4f47451caaa3ebab8f2aef2f1fd70bb971d51c4a4fc1995b66089d29abd0e358cc1fb9c21b21676ca308565c1cdf1b64 SHA512 1b82aa52cf0b9d53bd0b8753578c18ef88f999bf479f5c7ae2a9a6a43d8dc880169f485c11bc4fd4a53c153e3a5dfbad5f0bea369b9945dbeb067cd645a6306c
 EBUILD php-7.3.25.ebuild 22664 BLAKE2B 2191d27cc589cf5b0d85c33c3c81cddec0389719973c82b2665b4ae5be145e08c427fe4d59978ba07d04e3b3026f54c5471a51f20ce8ab02e55f4e6a269a3e47 SHA512 70a1783a530b13c38f1a9ecb8c381cd34ae9cad6124ff96cf7b28bdb97c447f133acbdd9bbe515b799eecfdc201d7d3524079a405fa989d07e7b9661916b374b
 EBUILD php-7.4.13.ebuild 21413 BLAKE2B 274ac296e7874ec14d3f458672156dc127c83d6627419856ddf762cd66e2ddb2b081a671d7f135e8827b5f718508b4cee016d52c93e759cc1dacb364f945cfdb SHA512 2be6393ecc2d877ccd13c7731794c1fbd817594ac33576e04e7d1510d8c6f1e8fbf49a6d4dd00e7e65e266853e12c9042fb94d1e4cf12d7ad2999fc1b85a4979
 EBUILD php-8.0.0.ebuild 21276 BLAKE2B e58d02e2c685bd56435360a6c3801c1c6e1f7d27f9614cac40737efefc62e8e62c168556a7c139b7e3b49171f6f3d2f65dc9f0de77848362dc8be0a7af22517b SHA512 5f4a494f280fd5079d80ea27ea25b6bf14a4cfc33380cefbdfd9f5b92367eb734bcc7fcf0cd4bc75740113e73531449d77b0af1c748701034845cbf19aaf1be4
diff --git a/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch b/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch
new file mode 100644
index 000000000000..b3a864ee82a8
--- /dev/null
+++ b/dev-lang/php/files/php-7.2.34-use-after-free-bug76047.patch
@@ -0,0 +1,174 @@
+Backport of https://git.php.net/?p=php-src.git;a=commit;h=ef1e4891b47949c8dc0f9482eef9454a0ecdfa1d
+
+--- a/Zend/tests/bug52361.phpt
++++ b/Zend/tests/bug52361.phpt
+@@ -25,9 +25,8 @@ try {
+ --EXPECTF--
+ 1. Exception: aaa in %sbug52361.php:5
+ Stack trace:
+-#0 %sbug52361.php(13): aaa->__destruct()
+-#1 %sbug52361.php(16): bbb()
+-#2 {main}
++#0 %sbug52361.php(16): aaa->__destruct()
++#1 {main}
+ 2. Exception: bbb in %sbug52361.php:13
+ Stack trace:
+ #0 %sbug52361.php(16): bbb()
+--- /dev/null
++++ b/Zend/tests/bug76047.phpt
+@@ -0,0 +1,68 @@
++--TEST--
++Bug #76047: Use-after-free when accessing already destructed backtrace arguments
++--FILE--
++<?php
++
++class Vuln {
++    public $a;
++    public function __destruct() {
++        unset($this->a);
++        $backtrace = (new Exception)->getTrace();
++        var_dump($backtrace);
++    }
++}
++
++function test($arg) {
++    $arg = str_shuffle(str_repeat('A', 79));
++    $vuln = new Vuln();
++    $vuln->a = $arg;
++}
++
++function test2($arg) {
++    $$arg = 1; // Trigger symbol table
++    $arg = str_shuffle(str_repeat('A', 79));
++    $vuln = new Vuln();
++    $vuln->a = $arg;
++}
++
++test('x');
++test2('x');
++
++?>
++--EXPECTF--
++array(1) {
++  [0]=>
++  array(6) {
++    ["file"]=>
++    string(%d) "%s"
++    ["line"]=>
++    int(%d)
++    ["function"]=>
++    string(10) "__destruct"
++    ["class"]=>
++    string(4) "Vuln"
++    ["type"]=>
++    string(2) "->"
++    ["args"]=>
++    array(0) {
++    }
++  }
++}
++array(1) {
++  [0]=>
++  array(6) {
++    ["file"]=>
++    string(%d) "%s"
++    ["line"]=>
++    int(%d)
++    ["function"]=>
++    string(10) "__destruct"
++    ["class"]=>
++    string(4) "Vuln"
++    ["type"]=>
++    string(2) "->"
++    ["args"]=>
++    array(0) {
++    }
++  }
++}
+--- a/Zend/zend_vm_def.h
++++ b/Zend/zend_vm_def.h
+@@ -2366,9 +2366,9 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 	uint32_t call_info = EX_CALL_INFO();
+ 
+ 	if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 		if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
+ 			zend_object *object = Z_OBJ(execute_data->This);
+ #if 0
+@@ -2394,12 +2394,12 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 		LOAD_NEXT_OPLINE();
+ 		ZEND_VM_LEAVE();
+ 	} else if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+ 		if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+ 			zend_clean_and_cache_symbol_table(EX(symbol_table));
+ 		}
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 
+ 		/* Free extra args before releasing the closure,
+ 		 * as that may free the op_array. */
+@@ -2449,6 +2449,7 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 		ZEND_VM_LEAVE();
+ 	} else {
+ 		if (EXPECTED((call_info & ZEND_CALL_CODE) == 0)) {
++			EG(current_execute_data) = EX(prev_execute_data);
+ 			i_free_compiled_variables(execute_data);
+ 			if (UNEXPECTED(call_info & (ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS))) {
+ 				if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+@@ -2456,7 +2457,6 @@ ZEND_VM_HELPER(zend_leave_helper, ANY, ANY)
+ 				}
+ 				zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+ 			}
+-			EG(current_execute_data) = EX(prev_execute_data);
+ 			if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
+ 				OBJ_RELEASE((zend_object*)EX(func)->op_array.prototype);
+ 			}
+--- a/Zend/zend_vm_execute.h
++++ b/Zend/zend_vm_execute.h
+@@ -434,9 +434,9 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 	uint32_t call_info = EX_CALL_INFO();
+ 
+ 	if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP|ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS|ZEND_CALL_ALLOCATED)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 		if (UNEXPECTED(call_info & ZEND_CALL_RELEASE_THIS)) {
+ 			zend_object *object = Z_OBJ(execute_data->This);
+ #if 0
+@@ -462,12 +462,12 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 		LOAD_NEXT_OPLINE();
+ 		ZEND_VM_LEAVE();
+ 	} else if (EXPECTED((call_info & (ZEND_CALL_CODE|ZEND_CALL_TOP)) == 0)) {
++		EG(current_execute_data) = EX(prev_execute_data);
+ 		i_free_compiled_variables(execute_data);
+ 
+ 		if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+ 			zend_clean_and_cache_symbol_table(EX(symbol_table));
+ 		}
+-		EG(current_execute_data) = EX(prev_execute_data);
+ 
+ 		/* Free extra args before releasing the closure,
+ 		 * as that may free the op_array. */
+@@ -517,6 +517,7 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 		ZEND_VM_LEAVE();
+ 	} else {
+ 		if (EXPECTED((call_info & ZEND_CALL_CODE) == 0)) {
++			EG(current_execute_data) = EX(prev_execute_data);
+ 			i_free_compiled_variables(execute_data);
+ 			if (UNEXPECTED(call_info & (ZEND_CALL_HAS_SYMBOL_TABLE|ZEND_CALL_FREE_EXTRA_ARGS))) {
+ 				if (UNEXPECTED(call_info & ZEND_CALL_HAS_SYMBOL_TABLE)) {
+@@ -524,7 +525,6 @@ static ZEND_OPCODE_HANDLER_RET ZEND_FASTCALL zend_leave_helper_SPEC(ZEND_OPCODE_
+ 				}
+ 				zend_vm_stack_free_extra_args_ex(call_info, execute_data);
+ 			}
+-			EG(current_execute_data) = EX(prev_execute_data);
+ 			if (UNEXPECTED(call_info & ZEND_CALL_CLOSURE)) {
+ 				OBJ_RELEASE((zend_object*)EX(func)->op_array.prototype);
+ 			}
+ 
diff --git a/dev-lang/php/php-7.2.34.ebuild b/dev-lang/php/php-7.2.34-r1.ebuild
index 07f0645b8d80..a534bc594e5f 100644
--- a/dev-lang/php/php-7.2.34.ebuild
+++ b/dev-lang/php/php-7.2.34-r1.ebuild
@@ -3,7 +3,7 @@
 
 EAPI="7"
 
-inherit flag-o-matic systemd autotools
+inherit flag-o-matic systemd autotools toolchain-funcs
 
 DESCRIPTION="The PHP language runtime engine"
 HOMEPAGE="https://www.php.net/"
@@ -157,6 +157,7 @@ RESTRICT="!test? ( test )"
 PATCHES=(
 	"${FILESDIR}/php-freetype-2.9.1.patch"
 	"${FILESDIR}/php-7.2.13-intl-use-icu-namespace.patch"
+	"${FILESDIR}/php-7.2.34-use-after-free-bug76047.patch"
 )
 
 PHP_MV="$(ver_cut 1)"
@@ -239,6 +240,10 @@ src_configure() {
 	addpredict /usr/share/snmp/mibs/.index #nowarn
 	addpredict /var/lib/net-snmp/mib_indexes #nowarn
 
+	# Fix building against >=ICU-68, https://bugs.php.net/80310
+	append-cflags -DU_DEFINE_FALSE_AND_TRUE=1
+	append-cxxflags -DU_DEFINE_FALSE_AND_TRUE=1
+
 	PHP_DESTDIR="${EPREFIX}/usr/$(get_libdir)/php${SLOT}"
 
 	# The php-fpm config file wants localstatedir to be ${EPREFIX}/var