+++ /dev/null
-
-https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=235028
-
---- php-5.1.6/ext/gd/libgd/gdft.c.cve0455
-+++ php-5.1.6/ext/gd/libgd/gdft.c
-@@ -967,7 +967,7 @@
- } else {
- ch = c & 0xFF; /* don't extend sign */
- }
-- next++;
-+ if (*next) next++;
- }
- break;
- case gdFTEX_Big5: {
+++ /dev/null
---- php-5.1.6/ext/gd/libgd/wbmp.c.cve1001
-+++ php-5.1.6/ext/gd/libgd/wbmp.c
-@@ -102,6 +102,8 @@
- return (0);
- }
-
-+#define SAFE_MULTIPLE(x,y) (x == 0 || y == 0 || (x > 0 && y > 0 && (x < INT_MAX / y)))
-+
- /* create wbmp
- ** -----------
- ** create an empty wbmp
-@@ -116,6 +118,12 @@
- if ((wbmp = (Wbmp *) gdMalloc (sizeof (Wbmp))) == NULL)
- return (NULL);
-
-+ if (!SAFE_MULTIPLE(width, height)) {
-+ php_gd_error("createwbmp: Integer overflow from WBMP image height/width (%d x %d)\n", width, height);
-+ gdFree(wbmp);
-+ return NULL;
-+ }
-+
- if ((wbmp->bitmap = (int *) safe_emalloc(sizeof(int), width * height, 0)) == NULL)
- {
- gdFree (wbmp);
-@@ -176,6 +184,13 @@
- printf ("W: %d, H: %d\n", wbmp->width, wbmp->height);
- #endif
-
-+ if (!SAFE_MULTIPLE(wbmp->width, wbmp->height)) {
-+ php_gd_error("readwbmp: Integer overflow from WBMP image height/width (%d x %d)\n",
-+ wbmp->width, wbmp->height);
-+ gdFree(wbmp);
-+ return (-1);
-+ }
-+
- if ((wbmp->bitmap = (int *) safe_emalloc(wbmp->width * wbmp->height, sizeof(int), 0)) == NULL)
- {
- gdFree (wbmp);
+++ /dev/null
---- php-5.1.6/ext/mbstring/mb_gpc.c.cve1286
-+++ php-5.1.6/ext/mbstring/mb_gpc.c
-@@ -206,9 +206,8 @@
- /* register_globals stuff
- * XXX: this feature is going to be deprecated? */
-
-- if (info->force_register_globals) {
-- prev_rg_state = PG(register_globals);
-- PG(register_globals) = 1;
-+ if (info->force_register_globals && !(prev_rg_state = PG(register_globals))) {
-+ zend_alter_ini_entry("register_globals", sizeof("register_globals"), "1", sizeof("1")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
- }
-
- if (!res || *res == '\0') {
-@@ -341,8 +340,8 @@
-
- out:
- /* register_global stuff */
-- if (info->force_register_globals) {
-- PG(register_globals) = prev_rg_state;
-+ if (info->force_register_globals && !prev_rg_state) {
-+ zend_alter_ini_entry("register_globals", sizeof("register_globals"), "0", sizeof("0")-1, PHP_INI_PERDIR, PHP_INI_STAGE_RUNTIME);
- }
-
- if (convd != NULL) {
+++ /dev/null
---- php-5.1.6/ext/standard/mail.c.cve1718
-+++ php-5.1.6/ext/standard/mail.c
-@@ -48,8 +48,8 @@
-
- #define SKIP_LONG_HEADER_SEP(str, pos) \
- if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) { \
-- pos += 3; \
-- while (str[pos] == ' ' || str[pos] == '\t') { \
-+ pos += 2; \
-+ while (str[pos + 1] == ' ' || str[pos + 1] == '\t') { \
- pos++; \
- } \
- continue; \