diff mbox

Add php

Message ID 8760nldeh0.fsf@kirby.i-did-not-set--mail-host-address--so-tickle-me
State New
Headers show

Commit Message

Marius Bakke Nov. 17, 2016, 8:43 p.m. UTC
Julien Lepiller <julien@lepiller.eu> writes:

>> >> Unfortunately that only fixed a handful of tests, the remaining
>> >> 50-something had to be disabled for a variety of reasons.
>> >> 
>> >> I've added a commentary to each disabled test. If you recognize
>> >> any of these errors/think you know what's going on, please update
>> >> the patch. It would be nice to know if the iconv and gd stuff is
>> >> expected, and if the two sqlite tests can really be ignored. The
>> >> curl one is strange too.  
>> >
>> > Just as I wanted to send a similar patch ;)
>> >
>> > I've been looking at some of them. The failing sqlite test is a bug
>> > in sqlite that has been fixed last august 
>> > (https://sqlite.org/src/info/ef360601). We currently have version 
>> > 3.14.1, when the latest upstream version is 3.15.1. Updating should
>> > fix the problem.
>> >
>> > 73159 has been fixed in gd:
>> > https://github.com/libgd/libgd/issues/289 (more recent than latest
>> > gd release unfortunately)
>> >
>> > 73155 has also been fixed in gd: 
>> > https://github.com/libgd/libgd/issues/309 (even more recent)
>> >
>> > 72482 is fixed here: 
>> > https://gist.github.com/anonymous/873314feb4f89bd8336711333299f748
>> > (a patch to the bundled libgd)
>> >
>> > 73213 is fixed here: 
>> > https://git.php.net/?p=php-src.git;a=blobdiff;f=ext/gd/libgd/gd.c;h=033d4fa5f0e9740e8b8c397a9038a115c617c419;hp=0b4b42fa27558fa32cc54e14dc297d9d0ba10832;hb=9acfb1a3a5268febb123b7e5fbd4eaf072c83537;hpb=c0219b323e0048440acbdd9ad74624c4bc33c335 
>> > (a patch to the bundled libgd)
>> >
>> > 72339 has a CVE id: 2016-5766, but it should be fixed in libgd
>> > 2.2.3 that we have according to the CVE description, and the
>> > failure is different from what the report says.
>> >
>> > 39780 has the unexpected output described in the bug report, so it 
>> > really fails. I don't think we can fix our libgd though, because
>> > the bundled one has some php_* functions that are used to get a
>> > warning instead of an error.
>> >
>> > we could include patches to our libgd to fix two (maybe four)
>> > issues. We should also upgrade our sqlite version, but many
>> > packages will then have to be rebuilt, or we could create a
>> > separate package for the newer version. What do you suggest?  
>> 
>> Wow, thanks for this list! Including the two upstream gd fixes in a
>> "gd-for-php" package should be fine, until a new release of gd is out.
>> I'm more vary about including the PHP-specific ones though.
>> 
>> If there are serious problems with using an external (vanilla) gd, I
>> think we either need to maintain a "gd-for-php" package indefinitely,
>> or bite the bullet and use the bundled one.
>> 
>> Do you think it's safe to use our gd? And if not, would you be willing
>> to keep up with PHP development and maintain the externalized gd
>> component with it?
>
> Failures in tests caused by external gd are not too serious to require
> us to switch to the bundled one I think. We may not even need to patch
> our libgd with php specific patches, since the failures are only slight
> deviation from the spec on corner cases. If you prefer that we apply
> these patches too, then we could, and I would still try to keep that up
> to date.

OK. Let's use external gd for now barring any serious issues.

>
> What I am more worried about are the iconv crashes. That may be due to
> lacking locales though.

You could try commenting them out and adding "glibc-locales" to
native-inputs. Not sure if they will get picked up by that however.

A better test may be to try out that particular functionality using the
installed version of php. If that works, we can be reasonably sure that
dropping the tests is fine.

Attached is the final product, after adding a "gd-for-php" variable with
the two upstream patches, as well as sqlite-3.15.1 (separate patch).

I'll push this tomorrow if there are no further comments. Thanks for
your perseverance :)

Comments

Julien Lepiller Nov. 18, 2016, 5:25 p.m. UTC | #1
On Thu, 17 Nov 2016 21:43:39 +0100
Marius Bakke <mbakke@fastmail.com> wrote:

> Julien Lepiller <julien@lepiller.eu> writes:
> 
> >> >> Unfortunately that only fixed a handful of tests, the remaining
> >> >> 50-something had to be disabled for a variety of reasons.
> >> >> 
> >> >> I've added a commentary to each disabled test. If you recognize
> >> >> any of these errors/think you know what's going on, please
> >> >> update the patch. It would be nice to know if the iconv and gd
> >> >> stuff is expected, and if the two sqlite tests can really be
> >> >> ignored. The curl one is strange too.  
> >> >
> >> > Just as I wanted to send a similar patch ;)
> >> >
> >> > I've been looking at some of them. The failing sqlite test is a
> >> > bug in sqlite that has been fixed last august 
> >> > (https://sqlite.org/src/info/ef360601). We currently have
> >> > version 3.14.1, when the latest upstream version is 3.15.1.
> >> > Updating should fix the problem.
> >> >
> >> > 73159 has been fixed in gd:
> >> > https://github.com/libgd/libgd/issues/289 (more recent than
> >> > latest gd release unfortunately)
> >> >
> >> > 73155 has also been fixed in gd: 
> >> > https://github.com/libgd/libgd/issues/309 (even more recent)
> >> >
> >> > 72482 is fixed here: 
> >> > https://gist.github.com/anonymous/873314feb4f89bd8336711333299f748
> >> > (a patch to the bundled libgd)
> >> >
> >> > 73213 is fixed here: 
> >> > https://git.php.net/?p=php-src.git;a=blobdiff;f=ext/gd/libgd/gd.c;h=033d4fa5f0e9740e8b8c397a9038a115c617c419;hp=0b4b42fa27558fa32cc54e14dc297d9d0ba10832;hb=9acfb1a3a5268febb123b7e5fbd4eaf072c83537;hpb=c0219b323e0048440acbdd9ad74624c4bc33c335 
> >> > (a patch to the bundled libgd)
> >> >
> >> > 72339 has a CVE id: 2016-5766, but it should be fixed in libgd
> >> > 2.2.3 that we have according to the CVE description, and the
> >> > failure is different from what the report says.
> >> >
> >> > 39780 has the unexpected output described in the bug report, so
> >> > it really fails. I don't think we can fix our libgd though,
> >> > because the bundled one has some php_* functions that are used
> >> > to get a warning instead of an error.
> >> >
> >> > we could include patches to our libgd to fix two (maybe four)
> >> > issues. We should also upgrade our sqlite version, but many
> >> > packages will then have to be rebuilt, or we could create a
> >> > separate package for the newer version. What do you suggest?  
> >> 
> >> Wow, thanks for this list! Including the two upstream gd fixes in a
> >> "gd-for-php" package should be fine, until a new release of gd is
> >> out. I'm more vary about including the PHP-specific ones though.
> >> 
> >> If there are serious problems with using an external (vanilla) gd,
> >> I think we either need to maintain a "gd-for-php" package
> >> indefinitely, or bite the bullet and use the bundled one.
> >> 
> >> Do you think it's safe to use our gd? And if not, would you be
> >> willing to keep up with PHP development and maintain the
> >> externalized gd component with it?
> >
> > Failures in tests caused by external gd are not too serious to
> > require us to switch to the bundled one I think. We may not even
> > need to patch our libgd with php specific patches, since the
> > failures are only slight deviation from the spec on corner cases.
> > If you prefer that we apply these patches too, then we could, and I
> > would still try to keep that up to date.
> 
> OK. Let's use external gd for now barring any serious issues.
> 
> >
> > What I am more worried about are the iconv crashes. That may be due
> > to lacking locales though.
> 
> You could try commenting them out and adding "glibc-locales" to
> native-inputs. Not sure if they will get picked up by that however.
> 
> A better test may be to try out that particular functionality using
> the installed version of php. If that works, we can be reasonably
> sure that dropping the tests is fine.
> 
> Attached is the final product, after adding a "gd-for-php" variable
> with the two upstream patches, as well as sqlite-3.15.1 (separate
> patch).
> 
> I'll push this tomorrow if there are no further comments. Thanks for
> your perseverance :)
Just one question: why defining gd-for-php with define, and not
define-public?

>
Marius Bakke Nov. 18, 2016, 6:09 p.m. UTC | #2
Julien Lepiller <julien@lepiller.eu> writes:

> On Thu, 17 Nov 2016 21:43:39 +0100
> Marius Bakke <mbakke@fastmail.com> wrote:
>
>> Julien Lepiller <julien@lepiller.eu> writes:
>> 
>> >> >> Unfortunately that only fixed a handful of tests, the remaining
>> >> >> 50-something had to be disabled for a variety of reasons.
>> >> >> 
>> >> >> I've added a commentary to each disabled test. If you recognize
>> >> >> any of these errors/think you know what's going on, please
>> >> >> update the patch. It would be nice to know if the iconv and gd
>> >> >> stuff is expected, and if the two sqlite tests can really be
>> >> >> ignored. The curl one is strange too.  
>> >> >
>> >> > Just as I wanted to send a similar patch ;)
>> >> >
>> >> > I've been looking at some of them. The failing sqlite test is a
>> >> > bug in sqlite that has been fixed last august 
>> >> > (https://sqlite.org/src/info/ef360601). We currently have
>> >> > version 3.14.1, when the latest upstream version is 3.15.1.
>> >> > Updating should fix the problem.
>> >> >
>> >> > 73159 has been fixed in gd:
>> >> > https://github.com/libgd/libgd/issues/289 (more recent than
>> >> > latest gd release unfortunately)
>> >> >
>> >> > 73155 has also been fixed in gd: 
>> >> > https://github.com/libgd/libgd/issues/309 (even more recent)
>> >> >
>> >> > 72482 is fixed here: 
>> >> > https://gist.github.com/anonymous/873314feb4f89bd8336711333299f748
>> >> > (a patch to the bundled libgd)
>> >> >
>> >> > 73213 is fixed here: 
>> >> > https://git.php.net/?p=php-src.git;a=blobdiff;f=ext/gd/libgd/gd.c;h=033d4fa5f0e9740e8b8c397a9038a115c617c419;hp=0b4b42fa27558fa32cc54e14dc297d9d0ba10832;hb=9acfb1a3a5268febb123b7e5fbd4eaf072c83537;hpb=c0219b323e0048440acbdd9ad74624c4bc33c335 
>> >> > (a patch to the bundled libgd)
>> >> >
>> >> > 72339 has a CVE id: 2016-5766, but it should be fixed in libgd
>> >> > 2.2.3 that we have according to the CVE description, and the
>> >> > failure is different from what the report says.
>> >> >
>> >> > 39780 has the unexpected output described in the bug report, so
>> >> > it really fails. I don't think we can fix our libgd though,
>> >> > because the bundled one has some php_* functions that are used
>> >> > to get a warning instead of an error.
>> >> >
>> >> > we could include patches to our libgd to fix two (maybe four)
>> >> > issues. We should also upgrade our sqlite version, but many
>> >> > packages will then have to be rebuilt, or we could create a
>> >> > separate package for the newer version. What do you suggest?  
>> >> 
>> >> Wow, thanks for this list! Including the two upstream gd fixes in a
>> >> "gd-for-php" package should be fine, until a new release of gd is
>> >> out. I'm more vary about including the PHP-specific ones though.
>> >> 
>> >> If there are serious problems with using an external (vanilla) gd,
>> >> I think we either need to maintain a "gd-for-php" package
>> >> indefinitely, or bite the bullet and use the bundled one.
>> >> 
>> >> Do you think it's safe to use our gd? And if not, would you be
>> >> willing to keep up with PHP development and maintain the
>> >> externalized gd component with it?
>> >
>> > Failures in tests caused by external gd are not too serious to
>> > require us to switch to the bundled one I think. We may not even
>> > need to patch our libgd with php specific patches, since the
>> > failures are only slight deviation from the spec on corner cases.
>> > If you prefer that we apply these patches too, then we could, and I
>> > would still try to keep that up to date.
>> 
>> OK. Let's use external gd for now barring any serious issues.
>> 
>> >
>> > What I am more worried about are the iconv crashes. That may be due
>> > to lacking locales though.
>> 
>> You could try commenting them out and adding "glibc-locales" to
>> native-inputs. Not sure if they will get picked up by that however.
>> 
>> A better test may be to try out that particular functionality using
>> the installed version of php. If that works, we can be reasonably
>> sure that dropping the tests is fine.
>> 
>> Attached is the final product, after adding a "gd-for-php" variable
>> with the two upstream patches, as well as sqlite-3.15.1 (separate
>> patch).
>> 
>> I'll push this tomorrow if there are no further comments. Thanks for
>> your perseverance :)
> Just one question: why defining gd-for-php with define, and not
> define-public?

It's to prevent it from showing up when people are searching for 'gd',
and also to prevent it from being included by other files.

It's only a temporary measure until the next version is released, so I
saw no reason to export it.

I'm on my way out, but will commit this tomorrow most likely :-)
Marius Bakke Nov. 20, 2016, 5:02 p.m. UTC | #3
Marius Bakke <mbakke@fastmail.com> writes:

>>> > Failures in tests caused by external gd are not too serious to
>>> > require us to switch to the bundled one I think. We may not even
>>> > need to patch our libgd with php specific patches, since the
>>> > failures are only slight deviation from the spec on corner cases.
>>> > If you prefer that we apply these patches too, then we could, and I
>>> > would still try to keep that up to date.
>>> 
>>> OK. Let's use external gd for now barring any serious issues.
>>> 
>>> >
>>> > What I am more worried about are the iconv crashes. That may be due
>>> > to lacking locales though.
>>> 
>>> You could try commenting them out and adding "glibc-locales" to
>>> native-inputs. Not sure if they will get picked up by that however.
>>> 
>>> A better test may be to try out that particular functionality using
>>> the installed version of php. If that works, we can be reasonably
>>> sure that dropping the tests is fine.
>>> 
>>> Attached is the final product, after adding a "gd-for-php" variable
>>> with the two upstream patches, as well as sqlite-3.15.1 (separate
>>> patch).
>>> 
>>> I'll push this tomorrow if there are no further comments. Thanks for
>>> your perseverance :)
>> Just one question: why defining gd-for-php with define, and not
>> define-public?
>
> It's to prevent it from showing up when people are searching for 'gd',
> and also to prevent it from being included by other files.
>
> It's only a temporary measure until the next version is released, so I
> saw no reason to export it.
>
> I'm on my way out, but will commit this tomorrow most likely :-)

Sorry for the delay, PHP is in master now!
Leo Famulari Nov. 20, 2016, 5:13 p.m. UTC | #4
On Sun, Nov 20, 2016 at 06:02:59PM +0100, Marius Bakke wrote:
> Sorry for the delay, PHP is in master now!

Wow, thanks to everyone who worked on this!
Ludovic Courtès Nov. 21, 2016, 8:46 a.m. UTC | #5
Marius Bakke <mbakke@fastmail.com> skribis:

> Marius Bakke <mbakke@fastmail.com> writes:
>
>>>> > Failures in tests caused by external gd are not too serious to
>>>> > require us to switch to the bundled one I think. We may not even
>>>> > need to patch our libgd with php specific patches, since the
>>>> > failures are only slight deviation from the spec on corner cases.
>>>> > If you prefer that we apply these patches too, then we could, and I
>>>> > would still try to keep that up to date.
>>>> 
>>>> OK. Let's use external gd for now barring any serious issues.
>>>> 
>>>> >
>>>> > What I am more worried about are the iconv crashes. That may be due
>>>> > to lacking locales though.
>>>> 
>>>> You could try commenting them out and adding "glibc-locales" to
>>>> native-inputs. Not sure if they will get picked up by that however.
>>>> 
>>>> A better test may be to try out that particular functionality using
>>>> the installed version of php. If that works, we can be reasonably
>>>> sure that dropping the tests is fine.
>>>> 
>>>> Attached is the final product, after adding a "gd-for-php" variable
>>>> with the two upstream patches, as well as sqlite-3.15.1 (separate
>>>> patch).
>>>> 
>>>> I'll push this tomorrow if there are no further comments. Thanks for
>>>> your perseverance :)
>>> Just one question: why defining gd-for-php with define, and not
>>> define-public?
>>
>> It's to prevent it from showing up when people are searching for 'gd',
>> and also to prevent it from being included by other files.
>>
>> It's only a temporary measure until the next version is released, so I
>> saw no reason to export it.
>>
>> I'm on my way out, but will commit this tomorrow most likely :-)
>
> Sorry for the delay, PHP is in master now!

Cool, thank you all!

Ludo’.
diff mbox

Patch

From ae98ee11b6eb2e0feb79c735497b8647ebf80d6f Mon Sep 17 00:00:00 2001
From: Marius Bakke <mbakke@fastmail.com>
Date: Thu, 17 Nov 2016 18:53:10 +0100
Subject: [PATCH 1/2] gnu: Add sqlite-3.15.1.

* gnu/packages/databases.scm (sqlite-3.15.1): New variable.
---
 gnu/packages/databases.scm | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/gnu/packages/databases.scm b/gnu/packages/databases.scm
index ab9c6d6..d6746f0 100644
--- a/gnu/packages/databases.scm
+++ b/gnu/packages/databases.scm
@@ -558,6 +558,26 @@  widely deployed SQL database engine in the world.  The source code for SQLite
 is in the public domain.")
    (license public-domain)))
 
+(define-public sqlite-3.15.1
+  (package (inherit sqlite)
+           (version "3.15.1")
+           (source (origin
+                     (method url-fetch)
+                     (uri (let ((numeric-version
+                                 (match (string-split version #\.)
+                                   ((first-digit other-digits ...)
+                                    (string-append first-digit
+                                                   (string-pad-right
+                                                    (string-concatenate
+                                                     (map (cut string-pad <> 2 #\0)
+                                                          other-digits))
+                                                    6 #\0))))))
+                            (string-append "https://sqlite.org/2016/sqlite-autoconf-"
+                                           numeric-version ".tar.gz")))
+                     (sha256
+                      (base32
+                       "1ig2d9jzzixiifmgqsl6kjcvy17jwxby3s24gfnc5qvyd6vqkyjx"))))))
+
 (define-public tdb
   (package
     (name "tdb")
-- 
2.10.2


From ff314d0b0646d0d3e5e371886eab69b28f9ef879 Mon Sep 17 00:00:00 2001
From: Julien Lepiller <julien@lepiller.eu>
Date: Fri, 11 Nov 2016 15:18:29 +0100
Subject: [PATCH 2/2] gnu: Add php.

* gnu/packages/php.scm: New file.
* gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch: New file.
* gnu/packages/patches/gd-fix-truecolor-format-correction.patch: New file.
* gnu/local.mk (GNU_SYSTEM_MODULES): Add php.
(dist_patch_DATA): Add gd patches.

Co-authored-by: Marius Bakke <mbakke@fastmail.com>
---
 gnu/local.mk                                       |   3 +
 .../patches/gd-fix-chunk-size-on-boundaries.patch  | 102 +++++++
 .../gd-fix-truecolor-format-correction.patch       |  95 ++++++
 gnu/packages/php.scm                               | 334 +++++++++++++++++++++
 4 files changed, 534 insertions(+)
 create mode 100644 gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
 create mode 100644 gnu/packages/patches/gd-fix-truecolor-format-correction.patch
 create mode 100644 gnu/packages/php.scm

diff --git a/gnu/local.mk b/gnu/local.mk
index ff8586e..6a472e1 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -295,6 +295,7 @@  GNU_SYSTEM_MODULES =				\
   %D%/packages/pem.scm				\
   %D%/packages/perl.scm				\
   %D%/packages/photo.scm			\
+  %D%/packages/php.scm				\
   %D%/packages/pkg-config.scm			\
   %D%/packages/plotutils.scm			\
   %D%/packages/polkit.scm			\
@@ -551,8 +552,10 @@  dist_patch_DATA =						\
   %D%/packages/patches/gcc-6-cross-environment-variables.patch	\
   %D%/packages/patches/gd-CVE-2016-7568.patch			\
   %D%/packages/patches/gd-CVE-2016-8670.patch			\
+  %D%/packages/patches/gd-fix-chunk-size-on-boundaries.patch	\
   %D%/packages/patches/gd-fix-gd2-read-test.patch		\
   %D%/packages/patches/gd-fix-tests-on-i686.patch		\
+  %D%/packages/patches/gd-fix-truecolor-format-correction.patch	\
   %D%/packages/patches/gegl-CVE-2012-4433.patch			\
   %D%/packages/patches/geoclue-config.patch			\
   %D%/packages/patches/ghostscript-CVE-2013-5653.patch		\
diff --git a/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch b/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
new file mode 100644
index 0000000..e395c66
--- /dev/null
+++ b/gnu/packages/patches/gd-fix-chunk-size-on-boundaries.patch
@@ -0,0 +1,102 @@ 
+This fixes PHP bug #73155: https://bugs.php.net/bug.php?id=73155
+
+Patch adapted from upstream source repository:
+
+https://github.com/libgd/libgd/commit/8067a8ac336dfe0acbe96ec2eb24572209a7f279
+
+(.gitignore change removed)
+
+From 8067a8ac336dfe0acbe96ec2eb24572209a7f279 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Fri, 23 Sep 2016 18:29:52 +0200
+Subject: [PATCH] Fix #309: gdImageGd2() writes wrong chunk sizes on boundaries
+
+(cherry picked from commit bb1998a16e30d542ab22eba5501911a9aa066edb)
+---
+ src/gd_gd2.c             |  4 ++--
+ tests/gd2/CMakeLists.txt |  1 +
+ tests/gd2/Makemodule.am  |  1 +
+ tests/gd2/bug00309.c     | 37 +++++++++++++++++++++++++++++++++++++
+ 4 files changed, 41 insertions(+), 2 deletions(-)
+ create mode 100644 tests/gd2/bug00309.c
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 75e5e1f..b9b2f93 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -938,8 +938,8 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ 	};
+ 
+ 	/* Work out number of chunks. */
+-	ncx = im->sx / cs + 1;
+-	ncy = im->sy / cs + 1;
++	ncx = (im->sx + cs - 1) / cs;
++	ncy = (im->sy + cs - 1) / cs;
+ 
+ 	/* Write the standard header. */
+ 	_gd2PutHeader (im, out, cs, fmt, ncx, ncy);
+diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
+index 3b650ad..247b466 100644
+--- a/tests/gd2/CMakeLists.txt
++++ b/tests/gd2/CMakeLists.txt
+@@ -1,5 +1,6 @@
+ SET(TESTS_FILES
+ 	bug_289
++	bug00309
+ 	gd2_empty_file
+ 	gd2_im2im
+ 	gd2_null
+diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
+index b8ee946..d69aee0 100644
+--- a/tests/gd2/Makemodule.am
++++ b/tests/gd2/Makemodule.am
+@@ -1,5 +1,6 @@
+ libgd_test_programs += \
+ 	gd2/bug_289 \
++	gd2/bug00309 \
+ 	gd2/gd2_empty_file \
+ 	gd2/php_bug_72339 \
+ 	gd2/gd2_read_corrupt
+diff --git a/tests/gd2/bug00309.c b/tests/gd2/bug00309.c
+new file mode 100644
+index 0000000..b649cdc
+--- /dev/null
++++ b/tests/gd2/bug00309.c
+@@ -0,0 +1,37 @@
++/**
++ * Regression test for <https://github.com/libgd/libgd/issues/309>.
++ *
++ * We test that an image with 64x64 pixels reports only a single chunk in the
++ * GD2 image header when the chunk size is 64.
++ */
++
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++int main()
++{
++    gdImagePtr im;
++    unsigned char *buf;
++    int size, word;
++
++    im = gdImageCreate(64, 64);
++    gdImageColorAllocate(im, 0, 0, 0);
++
++    buf = gdImageGd2Ptr(im, 64, 1, &size);
++
++    gdImageDestroy(im);
++
++    word = buf[10] << 8 | buf[11];
++    gdTestAssertMsg(word == 64, "chunk size is %d, but expected 64\n", word);
++    word = buf[14] << 8 | buf[15];
++    gdTestAssertMsg(word == 1, "x chunk count is %d, but expected 1\n", word);
++    word = buf[16] << 8 | buf[17];
++    gdTestAssertMsg(word == 1, "y chunk count is %d, but expected 1\n", word);
++    gdTestAssertMsg(size == 5145, "file size is %d, but expected 5145\n", size);
++
++    gdFree(buf);
++
++    return gdNumFailures();
++}
diff --git a/gnu/packages/patches/gd-fix-truecolor-format-correction.patch b/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
new file mode 100644
index 0000000..be3eff9
--- /dev/null
+++ b/gnu/packages/patches/gd-fix-truecolor-format-correction.patch
@@ -0,0 +1,95 @@ 
+This fixes PHP bug #73159: https://bugs.php.net/bug.php?id=73159
+
+Patch lifted from upstream source repository:
+
+https://github.com/libgd/libgd/commit/e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5
+
+From e1f61a4141d2e0937a13b8bfb1992b9f29eb05f5 Mon Sep 17 00:00:00 2001
+From: "Christoph M. Becker" <cmbecker69@gmx.de>
+Date: Mon, 15 Aug 2016 17:49:40 +0200
+Subject: [PATCH] Fix #289: Passing unrecognized formats to gdImageGd2 results
+ in corrupted files
+
+We must not apply the format correction twice for truecolor images.
+
+(cherry picked from commit 09090c125658e23a4ae2a2e002646bb7278bd89e)
+---
+ src/gd_gd2.c             |  2 +-
+ tests/gd2/CMakeLists.txt |  1 +
+ tests/gd2/Makemodule.am  |  1 +
+ tests/gd2/bug_289.c      | 33 +++++++++++++++++++++++++++++++++
+ 4 files changed, 36 insertions(+), 1 deletion(-)
+ create mode 100644 tests/gd2/bug_289.c
+
+diff --git a/src/gd_gd2.c b/src/gd_gd2.c
+index 86c881e..75e5e1f 100644
+--- a/src/gd_gd2.c
++++ b/src/gd_gd2.c
+@@ -918,7 +918,7 @@ _gdImageGd2 (gdImagePtr im, gdIOCtx * out, int cs, int fmt)
+ 	/* Force fmt to a valid value since we don't return anything. */
+ 	/* */
+ 	if ((fmt != GD2_FMT_RAW) && (fmt != GD2_FMT_COMPRESSED)) {
+-		fmt = im->trueColor ? GD2_FMT_TRUECOLOR_COMPRESSED : GD2_FMT_COMPRESSED;
++		fmt = GD2_FMT_COMPRESSED;
+ 	};
+ 	if (im->trueColor) {
+ 		fmt += 2;
+diff --git a/tests/gd2/CMakeLists.txt b/tests/gd2/CMakeLists.txt
+index 8aecacc..3b650ad 100644
+--- a/tests/gd2/CMakeLists.txt
++++ b/tests/gd2/CMakeLists.txt
+@@ -1,4 +1,5 @@
+ SET(TESTS_FILES
++	bug_289
+ 	gd2_empty_file
+ 	gd2_im2im
+ 	gd2_null
+diff --git a/tests/gd2/Makemodule.am b/tests/gd2/Makemodule.am
+index 754a284..b8ee946 100644
+--- a/tests/gd2/Makemodule.am
++++ b/tests/gd2/Makemodule.am
+@@ -1,4 +1,5 @@
+ libgd_test_programs += \
++	gd2/bug_289 \
+ 	gd2/gd2_empty_file \
+ 	gd2/php_bug_72339 \
+ 	gd2/gd2_read_corrupt
+diff --git a/tests/gd2/bug_289.c b/tests/gd2/bug_289.c
+new file mode 100644
+index 0000000..ad311e9
+--- /dev/null
++++ b/tests/gd2/bug_289.c
+@@ -0,0 +1,33 @@
++/**
++ * Passing an unrecognized format to gdImageGd2() should result in
++ * GD2_FMT_TRUECOLOR_COMPRESSED for truecolor images.
++ *
++ * See <https://github.com/libgd/libgd/issues/289>.
++ */
++
++#include "gd.h"
++#include "gdtest.h"
++
++
++#define GD2_FMT_UNRECOGNIZED 0
++#define GD2_FMT_TRUECOLOR_COMPRESSED 4
++
++#define MSG "expected %s byte to be %d, but got %d\n"
++
++
++int main()
++{
++    gdImagePtr im;
++    char *buffer;
++    int size;
++
++    im = gdImageCreateTrueColor(10, 10);
++    gdTestAssert(im != NULL);
++    buffer = (char *) gdImageGd2Ptr(im, 128, GD2_FMT_UNRECOGNIZED, &size);
++    gdTestAssert(buffer != NULL);
++    gdImageDestroy(im);
++    gdTestAssertMsg(buffer[12] == 0, MSG, "1st", 0, buffer[12]);
++    gdTestAssertMsg(buffer[13] == GD2_FMT_TRUECOLOR_COMPRESSED, MSG, "2nd", GD2_FMT_TRUECOLOR_COMPRESSED, buffer[13]);
++
++    return gdNumFailures();
++}
diff --git a/gnu/packages/php.scm b/gnu/packages/php.scm
new file mode 100644
index 0000000..0b47d7f
--- /dev/null
+++ b/gnu/packages/php.scm
@@ -0,0 +1,334 @@ 
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2016 Julien Lepiller <julien@lepiller.eu>
+;;; Copyright © 2016 Marius Bakke <mbakke@fastmail.com>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu packages php)
+  #:use-module (gnu packages)
+  #:use-module (gnu packages algebra)
+  #:use-module (gnu packages aspell)
+  #:use-module (gnu packages base)
+  #:use-module (gnu packages bison)
+  #:use-module (gnu packages compression)
+  #:use-module (gnu packages curl)
+  #:use-module (gnu packages cyrus-sasl)
+  #:use-module (gnu packages databases)
+  #:use-module (gnu packages fontutils)
+  #:use-module (gnu packages gd)
+  #:use-module (gnu packages gettext)
+  #:use-module (gnu packages glib)
+  #:use-module (gnu packages gnupg)
+  #:use-module (gnu packages image)
+  #:use-module (gnu packages linux)
+  #:use-module (gnu packages multiprecision)
+  #:use-module (gnu packages openldap)
+  #:use-module (gnu packages pcre)
+  #:use-module (gnu packages pkg-config)
+  #:use-module (gnu packages readline)
+  #:use-module (gnu packages textutils)
+  #:use-module (gnu packages tls)
+  #:use-module (gnu packages web)
+  #:use-module (gnu packages xml)
+  #:use-module (gnu packages xorg)
+  #:use-module (gnu packages zip)
+  #:use-module (guix packages)
+  #:use-module (guix download)
+  #:use-module (guix build-system gnu)
+  #:use-module ((guix licenses) #:prefix license:))
+
+;; This fixes PHP bugs 73155 and 73159. Remove when gd
+;; is updated to > 2.2.3.
+(define gd-for-php
+  (package (inherit gd)
+           (source
+            (origin
+              (inherit (package-source gd))
+              (patches (search-patches
+                        "gd-fix-truecolor-format-correction.patch"
+                        "gd-fix-chunk-size-on-boundaries.patch"))))))
+
+(define-public php
+  (package
+    (name "php")
+    (version "7.0.13")
+    (home-page "https://secure.php.net/")
+    (source (origin
+              (method url-fetch)
+              (uri (string-append home-page "distributions/"
+                                  name "-" version ".tar.xz"))
+              (sha256
+               (base32
+                "1gzihbpcp51jc587gs1ryn59hsnr7vf5427dmcvdimvm77wsfyrm"))
+              (modules '((guix build utils)))
+              (snippet
+               '(with-directory-excursion "ext"
+                  (for-each delete-file-recursively
+                            ;; Some of the bundled libraries have no proper upstream.
+                            ;; Ideally we'd extract these out as separate packages:
+                            ;;"mbstring/libmbfl"
+                            ;;"date/lib"
+                            ;;"bcmath/libbcmath"
+                            ;;"fileinfo/libmagic" ; This is a patched version of libmagic.
+                            '("gd/libgd"
+                              "mbstring/oniguruma"
+                              "pcre/pcrelib"
+                              "sqlite3/libsqlite"
+                              "xmlrpc/libxmlrpc"
+                              "zip/lib"))))))
+    (build-system gnu-build-system)
+    (arguments
+     '(#:configure-flags
+       (let-syntax ((with (syntax-rules ()
+                            ((_ option input)
+                             (string-append option "="
+                                            (assoc-ref %build-inputs input))))))
+         (list (with "--with-bz2" "bzip2")
+               (with "--with-curl" "curl")
+               (with "--with-freetype-dir" "freetype")
+               (with "--with-gd" "gd")
+               (with "--with-gdbm" "gdbm")
+               (with "--with-gettext" "glibc") ; libintl.h
+               (with "--with-gmp" "gmp")
+               (with "--with-jpeg-dir" "libjpeg")
+               (with "--with-ldap" "openldap")
+               (with "--with-ldap-sasl" "cyrus-sasl")
+               (with "--with-libzip" "zip")
+               (with "--with-libxml-dir" "libxml2")
+               (with "--with-onig" "oniguruma")
+               (with "--with-pcre-dir" "pcre")
+               (with "--with-pcre-regex" "pcre")
+               (with "--with-pdo-pgsql" "postgresql")
+               (with "--with-pdo-sqlite" "sqlite")
+               (with "--with-pgsql" "postgresql")
+               (with "--with-png-dir" "libpng")
+               ;; PHP’s Pspell extension, while retaining its current name,
+               ;; now uses the Aspell library.
+               (with "--with-pspell" "aspell")
+               (with "--with-readline" "readline")
+               (with "--with-sqlite3" "sqlite")
+               (with "--with-tidy" "tidy")
+               (with "--with-webp-dir" "libwebp")
+               (with "--with-xpm-dir" "libxpm")
+               (with "--with-xsl" "libxslt")
+               (with "--with-zlib-dir" "zlib")
+               ;; We could add "--with-snmp", but it requires netsnmp that
+               ;; we don't have a package for. It is used to build the snmp
+               ;; extension of php.
+               "--with-iconv"
+               "--with-openssl"
+               "--with-pdo-mysql"
+               "--with-zlib"
+               "--enable-calendar"
+               "--enable-dba=shared"
+               "--enable-exif"
+               "--enable-flatfile"
+               "--enable-fpm"
+               "--enable-ftp"
+               "--enable-inifile"
+               "--enable-mbstring"
+               "--enable-pcntl"
+               "--enable-sockets"
+               "--enable-threads"))
+       #:phases
+       (modify-phases %standard-phases
+         (add-after 'unpack 'do-not-record-build-flags
+           (lambda _
+             ;; Prevent configure flags from being stored and causing
+             ;; unnecessary runtime dependencies.
+             (substitute* "scripts/php-config.in"
+               (("@CONFIGURE_OPTIONS@") "")
+               (("@PHP_LDFLAGS@") ""))
+             ;; This file has ISO-8859-1 encoding.
+             (with-fluids ((%default-port-encoding "ISO-8859-1"))
+               (substitute* "main/build-defs.h.in"
+                 (("@CONFIGURE_COMMAND@") "(omitted)")))
+             #t))
+         (add-before 'build 'patch-/bin/sh
+           (lambda _
+             (substitute* '("run-tests.php" "ext/standard/proc_open.c")
+               (("/bin/sh") (which "sh")))
+             #t))
+         (add-before 'check 'prepare-tests
+           (lambda _
+             ;; Some of these files have ISO-8859-1 encoding, whereas others
+             ;; use ASCII, so we can't use a "catch-all" find-files here.
+             (with-fluids ((%default-port-encoding "ISO-8859-1"))
+               (substitute* '("ext/mbstring/tests/mb_send_mail02.phpt"
+                              "ext/mbstring/tests/mb_send_mail04.phpt"
+                              "ext/mbstring/tests/mb_send_mail05.phpt"
+                              "ext/mbstring/tests/mb_send_mail06.phpt")
+                 (("/bin/cat") (which "cat"))))
+             (substitute* '("ext/mbstring/tests/mb_send_mail01.phpt"
+                            "ext/mbstring/tests/mb_send_mail03.phpt"
+                            "ext/mbstring/tests/bug52861.phpt"
+                            "ext/standard/tests/general_functions/bug34794.phpt"
+                            "ext/standard/tests/general_functions/bug44667.phpt"
+                            "ext/standard/tests/general_functions/proc_open.phpt")
+               (("/bin/cat") (which "cat")))
+             ;; The encoding of this file is not recognized, so we simply drop it.
+             (delete-file "ext/mbstring/tests/mb_send_mail07.phpt")
+
+             (substitute* "ext/standard/tests/streams/bug60602.phpt"
+               (("'ls'") (string-append "'" (which "ls") "'")))
+
+             ;; Drop tests that are known to fail.
+             (for-each delete-file
+                       '("ext/posix/tests/posix_getgrgid.phpt"    ; Requires /etc/group.
+                         "ext/sockets/tests/bug63000.phpt"        ; Fails to detect OS.
+                         "ext/sockets/tests/socket_shutdown.phpt" ; Requires DNS.
+                         "ext/sockets/tests/socket_send.phpt"     ; Likewise.
+                         "ext/sockets/tests/mcast_ipv4_recv.phpt" ; Requires multicast.
+                         ;; These needs /etc/services.
+                         "ext/standard/tests/general_functions/getservbyname_basic.phpt"
+                         "ext/standard/tests/general_functions/getservbyport_basic.phpt"
+                         "ext/standard/tests/general_functions/getservbyport_variation1.phpt"
+                         ;; And /etc/protocols.
+                         "ext/standard/tests/network/getprotobyname_basic.phpt"
+                         "ext/standard/tests/network/getprotobynumber_basic.phpt"
+                         ;; And exotic locales.
+                         "ext/standard/tests/strings/setlocale_basic1.phpt"
+                         "ext/standard/tests/strings/setlocale_basic2.phpt"
+                         "ext/standard/tests/strings/setlocale_basic3.phpt"
+                         "ext/standard/tests/strings/setlocale_variation1.phpt"
+
+                         ;; XXX: These gd tests fails.  Likely because our version
+                         ;; is different from the (patched) bundled one.
+                         ;; Here, gd quits immediately after "fatal libpng error"; while the
+                         ;; test expects it to additionally return a "setjmp" error and warning.
+                         "ext/gd/tests/bug39780_extern.phpt"
+                         "ext/gd/tests/libgd00086_extern.phpt"
+                         ;; Extra newline in gd-png output.
+                         "ext/gd/tests/bug45799.phpt"
+                         ;; Different error message than expected from imagecrop().
+                         "ext/gd/tests/bug66356.phpt"
+                         ;; Similarly for imagecreatefromgd2().
+                         "ext/gd/tests/bug72339.phpt"
+                         ;; Call to undefined function imageantialias().  They are
+                         ;; supposed to fail anyway.
+                         "ext/gd/tests/bug72482.phpt"
+                         "ext/gd/tests/bug72482_2.phpt"
+                         "ext/gd/tests/bug73213.phpt"
+                         ;; Test expects generic "gd warning" but gets the actual function name.
+                         "ext/gd/tests/createfromwbmp2_extern.phpt"
+                         ;; TODO: Enable these when libgd is built with xpm support.
+                         "ext/gd/tests/xpm2gd.phpt"
+                         "ext/gd/tests/xpm2jpg.phpt"
+                         "ext/gd/tests/xpm2png.phpt"
+
+                         ;; XXX: These iconv tests have the expected outcome,
+                         ;; but with different error messages.
+                         ;; Expects "illegal character", instead gets "unknown error (84)".
+                         "ext/iconv/tests/bug52211.phpt"
+                         ;; Expects "wrong charset", gets unknown error (22).
+                         "ext/iconv/tests/iconv_mime_decode_variation3.phpt"
+                         "ext/iconv/tests/iconv_strlen_error2.phpt"
+                         "ext/iconv/tests/iconv_strlen_variation2.phpt"
+                         "ext/iconv/tests/iconv_substr_error2.phpt"
+                         ;; Expects conversion error, gets "error condition Termsig=11".
+                         "ext/iconv/tests/iconv_strpos_error2.phpt"
+                         "ext/iconv/tests/iconv_strrpos_error2.phpt"
+                         ;; Similar, but iterating over multiple values.
+                         ;; iconv breaks the loop after the first error with Termsig=11.
+                         "ext/iconv/tests/iconv_strpos_variation4.phpt"
+                         "ext/iconv/tests/iconv_strrpos_variation3.phpt"
+
+                         ;; XXX: These test failures appear legitimate, needs investigation.
+                         ;; open_basedir() restriction failure.
+                         "ext/curl/tests/bug61948.phpt"
+                         ;; Expects a false boolean, gets empty array from glob().
+                         "ext/standard/tests/file/bug41655_1.phpt"
+                         "ext/standard/tests/file/glob_variation5.phpt"
+                         ;; Test output is correct, but in wrong order.
+                         "ext/standard/tests/streams/proc_open_bug64438.phpt"
+                         ;; The test expects an Array, but instead get the contents(?).
+                         "ext/gd/tests/bug43073.phpt"
+                         ;; imagettftext() returns wrong coordinates.
+                         "ext/gd/tests/bug48732.phpt"
+                         ;; Similarly for imageftbbox().
+                         "ext/gd/tests/bug48801.phpt"
+                         ;; Different expected output from imagecolorallocate().
+                         "ext/gd/tests/bug53504.phpt"
+                         ;; Wrong image size after scaling an image.
+                         "ext/gd/tests/bug73272.phpt"
+                         ;; Expects iconv to detect illegal characters, instead gets
+                         ;; "unknown error (84)" and heap corruption(!).
+                         "ext/iconv/tests/bug48147.phpt"
+                         ;; Expects illegal character ".", gets "=?utf-8?Q?."
+                         "ext/iconv/tests/bug51250.phpt"
+                         ;; @iconv() does not return expected output.
+                         "ext/iconv/tests/iconv003.phpt"
+                         ;; iconv throws "buffer length exceeded" on some string checks.
+                         "ext/iconv/tests/iconv_mime_encode.phpt"
+                         ;; file_get_contents(): iconv stream filter
+                         ;; ("ISO-8859-1"=>"UTF-8") unknown error.
+                         "ext/standard/tests/file/bug43008.phpt"
+                         ;; Table data not created in sqlite(?).
+                         "ext/pdo_sqlite/tests/bug_42589.phpt"))
+
+             ;; Skip tests requiring network access.
+             (setenv "SKIP_ONLINE_TESTS" "1")
+             ;; Without this variable, `make test' passes regardless of failures.
+             (setenv "REPORT_EXIT_STATUS" "1")
+             #t)))
+       #:test-target "test"))
+    (inputs
+     `(("aspell" ,aspell)
+       ("bzip2" ,bzip2)
+       ("curl" ,curl)
+       ("cyrus-sasl" ,cyrus-sasl)
+       ("freetype" ,freetype)
+       ("gd" ,gd-for-php)
+       ("gdbm" ,gdbm)
+       ("glibc" ,glibc)
+       ("gmp" ,gmp)
+       ("libgcrypt" ,libgcrypt)
+       ("libjpeg" ,libjpeg)
+       ("libpng" ,libpng)
+       ("libwebp" ,libwebp)
+       ("libxml2" ,libxml2)
+       ("libxpm" ,libxpm)
+       ("libxslt" ,libxslt)
+       ("libx11" ,libx11)
+       ("oniguruma" ,oniguruma)
+       ("openldap" ,openldap)
+       ("openssl" ,openssl)
+       ("pcre" ,pcre)
+       ("postgresql" ,postgresql)
+       ("readline" ,readline)
+       ("sqlite" ,sqlite-3.15.1)
+       ("tidy" ,tidy)
+       ("zip" ,zip)
+       ("zlib" ,zlib)))
+    (native-inputs
+     `(("pkg-config" ,pkg-config)
+       ("bison" ,bison)
+       ("intltool" ,intltool)
+       ("procps" ,procps)))         ; For tests.
+    (synopsis "PHP programming language")
+    (description
+      "PHP (PHP Hypertext Processor) is a server-side (CGI) scripting
+language designed primarily for web development but is also used as
+a general-purpose programming language.  PHP code may be embedded into
+HTML code, or it can be used in combination with various web template
+systems, web content management systems and web frameworks." )
+    (license (list
+              (license:non-copyleft "file://LICENSE")       ; The PHP license.
+              (license:non-copyleft "file://Zend/LICENSE")  ; The Zend license.
+              license:lgpl2.1                               ; ext/mbstring/libmbfl
+              license:lgpl2.1+                              ; ext/bcmath/libbcmath
+              license:bsd-2                                 ; ext/fileinfo/libmagic
+              license:expat))))                             ; ext/date/lib
-- 
2.10.2