Commit 970f6c71 authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 5.6.27+dfsg

parent 260c6bf5
; http://editorconfig.org/
root = true
[*.{c,h}]
charset = UTF-8
end_of_line = LF
indent_size = 4
indent_style = tab
insert_final_newline = true
tab_width = 4
trim_trailing_whitespace = true
[*.yml]
indent_size = 2
indent_style = space
......@@ -181,8 +181,8 @@ STATUS: Working
SINCE: 5.1
-------------------------------------------------------------------------------
EXTENSION: pdo_dblib
PRIMARY MAINTAINER: Unknown
MAINTENANCE: Odd fixes
PRIMARY MAINTAINER: Adam Baratz <adambaratz@php.net>
MAINTENANCE: Maintained
STATUS: Working
SINCE: 5.1
-------------------------------------------------------------------------------
......
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
13 Oct 2016, PHP 5.6.27
- Core:
. Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of
zend_virtual_cwd.c). (cmb)
. Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
. Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by
password_verify). (Anatol)
. Fixed bug #73189 (Memcpy negative size parameter php_resolve_path). (Stas)
. Fixed bug #73147 (Use After Free in unserialize()). (Stas)
- BCmath:
. Fixed bug #73190 (memcpy negative parameter _bc_new_num_ex). (Stas)
- DOM:
. Fixed bug #73150 (missing NULL check in dom_document_save_html). (Stas)
- Ereg:
. Fixed bug #73284 (heap overflow in php_ereg_replace function). (Stas)
- Filter:
. Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and
FILTER_FLAG_NO_PRIV_RANGE). (julien)
. Fixed bug #67167 (Wrong return value from FILTER_VALIDATE_BOOLEAN,
FILTER_NULL_ON_FAILURE). (levim, cmb)
. Fixed bug #73054 (default option ignored when object passed to int filter).
(cmb)
- GD:
. Fixed bug #67325 (imagetruecolortopalette: white is duplicated in palette).
(cmb)
. Fixed bug #50194 (imagettftext broken on transparent background w/o
alphablending). (cmb)
. Fixed bug #73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab,
cmb)
. Fixed bug #53504 (imagettfbbox gives incorrect values for bounding box).
(Mark Plomer, cmb)
. Fixed bug #73157 (imagegd2() ignores 3rd param if 4 are given). (cmb)
. Fixed bug #73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb)
. Fixed bug #73159 (imagegd2(): unrecognized formats may result in corrupted
files). (cmb)
. Fixed bug #73161 (imagecreatefromgd2() may leak memory). (cmb)
- Intl:
. Fixed bug #73218 (add mitigation for ICU int overflow). (Stas)
- Imap:
. Fixed bug #73208 (integer overflow in imap_8bit caused heap corruption).
(Stas)
- Mbstring:
. Fixed bug #72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
. Fixed bug #66964 (mb_convert_variables() cannot detect recursion). (Yasuo)
. Fixed bug #72992 (mbstring.internal_encoding doesn't inherit default_charset).
(Yasuo)
. Fixed bug #73082 (string length overflow in mb_encode_* function). (Stas)
- PCRE:
. Fixed bug #73174 (heap overflow in php_pcre_replace_impl). (Stas)
- Opcache:
. Fixed bug #72590 (Opcache restart with kill_all_lockers does not work).
(Keyur) (julien backport)
- OpenSSL:
. Fixed bug #73072 (Invalid path SNI_server_certs causes segfault).
(Jakub Zelenka)
. Fixed bug #73275 (crash in openssl_encrypt function). (Stas)
. Fixed bug #73276 (crash in openssl_random_pseudo_bytes function). (Stas)
- Session:
. Fixed bug #68015 (Session does not report invalid uid for files save handler).
(Yasuo)
. Fixed bug #73100 (session_destroy null dereference in ps_files_path_create).
(cmb)
- SimpleXML:
. Fixed bug #73293 (NULL pointer dereference in SimpleXMLElement::asXML()).
(Stas)
- SPL:
. Fixed bug #73073 (CachingIterator null dereference when convert to string).
(Stas)
- Standard:
. Fixed bug #73240 (Write out of bounds at number_format). (Stas)
. Fixed bug #73017 (memory corruption in wordwrap function). (Stas)
- Stream:
. Fixed bug #73069 (readfile() mangles files larger than 2G). (Laruence)
- Zip:
. Fixed bug #70752 (Depacking with wrong password leaves 0 length files).
(cmb)
15 Sep 2016, PHP 5.6.26
- Core:
......
--TEST--
Next free element may overflow in array literals
--FILE--
<?php
$i = PHP_INT_MAX;
$array = [$i => 42, new stdClass];
var_dump($array);
const FOO = [PHP_INT_MAX => 42, "foo"];
var_dump(FOO);
?>
--EXPECTF--
Warning: Cannot add element to the array as the next element is already occupied in %s on line %d
array(1) {
[%d]=>
int(42)
}
Warning: Cannot add element to the array as the next element is already occupied in %s on line %d
array(1) {
[%d]=>
int(42)
}
--TEST--
Constexpr arrays should be able to handle resource keys
--FILE--
<?php
const FOO = [STDIN => 42];
var_dump(FOO);
?>
--EXPECTF--
Strict Standards: Resource ID#%d used as offset, casting to integer (%d) in %s on line %d
array(1) {
[%d]=>
int(42)
}
......@@ -1805,6 +1805,12 @@ ZEND_API int zend_startup_module_ex(zend_module_entry *module TSRMLS_DC) /* {{{
}
/* }}} */
static int zend_startup_module_int(zend_module_entry *module TSRMLS_DC) /* {{{ */
{
return (zend_startup_module_ex(module TSRMLS_CC) == SUCCESS) ? ZEND_HASH_APPLY_KEEP : ZEND_HASH_APPLY_REMOVE;
}
/* }}} */
static void zend_sort_modules(void *base, size_t count, size_t siz, compare_func_t compare TSRMLS_DC) /* {{{ */
{
Bucket **b1 = base;
......@@ -1921,7 +1927,7 @@ ZEND_API void zend_collect_module_handlers(TSRMLS_D) /* {{{ */
ZEND_API int zend_startup_modules(TSRMLS_D) /* {{{ */
{
zend_hash_sort(&module_registry, zend_sort_modules, NULL, 0 TSRMLS_CC);
zend_hash_apply(&module_registry, (apply_func_t)zend_startup_module_ex TSRMLS_CC);
zend_hash_apply(&module_registry, (apply_func_t)zend_startup_module_int TSRMLS_CC);
return SUCCESS;
}
/* }}} */
......@@ -3770,6 +3776,30 @@ ZEND_API void zend_update_property(zend_class_entry *scope, zval *object, const
}
/* }}} */
ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
{
zval *property;
zend_class_entry *old_scope = EG(scope);
EG(scope) = scope;
if (!Z_OBJ_HT_P(object)->unset_property) {
const char *class_name;
zend_uint class_name_len;
zend_get_object_classname(object, &class_name, &class_name_len TSRMLS_CC);
zend_error(E_CORE_ERROR, "Property %s of class %s cannot be unset", name, class_name);
}
MAKE_STD_ZVAL(property);
ZVAL_STRINGL(property, name, name_length, 1);
Z_OBJ_HT_P(object)->unset_property(object, property, 0 TSRMLS_CC);
zval_ptr_dtor(&property);
EG(scope) = old_scope;
}
/* }}} */
ZEND_API void zend_update_property_null(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC) /* {{{ */
{
zval *tmp;
......
......@@ -330,6 +330,7 @@ ZEND_API void zend_update_property_long(zend_class_entry *scope, zval *object, c
ZEND_API void zend_update_property_double(zend_class_entry *scope, zval *object, const char *name, int name_length, double value TSRMLS_DC);
ZEND_API void zend_update_property_string(zend_class_entry *scope, zval *object, const char *name, int name_length, const char *value TSRMLS_DC);
ZEND_API void zend_update_property_stringl(zend_class_entry *scope, zval *object, const char *name, int name_length, const char *value, int value_length TSRMLS_DC);
ZEND_API void zend_unset_property(zend_class_entry *scope, zval *object, const char *name, int name_length TSRMLS_DC);
ZEND_API int zend_update_static_property(zend_class_entry *scope, const char *name, int name_length, zval *value TSRMLS_DC);
ZEND_API int zend_update_static_property_null(zend_class_entry *scope, const char *name, int name_length TSRMLS_DC);
......@@ -664,7 +665,7 @@ END_EXTERN_C()
} \
RETURN_FALSE; \
} \
RETVAL_STRINGL((s), __len, (dup)); \
RETVAL_STRINGL((s), (int)__len, (dup)); \
} while (0)
......
......@@ -2735,9 +2735,9 @@ static void alloc_globals_ctor(zend_alloc_globals *alloc_globals TSRMLS_DC)
alloc_globals->mm_heap = malloc(sizeof(struct _zend_mm_heap));
memset(alloc_globals->mm_heap, 0, sizeof(struct _zend_mm_heap));
alloc_globals->mm_heap->use_zend_alloc = 0;
alloc_globals->mm_heap->_malloc = malloc;
alloc_globals->mm_heap->_malloc = __zend_malloc;
alloc_globals->mm_heap->_free = free;
alloc_globals->mm_heap->_realloc = realloc;
alloc_globals->mm_heap->_realloc = __zend_realloc;
} else {
alloc_globals->mm_heap = zend_mm_startup();
}
......
......@@ -5929,7 +5929,7 @@ void zend_do_add_array_element(znode *result, const znode *expr, const znode *of
}
/* }}} */
void zend_do_add_static_array_element(zval *result, zval *offset, const zval *expr) /* {{{ */
void zend_do_add_static_array_element(zval *result, zval *offset, zval *expr) /* {{{ */
{
if (offset) {
switch (Z_TYPE_P(offset)) {
......@@ -5940,6 +5940,9 @@ void zend_do_add_static_array_element(zval *result, zval *offset, const zval *ex
case IS_NULL:
zend_symtable_update(Z_ARRVAL_P(result), "", 1, &expr, sizeof(zval *), NULL);
break;
case IS_RESOURCE:
zend_error(E_STRICT, "Resource ID#%ld used as offset, casting to integer (%ld)", Z_LVAL_P(offset), Z_LVAL_P(offset));
/* break missing intentionally */
case IS_LONG:
case IS_BOOL:
zend_hash_index_update(Z_ARRVAL_P(result), Z_LVAL_P(offset), &expr, sizeof(zval *), NULL);
......@@ -5952,7 +5955,10 @@ void zend_do_add_static_array_element(zval *result, zval *offset, const zval *ex
break;
}
} else {
zend_hash_next_index_insert(Z_ARRVAL_P(result), &expr, sizeof(zval *), NULL);
if (zend_hash_next_index_insert(Z_ARRVAL_P(result), &expr, sizeof(zval *), NULL) == FAILURE) {
zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
zval_ptr_dtor(&expr);
}
}
}
/* }}} */
......
......@@ -598,7 +598,7 @@ void zend_do_shell_exec(znode *result, const znode *cmd TSRMLS_DC);
void zend_do_init_array(znode *result, const znode *expr, const znode *offset, zend_bool is_ref TSRMLS_DC);
void zend_do_add_array_element(znode *result, const znode *expr, const znode *offset, zend_bool is_ref TSRMLS_DC);
void zend_do_add_static_array_element(zval *result, zval *offset, const zval *expr);
void zend_do_add_static_array_element(zval *result, zval *offset, zval *expr);
void zend_do_list_init(TSRMLS_D);
void zend_do_list_end(znode *result, znode *expr TSRMLS_DC);
void zend_do_add_list_element(const znode *element TSRMLS_DC);
......
......@@ -229,13 +229,9 @@ ZEND_METHOD(exception, __construct)
/* {{{ proto Exception::__wakeup()
Exception unserialize checks */
#define CHECK_EXC_TYPE(name, type) \
value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \
value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \
if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \
zval *tmp; \
MAKE_STD_ZVAL(tmp); \
ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \
Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \
zval_ptr_dtor(&tmp); \
zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \
}
ZEND_METHOD(exception, __wakeup)
......@@ -248,7 +244,12 @@ ZEND_METHOD(exception, __wakeup)
CHECK_EXC_TYPE("file", IS_STRING);
CHECK_EXC_TYPE("line", IS_LONG);
CHECK_EXC_TYPE("trace", IS_ARRAY);
CHECK_EXC_TYPE("previous", IS_OBJECT);
value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT ||
!instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) ||
value == object)) {
zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC);
}
}
/* }}} */
......@@ -727,7 +728,11 @@ ZEND_METHOD(exception, __toString)
zval_dtor(&file);
zval_dtor(&line);
exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC);
Z_OBJPROP_P(exception)->nApplyCount++;
exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) {
exception = NULL;
}
if (trace) {
zval_ptr_dtor(&trace);
......@@ -736,6 +741,17 @@ ZEND_METHOD(exception, __toString)
}
zval_dtor(&fname);
/* Reset apply counts */
exception = getThis();
while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) {
if(Z_OBJPROP_P(exception)->nApplyCount) {
Z_OBJPROP_P(exception)->nApplyCount--;
} else {
break;
}
exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
}
/* We store the result in the private property string so we can access
* the result in uncaught exception handlers without memleaks. */
zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC);
......
......@@ -1896,7 +1896,7 @@ CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /*
#else /* Unix */
CWD_API FILE *virtual_popen(const char *command, const char *type TSRMLS_DC) /* {{{ */
{
int command_length;
size_t command_length;
int dir_length, extra = 0;
char *command_line;
char *ptr, *dir;
......
......@@ -3879,7 +3879,10 @@ ZEND_VM_C_LABEL(num_index):
}
FREE_OP2();
} else {
zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL);
if (zend_hash_next_index_insert(Z_ARRVAL(EX_T(opline->result.var).tmp_var), &expr_ptr, sizeof(zval *), NULL) == FAILURE) {
zend_error(E_WARNING, "Cannot add element to the array as the next element is already occupied");
zval_ptr_dtor(&expr_ptr);
}
}
if ((OP1_TYPE == IS_VAR || OP1_TYPE == IS_CV) && opline->extended_value) {
FREE_OP1_VAR_PTR();
......
This diff is collapsed.
......@@ -3672,7 +3672,7 @@ ac_config_headers="$ac_config_headers main/php_config.h"
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=26
PHP_RELEASE_VERSION=27
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
......@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=26
PHP_RELEASE_VERSION=27
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
......
......@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
int length, scale, persistent;
{
bc_num temp;
/* PHP Change: add length check */
if ((size_t)length+(size_t)scale > INT_MAX) {
zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
}
/* PHP Change: malloc() -> pemalloc(), removed free_list code */
temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
#if 0
......
......@@ -41,6 +41,5 @@
void bc_out_of_memory (void)
{
(void) fprintf (stderr, "bcmath: out of memory!\n");
exit (1);
zend_error(E_ERROR, "bcmath: out of memory!");
}
......@@ -137,7 +137,10 @@ ZEND_METHOD(CURLFile, setPostFilename)
Unserialization handler */
ZEND_METHOD(CURLFile, __wakeup)
{
zend_update_property_string(curl_CURLFile_class, getThis(), "name", sizeof("name")-1, "" TSRMLS_CC);
zval *_this = getThis();
zend_unset_property(curl_CURLFile_class, _this, "name", sizeof("name")-1 TSRMLS_CC);
zend_update_property_string(curl_CURLFile_class, _this, "name", sizeof("name")-1, "" TSRMLS_CC);
zend_throw_exception(NULL, "Unserialization of CURLFile instances is not allowed", 0 TSRMLS_CC);
}
/* }}} */
......
--TEST--
Bug #73147: Use After Free in PHP7 unserialize()
--SKIPIF--
<?php
if (!extension_loaded("curl")) {
exit("skip curl extension not loaded");
}
?>
--FILE--
<?php
$poc = 'a:1:{i:0;O:8:"CURLFile":1:{s:4:"name";R:1;}}';
try {
var_dump(unserialize($poc));
} catch(Exception $e) {
echo $e->getMessage();
}
?>
--EXPECT--
Unserialization of CURLFile instances is not allowed
......@@ -1792,7 +1792,7 @@ PHP_FUNCTION(dom_document_savexml)
if (options & LIBXML_SAVE_NOEMPTYTAG) {
xmlSaveNoEmptyTags = saveempty;
}
if (!size) {
if (!size || !mem) {
RETURN_FALSE;
}
RETVAL_STRINGL(mem, size, 1);
......@@ -2327,7 +2327,7 @@ PHP_FUNCTION(dom_document_save_html)
#else
htmlDocDumpMemory(docp, &mem, &size);
#endif
if (!size) {
if (!size || !mem) {
RETVAL_FALSE;
} else {
RETVAL_STRINGL((const char*) mem, size, 1);
......
......@@ -14,7 +14,7 @@
+----------------------------------------------------------------------+
| Authors: Rasmus Lerdorf <rasmus@php.net> |
| Jim Winstead <jimw@php.net> |
| Jaakko Hyvtti <jaakko@hyvatti.iki.fi> |
| Jaakko Hyvtti <jaakko@hyvatti.iki.fi> |
+----------------------------------------------------------------------+
*/
/* $Id$ */
......@@ -29,7 +29,7 @@
/* {{{ arginfo */
ZEND_BEGIN_ARG_INFO_EX(arginfo_ereg, 0, 0, 2)
ZEND_ARG_INFO(0, pattern)
ZEND_ARG_INFO(0, string)
ZEND_ARG_INFO(0, string)
ZEND_ARG_INFO(1, registers) /* ARRAY_INFO(1, registers, 1) */
ZEND_END_ARG_INFO()
......@@ -41,8 +41,8 @@ ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO_EX(arginfo_split, 0, 0, 2)
ZEND_ARG_INFO(0, pattern)
ZEND_ARG_INFO(0, string)
ZEND_ARG_INFO(0, limit)
ZEND_ARG_INFO(0, string)
ZEND_ARG_INFO(0, limit)
ZEND_END_ARG_INFO()
ZEND_BEGIN_ARG_INFO(arginfo_sql_regcase, 0)
......@@ -204,7 +204,7 @@ static int _php_regcomp(regex_t *preg, const char *pattern, int cflags TSRMLS_DC
}
/* }}} */
static void _free_ereg_cache(reg_cache *rc)
static void _free_ereg_cache(reg_cache *rc)
{
regfree(&rc->preg);
}
......@@ -309,7 +309,7 @@ static void php_ereg(INTERNAL_FUNCTION_PARAMETERS, int icase)
if (icase) {
copts |= REG_ICASE;
}
if (argc == 2) {
copts |= REG_NOSUB;
}
......@@ -337,7 +337,7 @@ static void php_ereg(INTERNAL_FUNCTION_PARAMETERS, int icase)
/* allocate storage for (sub-)expression-matches */
subs = (regmatch_t *)ecalloc(sizeof(regmatch_t),re.re_nsub+1);
/* actually execute the regular expression */
err = regexec(&re, string, re.re_nsub+1, subs, 0);
if (err && err != REG_NOMATCH) {
......@@ -409,8 +409,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
*nbuf, /* nbuf is used when we grow the buffer */
*walkbuf; /* used to walk buf when replacing backrefs */
const char *walk; /* used to walk replacement string for backrefs */
int buf_len;
int pos, tmp, string_len, new_l;
size_t buf_len, new_l;
int pos, tmp, string_len;
int err, copts = 0;
string_len = strlen(string);
......@@ -434,8 +434,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
/* start with a buffer that is twice the size of the stringo
we're doing replacements in */
buf = safe_emalloc(string_len, 2, 1);
buf_len = 2 * string_len + 1;
buf = safe_emalloc(buf_len, sizeof(char), 0);
err = pos = 0;
buf[0] = '\0';
......@@ -472,8 +472,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
}
}
if (new_l + 1 > buf_len) {
nbuf = safe_emalloc(new_l + 1, 2, buf_len);
buf_len = 1 + buf_len + 2 * new_l;
nbuf = emalloc(buf_len);
strncpy(nbuf, buf, buf_len - 1);
nbuf[buf_len - 1] = '\0';
efree(buf);
......@@ -491,7 +491,7 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
if (subs[walk[1] - '0'].rm_so > -1 && subs[walk[1] - '0'].rm_eo > -1
/* this next case shouldn't happen. it does. */
&& subs[walk[1] - '0'].rm_so <= subs[walk[1] - '0'].rm_eo) {
tmp = subs[walk[1] - '0'].rm_eo - subs[walk[1] - '0'].rm_so;
memcpy (walkbuf, &string[pos + subs[walk[1] - '0'].rm_so], tmp);
walkbuf += tmp;
......@@ -510,8 +510,8 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
}
new_l = strlen (buf) + 1;
if (new_l + 1 > buf_len) {
nbuf = safe_emalloc(new_l + 1, 2, buf_len);
buf_len = 1 + buf_len + 2 * new_l;
nbuf = safe_emalloc(buf_len, sizeof(char), 0);
strncpy(nbuf, buf, buf_len-1);
efree(buf);
buf = nbuf;
......@@ -526,7 +526,7 @@ PHP_EREG_API char *php_ereg_replace(const char *pattern, const char *replace, co
new_l = strlen(buf) + strlen(&string[pos]);
if (new_l + 1 > buf_len) {
buf_len = new_l + 1; /* now we know exactly how long it is */
nbuf = safe_emalloc(buf_len, sizeof(char), 0);
nbuf = safe_emalloc(new_l, 1, 1);
strncpy(nbuf, buf, buf_len-1);
efree(buf);
buf = nbuf;
......@@ -556,7 +556,7 @@ static void php_do_ereg_replace(INTERNAL_FUNCTION_PARAMETERS, int icase)
char *replace;
char *ret;
int arg_string_len;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ZZs", &arg_pattern, &arg_replace, &arg_string, &arg_string_len) == FAILURE) {
return;
}
......@@ -598,7 +598,7 @@ static void php_do_ereg_replace(INTERNAL_FUNCTION_PARAMETERS, int icase)
if (ret == (char *) -1) {
RETVAL_FALSE;
} else {
RETVAL_STRING(ret, 1);
RETVAL_STRINGL_CHECK(ret, strlen(ret), 1);
STR_FREE(ret);
}
......@@ -664,9 +664,9 @@ static void php_split(INTERNAL_FUNCTION_PARAMETERS, int icase)
} else if (subs[0].rm_so == 0 && subs[0].rm_eo == 0) {
/* No more matches */
regfree(&re);
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Regular Expression");
zend_hash_destroy(Z_ARRVAL_P(return_value));
efree(Z_ARRVAL_P(return_value));
RETURN_FALSE;
......@@ -675,7 +675,7 @@ static void php_split(INTERNAL_FUNCTION_PARAMETERS, int icase)
/* make a copy of the substring */
size = subs[0].rm_so;
/* add it to the array */
add_next_index_stringl(return_value, strp, size, 1);
......@@ -701,7 +701,7 @@ static void php_split(INTERNAL_FUNCTION_PARAMETERS, int icase)
/* otherwise we just have one last element to add to the array */
size = endp - strp;
add_next_index_stringl(return_value, strp, size, 1);
regfree(&re);
......@@ -738,9 +738,9 @@ PHP_EREG_API PHP_FUNCTION(sql_regcase)
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &string, &string_len) == FAILURE) {
return;
}
tmp = safe_emalloc(string_len, 4, 1);
for (i = j = 0; i < string_len; i++) {
c = (unsigned char) string[i];
if ( j >= INT_MAX - 1 || (isalpha(c) && j >= INT_MAX - 4)) {
......
......@@ -380,8 +380,14 @@ static void php_zval_filter(zval **value, long filter, long flags, zval *options
ce = Z_OBJCE_PP(value);
if (!ce->__tostring) {
ZVAL_FALSE(*value);
return;
zval_dtor(*value);
/* #67167: doesn't return null on failure for objects */
if (flags & FILTER_NULL_ON_FAILURE) {
ZVAL_NULL(*value);
} else {
ZVAL_FALSE(*value);
}
goto handle_default;
}
}
......@@ -390,6 +396,7 @@ static void php_zval_filter(zval **value, long filter, long flags, zval *options
filter_func.function(*value, flags, options, charset TSRMLS_CC);
handle_default:
if (
options && (Z_TYPE_P(options) == IS_ARRAY || Z_TYPE_P(options) == IS_OBJECT) &&
((flags & FILTER_NULL_ON_FAILURE && Z_TYPE_PP(value) == IS_NULL) ||
......
......@@ -704,8 +704,7 @@ void php_filter_validate_ip(PHP_INPUT_FILTER_PARAM_DECL) /* {{{ */
if (flags & FILTER_FLAG_NO_PRIV_RANGE) {
if (
(ip[0] == 10) ||
(ip[0] == 169 && ip[1] == 254) ||
(ip[0] == 172 && (ip[1] >= 16 && ip[1] <= 31)) ||
(ip[0] == 172 && ip[1] >= 16 && ip[1] <= 31) ||
(ip[0] == 192 && ip[1]