Commit d258b143 authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 5.6.24+dfsg

parent ff5df72b
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
21 Jul 2016, PHP 5.6.24
- Core:
. Fixed bug #71936 (Segmentation fault destroying HTTP_RAW_POST_DATA).
(mike dot laspina at gmail dot com, Remi)
. Fixed bug #72496 (Cannot declare public method with signature incompatible
with parent private method). (Pedro Magalhães)
. Fixed bug #72138 (Integer Overflow in Length of String-typed ZVAL). (Stas)
. Fixed bug #72513 (Stack-based buffer overflow vulnerability in
virtual_file_ex). (loianhtuan at gmail dot com)
. Fixed bug #72562 (Use After Free in unserialize() with Unexpected Session
Deserialization). (taoguangchen at icloud dot com)
. Fixed bug #72573 (HTTP_PROXY is improperly trusted by some PHP libraries and
applications). (CVE-2016-5385) (Stas)
- bz2:
. Fixed bug #72447 (Type Confusion in php_bz2_filter_create()). (gogil at
stealien dot com).
. Fixed bug #72613 (Inadequate error handling in bzread()). (Stas)
- EXIF:
. Fixed bug #50845 (exif_read_data() returns corrupted exif headers).
(Bartosz Dziewoński)
- EXIF:
. Fixed bug #72603 (Out of bound read in exif_process_IFD_in_MAKERNOTE).
(Stas)
. Fixed bug #72618 (NULL Pointer Dereference in exif_process_user_comment).
(Stas)
- GD:
. Fixed bug #43475 (Thick styled lines have scrambled patterns). (cmb)
. Fixed bug #53640 (XBM images require width to be multiple of 8). (cmb)
. Fixed bug #64641 (imagefilledpolygon doesn't draw horizontal line). (cmb)
. Fixed bug #72512 (gdImageTrueColorToPaletteBody allows arbitrary write/read
access). (Pierre)
. Fixed bug #72519 (imagegif/output out-of-bounds access). (Pierre)
. Fixed bug #72558 (Integer overflow error within _gdContributionsAlloc()).
(CVE-2016-6207) (Pierre)
- Intl:
. Fixed bug #72533 (locale_accept_from_http out-of-bounds access). (Stas)
- ODBC:
. Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined columns)
- OpenSSL:
. Fixed bug #71915 (openssl_random_pseudo_bytes is not fork-safe).
(Jakub Zelenka)
. Fixed bug #72336 (openssl_pkey_new does not fail for invalid DSA params).
(Jakub Zelenka)
- SNMP:
. Fixed bug #72479 (Use After Free Vulnerability in SNMP with GC and
unserialize()). (taoguangchen at icloud dot com)
- SPL:
. Fixed bug #55701 (GlobIterator throws LogicException). (Valentin VĂLCIU)
- SQLite3:
. Fixed bug #70628 (Clearing bindings on an SQLite3 statement doesn't work).
(cmb)
- Streams:
. Fixed bug #72439 (Stream socket with remote address leads to a segmentation
fault). (Laruence)
- Xmlrpc:
. Fixed bug #72606 (heap-buffer-overflow (write) simplestring_addn simplestring.c).
(Stas)
- Zip:
. Fixed bug #72520 (Stack-based buffer overflow vulnerability in
php_stream_zip_opener). (loianhtuan at gmail dot com)
23 Jun 2016, PHP 5.6.23
- Core:
. Fixed bug #72268 (Integer Overflow in nl2br()). (Stas)
. Fixed bug #72275 (Integer Overflow in json_encode()/json_decode()/
json_utf8_to_utf16()). (Stas)
. Fixed bug #72400 (Integer Overflow in addcslashes/addslashes). (Stas)
. Fixed bug #72403 (Integer Overflow in Length of String-typed ZVAL). (Stas)
- Date:
. Fixed bug #63740 (strtotime seems to use both sunday and monday as start of
week). (Derick)
- GD:
. Fixed bug #66387 (Stack overflow with imagefilltoborder). (CVE-2015-8874)
(cmb)
. Fixed bug #72298 (pass2_no_dither out-of-bounds access). (Stas)
. Fixed bug #72337 (invalid dimensions can lead to crash) (Pierre)
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (Pierre)
. Fixed bug #72337 (invalid dimensions can lead to crash). (Pierre)
. Fixed bug #72339 (Integer Overflow in _gd2GetHeader() resulting in
heap overflow). (CVE-2016-5766) (Pierre)
. Fixed bug #72407 (NULL Pointer Dereference at _gdScaleVert). (Stas)
. Fixed bug #72446 (Integer Overflow in gdImagePaletteToTrueColor() resulting
in heap overflow). (Pierre)
in heap overflow). (CVE-2016-5767) (Pierre)
- Intl:
. Fixed bug #70484 (selectordinal doesn't work with named parameters).
(Anatol)
- mbstring:
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free). (Stas)
. Fixed bug #72402 (_php_mb_regex_ereg_replace_exec - double free).
(CVE-2016-5768) (Stas)
- mcrypt:
. Fixed bug #72455 (Heap Overflow due to integer overflows). (Stas)
. Fixed bug #72455 (Heap Overflow due to integer overflows). (CVE-2016-5769)
(Stas)
- OpenSSL:
. Fixed bug #72140 (segfault after calling ERR_free_strings()).
(Jakub Zelenka)
- Phar:
. Fixed bug #72321 (invalid free in phar_extract_file()).
(hji at dyntopia dot com)
- SPL:
. Fixed bug #72262 (int/size_t confusion in SplFileObject::fread). (Stas)
. Fixed bug #72262 (int/size_t confusion in SplFileObject::fread).
(CVE-2016-5770) (Stas)
. Fixed bug #72433 (Use After Free Vulnerability in PHP's GC algorithm and
unserialize). (Dmitry)
- OpenSSL:
. Fixed bug #72140 (segfault after calling ERR_free_strings()).
(Jakub Zelenka)
unserialize). (CVE-2016-5771) (Dmitry)
- WDDX:
. Fixed bug #72340 (Double Free Courruption in wddx_deserialize). (Stas)
. Fixed bug #72340 (Double Free Courruption in wddx_deserialize).
(CVE-2016-5772) (Stas)
- zip:
. Fixed bug #72434 (ZipArchive class Use After Free Vulnerability in PHP's GC
algorithm and unserialize). (Dmitry)
algorithm and unserialize). (CVE-2016-5773) (Dmitry)
26 May 2016, PHP 5.6.22
......@@ -53,22 +138,24 @@ PHP NEWS
. Fixed bug #72172 (zend_hex_strtod should not use strlen).
(bwitz at hotmail dot com )
. Fixed bug #72114 (Integer underflow / arbitrary null write in
fread/gzread). (Stas)
. Fixed bug #72135 (Integer Overflow in php_html_entities). (Stas)
fread/gzread). (CVE-2016-5096) (Stas)
. Fixed bug #72135 (Integer Overflow in php_html_entities). (CVE-2016-5094)
(Stas)
- GD:
. Fixed bug #72227 (imagescale out-of-bounds read). (Stas)
. Fixed bug #72227 (imagescale out-of-bounds read). (CVE-2013-7456) (Stas)
- Intl
. Fixed bug #64524 (Add intl.use_exceptions to php.ini-*). (Anatol)
. Fixed bug #72241 (get_icu_value_internal out-of-bounds read). (Stas)
. Fixed bug #72241 (get_icu_value_internal out-of-bounds read).
(CVE-2016-5093) (Stas)
- Postgres:
. Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)
. Fixed bug #72151 (mysqli_fetch_object changed behaviour). (Anatol)
28 Apr 2016, PHP 5.6.21
- Core:
- Core:
. Fixed bug #69537 (__debugInfo with empty string for key gives error).
(krakjoe)
. Fixed bug #71841 (EG(error_zval) is not handled well). (Laruence)
......@@ -82,8 +169,6 @@ PHP NEWS
(Michael Sierks)
- Date:
. Fixed bug #63740 (strtotime seems to use both sunday and monday as start of
week). (Derick)
. Fixed bug #71889 (DateInterval::format Segmentation fault). (Thomas Punt)
- EXIF:
......
--TEST--
Bug #72496 (declare public method with signature incompatible with parent private method should not throw a warning)
--FILE--
<?php
class Foo
{
private function getFoo()
{
return 'Foo';
}
private function getBar()
{
return 'Bar';
}
private function getBaz()
{
return 'Baz';
}
}
class Bar extends Foo
{
public function getFoo($extraArgument)
{
return $extraArgument;
}
protected function getBar($extraArgument)
{
return $extraArgument;
}
private function getBaz($extraArgument)
{
return $extraArgument;
}
}
echo "OK\n";
--EXPECT--
OK
......@@ -3252,8 +3252,8 @@ static zend_bool zend_do_perform_implementation_check(const zend_function *fe, c
return 1;
}
/* If both methods are private do not enforce a signature */
if ((fe->common.fn_flags & ZEND_ACC_PRIVATE) && (proto->common.fn_flags & ZEND_ACC_PRIVATE)) {
/* If the prototype method is private do not enforce a signature */
if (proto->common.fn_flags & ZEND_ACC_PRIVATE) {
return 1;
}
......
......@@ -651,14 +651,14 @@ CWD_API void realpath_cache_del(const char *path, int path_len TSRMLS_DC) /* {{{
memcmp(path, (*bucket)->path, path_len) == 0) {
realpath_cache_bucket *r = *bucket;
*bucket = (*bucket)->next;
/* if the pointers match then only subtract the length of the path */
if(r->path == r->realpath) {
CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1;
} else {
CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1 + r->realpath_len + 1;
}
free(r);
return;
} else {
......@@ -734,7 +734,7 @@ static inline realpath_cache_bucket* realpath_cache_find(const char *path, int p
realpath_cache_bucket *r = *bucket;
*bucket = (*bucket)->next;
/* if the pointers match then only subtract the length of the path */
/* if the pointers match then only subtract the length of the path */
if(r->path == r->realpath) {
CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1;
} else {
......@@ -1190,7 +1190,7 @@ CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func
int add_slash;
void *tmp;
if (path_length == 0 || path_length >= MAXPATHLEN-1) {
if (path_length <= 0 || path_length >= MAXPATHLEN-1) {
#ifdef TSRM_WIN32
# if _MSC_VER < 1300
errno = EINVAL;
......
......@@ -3672,7 +3672,7 @@ ac_config_headers="$ac_config_headers main/php_config.h"
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=23
PHP_RELEASE_VERSION=24
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
......@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=23
PHP_RELEASE_VERSION=24
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
......
......@@ -15,7 +15,7 @@
| Author: Sterling Hughes <sterling@php.net> |
+----------------------------------------------------------------------+
*/
/* $Id$ */
#ifdef HAVE_CONFIG_H
......@@ -138,29 +138,33 @@ struct php_bz2_stream_data_t {
static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
{
struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *) stream->abstract;
size_t ret;
ret = BZ2_bzread(self->bz_file, buf, count);
int bz2_ret;
bz2_ret = BZ2_bzread(self->bz_file, buf, count);
if (ret == 0) {
if (bz2_ret < 0) {
stream->eof = 1;
return -1;
}
if (bz2_ret == 0) {
stream->eof = 1;
}
return ret;
return (size_t)bz2_ret;
}
static size_t php_bz2iop_write(php_stream *stream, const char *buf, size_t count TSRMLS_DC)
{
struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *) stream->abstract;
return BZ2_bzwrite(self->bz_file, (char*)buf, count);
return BZ2_bzwrite(self->bz_file, (char*)buf, count);
}
static int php_bz2iop_close(php_stream *stream, int close_handle TSRMLS_DC)
{
struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *)stream->abstract;
int ret = EOF;
if (close_handle) {
BZ2_bzclose(self->bz_file);
}
......@@ -196,7 +200,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open_from_BZFILE(BZFILE *bz,
const char *mode, php_stream *innerstream STREAMS_DC TSRMLS_DC)
{
struct php_bz2_stream_data_t *self;
self = emalloc(sizeof(*self));
self->stream = innerstream;
......@@ -227,7 +231,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper,
virtual_filepath_ex(path, &path_copy, NULL TSRMLS_CC);
#else
path_copy = path;
#endif
#endif
if (php_check_open_basedir(path_copy TSRMLS_CC)) {
#ifdef VIRTUAL_DIR
......@@ -235,7 +239,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper,
#endif
return NULL;
}
/* try and open it directly first */
bz_file = BZ2_bzopen(path_copy, mode);
......@@ -246,11 +250,11 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper,
efree(path_copy);
#endif
path_copy = NULL;
if (bz_file == NULL) {
/* that didn't work, so try and get something from the network/wrapper */
stream = php_stream_open_wrapper(path, mode, options | STREAM_WILL_CAST, opened_path);
if (stream) {
php_socket_t fd;
if (SUCCESS == php_stream_cast(stream, PHP_STREAM_AS_FD, (void **) &fd, REPORT_ERRORS)) {
......@@ -265,7 +269,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper,
VCWD_UNLINK(*opened_path);
}
}
if (bz_file) {
retstream = _php_stream_bz2open_from_BZFILE(bz_file, mode, stream STREAMS_REL_CC TSRMLS_CC);
if (retstream) {
......@@ -341,7 +345,7 @@ static PHP_FUNCTION(bzread)
if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|l", &bz, &len)) {
RETURN_FALSE;
}
php_stream_from_zval(stream, &bz);
if ((len + 1) < 1) {
......@@ -351,13 +355,13 @@ static PHP_FUNCTION(bzread)
Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);
if (Z_STRLEN_P(return_value) < 0) {
efree(Z_STRVAL_P(return_value));
php_error_docref(NULL TSRMLS_CC, E_WARNING, "could not read valid bz2 data from stream");
RETURN_FALSE;
RETURN_FALSE;
}
Z_STRVAL_P(return_value)[Z_STRLEN_P(return_value)] = 0;
Z_TYPE_P(return_value) = IS_STRING;
}
......@@ -373,7 +377,7 @@ static PHP_FUNCTION(bzopen)
BZFILE *bz; /* The compressed file stream */
php_stream *stream = NULL;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zs", &file, &mode, &mode_len) == FAILURE) {
return;
}
......@@ -389,15 +393,15 @@ static PHP_FUNCTION(bzopen)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "filename cannot be empty");
RETURN_FALSE;
}
if (CHECK_ZVAL_NULL_PATH(*file)) {
RETURN_FALSE;
}
stream = php_stream_bz2open(NULL,
Z_STRVAL_PP(file),
mode,
REPORT_ERRORS,
Z_STRVAL_PP(file),
mode,
REPORT_ERRORS,
NULL);
} else if (Z_TYPE_PP(file) == IS_RESOURCE) {
/* If it is a resource, than its a stream resource */
......@@ -406,7 +410,7 @@ static PHP_FUNCTION(bzopen)
php_stream_from_zval(stream, file);
stream_mode_len = strlen(stream->mode);
if (stream_mode_len != 1 && !(stream_mode_len == 2 && memchr(stream->mode, 'b', 2))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot use stream opened in mode '%s'", stream->mode);
RETURN_FALSE;
......@@ -440,7 +444,7 @@ static PHP_FUNCTION(bzopen)
if (FAILURE == php_stream_cast(stream, PHP_STREAM_AS_FD, (void *) &fd, REPORT_ERRORS)) {
RETURN_FALSE;
}
bz = BZ2_bzdopen(fd, mode);
stream = php_stream_bz2open_from_BZFILE(bz, mode, stream);
......@@ -494,7 +498,7 @@ static PHP_FUNCTION(bzcompress)
work_factor = 0, /* Work factor for compression algorithm */
argc; /* Argument count */
int source_len; /* Length of the source data */
unsigned int dest_len; /* Length of the destination buffer */
unsigned int dest_len; /* Length of the destination buffer */
argc = ZEND_NUM_ARGS();
......@@ -503,19 +507,19 @@ static PHP_FUNCTION(bzcompress)
}
/* Assign them to easy to use variables, dest_len is initially the length of the data
+ .01 x length of data + 600 which is the largest size the results of the compression
could possibly be, at least that's what the libbz2 docs say (thanks to jeremy@nirvani.net
+ .01 x length of data + 600 which is the largest size the results of the compression
could possibly be, at least that's what the libbz2 docs say (thanks to jeremy@nirvani.net
for pointing this out). */
dest_len = (unsigned int) (source_len + (0.01 * source_len) + 600);
/* Allocate the destination buffer */
dest = emalloc(dest_len + 1);
/* Handle the optional arguments */
if (argc > 1) {
block_size = zblock_size;
}
if (argc > 2) {
work_factor = zwork_factor;
}
......@@ -565,7 +569,7 @@ static PHP_FUNCTION(bzdecompress)
/* in most cases bz2 offers at least 2:1 compression, so we use that as our base */
bzs.avail_out = source_len * 2;
bzs.next_out = dest = emalloc(bzs.avail_out + 1);
while ((error = BZ2_bzDecompress(&bzs)) == BZ_OK && bzs.avail_in > 0) {
/* compression is better then 2:1, need to allocate more memory */
bzs.avail_out = source_len;
......@@ -591,13 +595,13 @@ static PHP_FUNCTION(bzdecompress)
/* {{{ php_bz2_error()
The central error handling interface, does the work for bzerrno, bzerrstr and bzerror */
static void php_bz2_error(INTERNAL_FUNCTION_PARAMETERS, int opt)
{
{
zval *bzp; /* BZip2 Resource Pointer */
php_stream *stream;
const char *errstr; /* Error string */
int errnum; /* Error number */
struct php_bz2_stream_data_t *self;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r", &bzp) == FAILURE) {
return;
}
......@@ -609,10 +613,10 @@ static void php_bz2_error(INTERNAL_FUNCTION_PARAMETERS, int opt)
}
self = (struct php_bz2_stream_data_t *) stream->abstract;
/* Fetch the error information */
errstr = BZ2_bzerror(self->bz_file, &errnum);
/* Determine what to return */
switch (opt) {
case PHP_BZ_ERRNO:
......@@ -623,7 +627,7 @@ static void php_bz2_error(INTERNAL_FUNCTION_PARAMETERS, int opt)
break;
case PHP_BZ_ERRBOTH:
array_init(return_value);
add_assoc_long (return_value, "errno", errnum);
add_assoc_string(return_value, "errstr", (char*)errstr, 1);
break;
......
......@@ -396,7 +396,7 @@ static php_stream_filter *php_bz2_filter_create(const char *filtername, zval *fi
zval_copy_ctor(&tmp);
convert_to_long(&tmp);
if (Z_LVAL(tmp) < 1 || Z_LVAL(tmp) > 9) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL_PP(tmpzval));
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid parameter given for number of blocks to allocate. (%ld)", Z_LVAL(tmp));
} else {
blockSize100k = Z_LVAL(tmp);
}
......
--TEST--
Bug #72447: Type Confusion in php_bz2_filter_create()
--SKIPIF--
<?php if (!extension_loaded("bz2")) print "skip"; ?>
--FILE--
<?php
$input = "AAAAAAAA";
$param = array('blocks' => $input);
$fp = fopen('testfile', 'w');
stream_filter_append($fp, 'bzip2.compress', STREAM_FILTER_WRITE, $param);
fclose($fp);
?>
--EXPECTF--
Warning: stream_filter_append(): Invalid parameter given for number of blocks to allocate. (0) in %s%ebug72447.php on line %d
--TEST--
Bug #72613 (Inadequate error handling in bzread())
--SKIPIF--
<?php if (!extension_loaded("bz2")) print "skip"; ?>
--FILE--
<?php
$fp = bzopen(__DIR__.'/72613.bz2', 'r');
if ($fp === FALSE) {
exit("ERROR: bzopen()");
}
$data = "";
while (!feof($fp)) {
$res = bzread($fp);
if ($res === FALSE) {
exit("ERROR: bzread()");
}
$data .= $res;
}
bzclose($fp);
?>
DONE
--EXPECT--
DONE
\ No newline at end of file
This diff is collapsed.
This source diff could not be displayed because it is too large. You can view the blob instead.
......@@ -2059,6 +2059,7 @@ static void date_register_classes(TSRMLS_D)
date_object_handlers_immutable.clone_obj = date_object_clone_date;
date_object_handlers_immutable.compare_objects = date_object_compare_date;
date_object_handlers_immutable.get_properties = date_object_get_properties;
date_object_handlers_immutable.get_gc = date_object_get_gc;
zend_class_implements(date_ce_immutable TSRMLS_CC, 1, date_ce_interface);
INIT_CLASS_ENTRY(ce_timezone, "DateTimeZone", date_funcs_timezone);
......@@ -2225,7 +2226,7 @@ static HashTable *date_object_get_properties(zval *object TSRMLS_DC)
props = zend_std_get_properties(object TSRMLS_CC);
if (!dateobj->time || GC_G(gc_active)) {
if (!dateobj->time) {
return props;
}
......@@ -4941,7 +4942,7 @@ static HashTable *date_object_get_properties_period(zval *object TSRMLS_DC)
props = zend_std_get_properties(object TSRMLS_CC);
if (!period_obj->start || GC_G(gc_active)) {
if (!period_obj->start) {
return props;
}
......
......@@ -49,9 +49,9 @@ print "TZ=Asia/Baku - wrong day.\n";
date_default_timezone_set("Asia/Baku");
$tStamp = mktime (17, 17, 17, 1, 8299, 1970);
print "tStamp=". date("l Y-m-d H:i:s T I", $tStamp). "\n";
$strtotime_tstamp = strtotime("next Sunday", $tStamp);
$strtotime_tstamp = strtotime("second Monday", $tStamp);
print "result=".date("l Y-m-d H:i:s T I", $strtotime_tstamp)."\n";
print "wanted=Sunday 00:00:00\n\n";
print "wanted=Monday 00:00:00\n\n";
print "TZ=America/Noronha - wrong day.\n";
date_default_timezone_set("America/Noronha");
......@@ -227,8 +227,8 @@ wanted=Thursday 00:00:00
TZ=Asia/Baku - wrong day.
tStamp=Sunday 1992-09-20 17:17:17 AZST 1
result=Sunday 1992-09-27 00:00:00 AZT 0
wanted=Sunday 00:00:00
result=Monday 1992-09-28 00:00:00 AZT 0
wanted=Monday 00:00:00
TZ=America/Noronha - wrong day.
tStamp=Friday 1999-10-01 17:17:17 FNT 0
......
......@@ -2613,6 +2613,7 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
*pszEncoding = NULL;
/* Copy the comment */
if (ByteCount>=8) {
const zend_encoding *from, *to;
if (!memcmp(szValuePtr, "UNICODE\0", 8)) {
*pszEncoding = estrdup((const char*)szValuePtr);
szValuePtr = szValuePtr+8;
......@@ -2633,14 +2634,16 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
} else {
decode = ImageInfo->decode_unicode_le;
}
to = zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC);
from = zend_multibyte_fetch_encoding(decode TSRMLS_CC);
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
zend_multibyte_fetch_encoding(decode TSRMLS_CC)
to,
from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
......@@ -2655,13 +2658,15 @@ static int exif_process_user_comment(image_info_type *ImageInfo, char **pszInfoP
szValuePtr = szValuePtr+8;
ByteCount -= 8;
/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */
if (zend_multibyte_encoding_converter(
to = zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC);
from = zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC);
if (!to || !from || zend_multibyte_encoding_converter(
(unsigned char**)pszInfoPtr,
&len,
(unsigned char*)szValuePtr,
ByteCount,
zend_multibyte_fetch_encoding(ImageInfo->encode_jis TSRMLS_CC),
zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_jis_be : ImageInfo->decode_jis_le TSRMLS_CC)
to,
from
TSRMLS_CC) == (size_t)-1) {
len = exif_process_string_raw(pszInfoPtr, szValuePtr, ByteCount);
}
......@@ -2732,6 +2737,12 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
break;
}
if (maker_note->offset >= value_len) {
/* Do not go past the value end */
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X offset 0x%04X", value_len, maker_note->offset);
return FALSE;
}
dir_start = value_ptr + maker_note->offset;
#ifdef EXIF_DEBUG
......@@ -2760,10 +2771,19 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
offset_base = value_ptr;
break;
case MN_OFFSET_GUESS:
if (maker_note->offset + 10 + 4 >= value_len) {
/* Can not read dir_start+10 since it's beyond value end */
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data too short: 0x%04X", value_len);
return FALSE;
}
offset_diff = 2 + NumDirEntries*12 + 4 - php_ifd_get32u(dir_start+10, ImageInfo->motorola_intel);
#ifdef EXIF_DEBUG
exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_NOTICE, "Using automatic offset correction: 0x%04X", ((int)dir_start-(int)offset_base+maker_note->offset+displacement) + offset_diff);
#endif
if (offset_diff < 0 || offset_diff >= value_len ) {
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "IFD data bad offset: 0x%04X length 0x%04X", offset_diff, value_len);
return FALSE;
}
offset_base = value_ptr + offset_diff;
break;
default:
......@@ -2772,7 +2792,7 @@ static int exif_process_IFD_in_MAKERNOTE(image_info_type *ImageInfo, char * valu
}
if ((2+NumDirEntries*12) > value_len) {
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + x%04X*12 = x%04X > x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size: 2 + 0x%04X*12 = 0x%04X > 0x%04X", NumDirEntries, 2+NumDirEntries*12, value_len);
return FALSE;
}
......@@ -2878,11 +2898,11 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
}
fpos = php_stream_tell(ImageInfo->infile);
php_stream_seek(ImageInfo->infile, offset_val, SEEK_SET);