Commit e397fbee authored by Ondrej Sury's avatar Ondrej Sury

Imported Upstream version 5.6.28+dfsg

parent a876e83f
PHP NEWS
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
10 Nov 2016, PHP 5.6.28
- Core:
. Fixed bug #73337 (try/catch not working with two exceptions inside a same
operation). (Dmitry)
- Bz2:
. Fixed bug #73356 (crash in bzcompress function). (Stas)
-GD:
. Fixed bug #73213 (Integer overflow in imageline() with antialiasing). (cmb)
. Fixed bug #73272 (imagescale() is not affected by, but affects
imagesetinterpolation()). (cmb)
. Fixed bug #73279 (Integer overflow in gdImageScaleBilinearPalette()). (cmb)
. Fixed bug #73280 (Stack Buffer Overflow in GD dynamicGetbuf). (cmb)
. Fixed bug #72482 (Illegal write/read access caused by gdImageAALine overflow).
(cmb)
. Fixed bug #72696 (imagefilltoborder stackoverflow on truecolor images). (cmb)
- Imap:
. Fixed bug #73418 (Integer Overflow in "_php_imap_mail" leads Heap Overflow).
(Anatol)
- SPL:
. Fixed bug #73144 (Use-after-free in ArrayObject Deserialization). (Stas)
- SOAP:
. Fixed bug #73037 (SoapServer reports Bad Request when gzipped). (Anatol)
- SQLite3:
. Fixed bug #73333 (2147483647 is fetched as string). (cmb)
- Standard:
. Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
. Fixed bug #73188 (use after free in userspace streams). (Sara)
- Wddx:
. Fixed bug #73331 (NULL Pointer Dereference in WDDX Packet Deserialization
with PDORow). (Stas)
13 Oct 2016, PHP 5.6.27
- Core:
......@@ -250,6 +290,8 @@ PHP NEWS
. Fixed bug #72697 (select_colors write out-of-bounds). (Stas)
. Fixed bug #72709 (imagesetstyle() causes OOB read for empty $styles). (cmb)
. Fixed bug #72730 (imagegammacorrect allows arbitrary write access). (Stas)
. Fixed bug #72494 (imagecropauto out-of-bounds access). (Fernando, Pierre,
cmb)
- Intl:
. Partially fixed #72506 (idn_to_ascii for UTS #46 incorrect for long domain
......
--TEST--
Bug #73337 (try/catch not working with two exceptions inside a same operation)
--FILE--
<?php
class d { function __destruct() { throw new Exception; } }
try { new d + new d; } catch (Exception $e) { print "Exception properly caught\n"; }
?>
--EXPECTF--
Notice: Object of class d could not be converted to int in %sbug73337.php on line 3
Notice: Object of class d could not be converted to int in %sbug73337.php on line 3
Exception properly caught
......@@ -667,6 +667,7 @@ END_EXTERN_C()
} \
RETVAL_STRINGL((s), (int)__len, (dup)); \
} while (0)
#define RETURN_STRINGL_CHECK(s, len, dup) { RETVAL_STRINGL_CHECK(s, len, dup); return; }
#define SET_VAR_STRING(n, v) { \
......
......@@ -909,11 +909,10 @@ static void zend_error_va(int type, const char *file, uint lineno, const char *f
ZEND_API void zend_exception_error(zval *exception, int severity TSRMLS_DC) /* {{{ */
{
zend_class_entry *ce_exception = Z_OBJCE_P(exception);
EG(exception) = NULL;
if (instanceof_function(ce_exception, default_exception_ce TSRMLS_CC)) {
zval *str, *file, *line;
EG(exception) = NULL;
zend_call_method_with_0_params(&exception, ce_exception, NULL, "__tostring", &str);
if (!EG(exception)) {
if (Z_TYPE_P(str) != IS_STRING) {
......@@ -952,6 +951,7 @@ ZEND_API void zend_exception_error(zval *exception, int severity TSRMLS_DC) /* {
} else {
zend_error(severity, "Uncaught exception '%s'", ce_exception->name);
}
zval_ptr_dtor(&exception);
}
/* }}} */
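Review bot: The `zval_ptr_dtor(&exception);` at the end of zend_exception_error() makes this ZEND_API function release a reference to its argument, and nothing in the visible lines documents that contract. If that line is the addition in the second hunk (the rendering does not mark sides), any caller that still releases or reads the exception after the call would drop the reference twice or touch freed memory. I would add a header comment such as `/* Consumes one reference to exception; callers must not use or release it afterwards. */` and check the call sites against it. The body between the two hunks is not shown here.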
......
......@@ -826,7 +826,10 @@ int zend_call_function(zend_fcall_info *fci, zend_fcall_info_cache *fci_cache TS
if (EG(active_op_array)->fn_flags & ZEND_ACC_GENERATOR) {
*fci->retval_ptr_ptr = zend_generator_create_zval(EG(active_op_array) TSRMLS_CC);
} else {
const zend_op *current_opline_before_exception = EG(opline_before_exception);
zend_execute(EG(active_op_array) TSRMLS_CC);
EG(opline_before_exception) = current_opline_before_exception;
}
if (!fci->symbol_table && EG(active_symbol_table)) {
......
......@@ -3672,7 +3672,7 @@ ac_config_headers="$ac_config_headers main/php_config.h"
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=27
PHP_RELEASE_VERSION=28
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr $PHP_MAJOR_VERSION \* 10000 + $PHP_MINOR_VERSION \* 100 + $PHP_RELEASE_VERSION`
......@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
PHP_MAJOR_VERSION=5
PHP_MINOR_VERSION=6
PHP_RELEASE_VERSION=27
PHP_RELEASE_VERSION=28
PHP_EXTRA_VERSION=""
PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
......
......@@ -513,7 +513,7 @@ static PHP_FUNCTION(bzcompress)
dest_len = (unsigned int) (source_len + (0.01 * source_len) + 600);
/* Allocate the destination buffer */
dest = emalloc(dest_len + 1);
dest = safe_emalloc(dest_len, 1, 1);
/* Handle the optional arguments */
if (argc > 1) {
......@@ -533,7 +533,7 @@ static PHP_FUNCTION(bzcompress)
so we erealloc() the buffer to the proper size */
dest = erealloc(dest, dest_len + 1);
dest[dest_len] = 0;
RETURN_STRINGL(dest, dest_len, 0);
RETURN_STRINGL_CHECK(dest, dest_len, 0);
}
}
/* }}} */
......
/* Generated by re2c 0.15.3 on Sun Jul 24 14:49:45 2016 */
/* Generated by re2c 0.15.3 on Fri Sep 30 20:18:29 2016 */
/*
* The MIT License (MIT)
*
......@@ -395,8 +395,12 @@ static timelib_sll timelib_meridian(char **ptr, timelib_sll h)
}
++*ptr;
if (**ptr == '.') {
*ptr += 3;
} else {
++*ptr;
}
if (**ptr == 'M' || **ptr == 'm') {
++*ptr;
}
if (**ptr == '.') {
++*ptr;
}
return retval;
......
......@@ -394,8 +394,12 @@ static timelib_sll timelib_meridian(char **ptr, timelib_sll h)
}
++*ptr;
if (**ptr == '.') {
*ptr += 3;
} else {
++*ptr;
}
if (**ptr == 'M' || **ptr == 'm') {
++*ptr;
}
if (**ptr == '.') {
++*ptr;
}
return retval;
......
......@@ -75,8 +75,8 @@ result = Monday 1983-04-18 01:00:00 CEST
wanted = Monday 00:00:00
Asia/Yerevan
ts = Monday 2037-10-19 17:17:17 AMT
result = Monday 2037-10-26 00:00:00 AMT
ts = Monday 2037-10-19 17:17:17 +04
result = Monday 2037-10-26 00:00:00 +04
wanted = Monday 00:00:00
America/Curacao
......@@ -115,8 +115,8 @@ result = Monday 1971-04-05 00:00:00 AST
wanted = Monday 00:00:00
Asia/Baku
ts = Friday 1971-01-01 17:17:17 BAKT
result = Monday 1971-01-04 00:00:00 BAKT
ts = Friday 1971-01-01 17:17:17 +04
result = Monday 1971-01-04 00:00:00 +04
wanted = Monday 00:00:00
Europe/Sarajevo
......@@ -165,6 +165,6 @@ result = Monday 1980-04-07 00:00:00 CEST
wanted = Monday 00:00:00
Asia/Baku
ts = Monday 1995-12-25 17:17:17 AZT
result = Monday 1996-01-01 00:00:00 AZT
ts = Monday 1995-12-25 17:17:17 +04
result = Monday 1996-01-01 00:00:00 +04
wanted = Monday 00:00:00
......@@ -226,8 +226,8 @@ result=Thursday 1980-04-10 00:00:00 CEST 1
wanted=Thursday 00:00:00
TZ=Asia/Baku - wrong day.
tStamp=Sunday 1992-09-20 17:17:17 AZST 1
result=Monday 1992-09-28 00:00:00 AZT 0
tStamp=Sunday 1992-09-20 17:17:17 +04 1
result=Monday 1992-09-28 00:00:00 +04 0
wanted=Monday 00:00:00
TZ=America/Noronha - wrong day.
......
......@@ -28,6 +28,6 @@ result=Monday 1990-10-22 00:00:00 WART 0
wanted=Monday 00:00:00
TZ=Asia/Tbilisi - Is it OK for this to be 2 AM?
tStamp=Sunday 2005-03-20 17:17:17 GET 0
result=Sunday 2005-03-27 00:00:00 GET 0
tStamp=Sunday 2005-03-20 17:17:17 +03 0
result=Sunday 2005-03-27 00:00:00 +03 0
wanted=Sunday 00:00:00
......@@ -5175,7 +5175,7 @@ PHP_FUNCTION(imagescale)
gdImagePtr im_scaled = NULL;
int new_width, new_height;
long tmp_w, tmp_h=-1, tmp_m = GD_BILINEAR_FIXED;
gdInterpolationMethod method;
gdInterpolationMethod method, old_method;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rl|ll", &IM, &tmp_w, &tmp_h, &tmp_m) == FAILURE) {
return;
......@@ -5202,9 +5202,12 @@ PHP_FUNCTION(imagescale)
new_width = tmp_w;
new_height = tmp_h;
/* gdImageGetInterpolationMethod() is only available as of GD 2.1.1 */
old_method = im->interpolation_id;
if (gdImageSetInterpolationMethod(im, method)) {
im_scaled = gdImageScale(im, new_width, new_height);
}
gdImageSetInterpolationMethod(im, old_method);
if (im_scaled == NULL) {
RETURN_FALSE;
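Review bot: `new_width = tmp_w;` and `new_height = tmp_h;` narrow `long` to `int`, and no upper-bound check is visible in these hunks, so on LP64 builds a requested size above INT_MAX would be truncated before it reaches gdImageScale(). If the elided lines between the two hunks only reject non-positive values, add `if (tmp_w > INT_MAX || tmp_h > INT_MAX) { RETURN_FALSE; }` ahead of the assignments. The return value of the restoring `gdImageSetInterpolationMethod(im, old_method);` is also ignored, which is only safe while `im->interpolation_id` always holds a value that call accepts. The function starts and ends outside the visible lines.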
......
......@@ -1117,7 +1117,7 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
}
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im))) {
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
......@@ -1298,58 +1298,13 @@ inline static void gdImageSetAAPixelColor(gdImagePtr im, int x, int y, int color
void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
{
/* keep them as 32bits */
long x, y, inc;
long x, y, inc, frac;
long dx, dy,tmp;
if (y1 < 0 && y2 < 0) {
return;
}
if (y1 < 0) {
x1 += (y1 * (x1 - x2)) / (y2 - y1);
y1 = 0;
}
if (y2 < 0) {
x2 += (y2 * (x1 - x2)) / (y2 - y1);
y2 = 0;
}
/* bottom edge */
if (y1 >= im->sy && y2 >= im->sy) {
return;
}
if (y1 >= im->sy) {
x1 -= ((im->sy - y1) * (x1 - x2)) / (y2 - y1);
y1 = im->sy - 1;
}
if (y2 >= im->sy) {
x2 -= ((im->sy - y2) * (x1 - x2)) / (y2 - y1);
y2 = im->sy - 1;
}
/* left edge */
if (x1 < 0 && x2 < 0) {
return;
}
if (x1 < 0) {
y1 += (x1 * (y1 - y2)) / (x2 - x1);
x1 = 0;
}
if (x2 < 0) {
y2 += (x2 * (y1 - y2)) / (x2 - x1);
x2 = 0;
}
/* right edge */
if (x1 >= im->sx && x2 >= im->sx) {
/* 2.0.10: Nick Atty: clip to edges of drawing rectangle, return if no points need to be drawn */
if (!clip_1d(&x1,&y1,&x2,&y2,gdImageSX(im)-1) || !clip_1d(&y1,&x1,&y2,&x2,gdImageSY(im)-1)) {
return;
}
if (x1 >= im->sx) {
y1 -= ((im->sx - x1) * (y1 - y2)) / (x2 - x1);
x1 = im->sx - 1;
}
if (x2 >= im->sx) {
y2 -= ((im->sx - x2) * (y1 - y2)) / (x2 - x1);
x2 = im->sx - 1;
}
dx = x2 - x1;
dy = y2 - y1;
......@@ -1368,16 +1323,22 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
dx = x2 - x1;
dy = y2 - y1;
}
x = x1 << 16;
y = y1 << 16;
y = y1;
inc = (dy * 65536) / dx;
while ((x >> 16) <= x2) {
gdImageSetAAPixelColor(im, x >> 16, y >> 16, col, (y >> 8) & 0xFF);
if ((y >> 16) + 1 < im->sy) {
gdImageSetAAPixelColor(im, x >> 16, (y >> 16) + 1,col, (~y >> 8) & 0xFF);
frac = 0;
for (x = x1; x <= x2; x++) {
gdImageSetAAPixelColor(im, x, y, col, (frac >> 8) & 0xFF);
if (y + 1 < im->sy) {
gdImageSetAAPixelColor(im, x, y + 1, col, (~frac >> 8) & 0xFF);
}
frac += inc;
if (frac >= 65536) {
frac -= 65536;
y++;
} else if (frac < 0) {
frac += 65536;
y--;
}
x += (1 << 16);
y += inc;
}
} else {
if (dy < 0) {
......@@ -1390,16 +1351,22 @@ void gdImageAALine (gdImagePtr im, int x1, int y1, int x2, int y2, int col)
dx = x2 - x1;
dy = y2 - y1;
}
x = x1 << 16;
y = y1 << 16;
x = x1;
inc = (dx * 65536) / dy;
while ((y>>16) <= y2) {
gdImageSetAAPixelColor(im, x >> 16, y >> 16, col, (x >> 8) & 0xFF);
if ((x >> 16) + 1 < im->sx) {
gdImageSetAAPixelColor(im, (x >> 16) + 1, (y >> 16),col, (~x >> 8) & 0xFF);
frac = 0;
for (y = y1; y <= y2; y++) {
gdImageSetAAPixelColor(im, x, y, col, (frac >> 8) & 0xFF);
if (x + 1 < im->sx) {
gdImageSetAAPixelColor(im, x + 1, y, col, (~frac >> 8) & 0xFF);
}
frac += inc;
if (frac >= 65536) {
frac -= 65536;
x++;
} else if (frac < 0) {
frac += 65536;
x--;
}
x += inc;
y += (1<<16);
}
}
}
......@@ -1780,7 +1747,7 @@ void gdImageFillToBorder (gdImagePtr im, int x, int y, int border, int color)
int leftLimit = -1, rightLimit;
int i, restoreAlphaBlending = 0;
if (border < 0) {
if (border < 0 || color < 0) {
/* Refuse to fill to a non-solid border */
return;
}
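Review bot: In gdImageAALine() the slope is still computed as `inc = (dy * 65536) / dx;` (and `(dx * 65536) / dy` in the other branch) with `long` operands, so where `long` is 32 bits the product overflows once the minor-axis delta reaches 32768, which is undefined behaviour for signed arithmetic. The new clip_1d() call bounds the deltas by the image size, but nothing visible here excludes images larger than 32767 pixels on both axes. Computing the product in a 64-bit type, e.g. `inc = (long)(((long long)dy * 65536) / dx);`, removes the dependency on image dimensions. A guard against a zero divisor is not visible in these hunks and should be confirmed in the elided part of the function.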
......
......@@ -243,6 +243,10 @@ gdImagePtr gdImageCropThreshold(gdImagePtr im, const unsigned int color, const f
return NULL;
}
if (!gdImageTrueColor(im) && color >= gdImageColorsTotal(im)) {
return NULL;
}
/* TODO: Add gdImageGetRowPtr and works with ptr at the row level
* for the true color and palette images
* new formats will simply work with ptr
......
......@@ -1331,10 +1331,10 @@ static gdImagePtr gdImageScaleBilinearPalette(gdImagePtr im, const unsigned int
f_a4 = gd_itofx(gdTrueColorGetAlpha(pixel4));
{
const char red = (char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
const char green = (char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
const char blue = (char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
const char alpha = (char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
const unsigned char red = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_r1) + gd_mulfx(f_w2, f_r2) + gd_mulfx(f_w3, f_r3) + gd_mulfx(f_w4, f_r4));
const unsigned char green = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_g1) + gd_mulfx(f_w2, f_g2) + gd_mulfx(f_w3, f_g3) + gd_mulfx(f_w4, f_g4));
const unsigned char blue = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_b1) + gd_mulfx(f_w2, f_b2) + gd_mulfx(f_w3, f_b3) + gd_mulfx(f_w4, f_b4));
const unsigned char alpha = (unsigned char) gd_fxtoi(gd_mulfx(f_w1, f_a1) + gd_mulfx(f_w2, f_a2) + gd_mulfx(f_w3, f_a3) + gd_mulfx(f_w4, f_a4));
new_img->tpixels[dst_offset_v][dst_offset_h] = gdTrueColorAlpha(red, green, blue, alpha);
}
......
......@@ -237,7 +237,7 @@ static int dynamicGetbuf (gdIOCtxPtr ctx, void *buf, int len)
if (remain >= len) {
rlen = len;
} else {
if (remain == 0) {
if (remain <= 0) {
return EOF;
}
rlen = remain;
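Review bot: `len` is a signed `int`, and a negative value takes the `remain >= len` branch, so `rlen` becomes negative; the `remain <= 0` test only covers the other branch. What happens to `rlen` afterwards is outside this hunk, so confirm that a negative `rlen` cannot reach the copy. Alternatively reject it before the comparison, for example with `if (len < 0) { return 0; }` (or `EOF`, whichever the callers treat as failure). A short comment stating that `remain` can be negative when the position has been moved past the logical size would also explain why `== 0` was not enough.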
......
--TEST--
Bug #72482 (Ilegal write/read access caused by gdImageAALine overflow)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
$img = imagecreatetruecolor(13, 1007);
imageantialias($img, true);
imageline($img, 0, 0, 1073745919, 1073745919, 4096);
$img = imagecreatetruecolor(100, 100);
imageantialias($img, true);
imageline($img, 1094795585, 0, 2147483647, 255, 0xff);
?>
===DONE===
--EXPECT--
===DONE===
--TEST--
Bug 72482 (Ilegal write/read access caused by gdImageAALine overflow)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
$im = imagecreatetruecolor(10, 10);
imagefilledrectangle($im, 0, 0, 9, 9, imagecolorallocate($im, 255, 255, 255));
imageantialias($im, true);
imageline($im, 0, 0, 10, 10, imagecolorallocate($im, 0, 0, 0));
test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug72482_2.png', $im);
?>
===DONE===
--EXPECT--
The images are equal.
===DONE===
--TEST--
Bug #72494 (imagecropauto out-of-bounds access)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
$im = imagecreate(10,10);
imagecropauto($im, IMG_CROP_THRESHOLD, 0, 1337);
?>
===DONE===
--EXPECTF--
Warning: imagecropauto(): Color argument missing with threshold mode in %s on line %d
===DONE===
--TEST--
Bug #72696 (imagefilltoborder stackoverflow on truecolor images)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
$im = imagecreatetruecolor(10, 10);
imagefilltoborder($im, 0, 0, 1, -2);
?>
===DONE===
--EXPECT--
===DONE===
--TEST--
Bug #73213 (Integer overflow in imageline() with antialiasing)
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
$im = imagecreatetruecolor(32768, 1);
$black = imagecolorallocate($im, 0, 0, 0);
imageantialias($im, true);
imageline($im, 0,0, 32767,0, $black);
test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug73213.png', $im);
?>
===DONE===
--EXPECT--
The images are equal.
===DONE===
--TEST--
Bug #73272 (imagescale() is not affected by, but affects imagesetinterpolation())
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
?>
--FILE--
<?php
require_once __DIR__ . DIRECTORY_SEPARATOR . 'func.inc';
$src = imagecreatetruecolor(100, 100);
imagefilledrectangle($src, 0,0, 99,99, 0xFFFFFF);
imageellipse($src, 49,49, 40,40, 0x000000);
imagesetinterpolation($src, IMG_NEAREST_NEIGHBOUR);
imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
$dst = imagerotate($src, 60, 0xFFFFFF);
test_image_equals_file(__DIR__ . DIRECTORY_SEPARATOR . 'bug73272.png', $dst);
?>
===DONE===
--EXPECT--
The images are equal.
===DONE===
--TEST--
Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
if (!GD_BUNDLED && version_compare(GD_VERSION, '2.2.4', '<')) {
die('skip only for bundled libgd or external libgd >= 2.2.4');
}
?>
--FILE--
<?php
$src = imagecreate(100, 100);
imagecolorallocate($src, 255, 255, 255);
$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
printf("color: %x\n", imagecolorat($dst, 99, 99));
?>
===DONE===
--EXPECT--
color: ffffff
===DONE===
--TEST--
Bug #73279 (Integer overflow in gdImageScaleBilinearPalette())
--SKIPIF--
<?php
if (!extension_loaded('gd')) die('skip gd extension not available');
if (GD_BUNDLED || version_compare(GD_VERSION, '2.2.4', '>=')) {
die('skip only for external libgd < 2.2.4');
}
?>
--FILE--
<?php
$src = imagecreate(100, 100);
imagecolorallocate($src, 255, 255, 255);
$dst = imagescale($src, 200, 200, IMG_BILINEAR_FIXED);
printf("color: %x\n", imagecolorat($dst, 99, 99));
?>
===DONE===
--XFAIL--
Bug #330 has not yet been fixed
--EXPECT--
color: ffffff
===DONE===
......@@ -2491,7 +2491,7 @@ PHP_NAMED_FUNCTION(php_if_iconv)
&out_buffer, &out_len, out_charset, in_charset);
_php_iconv_show_error(err, out_charset, in_charset TSRMLS_CC);
if (err == PHP_ICONV_ERR_SUCCESS && out_buffer != NULL) {
RETVAL_STRINGL(out_buffer, out_len, 0);
RETVAL_STRINGL_CHECK(out_buffer, out_len, 0);
} else {
if (out_buffer != NULL) {
efree(out_buffer);
......
......@@ -3900,7 +3900,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
char *tsm_errmsg = NULL;
ADDRESS *addr;
char *bufferTo = NULL, *bufferCc = NULL, *bufferBcc = NULL, *bufferHeader = NULL;
int offset, bufferLen = 0;
size_t offset, bufferLen = 0;
size_t bt_len;
if (headers) {
......@@ -3916,7 +3916,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
#define PHP_IMAP_CLEAN if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
#define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
bufferHeader = (char *)emalloc(bufferLen + 1);
bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
memset(bufferHeader, 0, bufferLen);
if (to && *to) {
strlcat(bufferHeader, "To: ", bufferLen + 1);
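Review bot: `safe_emalloc(bufferLen, 1, 1)` only guards the final `+ 1`; the additions that build `bufferLen` happen before this hunk and are not overflow-checked by it. Widening `bufferLen` to `size_t` helps on 64-bit builds, but on 32-bit builds the sum of several header lengths can still wrap before it reaches the allocator, so the accumulation in the elided lines should be checked too. Also, `memset(bufferHeader, 0, bufferLen);` clears one byte less than was allocated while strlcat() is given `bufferLen + 1`; `memset(bufferHeader, 0, bufferLen + 1);` keeps the two sizes consistent.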
......
......@@ -182,7 +182,7 @@ static void _breakiterator_parts_move_forward(zend_object_iterator *iter TSRMLS_
}
assert(next <= slen && next >= cur);
len = next - cur;
res = static_cast<char*>(emalloc(len + 1));
res = static_cast<char*>(safe_emalloc(len, 1, 1));
memcpy(res, &s[cur], len);
res[len] = '\0';
......
......@@ -49,7 +49,7 @@ void intl_convert_utf8_to_utf16(
UErrorCode* status )
{
UChar* dst_buf = NULL;
int32_t dst_len = 0;
uint32_t dst_len = 0;
/* If *target is NULL determine required destination buffer size (pre-flighting).
* Otherwise, attempt to convert source string; if *target buffer is not large enough
......
......@@ -263,6 +263,9 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
int32_t buflen = 512;
UErrorCode status = U_ZERO_ERROR;
if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
return NULL;
}
if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
/* Handle grandfathered languages */
......@@ -395,7 +398,7 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
if(loc_name_len == 0) {
loc_name = intl_locale_get_default(TSRMLS_C);
}
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
/* Call ICU get */
......@@ -702,6 +705,8 @@ PHP_FUNCTION( locale_get_keywords )
RETURN_FALSE;
}
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
if(loc_name_len == 0) {
loc_name = intl_locale_get_default(TSRMLS_C);
}
......@@ -1109,6 +1114,8 @@ PHP_FUNCTION(locale_parse)
RETURN_FALSE;
}
INTL_CHECK_LOCALE_LEN(strlen(loc_name));
if(loc_name_len == 0) {
loc_name = intl_locale_get_default(TSRMLS_C);
}
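Review bot: In locale_get_keywords() and locale_parse() the `INTL_CHECK_LOCALE_LEN(strlen(loc_name));` line sits before the `loc_name_len == 0` fallback, so the string returned by intl_locale_get_default() is never length-checked on those paths. In get_icu_value_src_php() the same check follows the fallback. Moving the check below the `if(loc_name_len == 0) { ... }` block in both functions would make the three call sites consistent. The `strlen(loc_name) > INTL_MAX_LOCALE_LEN` guard in get_icu_value_internal() covers callers that go through it, but whether these two functions always do is not visible here.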
......
......@@ -80,10 +80,10 @@ msgformat_data* msgformat_data_create( TSRMLS_D )
/* }}} */
#ifdef MSG_FORMAT_QUOTE_APOS
int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
{
if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
uint32_t npattern_len;
npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
efree(*spattern);
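Review bot: The allocation is now overflow-checked, but the capacity passed on the following line, `2*(*spattern_len)+1`, is still computed in `uint32_t`. For very large patterns it can wrap, or turn negative once converted to the signed length ICU expects, so the size handed to umsg_autoQuoteApostrophe() may no longer describe the buffer. Rejecting an oversized length before the allocation keeps both values in range, e.g. `if (*spattern_len > (INT32_MAX - 1) / 2) { *ec = U_BUFFER_OVERFLOW_ERROR; return FAILURE; }`. The rest of msgformat_fix_quotes() is outside this hunk.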
......