Fix bug #73190: memcpy negative parameter _bc_new_num_ex

diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index fda4d21e032bfc5191b2f74b61ec99dd3d83c2d0..e656575446477c53fc8fa2149de389d354abb04f 100644 (file)
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -229,13 +229,9 @@ ZEND_METHOD(exception, __construct)
 /* {{{ proto Exception::__wakeup()
    Exception unserialize checks */
 #define CHECK_EXC_TYPE(name, type) \
-       value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \
+       value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \
        if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \
-               zval *tmp; \
-               MAKE_STD_ZVAL(tmp); \
-               ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \
-               Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \
-               zval_ptr_dtor(&tmp); \
+               zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \
        }
 
 ZEND_METHOD(exception, __wakeup)
@@ -248,7 +244,12 @@ ZEND_METHOD(exception, __wakeup)
        CHECK_EXC_TYPE("file", IS_STRING);
        CHECK_EXC_TYPE("line", IS_LONG);
        CHECK_EXC_TYPE("trace", IS_ARRAY);
-       CHECK_EXC_TYPE("previous", IS_OBJECT);
+       value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+       if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT ||
+                       !instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) ||
+                       value == object)) {
+               zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC);
+       }
 }
 /* }}} */
 
@@ -727,7 +728,11 @@ ZEND_METHOD(exception, __toString)
                zval_dtor(&file);
                zval_dtor(&line);
 
-               exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC);
+               Z_OBJPROP_P(exception)->nApplyCount++;
+               exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+               if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) {
+                       exception = NULL;
+               }
 
                if (trace) {
                        zval_ptr_dtor(&trace);
@@ -736,6 +741,17 @@ ZEND_METHOD(exception, __toString)
        }
        zval_dtor(&fname);
 
+       /* Reset apply counts */
+       exception = getThis();
+       while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) {
+               if(Z_OBJPROP_P(exception)->nApplyCount) {
+                       Z_OBJPROP_P(exception)->nApplyCount--;
+               } else {
+                       break;
+               }
+               exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+       }
+
        /* We store the result in the private property string so we can access
         * the result in uncaught exception handlers without memleaks. */
        zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC);

diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c
index 986ad1df2416abc70ed90023c5c26c492f8f03db..c51133be73767ea296c6aa27baaa4b27e46a499e 100644 (file)
--- a/ext/bcmath/libbcmath/src/init.c
+++ b/ext/bcmath/libbcmath/src/init.c
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
      int length, scale, persistent;
 {
   bc_num temp;
-
+  /* PHP Change:  add length check */
+  if ((size_t)length+(size_t)scale > INT_MAX) {
+   zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+  }
   /* PHP Change:  malloc() -> pemalloc(), removed free_list code */
   temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
 #if 0

diff --git a/ext/bcmath/libbcmath/src/outofmem.c b/ext/bcmath/libbcmath/src/outofmem.c
index 799a32d2ae6c5796e08efa0c7ccbdaaffe5562f3..05fa484e11f32e1ea167e865885ed0bf6a89cf94 100644 (file)
--- a/ext/bcmath/libbcmath/src/outofmem.c
+++ b/ext/bcmath/libbcmath/src/outofmem.c
@@ -41,6 +41,5 @@
 
 void bc_out_of_memory (void)
 {
-  (void) fprintf (stderr, "bcmath: out of memory!\n");
-  exit (1);
+  zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
 }

diff --git a/main/php_version.h b/main/php_version.h
index 1868cf0c38bf1921bac73356cb77b8f6262744dc..8fa4040c5e2c6553b144587c0ad907f324cfc62c 100644 (file)
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 6
-#define PHP_RELEASE_VERSION 27
+#define PHP_RELEASE_VERSION 26
 #define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.6.27-dev"
-#define PHP_VERSION_ID 50627
+#define PHP_VERSION "5.6.26-dev"
+#define PHP_VERSION_ID 50626