Merge branch 'PHP-5.6.19' into PHP-7.0.4
authorStanislav Malyshev <stas@php.net>
Wed, 2 Mar 2016 07:01:48 +0000 (23:01 -0800)
committerStanislav Malyshev <stas@php.net>
Wed, 2 Mar 2016 07:01:48 +0000 (23:01 -0800)
* PHP-5.6.19:
  fix test file
  Fix version
  update NEWS
  Update NEWS
  Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile()
  fix ts buld
  prep for 5.6.19RC1
  5.6.20 is next
  Fixed bug #71587 - Use-After-Free / Double-Free in WDDX Deserialize

Conflicts:
configure.in
ext/wddx/wddx.c
main/php_version.h

ext/phar/zip.c
ext/wddx/wddx.c
sapi/cli/php_cli_server.c

diff --cc ext/phar/zip.c
Simple merge
diff --cc ext/wddx/wddx.c
index ca7b7116821f1c8ed3d1a0b83924d503dea580bf,22ff535c63739b99da7e87cc2244ef5d701986d3..539ed576624d4c5424978bbdf75d346be57bbff6
@@@ -870,18 -927,31 +870,28 @@@ static void php_wddx_pop_element(void *
                return;
        }
  
 -      if (!strcmp(name, EL_STRING) || !strcmp(name, EL_NUMBER) ||
 -              !strcmp(name, EL_BOOLEAN) || !strcmp(name, EL_NULL) ||
 -              !strcmp(name, EL_ARRAY) || !strcmp(name, EL_STRUCT) ||
 -              !strcmp(name, EL_RECORDSET) || !strcmp(name, EL_BINARY) ||
 -              !strcmp(name, EL_DATETIME)) {
 +      if (!strcmp((char *)name, EL_STRING) || !strcmp((char *)name, EL_NUMBER) ||
 +              !strcmp((char *)name, EL_BOOLEAN) || !strcmp((char *)name, EL_NULL) ||
 +              !strcmp((char *)name, EL_ARRAY) || !strcmp((char *)name, EL_STRUCT) ||
 +              !strcmp((char *)name, EL_RECORDSET) || !strcmp((char *)name, EL_BINARY) ||
 +              !strcmp((char *)name, EL_DATETIME)) {
                wddx_stack_top(stack, (void**)&ent1);
  
 -              if (!strcmp(name, EL_BINARY)) {
 -                      int new_len=0;
 -                      unsigned char *new_str;
 -
 -                      new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len);
 -                      STR_FREE(Z_STRVAL_P(ent1->data));
 -                      Z_STRVAL_P(ent1->data) = new_str;
 -                      Z_STRLEN_P(ent1->data) = new_len;
+               if (!ent1->data) {
+                       if (stack->top > 1) {
+                               stack->top--;
+                       } else {
+                               stack->done = 1;
+                       }
+                       efree(ent1);
+                       return;
+               }
 +              if (!strcmp((char *)name, EL_BINARY)) {
 +                      zend_string *new_str = php_base64_decode(
 +                              (unsigned char *)Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));
 +                      zval_ptr_dtor(&ent1->data);
 +                      ZVAL_STR(&ent1->data, new_str);
                }
  
                /* Call __wakeup() method on the object. */
                } else {
                        stack->done = 1;
                }
 -      } else if (!strcmp(name, EL_VAR) && stack->varname) {
 +      } else if (!strcmp((char *)name, EL_VAR) && stack->varname) {
                efree(stack->varname);
 -      } else if (!strcmp(name, EL_FIELD)) {
+               stack->varname = NULL;
 +      } else if (!strcmp((char *)name, EL_FIELD)) {
                st_entry *ent;
                wddx_stack_top(stack, (void **)&ent);
                efree(ent);
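Review bot: The added guard `if (!ent1->data)` tests `data` as a pointer, but the lines just below it on this branch use it as an embedded zval (`Z_STRVAL(ent1->data)`, `zval_ptr_dtor(&ent1->data)`), so the check carried over from PHP-5.6 appears not to fit the type here; the same applies to `ent->data = NULL;` in the php_wddx_process_data hunk. If `data` is a zval by value, the guard would read `if (Z_TYPE(ent1->data) == IS_UNDEF) {` and the reset `ZVAL_UNDEF(&ent->data);`. Separately, when `stack->top` is 1 the guard sets `stack->done = 1` and still runs `efree(ent1)` without popping, so the stack's top slot keeps pointing at freed memory; moving `efree(ent1);` into the `stack->top > 1` branch would avoid that. php_wddx_pop_element starts and ends outside this hunk, so how the top entry is consumed after `done` is set is not visible here.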
@@@ -1000,16 -1094,16 +1011,16 @@@ static void php_wddx_process_data(void 
                                break;
  
                        case ST_BOOLEAN:
 -                              if (!strcmp(s, "true")) {
 -                                      Z_LVAL_P(ent->data) = 1;
 -                              } else if (!strcmp(s, "false")) {
 -                                      Z_LVAL_P(ent->data) = 0;
 +                              if (!strcmp((char *)s, "true")) {
 +                                      Z_LVAL(ent->data) = 1;
 +                              } else if (!strcmp((char *)s, "false")) {
 +                                      Z_LVAL(ent->data) = 0;
                                } else {
-                                       stack->top--;
                                        zval_ptr_dtor(&ent->data);
-                                       if (ent->varname)
+                                       if (ent->varname) {
                                                efree(ent->varname);
-                                       efree(ent);
+                                       }
+                                       ent->data = NULL;
                                }
                                break;
  
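Review bot: In the `ST_BOOLEAN` error branch the entry now stays on the stack (the `stack->top--` and `efree(ent)` lines are dropped), but `ent->varname` is freed without being cleared, so any later code that releases the entry's `varname` again would double-free it. Adding `ent->varname = NULL;` inside the new braces after `efree(ent->varname);` matches the `stack->varname = NULL;` reset added in php_wddx_pop_element. A short comment such as `/* invalid boolean: leave an empty entry for php_wddx_pop_element to discard */` would also explain why the entry is kept. The stack teardown code is outside this hunk, so the double-free path is inferred, not shown.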
Simple merge