Merge branch 'PHP-7.0' into PHP-7.1
authorAnatol Belski <ab@php.net>
Wed, 12 Oct 2016 18:09:24 +0000 (20:09 +0200)
committerAnatol Belski <ab@php.net>
Thu, 13 Oct 2016 23:46:18 +0000 (01:46 +0200)
* PHP-7.0:
  Fix bug #73190: memcpy negative parameter _bc_new_num_ex

(cherry picked from commit af1bf873fe4fc70be17fa9f270e8f30666f2d2db)

Zend/zend_exceptions.c
ext/bcmath/libbcmath/src/init.c
ext/bcmath/libbcmath/src/outofmem.c

index dc073de63391bbd5056143b638bf0020128f96ef..4f156c0bcccc05bdb6d5b50c1352143694ff063d 100644 (file)
@@ -306,10 +306,7 @@ ZEND_METHOD(exception, __construct)
 #define CHECK_EXC_TYPE(id, type) \
        pvalue = zend_read_property_ex(i_get_exception_base(object), (object), CG(known_strings)[id], 1, &value); \
        if (Z_TYPE_P(pvalue) != IS_NULL && Z_TYPE_P(pvalue) != type) { \
-               zval tmp; \
-               ZVAL_STR_COPY(&tmp, CG(known_strings)[id]); \
-               Z_OBJ_HANDLER_P(object, unset_property)(object, &tmp, NULL); \
-               zval_ptr_dtor(&tmp); \
+               zend_unset_property(i_get_exception_base(object), object, ZEND_STR_PREVIOUS, sizeof(ZEND_STR_PREVIOUS)-1); \
        }
 
 ZEND_METHOD(exception, __wakeup)
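Review bot: The replacement line in `CHECK_EXC_TYPE` ignores the macro's `id` argument and always targets `ZEND_STR_PREVIOUS`, so a wrongly typed `line` or `trace` property found during `__wakeup` is no longer unset. Two lines above it, `id` is used as an index into `CG(known_strings)`, which suggests `ZEND_STR_PREVIOUS` is an integer constant on this branch rather than a string literal; if so, `sizeof(ZEND_STR_PREVIOUS)-1` is not a name length and the third argument is not a `const char *`. The same name/length pair appears in the added `zend_read_property` and `zend_unset_property` calls in the `__wakeup` hunk. Something like `zend_unset_property(i_get_exception_base(object), object, ZSTR_VAL(CG(known_strings)[id]), ZSTR_LEN(CG(known_strings)[id])); \` keeps the check per-property, which matters because this is the type validation applied to unserialized exception objects.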
@@ -323,6 +320,12 @@ ZEND_METHOD(exception, __wakeup)
        CHECK_EXC_TYPE(ZEND_STR_LINE,     IS_LONG);
        CHECK_EXC_TYPE(ZEND_STR_TRACE,    IS_ARRAY);
        CHECK_EXC_TYPE(ZEND_STR_PREVIOUS, IS_OBJECT);
+       pvalue = zend_read_property(i_get_exception_base(object), object, ZEND_STR_PREVIOUS, sizeof(ZEND_STR_PREVIOUS)-1, 1, &value);
+       if (pvalue && Z_TYPE_P(pvalue) != IS_NULL && (Z_TYPE_P(pvalue) != IS_OBJECT ||
+                       !instanceof_function(Z_OBJCE_P(pvalue), i_get_exception_base(object)) ||
+                       pvalue == object)) {
+               zend_unset_property(i_get_exception_base(object), object, ZEND_STR_PREVIOUS, sizeof(ZEND_STR_PREVIOUS)-1);
+       }
 }
 /* }}} */
 
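Review bot: The self-reference test `pvalue == object` in the added condition compares zval addresses, not the objects they hold. `pvalue` comes from `zend_read_property` and so points at a property slot or at `value`, while `object` is presumably the `this` zval (its declaration is outside the hunk), so the two pointers would not be equal even when `previous` holds the exception itself. Comparing the object handles, `Z_OBJ_P(pvalue) == Z_OBJ_P(object)`, would make the check do what it appears to intend; it is safe in that position because the `IS_OBJECT` test short-circuits first.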
@@ -735,10 +738,24 @@ ZEND_METHOD(exception, __toString)
                zend_string_release(file);
                zval_ptr_dtor(&trace);
 
+               Z_OBJPROP_P(exception)->u.v.nApplyCount++;
                exception = GET_PROPERTY(exception, ZEND_STR_PREVIOUS);
+               if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->u.v.nApplyCount > 0) {
+                       exception = NULL;
+               }
        }
        zend_string_release(fname);
 
+       /* Reset apply counts */
+       while (exception && Z_TYPE_P(exception) == IS_OBJECT && (base_ce = i_get_exception_base(exception)) && instanceof_function(Z_OBJCE_P(exception), base_ce)) {
+               if(Z_OBJPROP_P(exception)->u.v.nApplyCount) {
+                       Z_OBJPROP_P(exception)->u.v.nApplyCount--;
+               } else {
+                       break;
+               }
+               exception = GET_PROPERTY(exception, ZEND_STR_PREVIOUS);
+       }
+
        exception = getThis();
        base_ce = i_get_exception_base(exception);
 
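Review bot: The "Reset apply counts" loop starts from whatever `exception` holds when the preceding loop ends, and `exception = getThis();` only comes after it. That value is either the `NULL` assigned by the new cycle check or a `previous` value that failed the loop condition (the loop head is outside the hunk, so this is inferred), which means the reset loop body would never run and every visited object keeps a non-zero `nApplyCount`. A leftover count makes later recursion-guarded operations on those exceptions, including a second `__toString()` call, treat them as already being visited. Moving `exception = getThis();` above the `/* Reset apply counts */` comment would let the decrement pass walk the same chain from the start.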
index e1aeeddf890b5f6c8283773fc391498ffe07f70b..d3a2e580e5edefde2579c468e20523ff2891d1f1 100644 (file)
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
      int length, scale, persistent;
 {
   bc_num temp;
-
+  /* PHP Change:  add length check */
+  if ((size_t)length+(size_t)scale > INT_MAX) {
+   zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+  }
   /* PHP Change:  malloc() -> pemalloc(), removed free_list code */
   temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
 #if 0
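Review bot: The added guard `(size_t)length+(size_t)scale > INT_MAX` can be passed by a negative argument, because the casts wrap: with `length == -1` and `scale == 1` the unsigned sum is 0. Whether any caller can produce such values is not visible here, but the allocation and the rest of `_bc_new_num_ex` (the body continues outside the hunk) would then run with a negative size. Rejecting negatives explicitly, `if (length < 0 || scale < 0 || (size_t)length + (size_t)scale > INT_MAX) {`, closes that gap. Since the `outofmem.c` change in this commit uses `zend_error_noreturn`, using it here as well would make it explicit that execution never continues to `safe_pemalloc`.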
index bcbf4cfd1d314aec8e9260372178dbfe91c84eb2..05a85b76ea1d13d8e2b41efd201bf93ba1646aef 100644 (file)
@@ -41,6 +41,5 @@
 
 void bc_out_of_memory (void)
 {
-  (void) fprintf (stderr, "bcmath: out of memory!\n");
-  exit (1);
+  zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
 }