Merge branch 'PHP-5.6' into PHP-7.0

diff --cc NEWS
index 0848c2e96479787651cb3f9badedd245b1637158,fae5b65ccd3993275f23e375e920a34180c8a0ac..d4b78736831679d703d2ea8980a761a744f416a2
--- 1/NEWS
--- 2/NEWS
+++ b/NEWS
@@@ -1,29 -1,18 +1,32 @@@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 -?? ??? 2016, PHP 5.6.28
 +?? ??? 2016 PHP 7.0.13
 +
 +- Core:
 +  . Fixed bug #73181 (parse_str() without a second argument leads to crash).
 +    (Nikita)
  
 -13 Oct 2016, PHP 5.6.27
+ - Standard:
+   . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
+ 
 +13 Oct 2016 PHP 7.0.12
  
  - Core:
 +  . Fixed bug #73067 (__debugInfo crashes when throwing an exception).
 +    (Laruence)
    . Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of
      zend_virtual_cwd.c). (cmb)
 -  . Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
    . Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by
      password_verify). (Anatol)
 +  . Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
 +  . Fixed bug #69579 (Invalid free in extension trait). (John Boehr)
 +  . Fixed bug #73156 (segfault on undefined function). (Dmitry)
 +  . Fixed bug #73163 (PHP hangs if error handler throws while accessing undef
 +    const in default value). (Nikita)
 +  . Fixed bug #73172 (parse error: Invalid numeric literal). (Nikita, Anatol)
 +
 +- COM:
 +  . Fixed bug #73126 (Cannot pass parameter 1 by reference). (Anatol)
  
  - Filter:
    . Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and

diff --cc ext/standard/exec.c
index a73d0b4e6e017f2a8165d207efc1c316f5ecc0e5,e0ca9140f7f353af3031b7752ca09e5bd09e25af..7bd3ef9f7fcc5ca2f1cc3a8e7ff7db6ae5f6c23b
--- 1/ext/standard/exec.c
--- 2/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@@ -361,12 -370,12 +361,12 @@@ PHPAPI zend_string *php_escape_shell_cm
  
                }
        }
 -      cmd[y] = '\0';
 +      ZSTR_VAL(cmd)[y] = '\0';
  
-       if (y - 1 > cmd_max_len) {
+       if (y > cmd_max_len + 1) {
 -              php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
 -              efree(cmd);
 -              return NULL;
 +              php_error_docref(NULL, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
 +              zend_string_release(cmd);
 +              return ZSTR_EMPTY_ALLOC();
        }
  
        if ((estimate - y) > 4096) {
@@@ -444,16 -453,16 +444,16 @@@ PHPAPI zend_string *php_escape_shell_ar
                }
        }
  
 -      cmd[y++] = '"';
 +      ZSTR_VAL(cmd)[y++] = '"';
  #else
 -      cmd[y++] = '\'';
 +      ZSTR_VAL(cmd)[y++] = '\'';
  #endif
 -      cmd[y] = '\0';
 +      ZSTR_VAL(cmd)[y] = '\0';
  
-       if (y - 1 > cmd_max_len) {
+       if (y > cmd_max_len + 1) {
 -              php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
 -              efree(cmd);
 -              return NULL;
 +              php_error_docref(NULL, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
 +              zend_string_release(cmd);
 +              return ZSTR_EMPTY_ALLOC();
        }
  
        if ((estimate - y) > 4096) {