From: Christoph M. Becker Date: Thu, 28 Jul 2016 16:24:13 +0000 (+0200) Subject: Merge branch 'PHP-5.6' into PHP-7.0 X-Git-Tag: php-7.0.10RC1~20 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=1693eb9d2a4f8964079934d10712442cd8ed14b2;p=php Merge branch 'PHP-5.6' into PHP-7.0 --- 1693eb9d2a4f8964079934d10712442cd8ed14b2 diff --cc NEWS index 2ee6fdcc01,b03e691a33..f5c4d9377d --- a/NEWS +++ b/NEWS @@@ -1283,278 -696,468 +1283,278 @@@ PH . Fixed bug #68714 (copy 'n paste error). (cmb) . Fixed bug #66339 (PHP segfaults in imagexbm). (cmb) . Fixed bug #70047 (gd_info() doesn't report WebP support). (cmb) + . Replace libvpx with libwebp for bundled libgd. (cmb, Anatol) + . Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb) + . Made fontFetch's path parser thread-safe. (Sara) + . Removed T1Lib support. (Kalle) -- ODBC: - . Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined - columns). (CVE-2015-8879) (cmb) +- GMP: + . Fixed bug #70284 (Use after free vulnerability in unserialize() with GMP). + (stas) -- OpenSSL: - . Fixed bug #69882 (OpenSSL error "key values mismatch" after - openssl_pkcs12_read with extra cert). (Tomasz Sawicki) - . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically - secure). (CVE-2015-8867) (Stas) +- hash: + . Fixed bug #70312 (HAVAL gives wrong hashes in specific cases). (letsgolee + at naver dot com) -- Phar: - . Improved fix for bug #69441. (Anatol Belski) - . Fixed bug #70019 (Files extracted from archive may be placed outside of - destination directory). (CVE-2015-6833) (Anatol Belski) +- IMAP: + . Fixed bug #70158 (Building with static imap fails). (cmb) + . Fixed bug #69998 (curl multi leaking memory). (Pierrick) -- SOAP: - . Fixed bug #70081 (SoapClient info leak / null pointer dereference via - multiple type confusions). (Stas) +- Intl: + . Fixed bug #70453 (IntlChar::foldCase() incorrect arguments and missing + constants). (cmb) + . 
Fixed bug #70454 (IntlChar::forDigit second parameter should be optional). + (cmb, colinodell) + . Removed deprecated aliases datefmt_set_timezone_id() and + IntlDateFormatter::setTimeZoneID(). (Nikita) -- SPL: - . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject - items). (CVE-2015-6832) (sean.heelan) - . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with - SPLArrayObject). (CVE-2015-6831) (taoguangchen at icloud dot com) - . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with - SplObjectStorage). (CVE-2015-6831) (taoguangchen at icloud dot com) - . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with - SplDoublyLinkedList). (CVE-2015-6831) (taoguangchen at icloud dot com) +- JSON: + . Fixed bug #62010 (json_decode produces invalid byte-sequences). + (Jakub Zelenka) + . Fixed bug #68546 (json_decode() Fatal error: Cannot access property + started with '\0'). (Jakub Zelenka) + . Replace non-free JSON parser with a parser from Jsond extension, fixes #63520 + (JSON extension includes a problematic license statement). (Jakub Zelenka) + . Fixed bug #68938 (json_decode() decodes empty string without error). + (jeremy at bat-country dot us) -- Standard: - . Fixed bug #70096 (Repeated iptcembed() adds superfluous FF bytes). (cmb) +- LDAP: + . Fixed bug #47222 (Implement LDAP_OPT_DIAGNOSTIC_MESSAGE). (Andreas Heigl) -09 Jul 2015, PHP 5.6.11 +- LiteSpeed: + . Updated LiteSpeed SAPI code from V5.5 to V6.6. (George Wang) -- Core: - . Fixed bug #69768 (escapeshell*() doesn't cater to !). (cmb) - . Fixed bug #69703 (Use __builtin_clzl on PowerPC). - (dja at axtens dot net, Kalle) - . Fixed bug #69732 (can induce segmentation fault with basic php code). - (Dmitry) - . Fixed bug #69642 (Windows 10 reported as Windows 8). - (Christian Wenz, Anatol Belski) - . Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation - fault). (Christoph M. Becker) - . 
Fixed bug #69781 (phpinfo() reports Professional Editions of Windows - 7/8/8.1/10 as "Business"). (Christian Wenz) - . Fixed bug #69740 (finally in generator (yield) swallows exception in - iteration). (Nikita) - . Fixed bug #69835 (phpinfo() does not report many Windows SKUs). - (Christian Wenz) - . Fixed bug #69892 (Different arrays compare indentical due to integer key - truncation). (Nikita) - . Fixed bug #69874 (Can't set empty additional_headers for mail()), regression - from fix to bug #68776. (Yasuo) +- libxml: + . Fixed handling of big lines in error messages with libxml >= 2.9.0. + (Christoph M. Becker) -- GD: - . Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb) +- Mcrypt: + . Fixed bug #70625 (mcrypt_encrypt() won't return data when no IV was + specified under RC4). (Nikita) + . Fixed bug #69833 (mcrypt fd caching not working). (Anatol) + . Fixed possible read after end of buffer and use after free. (Dmitry) + . Removed mcrypt_generic_end() alias. (Nikita) + . Removed mcrypt_ecb(), mcrypt_cbc(), mcrypt_cfb(), mcrypt_ofb(). (Nikita) -- GMP: - . Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP - number). (Nikita) +- Mysqli: + . Fixed bug #32490 (constructor of mysqli has wrong name). (cmb) - Mysqlnd: - . Fixed bug #69669 (mysqlnd is vulnerable to BACKRONYM). (CVE-2015-3152) - (Andrey) - -- PCRE: - . Fixed Bug #53823 (preg_replace: * qualifier on unicode replace garbles the - string). (cmb) - . Fixed bug #69864 (Segfault in preg_replace_callback) (cmb, ab) - -- PDO_pgsql: - . Fixed bug #69752 (PDOStatement::execute() leaks memory with DML - Statements when closeCuror() is u). (Philip Hofstetter) - . Fixed bug #69362 (PDO-pgsql fails to connect if password contains a - leading single quote). (Matteo) - . Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps). - (Matteo) - -- Phar: - . Fixed bug #69958 (Segfault in Phar::convertToData on invalid file). - (CVE-2015-5589) (Stas) - . 
Fixed bug #69923 (Buffer overflow and stack smashing error in - phar_fix_filepath). (CVE-2015-5590) (Stas) - -- SimpleXML: - . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty - node name). (Christoph Michael Becker) - -- SPL: - . Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error). - (Stas) - . Fixed bug #67805 (SplFileObject setMaxLineLength). (Willian Gustavo Veiga). - . Fixed bug #69970 (Use-after-free vulnerability in - spl_recursive_it_move_forward_ex()). (Laruence) - -- Sqlite3: - . Fixed bug #69972 (Use-after-free vulnerability in - sqlite3SafetyCheckSickOrOk()). (Laruence) - -11 Jun 2015, PHP 5.6.10 - -- Core: - . Fixed bug #66048 (temp. directory is cached during multiple requests). - (Julien) - . Fixed bug #69566 (Conditional jump or move depends on uninitialised value - in extension trait). (jbboehr at gmail dot com) - . Fixed bug #69599 (Strange generator+exception+variadic crash). (Nikita) - . Fixed bug #69628 (complex GLOB_BRACE fails on Windows). - (Christoph M. Becker) - . Fixed POST data processing slowdown due to small input buffer size - on Windows. (Jorge Oliveira, Anatol) - . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg). - (CVE-2015-4642) (Anatol Belski) - . Fixed bug #69719 (Incorrect handling of paths with NULs). (CVE-2015-4598) - (Stas) - -- FTP - . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in - heap overflow). (CVE-2015-4643) (Max Spelsberg) - -- GD: - . Fixed bug #69479 (GD fails to build with newer libvpx). (Remi) - -- Iconv: - . Fixed bug #48147 (iconv with //IGNORE cuts the string). (Stas) - -- Litespeed SAPI: - . Fixed bug #68812 (Unchecked return value). (George Wang) - -- Mail: - . Fixed bug #68776 (mail() does not have mail header injection prevention for - additional headers). (Yasuo) - -- MCrypt: - . Added file descriptor caching to mcrypt_create_iv() (Leigh) - -- Opcache - . 
Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF). - (Laruence, Dmitry) - -- PCRE - . Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326) - -- Phar: - . Fixed bug #69680 (phar symlink in binary directory broken). - (Matteo Bernardini, Remi) - -- Postgres: - . Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644) (Remi) - -- Sqlite3: - . Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415, - CVE-2015-3416) (Kaplan) - -14 May 2015, PHP 5.6.9 - -- Core: - . Fixed bug #69467 (Wrong checked for the interface by using Trait). + . Fixed bug #70949 (SQL Result Sets With NULL Can Cause Fatal Memory Errors). (Laruence) - . Fixed bug #69420 (Invalid read in zend_std_get_method). (Laruence) - . Fixed bug #60022 ("use statement [...] has no effect" depends on leading - backslash). (Nikita) - . Fixed bug #67314 (Segmentation fault in gc_remove_zval_from_buffer). - (Dmitry) - . Fixed bug #68652 (segmentation fault in destructor). (Dmitry) - . Fixed bug #69419 (Returning compatible sub generator produces a warning). - (Nikita) - . Fixed bug #69472 (php_sys_readlink ignores misc errors from - GetFinalPathNameByHandleA). (Jan Starke) - . Fixed bug #69364 (PHP Multipart/form-data remote dos Vulnerability). - (CVE-2015-4024) (Stas) - . Fixed bug #69403 (str_repeat() sign mismatch based memory corruption). - (Stas) - . Fixed bug #69418 (CVE-2006-7243 fix regressions in 5.4+). (CVE-2015-4025) - (Stas) - . Fixed bug #69522 (heap buffer overflow in unpack()). (Stas) + . Fixed bug #70384 (mysqli_real_query():Unknown type 245 sent by the server). + (Andrey) + . Fixed bug #70456 (mysqlnd doesn't activate TCP keep-alive when connecting to + a server). (Sergei Turchanov) + . Fixed bug #70572 segfault in mysqlnd_connect. (Andrey, Remi) + . Fixed Bug #69796 (mysqli_stmt::fetch doesn't assign null values to + bound variables). (Laruence) -- FTP: - . Fixed bug #69545 (Integer overflow in ftp_genlist() resulting in heap - overflow). 
(CVE-2015-4022) (Stas) +- OCI8: + . Fixed memory leak with LOBs. (Senthil) + . Fixed bug #68298 (OCI int overflow) (Senthil). + . Corrected oci8 hash destructors to prevent segfaults, and a few other fixes. + (Cameron Porter) - ODBC: - . Fixed bug #69354 (Incorrect use of SQLColAttributes with ODBC 3.0). + . Fixed bug #69975 (PHP segfaults when accessing nvarchar(max) defined - columns). (cmb) ++ columns). (CVE-2015-8879) (cmb) + +- Opcache: + . Fixed bug #70656 (require() statement broken after opcache_reset() or a + few hours of use). (Laruence) + . Fixed bug #70843 (Segmentation fault on MacOSX with + opcache.file_cache_only=1). (Laruence) + . Fixed bug #70724 (Undefined Symbols from opcache.so on Mac OS X 10.10). + (Laruence) + . Fixed compatibility with Windows 10 (see also bug #70652). (Anatol) + . Attmpt to fix "Unable to reattach to base address" problem. (Matt Ficken) + . Fixed bug #70423 (Warning Internal error: wrong size calculation). (Anatol) + . Fixed bug #70237 (Empty while and do-while segmentation fault with opcode + on CLI enabled). (Dmitry, Laruence) + . Fixed bug #70111 (Segfault when a function uses both an explicit return + type and an explicit cast). (Laruence) + . Fixed bug #70058 (Build fails when building for i386). (Laruence) + . Fixed bug #70022 (Crash with opcache using opcache.file_cache_only=1). (Anatol) - . Fixed bug #69474 (ODBC: Query with same field name from two tables returns - incorrect result). (Anatol) - . Fixed bug #69381 (out of memory with sage odbc driver). (Frederic Marchall, - Anatol Belski) + . Removed opcache.load_comments configuration directive. Now doc comments + loading costs nothing and always enabled. (Dmitry) + . Fixed bug #69838 (Wrong size calculation for function table). (Anatol) + . Fixed bug #69688 (segfault with eval and opcache fast shutdown). + (Laruence) + . Added experimental (disabled by default) file based opcode cache. + (Dmitry, Laruence, Anatol) + . 
Fixed bug with try blocks being removed when extended_info opcode + generation is turned on. (Laruence) + . Fixed bug #68644 (strlen incorrect : mbstring + func_overload=2 +UTF-8 + + Opcache). (Laruence) - OpenSSL: - . Fixed bug #69402 (Reading empty SSL stream hangs until timeout). - (Daniel Lowrey) - -- PCNTL: - . Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026) - (Stas) - -- Phar: - . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry - filename starts with null). (CVE-2015-4021) (Stas) - -16 Apr 2015, PHP 5.6.8 - -- Core: - . Fixed bug #66609 (php crashes with __get() and ++ operator in some cases). - (Dmitry, Laruence) - . Fixed bug #68021 (get_browser() browser_name_regex returns non-utf-8 - characters). (Tjerk) - . Fixed bug #68917 (parse_url fails on some partial urls). (Wei Dai) - . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM - configuration options). (Anatol Belski) - . Additional fix for bug #69152 (Type confusion vulnerability in - exception::getTraceAsString). (Stas) - . Fixed bug #69210 (serialize function return corrupted data when sleep has - non-string values). (Juan Basso) - . Fixed bug #69212 (Leaking VIA_HANDLER func when exception thrown in - __call/... arg passing). (Nikita) - . Fixed bug #69221 (Segmentation fault when using a generator in combination - with an Iterator). (Nikita) - . Fixed bug #69337 (php_stream_url_wrap_http_ex() type-confusion - vulnerability). (Stas) - . Fixed bug #69353 (Missing null byte checks for paths in various PHP - extensions). (Stas) - -- Apache2handler: - . Fixed bug #69218 (potential remote code execution with apache 2.4 - apache2handler). (Gerrit Venema) - -- cURL: - . Implemented FR#69278 (HTTP2 support). (Masaki Kagaya) - . Fixed bug #68739 (Missing break / control flow). (Laruence) - . Fixed bug #69316 (Use-after-free in php_curl related to - CURLOPT_FILE/_INFILE/_WRITEHEADER). (Laruence) - -- Date: - . 
Fixed bug #69336 (Issues with "last day of "). (Derick Rethans) - -- Enchant: - . Fixed bug #65406 (Enchant broker plugins are in the wrong place in windows - builds). (Anatol) + . Require at least OpenSSL version 0.9.8. (Jakub Zelenka) + . Fixed bug #68312 (Lookup for openssl.cnf causes a message box). (Anatol) + . Fixed bug #55259 (openssl extension does not get the DH parameters from + DH key resource). (Jakub Zelenka) + . Fixed bug #70395 (Missing ARG_INFO for openssl_seal()). (cmb) + . Fixed bug #60632 (openssl_seal fails with AES). (Jakub Zelenka) + . Implemented FR #70438 (Add IV parameter for openssl_seal and openssl_open) + (Jakub Zelenka) + . Fixed bug #70014 (openssl_random_pseudo_bytes() is not cryptographically + secure). (CVE-2015-8867) (Stas) + . Fixed bug #69882 (OpenSSL error "key values mismatch" after + openssl_pkcs12_read with extra cert). (Tomasz Sawicki) + . Added "alpn_protocols" SSL context option allowing encrypted client/server + streams to negotiate alternative protocols using the ALPN TLS extension when + built against OpenSSL 1.0.2 or newer. Negotiated protocol information is + accessible through stream_get_meta_data() output. + . Removed "CN_match" and "SNI_server_name" SSL context options. Use automatic + detection or the "peer_name" option instead. (Nikita) + +- Pcntl: + . Fixed bug #70386 (Can't compile on NetBSD because of missing WCONTINUED + and WIFCONTINUED). (Matteo) + . Fixed bug #60509 (pcntl_signal doesn't decrease ref-count of old handler + when setting SIG_DFL). (Julien) + . Implemented FR #68505 (Added wifcontinued and wcontinued). (xilon-jul) + . Added rusage support to pcntl_wait() and pcntl_waitpid(). (Anton Stepanenko, + Tony) -- Ereg: - . Fixed bug #68740 (NULL Pointer Dereference). (Laruence) +- PCRE: + . Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string + match). (cmb) + . Fixed bug #70345 (Multiple vulnerabilities related to PCRE functions). + (Anatol Belski) + . 
Fixed bug #70232 (Incorrect bump-along behavior with \K and empty string + match). (cmb) + . Fixed bug #53823 (preg_replace: * qualifier on unicode replace garbles the + string). (cmb) + . Fixed bug #69864 (Segfault in preg_replace_callback). (cmb, ab) -- Fileinfo: - . Fixed bug #68819 (Fileinfo on specific file causes spurious OOM and/or - segfault). (Anatol Belski) +- PDO: + . Fixed bug #70861 (Segmentation fault in pdo_parse_params() during Drupal 8 + test suite). (Anatol) + . Fixed bug #70389 (PDO constructor changes unrelated variables). (Laruence) + . Fixed bug #70272 (Segfault in pdo_mysql). (Laruence) + . Fixed bug #70221 (persistent sqlite connection + custom function + segfaults). (Laruence) + . Removed support for the /e (PREG_REPLACE_EVAL) modifier. (Nikita) + . Fixed bug #59450 (./configure fails with "Cannot find php_pdo_driver.h"). + (maxime dot besson at smile dot fr) -- Filter: - . Fixed bug #69202 (FILTER_FLAG_STRIP_BACKTICK ignored unless other - flags are used). (Jeff Welch) - . Fixed bug #69203 (FILTER_FLAG_STRIP_HIGH doesn't strip ASCII 127). (Jeff - Welch) +- PDO_DBlib: + . Fixed bug #69757 (Segmentation fault on nextRowset). + (miracle at rpz dot name) -- Mbstring: - . Fixed bug #68846 (False detection of CJK Unified Ideographs Extension E). - (Masaki Kagaya) +- PDO_mysql: + . Fixed bug #68424 (Add new PDO mysql connection attr to control multi + statements option). (peter dot wolanin at acquia dot com) -- OPCache: - . Fixed bug #69297 (function_exists strange behavior with OPCache on - disabled function). (Laruence) - . Fixed bug #69281 (opcache_is_script_cached no longer works). (danack) - . Fixed bug #68677 (Use After Free). (CVE-2015-1351) (Laruence) +- PDO_OCI: + . Fixed bug #70308 (PDO::ATTR_PREFETCH is ignored). (Chris Jones) -- OpenSSL: - . Fixed bugs #68853, #65137 (Buffered crypto stream data breaks IO polling - in stream_select() contexts) (Chris Wright) - . 
Fixed bug #69197 (openssl_pkcs7_sign handles default value incorrectly) - (Daniel Lowrey) - . Fixed bug #69215 (Crypto servers should send client CA list) - (Daniel Lowrey) - . Add a check for RAND_egd to allow compiling against LibreSSL (Leigh) +- PDO_pgsql: + . Fixed bug #69752 (PDOStatement::execute() leaks memory with DML + Statements when closeCuror() is u). (Philip Hofstetter) + . Removed PGSQL_ATTR_DISABLE_NATIVE_PREPARED_STATEMENT attribute in favor of + ATTR_EMULATE_PREPARES). (Nikita) - Phar: - . Fixed bug #64343 (PharData::extractTo fails for tarball created by BSD tar). - (Mike) - . Fixed bug #64931 (phar_add_file is too restrictive on filename). (Mike) - . Fixed bug #65467 (Call to undefined method cli_arg_typ_string). (Mike) - . Fixed bug #67761 (Phar::mapPhar fails for Phars inside a path containing - ".tar"). (Mike) - . Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar). (Stas) - . Fixed bug #69441 (Buffer Overflow when parsing tar/zip/phar in - phar_set_inode). (Stas) - -- Postgres: - . Fixed bug #68741 (Null pointer dereference). (CVE-2015-1352) (Laruence) - -- SOAP: - . Fixed bug #69152 (Type Confusion Infoleak Vulnerability in unserialize() - with SoapFault). (Dmitry) - . Fixed bug #69293 (NEW segfault when using SoapClient::__setSoapHeader - (bisected, regression)). (Laruence) - -- SPL: - . Fixed bug #69227 (Use after free in zval_scan caused by - spl_object_storage_get_gc). (adam dot scarr at 99designs dot com) - -- Sqlite3: - . Fixed bug #68760 (SQLITE segfaults if custom collator throws an exception). - (Dan Ackroyd) - . Fixed bug #69287 (Upgrade bundled libsqlite to 3.8.8.3). (Anatol) - . Fixed bug #66550 (SQLite prepared statement use-after-free). (Sean Heelan) - -19 Mar 2015, PHP 5.6.7 - -- Core: - . Fixed bug #69174 (leaks when unused inner class use traits precedence). - (Laruence) - . Fixed bug #69139 (Crash in gc_zval_possible_root on unserialize). - (Laruence) - . 
Fixed bug #69121 (Segfault in get_current_user when script owner is not - in passwd with ZTS build). (dan at syneto dot net) - . Fixed bug #65593 (Segfault when calling ob_start from output buffering - callback). (Mike) - . Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file - not validated in memory.c). (nayana at ddproperty dot com) - . Fixed bug #68166 (Exception with invalid character causes segv). (Rasmus) - . Fixed bug #69141 (Missing arguments in reflection info for some builtin - functions). (kostyantyn dot lysyy at oracle dot com) - . Fixed bug #68976 (Use After Free Vulnerability in unserialize()). - (CVE-2015-2787) (Stas) - . Fixed bug #69134 (Per Directory Values overrides PHP_INI_SYSTEM - configuration options). (Anatol Belski) - . Fixed bug #69207 (move_uploaded_file allows nulls in path). (CVE-2015-2348) - (Stas) - -- CGI: - . Fixed bug #69015 (php-cgi's getopt does not see $argv). (Laruence) - -- CLI: - . Fixed bug #67741 (auto_prepend_file messes up __LINE__). (Reeze Xia) - -- cURL: - . Fixed bug #69088 (PHP_MINIT_FUNCTION does not fully initialize cURL on - Win32). (Grant Pannell) - . Add CURLPROXY_SOCKS4A and CURLPROXY_SOCKS5_HOSTNAME constants if supported - by libcurl. (Linus Unneback) - -- Ereg: - . Fixed bug #69248 (heap overflow vulnerability in regcomp.c). (CVE-2015-2305) - (Stas) - -- FPM: - . Fixed bug #68822 (request time is reset too early). (honghu069 at 163 dot com) - -- ODBC: - . Fixed bug #68964 (Allowed memory size exhausted with odbc_exec). (Anatol) - -- Opcache: - . Fixed bug #69159 (Opcache causes problem when passing a variable variable - to a function). (Dmitry, Laruence) - . Fixed bug #69125 (Array numeric string as key). (Laruence) - . Fixed bug #69038 (switch(SOMECONSTANT) misbehaves). (Laruence) + . Fixed bug #69720 (Null pointer dereference in phar_get_fp_offset()). (Stas) + . FIxed bug #70433 (Uninitialized pointer in phar_make_dirstream when zip + entry filename is "/"). (Stas) + . 
Improved fix for bug #69441. (Anatol Belski) + . Fixed bug #70019 (Files extracted from archive may be placed outside of + destination directory). (Anatol Belski) -- OpenSSL: - . Fixed bug #68912 (Segmentation fault at openssl_spki_new). (Laruence) - . Fixed bug #61285, #68329, #68046, #41631 (encrypted streams don't observe - socket timeouts). (Brad Broerman) - . Fixed bug #68920 (use strict peer_fingerprint input checks) - (Daniel Lowrey) - . Fixed bug #68879 (IP Address fields in subjectAltNames not used) - (Daniel Lowrey) - . Fixed bug #68265 (SAN match fails with trailing DNS dot) (Daniel Lowrey) - . Fixed bug #67403 (Add signatureType to openssl_x509_parse) (Daniel Lowrey) - . Fixed bug (#69195 Inconsistent stream crypto values across versions) - (Daniel Lowrey) +- Phpdbg: + . Fixed bug #70614 (incorrect exit code in -rr mode with Exceptions). (Bob) + . Fixed bug #70532 (phpdbg must respect set_exception_handler). (Bob) + . Fixed bug #70531 (Run and quit mode (-qrr) should not fallback to + interactive mode). (Bob) + . Fixed bug #70533 (Help overview (-h) does not rpint anything under Windows). + (Anatol) + . Fixed bug #70449 (PHP won't compile on 10.4 and 10.5 because of missing + constants). (Bob) + . Fixed bug #70214 (FASYNC not defined, needs sys/file.h include). (Bob) + . Fixed bug #70138 (Segfault when displaying memory leaks). (Bob) -- pgsql: - . Fixed bug #68638 (pg_update() fails to store infinite values). - (william dot welter at 4linux dot com dot br, Laruence) +- Reflection: + . Fixed bug #70650 (Wrong docblock assignment). (Marcio) + . Fixed bug #70674 (ReflectionFunction::getClosure() leaks memory when used + for internal functions). (Dmitry, Bob) + . Fixed bug causing bogus traces for ReflectionGenerator::getTrace(). (Bob) + . Fixed inheritance chain of Reflector interface. (Tjerk) + . Added ReflectionGenerator class. (Bob) + . Added reflection support for return types and type declarations. (Sara, + Matteo) -- Readline: - . 
Fixed bug #69054 (Null dereference in readline_(read|write)_history() without - parameters). (Laruence) +- Session: + . Fixed bug #70876 (Segmentation fault when regenerating session id with + strict mode). (Laruence) + . Fixed bug #70529 (Session read causes "String is not zero-terminated" error). + (Yasuo) + . Fixed bug #70013 (Reference to $_SESSION is lost after a call to + session_regenerate_id()). (Yasuo) + . Fixed bug #69952 (Data integrity issues accessing superglobals by + reference). (Bob) + . Fixed bug #67694 (Regression in session_regenerate_id()). (Tjerk) + . Fixed bug #68941 (mod_files.sh is a bash-script). (bugzilla at ii.nl, Yasuo) - SOAP: - . Fixed bug #69085 (SoapClient's __call() type confusion through - unserialize()). (CVE-2015-4147, CVE-2015-4148) (andrea dot palazzo at truel - dot it, Laruence) - -- SPL: - . Fixed bug #69108 ("Segmentation fault" when (de)serializing - SplObjectStorage). (Laruence) - . Fixed bug #68557 (RecursiveDirectoryIterator::seek(0) broken after - calling getChildren()). (Julien) - -- ZIP: - . Fixed bug #69253 (ZIP Integer Overflow leads to writing past heap - boundary). (CVE-2015-2331) (Stas) - -19 Feb 2015, PHP 5.6.6 - -- Core: - . Removed support for multi-line headers, as the are deprecated by RFC 7230. + . Fixed bug #70940 (Segfault in soap / type_to_string). (Remi) + . Fixed bug #70900 (SoapClient systematic out of memory error). (Dmitry) + . Fixed bug #70875 (Segmentation fault if wsdl has no targetNamespace + attribute). (Matteo) + . Fixed bug #70715 (Segmentation fault inside soap client). (Laruence) + . Fixed bug #70709 (SOAP Client generates Segfault). (Laruence) + . Fixed bug #70388 (SOAP serialize_function_call() type confusion / RCE). (Stas) - . Fixed bug #67068 (getClosure returns somethings that's not a closure). - (Danack at basereality dot com) - . Fixed bug #68942 (Use after free vulnerability in unserialize() with - DateTimeZone). (CVE-2015-0273) (Stas) - . 
Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname - buffer overflow). (Stas) - . Fixed Bug #67988 (htmlspecialchars() does not respect default_charset - specified by ini_set) (Yasuo) - . Added NULL byte protection to exec, system and passthru. (Yasuo) - -- Dba: - . Fixed bug #68711 (useless comparisons). (bugreports at internot dot info) - -- Enchant: - . Fixed bug #68552 (heap buffer overflow in enchant_broker_request_dict()). - (CVE-2014-9705) (Antony) - -- Fileinfo: - . Fixed bug #68827 (Double free with disabled ZMM). (Joshua Rogers) - . Fixed bug #67647 (Bundled libmagic 5.17 does not detect quicktime files - correctly). (Anatol) - . Fixed bug #68731 (finfo_buffer doesn't extract the correct mime with some - gifs). (Anatol) - -- FPM: - . Fixed bug #66479 (Wrong response to FCGI_GET_VALUES). (Frank Stolle) - . Fixed bug #68571 (core dump when webserver close the socket). - (redfoxli069 at gmail dot com, Laruence) - -- JSON: - . Fixed bug #50224 (json_encode() does not always encode a float as a float) - by adding JSON_PRESERVE_ZERO_FRACTION. (Juan Basso) - -- LIBXML: - . Fixed bug #64938 (libxml_disable_entity_loader setting is shared - between threads). (Martin Jansen) - -- Mysqli: - . Fixed bug #68114 (linker error on some OS X machines with fixed - width decimal support) (Keyur Govande) - . Fixed bug #68657 (Reading 4 byte floats with Mysqli and libmysqlclient - has rounding errors) (Keyur Govande) - -- Opcache: - . Fixed bug with try blocks being removed when extended_info opcode - generation is turned on. (Laruence) - -- PDO_mysql: - . Fixed bug #68750 (PDOMysql with mysqlnd does not allow the usage of - named pipes). (steffenb198 at aol dot com) - -- Phar: - . Fixed bug #68901 (use after free). (CVE-2015-2301) - (bugreports at internot dot info) - -- Pgsql: - . Fixed Bug #65199 (pg_copy_from() modifies input array variable) (Yasuo) + . 
Fixed bug #70081 (SoapClient info leak / null pointer dereference via + multiple type confusions). (Stas) + . Fixed bug #70079 (Segmentation fault after more than 100 SoapClient + calls). (Laruence) + . Fixed bug #70032 (make_http_soap_request calls + zend_hash_get_current_key_ex(,,,NULL). (Laruence) + . Fixed bug #68361 (Segmentation fault on SoapClient::__getTypes). (Laruence) -- Session: - . Fixed bug #68941 (mod_files.sh is a bash-script) (bugzilla at ii.nl, Yasuo) - . Fixed Bug #66623 (no EINTR check on flock) (Yasuo) - . Fixed bug #68063 (Empty session IDs do still start sessions) (Yasuo) +- SPL: + . Fixed bug #70959 (ArrayObject unserialize does not restore protected + fields). (Laruence) + . Fixed bug #70853 (SplFixedArray throws exception when using ref variable + as index). (Laruence) + . Fixed bug #70868 (PCRE JIT and pattern reuse segfault). (Laruence) + . Fixed bug #70730 (Incorrect ArrayObject serialization if unset is called + in serialize()). (Laruence) + . Fixed bug #70573 (Cloning SplPriorityQueue leads to memory leaks). (Dmitry) + . Fixed bug #70303 (Incorrect constructor reflection for ArrayObject). (cmb) + . Fixed bug #70068 (Dangling pointer in the unserialization of ArrayObject + items). (sean.heelan) + . Fixed bug #70166 (Use After Free Vulnerability in unserialize() with + SPLArrayObject). (taoguangchen at icloud dot com) + . Fixed bug #70168 (Use After Free Vulnerability in unserialize() with + SplObjectStorage). (taoguangchen at icloud dot com) + . Fixed bug #70169 (Use After Free Vulnerability in unserialize() with + SplDoublyLinkedList). (taoguangchen at icloud dot com) + . Fixed bug #70053 (MutlitpleIterator array-keys incompatible change in + PHP 7). (Tjerk) + . Fixed bug #69970 (Use-after-free vulnerability in + spl_recursive_it_move_forward_ex()). (Laruence) + . Fixed bug #69845 (ArrayObject with ARRAY_AS_PROPS broken). (Dmitry) + . Changed ArrayIterator implementation using zend_hash_iterator_... API. 
+ Allowed modification of iterated ArrayObject using the same behavior + as proposed in `Fix "foreach" behavior`. Removed "Array was modified + outside object and internal position is no longer valid" hack. (Dmitry) + . Implemented FR #67886 (SplPriorityQueue/SplHeap doesn't expose extractFlags + nor curruption state). (Julien) + . Fixed bug #66405 (RecursiveDirectoryIterator::CURRENT_AS_PATHNAME + breaks the RecursiveIterator). (Paul Garvin) -- Sqlite3: - . Fixed bug #68260 (SQLite3Result::fetchArray declares wrong +- SQLite3: + . Fixed bug #70571 (Memory leak in sqlite3_do_callback). (Adam) + . Fixed bug #69972 (Use-after-free vulnerability in + sqlite3SafetyCheckSickOrOk()). (Laruence) + . Fixed bug #69897 (segfault when manually constructing SQLite3Result). + (Kalle) + . Fixed bug #68260 (SQLite3Result::fetchArray declares wrong required_num_args). (Julien) - Standard:
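Review bot: The Phar and SPL entries that survive the merge carry no CVE identifiers, although the removed PHP-5.6 lines for the same bugs did and the ODBC entry in this same hunk gains one in the merge resolution. The removed lines tag bug #70019 with CVE-2015-6833, #70068 with CVE-2015-6832, and #70166, #70168 and #70169 with CVE-2015-6831; the added lines for those five bugs end in the author credit only, whereas #69975 is resolved to "columns). (CVE-2015-8879) (cmb)" and #70014 keeps CVE-2015-8867. Suggest carrying the CVE ids over to the retained Phar and SPL entries so the security fixes can still be found by CVE in NEWS. Separately, the added PCRE section lists bug #70232 (Incorrect bump-along behavior with \K and empty string match) twice; one of the two entries can be dropped.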