From: Stanislav Malyshev
Date: Tue, 24 May 2016 23:35:12 +0000 (-0700)
Subject: Merge branch 'PHP-5.5' into PHP-5.6.22
X-Git-Tag: php-5.6.22~3
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=544940c48a6b39226d4af6a9033a53b2086de709;p=php

Merge branch 'PHP-5.5' into PHP-5.6.22

* PHP-5.5:
  Fix memory leak in imagescale()
  Update NEWS
  Better fix for bug #72135
  Fixed bug #72227: imagescale out-of-bounds read
  Fix bug #72241: get_icu_value_internal out-of-bounds read
  Fix bug #72135 - don't create strings with lengths outside int range
  Add check for string overflow to all string add operations
  Fix bug #72114 - int/size_t confusion in fread
  Updated NEWS
  Fixed bug #71331 - Uninitialized pointer in phar_make_dirstream()

Conflicts:
	Zend/zend_operators.c
	ext/phar/dirstream.c
	ext/phar/tests/bug71331.phpt
---
544940c48a6b39226d4af6a9033a53b2086de709
diff --cc Zend/zend_operators.c
index b8a8b5f234,2f1394f78d..450153ffec
--- a/Zend/zend_operators.c
+++ b/Zend/zend_operators.c
@@@ -1397,8 -1252,18 +1397,14 @@@ ZEND_API int shift_right_function(zval
  ZEND_API int add_char_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
  {
  int length = Z_STRLEN_P(op1) + 1;
- char *buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+ char *buf;
+
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR, "String size overflow");
+ }
+
- if (IS_INTERNED(Z_STRVAL_P(op1))) {
- buf = (char *) emalloc(length + 1);
- memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
- } else {
- buf = (char *) erealloc(Z_STRVAL_P(op1), length + 1);
- }
++ buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+ buf[length - 1] = (char) Z_LVAL_P(op2);
  buf[length] = 0;
  ZVAL_STRINGL(result, buf, length, 0);
@@@ -1410,8 -1275,17 +1416,14 @@@
  ZEND_API int add_string_to_string(zval *result, const zval *op1, const zval *op2) /* {{{ */
  {
  int length = Z_STRLEN_P(op1) + Z_STRLEN_P(op2);
- char *buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+ char *buf;
+
+ if (UNEXPECTED(length < 0)) {
+ zend_error(E_ERROR,
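Review bot: The new guard in add_char_to_string runs after the addition, so `int length = Z_STRLEN_P(op1) + 1;` has already overflowed a signed int when op1 is INT_MAX bytes long, which is undefined behaviour, and `length < 0` then depends on wraparound the compiler may assume never happens; the `length + 1` handed to str_erealloc can also overflow a second time while `length` is still positive. Testing the operand before the arithmetic avoids both, e.g. declare `int length;` and then `if (UNEXPECTED(Z_STRLEN_P(op1) > INT_MAX - 2)) { zend_error(E_ERROR, "String size overflow"); }` followed by `length = Z_STRLEN_P(op1) + 1;` (INT_MAX from limits.h). The same pattern appears in add_string_to_string in the next hunk, where the pre-check would be `Z_STRLEN_P(op2) > INT_MAX - 1 - Z_STRLEN_P(op1)`. Both guards also assume zend_error(E_ERROR) does not return, which is presumably the engine's bailout behaviour but is not visible in this diff. add_char_to_string's body continues past the end of the hunk.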
"String size overflow");
+ }
- if (IS_INTERNED(Z_STRVAL_P(op1))) {
- buf = (char *) emalloc(length+1);
- memcpy(buf, Z_STRVAL_P(op1), Z_STRLEN_P(op1));
- } else {
- buf = (char *) erealloc(Z_STRVAL_P(op1), length+1);
- }
++
++ buf = str_erealloc(Z_STRVAL_P(op1), length + 1);
+ memcpy(buf + Z_STRLEN_P(op1), Z_STRVAL_P(op2), Z_STRLEN_P(op2));
  buf[length] = 0;
  ZVAL_STRINGL(result, buf, length, 0);