From: Stanislav Malyshev <stas@php.net>
Date: Tue, 29 Mar 2016 06:55:05 +0000 (-0700)
Subject: Merge branch 'PHP-5.5' into PHP-7.0.5
X-Git-Tag: php-7.0.5~5
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=67fbb0631109bf0dd82986a93838de0907a86869;p=php

Merge branch 'PHP-5.5' into PHP-7.0.5

* PHP-5.5:
  Fixed bug #71704 php_snmp_error() Format String Vulnerability
  Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
  Fixed bug #71906: AddressSanitizer: negative-size-param (-1) in mbfl_strcut
  Fix bug #71798 - Integer Overflow in php_raw_url_encode
  Fix bug #71860: Require valid paths for phar filenames
  Going for 5.5.34

Conflicts:
	configure.in
	ext/phar/phar_object.c
	ext/phar/tests/badparameters.phpt
	ext/phar/tests/create_path_error.phpt
	ext/phar/tests/pharfileinfo_construct.phpt
	ext/snmp/snmp.c
	ext/standard/url.c
	main/php_version.h
---

67fbb0631109bf0dd82986a93838de0907a86869
diff --cc ext/phar/phar.c
index 08f480d303,17b0affd86..860f5132d4
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@@ -2194,12 -2259,12 +2194,16 @@@ int phar_split_fname(const char *filena
  #ifdef PHP_WIN32
  	char *save;
  #endif
 -	int ext_len, free_filename = 0;
 +	int ext_len;
 +
 +	if (CHECK_NULL_PATH(filename, filename_len)) {
 +		return FAILURE;
 +	}
  
+ 	if (CHECK_NULL_PATH(filename, filename_len)) {
+ 		return FAILURE;
+ 	}
+ 
  	if (!strncasecmp(filename, "phar://", 7)) {
  		filename += 7;
  		filename_len -= 7;
diff --cc ext/standard/url.c
index 0138e4203f,27a216a5e0..b7fd188699
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@@ -606,27 -597,27 +606,27 @@@ PHPAPI size_t php_url_decode(char *str
  
  /* {{{ php_raw_url_encode
   */
 -PHPAPI char *php_raw_url_encode(char const *s, int len, int *new_length)
 +PHPAPI zend_string *php_raw_url_encode(char const *s, size_t len)
  {
- 	register int x, y;
+ 	register size_t x, y;
 -	unsigned char *str;
 +	zend_string *str;
  
 -	str = (unsigned char *) safe_emalloc(3, len, 1);
 +	str = zend_string_alloc(3 * len, 0);
  	for (x = 0, y = 0; len--; x++, y++) {
 -		str[y] = (unsigned char) s[x];
 +		ZSTR_VAL(str)[y] = (unsigned char) s[x];
  #ifndef CHARSET_EBCDIC
 -		if ((str[y] < '0' && str[y] != '-' && str[y] != '.') ||
 -			(str[y] < 'A' && str[y] > '9') ||
 -			(str[y] > 'Z' && str[y] < 'a' && str[y] != '_') ||
 -			(str[y] > 'z' && str[y] != '~')) {
 -			str[y++] = '%';
 -			str[y++] = hexchars[(unsigned char) s[x] >> 4];
 -			str[y] = hexchars[(unsigned char) s[x] & 15];
 +		if ((ZSTR_VAL(str)[y] < '0' && ZSTR_VAL(str)[y] != '-' && ZSTR_VAL(str)[y] != '.') ||
 +			(ZSTR_VAL(str)[y] < 'A' && ZSTR_VAL(str)[y] > '9') ||
 +			(ZSTR_VAL(str)[y] > 'Z' && ZSTR_VAL(str)[y] < 'a' && ZSTR_VAL(str)[y] != '_') ||
 +			(ZSTR_VAL(str)[y] > 'z' && ZSTR_VAL(str)[y] != '~')) {
 +			ZSTR_VAL(str)[y++] = '%';
 +			ZSTR_VAL(str)[y++] = hexchars[(unsigned char) s[x] >> 4];
 +			ZSTR_VAL(str)[y] = hexchars[(unsigned char) s[x] & 15];
  #else /*CHARSET_EBCDIC*/
 -		if (!isalnum(str[y]) && strchr("_-.~", str[y]) != NULL) {
 -			str[y++] = '%';
 -			str[y++] = hexchars[os_toascii[(unsigned char) s[x]] >> 4];
 -			str[y] = hexchars[os_toascii[(unsigned char) s[x]] & 15];
 +		if (!isalnum(ZSTR_VAL(str)[y]) && strchr("_-.~", ZSTR_VAL(str)[y]) != NULL) {
 +			ZSTR_VAL(str)[y++] = '%';
 +			ZSTR_VAL(str)[y++] = hexchars[os_toascii[(unsigned char) s[x]] >> 4];
 +			ZSTR_VAL(str)[y] = hexchars[os_toascii[(unsigned char) s[x]] & 15];
  #endif /*CHARSET_EBCDIC*/
  		}
  	}