From: Stanislav Malyshev Date: Tue, 21 Jun 2016 07:01:48 +0000 (-0700) Subject: Merge branch 'PHP-5.5' into PHP-5.6.23 X-Git-Tag: php-5.6.23~6 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7dde353ee79fcee73873cc19e1124704b94bd366;p=php Merge branch 'PHP-5.5' into PHP-5.6.23 * PHP-5.5: Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow update NEWS fix tests fix build Fix bug #72455: Heap Overflow due to integer overflows Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize Fix bug #72407: NULL Pointer Dereference at _gdScaleVert Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free Fix bug #72298 pass2_no_dither out-of-bounds access Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow Fix bug #72262 - do not overflow int Fix bug #72400 and #72403 - prevent signed int overflows for string lengths Fix bug #72275: don't allow smart_str to overflow int Fix bug #72340: Double Free Courruption in wddx_deserialize update NEWS Fix #66387: Stack overflow with imagefilltoborder Skip test which is 64bits only 5.5.37 now Conflicts: configure.in ext/mcrypt/mcrypt.c ext/spl/spl_directory.c main/php_version.h --- 7dde353ee79fcee73873cc19e1124704b94bd366 diff --cc ext/spl/spl_directory.c index e60078a539,7718fe42d7..73a2d70acc --- a/ext/spl/spl_directory.c +++ b/ext/spl/spl_directory.c @@@ -2608,14 -2585,8 +2608,14 @@@ SPL_METHOD(SplFileObject, fgetcsv char delimiter = intern->u.file.delimiter, enclosure = intern->u.file.enclosure, escape = intern->u.file.escape; char *delim = NULL, *enclo = NULL, *esc = NULL; int d_len = 0, e_len = 0, esc_len = 0; - + if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "|sss", &delim, &d_len, &enclo, &e_len, &esc, &esc_len) == SUCCESS) { + + if(!intern->u.file.stream) { + zend_throw_exception_ex(spl_ce_RuntimeException, 0 
TSRMLS_CC, "Object not initialized"); + return; + } + switch(ZEND_NUM_ARGS()) { case 3: @@@ -2996,14 -2919,9 +3000,14 @@@ SPL_METHOD(SplFileObject, seek if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "l", &line_pos) == FAILURE) { return; } + if(!intern->u.file.stream) { + zend_throw_exception_ex(spl_ce_RuntimeException, 0 TSRMLS_CC, "Object not initialized"); + return; + } + if (line_pos < 0) { zend_throw_exception_ex(spl_ce_LogicException, 0 TSRMLS_CC, "Can't seek file %s to negative line %ld", intern->file_name, line_pos); - RETURN_FALSE; + RETURN_FALSE; } spl_filesystem_file_rewind(getThis(), intern TSRMLS_CC); @@@ -3058,12 -2976,11 +3062,12 @@@ ZEND_BEGIN_ARG_INFO_EX(arginfo_file_obj ZEND_ARG_INFO(0, allowable_tags) ZEND_END_ARG_INFO() -ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fscanf, 1, 0, 1) +ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fscanf, 0, 0, 1) ZEND_ARG_INFO(0, format) + ZEND_ARG_VARIADIC_INFO(1, vars) ZEND_END_ARG_INFO() - ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fwrite, 0, 0, 1) + ZEND_BEGIN_ARG_INFO_EX(arginfo_file_object_fwrite, 0, 0, 1) ZEND_ARG_INFO(0, str) ZEND_ARG_INFO(0, length) ZEND_END_ARG_INFO() diff --cc ext/standard/url.c index b34f16a518,fc3f080a41..4b52000f64 --- a/ext/standard/url.c +++ b/ext/standard/url.c @@@ -314,13 -314,13 +314,13 @@@ PHPAPI php_url *php_url_parse_ex(char c if (e == ue) { return ret; } - + s = e; - + nohost: - + if ((p = memchr(s, '?', (ue - s)))) { - pp = strchr(s, '#'); + pp = memchr(s, '#', (ue - s)); if (pp && pp < p) { if (pp - s) {
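Review bot: The `if(!intern->u.file.stream)` guard added in the fgetcsv hunk is written out by hand, and the same four lines appear again in the seek hunk further down. This guard is the only thing stopping a method from reaching stream code when no stream is open, so any stream-using SplFileObject method that lacks a copy stays exposed to a NULL stream. A single file-local helper or macro called at the top of each such method would make an omission easy to spot in review. In fgetcsv the check sits inside the `zend_parse_parameters(...) == SUCCESS` branch, so a short comment such as `/* stream is NULL if the object was never opened */` would explain its placement; that reading is inferred from the exception text and should be confirmed against the constructor. Both method bodies start and end outside the hunks shown.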
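Review bot: In the seek hunk the new uninitialized-stream path exits with a bare `return;`, while the negative-line path just below throws and then uses `RETURN_FALSE;`. With an exception pending the difference is probably not observable to the caller, but two throw-and-exit paths a few lines apart should read the same, so pick one form for both. The new line is also written `if(!intern->u.file.stream)` without the space used in `if (line_pos < 0)` directly after it. The body of seek continues past the end of the hunk.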