From: Stanislav Malyshev Date: Wed, 2 Mar 2016 07:01:48 +0000 (-0800) Subject: Merge branch 'PHP-5.6.19' into PHP-7.0.4 X-Git-Tag: php-7.0.4~2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=90a0cbd59470dcc81f57c66698f05158149d2980;p=php Merge branch 'PHP-5.6.19' into PHP-7.0.4 * PHP-5.6.19: fix test file Fix version update NEWS Update NEWS Fix bug #71498: Out-of-Bound Read in phar_parse_zipfile() fix ts buld prep for 5.6.19RC1 5.6.20 is next Fixed bug #71587 - Use-After-Free / Double-Free in WDDX Deserialize Conflicts: configure.in ext/wddx/wddx.c main/php_version.h --- 90a0cbd59470dcc81f57c66698f05158149d2980 diff --cc ext/wddx/wddx.c index ca7b711682,22ff535c63..539ed57662 --- a/ext/wddx/wddx.c +++ b/ext/wddx/wddx.c @@@ -870,18 -927,31 +870,28 @@@ static void php_wddx_pop_element(void * return; } - if (!strcmp(name, EL_STRING) || !strcmp(name, EL_NUMBER) || - !strcmp(name, EL_BOOLEAN) || !strcmp(name, EL_NULL) || - !strcmp(name, EL_ARRAY) || !strcmp(name, EL_STRUCT) || - !strcmp(name, EL_RECORDSET) || !strcmp(name, EL_BINARY) || - !strcmp(name, EL_DATETIME)) { + if (!strcmp((char *)name, EL_STRING) || !strcmp((char *)name, EL_NUMBER) || + !strcmp((char *)name, EL_BOOLEAN) || !strcmp((char *)name, EL_NULL) || + !strcmp((char *)name, EL_ARRAY) || !strcmp((char *)name, EL_STRUCT) || + !strcmp((char *)name, EL_RECORDSET) || !strcmp((char *)name, EL_BINARY) || + !strcmp((char *)name, EL_DATETIME)) { wddx_stack_top(stack, (void**)&ent1); + if (!ent1->data) { + if (stack->top > 1) { + stack->top--; + } else { + stack->done = 1; + } + efree(ent1); + return; + } + - if (!strcmp(name, EL_BINARY)) { - int new_len=0; - unsigned char *new_str; - - new_str = php_base64_decode(Z_STRVAL_P(ent1->data), Z_STRLEN_P(ent1->data), &new_len); - STR_FREE(Z_STRVAL_P(ent1->data)); - Z_STRVAL_P(ent1->data) = new_str; - Z_STRLEN_P(ent1->data) = new_len; + if (!strcmp((char *)name, EL_BINARY)) { + zend_string *new_str = php_base64_decode( + (unsigned char 
*)Z_STRVAL(ent1->data), Z_STRLEN(ent1->data)); + zval_ptr_dtor(&ent1->data); + ZVAL_STR(&ent1->data, new_str); } /* Call __wakeup() method on the object. */ @@@ -962,9 -1038,10 +972,10 @@@ } else { stack->done = 1; } - } else if (!strcmp(name, EL_VAR) && stack->varname) { + } else if (!strcmp((char *)name, EL_VAR) && stack->varname) { efree(stack->varname); + stack->varname = NULL; - } else if (!strcmp(name, EL_FIELD)) { + } else if (!strcmp((char *)name, EL_FIELD)) { st_entry *ent; wddx_stack_top(stack, (void **)&ent); efree(ent); @@@ -1000,16 -1094,16 +1011,16 @@@ static void php_wddx_process_data(void break; case ST_BOOLEAN: - if (!strcmp(s, "true")) { - Z_LVAL_P(ent->data) = 1; - } else if (!strcmp(s, "false")) { - Z_LVAL_P(ent->data) = 0; + if (!strcmp((char *)s, "true")) { + Z_LVAL(ent->data) = 1; + } else if (!strcmp((char *)s, "false")) { + Z_LVAL(ent->data) = 0; } else { - stack->top--; zval_ptr_dtor(&ent->data); - if (ent->varname) + if (ent->varname) { efree(ent->varname); - efree(ent); + } + ent->data = NULL; } break;
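Review bot: The new guard `if (!ent1->data)` treats `data` as a pointer, while the surrounding new-side lines use it as an embedded zval (`Z_STRVAL(ent1->data)`, `zval_ptr_dtor(&ent1->data)`, `ZVAL_STR(&ent1->data, new_str)`); st_entry is declared outside the hunk, but if `data` is a zval by value on this branch the check should be `if (Z_TYPE(ent1->data) == IS_UNDEF)`. The same mismatch appears in the php_wddx_process_data hunk, where `ent->data = NULL;` would need to be `ZVAL_UNDEF(&ent->data);` for this guard to recognise the cleared entry. Separately, the EL_BINARY branch stores the result of php_base64_decode() with `ZVAL_STR` unchecked; if the decoder can return NULL for malformed input (its contract is not visible here), the entry becomes a string zval with a null pointer, so `if (new_str) ZVAL_STR(&ent1->data, new_str); else ZVAL_EMPTY_STRING(&ent1->data);` would be safer. php_wddx_pop_element starts and continues outside the hunk.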
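Review bot: In the ST_BOOLEAN error branch `ent->varname` is freed but not cleared, and because this change no longer pops and frees the entry (`stack->top--` and `efree(ent)` are gone), the entry stays on the stack holding a dangling `varname`. Any later path that reads or frees `ent->varname` for this entry (outside this hunk, so to be confirmed) would then be a use-after-free or double free reachable from untrusted WDDX input. Adding `ent->varname = NULL;` directly after `efree(ent->varname);` closes that, and matches the `stack->varname = NULL;` this commit adds after the EL_VAR `efree`. The enclosing switch and the rest of php_wddx_process_data lie outside the hunk.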