From: Stanislav Malyshev <stas@php.net>
Date: Tue, 20 Jan 2015 18:41:59 +0000 (-0800)
Subject: Merge branch 'PHP-5.6'
X-Git-Tag: PRE_PHP7_REMOVALS~25^2~69
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b16fdebcf8f59e5aa09c11782c05224762ca835e;p=php

Merge branch 'PHP-5.6'

* PHP-5.6:
  5.4.38 next
  Updated NEWS
  Updated NEWS
  Fix bug #68711 Remove useless checks. 'num' is unsigned and cannot be <0.
  Fix bug #68799: Free called on unitialized pointer
  Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize())

Conflicts:
	ext/exif/exif.c
	ext/standard/var_unserializer.c
	ext/standard/var_unserializer.re
---

b16fdebcf8f59e5aa09c11782c05224762ca835e
diff --cc ext/exif/exif.c
index d889db06fd,5504545b9b..0e25a05cf2
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@@ -2692,19 -2689,19 +2692,19 @@@ static int exif_process_user_comment(im
  
  /* {{{ exif_process_unicode
   * Process unicode field in IFD. */
 -static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
 +static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount)
  {
 -	xp_field->tag = tag;	
 +	xp_field->tag = tag;
- 
+ 	xp_field->value = NULL;
  	/* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX   */
  	if (zend_multibyte_encoding_converter(
 -			(unsigned char**)&xp_field->value, 
 -			&xp_field->size, 
 +			(unsigned char**)&xp_field->value,
 +			&xp_field->size,
  			(unsigned char*)szValuePtr,
  			ByteCount,
 -			zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC),
 -			zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC)
 -			TSRMLS_CC) == (size_t)-1) {
 +			zend_multibyte_fetch_encoding(ImageInfo->encode_unicode),
 +			zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le)
 +			) == (size_t)-1) {
  		xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount);
  	}
  	return xp_field->size;