From: Stanislav Malyshev Date: Tue, 20 Jan 2015 18:41:59 +0000 (-0800) Subject: Merge branch 'PHP-5.6' X-Git-Tag: PRE_PHP7_REMOVALS~25^2~69 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=b16fdebcf8f59e5aa09c11782c05224762ca835e;p=php Merge branch 'PHP-5.6' * PHP-5.6: 5.4.38 next Updated NEWS Updated NEWS Fix bug #68711 Remove useless checks. 'num' is unsigned and cannot be <0. Fix bug #68799: Free called on unitialized pointer Fix for bug #68710 (Use After Free Vulnerability in PHP's unserialize()) Conflicts: ext/exif/exif.c ext/standard/var_unserializer.c ext/standard/var_unserializer.re --- b16fdebcf8f59e5aa09c11782c05224762ca835e diff --cc ext/exif/exif.c index d889db06fd,5504545b9b..0e25a05cf2 --- a/ext/exif/exif.c +++ b/ext/exif/exif.c @@@ -2692,19 -2689,19 +2692,19 @@@ static int exif_process_user_comment(im /* {{{ exif_process_unicode * Process unicode field in IFD. */ -static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC) +static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount) { - xp_field->tag = tag; + xp_field->tag = tag; - + xp_field->value = NULL; /* XXX this will fail again if encoding_converter returns on error something different than SIZE_MAX */ if (zend_multibyte_encoding_converter( - (unsigned char**)&xp_field->value, - &xp_field->size, + (unsigned char**)&xp_field->value, + &xp_field->size, (unsigned char*)szValuePtr, ByteCount, - zend_multibyte_fetch_encoding(ImageInfo->encode_unicode TSRMLS_CC), - zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le TSRMLS_CC) - TSRMLS_CC) == (size_t)-1) { + zend_multibyte_fetch_encoding(ImageInfo->encode_unicode), + zend_multibyte_fetch_encoding(ImageInfo->motorola_intel ? 
ImageInfo->decode_unicode_be : ImageInfo->decode_unicode_le) + ) == (size_t)-1) { xp_field->size = exif_process_string_raw(&xp_field->value, szValuePtr, ByteCount); } return xp_field->size;
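Review bot: In exif_process_unicode the added `xp_field->value = NULL;` initializes only half of the (value, size) pair; `xp_field->size` keeps whatever the caller left in it until the converter or the fallback writes it. The XXX comment already concedes that the fallback runs only when zend_multibyte_encoding_converter returns exactly `(size_t)-1`, so any other failure return could leave a NULL value next to a size this function never set, and that size is what is returned. Adding `xp_field->size = 0;` directly after the NULL assignment would keep the pair consistent on every path. The function returns `int` while the size is compared against `(size_t)-1`, so the field is presumably a size_t and the narrowing at `return xp_field->size;` is worth confirming against the callers; the function's closing brace lies outside the hunk.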