From: Christoph M. Becker <cmbecker69@gmx.de>
Date: Fri, 30 Sep 2016 09:40:10 +0000 (+0200)
Subject: Merge branch 'PHP-5.6' into PHP-7.0
X-Git-Tag: php-7.1.0RC4~106^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=dd937129113fb0cc435c579e8308218d119d9726;p=php

Merge branch 'PHP-5.6' into PHP-7.0
---

dd937129113fb0cc435c579e8308218d119d9726
diff --cc NEWS
index 0848c2e964,fae5b65ccd..d4b7873683
--- a/NEWS
+++ b/NEWS
@@@ -1,29 -1,18 +1,32 @@@
  PHP                                                                        NEWS
  |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 -?? ??? 2016, PHP 5.6.28
 +?? ??? 2016 PHP 7.0.13
 +
 +- Core:
 +  . Fixed bug #73181 (parse_str() without a second argument leads to crash).
 +    (Nikita)
  
+ - Standard:
+   . Fixed bug #73203 (passing additional_parameters causes mail to fail). (cmb)
+ 
 -13 Oct 2016, PHP 5.6.27
 +13 Oct 2016 PHP 7.0.12
  
  - Core:
 +  . Fixed bug #73067 (__debugInfo crashes when throwing an exception).
 +    (Laruence)
    . Fixed bug #73025 (Heap Buffer Overflow in virtual_popen of
      zend_virtual_cwd.c). (cmb)
 -  . Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
    . Fixed bug #72703 (Out of bounds global memory read in BF_crypt triggered by
      password_verify). (Anatol)
 +  . Fixed bug #73058 (crypt broken when salt is 'too' long). (Anatol)
 +  . Fixed bug #69579 (Invalid free in extension trait). (John Boehr)
 +  . Fixed bug #73156 (segfault on undefined function). (Dmitry)
 +  . Fixed bug #73163 (PHP hangs if error handler throws while accessing undef
 +    const in default value). (Nikita)
 +  . Fixed bug #73172 (parse error: Invalid numeric literal). (Nikita, Anatol)
 +
 +- COM:
 +  . Fixed bug #73126 (Cannot pass parameter 1 by reference). (Anatol)
  
  - Filter:
    . Fixed bug #72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and
diff --cc ext/standard/exec.c
index a73d0b4e6e,e0ca9140f7..7bd3ef9f7f
--- a/ext/standard/exec.c
+++ b/ext/standard/exec.c
@@@ -361,12 -370,12 +361,12 @@@ PHPAPI zend_string *php_escape_shell_cm
  
  		}
  	}
 -	cmd[y] = '\0';
 +	ZSTR_VAL(cmd)[y] = '\0';
  
- 	if (y - 1 > cmd_max_len) {
+ 	if (y > cmd_max_len + 1) {
 -		php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
 -		efree(cmd);
 -		return NULL;
 +		php_error_docref(NULL, E_ERROR, "Escaped command exceeds the allowed length of %d bytes", cmd_max_len);
 +		zend_string_release(cmd);
 +		return ZSTR_EMPTY_ALLOC();
  	}
  
  	if ((estimate - y) > 4096) {
@@@ -444,16 -453,16 +444,16 @@@ PHPAPI zend_string *php_escape_shell_ar
  		}
  	}
  
 -	cmd[y++] = '"';
 +	ZSTR_VAL(cmd)[y++] = '"';
  #else
 -	cmd[y++] = '\'';
 +	ZSTR_VAL(cmd)[y++] = '\'';
  #endif
 -	cmd[y] = '\0';
 +	ZSTR_VAL(cmd)[y] = '\0';
  
- 	if (y - 1 > cmd_max_len) {
+ 	if (y > cmd_max_len + 1) {
 -		php_error_docref(NULL TSRMLS_CC, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
 -		efree(cmd);
 -		return NULL;
 +		php_error_docref(NULL, E_ERROR, "Escaped argument exceeds the allowed length of %d bytes", cmd_max_len);
 +		zend_string_release(cmd);
 +		return ZSTR_EMPTY_ALLOC();
  	}
  
  	if ((estimate - y) > 4096) {