granicus.if.org Git - php/log
7 years ago Patch from the upstream git
Remi Collet [Tue, 30 May 2017 13:40:32 +0000 (15:40 +0200)]
Patch from the upstream git
https://github.com/kkos/oniguruma/issues/60 (CVE-2017-9228)

Thanks to Mamoru TASAKA <mtasaka@fedoraproject.org>

7 years ago Patch from the upstream git
Remi Collet [Tue, 30 May 2017 13:39:21 +0000 (15:39 +0200)]
Patch from the upstream git
https://github.com/kkos/oniguruma/issues/59 (CVE-2017-9229)
b690371bbf97794b4a1d3f295d4fb9a8b05d402d Modified for onig 5.9.6

Thanks to Mamoru TASAKA <mtasaka@fedoraproject.org>

7 years ago Patch from the upstream git
Remi Collet [Tue, 30 May 2017 13:38:17 +0000 (15:38 +0200)]
Patch from the upstream git
https://github.com/kkos/oniguruma/issues/58 (CVE-2017-9227)

Thanks to Mamoru TASAKA <mtasaka@fedoraproject.org>

7 years ago Patch from the upstream git
Remi Collet [Tue, 30 May 2017 13:37:11 +0000 (15:37 +0200)]
Patch from the upstream git
https://github.com/kkos/oniguruma/issues/57 (CVE-2017-9224)

Thanks to Mamoru TASAKA <mtasaka@fedoraproject.org>

7 years ago Patch from the upstream git
Remi Collet [Tue, 30 May 2017 13:35:42 +0000 (15:35 +0200)]
Patch from the upstream git
https://github.com/kkos/oniguruma/issues/55 (CVE-2017-9226)
b4bf968ad52afe14e60a2dc8a95d3555c543353a Modified for onig 5.9.6
f015fbdd95f76438cd86366467bb2b39870dd7c6 Modified for onig 5.9.6

Thanks to Mamoru TASAKA <mtasaka@fedoraproject.org>

7 years ago Improve fix for #74145
Stanislav Malyshev [Wed, 5 Jul 2017 04:10:08 +0000 (21:10 -0700)]
Improve fix for #74145

7 years ago Fix tests
Stanislav Malyshev [Wed, 5 Jul 2017 03:12:57 +0000 (20:12 -0700)]
Fix tests

7 years ago Update NEWS
Stanislav Malyshev [Wed, 5 Jul 2017 02:30:29 +0000 (19:30 -0700)]
Update NEWS

7 years ago Fix bug #74087
Stanislav Malyshev [Wed, 5 Jul 2017 02:21:28 +0000 (19:21 -0700)]
Fix bug #74087

Ported from https://vcs.pcre.org/pcre/code/trunk/pcre_jit_compile.c?r1=1676&r2=1680&view=patch

7 years ago Fixed parsing of strange formats with mixed month/day and time strings
Derick Rethans [Mon, 3 Jul 2017 11:37:11 +0000 (12:37 +0100)]
Fixed parsing of strange formats with mixed month/day and time strings

7 years ago Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
Stanislav Malyshev [Sun, 2 Jul 2017 21:25:54 +0000 (14:25 -0700)]
Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV

7 years ago Fixed bug #74111
Nikita Popov [Sun, 25 Jun 2017 19:15:26 +0000 (21:15 +0200)]
Fixed bug #74111

7 years ago Fix #74435: Buffer over-read into uninitialized memory
Christoph M. Becker [Tue, 20 Jun 2017 14:45:42 +0000 (16:45 +0200)]
Fix #74435: Buffer over-read into uninitialized memory

The stack allocated color map buffers were not zeroed before usage, and
so undefined palette indexes could cause information leakage.

7 years ago Fix bug #74603 - use correct buffer size
Stanislav Malyshev [Tue, 20 Jun 2017 07:09:01 +0000 (00:09 -0700)]
Fix bug #74603 - use correct buffer size

7 years ago Fix bug #74651 - check EVP_SealInit as it can return -1
Stanislav Malyshev [Tue, 20 Jun 2017 06:06:24 +0000 (23:06 -0700)]
Fix bug #74651 - check EVP_SealInit as it can return -1

7 years ago Update NEWS
Stanislav Malyshev [Sun, 25 Jun 2017 06:32:59 +0000 (23:32 -0700)]
Update NEWS

7 years ago Fix bug #73807
Nikita Popov [Thu, 2 Feb 2017 15:04:02 +0000 (16:04 +0100)]
Fix bug #73807

7 years ago fix test for 32bits (int -> float)
Remi Collet [Wed, 1 Feb 2017 09:25:30 +0000 (10:25 +0100)]
fix test for 32bits (int -> float)

(cherry picked from commit 0f1ae93bfa2feb3d0fd0b8d3036148df8ef856e2)

8 years ago update NEWS
Ferenc Kovacs [Thu, 19 Jan 2017 00:16:31 +0000 (01:16 +0100)]
update NEWS

8 years ago Fix #73869: Signed Integer Overflow gd_io.c
Christoph M. Becker [Sat, 17 Dec 2016 16:06:58 +0000 (17:06 +0100)]
Fix #73869: Signed Integer Overflow gd_io.c

GD2 stores the number of horizontal and vertical chunks as words (i.e. 2
byte unsigned). These values are multiplied and assigned to an int when
reading the image, which can cause integer overflows. We have to avoid
that, and also make sure that either chunk count is actually greater
than zero. If illegal chunk counts are detected, we bail out from
reading the image.

(cherry picked from commit 5b5d9db3988b829e0b121b74bb3947f01c2796a1)

8 years ago Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()
Christoph M. Becker [Tue, 16 Aug 2016 16:23:36 +0000 (18:23 +0200)]
Fix #73868: DOS vulnerability in gdImageCreateFromGd2Ctx()

We must not pretend that there are image data if there are none. Instead
we fail reading the image file gracefully.

(cherry picked from commit cdb648dc4115ce0722f3cc75e6a65115fc0e56ab)

8 years ago Add additional serialize tests for fixed bugs
Nikita Popov [Mon, 16 Jan 2017 12:24:13 +0000 (13:24 +0100)]
Add additional serialize tests for fixed bugs

These have been fixed as a side-effect of the delayed __wakeup
patch.

8 years ago Fix typo
Stanislav Malyshev [Mon, 16 Jan 2017 08:23:06 +0000 (00:23 -0800)]
Fix typo

8 years ago Fix test
Stanislav Malyshev [Mon, 16 Jan 2017 02:42:22 +0000 (18:42 -0800)]
Fix test

8 years ago Update more functions with path check
Stanislav Malyshev [Mon, 16 Jan 2017 01:31:08 +0000 (17:31 -0800)]
Update more functions with path check

8 years ago Fix glob-wrapper.phpt to not fail in Windows
Mitch Hagstrand [Tue, 10 Jan 2017 19:51:55 +0000 (11:51 -0800)]
Fix glob-wrapper.phpt to not fail in Windows

8 years ago Fix open_basedir check for glob:// opendir wrapper
Sara Golemon [Mon, 9 Jan 2017 19:02:50 +0000 (11:02 -0800)]
Fix open_basedir check for glob:// opendir wrapper

php_check_open_basedir() expects a local filesystem path,
but we're handing it a `glob://...` URI instead.

Move the check to after the path trim so that we're checking
a meaningful pathspec.

8 years ago add skip when json not loaded
Remi Collet [Fri, 6 Jan 2017 05:23:59 +0000 (06:23 +0100)]
add skip when json not loaded

8 years ago 5.6.31 is next
Ferenc Kovacs [Fri, 6 Jan 2017 00:43:11 +0000 (01:43 +0100)]
5.6.31 is next

8 years ago Fix printf modifier
Nikita Popov [Thu, 5 Jan 2017 10:37:06 +0000 (11:37 +0100)]
Fix printf modifier

8 years ago Add tests for delayed __wakeup()
Nikita Popov [Wed, 4 Jan 2017 23:20:56 +0000 (00:20 +0100)]
Add tests for delayed __wakeup()

8 years ago Implement delayed __wakeup
Nikita Popov [Wed, 4 Jan 2017 23:19:26 +0000 (00:19 +0100)]
Implement delayed __wakeup

8 years ago Merge branch 'PHP-5.6.30' into PHP-5.6
Stanislav Malyshev [Tue, 3 Jan 2017 04:56:32 +0000 (20:56 -0800)]
Merge branch 'PHP-5.6.30' into PHP-5.6

* PHP-5.6.30:
  Fix bug #73737 FPE when parsing a tag format
  Fix bug #73773 - Seg fault when loading hostile phar
  Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
  Fix bug #73768 - Memory corruption when loading hostile phar
  Fix int overflows in phar (bug #73764)

8 years ago Fix bug #70213
Nikita Popov [Sun, 1 Jan 2017 13:10:49 +0000 (14:10 +0100)]
Fix bug #70213

8 years ago Fix bug #73737 FPE when parsing a tag format
Stanislav Malyshev [Sun, 1 Jan 2017 03:31:49 +0000 (19:31 -0800)]
Fix bug #73737 FPE when parsing a tag format

8 years ago Fix bug #73773 - Seg fault when loading hostile phar
Stanislav Malyshev [Sun, 1 Jan 2017 02:47:50 +0000 (18:47 -0800)]
Fix bug #73773 - Seg fault when loading hostile phar

8 years ago Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
Stanislav Malyshev [Sat, 31 Dec 2016 00:59:46 +0000 (16:59 -0800)]
Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()

8 years ago Fix bug #73768 - Memory corruption when loading hostile phar
Stanislav Malyshev [Fri, 30 Dec 2016 23:57:24 +0000 (15:57 -0800)]
Fix bug #73768 - Memory corruption when loading hostile phar

8 years ago Fix int overflows in phar (bug #73764)
Stanislav Malyshev [Fri, 30 Dec 2016 23:34:46 +0000 (15:34 -0800)]
Fix int overflows in phar (bug #73764)

8 years ago Revert "Fix #73530: Unsetting result set may reset other result set"
Christoph M. Becker [Thu, 29 Dec 2016 11:41:39 +0000 (12:41 +0100)]
Revert "Fix #73530: Unsetting result set may reset other result set"

This reverts commit eb570294a289b45d0dd38efc71065d6b0d314c4b.

That commit caused a regression, so it's probably best to revert it, and
to tackle the issue for the next minor release.

8 years ago fix C89 compat
Anatol Belski [Sat, 17 Dec 2016 19:43:32 +0000 (20:43 +0100)]
fix C89 compat

8 years ago Skip tests when secure_file_priv dir not writable
Matteo Beccati [Thu, 15 Dec 2016 08:31:00 +0000 (09:31 +0100)]
Skip tests when secure_file_priv dir not writable

8 years ago update NEWS
Ferenc Kovacs [Thu, 8 Dec 2016 06:05:32 +0000 (07:05 +0100)]
update NEWS

8 years ago fix leak, take 2
Anatol Belski [Tue, 6 Dec 2016 15:12:39 +0000 (16:12 +0100)]
fix leak, take 2

8 years ago fix leak, take on 5.6
Anatol Belski [Tue, 6 Dec 2016 13:34:27 +0000 (14:34 +0100)]
fix leak, take on 5.6

8 years ago This still leaks memory, I don't have enough knowledge in WDDX code to fix them :(
Stanislav Malyshev [Tue, 6 Dec 2016 06:32:59 +0000 (22:32 -0800)]
This still leaks memory, I don't have enough knowledge in WDDX code to fix them :(

8 years ago Fix bug #73631 - Invalid read when wddx decodes empty boolean element
Stanislav Malyshev [Tue, 6 Dec 2016 05:40:55 +0000 (21:40 -0800)]
Fix bug #73631 - Invalid read when wddx decodes empty boolean element

8 years ago Fix minor typo
Adrien Crivelli [Wed, 30 Nov 2016 09:19:35 +0000 (18:19 +0900)]
Fix minor typo

8 years ago Workaround for GCC-4.9.2 bug
Dmitry Stogov [Thu, 1 Dec 2016 12:46:52 +0000 (15:46 +0300)]
Workaround for GCC-4.9.2 bug

8 years ago oops, changed in wrong place
Stanislav Malyshev [Mon, 28 Nov 2016 00:11:41 +0000 (16:11 -0800)]
oops, changed in wrong place

8 years ago add NEWS
Stanislav Malyshev [Sun, 27 Nov 2016 23:38:09 +0000 (15:38 -0800)]
add NEWS

8 years ago Merge branch 'pull-request/1974' into PHP-5.6
Stanislav Malyshev [Sun, 27 Nov 2016 23:11:17 +0000 (15:11 -0800)]
Merge branch 'pull-request/1974' into PHP-5.6

* pull-request/1974:
  Fix #68447: grapheme_extract take an extra trailing character

8 years ago Fix #73549: Use after free when stream is passed to imagepng
Christoph M. Becker [Thu, 17 Nov 2016 12:44:30 +0000 (13:44 +0100)]
Fix #73549: Use after free when stream is passed to imagepng

If a stream is passed to imagepng() or other image output functions,
as opposed to a filename, we must not close this stream.

8 years ago Fix occasionally failing test
Matteo Beccati [Sun, 27 Nov 2016 09:20:13 +0000 (10:20 +0100)]
Fix occasionally failing test

8 years ago Added missing array key to $JUNIT
Matteo Beccati [Sun, 27 Nov 2016 09:07:05 +0000 (10:07 +0100)]
Added missing array key to $JUNIT

8 years ago acinclude.m4: fix krb5-config detection and usage in PHP_SETUP_KERBEROS.
Michael Orlitzky [Fri, 30 Sep 2016 23:47:20 +0000 (19:47 -0400)]
acinclude.m4: fix krb5-config detection and usage in PHP_SETUP_KERBEROS.

When building with kerberos support (--with-kerberos), a few libraries
and flags need to be added to various parts of the build system. The
most reliable way to get those flags is through the krb5-config
program that ships with both major implementations of kerberos. The
PHP_SETUP_KERBEROS macro in acinclude.m4 attempts to detect
krb5-config, and use it.

However, there's a bug in that macro. The --with-kerberos parameter
accepts a directory where the kerberos libraries can be found. When a
directory is given, it is stored in the PHP_KERBEROS variable. The
following test,

  if test "$PHP_KERBEROS" = "yes" && test -x "$KRB5_CONFIG"; then

thus fails whenever a directory is passed to --with-kerberos, since it
compares a directory name against the string "yes". This causes
krb5-config to go unused, and some unreliable fallback logic is
attempted instead. One consequence of this is that the Heimdal
kerberos implementation cannot be substituted for the MIT one, at
least when a directory is passed to --with-kerberos.

This commit reverses the logic and checks for "$PHP_KERBEROS" != "no".
To confirm that this fixes the issue, one can inspect the "-l" library
flags that get appended to the command-line. On a machine with Heimdal
and the unmodified acinclude.m4, running

  ./configure --with-openssl --with-kerberos=/usr

will log (for example) to config.log,

  configure:18082: checking for krb5-config
  configure:18101: found /usr/bin/krb5-config
  configure:18114: result: /usr/bin/krb5-config
  configure:18450: checking for RAND_egd
  configure:18450: cc ... conftest.c ... -lgssapi_krb5 -lkrb5 ...

which are the library names for the MIT implementation. After patching
acinclude.m4 to negate the logic, the same command on the same machine
outputs (to config.log):

  configure:18450: cc ... conftest.c -lgssapi -lheimntlm ...

These are the correct library names for the Heimdal implementation.

PHP-Bug: 73214

8 years ago Add more mbfl string size checks (bug #73505)
Stanislav Malyshev [Sat, 26 Nov 2016 22:44:58 +0000 (14:44 -0800)]
Add more mbfl string size checks (bug #73505)

8 years ago Fix #73582: Failing ext/gd/tests/imagettftext_charmap_order.phpt
Christoph M. Becker [Fri, 25 Nov 2016 22:02:34 +0000 (23:02 +0100)]
Fix #73582: Failing ext/gd/tests/imagettftext_charmap_order.phpt

This test is not supposed to work with JIS-mapped Japanese font support
enabled.

8 years ago Updated to version 2016.10 (2016j)
Derick Rethans [Thu, 24 Nov 2016 10:40:11 +0000 (10:40 +0000)]
Updated to version 2016.10 (2016j)

8 years ago 5.6.30 will be next
Ferenc Kovacs [Thu, 24 Nov 2016 00:54:23 +0000 (01:54 +0100)]
5.6.30 will be next

8 years ago Make php_url_parse_ex() respect length argument
Nikita Popov [Fri, 18 Nov 2016 15:41:13 +0000 (16:41 +0100)]
Make php_url_parse_ex() respect length argument

This should fix all out-of-bounds reads that could previously
occur if the string passed to php_url_parse_ex() is not NUL
terminated.

8 years ago Cleanup parse_url() query/fragment handling
Nikita Popov [Fri, 18 Nov 2016 16:00:56 +0000 (17:00 +0100)]
Cleanup parse_url() query/fragment handling

The query/fragment handling was pretty convoluted, with many parts
being duplicated. Simplify by checking for fragment, then for query,
then for path.

8 years ago Cleanup parse_url() gotos
Nikita Popov [Thu, 17 Nov 2016 22:18:05 +0000 (23:18 +0100)]
Cleanup parse_url() gotos

Simplify some unnecessarily complicated code. In particular the
length updates are unnecessary (length is only used at the very
start) and we're goto'ing around a bit too much.

8 years ago update libs versions.txt
Anatol Belski [Tue, 22 Nov 2016 11:36:51 +0000 (12:36 +0100)]
update libs versions.txt

8 years ago update NEWS
Anatol Belski [Mon, 21 Nov 2016 23:57:18 +0000 (00:57 +0100)]
update NEWS

8 years ago Fix bug #73498
Craig Duncan [Sun, 20 Nov 2016 20:48:21 +0000 (20:48 +0000)]
Fix bug #73498

Postgres uses the DELIMITER keyword since 7.3
And WITH is no longer required/used

8 years ago Add a test for bug 73498
Craig Duncan [Mon, 21 Nov 2016 19:49:18 +0000 (19:49 +0000)]
Add a test for bug 73498

8 years ago update php.ini-* according to changes for bug #69090
Anatol Belski [Mon, 21 Nov 2016 21:52:03 +0000 (22:52 +0100)]
update php.ini-* according to changes for bug #69090

8 years ago update NEWS
Anatol Belski [Mon, 21 Nov 2016 18:56:09 +0000 (19:56 +0100)]
update NEWS

8 years ago add test for bug #73452
Anatol Belski [Mon, 21 Nov 2016 14:25:46 +0000 (15:25 +0100)]
add test for bug #73452

8 years ago Backport 15ac4904 to 5.6
Anatol Belski [Mon, 21 Nov 2016 14:20:03 +0000 (15:20 +0100)]
Backport 15ac4904 to 5.6

8 years ago Fix the lchown error test for Travis CI.
Mitch Hagstrand [Fri, 11 Nov 2016 23:40:30 +0000 (15:40 -0800)]
Fix the lchown error test for Travis CI.

The E_WARNING message from the PHP function lchown is passed
from the system function lchown. The error message returned
from lchown can be filesystem dependent.

8 years ago Fix #64526: Add missing mysqlnd.* parameters to php.ini-*
Christoph M. Becker [Fri, 18 Nov 2016 13:17:19 +0000 (14:17 +0100)]
Fix #64526: Add missing mysqlnd.* parameters to php.ini-*

8 years ago Fixed test
Dmitry Stogov [Thu, 17 Nov 2016 12:57:40 +0000 (15:57 +0300)]
Fixed test

8 years ago Updated NEWS
Julien Pauli [Thu, 17 Nov 2016 10:37:13 +0000 (11:37 +0100)]
Updated NEWS

8 years ago Improvement for bug73297
Julien Pauli [Thu, 17 Nov 2016 10:33:36 +0000 (11:33 +0100)]
Improvement for bug73297

8 years ago Simplify ext/standard/tests/http/bug73297.phpt
Rowan Collins [Mon, 24 Oct 2016 18:01:17 +0000 (18:01 +0000)]
Simplify ext/standard/tests/http/bug73297.phpt

8 years ago http_fopen_wrapper.c - bug#73297 Skip past "100 Continue" responses
Rowan Collins [Sun, 23 Oct 2016 18:24:58 +0000 (18:24 +0000)]
http_fopen_wrapper.c - bug#73297 Skip past "100 Continue" responses

8 years ago Add failing test for bug#73297
Rowan Collins [Tue, 11 Oct 2016 21:12:18 +0000 (21:12 +0000)]
Add failing test for bug#73297

8 years ago Accurate handling of too big inodes of chroot directories
Dmitry Stogov [Wed, 16 Nov 2016 22:08:42 +0000 (01:08 +0300)]
Accurate handling of too big inodes of chroot directories

8 years ago "opcache.validate_root" is useless on Windows
Dmitry Stogov [Wed, 16 Nov 2016 20:15:14 +0000 (23:15 +0300)]
"opcache.validate_root" is useless on Windows

8 years ago Use full path
Dmitry Stogov [Wed, 16 Nov 2016 20:01:40 +0000 (23:01 +0300)]
Use full path

8 years ago Fixed ZTS build
Dmitry Stogov [Wed, 16 Nov 2016 13:43:57 +0000 (16:43 +0300)]
Fixed ZTS build

8 years ago Fix #73530: Unsetting result set may reset other result set
Christoph M. Becker [Wed, 16 Nov 2016 10:49:04 +0000 (11:49 +0100)]
Fix #73530: Unsetting result set may reset other result set

Calling sqlite3_reset() when a result set object is freed can cause
undesired and maybe even hard to track interference with other result
sets. Furthermore, there is no need to call sqlite3_reset(), because
that is implicitly called on SQLite3Stmt::execute(), and users are
encouraged to explicitly call either SQLite3Result::finalize() or
SQLite3Stmt::reset() anyway.

8 years ago Fixed bug #69090 (check cached files permissions)
Dmitry Stogov [Wed, 16 Nov 2016 09:43:10 +0000 (12:43 +0300)]
Fixed bug #69090 (check cached files permissions)

8 years ago add missing NEWS entry
Anatol Belski [Wed, 9 Nov 2016 20:32:44 +0000 (21:32 +0100)]
add missing NEWS entry

8 years ago add missing NEWS entries
Ferenc Kovacs [Wed, 9 Nov 2016 01:12:16 +0000 (02:12 +0100)]
add missing NEWS entries

8 years ago fix memory leak
Anatol Belski [Tue, 8 Nov 2016 11:12:58 +0000 (12:12 +0100)]
fix memory leak

8 years ago Merge remote-tracking branch 'phpsec/PHP-5.6.28' into PHP-5.6
Anatol Belski [Tue, 8 Nov 2016 10:06:52 +0000 (11:06 +0100)]
Merge remote-tracking branch 'phpsec/PHP-5.6.28' into PHP-5.6

8 years ago Fix bug #72776 (Invalid parameter in memcpy function through openssl_pbkdf2)
Jakub Zelenka [Sun, 6 Nov 2016 20:40:51 +0000 (20:40 +0000)]
Fix bug #72776 (Invalid parameter in memcpy function through openssl_pbkdf2)

8 years ago add missing RETURN_STRINGL_CHECK
Anatol Belski [Sun, 6 Nov 2016 16:51:25 +0000 (17:51 +0100)]
add missing RETURN_STRINGL_CHECK

As RETVAL_STRINGL_CHECK is already there, this one is needed for
completion. One place in ext/bz2 is missing that, so it will likely
be useful for other possible fixes.

8 years ago fix dir separator in test
Anatol Belski [Fri, 4 Nov 2016 17:29:54 +0000 (18:29 +0100)]
fix dir separator in test

8 years ago Add length check for bzcompress too - fix for bug #73356
Stanislav Malyshev [Fri, 4 Nov 2016 05:10:22 +0000 (22:10 -0700)]
Add length check for bzcompress too - fix for bug #73356

8 years ago More string length checks & fixes
Stanislav Malyshev [Fri, 4 Nov 2016 03:36:52 +0000 (20:36 -0700)]
More string length checks & fixes

8 years ago Updated to version 2016.9 (2016i)
Derick Rethans [Thu, 3 Nov 2016 17:57:28 +0000 (13:57 -0400)]
Updated to version 2016.9 (2016i)

8 years ago Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
Anatol Belski [Thu, 3 Nov 2016 16:03:23 +0000 (17:03 +0100)]
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash

8 years ago Fix #73436: Setting allow_url_fopen to Off makes several tests fail
Christoph M. Becker [Tue, 1 Nov 2016 19:13:53 +0000 (20:13 +0100)]
Fix #73436: Setting allow_url_fopen to Off makes several tests fail

We make sure that these tests run with allow_url_fopen=1.

8 years ago Fix #72696: imagefilltoborder stackoverflow on truecolor images
Christoph M. Becker [Tue, 25 Oct 2016 11:23:16 +0000 (13:23 +0200)]
Fix #72696: imagefilltoborder stackoverflow on truecolor images

We must not allow negative color values to be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.

8 years ago Fix #72482: Illegal write/read access caused by gdImageAALine overflow
Christoph M. Becker [Tue, 25 Oct 2016 13:14:22 +0000 (15:14 +0200)]
Fix #72482: Illegal write/read access caused by gdImageAALine overflow

Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.

8 years ago Fixed bug #73402 (Opcache segfault when using class constant to call a method)
Xinchen Hui [Sat, 29 Oct 2016 15:41:51 +0000 (23:41 +0800)]
Fixed bug #73402 (Opcache segfault when using class constant to call a method)