* PHP-7.0: (27 commits)
fix #72519, possible OOB using imagegif
fix #72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not allow reading past error read
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
update NEWS
Fixed bug #72570 Segmentation fault when binding parameters on a query without placeholders
Fix bug #72562 - destroy var_hash properly
Fix bug #72551 and bug #72552 - check before converting size_t->int
Fix bug #72541 - size_t overflow lead to heap corruption
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
...
* PHP-5.6:
fix #72519, possible OOB using imagegif
fix #72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
5.6.24RC1
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
* PHP-7.0.9:
Partial fix for bug #72613 - do not allow reading past error read
update NEWS
Fixed bug #72570 Segmentation fault when binding parameters on a query without placeholders
Fix bug #72551 and bug #72552 - check before converting size_t->int
Fix bug #72541 - size_t overflow lead to heap corruption
fix possible optimization bug
set versions
* PHP-5.5:
fix #72519, possible OOB using imagegif
fix #72512, invalid read or write for palette image when invalid transparent index is used
Apparently some envs miss SIZE_MAX
Fix tests
Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
Fix bug #72562 - destroy var_hash properly
Fix bug #72533 (locale_accept_from_http out-of-bounds access)
Fix fir bug #72520
Fix for bug #72513
CS fix and comments with bug ID
Fix for HTTP_PROXY issue.
add tests for bug #72512
Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
Fixed bug #72479 - same as #72434
Fix #70315: 500 Server Error but page is fully rendered
That happens because the external libgd uses other error codes than PHP
(and the bundled libgd), but the libgd error codes are simply forwarded
to php_verror(). We fix that by properly mapping libgd errors to PHP errors.
From 3/8 to 3/4. I was thinking in terms of nTableSize, where a
requirement > 1/2 is not tenable. However, we're actually working
with nNumUsed, in which case more than 1/4 tombstones should be
quite unusual.
* rng-fixes:
Fix legacy mode RAND_RANGE and 32/64-bit consistency
Fix crypt salt not being converted to b64
Make mode selection part of mt_srand()
Use zend_bitset
Improve array_rand distribution
Fix some insecure usages of php_rand
Alias rand to mt_rand
Fix RAND_RANGE for mt_rand
Fix mt_rand impl. Provide legacy impl. access.
Split rand and mt_rand into separate files
The code was storing the created object in a property on the
created object, creating a trivial cycle. This cycle cannot be
collected (even if sxe->tmp is exposed via get_gc), because it
is never rooted (and we cannot safely manually root it).
Change the code to store the created object on the parent node
instead.
The only reason this is not showing up as a leak is that sxe->tmp
is dtor'ed in the dtor handler, which means that these objects
do get collected on shutdown -- but never earlier.
The __construct function name was leaked. Avoid this by simply
throwing directly from row_get_ctor instead of indirecting through
an actual __construct function.
libgd substitutes unallowed characters of XBM names (but not filenames),
depending on the locale. As we're interested in the filenames in this case
we simply ignore these differences.
When we decrement the refcount of a node's document, we state that we
won't need it anymore. Therefore we can *always* set the pointer to the
document to NULL, what avoids invalid memory accesses for some edge cases
as demonstrated with the PHPT.
projects / php / log