Merge branch 'PHP-5.6' into PHP-7.0

smalyshev · smalyshev · commit 0496f5407f88 · 2017-07-04T19:44:51.000-07:00
* PHP-5.6:
  Update NEWS
  Fix bug #74087
  Fixed parsing of strange formats with mixed month/day and time strings
  Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
  Fixed bug #74111
  Fix #74435: Buffer over-read into uninitialized memory
  Fix bug #74603 - use correct buffer size
  Fix bug #74651 - check EVP_SealInit as it can return -1
  Update NEWS
  Fix bug #73807
diff --git a/ext/date/lib/parse_date.c b/ext/date/lib/parse_date.c
diff --git a/ext/date/lib/parse_date.re b/ext/date/lib/parse_date.re
@@ -899,7 +899,7 @@ datefull         = day ([ \t.-])* monthtext ([ \t.-])* year;
 datenoday        = monthtext ([ .\t-])* year4;
 datenodayrev     = year4 ([ .\t-])* monthtext;
 datetextual      = monthtext ([ .\t-])* day [,.stndrh\t ]+ year;
-datenoyear       = monthtext ([ .\t-])* day [,.stndrh\t ]*;
+datenoyear       = monthtext ([ .\t-])* day ([,.stndrh\t ]+|[\000]);
 datenoyearrev    = day ([ .\t-])* monthtext;
 datenocolon      = year4 monthlz daylz;
 
diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
@@ -147,6 +147,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	int haveGlobalColormap;
 	gdImagePtr im = 0;
 
+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
 	/*1.4//imageNumber = 1; */
 	if (! ReadOK(fd,buf,6)) {
 		return 0;
diff --git a/ext/gd/tests/bug74435.gif b/ext/gd/tests/bug74435.gif
diff --git a/ext/gd/tests/bug74435.phpt b/ext/gd/tests/bug74435.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #74435 (Buffer over-read into uninitialized memory)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(__DIR__ . DIRECTORY_SEPARATOR . 'bug74435.gif');
+var_dump($im);
+$width = imagesx($im);
+$height = imagesy($im);
+for ($i = 0; $i < $width; $i += 16) {
+    for ($j = 0; $j < $height; $j += 16) {
+        if (($index = imagecolorat($im, $i, $j)) >= 2) {
+            list($red, $green, $blue, $alpha) = array_values(imagecolorsforindex($im, $index));
+            if ($red !== 0 || $green !== 0 || $blue !== 0 || $alpha !== 0) {
+                echo "unexpected color at ($i, $j)\n";
+            }
+        }
+    }
+}
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===
diff --git a/ext/pcre/pcrelib/pcre_jit_compile.c b/ext/pcre/pcrelib/pcre_jit_compile.c
@@ -7307,7 +7307,7 @@ if (opcode == OP_COND || opcode == OP_SCOND)
 
     if (*matchingpath == OP_FAIL)
       stacksize = 0;
-    if (*matchingpath == OP_RREF)
+    else if (*matchingpath == OP_RREF)
       {
       stacksize = GET2(matchingpath, 1);
       if (common->currententry == NULL)
diff --git a/ext/standard/tests/serialize/bug74111.phpt b/ext/standard/tests/serialize/bug74111.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #74111: Heap buffer overread (READ: 1) finish_nested_data from unserialize
+--FILE--
+<?php
+$s = 'O:8:"stdClass":00000000';
+var_dump(unserialize($s));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 25 of 23 bytes in %s on line %d
+bool(false)
diff --git a/ext/wddx/tests/bug74145.phpt b/ext/wddx/tests/bug74145.phpt
@@ -0,0 +1,16 @@
+--TEST--
+Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$data = file_get_contents(__DIR__ . '/bug74145.xml');
+$wddx = wddx_deserialize($data);
+var_dump($wddx);
+?>
+DONE
+--EXPECTF--
+NULL
+DONE
diff --git a/ext/wddx/tests/bug74145.xml b/ext/wddx/tests/bug74145.xml
@@ -0,0 +1,9 @@
+<?xml version='1.0' ?>
+    <!DOCTYPE et SYSTEM 'w'>
+    <wddxPacket ven='1.0'>
+        <array>
+            <var Name="name">
+                <boolean ></boolean>
+            </var>
+        </array>
+    </wddxPacket>
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
@@ -761,20 +761,20 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
 	} else if (!strcmp((char *)name, EL_BOOLEAN)) {
 		int i;
 
+		ALLOC_ZVAL(ent.data);
+		INIT_PZVAL(ent.data);
+		Z_TYPE_P(ent.data) = IS_BOOL;
+		ent.type = ST_BOOLEAN;
+		SET_STACK_VARNAME;
 		if (atts) for (i = 0; atts[i]; i++) {
 			if (!strcmp((char *)atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
-				ent.type = ST_BOOLEAN;
-				SET_STACK_VARNAME;
-
 				ZVAL_TRUE(&ent.data);
 				wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
 				php_wddx_process_data(user_data, atts[i+1], strlen((char *)atts[i+1]));
 				break;
 			}
 		} else {
-			ent.type = ST_BOOLEAN;
-			SET_STACK_VARNAME;
-			ZVAL_FALSE(&ent.data);
+			ZVAL_FALSE(ent.data);
 			wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
 		}
 	} else if (!strcmp((char *)name, EL_NULL)) {

Original file line number	Diff line number	Diff line change
`@@ -7307,7 +7307,7 @@ if (opcode == OP_COND \|\| opcode == OP_SCOND)`
`7307`	`7307`
`7308`	`7308`	`if (*matchingpath == OP_FAIL)`
`7309`	`7309`	`stacksize = 0;`
`7310`		`- if (*matchingpath == OP_RREF)`
	`7310`	`+ else if (*matchingpath == OP_RREF)`
`7311`	`7311`	`{`
`7312`	`7312`	`stacksize = GET2(matchingpath, 1);`
`7313`	`7313`	`if (common->currententry == NULL)`