Merge branch 'PHP-5.6' of git.php.net:php-src into PHP-5.6

* 'PHP-5.6' of git.php.net:php-src: (129 commits)
  NEWS
  cleanup NEWS
  removing the NEWS entry as we had to revert this fix for now
  Revert "Merge branch 'PHP-5.5' into PHP-5.6"
  Revert "fix TS build"
  Revert "Merge branch 'PHP-5.4' into PHP-5.5"
  Revert "Bug #67965: Fix blocking behavior in non-blocking crypto streams"
  Revert "Bug #41631: Fix regression from first attempt (6569db8)"
  NEWS
  Fixed Bug #65171 imagescale() fails
  Fixed bug #68234
  Revert "Bug #41631: Observe socket read timeouts in SSL streams"
  PHP-5.6.3 is next
  update NEWS, 5.6.2 will be a security-only release
  Fix return code (merges are hard :( )
  Fix bug #68113 (Heap corruption in exif_thumbnail())
  Fix bug #68089 - do not accept options with embedded \0
  Fixed bug #68044: Integer overflow in unserialize() (32-bits only)
  Fix bug #68027 - fix date parsing in XMLRPC lib
  Fix bug #68113 (Heap corruption in exif_thumbnail())
  ...

Author: rlerdorf

.gitignore

@@ -19,6 +19,7 @@
 *.tgz
 *.tar.gz
 *.tar.bz2
+*.tar.xz
 .FBCIndex
 .FBCLockFolder
 .deps

EXTENSIONS

@@ -385,6 +385,12 @@ MAINTENANCE:         Maintained
 STATUS:              Working
 SINCE:               4.0.4
 -------------------------------------------------------------------------------
+EXTENSION:           hash
+PRIMARY MAINTAINER:  Sara Golemon <pollita@php.net>, Mike Wallner <mike@php.net>, Anatol Belski <ab@php.net>
+MAINTENANCE:         Maintained
+STATUS:              Working
+SINCE:               5.1.2
+-------------------------------------------------------------------------------
 EXTENSION:           iconv
 PRIMARY MAINTAINER:  Moriyoshi Koizumi <moriyoshi@php.net>
 MAINTENANCE:         Maintained
@@ -438,6 +444,12 @@ PRIMARY MAINTAINER:  Frank M. Kromann
 MAINTENANCE:         Unknown
 STATUS:              Experimental
 -------------------------------------------------------------------------------
+EXTENSION:           opcache
+PRIMARY MAINTAINER:  Dmitry Stogov <dmitry@zend.com>, Xinchen Hui <laruence@php.net>
+MAINTENANCE:         Maintained
+STATUS:              Working
+SINCE:               5.5.0
+-------------------------------------------------------------------------------
 EXTENSION:           openssl
 PRIMARY MAINTAINER:  Wez Furlong <wez@php.net>, Pierre-Alain Joye <pajoye@php.net>
 MAINTENANCE:         Maintained

NEWS

@@ -1,7 +1,71 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+?? ??? 2014, PHP 5.6.3
 
-?? ??? 2014, PHP 5.6.1
+- Core:
+  . Fixed bug #67739 (Windows 8.1/Server 2012 R2 OS build number reported
+    as 6.2 (instead of 6.3)). (Christian Wenz)
+  . Fixed bug #67633 (A foreach on an array returned from a function not doing
+    copy-on-write). (Nikita)
+  . Fixed bug #51800 (proc_open on Windows hangs forever). (Anatol)
+  . Fixed bug #68118 ($a->foo .= 'test'; can leave $a->foo undefined). (Nikita)
+  . Fixed bug #68129 (parse_url() - incomplete support for empty usernames 
+    and passwords) (Tjerk)
+  . Fixed bug #67949 (DOMNodeList elements should be accessible through
+    array notation) (Florian)
+  . Implemented 64-bit format codes for pack() and unpack(). (Leigh)
+
+- Fileinfo:
+  . Fixed bug #66242 (libmagic: don't assume char is signed). (ArdB)
+
+- FPM:
+  . Fixed bug #65641 (PHP-FPM incorrectly defines the SCRIPT_NAME variable
+    when using Apache, mod_proxy-fcgi and ProxyPass). (Remi)
+  . Implemented FR #55508 (listen and listen.allowed_clients should take IPv6
+    addresses). (Robin Gloster)
+
+- GD:
+  . Fixed bug #65171 (imagescale() fails without height param). (Remi)
+
+- GMP:
+  . Implemented gmp_random_range() and gmp_random_bits(). (Leigh)
+
+- Reflection:
+  . Fixed bug #68103 (Duplicate entry in Reflection for class alias). (Remi)
+
+- OpenSSL:
+  . Fixed bug #68074 (Allow to use system cipher list instead of hardcoded
+    value). (Remi)
+
+- Mysqli:
+  . Fixed bug #68114 (linker error on some OS X machines with fixed width
+    decimal support) (Keyur Govande)
+
+- ODBC:
+  . Fixed bug #68087 (ODBC not correctly reading DATE column when preceded by
+    a VARCHAR column) (Keyur Govande)
+
+- SPL:
+  . Fixed bug #68128 (Regression in RecursiveRegexIterator) (Tjerk)
+
+16 Oct 2014, PHP 5.6.2
+
+- Core:
+  . Fixed bug #68044 (Integer overflow in unserialize() (32-bits only)).
+    (CVE-2014-3669) (Stas)
+
+- cURL:
+  . Fixed bug #68089 (NULL byte injection - cURL lib). (Stas)
+
+- EXIF:
+  . Fixed bug #68113 (Heap corruption in exif_thumbnail()). (CVE-2014-3670)
+    (Stas)
+
+- XMLRPC:
+  . Fixed bug #68027 (Global buffer overflow in mkgmtime() function).
+    (CVE-2014-3668) (Stas)
+
+02 Oct 2014, PHP 5.6.1
 
 - Core:
   . Implemented FR #38409 (parse_ini_file() looses the type of booleans). (Tjerk)
@@ -10,6 +74,13 @@ PHP                                                                        NEWS
   . Fixed bug #67878 (program_prefix not honoured in man pages). (Remi)
   . Fixed bug #67938 (Segfault when extending interface method with variadic).
     (Nikita)
+  . Fixed bug #67985 (Incorrect last used array index copied to new array after
+    unset). (Tjerk)
+  . Fixed bug #68088 (New Posthandler Potential Illegal efree() vulnerability).
+    (Mike) (CVE-2014-3622)
+
+- DOM:
+  . Made DOMNode::textContent writeable. (Tjerk)
 
 - Fileinfo:
   . Fixed bug #67731 (finfo::file() returns invalid mime type
@@ -32,12 +103,19 @@ PHP                                                                        NEWS
   . Fixed bug #67850 (extension won't build if openssl compiled without SSLv3).
     (Daniel Lowrey)
 
-- DOM:
-  . Made DOMNode::textContent writeable. (Tjerk)
+- phpdbg:
+  . Fixed issue krakjoe/phpdbg#111 (compile error without ZEND_SIGNALS). (Bob)
 
 - SOAP:
   . Fixed bug #67955 (SoapClient prepends 0-byte to cookie names). (Philip Hofstetter)
 
+- Session:
+  . Fixed bug #67972 (SessionHandler Invalid memory read create_sid()). (Adam)
+
+- Sysvsem:
+  . Implemented FR #67990 (Add optional nowait argument to sem_acquire).
+    (Matteo)
+
 28 Aug 2014, PHP 5.6.0
 
 - Apache2 Handler SAPI:
@@ -63,6 +141,7 @@ PHP                                                                        NEWS
   . Fixed bug #66431 (Special Character via COM Interface (CP_UTF8)). (Anatol)
 
 - Core:
+  . Improved phpinfo() stylesheets. (Colin Viebrock)
   . Fixed bug #67693 (incorrect push to the empty array). (Tjerk)
   . Removed inconsistency regarding behaviour of array in constants at
     run-time. (Bob)

UPGRADING

@@ -217,6 +217,7 @@ PHP 5.6 UPGRADE NOTES
 
 - Strings:
   substr_compare() now allows $length to be zero.
+  pack() and unpack() now support 64-bit format specifiers: q, Q, J and P.
 
 - Crypt:
   crypt() will now raise an E_NOTICE error if the salt parameter is omitted.
@@ -269,6 +270,7 @@ PHP 5.6 UPGRADE NOTES
   Added gmp_root($a, $nth) and gmp_rootrem($a, $nth) for calculating nth roots.
   Added gmp_import($data, $word_size = 1, $options = GMP_MSW_FIRST | GMP_NATIVE_ENDIAN) in PHP 5.6.1.
   Added gmp_export($gmpnumber, $word_size = 1, $options = GMP_MSW_FIRST | GMP_NATIVE_ENDIAN) in PHP 5.6.1.
+  Added gmp_random_range() and gmp_random_bits() in PHP 5.6.3.
 
 - Hash
   Added hash_equals($known_string, $user_string)

Zend/tests/bug67633.phpt

@@ -0,0 +1,44 @@
+--TEST--
+Bug #67633: A foreach on an array returned from a function not doing copy-on-write
+--FILE--
+<?php
+
+function id($x) {
+    return $x;
+}
+
+function &ref_id(&$x) {
+    return $x;
+}
+
+$c = 'c';
+$array = ['a', 'b', $c];
+
+foreach(id($array) as &$v) {
+    $v .= 'q';
+}
+var_dump($array);
+
+foreach(ref_id($array) as &$v) {
+    $v .= 'q';
+}
+var_dump($array);
+
+?>
+--EXPECT--
+array(3) {
+  [0]=>
+  string(1) "a"
+  [1]=>
+  string(1) "b"
+  [2]=>
+  string(1) "c"
+}
+array(3) {
+  [0]=>
+  string(2) "aq"
+  [1]=>
+  string(2) "bq"
+  [2]=>
+  &string(2) "cq"
+}

Zend/tests/bug67985.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #67985 - Last used array index not copied to new array at assignment
+--FILE--
+<?php
+
+$a = ['zero', 'one', 'two'];
+unset($a[2]);
+$b = $a;
+$a[] = 'three';
+$b[] = 'three';
+
+var_dump($a === $b);
+
+?>
+--EXPECT--
+bool(true)

Zend/tests/bug68118.phpt

@@ -0,0 +1,21 @@
+--TEST--
+Bug #68118: $a->foo .= 'test'; can leave $a->foo undefined
+--FILE--
+<?php
+
+set_error_handler(function() {
+    $obj = new stdClass;
+    $obj->test = 'meow';
+    return true;
+});
+ 
+$a = new stdClass;
+$a->undefined .= 'test';
+var_dump($a);
+
+?>
+--EXPECT--
+object(stdClass)#2 (1) {
+  ["undefined"]=>
+  string(4) "test"
+}

Zend/zend.c

@@ -901,7 +901,7 @@ ZEND_API void _zend_bailout(char *filename, uint lineno) /* {{{ */
 /* }}} */
 END_EXTERN_C()
 
-void zend_append_version_info(const zend_extension *extension) /* {{{ */
+ZEND_API void zend_append_version_info(const zend_extension *extension) /* {{{ */
 {
 	char *new_info;
 	uint new_info_length;

Zend/zend_API.c

@@ -2499,7 +2499,7 @@ ZEND_API void zend_post_deactivate_modules(TSRMLS_D) /* {{{ */
 /* }}} */
 
 /* return the next free module number */
-int zend_next_free_module(void) /* {{{ */
+ZEND_API int zend_next_free_module(void) /* {{{ */
 {
 	return zend_hash_num_elements(&module_registry) + 1;
 }

Zend/zend_API.h

@@ -233,7 +233,7 @@ typedef struct _zend_fcall_info_cache {
 
 #define ZEND_FCI_INITIALIZED(fci) ((fci).size != 0)
 
-int zend_next_free_module(void);
+ZEND_API int zend_next_free_module(void);
 
 BEGIN_EXTERN_C()
 ZEND_API int zend_get_parameters(int ht, int param_count, ...);

Zend/zend_compile.c

@@ -6337,6 +6337,15 @@ void zend_do_foreach_begin(znode *foreach_token, znode *open_brackets_token, zno
 		/* save the location of FETCH_W instruction(s) */
 		open_brackets_token->u.op.opline_num = get_next_op_number(CG(active_op_array));
 		zend_do_end_variable_parse(array, BP_VAR_W, 0 TSRMLS_CC);
+
+		if (zend_is_function_or_method_call(array)) {
+			opline = get_next_op(CG(active_op_array) TSRMLS_CC);
+			opline->opcode = ZEND_SEPARATE;
+			SET_NODE(opline->op1, array);
+			SET_UNUSED(opline->op2);
+			opline->result_type = IS_VAR;
+			opline->result.var = opline->op1.var;
+		}
 	} else {
 		is_variable = 0;
 		open_brackets_token->u.op.opline_num = get_next_op_number(CG(active_op_array));

Zend/zend_extensions.h

@@ -111,7 +111,7 @@ END_EXTERN_C()
 ZEND_API extern zend_llist zend_extensions;
 
 void zend_extension_dtor(zend_extension *extension);
-void zend_append_version_info(const zend_extension *extension);
+ZEND_API void zend_append_version_info(const zend_extension *extension);
 int zend_startup_extensions_mechanism(void);
 int zend_startup_extensions(void);
 void zend_shutdown_extensions(TSRMLS_D);

Zend/zend_object_handlers.c

@@ -786,9 +786,6 @@ static zval **zend_std_get_property_ptr_ptr(zval *object, zval *member, int type
 			/* we don't have access controls - will just add it */
 			new_zval = &EG(uninitialized_zval);
 
-			if(UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R)) {
-				zend_error(E_NOTICE, "Undefined property: %s::$%s", zobj->ce->name, Z_STRVAL_P(member));
-			}
 			Z_ADDREF_P(new_zval);
 			if (EXPECTED((property_info->flags & ZEND_ACC_STATIC) == 0) &&
 			    property_info->offset >= 0) {
@@ -808,6 +805,12 @@ static zval **zend_std_get_property_ptr_ptr(zval *object, zval *member, int type
 				}
 				zend_hash_quick_update(zobj->properties, property_info->name, property_info->name_length+1, property_info->h, &new_zval, sizeof(zval *), (void **) &retval);
 			}
+
+			/* Notice is thrown after creation of the property, to avoid EG(std_property_info)
+			 * being overwritten in an error handler. */
+			if (UNEXPECTED(type == BP_VAR_RW || type == BP_VAR_R)) {
+				zend_error(E_NOTICE, "Undefined property: %s::$%s", zobj->ce->name, Z_STRVAL_P(member));
+			}
 		} else {
 			/* we do have getter - fail and let it try again with usual get/set */
 			retval = NULL;

Zend/zend_variables.c

@@ -138,6 +138,7 @@ ZEND_API void _zval_copy_ctor_func(zval *zvalue ZEND_FILE_LINE_DC)
 				ALLOC_HASHTABLE_REL(tmp_ht);
 				zend_hash_init(tmp_ht, zend_hash_num_elements(original_ht), NULL, ZVAL_PTR_DTOR, 0);
 				zend_hash_copy(tmp_ht, original_ht, (copy_ctor_func_t) zval_add_ref, (void *) &tmp, sizeof(zval *));
+				tmp_ht->nNextFreeElement = original_ht->nNextFreeElement;
 				zvalue->value.ht = tmp_ht;
 			}
 			break;

configure.in

@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=6
-PHP_RELEASE_VERSION=1
+PHP_RELEASE_VERSION=3
 PHP_EXTRA_VERSION="-dev"
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`
@@ -787,7 +787,12 @@ if test "$PHP_GCOV" = "yes"; then
     AC_MSG_ERROR([ccache must be disabled when --enable-gcov option is used. You can disable ccache by setting environment variable CCACHE_DISABLE=1.])
   fi
 
-  ltp_version_list="1.5 1.6 1.7 1.9 1.10"
+  dnl min: 1.5 (i.e. 105, major * 100 + minor for easier comparison)
+  ltp_version_min="105"
+  dnl non-working versions, e.g. "1.8 1.18";
+  dnl remove "none" when introducing the first incompatible LTP version an 
+  dnl separate any following additions by spaces
+  ltp_version_exclude="1.8"
 
   AC_CHECK_PROG(LTP, lcov, lcov)
   AC_CHECK_PROG(LTP_GENHTML, genhtml, genhtml)
@@ -797,21 +802,30 @@ if test "$PHP_GCOV" = "yes"; then
   if test "$LTP"; then
     AC_CACHE_CHECK([for ltp version], php_cv_ltp_version, [
       php_cv_ltp_version=invalid
-      ltp_version=`$LTP -v 2>/dev/null | $SED -e 's/^.* //'`
-      for ltp_check_version in $ltp_version_list; do
-        if test "$ltp_version" = "$ltp_check_version"; then
-          php_cv_ltp_version="$ltp_check_version (ok)"
+      ltp_version_vars=`$LTP -v 2>/dev/null | $SED -e 's/^.* //' -e 's/\./ /g' | tr -d a-z`
+      if test -n "$ltp_version_vars"; then
+        set $ltp_version_vars
+        ltp_version="${1}.${2}"
+        ltp_version_num="`expr ${1} \* 100 + ${2}`"
+        if test $ltp_version_num -ge $ltp_version_min; then
+          php_cv_ltp_version="$ltp_version (ok)"
+          for ltp_check_version in $ltp_version_exclude; do
+            if test "$ltp_version" = "$ltp_check_version"; then
+              php_cv_ltp_version=invalid
+              break
+            fi
+          done
         fi
-      done
+      fi
     ])
   else
-    ltp_msg="To enable code coverage reporting you must have one of the following LTP versions installed: $ltp_version_list"      
+    ltp_msg="To enable code coverage reporting you must have LTP installed"      
     AC_MSG_ERROR([$ltp_msg])
   fi
 
   case $php_cv_ltp_version in
     ""|invalid[)]
-      ltp_msg="You must have one of the following versions of LTP: $ltp_version_list (found: $ltp_version)."
+      ltp_msg="This LTP version is not supported (found: $ltp_version, min: $ltp_version_min, excluded: $ltp_version_exclude)."
       AC_MSG_ERROR([$ltp_msg])
       LTP="exit 0;"
       ;;