Merge branch 'PHP-5.5' of git.php.net:php-src into PHP-5.5

* 'PHP-5.5' of git.php.net:php-src: (27 commits)
  bump version
  Remove compile warning:    warning: unused variable ‘j’ [-Wunused-variable]
  Remove compile warnings:   warning: variable ‘lastch’ set but not used [-Wunused-but-set-variable]   warning: variable ‘buf’ set but not used [-Wunused-but-set-variable]
  Remove compile warning: variable ‘streamp’ set but not used [-Wunused-but-set-variable]
  Remove compile warnings:   variable ‘obj_cnt’ set but not used [-Wunused-but-set-variable]   unused variable ‘last’ [-Wunused-variable]   unused variable ‘j’ [-Wunused-variable]
  Remove compile warning "variable ‘mekeylen’ set but not used"
  Reduce (some more) compile noise of 'unused variable' and 'may be used uninitialized' warnings.
  Update NEWS
  Update NEWS
  fix bug #65481 (shutdown segfault due to serialize)
  Track created curl_slist structs by option so they can be updated in situ.
  Fixed bug #64503 (Compilation fails with error: conflicting types for 'zendparse').
  Fixed bug #64503 (Compilation fails with error: conflicting types for 'zendparse').
  added new glob() test
  fix using wrong buffer pointer
  Fix bug #65470	Segmentation fault in zend_error() with --enable-dtrace
  Fix for php bug #64802 includes test case
  Use in preg_replace_callback() using variables by reference and test for bug #64979
  https://bugs.php.net/bug.php?id=64979
  add CVE-2011-4718
  ...

Author: Yasuo Ohgaki

NEWS

@@ -1,10 +1,25 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2013, PHP 5.5.3
+?? ??? 2013, PHP 5.5.4
 
 - Core:
+  . Fixed bug #65470 (Segmentation fault in zend_error() with
+    --enable-dtrace). (Chris Jones, Kris Van Hees)
+  . Fixed bug #65225 (PHP_BINARY incorrectly set). (Patrick Allaert)
   . Fixed bug #62692 (PHP fails to build with DTrace). (Chris Jones, Kris Van Hees)
 
+- cURL:
+  . Fixed bug #65458 (curl memory leak). (Adam)
+
+- Openssl:
+  . Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in
+    some cases). (Mark Jones)
+
+22 Aug 2013, PHP 5.5.3
+
+- Openssl:
+  . Fixed UMR in fix for CVE-2013-4248.
+
 15 Aug 2013, PHP 5.5.2
 
 - Core:
@@ -52,7 +67,7 @@ PHP                                                                        NEWS
 - Sessions:
   . Implemented strict sessions RFC (https://wiki.php.net/rfc/strict_sessions)
     which protects against session fixation attacks and session collisions.    
-    (Yasuo Ohgaki)
+    (CVE-2011-4718). (Yasuo Ohgaki)
   . Fixed possible buffer overflow under Windows. Note: Not a security fix.
     (Yasuo)
   . Changed session.auto_start to PHP_INI_PERDIR. (Yasuo)

Zend/tests/bug64979.phpt

@@ -0,0 +1,32 @@
+--TEST--
+Bug #64578 (Closures with static variables can be generators)
+--XFAIL--
+Bug #64979 not fixed yet.
+--FILE--
+<?php
+
+function new_closure_gen() {
+	return function() { 
+		static $foo = 0; 
+		yield ++$foo; 
+	};
+}
+
+$closure1 = new_closure_gen();
+$closure2 = new_closure_gen();
+
+$gen1 = $closure1();
+$gen2 = $closure1();
+$gen3 = $closure2();
+
+foreach (array($gen1, $gen2, $gen3) as $gen) {
+  foreach ($gen as $val) {
+    print "$val\n";
+  }
+}
+
+?>
+--EXPECT--
+int(1)
+int(2)
+int(1)

Zend/tests/closure_047.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Closure 047: Use in preg_replace_callback() using variables by reference
+--FILE--
+<?php
+
+function replace_variables($text, $params) {
+	
+	preg_replace_callback( '/(\?)/', function($matches) use (&$params, &$text) {
+	
+		$text = preg_replace( '/(\?)/', array_shift( $params ), $text, 1 );
+	
+	}, $text );
+	
+	return $text;
+}
+
+echo replace_variables('a=?', array('0')) . "\n";
+echo replace_variables('a=?, b=?', array('0', '1')) . "\n";
+echo replace_variables('a=?, b=?, c=?', array('0', '1', '2')) . "\n";
+echo "Done\n";
+?>
+--EXPECT--
+a=0
+a=0, b=1
+a=0, b=1, c=2
+Done

Zend/tests/closure_048.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Closure 048: Use in preg_replace_callback() using variables by reference
+--FILE--
+<?php
+
+function replace_variables($text, $params) {
+	
+	$c = function($matches) use (&$params, &$text) {
+		$text = preg_replace( '/(\?)/', array_shift( $params ), $text, 1 );
+	};
+
+	preg_replace_callback( '/(\?)/', $c, $text );
+	
+	return $text;
+}
+
+echo replace_variables('a=?', array('0')) . "\n";
+echo replace_variables('a=?, b=?', array('0', '1')) . "\n";
+echo replace_variables('a=?, b=?, c=?', array('0', '1', '2')) . "\n";
+echo "Done\n";
+?>
+--EXPECT--
+a=0
+a=0, b=1
+a=0, b=1, c=2
+Done

Zend/zend.c

@@ -1092,17 +1092,19 @@ ZEND_API void zend_error(int type, const char *format, ...) /* {{{ */
 		error_filename = "Unknown";
 	}
 
-	va_start(args, format);
-
 #ifdef HAVE_DTRACE
 	if(DTRACE_ERROR_ENABLED()) {
 		char *dtrace_error_buffer;
+		va_start(args, format);
 		zend_vspprintf(&dtrace_error_buffer, 0, format, args);
 		DTRACE_ERROR(dtrace_error_buffer, (char *)error_filename, error_lineno);
 		efree(dtrace_error_buffer);
+		va_end(args);
 	}
 #endif /* HAVE_DTRACE */
 
+	va_start(args, format);
+
 	/* if we don't have a user defined error handler */
 	if (!EG(user_error_handler)
 		|| !(EG(user_error_handler_error_reporting) & type)

configure.in

@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=5
-PHP_RELEASE_VERSION=2
+PHP_RELEASE_VERSION=4
 PHP_EXTRA_VERSION="-dev"
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`

ext/bz2/bz2_filter.c

@@ -215,15 +215,13 @@ static php_stream_filter_status_t php_bz2_compress_filter(
 	size_t consumed = 0;
 	int status;
 	php_stream_filter_status_t exit_status = PSFS_FEED_ME;
-	bz_stream *streamp;
 
 	if (!thisfilter || !thisfilter->abstract) {
 		/* Should never happen */
 		return PSFS_ERR_FATAL;
 	}
 
 	data = (php_bz2_filter_data *)(thisfilter->abstract);
-	streamp = &(data->strm);
 
 	while (buckets_in->head) {
 		size_t bin = 0, desired;

ext/curl/interface.c

@@ -1717,9 +1717,9 @@ static void curl_free_post(void **post)
 
 /* {{{ curl_free_slist
  */
-static void curl_free_slist(void **slist)
+static void curl_free_slist(void *slist)
 {
-	curl_slist_free_all((struct curl_slist *) *slist);
+	curl_slist_free_all(*((struct curl_slist **) slist));
 }
 /* }}} */
 
@@ -1790,9 +1790,11 @@ static void alloc_curl_handle(php_curl **ch)
 	(*ch)->handlers->read->stream = NULL;
 
 	zend_llist_init(&(*ch)->to_free->str,   sizeof(char *),            (llist_dtor_func_t) curl_free_string, 0);
-	zend_llist_init(&(*ch)->to_free->slist, sizeof(struct curl_slist), (llist_dtor_func_t) curl_free_slist,  0);
 	zend_llist_init(&(*ch)->to_free->post,  sizeof(struct HttpPost),   (llist_dtor_func_t) curl_free_post,   0);
 	(*ch)->safe_upload = 0; /* for now, for BC reason we allow unsafe API */
+
+	(*ch)->to_free->slist = emalloc(sizeof(HashTable));
+	zend_hash_init((*ch)->to_free->slist, 4, NULL, curl_free_slist, 0);
 }
 /* }}} */
 
@@ -2043,6 +2045,7 @@ PHP_FUNCTION(curl_copy_handle)
 	}
 #endif
 
+	efree(dupch->to_free->slist);
 	efree(dupch->to_free);
 	dupch->to_free = ch->to_free;
 
@@ -2438,7 +2441,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 
 			ph = HASH_OF(*zvalue);
 			if (!ph) {
-				char *name;
+				char *name = NULL;
 				switch (option) {
 					case CURLOPT_HTTPHEADER:
 						name = "CURLOPT_HTTPHEADER";
@@ -2488,7 +2491,7 @@ static int _php_curl_setopt(php_curl *ch, long option, zval **zvalue, zval *retu
 					return 1;
 				}
 			}
-			zend_llist_add_element(&ch->to_free->slist, &slist);
+			zend_hash_index_update(ch->to_free->slist, (ulong) option, &slist, sizeof(struct curl_slist *), NULL);
 
 			error = curl_easy_setopt(ch->cp, option, slist);
 
@@ -3266,8 +3269,9 @@ static void _php_curl_close_ex(php_curl *ch TSRMLS_DC)
 	/* cURL destructors should be invoked only by last curl handle */
 	if (Z_REFCOUNT_P(ch->clone) <= 1) {
 		zend_llist_clean(&ch->to_free->str);
-		zend_llist_clean(&ch->to_free->slist);
 		zend_llist_clean(&ch->to_free->post);
+		zend_hash_destroy(ch->to_free->slist);
+		efree(ch->to_free->slist);
 		efree(ch->to_free);
 		FREE_ZVAL(ch->clone);
 	} else {

ext/curl/php_curl.h

@@ -168,7 +168,7 @@ struct _php_curl_send_headers {
 struct _php_curl_free {
 	zend_llist str;
 	zend_llist post;
-	zend_llist slist;
+	HashTable *slist;
 };
 
 typedef struct {

ext/curl/tests/bug65458.phpt

@@ -0,0 +1,25 @@
+--TEST--
+Bug #65458 (curl memory leak)
+--SKIPIF--
+<?php
+if (!extension_loaded('curl')) exit("skip curl extension not loaded");
+?>
+--FILE--
+<?php
+$ch = curl_init();
+$init = memory_get_usage();
+for ($i = 0; $i < 10000; $i++) {
+    curl_setopt($ch, CURLOPT_HTTPHEADER, [ "SOAPAction: getItems" ]);
+}
+
+$preclose = memory_get_usage();
+curl_close($ch);
+
+// This is a slightly tricky heuristic, but basically, we want to ensure
+// $preclose - $init has a delta in the order of bytes, not megabytes. Given
+// the number of iterations in the loop, if we're wasting memory here, we
+// should have megs and megs of extra allocations.
+var_dump(($preclose - $init) < 10000);
+?>
+--EXPECT--
+bool(true)

ext/ftp/ftp.c

@@ -790,7 +790,6 @@ int
 ftp_get(ftpbuf_t *ftp, php_stream *outstream, const char *path, ftptype_t type, long resumepos TSRMLS_DC)
 {
 	databuf_t		*data = NULL;
-	int			lastch;
 	size_t			rcvd;
 	char			arg[11];
 
@@ -828,7 +827,6 @@ ftp_get(ftpbuf_t *ftp, php_stream *outstream, const char *path, ftptype_t type,
 		goto bail;
 	}
 
-	lastch = 0;
 	while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) {
 		if (rcvd == -1) {
 			goto bail;
@@ -1187,12 +1185,9 @@ ftp_readline(ftpbuf_t *ftp)
 int
 ftp_getresp(ftpbuf_t *ftp)
 {
-	char *buf;
-
 	if (ftp == NULL) {
 		return 0;
 	}
-	buf = ftp->inbuf;
 	ftp->resp = 0;
 
 	while (1) {

ext/intl/calendar/calendar_methods.cpp

@@ -184,7 +184,6 @@ U_CFUNC PHP_FUNCTION(intlcal_get_keyword_values_for_locale)
 
 U_CFUNC PHP_FUNCTION(intlcal_get_now)
 {
-	UErrorCode	status			= U_ZERO_ERROR;
 	intl_error_reset(NULL TSRMLS_CC);
 
 	if (zend_parse_parameters_none() == FAILURE) {

ext/intl/calendar/gregoriancalendar_methods.cpp

@@ -38,7 +38,6 @@ static inline GregorianCalendar *fetch_greg(Calendar_object *co) {
 
 static void _php_intlgregcal_constructor_body(INTERNAL_FUNCTION_PARAMETERS)
 {
-	zval		*object		= getThis();
 	zval		**tz_object	= NULL;
 	zval		**args_a[6] = {0},
 				***args		= &args_a[0];
@@ -84,7 +83,7 @@ static void _php_intlgregcal_constructor_body(INTERNAL_FUNCTION_PARAMETERS)
 	}
 
 	// instantion of ICU object
-	GregorianCalendar *gcal;
+	GregorianCalendar *gcal = NULL;
 
 	if (variant <= 2) {
 		// From timezone and locale (0 to 2 arguments)

ext/intl/msgformat/msgformat_helpers.cpp

@@ -487,7 +487,7 @@ U_CFUNC void umsg_format_helper(MessageFormatter_object *mfo,
 				}
 			case Formattable::kLong:
 				{
-					int32_t tInt32;
+					int32_t tInt32 = 0;
 retry_klong:
 					if (Z_TYPE_PP(elem) == IS_DOUBLE) {
 						if (Z_DVAL_PP(elem) > (double)INT32_MAX ||
@@ -517,7 +517,7 @@ U_CFUNC void umsg_format_helper(MessageFormatter_object *mfo,
 				}
 			case Formattable::kInt64:
 				{
-					int64_t tInt64;
+					int64_t tInt64 = 0;
 retry_kint64:
 					if (Z_TYPE_PP(elem) == IS_DOUBLE) {
 						if (Z_DVAL_PP(elem) > (double)U_INT64_MAX ||

ext/intl/resourcebundle/resourcebundle_class.c

@@ -163,7 +163,6 @@ static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_
 {
 	int32_t     meindex = 0;
 	char *      mekey = NULL;
-	long        mekeylen;
     zend_bool    is_numeric = 0;
 	char         *pbuf;
 	ResourceBundle_object *rb;
@@ -177,7 +176,6 @@ static void resourcebundle_array_fetch(zval *object, zval *offset, zval *return_
 		rb->child = ures_getByIndex( rb->me, meindex, rb->child, &INTL_DATA_ERROR_CODE(rb) );
 	} else if(Z_TYPE_P(offset) == IS_STRING) {
 		mekey = Z_STRVAL_P(offset);
-		mekeylen = Z_STRLEN_P(offset);
 		rb->child = ures_getByKey(rb->me, mekey, rb->child, &INTL_DATA_ERROR_CODE(rb) );
 	} else {
 		intl_errors_set(INTL_DATA_ERROR_P(rb), U_ILLEGAL_ARGUMENT_ERROR,