Merge branch 'PHP-5.6' of git.php.net:/php-src into PHP-5.6

* 'PHP-5.6' of git.php.net:/php-src:
  update NEWS
  Fixed bug #71559 Built-in HTTP server, we can downlaod file in web by bug
  Check length of string before comparing to :memory:
  Fix bounds check in strip_tags()
  Fix test description
  FIx bug #71569

Author: laruence

NEWS

@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug #71523 (Copied handle with new option CURLOPT_HTTPHEADER crashes
     while curl_multi_exec). (Laruence)
 
+- CLI server:
+  . Bug #71559 (Built-in HTTP server, we can download file in web by bug).
+    (Johannes, Anatol)
+
 - Date:
   . Fixed bug #68078 (Datetime comparisons ignore microseconds). (Willem-Jan
     Zijderveld)
@@ -17,6 +21,9 @@ PHP                                                                        NEWS
   . Fixed bug #62172 (FPM not working with Apache httpd 2.4 balancer/fcgi
     setup). (Matt Haught, Remi)
 
+- PDO MySQL:
+  . Fixed bug #71569 (#70389 fix causes segmentation fault). (Nikita)
+
 - Standard:
   . Fixed bug #70720 (strip_tags improper php code parsing). (Julien)
 

ext/pdo_mysql/mysql_driver.c

@@ -658,31 +658,31 @@ static int pdo_mysql_handle_factory(pdo_dbh_t *dbh, zval *driver_options TSRMLS_
 		init_cmd = pdo_attr_strval(driver_options, PDO_MYSQL_ATTR_INIT_COMMAND, NULL TSRMLS_CC);
 		if (init_cmd) {
 			if (mysql_options(H->server, MYSQL_INIT_COMMAND, (const char *)init_cmd)) {
-				efree(init_cmd);
+				str_efree(init_cmd);
 				pdo_mysql_error(dbh);
 				goto cleanup;
 			}
-			efree(init_cmd);
+			str_efree(init_cmd);
 		}
 #ifndef PDO_USE_MYSQLND		
 		default_file = pdo_attr_strval(driver_options, PDO_MYSQL_ATTR_READ_DEFAULT_FILE, NULL TSRMLS_CC);
 		if (default_file) {
 			if (mysql_options(H->server, MYSQL_READ_DEFAULT_FILE, (const char *)default_file)) {
-				efree(default_file);
+				str_efree(default_file);
 				pdo_mysql_error(dbh);
 				goto cleanup;
 			}
-			efree(default_file);
+			str_efree(default_file);
 		}
 
 		default_group= pdo_attr_strval(driver_options, PDO_MYSQL_ATTR_READ_DEFAULT_GROUP, NULL TSRMLS_CC);
 		if (default_group) {
 			if (mysql_options(H->server, MYSQL_READ_DEFAULT_GROUP, (const char *)default_group)) {
-				efree(default_group);
+				str_efree(default_group);
 				pdo_mysql_error(dbh);
 				goto cleanup;
 			}
-			efree(default_group);
+			str_efree(default_group);
 		}
 #endif
 		compress = pdo_attr_lval(driver_options, PDO_MYSQL_ATTR_COMPRESS, 0 TSRMLS_CC);
@@ -702,19 +702,19 @@ static int pdo_mysql_handle_factory(pdo_dbh_t *dbh, zval *driver_options TSRMLS_
 		if (ssl_key || ssl_cert || ssl_ca || ssl_capath || ssl_cipher) {
 			mysql_ssl_set(H->server, ssl_key, ssl_cert, ssl_ca, ssl_capath, ssl_cipher);
 			if (ssl_key) {
-				efree(ssl_key);
+				str_efree(ssl_key);
 			}
 			if (ssl_cert) {
-				efree(ssl_cert);
+				str_efree(ssl_cert);
 			}
 			if (ssl_ca) {
-				efree(ssl_ca);
+				str_efree(ssl_ca);
 			}
 			if (ssl_capath) {
-				efree(ssl_capath);
+				str_efree(ssl_capath);
 			}
 			if (ssl_cipher) {
-				efree(ssl_cipher);
+				str_efree(ssl_cipher);
 			}
 		}
 
@@ -724,10 +724,10 @@ static int pdo_mysql_handle_factory(pdo_dbh_t *dbh, zval *driver_options TSRMLS_
 			if (public_key) {
 				if (mysql_options(H->server, MYSQL_SERVER_PUBLIC_KEY, public_key)) {
 					pdo_mysql_error(dbh);
-					efree(public_key);
+					str_efree(public_key);
 					goto cleanup;
 				}
-				efree(public_key);
+				str_efree(public_key);
 			}
 		}
 #endif

ext/pdo_mysql/tests/bug71569.phpt

@@ -0,0 +1,23 @@
+--TEST--
+Bug #71569 (#70389 fix causes segmentation fault)
+--SKIPIF--
+<?php
+require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'skipif.inc');
+require_once(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'mysql_pdo_test.inc');
+MySQLPDOTest::skip();
+?>
+--FILE--
+<?php
+require(dirname(__FILE__). DIRECTORY_SEPARATOR . 'config.inc');
+
+try {
+    new PDO(PDO_MYSQL_TEST_DSN, PDO_MYSQL_TEST_USER, PDO_MYSQL_TEST_PASS, [
+        PDO::MYSQL_ATTR_INIT_COMMAND => null,
+    ]);
+} catch (PDOException $e) {
+    echo $e->getMessage();
+}
+
+?>
+--EXPECT--
+SQLSTATE[42000] [1065] Query was empty

ext/sqlite3/sqlite3.c

@@ -123,7 +123,8 @@ PHP_METHOD(sqlite3, open)
 	if (strlen(filename) != filename_len) {
 		return;
 	}
-	if (memcmp(filename, ":memory:", sizeof(":memory:")) != 0) {
+	if (filename_len != sizeof(":memory:")-1 ||
+			memcmp(filename, ":memory:", sizeof(":memory:")-1) != 0) {
 		if (!(fullpath = expand_filepath(filename, NULL TSRMLS_CC))) {
 			zend_throw_exception(zend_exception_get_default(TSRMLS_C), "Unable to expand filepath", 0 TSRMLS_CC);
 			return;

ext/standard/string.c

@@ -4822,7 +4822,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 				 * state == 2 (PHP). Switch back to HTML.
 				 */
 
-				if (state == 2 && p > buf+2 && strncasecmp(p-4, "<?xm", 4) == 0) {
+				if (state == 2 && p > buf+4 && strncasecmp(p-4, "<?xm", 4) == 0) {
 					state = 1; is_xml=1;
 					break;
 				}

sapi/cli/php_cli_server.c

@@ -2058,6 +2058,19 @@ static int php_cli_server_begin_send_static(php_cli_server *server, php_cli_serv
 		return php_cli_server_send_error_page(server, client, 400 TSRMLS_CC);
 	}
 
+#ifdef PHP_WIN32
+	/* The win32 namespace will cut off trailing dots and spaces. Since the
+	   VCWD functionality isn't used here, a sophisticated functionality
+	   would have to be reimplemented to know ahead there are no files
+	   with invalid names there. The simplest is just to forbid invalid
+	   filenames, which is done here. */
+	if (client->request.path_translated &&
+		('.' == client->request.path_translated[client->request.path_translated_len-1] ||
+		 ' ' == client->request.path_translated[client->request.path_translated_len-1])) {
+		return php_cli_server_send_error_page(server, client, 500);
+	}
+#endif
+
 	fd = client->request.path_translated ? open(client->request.path_translated, O_RDONLY): -1;
 	if (fd < 0) {
 		return php_cli_server_send_error_page(server, client, 404 TSRMLS_CC);