Merge branch 'PHP-5.3' of https://git.php.net/push/php-src into PHP-5.3

* 'PHP-5.3' of https://git.php.net/push/php-src: (23 commits)
  Merge PHP 5.3.27 NEWS
  add test for bug #65236
  truncate results at depth of 255 to prevent corruption
  fix assembly of safe_address() for x86 and x86_64
  Add bison 2.6.4 to the list of supported versions
  Update git rules (5.5 is stable, 5.3 sec only)
  This will be PHP 5.3.28
  Fixed bug #63186 (compile failure on netbsd)
  ensure the error_reporting level to get expected notice
  fixed tests
  missing tests for bug #53437
  missing colon
  Backported the fix for bug #53437
  Fixed test script
  Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 64-bits systems)
  Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
  Fixed bug #64934 Apache2 TS crash with get_browser()
  Add NEWS for PHP 5.3.26
  Fixed bug #64960 (Segfault in gc_zval_possible_root)
  fix CVE-2013-2110 - use correct formula to calculate string size
  ...

Author: Stanley Sufficool

NEWS

@@ -1,6 +1,18 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2013, PHP 5.3.27
+?? ??? 2013, PHP 5.3.28
+
+11 Jul 2013, PHP 5.3.27
+
+- Core:
+  . Fixed bug #64966 (segfault in zend_do_fcall_common_helper_SPEC). (Laruence)
+  . Fixed bug #64960 (Segfault in gc_zval_possible_root). (Laruence)
+  . Fixed bug #64934 (Apache2 TS crash with get_browser()). (Anatol)
+  . Fixed bug #63186 (compile failure on netbsd). (Matteo)
+
+- DateTime:
+  . Fixed bug #53437 (Crash when using unserialized DatePeriod instance).
+    (Gustavo, Derick, Anatol)
 
 - PDO_firebird:
   . Fixed bug #64037 (Firebird return wrong value for numeric field).
@@ -11,9 +23,21 @@ PHP                                                                        NEWS
 - PDO_pgsql:
   . Fixed bug #64949 (Buffer overflow in _pdo_pgsql_error). (Remi)
 
-?? ??? 2013, PHP 5.3.26
+- pgsql:
+  . Fixed bug #64609 (pg_convert enum type support). (Matteo)
 
-### DO NOT ADD ENTRIES HERE, ADD THEM ABOVE FOR 5.3.27 ###
+- SPL:
+  . Fixed bug #64997 (Segfault while using RecursiveIteratorIterator on 
+    64-bits systems). (Laruence)
+
+- XML:
+  . Fixed bug #65236 (heap corruption in xml parser). (Rob)
+
+06 Jun 2013, PHP 5.3.26
+
+- Core:
+  . Fixed bug #64879 (Heap based buffer overflow in quoted_printable_encode,
+    CVE 2013-2110). (Stas)
 
 - Calendar:
   . Fixed bug #64895 (Integer overflow in SndToJewish). (Remi)

README.GIT-RULES

@@ -45,14 +45,17 @@ Currently we have the following branches in use::
 
   master    The active development branch. 
 
-  PHP-5.4   Is used to release the PHP 5.4.x series. It still allows for
-            larger enhancements.
+  PHP-5.5   Is used to release the PHP 5.5.x series. This is a current
+            stable version and is open for bugfixes only.
 
-  PHP-5.3   Is used to release the PHP 5.3.x series. This is current 
+  PHP-5.4   Is used to release the PHP 5.4.x series. This is a current
             stable version and is open for bugfixes only.
 
-  PHP-5.2   Is used to release the PHP 5.2.x series. It is closed for 
-            changes now.
+  PHP-5.3   Is used to release the PHP 5.3.x series. This is currently 
+            in extended support and open forsecurity fixes only. Triaged
+            via security@php.net
+
+  PHP-5.2   This branch is closed.
 
   PHP-5.1   This branch is closed.
 

Zend/acinclude.m4

@@ -4,7 +4,7 @@ dnl This file contains local autoconf functions.
 
 AC_DEFUN([LIBZEND_BISON_CHECK],[
   # we only support certain bison versions
-  bison_version_list="1.28 1.35 1.75 1.875 2.0 2.1 2.2 2.3 2.4 2.4.1 2.4.2 2.4.3 2.5 2.5.1 2.6 2.6.1 2.6.2"
+  bison_version_list="1.28 1.35 1.75 1.875 2.0 2.1 2.2 2.3 2.4 2.4.1 2.4.2 2.4.3 2.5 2.5.1 2.6 2.6.1 2.6.2 2.6.4"
 
   # for standalone build of Zend Engine
   test -z "$SED" && SED=sed

Zend/tests/bug64960.phpt

@@ -0,0 +1,40 @@
+--TEST--
+Bug #64960 (Segfault in gc_zval_possible_root)
+--FILE--
+<?php
+// this makes ob_end_clean raise an error
+ob_end_flush();
+
+class ExceptionHandler {
+	public function __invoke (Exception $e)
+	{
+		// this triggers the custom error handler
+		ob_end_clean();
+	}
+}
+
+// this must be a class, closure does not trigger segfault
+set_exception_handler(new ExceptionHandler());
+
+// exception must be throwed from error handler.
+set_error_handler(function()
+{
+	$e = new Exception;
+	$e->_trace = debug_backtrace();
+	
+	throw $e;
+});
+
+// trigger error handler
+$a['waa'];
+?>
+--EXPECTF--
+Notice: ob_end_flush(): failed to delete and flush buffer. No buffer to delete or flush in %sbug64960.php on line 3
+
+Fatal error: Uncaught exception 'Exception' in %sbug64960.php:19
+Stack trace:
+#0 [internal function]: {closure}(8, 'ob_end_clean():...', '%s', 9, Array)
+#1 %sbug64960.php(9): ob_end_clean()
+#2 [internal function]: ExceptionHandler->__invoke(Object(Exception))
+#3 {main}
+  thrown in %sbug64960.php on line 19

Zend/tests/bug64966.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #64966 (segfault in zend_do_fcall_common_helper_SPEC)
+--FILE--
+<?php
+error_reporting(E_ALL);
+set_error_handler(function($error) { throw new Exception(); }, E_RECOVERABLE_ERROR);
+
+function test($func) {
+	$a = $func("");
+	return true;
+}
+class A {
+	public function b() {
+		test("strlen");
+		test("iterator_apply");
+	}
+}
+
+$a = new A();
+$a->b();
+?>
+--EXPECTF--
+Fatal error: Uncaught exception 'Exception' in %sbug64966.php:3
+Stack trace:
+#0 [internal function]: {closure}(4096, 'Argument 1 pass...', '%s', 6, Array)
+#1 %sbug64966.php(6): iterator_apply('')
+#2 %sbug64966.php(12): test('iterator_apply')
+#3 %sbug64966.php(17): A->b()
+#4 {main}
+  thrown in %sbug64966.php on line 3

Zend/zend_alloc.c

@@ -2386,7 +2386,7 @@ static inline size_t safe_address(size_t nmemb, size_t size, size_t offset)
 	size_t res = nmemb;
 	unsigned long overflow = 0;
 
-	__asm__ ("mull %3\n\taddl %4,%0\n\tadcl %1,%1"
+	__asm__ ("mull %3\n\taddl %4,%0\n\tadcl $0,%1"
 	     : "=&a"(res), "=&d" (overflow)
 	     : "%0"(res),
 	       "rm"(size),
@@ -2406,7 +2406,7 @@ static inline size_t safe_address(size_t nmemb, size_t size, size_t offset)
         size_t res = nmemb;
         unsigned long overflow = 0;
 
-        __asm__ ("mulq %3\n\taddq %4,%0\n\tadcq %1,%1"
+        __asm__ ("mulq %3\n\taddq %4,%0\n\tadcq $0,%1"
              : "=&a"(res), "=&d" (overflow)
              : "%0"(res),
                "rm"(size),

Zend/zend_execute_API.c

@@ -263,15 +263,13 @@ void shutdown_executor(TSRMLS_D) /* {{{ */
 		if (EG(user_error_handler)) {
 			zeh = EG(user_error_handler);
 			EG(user_error_handler) = NULL;
-			zval_dtor(zeh);
-			FREE_ZVAL(zeh);
+			zval_ptr_dtor(&zeh);
 		}
 
 		if (EG(user_exception_handler)) {
 			zeh = EG(user_exception_handler);
 			EG(user_exception_handler) = NULL;
-			zval_dtor(zeh);
-			FREE_ZVAL(zeh);
+			zval_ptr_dtor(&zeh);
 		}
 
 		zend_stack_destroy(&EG(user_error_handlers_error_reporting));

Zend/zend_vm_def.h

@@ -2327,6 +2327,8 @@ ZEND_VM_HELPER(zend_do_fcall_common_helper, ANY, ANY)
 			if (!RETURN_VALUE_USED(opline)) {
 				zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 			}
+		} else if (RETURN_VALUE_USED(opline)) {
+			EX_T(opline->result.u.var).var.ptr = NULL;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		EX(original_return_value) = EG(return_value_ptr_ptr);

Zend/zend_vm_execute.h

@@ -327,6 +327,8 @@ static int ZEND_FASTCALL zend_do_fcall_common_helper_SPEC(ZEND_OPCODE_HANDLER_AR
 			if (!RETURN_VALUE_USED(opline)) {
 				zval_ptr_dtor(&EX_T(opline->result.u.var).var.ptr);
 			}
+		} else if (RETURN_VALUE_USED(opline)) {
+			EX_T(opline->result.u.var).var.ptr = NULL;
 		}
 	} else if (EX(function_state).function->type == ZEND_USER_FUNCTION) {
 		EX(original_return_value) = EG(return_value_ptr_ptr);

configure.in

@@ -41,7 +41,7 @@ AC_CONFIG_HEADER(main/php_config.h)
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=3
-PHP_RELEASE_VERSION=27
+PHP_RELEASE_VERSION=28
 PHP_EXTRA_VERSION="-dev"
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`