Merge branch 'PHP-5.4' of https://git.php.net/push/php-src into PHP-5.4

* 'PHP-5.4' of https://git.php.net/push/php-src: (140 commits)
  Copy dba_*() keys before converting to string.
  Fix the broken sh syntax in ext/imap/config.m4.
  Revert "EmptyIterator now implements Countable; fixes bug 60577"
  RFC 6598 reserved ip range starts at 100.64.0.0
  fix a very rare case of use of uninitialized value combined with a memleak
  NEWS for added reserved ip addresses according to RFC 6598
  Add RFC 6598 IPs to reserved addresses
  NEWS for #60577
  NEWS for bug #64441
  Fix bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names)
  EmptyIterator now implements Countable; fixes bug 60577
  News for bugfix #64157
  Bug 64157 Changed error message to make sense
  Tinker with the wording of the short_open_tag description.
  Handle CLI server request headers case insensitively.
  5.4.21 now
  Typo....
  Add a XFAIL test for #64896
  Fixed Bug #65564 stack-buffer-overflow in DateTimeZone stuff caught by AddressSanitizer
  Fixed bug #60598 (cli/apache sapi segfault on objects manipulation)
  ...

Author: Stanley Sufficool

Makefile.global

@@ -10,7 +10,7 @@ all: $(all_targets)
 	@echo "Build complete."
 	@echo "Don't forget to run 'make test'."
 	@echo
-	
+
 build-modules: $(PHP_MODULES) $(PHP_ZEND_EX)
 
 build-binaries: $(PHP_BINARIES)
@@ -116,7 +116,7 @@ clean:
 	rm -f libphp$(PHP_MAJOR_VERSION).la $(SAPI_CLI_PATH) $(OVERALL_TARGET) modules/* libs/*
 
 distclean: clean
-	rm -f Makefile config.cache config.log config.status Makefile.objects Makefile.fragments libtool main/php_config.h stamp-h sapi/apache/libphp$(PHP_MAJOR_VERSION).module buildmk.stamp
+	rm -f Makefile config.cache config.log config.status Makefile.objects Makefile.fragments libtool main/php_config.h stamp-h sapi/apache/libphp$(PHP_MAJOR_VERSION).module buildmk.stamp Zend/zend_dtrace_gen.h Zend/zend_dtrace_gen.h.bak
 	$(EGREP) define'.*include/php' $(top_srcdir)/configure | $(SED) 's/.*>//'|xargs rm -f
 
 .PHONY: all clean install distclean test

NEWS

@@ -1,8 +1,119 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2013, PHP 5.4.18
+?? ??? 2013, PHP 5.4.21
+
+- CLI server:
+  . Fixed bug #65633 (built-in server treat some http headers as
+    case-sensitive). (Adam)
+
+- Datetime:
+  . Fixed bug #64157 (DateTime::createFromFormat() reports confusing error
+    message). (Boro Sitnikovski)
+
+- DBA extension:
+  . Fixed bug #65708 (dba functions cast $key param to string in-place,
+    bypassing copy on write). (Adam)
+
+- Filter:
+  . Add RFC 6598 IPs to reserved addresses. (Sebastian Nohn)
+  . Fixed bug #64441 (FILTER_VALIDATE_URL rejects fully qualified domain names).
+    (Syra)
+
+- IMAP:
+  . Fixed bug #65721 (configure script broken in 5.5.4 and 5.4.20 when enabling
+    imap). (ryotakatsuki at gmail dot com)
+
+?? ??? 2013, PHP 5.4.20
+
+- Core:
+  . Fixed bug #60598 (cli/apache sapi segfault on objects manipulation).
+    (Laruence)
+  . Fixed bug #65579 (Using traits with get_class_methods causes segfault).
+    (Adam)
+  . Fixed bug #65490 (Duplicate calls to get lineno & filename for 
+    DTRACE_FUNCTION_*). (Chris Jones)
+  . Fixed bug #65483 (quoted-printable encode stream filter incorrectly encoding
+    spaces). (Michael M Slusarz)
+  . Fixed bug #65481 (shutdown segfault due to serialize) (Mike)
+  . Fixed bug #65470 (Segmentation fault in zend_error() with 
+    --enable-dtrace). (Chris Jones, Kris Van Hees)
+  . Fixed bug #65372 (Segfault in gc_zval_possible_root when return reference
+    fails). (Laruence)
+  . Fixed bug #65304 (Use of max int in array_sum). (Laruence)
+  . Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very
+    limited case). (Arpad)
+  . Fixed bug #65225 (PHP_BINARY incorrectly set). (Patrick Allaert)
+  . Improved fix for bug #63186 (compile failure on netbsd). (Matteo)
+  . Fixed bug #62692 (PHP fails to build with DTrace). (Chris Jones, Kris Van Hees)
+  . Fixed bug #61759 (class_alias() should accept classes with leading
+    backslashes). (Julien)
+  . Fixed bug #61345 (CGI mode - make install don't work). (Michael Heimpold)
+  . Cherry-picked some DTrace build commits (allowing builds on Linux,
+    bug #62691, and bug #63706) from PHP 5.5 branch
+  . Fixed bug #61268 (--enable-dtrace leads make to clobber
+    Zend/zend_dtrace.d) (Chris Jones)
+
+- cURL:
+  . Fixed bug #65458 (curl memory leak). (Adam)
+
+- Datetime:
+  . Fixed bug #65554 (createFromFormat broken when weekday name is followed 
+    by some delimiters). (Valentin Logvinskiy, Stas).
+  . Fixed bug #65564 (stack-buffer-overflow in DateTimeZone stuff caught
+    by AddressSanitizer). (Remi).
+
+- Openssl:
+  . Fixed bug #64802 (openssl_x509_parse fails to parse subject properly in 
+    some cases). (Mark Jones)
+
+- Session:
+  . Fixed bug #62129 (rfc1867 crashes php even though turned off). (gxd305 at
+    gmail dot com)
+  . Fixed bug #50308 (session id not appended properly for empty anchor tags).
+    (Arpad)
+  . Fixed possible buffer overflow under Windows. Note: Not a security fix.
+    (Yasuo)
+  . Changed session.auto_start to PHP_INI_PERDIR. (Yasuo)
+
+- SOAP:
+  . Fixed bug #65018 (SoapHeader problems with SoapServer). (Dmitry)
+
+- SPL:
+  . Fixed bug #65328 (Segfault when getting SplStack object Value). (Laruence)
+
+- PDO:
+  . Fixed bug #64953 (Postgres prepared statement positional parameter 
+    casting). (Mike)
+
+- Phar:
+  . Fixed bug #65028 (Phar::buildFromDirectory creates corrupt archives for 
+    some specific contents). (Stas)
+
+- Pgsql:
+  . Fixed bug #65336 (pg_escape_literal/identifier() silently returns false).
+    (Yasuo)
+  . Fixed bug #62978 (Disallow possible SQL injections with pg_select()/pg_update()
+    /pg_delete()/pg_insert()). (Yasuo)
+
+- Zlib:
+  . Fixed bug #65391 (Unable to send vary header user-agent when 
+    ob_start('ob_gzhandler') is called) (Mike)
+
+22 Aug 2013, PHP 5.4.19
 
 - Core:
+  . Fixed bug #64503 (Compilation fails with error: conflicting types for
+    'zendparse'). (Laruence)
+
+- Openssl:
+  . Fixed UMR in fix for CVE-2013-4248.
+
+15 Aug 2013, PHP 5.4.18
+
+- Core:
+  . Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was
+    erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value). (Andrey 
+    avp200681 gmail com).
   . Fixed bug #65254 (Exception not catchable when exception thrown in autoload
     with a namespace). (Laruence)
   . Fixed bug #65108 (is_callable() triggers Fatal Error). 
@@ -24,6 +135,9 @@ PHP                                                                        NEWS
   . Fixed bug #65066 (Cli server not responsive when responding with 422 http
     status code). (Adam)
 
+- CURL:
+  . Fixed bug #62665 (curl.cainfo doesn't appear in php.ini). (Lior Kaplan)
+
 - FPM:
   . Fixed bug #63983 (enabling FPM borks compile on FreeBSD).
     (chibisuke at web dot de, Felipe)
@@ -51,10 +165,18 @@ PHP                                                                        NEWS
   . Fixed bug #61387 (NULL valued anonymous column causes segfault in 
     odbc_fetch_array). (Brandon Kirsch)
 
+- Openssl:
+  . Fixed handling null bytes in subjectAltName (CVE-2013-4248).
+    (Christian Heimes)
+
 - PDO:
   . Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
     (Chris Jones)
 
+- PDO_dblib:
+  . Fixed bug #65219 (PDO/dblib not working anymore ("use dbName" not sent)). 
+    (Stanley Sufficool)
+
 - PDO_pgsql:
   . Fixed meta data retrieve when OID is larger than 2^31. (Yasuo)
 
@@ -80,6 +202,9 @@ PHP                                                                        NEWS
   . Fixed bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0,
     keys are strings). (Adam)
 
+- XML:
+  . Fixed bug #65236 (heap corruption in xml parser, CVE-2013-4113). (Rob)
+
 04 Jul 2013, PHP 5.4.17
 
 - Core:

TSRM/tsrm_win32.c

@@ -625,7 +625,7 @@ TSRM_API int shmget(int key, int size, int flags)
 	shm->info	 = info_handle;
 	shm->descriptor = MapViewOfFileEx(shm->info, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
 
-	if (created) {
+	if (NULL != shm->descriptor && created) {
 		shm->descriptor->shm_perm.key	= key;
 		shm->descriptor->shm_segsz		= size;
 		shm->descriptor->shm_ctime		= time(NULL);
@@ -639,8 +639,10 @@ TSRM_API int shmget(int key, int size, int flags)
 		shm->descriptor->shm_perm.mode	= shm->descriptor->shm_perm.seq	= 0;
 	}
 
-	if (shm->descriptor->shm_perm.key != key || size > shm->descriptor->shm_segsz ) {
-		CloseHandle(shm->segment);
+	if (NULL != shm->descriptor && (shm->descriptor->shm_perm.key != key || size > shm->descriptor->shm_segsz)) {
+		if (NULL != shm->segment) {
+			CloseHandle(shm->segment);
+		}
 		UnmapViewOfFile(shm->descriptor);
 		CloseHandle(shm->info);
 		return -1;

Zend/README.ZEND_VM

@@ -6,7 +6,7 @@ fields and using different execution methods (call threading, switch threading
 and direct threading). As a result ZE2 got more than 20% speedup on raw PHP
 code execution (with specialized executor and direct threading execution
 method). As in most PHP applications raw execution speed isn't the limiting
-factor but system calls and database callls are, your mileage with this patch
+factor but system calls and database calls are, your mileage with this patch
 will vary.
 
 Most parts of the old zend_execute.c go into zend_vm_def.h. Here you can

Zend/ZEND_CHANGES

@@ -1136,7 +1136,7 @@ Changes in the Zend Engine 1.0
       (supports breakpoints, expression evaluation, step-in/over,
       function call backtrace, and more).
 
-  The Zend Engine claims 100% compatability with the engine of PHP
+  The Zend Engine claims 100% compatibility with the engine of PHP
   3.0, and is shamelessly lying about it. Here's why:
 
     * Static variable initializers only accept scalar values
@@ -1161,6 +1161,6 @@ Changes in the Zend Engine 1.0
       printed the letter { and the contents of the variable $somevar in
       PHP 3.0), it will result in a parse error with the Zend Engine.
       In this case, you would have to change the code to print
-      "\{$somevar"; This incompatability is due to the full variable
+      "\{$somevar"; This incompatibility is due to the full variable
       reference within quoted strings feature added in the Zend
       Engine.

Zend/tests/bug60598.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #60598 (cli/apache sapi segfault on objects manipulation)
+--FILE--
+<?php
+define('OBJECT_COUNT', 10000);
+
+$containers = array();
+
+class Object {
+    protected $_guid = 0;
+    public function __construct() {
+		global $containers;
+		$this->guid = 1;
+        $containers[spl_object_hash($this)] = $this;
+    }
+    public function __destruct() {
+		global $containers;
+        $containers[spl_object_hash($this)] = NULL;
+    }
+}
+
+for ($i = 0; $i < OBJECT_COUNT; ++$i) {
+    new Object();
+}
+
+// You probably won't see this because of the "zend_mm_heap corrupted"
+?>
+If you see this, try to increase OBJECT_COUNT to 100,000
+--EXPECT--
+If you see this, try to increase OBJECT_COUNT to 100,000

Zend/tests/bug60771.phpt

@@ -0,0 +1,47 @@
+--TEST--
+Bug #64896 (Segfault with gc_collect_cycles using unserialize on certain objects)
+--XFAIL--
+We can not fix this bug without a significant (performace slow down) change to gc
+--FILE--
+<?php
+$bar = NULL;
+class bad
+{
+	private $_private = array();
+
+	public function __construct()
+	{
+		$this->_private[] = 'php';
+	}
+
+	public function __destruct()
+	{
+		global $bar;
+		$bar = $this;
+	}
+}
+
+$foo = new stdclass;
+$foo->foo = $foo;
+$foo->bad = new bad;
+
+gc_disable();
+
+unserialize(serialize($foo));
+gc_collect_cycles();
+var_dump($bar); 
+/*  will output:
+object(bad)#4 (1) {
+  ["_private":"bad":private]=>
+  &UNKNOWN:0
+}
+*/
+?>
+--EXPECTF--
+bject(bad)#%d (1) {
+  ["_private":"bad":private]=>
+  array(1) {
+    [0]=>
+    string(3) "php"
+  }
+}

Zend/tests/bug64896.phpt

@@ -0,0 +1,25 @@
+--TEST--
+Bug #65291 - get_defined_constants() causes PHP to crash in a very limited case.
+--FILE--
+<?php
+
+trait TestTrait
+{
+	public static function testStaticFunction()
+	{
+		return __CLASS__;
+	}
+}
+class Tester
+{
+	use TestTrait;
+}
+
+$foo = Tester::testStaticFunction();
+get_defined_constants();
+get_defined_constants(true);
+
+echo $foo;
+?>
+--EXPECT--
+Tester

Zend/tests/bug65291.phpt

@@ -0,0 +1,40 @@
+--TEST--
+Bug #65372 (Segfault in gc_zval_possible_root when return reference fails)
+--FILE--
+<?php
+
+class ParentClass
+{
+    private static $_OBJECTS;
+
+    public static function Get()
+    {
+        self::$_OBJECTS[1] = new ChildClass();
+        return self::$_OBJECTS[1];    
+    }
+}
+
+class ChildClass extends ParentClass
+{
+    public $Manager;
+
+    function __construct()
+    {
+        $this->Manager = $this;
+    }
+
+    public static function &GetCurrent()
+    {
+        return ChildClass::Get();
+    }
+
+    public static function &Get()
+    {
+        return parent::Get();
+    }
+}
+
+$staff = ChildClass::GetCurrent();
+?>
+--EXPECTF--
+Notice: Only variable references should be returned by reference in %sbug65372.php on line 30