Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4

# By Anatol Belski (8) and others
# Via Anatol Belski (2) and others
* 'PHP-5.4' of https://git.php.net/repository/php-src: (44 commits)
  fixed possible null deref
  - addressed bug #65159, Misleading configure help text for --with-mysql-sock
  Update news for FILTER_SANITIZE_FULL_SPECIAL_CHARS fix
  Wrong value for FILTER_SANITIZE_FULL_SPECIAL_CHARS in REGISTER_LONG_CONSTANT
  Fixed bug #65304 (Use of max int in array_sum)
  Reorder NEWS
  Fixed bug #65291 - get_defined_constants() crash with __CLASS__ in trait
  Fixed bug #65291 - get_defined_constants() crash with __CLASS__ in trait
  Properly fixed bug #63186 on NetBSD == 6.0
  Improve php.ini-* documentation
  5.4.19 is next
  Fixed bug #50308 - session id not appended properly for empty anchor tags
  Fix bug #62129 - rfc1867 crashes php even though turned off
  add news for xml fix
  fix TS build
  added sapi check for dl() test
  Make zval2myslqnd implementations aware of inheritance
  Fixed typo ensuring header str is \0 terminated
  fix buffer overrun
  fix invalid variable name at ext/spl/internal/multipleiterator.inc (key() method, too)
  ...

Author: cjbj

NEWS

@@ -1,8 +1,27 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
+?? ??? 2013, PHP 5.4.19
+
+- Core.
+  . Fixed bug #65304 (Use of max int in array_sum). (Laruence)
+  . Fixed bug #65291 (get_defined_constants() causes PHP to crash in a very
+    limited case). (Arpad)
+  . Improve fix for bug #63186 (compile failure on netbsd). (Matteo)
+
+- Session:
+  . Fixed bug #62129 (rfc1867 crashes php even though turned off). (gxd305 at
+    gmail dot com)
+  . Fixed bug #50308 (session id not appended properly for empty anchor tags).
+    (Arpad)
+
 ?? ??? 2013, PHP 5.4.18
 
 - Core:
+  . Fixed value of FILTER_SANITIZE_FULL_SPECIAL_CHARS constant (previously was
+    erroneously set to FILTER_SANITIZE_SPECIAL_CHARS value). (Andrey 
+    avp200681 gmail com).
+  . Fixed bug #65254 (Exception not catchable when exception thrown in autoload
+    with a namespace). (Laruence)
   . Fixed bug #65108 (is_callable() triggers Fatal Error). 
     (David Soria Parra, Laruence)
   . Fixed bug #65088 (Generated configure script is malformed on OpenBSD).
@@ -13,6 +32,7 @@ PHP                                                                        NEWS
   . Fixed bug #62475 (variant_* functions causes crash when null given as an 
     argument). (Felipe)
   . Fixed bug #60732 (php_error_docref links to invalid pages). (Jakub Vrana)
+  . Fixed bug #65226 (chroot() does not get enabled). (Anatol)
 
 - CGI:
   . Fixed Bug #65143 (Missing php-cgi man page). (Remi)
@@ -21,10 +41,20 @@ PHP                                                                        NEWS
   . Fixed bug #65066 (Cli server not responsive when responding with 422 http
     status code). (Adam)
 
+- CURL:
+  . Fixed bug #62665 (curl.cainfo doesn't appear in php.ini). (Lior Kaplan)
+
 - FPM:
   . Fixed bug #63983 (enabling FPM borks compile on FreeBSD).
     (chibisuke at web dot de, Felipe)
 
+- FTP:
+  . Fixed bug #65228 (FTPs memory leak with SSL).
+    (marco dot beierer at mbsecurity dot ch)
+    
+- GMP:
+  . Fixed bug #65227 (Memory leak in gmp_cmp second parameter). (Felipe)
+
 - Imap:
   . Fixed bug #64467 (Segmentation fault after imap_reopen failure).
     (askalski at gmail dot com)
@@ -45,6 +75,13 @@ PHP                                                                        NEWS
   . Allowed PDO_OCI to compile with Oracle Database 12c client libraries.
     (Chris Jones)
 
+- PDO_dblib:
+  . Fixed bug #65219 (PDO/dblib not working anymore ("use dbName" not sent)). 
+    (Stanley Sufficool)
+
+- PDO_pgsql:
+  . Fixed meta data retrieve when OID is larger than 2^31. (Yasuo)
+
 - Phar:
   . Fixed Bug #65142 (Missing phar man page). (Remi)
 
@@ -67,7 +104,10 @@ PHP                                                                        NEWS
   . Fixed bug #60560 (SplFixedArray un-/serialize, getSize(), count() return 0,
     keys are strings). (Adam)
 
-?? ??? 2013, PHP 5.4.17
+- XML:
+  . Fixed bug #65236 (heap corruption in xml parser, CVE-2013-4113). (Rob)
+
+04 Jul 2013, PHP 5.4.17
 
 - Core:
   . Fixed bug #64988 (Class loading order affects E_STRICT warning). (Laruence)

TSRM/tsrm_win32.c

@@ -625,7 +625,7 @@ TSRM_API int shmget(int key, int size, int flags)
 	shm->info	 = info_handle;
 	shm->descriptor = MapViewOfFileEx(shm->info, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
 
-	if (created) {
+	if (NULL != shm->descriptor && created) {
 		shm->descriptor->shm_perm.key	= key;
 		shm->descriptor->shm_segsz		= size;
 		shm->descriptor->shm_ctime		= time(NULL);
@@ -639,8 +639,10 @@ TSRM_API int shmget(int key, int size, int flags)
 		shm->descriptor->shm_perm.mode	= shm->descriptor->shm_perm.seq	= 0;
 	}
 
-	if (shm->descriptor->shm_perm.key != key || size > shm->descriptor->shm_segsz ) {
-		CloseHandle(shm->segment);
+	if (NULL != shm->descriptor && (shm->descriptor->shm_perm.key != key || size > shm->descriptor->shm_segsz)) {
+		if (NULL != shm->segment) {
+			CloseHandle(shm->segment);
+		}
 		UnmapViewOfFile(shm->descriptor);
 		CloseHandle(shm->info);
 		return -1;

Zend/README.ZEND_VM

@@ -6,7 +6,7 @@ fields and using different execution methods (call threading, switch threading
 and direct threading). As a result ZE2 got more than 20% speedup on raw PHP
 code execution (with specialized executor and direct threading execution
 method). As in most PHP applications raw execution speed isn't the limiting
-factor but system calls and database callls are, your mileage with this patch
+factor but system calls and database calls are, your mileage with this patch
 will vary.
 
 Most parts of the old zend_execute.c go into zend_vm_def.h. Here you can

Zend/ZEND_CHANGES

@@ -1136,7 +1136,7 @@ Changes in the Zend Engine 1.0
       (supports breakpoints, expression evaluation, step-in/over,
       function call backtrace, and more).
 
-  The Zend Engine claims 100% compatability with the engine of PHP
+  The Zend Engine claims 100% compatibility with the engine of PHP
   3.0, and is shamelessly lying about it. Here's why:
 
     * Static variable initializers only accept scalar values
@@ -1161,6 +1161,6 @@ Changes in the Zend Engine 1.0
       printed the letter { and the contents of the variable $somevar in
       PHP 3.0), it will result in a parse error with the Zend Engine.
       In this case, you would have to change the code to print
-      "\{$somevar"; This incompatability is due to the full variable
+      "\{$somevar"; This incompatibility is due to the full variable
       reference within quoted strings feature added in the Zend
       Engine.

Zend/tests/bug65254.phpt

@@ -0,0 +1,21 @@
+--TEST--
+Bug #65254 (Exception not catchable when exception thrown in autoload with a namespace)
+--FILE--
+<?php
+function __autoload($class)
+{
+    eval("namespace ns_test; class test {}");
+
+    throw new \Exception('abcd');
+}
+
+try
+{
+    \ns_test\test::go();
+}
+catch (Exception $e)
+{
+    echo 'caught';
+}
+--EXPECT--
+caught

Zend/tests/bug65291.phpt

@@ -0,0 +1,25 @@
+--TEST--
+Bug #65291 - get_defined_constants() causes PHP to crash in a very limited case.
+--FILE--
+<?php
+
+trait TestTrait
+{
+	public static function testStaticFunction()
+	{
+		return __CLASS__;
+	}
+}
+class Tester
+{
+	use TestTrait;
+}
+
+$foo = Tester::testStaticFunction();
+get_defined_constants();
+get_defined_constants(true);
+
+echo $foo;
+?>
+--EXPECT--
+Tester

Zend/tests/closure_044.phpt

@@ -3,7 +3,7 @@ Closure 044: Scope/bounding combination invariants; non static closures
 --FILE--
 <?php
 /* A non-static closure has a bound instance if it has a scope
- * and does't have an instance if it has no scope */
+ * and doesn't have an instance if it has no scope */
 
 $nonstaticUnscoped = function () { var_dump(isset(A::$priv)); var_dump(isset($this)); };
 

Zend/zend_builtin_functions.c

@@ -1926,6 +1926,11 @@ static int add_constant_info(zend_constant *constant, void *arg TSRMLS_DC)
 	zval *name_array = (zval *)arg;
 	zval *const_val;
 
+	if (!constant->name) {
+		/* skip special constants */
+		return 0;
+	}
+
 	MAKE_STD_ZVAL(const_val);
 	*const_val = constant->value;
 	zval_copy_ctor(const_val);
@@ -1993,11 +1998,16 @@ ZEND_FUNCTION(get_defined_constants)
 		while (zend_hash_get_current_data_ex(EG(zend_constants), (void **) &val, &pos) != FAILURE) {
 			zval *const_val;
 
+			if (!val->name) {
+				/* skip special constants */
+				goto next_constant;
+			}
+
 			if (val->module_number == PHP_USER_CONSTANT) {
 				module_number = i;
 			} else if (val->module_number > i || val->module_number < 0) {
 				/* should not happen */
-				goto bad_module_id;
+				goto next_constant;
 			} else {
 				module_number = val->module_number;
 			}
@@ -2014,7 +2024,7 @@ ZEND_FUNCTION(get_defined_constants)
 			INIT_PZVAL(const_val);
 
 			add_assoc_zval_ex(modules[module_number], val->name, val->name_len, const_val);
-bad_module_id:
+next_constant:
 			zend_hash_move_forward_ex(EG(zend_constants), &pos);
 		}
 		efree(module_names);

Zend/zend_compile.c

@@ -3911,7 +3911,7 @@ static void zend_traits_init_trait_structures(zend_class_entry *ce TSRMLS_DC) /*
 				/** With the other traits, we are more permissive.
 					We do not give errors for those. This allows to be more
 					defensive in such definitions.
-					However, we want to make sure that the insteadof declartion
+					However, we want to make sure that the insteadof declaration
 					is consistent in itself.
 				 */
 				j = 0;

Zend/zend_vm_def.h

@@ -2229,9 +2229,11 @@ ZEND_VM_HANDLER(113, ZEND_INIT_STATIC_METHOD_CALL, CONST|VAR, CONST|TMP|VAR|UNUS
 			ce = CACHED_PTR(opline->op1.literal->cache_slot);
 		} else {
 			ce = zend_fetch_class_by_name(Z_STRVAL_P(opline->op1.zv), Z_STRLEN_P(opline->op1.zv), opline->op1.literal + 1, opline->extended_value TSRMLS_CC);
+			if (UNEXPECTED(EG(exception) != NULL)) {
+				HANDLE_EXCEPTION();
+			}
 			if (UNEXPECTED(ce == NULL)) {
-				CHECK_EXCEPTION();
-				ZEND_VM_NEXT_OPCODE();
+				zend_error_noreturn(E_ERROR, "Class '%s' not found", Z_STRVAL_P(opline->op1.zv));
 			}
 			CACHE_PTR(opline->op1.literal->cache_slot, ce);
 		}
@@ -2414,9 +2416,11 @@ ZEND_VM_HANDLER(59, ZEND_INIT_FCALL_BY_NAME, ANY, CONST|TMP|VAR|CV)
 
 			if (Z_TYPE_PP(obj) == IS_STRING) {
 				ce = zend_fetch_class_by_name(Z_STRVAL_PP(obj), Z_STRLEN_PP(obj), NULL, 0 TSRMLS_CC);
+				if (UNEXPECTED(EG(exception) != NULL)) {
+					HANDLE_EXCEPTION();
+				}
 				if (UNEXPECTED(ce == NULL)) {
-					CHECK_EXCEPTION();
-					ZEND_VM_NEXT_OPCODE();
+					zend_error_noreturn(E_ERROR, "Class '%s' not found", Z_STRVAL_PP(obj));
 				}
 				EX(called_scope) = ce;
 				EX(object) = NULL;
@@ -3498,9 +3502,11 @@ ZEND_VM_HANDLER(99, ZEND_FETCH_CONSTANT, VAR|CONST|UNUSED, CONST)
 				ce = CACHED_PTR(opline->op1.literal->cache_slot);
 			} else {
 				ce = zend_fetch_class_by_name(Z_STRVAL_P(opline->op1.zv), Z_STRLEN_P(opline->op1.zv), opline->op1.literal + 1, opline->extended_value TSRMLS_CC);
+				if (UNEXPECTED(EG(exception) != NULL)) {
+					HANDLE_EXCEPTION();
+				}
 				if (UNEXPECTED(ce == NULL)) {
-					CHECK_EXCEPTION();
-					ZEND_VM_NEXT_OPCODE();
+					zend_error_noreturn(E_ERROR, "Class '%s' not found", Z_STRVAL_P(opline->op1.zv));
 				}
 				CACHE_PTR(opline->op1.literal->cache_slot, ce);
 			}
@@ -3887,15 +3893,17 @@ ZEND_VM_HANDLER(74, ZEND_UNSET_VAR, CONST|TMP|VAR|CV, UNUSED|CONST|VAR)
 				ce = CACHED_PTR(opline->op2.literal->cache_slot);
 			} else {
 				ce = zend_fetch_class_by_name(Z_STRVAL_P(opline->op2.zv), Z_STRLEN_P(opline->op2.zv), opline->op2.literal + 1, 0 TSRMLS_CC);
-				if (UNEXPECTED(ce == NULL)) {
+				if (UNEXPECTED(EG(exception) != NULL)) {
 					if (OP1_TYPE != IS_CONST && varname == &tmp) {
 						zval_dtor(&tmp);
 					} else if (OP1_TYPE == IS_VAR || OP1_TYPE == IS_CV) {
 						zval_ptr_dtor(&varname);
 					}
 					FREE_OP1();
-					CHECK_EXCEPTION();
-					ZEND_VM_NEXT_OPCODE();
+					HANDLE_EXCEPTION();
+				}
+				if (UNEXPECTED(ce == NULL)) {
+					zend_error_noreturn(E_ERROR, "Class '%s' not found", Z_STRVAL_P(opline->op2.zv));
 				}
 				CACHE_PTR(opline->op2.literal->cache_slot, ce);
 			}