Merge branch 'PHP-5.6.30' into PHP-5.6

* PHP-5.6.30:
  Fix bug #73737 FPE when parsing a tag format
  Fix bug #73773 - Seg fault when loading hostile phar
  Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()
  Fix bug #73768 - Memory corruption when loading hostile phar
  Fix int overflows in phar (bug #73764)

Author: smalyshev

ext/exif/exif.c

@@ -1303,7 +1303,7 @@ static size_t exif_convert_any_to_int(void *value, int format, int motorola_inte
 			if (s_den == 0) {
 				return 0;
 			} else {
-				return php_ifd_get32s(value, motorola_intel) / s_den;
+				return (size_t)((double)php_ifd_get32s(value, motorola_intel) / s_den);
 			}
 
 		case TAG_FMT_SSHORT:    return php_ifd_get16u(value, motorola_intel);

ext/exif/tests/bug73737.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Bug #73737 (Crash when parsing a tag format)
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+	$exif = exif_thumbnail(__DIR__ . '/bug73737.tiff');
+	var_dump($exif);
+?>
+--EXPECTF--
+Warning: exif_thumbnail(bug73737.tiff): Error in TIFF: filesize(x0030) less than start of IFD dir(x10102) in %s line %d
+bool(false)

ext/exif/tests/bug73737.tiff

@@ -981,15 +981,14 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 		/* if the alias is stored we enforce it (implicit overrides explicit) */
 		if (alias && alias_len && (alias_len != (int)tmp_len || strncmp(alias, buffer, tmp_len)))
 		{
-			buffer[tmp_len] = '\0';
 			php_stream_close(fp);
 
 			if (signature) {
 				efree(signature);
 			}
 
 			if (error) {
-				spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%s\" under different alias \"%s\"", fname, buffer, alias);
+				spprintf(error, 0, "cannot load phar \"%s\" with implicit alias \"%.*s\" under different alias \"%s\"", fname, tmp_len, buffer, alias);
 			}
 
 			efree(savebuf);
@@ -1055,7 +1054,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 	entry.is_persistent = mydata->is_persistent;
 
 	for (manifest_index = 0; manifest_index < manifest_count; ++manifest_index) {
-		if (buffer + 4 > endbuffer) {
+		if (buffer + 28 > endbuffer) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)")
 		}
 
@@ -1069,7 +1068,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 			entry.manifest_pos = manifest_index;
 		}
 
-		if (entry.filename_len + 20 > endbuffer - buffer) {
+		if (entry.filename_len > endbuffer - buffer - 24) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
 		}
 

ext/phar/phar.c

@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73764: Crash while loading hostile phar archive
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73764.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECTF--
+internal corruption of phar "%sbug73764.phar" (truncated manifest entry)

ext/phar/tests/bug73764.phar

@@ -0,0 +1,16 @@
+--TEST--
+Phar: PHP bug #73768: Memory corruption when loading hostile phar
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+chdir(__DIR__);
+try {
+$p = Phar::LoadPhar('bug73768.phar', 'alias.phar');
+echo "OK\n";
+} catch(PharException $e) {
+	echo $e->getMessage();
+}
+?>
+--EXPECTF--
+cannot load phar "%sbug73768.phar" with implicit alias "" under different alias "alias.phar"

ext/phar/tests/bug73764.phpt

@@ -0,0 +1,12 @@
+--TEST--
+Bug #73825 Heap out of bounds read on unserialize in finish_nested_data()
+--FILE--
+<?php
+$obj = unserialize('O:8:"00000000":');
+var_dump($obj);
+?>
+--EXPECTF--
+Warning: Bad unserialize data in %sbug73825.php on line %d
+
+Notice: unserialize(): Error at offset 13 of 15 bytes in %sbug73825.php on line %d
+bool(false)