A bug with imagerotate() using an angle -27, -90, 90 and 180

EXTENSIONS

@@ -205,7 +205,7 @@ STATUS:              Working
 SINCE:               5.1
 -------------------------------------------------------------------------------
 EXTENSION:           pdo_oci
-PRIMARY MAINTAINER:  Unknown
+PRIMARY MAINTAINER:  Christopher Jones <sixd@php.net>
 MAINTENANCE:         Odd fixes
 STATUS:              Working
 SINCE:               5.1

TSRM/tsrm_win32.c

@@ -616,6 +616,12 @@ TSRM_API int shmget(int key, int size, int flags)
 		}
 	} else {
 		if (flags & IPC_EXCL) {
+			if (shm_handle) {
+				CloseHandle(shm_handle);
+			}
+			if (info_handle) {
+				CloseHandle(info_handle);
+			}
 			return -1;
 		}
 	}
@@ -654,17 +660,27 @@ TSRM_API int shmget(int key, int size, int flags)
 TSRM_API void *shmat(int key, const void *shmaddr, int flags)
 {
 	shm_pair *shm = shm_get(key, NULL);
+	int err;
 
 	if (!shm->segment) {
 		return (void*)-1;
 	}
 
+	shm->addr = MapViewOfFileEx(shm->segment, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
+
+	err = GetLastError();
+	if (err) {
+		/* Catch more errors */
+		if (ERROR_NOT_ENOUGH_MEMORY == err) {
+			_set_errno(ENOMEM);
+		}
+		return (void*)-1;
+	}
+
 	shm->descriptor->shm_atime = time(NULL);
 	shm->descriptor->shm_lpid  = getpid();
 	shm->descriptor->shm_nattch++;
 
-	shm->addr = MapViewOfFileEx(shm->segment, FILE_MAP_ALL_ACCESS, 0, 0, 0, NULL);
-
 	return shm->addr;
 }
 

UPGRADING

@@ -218,6 +218,9 @@ PHP 5.6 UPGRADE NOTES
     . CURLOPT_KRBLEVEL
     . CURLOPT_KRB4LEVEL
 
+  curl_getinfo($ch, CURLINFO_CERTINFO) returns certificate Subject and Issuer
+  as a string (PHP >= 5.6.25)
+
 - Strings:
   substr_compare() now allows $length to be zero.
   pack() and unpack() now support 64-bit format specifiers: q, Q, J and P.
@@ -400,6 +403,9 @@ PHP 5.6 UPGRADE NOTES
 - CURL:
   CURL_HTTP_VERSION_2_0 and CURL_VERSION_HTTP2 (>= 5.6.8)
 
+- GD:
+  IMG_WEBP (>= 5.6.25)
+
 - LDAP:
   LDAP_ESCAPE_FILTER int(1)
   LDAP_ESCAPE_DN     int(2)

Zend/tests/bug72907.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Bug #72907 (null pointer deref, segfault in gc_remove_zval_from_buffer (zend_gc.c:260))
+--FILE--
+<?php
+
+$a = 0;
+
+($a->a = &$E) + ($b = $a->b->i -= 0);
+
+?>
+--EXPECTF--
+Warning: Attempt to modify property of non-object in %sbug72907.php on line %d
+
+Warning: Attempt to modify property of non-object in %sbug72907.php on line %d
+
+Warning: Creating default object from empty value in %sbug72907.php on line %d
+
+Notice: Undefined property: stdClass::$i in %sbug72907.php on line %d

Zend/zend_API.h

@@ -447,7 +447,7 @@ ZEND_API int add_property_zval_ex(zval *arg, const char *key, uint key_len, zval
 #define add_property_double(__arg, __key, __d) add_property_double_ex(__arg, __key, strlen(__key)+1, __d TSRMLS_CC)
 #define add_property_string(__arg, __key, __str, __duplicate) add_property_string_ex(__arg, __key, strlen(__key)+1, __str, __duplicate TSRMLS_CC)
 #define add_property_stringl(__arg, __key, __str, __length, __duplicate) add_property_stringl_ex(__arg, __key, strlen(__key)+1, __str, __length, __duplicate TSRMLS_CC)
-#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)       
+#define add_property_zval(__arg, __key, __value) add_property_zval_ex(__arg, __key, strlen(__key)+1, __value TSRMLS_CC)
 
 
 ZEND_API int call_user_function(HashTable *function_table, zval **object_pp, zval *function_name, zval *retval_ptr, zend_uint param_count, zval *params[] TSRMLS_DC);
@@ -458,7 +458,7 @@ ZEND_API extern const zend_fcall_info_cache empty_fcall_info_cache;
 
 /** Build zend_call_info/cache from a zval*
  *
- * Caller is responsible to provide a return value, otherwise the we will crash. 
+ * Caller is responsible to provide a return value, otherwise the we will crash.
  * fci->retval_ptr_ptr = NULL;
  * In order to pass parameters the following members need to be set:
  * fci->param_count = 0;
@@ -578,6 +578,9 @@ END_EXTERN_C()
 		const char *__s=(s);				\
 		zval *__z = (z);					\
 		Z_STRLEN_P(__z) = strlen(__s);		\
+		if (UNEXPECTED(Z_STRLEN_P(__z) < 0)) { \
+			zend_error(E_ERROR, "String size overflow"); \
+		}									\
 		Z_STRVAL_P(__z) = (duplicate?estrndup(__s, Z_STRLEN_P(__z)):(char*)__s);\
 		Z_TYPE_P(__z) = IS_STRING;			\
 	} while (0)

Zend/zend_exceptions.c

@@ -230,7 +230,7 @@ ZEND_METHOD(exception, __construct)
    Exception unserialize checks */
 #define CHECK_EXC_TYPE(name, type) \
 	value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \
-	if(value && Z_TYPE_P(value) != type) { \
+	if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \
 		zval *tmp; \
 		MAKE_STD_ZVAL(tmp); \
 		ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \

Zend/zend_execute.c

@@ -522,9 +522,7 @@ static void zend_assign_to_variable_reference(zval **variable_ptr_ptr, zval **va
 	zval *variable_ptr = *variable_ptr_ptr;
 	zval *value_ptr = *value_ptr_ptr;
 
-	if (variable_ptr == &EG(error_zval) || value_ptr == &EG(error_zval)) {
-		variable_ptr_ptr = &EG(uninitialized_zval_ptr);
-	} else if (variable_ptr != value_ptr) {
+	if (variable_ptr != value_ptr) {
 		if (!PZVAL_IS_REF(value_ptr)) {
 			/* break it away */
 			Z_DELREF_P(value_ptr);

Zend/zend_virtual_cwd.c

@@ -651,14 +651,14 @@ CWD_API void realpath_cache_del(const char *path, int path_len TSRMLS_DC) /* {{{
 					memcmp(path, (*bucket)->path, path_len) == 0) {
 			realpath_cache_bucket *r = *bucket;
 			*bucket = (*bucket)->next;
-		   
+
 			/* if the pointers match then only subtract the length of the path */
 		   	if(r->path == r->realpath) {
 				CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1;
 			} else {
 				CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1 + r->realpath_len + 1;
 			}
-		   
+
 			free(r);
 			return;
 		} else {
@@ -734,7 +734,7 @@ static inline realpath_cache_bucket* realpath_cache_find(const char *path, int p
 			realpath_cache_bucket *r = *bucket;
 			*bucket = (*bucket)->next;
 
-			/* if the pointers match then only subtract the length of the path */		   
+			/* if the pointers match then only subtract the length of the path */
 		   	if(r->path == r->realpath) {
 				CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1;
 			} else {
@@ -1190,7 +1190,7 @@ CWD_API int virtual_file_ex(cwd_state *state, const char *path, verify_path_func
 	int add_slash;
 	void *tmp;
 
-	if (path_length == 0 || path_length >= MAXPATHLEN-1) {
+	if (path_length <= 0 || path_length >= MAXPATHLEN-1) {
 #ifdef TSRM_WIN32
 # if _MSC_VER < 1300
 		errno = EINVAL;

Zend/zend_vm_def.h

@@ -1817,11 +1817,14 @@ ZEND_VM_HANDLER(39, ZEND_ASSIGN_REF, VAR|CV, VAR|CV)
 	if ((OP2_TYPE == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
 	    (OP1_TYPE == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
 		zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
-	}
-	zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
-
-	if (OP2_TYPE == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
-		Z_DELREF_PP(variable_ptr_ptr);
+	} else if ((OP2_TYPE == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
+		(OP1_TYPE == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
+		variable_ptr_ptr = &EG(uninitialized_zval_ptr);
+	} else {
+		zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
+		if (OP2_TYPE == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
+			Z_DELREF_PP(variable_ptr_ptr);
+		}
 	}
 
 	if (RETURN_VALUE_USED(opline)) {

Zend/zend_vm_execute.h

@@ -20408,11 +20408,14 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_REF_SPEC_VAR_VAR_HANDLER(ZEND_OPCODE_HANDL
 	if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
 	    (IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
 		zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
-	}
-	zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
-
-	if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
-		Z_DELREF_PP(variable_ptr_ptr);
+	} else if ((IS_VAR == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
+		(IS_VAR == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
+		variable_ptr_ptr = &EG(uninitialized_zval_ptr);
+	} else {
+		zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
+		if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
+			Z_DELREF_PP(variable_ptr_ptr);
+		}
 	}
 
 	if (RETURN_VALUE_USED(opline)) {
@@ -23903,11 +23906,14 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_REF_SPEC_VAR_CV_HANDLER(ZEND_OPCODE_HANDLE
 	if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
 	    (IS_VAR == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
 		zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
-	}
-	zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
-
-	if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
-		Z_DELREF_PP(variable_ptr_ptr);
+	} else if ((IS_CV == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
+		(IS_VAR == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
+		variable_ptr_ptr = &EG(uninitialized_zval_ptr);
+	} else {
+		zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
+		if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
+			Z_DELREF_PP(variable_ptr_ptr);
+		}
 	}
 
 	if (RETURN_VALUE_USED(opline)) {
@@ -37721,11 +37727,14 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_REF_SPEC_CV_VAR_HANDLER(ZEND_OPCODE_HANDLE
 	if ((IS_VAR == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
 	    (IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
 		zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
-	}
-	zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
-
-	if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
-		Z_DELREF_PP(variable_ptr_ptr);
+	} else if ((IS_VAR == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
+		(IS_CV == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
+		variable_ptr_ptr = &EG(uninitialized_zval_ptr);
+	} else {
+		zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
+		if (IS_VAR == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
+			Z_DELREF_PP(variable_ptr_ptr);
+		}
 	}
 
 	if (RETURN_VALUE_USED(opline)) {
@@ -40929,11 +40938,14 @@ static int ZEND_FASTCALL  ZEND_ASSIGN_REF_SPEC_CV_CV_HANDLER(ZEND_OPCODE_HANDLER
 	if ((IS_CV == IS_VAR && UNEXPECTED(value_ptr_ptr == NULL)) ||
 	    (IS_CV == IS_VAR && UNEXPECTED(variable_ptr_ptr == NULL))) {
 		zend_error_noreturn(E_ERROR, "Cannot create references to/from string offsets nor overloaded objects");
-	}
-	zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
-
-	if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
-		Z_DELREF_PP(variable_ptr_ptr);
+	} else if ((IS_CV == IS_VAR && UNEXPECTED(*value_ptr_ptr == &EG(error_zval))) ||
+		(IS_CV == IS_VAR && UNEXPECTED(*variable_ptr_ptr == &EG(error_zval)))) {
+		variable_ptr_ptr = &EG(uninitialized_zval_ptr);
+	} else {
+		zend_assign_to_variable_reference(variable_ptr_ptr, value_ptr_ptr TSRMLS_CC);
+		if (IS_CV == IS_VAR && opline->extended_value == ZEND_RETURNS_NEW) {
+			Z_DELREF_PP(variable_ptr_ptr);
+		}
 	}
 
 	if (RETURN_VALUE_USED(opline)) {

configure.in

@@ -119,8 +119,8 @@ int zend_sprintf(char *buffer, const char *format, ...);
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=6
-PHP_RELEASE_VERSION=24
-PHP_EXTRA_VERSION="RC1"
+PHP_RELEASE_VERSION=26
+PHP_EXTRA_VERSION="-dev"
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`