From bb198ec9a6d37cd467795199d33c8fa4e0d754e6 Mon Sep 17 00:00:00 2001
From: Kalle Sommer Nielsen
Date: Sun, 3 Apr 2016 02:27:25 +0200
Subject: [PATCH 1/3] Fix compiler warnings in mysqlnd
---
 ext/mysqlnd/mysqlnd_ps.c | 2 +-
 ext/mysqlnd/mysqlnd_result.c | 2 +-
 ext/mysqlnd/mysqlnd_wireprotocol.h | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ext/mysqlnd/mysqlnd_ps.c b/ext/mysqlnd/mysqlnd_ps.c
index 4c3ee8b2a45..432bc78ade7 100644
--- a/ext/mysqlnd/mysqlnd_ps.c
+++ b/ext/mysqlnd/mysqlnd_ps.c
@@ -1028,7 +1028,7 @@ MYSQLND_METHOD(mysqlnd_stmt, use_result)(MYSQLND_STMT * s)
 /* {{{ mysqlnd_fetch_row_cursor */
 enum_func_status
-mysqlnd_fetch_stmt_row_cursor(MYSQLND_RES * result, void * param, unsigned int flags, zend_bool * fetched_anything)
+mysqlnd_fetch_stmt_row_cursor(MYSQLND_RES * result, void * param, const unsigned int flags, zend_bool * fetched_anything)
 {
 enum_func_status ret;
 MYSQLND_STMT * s = (MYSQLND_STMT *) param;
diff --git a/ext/mysqlnd/mysqlnd_result.c b/ext/mysqlnd/mysqlnd_result.c
index fa80ca1ca64..c4aa537eb07 100644
--- a/ext/mysqlnd/mysqlnd_result.c
+++ b/ext/mysqlnd/mysqlnd_result.c
@@ -1475,7 +1475,7 @@ MYSQLND_METHOD(mysqlnd_res, store_result)(MYSQLND_RES * result,
 } else if (flags & MYSQLND_STORE_COPY) {
 MYSQLND_RES_BUFFERED_C * set = (MYSQLND_RES_BUFFERED_C *) result->stored_data;
 set->current_row = 0;
- set->initialized = mnd_pecalloc((set->row_count / 8) + 1, sizeof(zend_uchar), set->persistent); /* +1 for safety */
+ set->initialized = mnd_pecalloc((unsigned int) ((set->row_count / 8) + 1), sizeof(zend_uchar), set->persistent); /* +1 for safety */
 }
 }
diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.h b/ext/mysqlnd/mysqlnd_wireprotocol.h
index 234e3c8f088..337143fb9f0 100644
--- a/ext/mysqlnd/mysqlnd_wireprotocol.h
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.h
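Review bot: In ext/mysqlnd/mysqlnd_result.c the new `(unsigned int)` cast on `(set->row_count / 8) + 1` silences the narrowing warning without handling the case it warned about. If `row_count` is wider than `unsigned int` (the warning suggests it is), a large enough count is truncated and `set->initialized` is allocated smaller than the bitmap the row count implies, so later per-row indexing could run past the buffer. I would range-check before the call and keep the cast only behind that check, e.g. `if ((set->row_count / 8) + 1 > UINT_MAX) { /* fail the store_result call */ }`. The visible lines also never test the `mnd_pecalloc()` result for NULL; store_result starts outside the hunk and may handle this elsewhere, but it is worth confirming.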
@@ -297,7 +297,7 @@ typedef struct st_mysqlnd_packet_sha256_pk_request_response {
 zend_ulong php_mysqlnd_net_field_length(const zend_uchar **packet);
-zend_uchar * php_mysqlnd_net_store_length(zend_uchar *packet, uint64_t length);
+zend_uchar * php_mysqlnd_net_store_length(zend_uchar *packet, const uint64_t length);
 size_t php_mysqlnd_net_store_length_size(uint64_t length);
 PHPAPI const extern char * const mysqlnd_empty_string;
From fcc6bdebc29687c78538a3ec0268e31ba54c84fa Mon Sep 17 00:00:00 2001
From: Kalle Sommer Nielsen
Date: Sun, 3 Apr 2016 02:28:39 +0200
Subject: [PATCH 2/3] Added missing zend_parse_parameters_none() to mb_list_encodings()
---
 ext/mbstring/mbstring.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/ext/mbstring/mbstring.c b/ext/mbstring/mbstring.c
index 796c4828652..514c4fc1b68 100644
--- a/ext/mbstring/mbstring.c
+++ b/ext/mbstring/mbstring.c
@@ -3443,6 +3443,10 @@ PHP_FUNCTION(mb_list_encodings)
 const mbfl_encoding *encoding;
 int i;
+ if (zend_parse_parameters_none() == FAILURE) {
+ return;
+ }
+
 array_init(return_value);
 i = 0;
 encodings = mbfl_get_supported_encodings();
From e7730fece6bc68bc3c2835c3fd3da4999496878c Mon Sep 17 00:00:00 2001
From: Dmitry Stogov
Date: Mon, 4 Apr 2016 09:35:48 +0300
Subject: [PATCH 3/3] Fised possible use-after-free
---
 .../yield_from_iterator_agregate.phpt | 17 +++++++++++++++++
 Zend/zend_generators.c | 5 +++--
 2 files changed, 20 insertions(+), 2 deletions(-)
 create mode 100644 Zend/tests/generators/yield_from_iterator_agregate.phpt
diff --git a/Zend/tests/generators/yield_from_iterator_agregate.phpt b/Zend/tests/generators/yield_from_iterator_agregate.phpt
new file mode 100644
index 00000000000..3bd61e0b5a7
--- /dev/null
+++ b/Zend/tests/generators/yield_from_iterator_agregate.phpt
@@ -0,0 +1,17 @@
+--TEST--
+yield from with an IteratorAggregate
+--FILE--
+prop);
+ yield;
+ }
+}
+(function(){
+ yield from new foo;
+})()->next();
+?>
+--EXPECT--
+int(1)
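Review bot: In PHP_FUNCTION(mb_list_encodings) in ext/mbstring/mbstring.c, the added guard returns before `array_init(return_value)`, so a call with stray arguments no longer returns the encoding list. It now gets whatever `return_value` defaults to, presumably NULL plus the usual parameter-count warning. That is a caller-visible behaviour change, and the patch carries neither a test nor a note for it. I would add a phpt that calls the function with one argument and pins the warning and the return value, and mention the change in the upgrade notes if this branch keeps them.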
diff --git a/Zend/zend_generators.c b/Zend/zend_generators.c
index 8dfa2a97545..cbcc774c5e5 100644
--- a/Zend/zend_generators.c
+++ b/Zend/zend_generators.c
@@ -334,8 +334,9 @@ ZEND_API void zend_generator_create_zval(zend_execute_data *call, zend_op_array
 object_init_ex(return_value, zend_ce_generator);
- if (ZEND_CALL_INFO(call) & ZEND_CALL_RELEASE_THIS) {
- Z_ADDREF(call->This);
+ if (Z_TYPE(EX(This)) == IS_OBJECT && !(EX_CALL_INFO() & ZEND_CALL_CLOSURE)) {
+ ZEND_ADD_CALL_FLAG(execute_data, ZEND_CALL_RELEASE_THIS);
+ Z_ADDREF(EX(This));
 }
 /* Save execution context in generator object. */
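Review bot: The new condition in zend_generator_create_zval() has no comment stating the ownership rule it encodes, which matters for a use-after-free fix. The reference on `EX(This)` is now taken whenever the frame holds an object, `ZEND_CALL_RELEASE_THIS` is set on `execute_data` so the reference is dropped again, and closure frames are skipped. I would put a comment above the `if`, e.g. `/* The generator frame owns a reference to $this; RELEASE_THIS makes frame destruction drop it. Closures are excluded, presumably because the closure object already keeps $this alive. */`. The block reads `execute_data` through `EX()` although the visible signature names the incoming frame `call`. The declaration of `execute_data` is outside the hunk, so confirm it is the generator's own frame and that no other path clears the flag without the matching release.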