diff --git a/Zend/tests/bug71914.phpt b/Zend/tests/bug71914.phpt
index 8f825f89ece..a43eb56bbd6 100644
--- a/Zend/tests/bug71914.phpt
+++ b/Zend/tests/bug71914.phpt
@@ -11,15 +11,30 @@ function bug(&$value) {
}
}
+function returnArray() {
+ $array = array();
+ $array["str"] = "xxxx";
+ return $array;
+}
+
+class Foo {
+ public $array = array("str" => "xxxx");
+}
function test($arr, &$dummy) {
bug($arr["str"]);
var_dump($arr["str"]);
}
+$foo = new Foo();
+$arr = returnArray();
$array = array("str" => "xxxx");
test($array, $array["str"]);
+test($arr, $arr["str"]);
+test($foo->array, $foo->array["str"]);
?>
--EXPECT--
bool(true)
+bool(true)
+bool(true)
diff --git a/ext/fileinfo/libmagic/funcs.c b/ext/fileinfo/libmagic/funcs.c
index c6699d5147e..6ade713efaf 100644
--- a/ext/fileinfo/libmagic/funcs.c
+++ b/ext/fileinfo/libmagic/funcs.c
@@ -403,7 +403,7 @@ file_check_mem(struct magic_set *ms, unsigned int level)
size_t len;
if (level >= ms->c.len) {
- len = (ms->c.len += 20) * sizeof(*ms->c.li);
+ len = (ms->c.len += 20 + level) * sizeof(*ms->c.li);
ms->c.li = CAST(struct level_info *, (ms->c.li == NULL) ?
emalloc(len) :
erealloc(ms->c.li, len));
diff --git a/ext/fileinfo/tests/bug68996.phpt b/ext/fileinfo/tests/bug68996.phpt
index 9fa21903079..da208d35bcc 100644
--- a/ext/fileinfo/tests/bug68996.phpt
+++ b/ext/fileinfo/tests/bug68996.phpt
@@ -1,14 +1,11 @@
--TEST--
Bug #68996 (Invalid free of CG(interned_empty_string))
--SKIPIF--
-
--INI--
html_errors=1
+--ENV--
+USE_ZEND_ALLOC=0
--FILE--
Warning: : failed to open stream: No such file or directory in %sbug68996.php on line %d
-Warning: finfo_open(): in %sbug68996.php on line %d
+Warning: finfo_open(): Failed to load magic database at '%s�c'. in %sbug68996.php on line %d
diff --git a/ext/fileinfo/tests/bug71527.magic b/ext/fileinfo/tests/bug71527.magic
new file mode 100644
index 00000000000..14d77817be2
--- /dev/null
+++ b/ext/fileinfo/tests/bug71527.magic
@@ -0,0 +1 @@
+>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
\ No newline at end of file
diff --git a/ext/fileinfo/tests/bug71527.phpt b/ext/fileinfo/tests/bug71527.phpt
new file mode 100644
index 00000000000..f5b1d860e80
--- /dev/null
+++ b/ext/fileinfo/tests/bug71527.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #71527 Buffer over-write in finfo_open with malformed magic file
+--SKIPIF--
+
+--EXPECTF--
+Warning: finfo_open(): Failed to load magic database at '%sbug71527.magic'. in %sbug71527.php on line %d
+
+Warning: finfo_file() expects parameter 1 to be resource, boolean given in %sbug71527.php on line %d
+bool(false)
diff --git a/ext/mbstring/libmbfl/mbfl/mbfilter.c b/ext/mbstring/libmbfl/mbfl/mbfilter.c
index 27602d02277..4986472b9b2 100644
--- a/ext/mbstring/libmbfl/mbfl/mbfilter.c
+++ b/ext/mbstring/libmbfl/mbfl/mbfilter.c
@@ -1501,7 +1501,7 @@ mbfl_strcut(
if (encoding->flag & (MBFL_ENCTYPE_WCS2BE | MBFL_ENCTYPE_WCS2LE)) {
from &= -2;
- if (from + length >= string->len) {
+ if (length >= string->len - from) {
length = string->len - from;
}
@@ -1510,14 +1510,14 @@ mbfl_strcut(
} else if (encoding->flag & (MBFL_ENCTYPE_WCS4BE | MBFL_ENCTYPE_WCS4LE)) {
from &= -4;
- if (from + length >= string->len) {
+ if (length >= string->len - from) {
length = string->len - from;
}
start = string->val + from;
end = start + (length & -4);
} else if ((encoding->flag & MBFL_ENCTYPE_SBCS)) {
- if (from + length >= string->len) {
+ if (length >= string->len - from) {
length = string->len - from;
}
@@ -1539,7 +1539,7 @@ mbfl_strcut(
start = p;
/* search end position */
- if ((start - string->val) + length >= (int)string->len) {
+ if (length >= (int)string->len - (start - string->val)) {
end = string->val + string->len;
} else {
for (q = p + length; p < q; p += (m = mbtab[*p]));
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 72880c79d4e..2b65a54ed9d 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -2186,6 +2186,14 @@ int phar_split_fname(const char *filename, int filename_len, char **arch, int *a
#endif
int ext_len;
+ if (CHECK_NULL_PATH(filename, filename_len)) {
+ return FAILURE;
+ }
+
+ if (CHECK_NULL_PATH(filename, filename_len)) {
+ return FAILURE;
+ }
+
if (!strncasecmp(filename, "phar://", 7)) {
filename += 7;
filename_len -= 7;
diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
index 249fbff4dea..ebacc88db14 100644
--- a/ext/phar/phar_object.c
+++ b/ext/phar/phar_object.c
@@ -450,7 +450,7 @@ PHP_METHOD(Phar, mount)
size_t path_len, actual_len;
phar_archive_data *pphar;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &path, &path_len, &actual, &actual_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &path, &path_len, &actual, &actual_len) == FAILURE) {
return;
}
@@ -929,7 +929,7 @@ PHP_METHOD(Phar, createDefaultStub)
zend_string *stub;
size_t index_len = 0, webindex_len = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "|ss", &index, &index_len, &webindex, &webindex_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "|pp", &index, &index_len, &webindex, &webindex_len) == FAILURE) {
return;
}
@@ -973,7 +973,7 @@ PHP_METHOD(Phar, loadPhar)
char *fname, *alias = NULL, *error;
size_t fname_len, alias_len = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s!", &fname, &fname_len, &alias, &alias_len) == FAILURE) {
return;
}
@@ -1053,7 +1053,7 @@ PHP_METHOD(Phar, isValidPharFilename)
int ext_len, is_executable;
zend_bool executable = 1;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|b", &fname, &fname_len, &executable) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|b", &fname, &fname_len, &executable) == FAILURE) {
return;
}
@@ -1120,11 +1120,11 @@ PHP_METHOD(Phar, __construct)
is_data = instanceof_function(Z_OBJCE_P(zobj), phar_ce_data);
if (is_data) {
- if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "s|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) {
+ if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "p|ls!l", &fname, &fname_len, &flags, &alias, &alias_len, &format) == FAILURE) {
return;
}
} else {
- if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "s|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) {
+ if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "p|ls!", &fname, &fname_len, &flags, &alias, &alias_len) == FAILURE) {
return;
}
}
@@ -1292,7 +1292,7 @@ PHP_METHOD(Phar, unlinkArchive)
int zname_len, arch_len, entry_len;
phar_archive_data *phar;
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &fname, &fname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) {
RETURN_FALSE;
}
@@ -1707,7 +1707,7 @@ PHP_METHOD(Phar, buildFromDirectory)
return;
}
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &dir, &dir_len, ®ex, ®ex_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &dir, &dir_len, ®ex, ®ex_len) == FAILURE) {
RETURN_FALSE;
}
@@ -2554,7 +2554,7 @@ PHP_METHOD(Phar, delete)
return;
}
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &fname, &fname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) {
RETURN_FALSE;
}
@@ -3368,7 +3368,7 @@ PHP_METHOD(Phar, copy)
PHAR_ARCHIVE_OBJECT();
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "pp", &oldfile, &oldfile_len, &newfile, &newfile_len) == FAILURE) {
return;
}
@@ -3468,7 +3468,7 @@ PHP_METHOD(Phar, offsetExists)
PHAR_ARCHIVE_OBJECT();
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &fname, &fname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) {
return;
}
@@ -3506,7 +3506,7 @@ PHP_METHOD(Phar, offsetGet)
zend_string *sfname;
PHAR_ARCHIVE_OBJECT();
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &fname, &fname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) {
return;
}
@@ -3653,8 +3653,8 @@ PHP_METHOD(Phar, offsetSet)
return;
}
- if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS(), "sr", &fname, &fname_len, &zresource) == FAILURE
- && zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) {
+ if (zend_parse_parameters_ex(ZEND_PARSE_PARAMS_QUIET, ZEND_NUM_ARGS(), "pr", &fname, &fname_len, &zresource) == FAILURE
+ && zend_parse_parameters(ZEND_NUM_ARGS(), "ps", &fname, &fname_len, &cont_str, &cont_len) == FAILURE) {
return;
}
@@ -3692,7 +3692,7 @@ PHP_METHOD(Phar, offsetUnset)
return;
}
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &fname, &fname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) {
return;
}
@@ -3739,7 +3739,7 @@ PHP_METHOD(Phar, addEmptyDir)
PHAR_ARCHIVE_OBJECT();
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &dirname, &dirname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &dirname, &dirname_len) == FAILURE) {
return;
}
@@ -3764,7 +3764,7 @@ PHP_METHOD(Phar, addFile)
PHAR_ARCHIVE_OBJECT();
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|s", &fname, &fname_len, &localname, &localname_len) == FAILURE) {
return;
}
@@ -3799,7 +3799,7 @@ PHP_METHOD(Phar, addFromString)
PHAR_ARCHIVE_OBJECT();
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "ps", &localname, &localname_len, &cont_str, &cont_len) == FAILURE) {
return;
}
@@ -4214,7 +4214,7 @@ PHP_METHOD(Phar, extractTo)
PHAR_ARCHIVE_OBJECT();
- if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|z!b", &pathto, &pathto_len, &zval_files, &overwrite) == FAILURE) {
return;
}
@@ -4346,7 +4346,7 @@ PHP_METHOD(PharFileInfo, __construct)
phar_archive_data *phar_data;
zval *zobj = getThis(), arg1;
- if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "s", &fname, &fname_len) == FAILURE) {
+ if (zend_parse_parameters_throw(ZEND_NUM_ARGS(), "p", &fname, &fname_len) == FAILURE) {
return;
}
diff --git a/ext/phar/tests/badparameters.phpt b/ext/phar/tests/badparameters.phpt
index a1a9fb78a0f..4d0887f66f9 100644
--- a/ext/phar/tests/badparameters.phpt
+++ b/ext/phar/tests/badparameters.phpt
@@ -147,19 +147,19 @@ echo $e->getMessage() . "\n";
--EXPECTF--
Warning: Phar::mungServer() expects parameter 1 to be array, %string given in %sbadparameters.php on line %d
-Warning: Phar::createDefaultStub() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: Phar::createDefaultStub() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
-Warning: Phar::loadPhar() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: Phar::loadPhar() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
Warning: Phar::canCompress() expects parameter 1 to be integer, %string given in %sbadparameters.php on line %d
-Exception: Phar::__construct() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Exception: Phar::__construct() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
Warning: Phar::convertToExecutable() expects parameter 1 to be integer, array given in %sbadparameters.php on line %d
Warning: Phar::convertToData() expects parameter 1 to be integer, array given in %sbadparameters.php on line %d
-Warning: PharData::delete() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: PharData::delete() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
Cannot write out phar archive, phar is read-only
Entry oops does not exist and cannot be deleted
%sfiles/frontcontroller10.phar
@@ -186,18 +186,18 @@ Phar is readonly, cannot change compression
Warning: Phar::copy() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d
Cannot copy "a" to "b", phar is read-only
-Warning: Phar::offsetExists() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: Phar::offsetExists() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
-Warning: Phar::offsetGet() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: Phar::offsetGet() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
Warning: Phar::offsetSet() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d
-Warning: PharData::offsetUnset() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: PharData::offsetUnset() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
Write operations disabled by the php.ini setting phar.readonly
-Warning: Phar::addEmptyDir() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: Phar::addEmptyDir() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
-Warning: Phar::addFile() expects parameter 1 to be %string, array given in %sbadparameters.php on line %d
+Warning: Phar::addFile() expects parameter 1 to be a valid path, array given in %sbadparameters.php on line %d
Warning: Phar::addFromString() expects exactly 2 parameters, 1 given in %sbadparameters.php on line %d
Write operations disabled by the php.ini setting phar.readonly
diff --git a/ext/phar/tests/bug64931/bug64931.phpt b/ext/phar/tests/bug64931/bug64931.phpt
index 9c1f9dcaf1d..29e0c7b4e32 100644
--- a/ext/phar/tests/bug64931/bug64931.phpt
+++ b/ext/phar/tests/bug64931/bug64931.phpt
@@ -48,11 +48,12 @@ try {
---EXPECT--
+--EXPECTF--
Test
CAUGHT: Cannot create any files in magic ".phar" directory
CAUGHT: Cannot create any files in magic ".phar" directory
CAUGHT: Cannot create any files in magic ".phar" directory
CAUGHT: Cannot create any files in magic ".phar" directory
-CAUGHT: Cannot create any files in magic ".phar" directory
+
+Warning: Phar::addFromString() expects parameter 1 to be a valid path, string given in %s/bug64931.php on line %d
===DONE===
\ No newline at end of file
diff --git a/ext/phar/tests/create_path_error.phpt b/ext/phar/tests/create_path_error.phpt
index fe2cd3e22bc..3449b07fc63 100644
--- a/ext/phar/tests/create_path_error.phpt
+++ b/ext/phar/tests/create_path_error.phpt
@@ -80,6 +80,5 @@ string(5) "query"
11:Error: file_put_contents(phar://%s): failed to open stream: phar error: invalid path "%s" contains illegal character
12:Error: file_put_contents(phar://%s): failed to open stream: phar error: invalid path "%s" contains illegal character
13:Error: file_put_contents(phar://%s): failed to open stream: phar error: invalid path "%s" contains illegal character
-Exception: Entry a does not exist and cannot be created: phar error: invalid path "a" contains illegal character
-===DONE===
+Error: Phar::offsetSet() expects parameter 1 to be a valid path, string given===DONE===
diff --git a/ext/phar/tests/phar_extract.phpt b/ext/phar/tests/phar_extract.phpt
index bc545236fd8..f7d1403d599 100644
--- a/ext/phar/tests/phar_extract.phpt
+++ b/ext/phar/tests/phar_extract.phpt
@@ -138,7 +138,7 @@ string(3) "hi2"
bool(false)
Invalid argument, expected a filename (string) or array of filenames
-Warning: Phar::extractTo() expects parameter 1 to be %string, array given in %sphar_extract.php on line %d
+Warning: Phar::extractTo() expects parameter 1 to be a valid path, array given in %sphar_extract.php on line %d
Invalid argument, extraction path must be non-zero length
Unable to use path "%soops" for extraction, it is a file, must be a directory
Invalid argument, array of filenames to extract contains non-string value
diff --git a/ext/phar/tests/phar_isvalidpharfilename.phpt b/ext/phar/tests/phar_isvalidpharfilename.phpt
index dee9b7dc03e..da07bec2876 100644
--- a/ext/phar/tests/phar_isvalidpharfilename.phpt
+++ b/ext/phar/tests/phar_isvalidpharfilename.phpt
@@ -76,7 +76,7 @@ var_dump(Phar::isValidPharFilename('dir.phar.php', false));
"
phar archive "%sphar_unlinkarchive.phar" has open file handles or objects. fclose() all file handles, and unset() all objects prior to calling unlinkArchive()
diff --git a/ext/phar/tests/pharfileinfo_construct.phpt b/ext/phar/tests/pharfileinfo_construct.phpt
index 1f4f6177b07..53ee5143cf0 100644
--- a/ext/phar/tests/pharfileinfo_construct.phpt
+++ b/ext/phar/tests/pharfileinfo_construct.phpt
@@ -50,7 +50,7 @@ echo $e->getMessage() . "\n";
--EXPECTF--
Cannot open phar file 'phar://%spharfileinfo_construct.phar/oops': internal corruption of phar "%spharfileinfo_construct.phar" (truncated entry)
-PharFileInfo::__construct() expects parameter 1 to be string, array given
+PharFileInfo::__construct() expects parameter 1 to be a valid path, array given
Cannot access phar file entry '%s' in archive '%s'
Cannot call constructor twice
'%s' is not a valid phar archive URL (must have at least phar://filename.phar)
diff --git a/ext/snmp/snmp.c b/ext/snmp/snmp.c
index d6a5680e7d9..38d82db670f 100644
--- a/ext/snmp/snmp.c
+++ b/ext/snmp/snmp.c
@@ -527,7 +527,7 @@ static void php_snmp_error(zval *object, const char *docref, int type, const cha
}
if (object && (snmp_object->exceptions_enabled & type)) {
- zend_throw_exception_ex(php_snmp_exception_ce, type, snmp_object->snmp_errstr);
+ zend_throw_exception_ex(php_snmp_exception_ce, type, "%s", snmp_object->snmp_errstr);
} else {
va_start(args, format);
php_verror(docref, "", E_WARNING, format, args);
diff --git a/ext/standard/url.c b/ext/standard/url.c
index b83814422b4..d69c11f1c11 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -621,7 +621,7 @@ PHPAPI size_t php_url_decode(char *str, size_t len)
*/
PHPAPI zend_string *php_raw_url_encode(char const *s, size_t len)
{
- register int x, y;
+ register size_t x, y;
zend_string *str;
str = zend_string_safe_alloc(3, len, 0, 0);