From 3248b3c4d8a30458d3e61b3598c3aaedb7b03d5b Mon Sep 17 00:00:00 2001
From: Julien Pauli
Date: Thu, 12 Dec 2013 17:15:43 +0100
Subject: [PATCH 1/4] Update NEWS for 5.5.7 release
---
 NEWS | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 12132d16b47..861a948d92d 100644
--- a/NEWS
+++ b/NEWS
@@ -41,7 +41,7 @@ PHP NEWS
   . Fixed bug #49634 (Segfault throwing an exception in a XSL registered
     function). (Mike)
 
-?? ??? 2013, PHP 5.5.7
+12 Dec 2013, PHP 5.5.7
 
 - CLI server:
   . Added some MIME types to the CLI web server (Chris Jones)
@@ -62,6 +62,10 @@ PHP NEWS
 - readline
   . Fixed Bug #65714 (PHP cli forces the tty to cooked mode). (Remi)
 
+- Openssl:
+  . Fixed memory corruption in openssl_x509_parse() (CVE-2013-6420).
+    (Stefan Esser).
+
 14 Nov 2013, PHP 5.5.6
 
 - Core:
From 54213b462d725aa10088909feceac63aaa1896d8 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 13 Dec 2013 01:44:54 +0800
Subject: [PATCH 2/4] Disallowed JMP into a finally block.
---
 NEWS | 1 +
 Zend/zend_opcode.c | 15 ++++++++++-----
 2 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/NEWS b/NEWS
index 861a948d92d..d9dcac91a5b 100644
--- a/NEWS
+++ b/NEWS
@@ -3,6 +3,7 @@ PHP NEWS
 ?? ??? 2013, PHP 5.5.8
 
 - Core:
+  . Disallowed JMP into a finally block. (Laruence)
   . Added validation of class names in the autoload process. (Dmitry)
   . Fixed invalid C code in zend_strtod.c. (Lior Kaplan)
   . Fixed bug #66041 (list() fails to unpack yielded ArrayAccess object).
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index 41b4bd25710..c47168757d4 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -489,17 +489,22 @@ static void zend_check_finally_breakout(zend_op_array *op_array, zend_uint op_nu
 	zend_uint i;
 
 	for (i = 0; i < op_array->last_try_catch; i++) {
-		if (op_array->try_catch_array[i].try_op > op_num) {
-			break;
-		}
-		if ((op_num >= op_array->try_catch_array[i].finally_op
+		if ((op_num < op_array->try_catch_array[i].finally_op ||
+					op_num >= op_array->try_catch_array[i].finally_end)
+				&& (dst_num >= op_array->try_catch_array[i].finally_op &&
+					dst_num <= op_array->try_catch_array[i].finally_end)) {
+			CG(in_compilation) = 1;
+			CG(active_op_array) = op_array;
+			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
+			zend_error(E_COMPILE_ERROR, "jump into a finally block is disallowed");
+		} else if ((op_num >= op_array->try_catch_array[i].finally_op
 				&& op_num <= op_array->try_catch_array[i].finally_end)
 				&& (dst_num > op_array->try_catch_array[i].finally_end ||
 				dst_num < op_array->try_catch_array[i].finally_op)) {
 			CG(in_compilation) = 1;
 			CG(active_op_array) = op_array;
 			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
-			zend_error(E_COMPILE_ERROR, "jump out of a finally block is disallowed");
+			zend_error_noreturn(E_COMPILE_ERROR, "jump out of a finally block is disallowed");
 		}
 	}
 }
From dde552f2ee921550646c4236471c1252a9534b52 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 13 Dec 2013 01:45:45 +0800
Subject: [PATCH 3/4] Add Tests for #65784 in 5.5
---
 Zend/tests/bug65784.phpt | 62 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)
 create mode 100644 Zend/tests/bug65784.phpt
diff --git a/Zend/tests/bug65784.phpt b/Zend/tests/bug65784.phpt
new file mode 100644
index 00000000000..adc34113a55
--- /dev/null
+++ b/Zend/tests/bug65784.phpt
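Review bot: The two range tests disagree about the boundary opline `finally_end`: the new "jump into" condition treats `op_num >= finally_end` as outside the block, while the "jump out of" condition right below treats `op_num <= finally_end` as inside, so a jump whose source is exactly `finally_end` is "outside" for one check and "inside" for the other. If the range is inclusive, as both `dst_num <= finally_end` tests assume, the first condition should read `op_num > op_array->try_catch_array[i].finally_end`. The `CG(in_compilation)`/`CG(active_op_array)`/`CG(zend_lineno)` setup is also repeated verbatim in both branches; evaluating the two membership tests once per entry and sharing a single error path, as below, removes the duplication and states the inclusive bounds in one place. Dropping the `try_op > op_num` early exit looks intended so that the scan reaches finally blocks that begin after `op_num`, but that is inferred, and a one-line comment on the loop would make it explicit now that every entry is visited. The function's signature and opening brace are outside the hunk.
```c
	for (i = 0; i < op_array->last_try_catch; i++) {
		zend_uint fin_op = op_array->try_catch_array[i].finally_op;
		zend_uint fin_end = op_array->try_catch_array[i].finally_end;
		/* both bounds inclusive: [finally_op, finally_end] */
		int src_inside = (op_num >= fin_op && op_num <= fin_end);
		int dst_inside = (dst_num >= fin_op && dst_num <= fin_end);
		const char *msg = NULL;

		if (!src_inside && dst_inside) {
			msg = "jump into a finally block is disallowed";
		} else if (src_inside && !dst_inside) {
			msg = "jump out of a finally block is disallowed";
		}
		if (msg) {
			CG(in_compilation) = 1;
			CG(active_op_array) = op_array;
			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
			zend_error_noreturn(E_COMPILE_ERROR, "%s", msg);
		}
	}
```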
@@ -0,0 +1,62 @@
+--TEST--
+Fixed Bug #65784 (Segfault with finally)
+--XFAIL--
+This bug is not fixed in 5.5 due to ABI BC
+--FILE--
+getMessage()); } while ($e = $e->getPrevious()); }
+
+function foo2() {
+	try {
+		try {
+			throw new Exception("catched");
+			return true;
+		} finally {
+			try {
+				throw new Exception("catched");
+			} catch (Exception $e) {
+			}
+		}
+	} catch (Exception $e) {
+	}
+}
+
+$foo = foo2();
+var_dump($foo);
+
+function foo3() {
+	try {
+		throw new Exception("not catched");
+		return true;
+	} finally {
+		try {
+			throw new NotExists();
+		} catch (Exception $e) {
+		}
+	}
+}
+
+$bar = foo3();
+--EXPECTF--
+string(9) "not catch"
+NULL
+
+Fatal error: Class 'NotExists' not found in %sbug65784.php on line %d
From ef73f85079e7563cb82afde35f0e89321257f0d9 Mon Sep 17 00:00:00 2001
From: Xinchen Hui
Date: Fri, 13 Dec 2013 10:56:35 +0800
Subject: [PATCH 4/4] Use zend_error_noreturn here
---
 Zend/zend_opcode.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Zend/zend_opcode.c b/Zend/zend_opcode.c
index c47168757d4..2dfa9848b69 100644
--- a/Zend/zend_opcode.c
+++ b/Zend/zend_opcode.c
@@ -496,7 +496,7 @@ static void zend_check_finally_breakout(zend_op_array *op_array, zend_uint op_nu
 			CG(in_compilation) = 1;
 			CG(active_op_array) = op_array;
 			CG(zend_lineno) = op_array->opcodes[op_num].lineno;
-			zend_error(E_COMPILE_ERROR, "jump into a finally block is disallowed");
+			zend_error_noreturn(E_COMPILE_ERROR, "jump into a finally block is disallowed");
 		} else if ((op_num >= op_array->try_catch_array[i].finally_op
 				&& op_num <= op_array->try_catch_array[i].finally_end)
 				&& (dst_num > op_array->try_catch_array[i].finally_end
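Review bot: The expected line `string(9) "not catch"` in `--EXPECTF--` does not correspond to any message visible in the test: the only throw with that prefix is `throw new Exception("not catched")` in foo3, which is 11 characters, and foo3's return value is never var_dump'ed. The first message is printed by the `do { ... } while ($e = $e->getPrevious());` loop near the top of the file, whose throw site is garbled in this rendering, so I can't confirm what it prints; if it throws "not catched" like foo3, the expectation should be `string(11) "not catched"`. Because the test is marked `--XFAIL--`, a wrong expectation is indistinguishable from the expected failure, so it is worth verifying now rather than when the fix is backported and the XFAIL section is removed.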