Xinchen Hui
eca84946a4
Fixed bug #73350 (Exception::__toString() cause circular references)
2016-10-22 14:50:21 +08:00
Anatol Belski
9f2ab75b10
Fixed bug #73329 (Float)"Nano" == NAN
...
The special cases (float)"inf", etc. were never intended and are
caused by the updated strtod lib. While it might be nice as an
easy way to produce Inf and NaN special values, it was never
documented and causes BC breaches.
2016-10-18 19:11:18 +02:00
Bob Weinand
8b177f6a2a
Fixed bug #73338 (Exception thrown from error handler may crash)
2016-10-18 14:14:24 +02:00
Dmitry Stogov
7bd4e7208e
Merge branch 'PHP-5.6' into PHP-7.0
...
* PHP-5.6:
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation)
2016-10-18 15:04:49 +03:00
Dmitry Stogov
6558559bcc
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation)
2016-10-18 14:48:01 +03:00
Anatol Belski
5ba9eab436
missed piece for renaming
2016-10-13 15:39:02 +02:00
Anatol Belski
730288ae41
rename publicly exposed symbol to avoid name conflicts
2016-10-13 15:23:50 +02:00
Anatol Belski
3104882cf8
Revert "export symbol missing by phpdbg"
...
This reverts commit 611ab7fe5b.
Overseen strpprintf is there
2016-10-13 09:50:32 +02:00
Stanislav Malyshev
9c50ba42d6
Fix potential overflows in php_pcre_replace_impl
2016-10-12 23:07:47 -07:00
Nikita Popov
5b429fef42
Fix line number of implicit return in pseudo-main scope
2016-10-12 22:25:41 +02:00
Anatol Belski
611ab7fe5b
export symbol missing by phpdbg
2016-10-12 22:18:41 +02:00
Stanislav Malyshev
74b5662536
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
...
(cherry picked from commit 40e7baab3c)
2016-10-12 19:48:25 +02:00
Stanislav Malyshev
f42cbd749c
Fix bug #73147: Use After Free in PHP7 unserialize()
...
(cherry picked from commit 0e6fe3a4c9)
2016-10-12 17:51:15 +02:00
Stanislav Malyshev
1bdb30a429
Merge branch 'PHP-7.0.12' into PHP-7.0
...
* PHP-7.0.12:
set versions and release date
sync NEWS
Revert "Fixed bug #73067 (__debugInfo crashes when throwing an exception)"
Fix for #73240 - Write out of bounds at number_format
Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key
set versions
Fix bug #73091 - Unserializing DateInterval object may lead to __toString invocation
2016-10-11 16:46:51 -07:00
Stanislav Malyshev
689a9b8def
Merge branch 'PHP-5.6.27' into PHP-5.6
...
* PHP-5.6.27:
Fix tests
fix tsrm
Fix bug #73284 - heap overflow in php_ereg_replace function
Fix bug #73276 - crash in openssl_random_pseudo_bytes function
Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
fix bug #73275 - crash in openssl_encrypt function
Fix for #73240 - Write out of bounds at number_format
Bug #73218: add mitigation for ICU int overflow
Add more locale length checks, due to ICU bugs.
Fix bug #73208 - another missing length check
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
Fix bug #73189 - Memcpy negative size parameter php_resolve_path
Fixed bug #73174 - heap overflow in php_pcre_replace_impl
Fix bug #73150: missing NULL check in dom_document_save_html
Fix bug #73147: Use After Free in PHP7 unserialize()
Fix bug #73082
Fix bug #73073 - CachingIterator null dereference when convert to string
2016-10-11 16:26:35 -07:00
Stanislav Malyshev
96a8cf8e1b
Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
2016-10-11 13:30:52 -07:00
Anatol Belski
8c9f639a1d
Revert "Fixed bug #73067 (__debugInfo crashes when throwing an exception)"
...
This reverts commit 2d8ab51576.
2016-10-11 11:24:08 +02:00
Nikita Popov
2a75f5026a
Fix bug #66773, #66862
...
This is a partial backport of 8754b19. It
a) fixes the class/function/constant import table confusion in the
namespaced case, and
b) restricts conflict checks to a single file based on a filename
pointer comparison.
It does not fix the issues with filename reuse (e.g. due to eval)
and late-bound classes. This part of the change requires globals
changes.
2016-10-08 17:00:27 +02:00
Stanislav Malyshev
40e7baab3c
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
2016-10-03 00:09:02 -07:00
Nikita Popov
f9d4b1a3f1
Fix leak in zend_exception_error
...
Only occurs if a non-fatal severity level is used, e.g. when using
interactive mode.
2016-10-01 19:04:31 +02:00
Dmitry Stogov
e7f4355d9b
Better fix for bug #72854 (avoid extra copy and creating reference to stack variable)
2016-09-29 10:56:01 +03:00
Nikita Popov
e520b9e127
Merge branch 'PHP-5.6' into PHP-7.0
2016-09-28 23:22:11 +02:00
Nikita Popov
1f5412982c
Handle resource keys in constexpr arrays
2016-09-28 23:11:02 +02:00
Nikita Popov
40b8105cca
Fix the constant array case as well
2016-09-28 23:05:21 +02:00
Nikita Popov
437942d972
Merge branch 'PHP-5.6' into PHP-7.0
2016-09-28 22:36:58 +02:00
Nikita Popov
99bf19c177
Check next_index_insert failure in ADD_ARRAY_ELEMENT
2016-09-28 22:35:27 +02:00
Nikita Popov
b7cbaa7f43
Fix bug #73181
2016-09-27 19:47:48 +02:00
Anatol Belski
39e5991705
Fixed bug #73172 parse error: Invalid numeric literal
2016-09-26 18:47:30 +02:00
Dmitry Stogov
d279118422
Fixed bug #73156 (segfault on undefined function)
2016-09-26 14:14:57 +03:00
Stanislav Malyshev
0e6fe3a4c9
Fix bug #73147: Use After Free in PHP7 unserialize()
2016-09-25 19:53:59 -07:00
Christoph M. Becker
bc22582cf7
Merge branch 'PHP-5.6' into PHP-7.0
2016-09-24 18:05:21 +02:00
Christoph M. Becker
c596b02a5b
Merge branch 'pull-request/2120' into PHP-5.6
2016-09-24 17:52:15 +02:00
Nikita Popov
8831a12da1
Fixed bug #73163
2016-09-24 13:18:43 +02:00
John Boehr
68e602ff0a
Fix bug #69579
2016-09-22 12:38:07 +02:00
Dmitry Stogov
3c16384ea2
Merge branch 'PHP-5.6' into PHP-7.0
...
* PHP-5.6:
Fixed inconsistent meaning of zend_startup_module_ex() return value used in zend_hash_apply()
2016-09-20 12:34:40 +03:00
Dmitry Stogov
4dd70b6e2f
Fixed inconsistent meaning of zend_startup_module_ex() return value used in zend_hash_apply()
2016-09-20 12:29:57 +03:00
Nikita Popov
896814e139
Make zval_ptr_dtor / _zval_dtor_func more robust
...
In particular, allow arrays with refcount>1, like we already allow
for all other types. _zval_dtor_func is now the same as
_zval_dtor_func_for_ptr with an extra refcount decrement check at
the start. At this point we might as well drop it...
Cherry-pick of ded69ee6e6 from
PHP-7.1.
2016-09-17 22:33:41 +02:00
Michael Orlitzky
0e76cafaf1
Disable add/sub asm for gcc 4.9 pic/pie builds
2016-09-16 21:06:02 +02:00
Anatol Belski
8fd0e0285f
missed semicolon
2016-09-13 10:50:44 +02:00
Anatol Belski
363c2524dd
fix C89 conformity
2016-09-13 10:43:51 +02:00
Stanislav Malyshev
6a7cc8ff85
Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction
2016-09-12 21:04:23 -07:00
Stanislav Malyshev
19866fb76c
Fix various int size overflows.
...
Add function for detection of string zvals with length that does not fit
INT_MAX.
2016-09-12 21:04:23 -07:00
Xinchen Hui
2d8ab51576
Fixed bug #73067 (__debugInfo crashes when throwing an exception)
2016-09-13 10:58:57 +08:00
Andrea Faulds
d690014bf3
Remove zpp fallback code (always use Fast ZPP)
...
Squashed commit of the following:
commit 3e27fbb3d2
Author: Andrea Faulds <ajf@ajf.me>
Date: Sun Sep 11 19:14:37 2016 +0100
Keep dummy FAST_ZPP macro for compatibility
commit 8a7cfd00de
Author: Andrea Faulds <ajf@ajf.me>
Date: Mon Sep 5 22:36:03 2016 +0100
Remove FAST_ZPP macro and plain zpp fallback code
2016-09-11 22:44:46 +01:00
Christoph M. Becker
5880428dac
Fix potential memory issue with USE_ZEND_ALLOC=0
...
The PHP core and extensions are written with the assumption that memory
allocation either succeeds, or the allocator bails out (i.e. the allocator
is infallible). Therefore the results of emalloc() and friends are not checked
for NULL values.
However, with USE_ZEND_ALLOC=0, malloc() and friends are used as allocators,
but these are fallible, i.e. they return NULL instead of bailing out if they
fail. This easily leads to invalid memory accesses in the following, such as
in <https://bugs.php.net/73032>. Some of these cases may constitute
exploitable vulnerabilities.
Therefore we make the infallible __zend_alloc() and friends the default for
USE_ZEND_ALLOC=0.
2016-09-07 22:50:53 +02:00
Christoph M. Becker
af3031d755
Merge branch 'PHP-5.6' into PHP-7.0
2016-09-06 12:11:24 +02:00
Christoph M. Becker
dad793630d
Fix #73025: Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c
...
`command_length` is retrieved via strlen() and later passed to emalloc()
and memcpy(), so the appropriate type is `size_t`.
We don't add a regression test, because that would need to allocate a string
of at least 2 GiB.
2016-09-06 12:05:58 +02:00
Dmitry Stogov
b66039db33
Fixed bug #72944 (Null pointer deref in zval_delref_p).
2016-08-29 12:02:50 +03:00
Xinchen Hui
986d0f87ec
Fixed bug #72936 (Zend API's zend_symtable_str_update() asserts key should end with '\0')
2016-08-29 00:10:31 +08:00
Xinchen Hui
c67fa3c91d
Fixed bug #72943 (assign_dim on string doesn't reset hval)
2016-08-26 18:30:08 +08:00