Merge branch 'PHP-7.3' into PHP-7.4

Zend/tests/bug77738.phpt

@@ -0,0 +1,8 @@
+--TEST--
+Bug #77738 (Nullptr deref in zend_compile_expr)
+--FILE--
+<?php
+__COMPILER_HALT_OFFSET__;
+; // <- important
+--EXPECTF--
+Warning: Use of undefined constant __COMPILER_HALT_OFFSET__ - assumed '__COMPILER_HALT_OFFSET__' %sbug77738.php on line %d

Zend/zend_compile.c

@@ -7704,11 +7704,11 @@ void zend_compile_const(znode *result, zend_ast *ast) /* {{{ */
 	if (zend_string_equals_literal(resolved_name, "__COMPILER_HALT_OFFSET__") || (name_ast->attr != ZEND_NAME_RELATIVE && zend_string_equals_literal(orig_name, "__COMPILER_HALT_OFFSET__"))) {
 		zend_ast *last = CG(ast);
 
-		while (last->kind == ZEND_AST_STMT_LIST) {
+		while (last && last->kind == ZEND_AST_STMT_LIST) {
 			zend_ast_list *list = zend_ast_get_list(last);
 			last = list->child[list->children-1];
 		}
-		if (last->kind == ZEND_AST_HALT_COMPILER) {
+		if (last && last->kind == ZEND_AST_HALT_COMPILER) {
 			result->op_type = IS_CONST;
 			ZVAL_LONG(&result->u.constant, Z_LVAL_P(zend_ast_get_zval(last->child[0])));
 			zend_string_release_ex(resolved_name, 0);

ext/bcmath/libbcmath/src/num2long.c

@@ -53,12 +53,19 @@ bc_num2long (num)
   /* Extract the int value, ignore the fraction. */
   val = 0;
   nptr = num->n_value;
-  for (index=num->n_len; (index>0) && (val<=(LONG_MAX/BASE)); index--)
-    val = val*BASE + *nptr++;
+  for (index = num->n_len; index > 0; index--) {
+    char n = *nptr++;
 
-  /* Check for overflow.  If overflow, return zero. */
-  if (index>0) val = 0;
-  if (val < 0) val = 0;
+    if (val > LONG_MAX/BASE) {
+      return 0;
+    }
+    val *= BASE;
+
+    if (val > LONG_MAX - n) {
+      return 0;
+    }
+    val += n;
+  }
 
   /* Return the value. */
   if (num->n_sign == PLUS)