Merge branch 'PHP-7.1'

* PHP-7.1:
  Add length check for bzcompress too - fix for bug #73356
  More string length checks & fixes
  More string length checks & fixes

ext/imap/php_imap.c

@@ -3950,7 +3950,7 @@ int _php_imap_mail(char *to, char *subject, char *message, char *headers, char *
 #define PHP_IMAP_CLEAN	if (bufferTo) efree(bufferTo); if (bufferCc) efree(bufferCc); if (bufferBcc) efree(bufferBcc); if (bufferHeader) efree(bufferHeader);
 #define PHP_IMAP_BAD_DEST PHP_IMAP_CLEAN; efree(tempMailTo); return (BAD_MSG_DESTINATION);
 
-	bufferHeader = (char *)emalloc(bufferLen + 1);
+	bufferHeader = (char *)safe_emalloc(bufferLen, 1, 1);
 	memset(bufferHeader, 0, bufferLen);
 	if (to && *to) {
 		strlcat(bufferHeader, "To: ", bufferLen + 1);

ext/intl/intl_convert.c

@@ -53,7 +53,7 @@ void intl_convert_utf8_to_utf16(
 	UErrorCode* status )
 {
 	UChar*      dst_buf = NULL;
-	int32_t     dst_len = 0;
+	uint32_t    dst_len = 0;
 
 	/* If *target is NULL determine required destination buffer size (pre-flighting).
 	 * Otherwise, attempt to convert source string; if *target buffer is not large enough

ext/intl/locale/locale_methods.c

@@ -268,6 +268,9 @@ static zend_string* get_icu_value_internal( const char* loc_name , char* tag_nam
 	int32_t      buflen         = 512;
 	UErrorCode   status         = U_ZERO_ERROR;
 
+	if (strlen(loc_name) > INTL_MAX_LOCALE_LEN) {
+		return NULL;
+	}
 
 	if( strcmp(tag_name, LOC_CANONICALIZE_TAG) != 0 ){
 		/* Handle  grandfathered languages */
@@ -713,6 +716,8 @@ PHP_FUNCTION( locale_get_keywords )
         RETURN_FALSE;
     }
 
+	INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
     if(loc_name_len == 0) {
         loc_name = intl_locale_get_default();
     }
@@ -1116,6 +1121,8 @@ PHP_FUNCTION(locale_parse)
         RETURN_FALSE;
     }
 
+    INTL_CHECK_LOCALE_LEN(strlen(loc_name));
+
     if(loc_name_len == 0) {
         loc_name = intl_locale_get_default();
     }

ext/intl/msgformat/msgformat_data.c

@@ -83,7 +83,7 @@ msgformat_data* msgformat_data_create( void )
 int msgformat_fix_quotes(UChar **spattern, uint32_t *spattern_len, UErrorCode *ec)
 {
 	if(*spattern && *spattern_len && u_strchr(*spattern, (UChar)'\'')) {
-		UChar *npattern = emalloc(sizeof(UChar)*(2*(*spattern_len)+1));
+		UChar *npattern = safe_emalloc(sizeof(UChar)*2, *spattern_len, sizeof(UChar));
 		uint32_t npattern_len;
 		npattern_len = umsg_autoQuoteApostrophe(*spattern, *spattern_len, npattern, 2*(*spattern_len)+1, ec);
 		efree(*spattern);

ext/standard/exec.c

@@ -325,7 +325,7 @@ PHPAPI zend_string *php_escape_shell_cmd(char *str)
 				ZSTR_VAL(cmd)[y++] = str[x];
 				break;
 #else
-			/* % is Windows specific for environmental variables, ^%PATH% will 
+			/* % is Windows specific for environmental variables, ^%PATH% will
 				output PATH while ^%PATH^% will not. escapeshellcmd->val will escape all % and !.
 			*/
 			case '%':

ext/xmlrpc/libxmlrpc/base64.c

@@ -32,6 +32,9 @@ void buffer_new(struct buffer_st *b)
 
 void buffer_add(struct buffer_st *b, char c)
 {
+  if ((INT_MAX - b->length) <= 512) {
+		return;
+  }
   *(b->ptr++) = c;
   b->offset++;
   if (b->offset == b->length) {
@@ -80,7 +83,7 @@ void base64_encode_xmlrpc(struct buffer_st *b, const char *source, int length)
     for (n = 0; n < 3; n++) {
       c = *(source++);
       offset++;
-      if (offset > length) {
+      if (offset > length || offset <= 0) {
 	hiteof = 1;
 	break;
       }

ext/xmlrpc/libxmlrpc/simplestring.c

@@ -81,6 +81,7 @@ static const char rcsid[] = "#(@) $Id$";
 
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "simplestring.h"
 
 #define my_free(thing)  if(thing) {efree(thing); thing = 0;}
@@ -201,7 +202,7 @@ void simplestring_addn(simplestring* target, const char* source, size_t add_len)
          simplestring_init_str(target);
       }
 
-      if((SIZE_MAX - add_len) < target->len || (SIZE_MAX - add_len - 1) < target->len) {
+      if((INT_MAX - add_len) < target->len || (INT_MAX - add_len - 1) < target->len) {
     	  /* check for overflows, if there's a potential overflow do nothing */
     	  return;
       }

ext/zip/php_zip.c

@@ -1590,7 +1590,7 @@ static ZIPARCHIVE_METHOD(addEmptyDir)
 	}
 
 	if (dirname[dirname_len-1] != '/') {
-		s=(char *)emalloc(dirname_len+2);
+		s=(char *)safe_emalloc(dirname_len, 1, 2);
 		strcpy(s, dirname);
 		s[dirname_len] = '/';
 		s[dirname_len+1] = '\0';
@@ -1805,14 +1805,14 @@ static ZIPARCHIVE_METHOD(addFromString)
 
 	ze_obj = Z_ZIP_P(self);
 	if (ze_obj->buffers_cnt) {
-		ze_obj->buffers = (char **)erealloc(ze_obj->buffers, sizeof(char *) * (ze_obj->buffers_cnt+1));
+		ze_obj->buffers = (char **)safe_erealloc(ze_obj->buffers, sizeof(char *), (ze_obj->buffers_cnt+1), 0);
 		pos = ze_obj->buffers_cnt++;
 	} else {
 		ze_obj->buffers = (char **)emalloc(sizeof(char *));
 		ze_obj->buffers_cnt++;
 		pos = 0;
 	}
-	ze_obj->buffers[pos] = (char *)emalloc(ZSTR_LEN(buffer) + 1);
+	ze_obj->buffers[pos] = (char *)safe_emalloc(ZSTR_LEN(buffer), 1, 1);
 	memcpy(ze_obj->buffers[pos], ZSTR_VAL(buffer), ZSTR_LEN(buffer) + 1);
 
 	zs = zip_source_buffer(intern, ze_obj->buffers[pos], ZSTR_LEN(buffer), 0);