base64_encode used safe_emalloc, but one of the arguments was derived from a
multiplication, thus making the allocation unsafe again.
There was a size check in place, but it was off by a factor of two as it
didn't account for the signedness of the integer type.
The unsafe allocation is not exploitable, but still causes funny behavior
when the sized overflows into a negative number.
To fix the issue the *4 factor is moved into the size argument (where it is
known to be safe), so safe_emalloc can carry out the multiplication.
The size check is removed as it doesn't really make sense once safe_emalloc
works correctly. (Would only cause base64_encode to silently return false
instead of throwing an error. Also could cause problems with other uses of
the base64 encoding API, which all don't check for a NULL return value.)
Furthermore the (length + 2) < 0 check is replaced with just length < 0.
Allowing lengths -2 and -1 doesn't make sense semantically and also is not
honored in the following code (negative length would access unallocated
memory.)
Actually the length < 0 check doesn't make sense altogether, but I left it
there just to be safe.
json_encode() now returns bool(false) for all possible errors, throws the
respective warning and also sets the respective json_last_error() error
code. Three new error codes have been added:
* JSON_ERROR_RECURSION
* JSON_ERROR_INF_OR_NAN
* JSON_ERROR_UNSUPPORTED_TYPE
To get a partial JSON output instead of bool(false) the option
JSON_PARTIAL_OUTPUT_ON_ERROR can be specified. In this case the invalid
segments will be replaced either by null (for recursion, unsupported type
and invalid JSON) or 0 (for Inf and NaN).
The warning for invalid UTF-8 stays intact and is thrown also with
display_errors = On. If this behavior is undesired this can be remedied
later.
Travis will always build all branches. As we just have a .travis.yml
on master, travis will go ahead and checkout PHP-5.3. It fails and
then sends mails. We really don't want to get spammed, so we add
a .travis.yml that is just silent.
Modify the scanner to check if the first char of the raw data is an opening " in which case we
need to find the closing one. Otherwise just search for the next end of value char [\r\n;\000]
Ressurected and limited to ICU 4.8 in the hope that the sort keys
will remain stable in more recent ICU versions. I have only tested
with ICU 4.8 so far.