Christoph M. Becker
eb570294a2
Fix #73530 : Unsetting result set may reset other result set
...
Calling sqlite3_reset() when a result set object is freed can cause
undesired and maybe even hard to track interference with other result
sets. Furthermore, there is no need to call sqlite3_reset(), because
that is implicitly called on SQLite3Stmt::execute(), and users are
encouraged to explicitly call either SQLite3Result::finalize() or
SQLite3Stmt::reset() anyway.
2016-11-16 11:49:04 +01:00
Dmitry Stogov
ecba563f2f
Fixed bug #69090 (check cached files permissions)
2016-11-16 12:43:10 +03:00
Anatol Belski
e922d89f66
add missing NEWS entry
2016-11-09 21:32:44 +01:00
Ferenc Kovacs
87673d6e99
add missing NEWS entries
2016-11-09 02:12:16 +01:00
Anatol Belski
d6d08f97cd
fix memory leak
2016-11-08 12:12:58 +01:00
Anatol Belski
33766347cb
Merge remote-tracking branch 'phpsec/PHP-5.6.28' into PHP-5.6
2016-11-08 11:06:52 +01:00
Jakub Zelenka
493b2bff02
Fix bug #72776 (Invalid parameter in memcpy function trough openssl_pbkdf2)
2016-11-06 20:40:51 +00:00
Anatol Belski
b044a7429e
add missing RETURN_STRINGL_CHECK
...
As RETVAL_STRINGL_CHECK is already there, this one is needed for
completion. One place in ext/bz2 is missing that, so it will likely
be useful for other possible fixes.
2016-11-06 17:51:25 +01:00
Anatol Belski
617f38b0e0
fix dir separator in test
2016-11-04 18:29:54 +01:00
Stanislav Malyshev
40f7fea897
Add length check for bzcompress too - fix for bug #73356
2016-11-03 22:10:22 -07:00
Stanislav Malyshev
1fd18821e0
More string length checks & fixes
2016-11-03 21:35:09 -07:00
Derick Rethans
ccb91cde94
Updated to version 2016.9 (2016i)
2016-11-03 13:57:28 -04:00
Anatol Belski
99b242a6d0
Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash
2016-11-03 17:03:23 +01:00
Christoph M. Becker
2eacb53fc4
Fix #73436 : Setting allow_url_fopen to Off makes several tests fail
...
We make sure that these tests run with allow_url_fopen=1.
2016-11-01 20:13:53 +01:00
Christoph M. Becker
863d37ea66
Fix #72696 : imagefilltoborder stackoverflow on truecolor images
...
We must not allow negative color values be passed to
gdImageFillToBorder(), because that can lead to infinite recursion
since the recursion termination condition will not necessarily be met.
2016-10-30 14:31:29 -07:00
Christoph M. Becker
6499581af7
Fix #72482 : Ilegal write/read access caused by gdImageAALine overflow
...
Instead of rolling our own bounds check we use clip_1d() as it's done
in gdImageLine() and in external libgd. We must not pass the image
width and height, respectively, but rather the largest ordinate value
that is allowed to be accessed, i.e. width-1 and height-1,
respectively.
2016-10-30 14:28:23 -07:00
Xinchen Hui
ef75ddd4f9
Fixed bug #73402 (Opcache segfault when using class constant to call a method)
2016-10-29 23:41:51 +08:00
Ferenc Kovacs
9b3a1e00ab
5.6.29 will be next
2016-10-27 23:10:59 +02:00
Christoph M. Becker
cd13d0260a
Fix #72494 : imagecropauto out-of-bounds access
...
This issue has actually already been fixed with commit 46f2c690. We're
adding a regression test and a NEWS entry, and also port the fix in
gdImageCropThreshold() from libgd:
* <https://github.com/libgd/libgd/commit/b347e034 >
* <https://github.com/libgd/libgd/commit/46f2c690 >
2016-10-25 14:29:48 +02:00
Derick Rethans
4f5a755b9d
Updated to version 2016.8 (2016h)
2016-10-24 10:37:07 +01:00
Stanislav Malyshev
f74d7d92c8
Fix bug #73144 and bug #73341 - remove extra dtor
2016-10-23 22:03:16 -07:00
Stanislav Malyshev
6045de69c7
Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle
...
Proper soltion would be to call serialize/unserialize and deal with the result,
but this requires more work that should be done by wddx maintainer (not me).
2016-10-23 20:09:23 -07:00
Dmitry Stogov
6558559bcc
Fixed bug #73337 (try/catch not working with two exceptions inside a same operation)
2016-10-18 14:48:01 +03:00
Christoph M. Becker
86e603a664
Fix #73333 : 2147483647 is fetched as string
...
We return all integers that can be represented as such by PHP as
integers, and only those that exceed the possible range as strings.
On builds which represent integers with 64 bits, the range check is
unnecessary and might cause code checkers to complain, so we skip this
special casing via the preprocessor according to
<http://git.php.net/?p=php-src.git;a=commit;h=99d087e5 >.
2016-10-17 23:34:41 +02:00
Remi Collet
e1f5b6d8df
use zend_error instead of zend_error_noreturn
2016-10-14 10:53:40 +02:00
Ferenc Kovacs
f7bf9650aa
add missing NEWS entries for 5.6.27
2016-10-14 08:06:14 +02:00
Christoph M. Becker
cc08cbc84d
Fix #73280 : Stack Buffer Overflow in GD dynamicGetbuf
...
We make sure to never pass a negative `rlen` as size to memcpy().
Cf. <https://github.com/libgd/libgd/commit/53110871 >.
2016-10-13 11:10:02 +02:00
Sara Golemon
43ccf23d70
Clear FG(user_stream_current_filename) when bailing out
...
If a userwrapper opener E_ERRORs then FG(user_stream_current_filename)
would remain set until the next request and would not be pointing
at unallocated memory.
Catch the bailout, clear the variable, then continue bailing.
Closes https://bugs.php.net/bug.php?id=73188
2016-10-11 21:55:01 -07:00
Stanislav Malyshev
689a9b8def
Merge branch 'PHP-5.6.27' into PHP-5.6
...
* PHP-5.6.27:
Fix tests
fix tsrm
Fix bug #73284 - heap overflow in php_ereg_replace function
Fix bug #73276 - crash in openssl_random_pseudo_bytes function
Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
fix bug #73275 - crash in openssl_encrypt function
Fix for #73240 - Write out of bounds at number_format
Bug #73218 : add mitigation for ICU int overflow
Add more locale length checks, due to ICU bugs.
Fix bug #73208 - another missing length check
Fix bug #73190 : memcpy negative parameter _bc_new_num_ex
Fix bug #73189 - Memcpy negative size parameter php_resolve_path
Fixed bug #73174 - heap overflow in php_pcre_replace_impl
Fix bug #73150 : missing NULL check in dom_document_save_html
Fix bug #73147 : Use After Free in PHP7 unserialize()
Fix bug #73082
Fix bug #73073 - CachingIterator null dereference when convert to string
2016-10-11 16:26:35 -07:00
Stanislav Malyshev
082d1f2375
Fix tests
2016-10-11 16:18:08 -07:00
Stanislav Malyshev
c1112ff323
fix tsrm
2016-10-11 14:39:16 -07:00
Stanislav Malyshev
21452a5401
Fix bug #73284 - heap overflow in php_ereg_replace function
2016-10-11 14:16:51 -07:00
Stanislav Malyshev
85a22a0af0
Fix bug #73276 - crash in openssl_random_pseudo_bytes function
2016-10-11 13:37:47 -07:00
Stanislav Malyshev
96a8cf8e1b
Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
2016-10-11 13:30:52 -07:00
Stanislav Malyshev
8822f7c9f0
fix bug #73275 - crash in openssl_encrypt function
2016-10-11 13:19:20 -07:00
Stanislav Malyshev
8259130b6b
Fix for #73240 - Write out of bounds at number_format
2016-10-10 23:42:50 -07:00
Anatol Belski
4165d97606
update NEWS
2016-10-10 20:55:44 +02:00
Anatol Belski
256b150a96
add test for bug #73037
2016-10-10 15:59:52 +02:00
Christoph M. Becker
fc989fc6e7
Fix #73279 : Integer overflow in gdImageScaleBilinearPalette()
...
The color components are supposed to be in range 0..255, so we must not
cast them to `signed char`, what can be the default for `char`.
Port of <https://github.com/libgd/libgd/commit/77c8d359 >.
2016-10-10 11:41:39 +02:00
Christoph M. Becker
b92216b97d
Fix #73272 : imagescale() affects imagesetinterpolation()
...
We must not permanently change the interpolation method, but rather
have to restore the old method after we're done with scaling the image.
2016-10-09 15:10:34 +02:00
Anatol Belski
3c5742ebd7
fix leak
2016-10-08 19:07:35 +02:00
Nikita Popov
b061fa909d
Fix bug #73192
2016-10-08 01:04:22 +02:00
Nikita Popov
bc3a0b82b8
Revert "Fixed test"
...
This reverts commit a10d03ac16
.
2016-10-08 00:43:36 +02:00
Nikita Popov
1c468ee044
Revert "Added validation to parse_url() to prohibit restricted characters inside login/pass components based on RFC3986"
...
This reverts commit 085dfca02b
.
2016-10-08 00:43:17 +02:00
Anatol Belski
07546496b1
Fix bug #73037 , second round
2016-10-05 14:54:06 +02:00
Stanislav Malyshev
d946d10293
Bug #73218 : add mitigation for ICU int overflow
2016-10-04 22:40:43 -07:00
Stanislav Malyshev
d3eb58332a
Add more locale length checks, due to ICU bugs.
2016-10-04 21:28:40 -07:00
Ilia Alshanetsky
a10d03ac16
Fixed test
2016-10-04 21:20:38 -07:00
Ilia Alshanetsky
085dfca02b
Added validation to parse_url() to prohibit restricted characters inside login/pass components based on RFC3986
2016-10-04 21:20:31 -07:00
Stanislav Malyshev
8ea01d5f19
Apparently negative wordwrap is a thing and should work as length = 0.
...
I'll leave it as is for now.
2016-10-03 19:17:42 -07:00