History log of /PHP-8.2/ext/standard/var_unserializer.re (Results 126 – 150 of 316)
# 9e29f841 02-Jan-2017 Sammy Kaye Powers

Update copyright headers to 2017

# 489d5ac2 01-Jan-2017 Nikita Popov

Merge branch 'PHP-7.1'


# 878b8f04 01-Jan-2017 Nikita Popov

Merge branch 'PHP-7.0' into PHP-7.1


# 9f560bae 01-Jan-2017 Nikita Popov

Merge branch 'PHP-5.6' into PHP-7.0


# a65ad951 01-Jan-2017 Nikita Popov

Fix bug #70213

# 16b3003f 31-Dec-2016 Stanislav Malyshev

Fix bug #73825 - Heap out of bounds read on unserialize in finish_nested_data()

# d8f27b2b 26-Oct-2016 Andrea Faulds

Merge branch 'DedupNANINF'


# 6a7cc8ff 12-Sep-2016 Stanislav Malyshev

Fix bug #73052 - Memory Corruption in During Deserialized-object Destruction

# 09f7bb20 06-Sep-2016 Nikita Popov

Followup for bug #72785

Fix incorrect handling of nesting ... need to reset to the old
value afterwards.

# 747d21cf 06-Sep-2016 Stanislav Malyshev

Fix bug #72785 - allowed_classes only applies to outermost unserialize()

# ce6ad9bd 17-Aug-2016 Xinchen Hui

Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0: (48 commits)
Update NEWs
Unused label
Fixed bug #72853 (stream_set_blocking doesn't work)
fix test
Bug #72663 - part 3
Bug #72663 - part 2
Bug #72663 - part 1
Update NEWS
Block test with memory leak
fix tests
Fix TSRM build
Fix bug #72850 - integer overflow in uuencode
Fixed bug #72849 - integer overflow in urlencode
Fix bug #72848 - integer overflow in quoted_printable_encode caused heap corruption
Fix bug #72838 - Integer overflow lead to heap corruption in sql_regcase
Fix bug #72837 - integer overflow in bzdecompress caused heap corruption
Fix bug #72836 - integer overflow in base64_decode caused heap corruption
Fix for bug #72807 - do not produce strings with negative length
Fix for bug #72790 and bug #72799
Fix bug #72730 - imagegammacorrect allows arbitrary write access
...

Conflicts:
ext/standard/var_unserializer.c



# 61f2f5a0 10-Aug-2016 Nikita Popov

Bug #72663 - part 2

If a (nested) unserialize() call fails, we remove all the values
that were inserted into var_hash during that call. This prevents
their use in other unserializations in the same context.


# 2135fdef 08-Aug-2016 Nikita Popov

Bug #72663 - part 1

Don't call __destruct() on an unserialized object that has a
__wakeup() method if either
a) unserialization of its properties fails or
b) the __wakeup() call fails (e.g. by throwing).

This basically treats __wakeup() as a form of constructor and
aligns us with the usual behavior that if the constructor call
fails the destructor should not be called.

The security aspect here is that people use __wakeup() to prevent
unserialization of objects with dangerous __destruct() methods,
but this is ineffective if __destruct() can still be called while
__wakeup() was skipped.


# 639f7fde 07-Aug-2016 Stanislav Malyshev

Improve fix for #72663

# 448c9be1 02-Aug-2016 Stanislav Malyshev

Fix bug #72663 - destroy broken object when unserializing

# f7caa2bd 10-Aug-2016 Nikita Popov

Hide (un)serialize data from ABI

The (UN)SERIALIZE_INIT/DESTROY macros now go through non-inlined
functions, so any changes to them will apply to extensions without
rebuilds.

Additionally, the (un)serialize_data structures are now no longer
exported.

This means that we are allowed to change these structures in patch
releases without breaking the ABI.


# 16160386 21-Jun-2016 Dmitry Stogov

Added ZEND_ATTRIBUTE_FORMAT to some missing functions.
"%p" replaced by ZEND_LONG_FMT to avoid compilation warnings.
Fixed most incorrect use cases of format specifiers.

Revision tags: php-7.0.6, php-5.6.21, php-5.5.35
# c89b7a48 27-Apr-2016 Xinchen Hui

Use zend_string_safe_alloc

Revision tags: php-5.6.21RC1, php-7.0.6RC1
# c8590768 07-Apr-2016 Xinchen Hui

Improved fix for #71940

# 7e042224 07-Apr-2016 Xinchen Hui

Fixed bug #71940 (Unserialize crushes on restore object reference)

Revision tags: php-5.6.20, php-5.5.34, php-7.0.5
# 1c1e20d7 20-Mar-2016 Andrea Faulds

Deduplicate NAN/INF portability, move to Zend

# fe1a3fc0 17-Mar-2016 Xinchen Hui

Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6:
Fixed bug #71841 (EG(error_zval) is not handled well)
Fixed bug #71840 (Unserialize accepts wrongly data)

Conflicts:
Zend/zend_vm_def.h
Zend/zend_vm_execute.h
ext/standard/var_unserializer.c



# 6f241f5f 17-Mar-2016 Xinchen Hui

Fixed bug #71840 (Unserialize accepts wrongly data)

Revision tags: php-5.6.20RC1, php-7.0.5RC1
# 5602f642 03-Mar-2016 Nikita Popov

Eliminate usages of _PP macros

These are either in debug code (fix them), commented out (drop
them) or in dead compatibility macros (drop them).

One usage was in php_stream_get_from_zval(), which we have not used
since at least PHP 5.2 and, judging from the fact that nobody
complained about it causing compile errors in PHP 7, nobody else
uses it either, so drop it.

There are still remaining uses in mysqli embedded and odbc birdstep.
These probably need to be dropped outright.


Revision tags: php-5.6.19, php-5.5.33, php-7.0.4, php-5.6.19RC1, php-7.0.4RC1, php-5.6.18, php-7.0.3, php-5.5.32, php-5.6.18RC1, php-7.0.3RC1
# bcd64a9b 18-Jan-2016 Stanislav Malyshev

Fixed bug #71311: Use-after-free vulnerability in SPL(ArrayObject, unserialize)
