Fix #77391: 1bpp BMPs may fail to be loaded

We port the upstream fix[1].

[1] <https://github.com/libgd/libgd/commit/d0859134fcbd8817f87895bd1cb158096568a7a2>

[ci skip] Update NEWS

Fix #77360: class_uses causes segfault

Fix #77359: spl_autoload causes segfault

Use the correct function to free the string.

Implement ZEND_ARRAY_KEY_EXISTS opcode to speed up array_key_exists()

Update NEWS [ci skip]

Update NEWS [ci skip]

Update NEWS [ci skip]

Fixed bug #77338

Set preg_options to 0 in php_pcre_get_compiled_regex(_ex). These
options are intended to be passed to pcre2_match. However, we do
not have any flags that actually ne

Fixed bug #77338

Set preg_options to 0 in php_pcre_get_compiled_regex(_ex). These
options are intended to be passed to pcre2_match. However, we do
not have any flags that actually need to be set during matching
(all relevant flags are set during compilation), and the preg_flags
value is used for PHP-specific flags instead.

This parameter should be removed entirely in master to avoid confusion.

show more ...

Merge branch 'PHP-7.2' into PHP-7.3

* PHP-7.2:
Fixed bug #77339 (__callStatic may get incorrect arguments)

Fixed bug #77339 (__callStatic may get incorrect arguments)

Fix #77298: segfault occurs when add property to unserialized empty ArrayObject

[ci skip] Add missing entry for bug 77020

missing entry for #77020

bump to 7.2.15-dev

[ci skip] Fix release date

Prepare main branch for 7.3.2

Fix #77297: SodiumException segfaults on PHP 7.3

Instead of trying to clean the argument arrays from the backtrace, we
overwrite them with empty arrays.

Fix #77291: magic methods inherited from a trait may be ignored

When adding methods from a trait, we must not assume that a method name
with the same length as the name of the using clas

Fix #77291: magic methods inherited from a trait may be ignored

When adding methods from a trait, we must not assume that a method name
with the same length as the name of the using class is either a PHP 4
style constructor, or not a magic method at all – it may well be
another magic method.

We mostly preserve the spirit of the optimization which caused this
regression, and avoid string comparisons for all method names which can
never be magic methods.

show more ...

Implement SQLite3Stmt::getSQL method, returning the original statement SQL, eventually expanded

Allow empty $escape to eschew escaping CSV

Albeit CSV is still a widespread data exchange format, it has never been
officially standardized. There exists, however, the “informational” R

Allow empty $escape to eschew escaping CSV

Albeit CSV is still a widespread data exchange format, it has never been
officially standardized. There exists, however, the “informational” RFC
4180[1] which has no notion of escape characters, but rather defines
`escaped` as strings enclosed in double-quotes where contained
double-quotes have to be doubled. While this concept is supported by
PHP's implementation (`$enclosure`), the `$escape` sometimes interferes,
so that `fgetcsv()` is unable to correctly parse externally generated
CSV, and `fputcsv()` is sometimes generating non-compliant CSV. Since
PHP's `$escape` concept is availble for many years, we cannot drop it
for BC reasons (even though many consider it as bug). Instead we allow
to pass an empty string as `$escape` parameter to the respective
functions, which results in ignoring/omitting any escaping, and as such
is more inline with RFC 4180. It is noteworthy that this is almost no
userland BC break, since formerly most functions did not accept an empty
string, and failed in this case. The only exception was `str_getcsv()`
which did accept an empty string, and used a backslash as escape
character then (which appears to be unintended behavior, anyway).

The changed functions are `fputcsv()`, `fgetcsv()` and `str_getcsv()`,
and also the `::setCsvControl()`, `::getCsvControl()`, `::fputcsv()`,
and `::fgetcsv()` methods of `SplFileObject`.

The implementation also changes the type of the escape parameter of the
PHP_APIs `php_fgetcsv()` and `php_fputcsv()` from `char` to `int`, where
`PHP_CSV_NO_ESCAPE` means to ignore/omit escaping. The parameter
accepts the same values as `isalpha()` and friends, i.e. “the value of
which shall be representable as an `unsigned char` or shall equal the
value of the macro `EOF`. If the argument has any other value, the
behavior is undefined.” This is a subtle BC break, since the character
`chr(128)` has the value `-1` if `char` is signed, and so likely would
be confused with `EOF` when converted to `int`. We consider this BC
break to be acceptable, since it's rather unlikely that anybody uses
`chr(128)` as escape character, and it easily can be fixed by casting
all `escape` arguments to `unsigned char`.

This patch implements the feature requests 38301[2] and 51496[3].

[1] <https://tools.ietf.org/html/rfc4180>
[2] <https://bugs.php.net/bug.php?id=38301>
[3] <https://bugs.php.net/bug.php?id=51496>

show more ...

Resolve imagecropauto() default $mode quirk

The `$mode` parameter of `imagecropauto()` defaults to `-1`. However,
`-1` is changed to `GD_CROP_DEFAULT` right away, so basically the
d

Resolve imagecropauto() default $mode quirk

The `$mode` parameter of `imagecropauto()` defaults to `-1`. However,
`-1` is changed to `GD_CROP_DEFAULT` right away, so basically the
default is `GD_CROP_DEFAULT`, which is rather confusing and
unnecessary.

Therefore, we change the default to `IMG_CROP_DEFAULT`, but still allow
an explicit `-1` to be passed for BC reasons, in which case we trigger
a deprecation notice, so we can rid the `-1` support eventually.

show more ...

Implement FR #72510: systemd service should be hardened

Update NEWS

Fixed bug #77275

Instead of juggling with this problem during literal compaction,
make sure that we always initialize Z_EXTRA for literals, which
seems like the more robust solution.