Fix bug #72724

Merge branch 'PHP-7.0' into PHP-7.1

Merge branch 'PHP-5.6' into PHP-7.0

Fix #72709: imagesetstyle() causes OOB read for empty $styles

Calling imagesetstyle() with an empty $styles array caused gdImageSetStyle()
to be called with `noOfPixels==0`, what could h

Fix #72709: imagesetstyle() causes OOB read for empty $styles

Calling imagesetstyle() with an empty $styles array caused gdImageSetStyle()
to be called with `noOfPixels==0`, what could have lead to OOB reads.
Actually, this issue will be fixed in libgd, but to avoid issues when older
libgd is in use, we simply disallow passing an empty $styles array to
imagesetstyle(), what wouldn't serve a useful purpose anyway.

show more ...

update NEWS

prepare next

update NEWS

update NEWS

Merge branch 'PHP-5.6' into PHP-7.0

Revert "Fixed bug #71219"

This reverts commit 14d674442ef86ad4e862228a1ff5ecd322ae7759.

I misread the discussion on the bug -- this is not the correct
fix. However the other pro

Revert "Fixed bug #71219"

This reverts commit 14d674442ef86ad4e862228a1ff5ecd322ae7759.

I misread the discussion on the bug -- this is not the correct
fix. However the other proposed fix does not work either, so just
reverting for now.

show more ...

Merge branch 'PHP-5.6' into PHP-7.0

Fixed bug #71219

Fix incorrect merge

Forgot to amend the merge fixes...

Merge branch 'PHP-7.0' into PHP-7.1

Fixed bug #72142

Merge branch 'PHP-7.0' into PHP-7.1

Merge branch 'PHP-5.6' into PHP-7.0

fixes bad address given to onig_error_code_to_str

Closes bug #72710

(cherry picked from commit 0fb7eb6723bcc6fd98053911543e801edb5ab763)

Fix memory unsafety in array_walk()

Fixes bugs #61967, #62607, #69068, #70713.

The primary changes are:
a) Use the ht_iterator mechanism to ensure safety not only if the

Fix memory unsafety in array_walk()

Fixes bugs #61967, #62607, #69068, #70713.

The primary changes are:
a) Use the ht_iterator mechanism to ensure safety not only if the
iterated array itself changes, but also if it is replaced (and
potentially destroyed) entirely. We use the same semantics for
behavior under modification as foreach-by-reference. In
particular, we advance to the next element before processing it.
If the iterated entity is exchanged we iterate the new one from
the start. If it is not an array/object we warn and abort.
b) Always create a reference to the current value. Previously the
code kept the value as a non-reference and updated it to the
reference value produced by the user callback. However this is
unsafe, as the array may have been reallocated in the meantime,
so the previous value pointer is no longer value.
c) Around a recursive walk, incref the reference containing the
array. This ensures that the location where the currently
iterated value is stored cannot be freed.

One problem I was not able to solve is that we cannot decrement
the apply count if the array is exchanged during a recursive walk.

show more ...

update NEWS

Merge branch 'PHP-7.0' into PHP-7.1

Merge branch 'PHP-5.6' into PHP-7.0

# Resolved conflicts:
# ext/calendar/calendar.c

Fix #71894: AddressSanitizer: global-buffer-overflow in zif_cal_from_jd

Julian days < 347998 denote invalid Jewish calendar dates, so
cal_from_jd($jd, CAL_JEWISH) and jdmonthname($jd, CA

Fix #71894: AddressSanitizer: global-buffer-overflow in zif_cal_from_jd

Julian days < 347998 denote invalid Jewish calendar dates, so
cal_from_jd($jd, CAL_JEWISH) and jdmonthname($jd, CAL_MONTH_JEWISH) should
actually fail. For BC we don't yet let them though, but we fix the OOB read
that happens in this case, and we also adjust cal_from_jd()'s return value
to have empty strings for "abbrevdayname" and "dayname" instead of "Sun"/
"Sunday" and NULL for "dow" instead of 0, which doesn't make any sense.

show more ...

Merge branch 'PHP-7.0' into PHP-7.1

Merge branch 'PHP-5.6' into PHP-7.0