From 654c8aedd12c217987191c83e6e93c8e756c1a6e Mon Sep 17 00:00:00 2001 From: Bob Weinand Date: Tue, 5 Jan 2016 16:27:18 +0100 Subject: [PATCH 1/5] Fixed bug #71275 (Bad method called on cloning an object having a trait) --- NEWS | 2 ++ Zend/tests/bug71275.phpt | 27 +++++++++++++++++++++++++++ Zend/zend_inheritance.c | 22 +++++++++++----------- 3 files changed, 40 insertions(+), 11 deletions(-) create mode 100644 Zend/tests/bug71275.phpt diff --git a/NEWS b/NEWS index cc43981a502..9ab53baf858 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,8 @@ PHP NEWS ob_start). (hugh at allthethings dot co dot nz) . Fixed bug #71201 (round() segfault on 64-bit builds). (Anatol) . Added support for new HTTP 451 code. (Julien) + . Fixed Bug #71275 (Bad method called on cloning an object having a trait). + (Bob) - CURL: . Fixed bug #71225 (curl_setopt() fails to set CURLOPT_POSTFIELDS with diff --git a/Zend/tests/bug71275.phpt b/Zend/tests/bug71275.phpt new file mode 100644 index 00000000000..52443734b76 --- /dev/null +++ b/Zend/tests/bug71275.phpt @@ -0,0 +1,27 @@ +--TEST-- +Bug #71275 (Bad method called on cloning an object having a trait) +--FILE-- + +--EXPECT-- +I'm working hard to clone diff --git a/Zend/zend_inheritance.c b/Zend/zend_inheritance.c index 69473b75158..ac98627b10b 100644 --- a/Zend/zend_inheritance.c +++ b/Zend/zend_inheritance.c 
@@ -1026,34 +1026,34 @@ static zend_bool zend_traits_method_compatibility_check(zend_function *fn, zend_ static void zend_add_magic_methods(zend_class_entry* ce, zend_string* mname, zend_function* fe) /* {{{ */ { - if (!strncmp(ZSTR_VAL(mname), ZEND_CLONE_FUNC_NAME, ZSTR_LEN(mname))) { + if (zend_string_equals_literal(mname, ZEND_CLONE_FUNC_NAME)) { ce->clone = fe; fe->common.fn_flags |= ZEND_ACC_CLONE; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_CONSTRUCTOR_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_CONSTRUCTOR_FUNC_NAME)) { if (ce->constructor && (!ce->parent || ce->constructor != ce->parent->constructor)) { zend_error_noreturn(E_COMPILE_ERROR, "%s has colliding constructor definitions coming from traits", ZSTR_VAL(ce->name)); } ce->constructor = fe; fe->common.fn_flags |= ZEND_ACC_CTOR; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_DESTRUCTOR_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_DESTRUCTOR_FUNC_NAME)) { ce->destructor = fe; fe->common.fn_flags |= ZEND_ACC_DTOR; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_GET_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_GET_FUNC_NAME)) { ce->__get = fe; ce->ce_flags |= ZEND_ACC_USE_GUARDS; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_SET_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_SET_FUNC_NAME)) { ce->__set = fe; ce->ce_flags |= ZEND_ACC_USE_GUARDS; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_CALL_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_CALL_FUNC_NAME)) { ce->__call = fe; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_UNSET_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_UNSET_FUNC_NAME)) { ce->__unset = fe; ce->ce_flags |= ZEND_ACC_USE_GUARDS; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_ISSET_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_ISSET_FUNC_NAME)) { 
ce->__isset = fe; ce->ce_flags |= ZEND_ACC_USE_GUARDS; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_CALLSTATIC_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_CALLSTATIC_FUNC_NAME)) { ce->__callstatic = fe; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_TOSTRING_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_TOSTRING_FUNC_NAME)) { ce->__tostring = fe; - } else if (!strncmp(ZSTR_VAL(mname), ZEND_DEBUGINFO_FUNC_NAME, ZSTR_LEN(mname))) { + } else if (zend_string_equals_literal(mname, ZEND_DEBUGINFO_FUNC_NAME)) { ce->__debugInfo = fe; } else if (ZSTR_LEN(ce->name) == ZSTR_LEN(mname)) { zend_string *lowercase_name = zend_string_tolower(ce->name); From 9a07245b728714de09361ea16b9c6fcf70cb5685 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 5 Jan 2016 18:53:04 +0100 Subject: [PATCH 2/5] Fixed bug #71273 A wrong ext directory setup in php.ini leads to crash --- main/main.c | 19 ++++++++++++++++--- tests/basic/bug71273.phpt | 21 +++++++++++++++++++++ 2 files changed, 37 insertions(+), 3 deletions(-) create mode 100644 tests/basic/bug71273.phpt diff --git a/main/main.c b/main/main.c index dfba949351c..bc978d9ae31 100644 --- a/main/main.c +++ b/main/main.c @@ -723,9 +723,20 @@ PHPAPI ZEND_COLD void php_verror(const char *docref, const char *params, int typ if (PG(html_errors)) { replace_buffer = php_escape_html_entities((unsigned char*)buffer, buffer_len, 0, ENT_COMPAT, NULL); + /* Retry with substituting invalid chars on fail. */ + if (!replace_buffer) { + replace_buffer = php_escape_html_entities((unsigned char*)buffer, buffer_len, 0, ENT_COMPAT | ENT_HTML_SUBSTITUTE_ERRORS, NULL); + } + efree(buffer); - buffer = ZSTR_VAL(replace_buffer); - buffer_len = (int)ZSTR_LEN(replace_buffer); + + if (replace_buffer) { + buffer = ZSTR_VAL(replace_buffer); + buffer_len = (int)ZSTR_LEN(replace_buffer); + } else { + buffer = ""; + buffer_len = 0; + } } /* which function caused the problem if any at all */ 
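Review bot: The exact comparisons in zend_add_magic_methods now match only when `mname` equals the literal byte for byte, so the function depends on `mname` arriving already lowercased, and nothing in the hunk documents or asserts that. If a caller ever passed the name as declared (mixed case), none of the slots such as `ce->clone` or `ce->__get` would be set and the method would silently not be treated as magic. I would add a comment above the function, for example `/* mname must be the lowercased method name: magic-method matching below is exact and case-sensitive */`. The callers and the tail of the function (the `ZSTR_LEN(ce->name) == ZSTR_LEN(mname)` branch) lie outside the hunk, so whether the precondition holds cannot be confirmed from here.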
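Review bot: Pointing `buffer` at the literal `""` in the new else-branch of php_verror makes ownership of `buffer` depend on `buffer_len`, and the later hunk at -878 then uses `buffer_len > 0` as the test for `efree(buffer)`. That guard also skips the free when the formatted message is itself empty and html_errors is off, which would leak the heap buffer, assuming `buffer` is always allocated before this point (the allocation is not visible in the hunk). An explicit ownership flag is less fragile: declare `zend_bool buffer_owned = 1;`, set `buffer_owned = 0;` next to `buffer = "";`, and release with `if (buffer_owned) efree(buffer);`. php_verror begins and ends outside both hunks.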
@@ -878,7 +889,9 @@ PHPAPI ZEND_COLD void php_verror(const char *docref, const char *params, int typ if (replace_buffer) { zend_string_free(replace_buffer); } else { - efree(buffer); + if (buffer_len > 0) { + efree(buffer); + } } php_error(type, "%s", message); diff --git a/tests/basic/bug71273.phpt b/tests/basic/bug71273.phpt new file mode 100644 index 00000000000..d0cd72577ec --- /dev/null +++ b/tests/basic/bug71273.phpt @@ -0,0 +1,21 @@ +--TEST-- +Bug #71273 A wrong ext directory setup in php.ini leads to crash +--SKIPIF-- + +--FILE-- +&1"; + $out = shell_exec($cmd); + + var_dump(preg_match(",.+a[\\/].+[\\/]w.php_kartoffelbrei.dll.+,s", $out)); +?> +==DONE== +--EXPECTF-- +int(1) +==DONE== From 8d630f7d15fead8a76a96d56c97e5ca2852207b1 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 5 Jan 2016 18:57:38 +0100 Subject: [PATCH 3/5] update NEWS --- NEWS | 2 ++ 1 file changed, 2 insertions(+) diff --git a/NEWS b/NEWS index 9ab53baf858..ba72162447b 100644 --- a/NEWS +++ b/NEWS @@ -9,6 +9,8 @@ PHP NEWS . Added support for new HTTP 451 code. (Julien) . Fixed Bug #71275 (Bad method called on cloning an object having a trait). (Bob) + . Fixed bug #71273 (A wrong ext directory setup in php.ini leads to crash). + (Anatol) - CURL: . Fixed bug #71225 (curl_setopt() fails to set CURLOPT_POSTFIELDS with From 1dc395c8c45a6b5f69eff8319cd8b9a1b0a88894 Mon Sep 17 00:00:00 2001 From: Anatol Belski Date: Tue, 5 Jan 2016 20:03:05 +0100 Subject: [PATCH 4/5] improve fix for bug #71273 --- main/main.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/main/main.c b/main/main.c index bc978d9ae31..77a2f64b40a 100644 --- a/main/main.c +++ b/main/main.c 
@@ -724,7 +724,7 @@ PHPAPI ZEND_COLD void php_verror(const char *docref, const char *params, int typ if (PG(html_errors)) { replace_buffer = php_escape_html_entities((unsigned char*)buffer, buffer_len, 0, ENT_COMPAT, NULL); /* Retry with substituting invalid chars on fail. */ - if (!replace_buffer) { + if (!replace_buffer || ZSTR_LEN(replace_buffer) < 1) { replace_buffer = php_escape_html_entities((unsigned char*)buffer, buffer_len, 0, ENT_COMPAT | ENT_HTML_SUBSTITUTE_ERRORS, NULL); } From 69112d7e9715c01f5276b2fb5c31f7aab6aaeef9 Mon Sep 17 00:00:00 2001 From: George Wang Date: Thu, 19 Nov 2015 17:01:26 -0500 Subject: [PATCH 5/5] Fixed runtime php.ini override, ini name length is off by 1. (cherry picked from commit 5bcb7a7019a49c2f80eda7d2aa947efebeee0034) --- sapi/litespeed/lsapi_main.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sapi/litespeed/lsapi_main.c b/sapi/litespeed/lsapi_main.c index 5b799285334..b0ea105a885 100644 --- a/sapi/litespeed/lsapi_main.c +++ b/sapi/litespeed/lsapi_main.c @@ -602,11 +602,12 @@ static int alter_ini( const char * pKey, int keyLen, const char * pValue, int va else { #if PHP_MAJOR_VERSION >= 7 - psKey = zend_string_init(pKey, keyLen, 1); + --keyLen; + psKey = zend_string_init(pKey, keyLen, 1); zend_alter_ini_entry_chars(psKey, (char *)pValue, valLen, type, PHP_INI_STAGE_ACTIVATE); - zend_string_release(psKey); + zend_string_release(psKey); #else zend_alter_ini_entry((char *)pKey, keyLen, (char *)pValue, valLen,
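Review bot: In the main/main.c hunk the widened retry condition `!replace_buffer || ZSTR_LEN(replace_buffer) < 1` allows a non-NULL empty result to be overwritten by the second php_escape_html_entities() call without being released first. If the first call can return a freshly allocated empty string rather than a shared one (which cannot be determined from the hunk), that string leaks each time the retry runs. Releasing it before the retry is safe in either case: `if (replace_buffer) { zend_string_free(replace_buffer); }` placed directly ahead of the second assignment, matching the release already used at the end of php_verror. The retry now also fires for a message that is legitimately empty, which costs one redundant call but looks harmless.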