Merge branch 'PHP-7.1'

* PHP-7.1:
  Improve fix for #74145
  Fix wddx
  Fix tests
  Fixed bug #74111
  Fix bug #74603 - use correct buffer size
  Fix bug #74651 - check EVP_SealInit as it can return -1
  Update NEWS
  Fix bug #74087
  Fixed parsing of strange formats with mixed month/day and time strings
  Fix bug #74145 - wddx parsing empty boolean tag leads to SIGSEGV
  Fixed bug #74111
  Fix #74435: Buffer over-read into uninitialized memory
  Fix bug #74603 - use correct buffer size
  Fix bug #74651 - check EVP_SealInit as it can return -1
  Update NEWS
  Fix bug #73807

Zend/tests/bug74603.ini

@@ -0,0 +1 @@
+0=0&~2000000000

Zend/tests/bug74603.phpt

@@ -0,0 +1,15 @@
+--TEST--
+Bug #74603 (PHP INI Parsing Stack Buffer Overflow Vulnerability)
+--SKIPIF--
+<?php
+if (PHP_INT_MAX !== 2147483647)
+        die('skip for 32-bit only');
+--FILE--
+<?php
+var_dump(parse_ini_file(__DIR__ . "/bug74603.ini", true, INI_SCANNER_NORMAL));
+?>
+--EXPECT--
+array(1) {
+  [0]=>
+  string(1) "0"
+}

Zend/zend_ini_parser.y

@@ -55,7 +55,7 @@ static void zend_ini_do_op(char type, zval *result, zval *op1, zval *op2)
 	int i_result;
 	int i_op1, i_op2;
 	int str_len;
-	char str_result[MAX_LENGTH_OF_LONG];
+	char str_result[MAX_LENGTH_OF_LONG+1];
 
 	i_op1 = atoi(Z_STRVAL_P(op1));
 	zend_string_free(Z_STR_P(op1));

ext/date/lib/parse_date.re

@@ -913,7 +913,7 @@ datefull         = day ([ \t.-])* monthtext ([ \t.-])* year;
 datenoday        = monthtext ([ .\t-])* year4;
 datenodayrev     = year4 ([ .\t-])* monthtext;
 datetextual      = monthtext ([ .\t-])* day [,.stndrh\t ]+ year;
-datenoyear       = monthtext ([ .\t-])* day [,.stndrh\t ]*;
+datenoyear       = monthtext ([ .\t-])* day ([,.stndrh\t ]+|[\000]);
 datenoyearrev    = day ([ .\t-])* monthtext;
 datenocolon      = year4 monthlz daylz;
 

ext/date/tests/date-time-modify-times.phpt

@@ -34,14 +34,14 @@ foreach ( $tests as $start => $data )
 echo "\n";
 ?>
 --EXPECT--
-Sat, 23 Oct 2010 00:00:00 +0000
+Fri, 15 Oct 2010 23:00:00 +0000
 Wed, 15 Dec 2010 16:15:00 +0000
 Mon, 20 Dec 2010 00:00:00 +0000
 Mon, 20 Dec 2010 10:00:00 +0000
 Tue, 21 Dec 2010 12:00:00 +0000
 Mon, 03 Jan 2011 00:00:00 +0000
 Mon, 03 Jan 2011 09:00:00 +0000
-Sat, 23 Oct 2010 00:00:00 +0100
+Fri, 15 Oct 2010 23:00:00 +0100
 Sun, 28 Mar 2010 00:15:00 +0000
 Sun, 28 Mar 2010 02:15:00 +0100
 Sun, 28 Mar 2010 02:15:00 +0100

ext/gd/libgd/gd_gif_in.c

@@ -148,6 +148,9 @@ gdImagePtr gdImageCreateFromGifCtx(gdIOCtxPtr fd) /* {{{ */
 	int haveGlobalColormap;
 	gdImagePtr im = 0;
 
+	memset(ColorMap, 0, 3 * MAXCOLORMAPSIZE);
+	memset(localColorMap, 0, 3 * MAXCOLORMAPSIZE);
+
 	/*1.4//imageNumber = 1; */
 	if (! ReadOK(fd,buf,6)) {
 		return 0;

ext/gd/tests/bug74435.phpt

@@ -0,0 +1,27 @@
+--TEST--
+Bug #74435 (Buffer over-read into uninitialized memory)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+$im = imagecreatefromgif(__DIR__ . DIRECTORY_SEPARATOR . 'bug74435.gif');
+var_dump($im);
+$width = imagesx($im);
+$height = imagesy($im);
+for ($i = 0; $i < $width; $i += 16) {
+    for ($j = 0; $j < $height; $j += 16) {
+        if (($index = imagecolorat($im, $i, $j)) >= 2) {
+            list($red, $green, $blue, $alpha) = array_values(imagecolorsforindex($im, $index));
+            if ($red !== 0 || $green !== 0 || $blue !== 0 || $alpha !== 0) {
+                echo "unexpected color at ($i, $j)\n";
+            }
+        }
+    }
+}
+?>
+===DONE===
+--EXPECTF--
+resource(%d) of type (gd)
+===DONE===

ext/openssl/openssl.c

@@ -6057,7 +6057,7 @@ PHP_FUNCTION(openssl_seal)
 	buf = emalloc(data_len + EVP_CIPHER_CTX_block_size(ctx));
 	EVP_CIPHER_CTX_cleanup(ctx);
 
-	if (!EVP_SealInit(ctx, cipher, eks, eksl, &iv_buf[0], pkeys, nkeys) ||
+	if (EVP_SealInit(ctx, cipher, eks, eksl, &iv_buf[0], pkeys, nkeys) <= 0 ||
 			!EVP_SealUpdate(ctx, buf, &len1, (unsigned char *)data, (int)data_len) ||
 			!EVP_SealFinal(ctx, buf + len1, &len2)) {
 		efree(buf);

ext/openssl/tests/74651.pem

@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIEoDCCBAmgAwIBAgIBJzANBgkqhkiG9w0BAQQFADCBkDELMAkGA1UEFhMCUk8x
+EDAOBgNVBAgTB1JvbWFuaWExEDAOBgNVBAcTB0NyYWlvdmExDzANBgNVBAoTBlNl
+cmdpdTETMBEGA1UECxMKU2VyZ2l1IFNSTDESMBAGA1UEAxMJU2VyZ2l1IENBMSMw
+IQYJKoZIhvcNAQkBFhRuX3NlcmdpdUBob3RtYWlsLmNvbTAeFw0wNDA1MTQxMzM0
+NTZaFw0wNTA1MTQxMzM0NTZaMIGaMQswCQYDVQQGEwJSTzEQMA4GA1UECBMHUm9t
+YW5pYTEQMA4GA1UEBxMHQ3JhaW92YTETMBEGA1UEChMKU2VyZ2l1IFNSTDETMBEG
+A1UECxMKU2VyZ2l1IFNSTDEYMBYGA1UEAxMPU2VyZ2l1IHBlcnNvbmFsMSMwIQYJ
+KoZIhvcNAQkBFhRuX3NlcmdpdUBob3RtYWlsLmNvbTCBnzANBgkqhkiG9w0BAQEF
+AAOBjQAwgYkCgYEApNj7XXz8T8FcLIWpBniPYom3QcT6T7u0xRPHqtqzj5oboBYp
+DJe5d354/y0gJTpiLt8+fTrPgWXnbHm3pOHgXzTcX6Arani0GDU0/xDi4VkCRGcS
+YqX2sJpcDzAbmK9UDMt3xf/O1B8AJan3RfO0Bm3ozTEPziLMkmsiYr5b/L4CAwEA
+AaOCAfwwggH4MAkGA1UdEwQCMAAwNQYJYIZIAYb4QgENBCgWJkZvciBHcmlkIHVz
+ZSBvbmx5OyByZXF1ZXN0IHRhZyB1c2VyVGFnMBEGCWCGSAGG+EIBAQQEAwIF4DA/
+BgNVHR8EODA2MDSgMqAwhi5odHRwOi8vbW9iaWxlLmJsdWUtc29mdHdhcmUucm86
+OTAvY2EvY3JsLnNodG1sMDUGCWCGSAGG+EIBCAQoFiZodHRwOi8vbW9iaWxlLmJs
+dWUtc29mdHdhcmUucm86OTAvcHViLzAhBgNVHREEGjAYgRZzZXJnaXVAYmx1ZXNv
+ZnR3YXJlLnJvMB0GA1UdDgQWBBSwp//5QRXeIzm93TEPl6CyonTg/DCBpwYDVR0j
+BIGfMIGcoYGWpIGTMIGQMQswCQYDVQQGEwJSTzEQMA4GA1UECBMHUm9tYW5pYTEQ
+MA4GA1UEBxMHQ3JhaW92YTEPMA0GA1UEChMGU2VyZ2l1MRMwEQYDVQQLEwpTZXJn
+aXUgU1JMMRIwEAYDVQQDEwlTZXJnaXUgQ0ExIzAhBgkqhkiG9w0BCQEWFG5fc2Vy
+Z2l1QGhvdG1haWwuY29tggEAMAsGA1UdDwQEAwIE8DAjBglghkgBhvhCAQIEFhYU
+aHR0cDovLzYyLjIzMS45OC41Mi8wCwYDKgMEBAQ+52I0MA0GCSqGSIb3DQEBBAUA
+A4GBAIBIOJ+iiLyQfNJEY+IMefayQea0nmuXYY+F+L1DFjSC7xChytgYoPNnKkhh
+3dWPtxbswiqKYUnGi6y3Hi4UhDsOaDW29t2S305hSc2qgjOiNtRYQIVYQ8EHG1k7
+Fl63S7uCOhnVJt+4MnUK1N6/pwgsp+Z2GvEsDG1qCKnvNpf6
+-----END CERTIFICATE-----

ext/openssl/tests/bug74651.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal()
+--SKIPIF--
+<?php
+if (!extension_loaded("openssl")) die("skip openssl not loaded");
+?>
+--FILE--
+<?php
+
+$inputstr = file_get_contents(__DIR__ . "/74651.pem");
+$pub_key_id = openssl_get_publickey($inputstr);
+var_dump($pub_key_id);
+var_dump(openssl_seal($inputstr, $sealed, $ekeys, array($pub_key_id, $pub_key_id), 'AES-128-ECB'));
+?>
+--EXPECTF--
+resource(%d) of type (OpenSSL key)
+bool(false)

ext/pcre/pcrelib/pcre_jit_compile.c

@@ -7307,7 +7307,7 @@ if (opcode == OP_COND || opcode == OP_SCOND)
 
     if (*matchingpath == OP_FAIL)
       stacksize = 0;
-    if (*matchingpath == OP_RREF)
+    else if (*matchingpath == OP_RREF)
       {
       stacksize = GET2(matchingpath, 1);
       if (common->currententry == NULL)

ext/standard/tests/serialize/bug25378.phpt

@@ -42,7 +42,7 @@ bool(false)
 Notice: unserialize(): Error at offset 17 of 33 bytes in %sbug25378.php on line %d
 bool(false)
 
-Notice: unserialize(): Error at offset 33 of 32 bytes in %sbug25378.php on line %d
+Notice: unserialize(): Error at offset 32 of 32 bytes in %sbug25378.php on line %d
 bool(false)
 
 Notice: unserialize(): Error at offset 2 of 13 bytes in %sbug25378.php on line %d

ext/standard/tests/serialize/bug74111.phpt

@@ -0,0 +1,10 @@
+--TEST--
+Bug #74111: Heap buffer overread (READ: 1) finish_nested_data from unserialize
+--FILE--
+<?php
+$s = 'O:8:"stdClass":00000000';
+var_dump(unserialize($s));
+?>
+--EXPECTF--
+Notice: unserialize(): Error at offset 25 of 23 bytes in %s on line %d
+bool(false)

ext/standard/tests/strings/bug70436.phpt

@@ -48,7 +48,7 @@ DONE
 --EXPECTF--
 Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d
 
-Notice: unserialize(): Error at offset 17 of 17 bytes in %sbug70436.php on line %d
+Notice: unserialize(): Error at offset 16 of 17 bytes in %sbug70436.php on line %d
 
 Notice: unserialize(): Error at offset 93 of 94 bytes in %sbug70436.php on line %d
 bool(false)

ext/standard/tests/strings/bug72663_3.phpt

@@ -14,5 +14,5 @@ unserialize($poc);
 ?>
 DONE
 --EXPECTF--
-Notice: unserialize(): Error at offset 51 of 50 bytes in %sbug72663_3.php on line %d
+Notice: unserialize(): Error at offset 50 of 50 bytes in %sbug72663_3.php on line %d
 DONE

ext/standard/var_unserializer.re

@@ -474,13 +474,12 @@ string_key:
 
 static inline int finish_nested_data(UNSERIALIZE_PARAMETER)
 {
-	if (*((*p)++) == '}')
-		return 1;
+	if (*p >= max || **p != '}') {
+		return 0;
+	}
 
-#if SOMETHING_NEW_MIGHT_LEAD_TO_CRASH_ENABLE_IF_YOU_ARE_BRAVE
-	zval_ptr_dtor(rval);
-#endif
-	return 0;
+	(*p)++;
+	return 1;
 }
 
 static inline int object_custom(UNSERIALIZE_PARAMETER, zend_class_entry *ce)

ext/wddx/tests/bug74145.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #74145 (wddx parsing empty boolean tag leads to SIGSEGV)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$data = file_get_contents(__DIR__ . '/bug74145.xml');
+$wddx = wddx_deserialize($data);
+var_dump($wddx);
+?>
+DONE
+--EXPECTF--
+NULL
+DONE

ext/wddx/tests/bug74145.xml

@@ -0,0 +1,9 @@
+<?xml version='1.0' ?>
+    <!DOCTYPE et SYSTEM 'w'>
+    <wddxPacket ven='1.0'>
+        <array>
+            <var Name="name">
+                <boolean ></boolean>
+            </var>
+        </array>
+    </wddxPacket>

ext/wddx/wddx.c

@@ -761,19 +761,16 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X
 	} else if (!strcmp((char *)name, EL_BOOLEAN)) {
 		int i;
 
+		ent.type = ST_BOOLEAN;
+		SET_STACK_VARNAME;
 		if (atts) for (i = 0; atts[i]; i++) {
 			if (!strcmp((char *)atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) {
-				ent.type = ST_BOOLEAN;
-				SET_STACK_VARNAME;
-
 				ZVAL_TRUE(&ent.data);
 				wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
 				php_wddx_process_data(user_data, atts[i+1], strlen((char *)atts[i+1]));
 				break;
 			}
 		} else {
-			ent.type = ST_BOOLEAN;
-			SET_STACK_VARNAME;
 			ZVAL_FALSE(&ent.data);
 			wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry));
 		}