From acc574d76b60d23b48f8fa561084eb859c2e0766 Mon Sep 17 00:00:00 2001
From: Davey Shafik <me@daveyshafik.com>
Date: Tue, 13 Sep 2016 19:38:39 -0700
Subject: [PATCH 1/2] Sync NEWS

---
 NEWS | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/NEWS b/NEWS
index b3788e9ad60..8a80d0e5f67 100644
--- a/NEWS
+++ b/NEWS
@@ -66,6 +66,7 @@ PHP                                                                        NEWS
 - Intl:
   . Fixed bug #65732 (grapheme_*() is not Unicode compliant on CR LF
     sequence). (cmb)
+  . Fixed bug #73007 (add locale length check). (Stas)
 
 - JSON:
   . Implemented earlier return when json_encode fails, fixes bugs #68992
@@ -82,6 +83,12 @@ PHP                                                                        NEWS
   . Implemented stringify 'uniqueidentifier' fields.
     (Alexander Zhuravlev, Adam Baratz)
 
+- Phar:
+  . Fixed bug #72928 (Out of bound when verify signature of zip phar in
+    phar_parse_zipfile). (Stas)
+  . Fixed bug #73035 (Out of bound when verify signature of tar phar in
+    phar_parse_tarfile). (Stas)
+
 - Reflection:
   . Reverted prepending \ for class names. (Trowski)
 
@@ -182,6 +189,7 @@ PHP                                                                        NEWS
 
 - SPL:
   . Fixed bug #72888 (Segfault on clone on splFileObject). (Laruence)
+  . Fixed bug #73029 (Missing type check when unserializing SplArray). (Stas)
 
 - SQLite3:
   . Updated to SQLite3 3.14.0. (cmb)
@@ -305,6 +313,8 @@ PHP                                                                        NEWS
     (Stas)
   . Fixed bug #72799 (wddx_deserialize null dereference in
     php_wddx_pop_element). (Stas)
+  . Fixed bug #72860 (wddx_deserialize use-after-free). (Stas)
+  . Fixed bug #73065 (Out-Of-Bounds Read in php_wddx_push_element). (Stas)
 
 - XMLRPC:
   . Fixed bug #72647 (xmlrpc_encode() unexpected output after referencing

From 001fbbb94f6a182e9db1ddcbad73ce7f4076f117 Mon Sep 17 00:00:00 2001
From: Anatol Belski <ab@php.net>
Date: Wed, 14 Sep 2016 12:07:38 +0200
Subject: [PATCH 2/2] fix erroneous resource destruction

---
 ext/phar/tar.c | 20 ++------------------
 1 file changed, 2 insertions(+), 18 deletions(-)

diff --git a/ext/phar/tar.c b/ext/phar/tar.c
index b3dfad8be73..3a601913ace 100644
--- a/ext/phar/tar.c
+++ b/ext/phar/tar.c
@@ -1002,6 +1002,8 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
 			efree(entry.filename);
 			return EOF;
 		}
+		/* At this point the entry is saved into the manifest. The manifest destroy
+			routine will care about any resources to be freed. */
 	} else {
 		zend_hash_str_del(&phar->manifest, ".phar/alias.txt", sizeof(".phar/alias.txt")-1);
 	}
@@ -1015,12 +1017,6 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
 				if (error) {
 					spprintf(error, 0, "unable to access resource to copy stub to new tar-based phar \"%s\"", phar->fname);
 				}
-				if (entry.fp) {
-					php_stream_close(entry.fp);
-				}
-				if (entry.filename) {
-					efree(entry.filename);
-				}
 				return EOF;
 			}
 			if (len == -1) {
@@ -1048,12 +1044,6 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
 				if (error) {
 					spprintf(error, 0, "unable to read resource to copy stub to new tar-based phar \"%s\"", phar->fname);
 				}
-				if (entry.fp) {
-					php_stream_close(entry.fp);
-				}
-				if (entry.filename) {
-					efree(entry.filename);
-				}
 				return EOF;
 			}
 			free_user_stub = 1;
@@ -1070,12 +1060,6 @@ int phar_tar_flush(phar_archive_data *phar, char *user_stub, zend_long len, int
 			if (free_user_stub) {
 				efree(user_stub);
 			}
-			if (entry.fp) {
-				php_stream_close(entry.fp);
-			}
-			if (entry.filename) {
-				efree(entry.filename);
-			}
 			return EOF;
 		}
 		pos = user_stub + (pos - tmp);