authorFerenc Kovacs <tyra3l@gmail.com>2017-01-19 01:13:01 +0100
committerFerenc Kovacs <tyra3l@gmail.com>2017-01-19 01:13:01 +0100
commit2ba4d0a04201bb6217f90036c9abac6052f01aba (patch)
treee13488adeca1b67e0cddc97b9e34c40889b16028
parent100183e42bfd17acc4e8690c41f1eb436bb2a3dd (diff)
parentd2274b01cbbadf5516b3ea87ad76fbae18834007 (diff)
Merge branch 'PHP-5.6' into PHP-5.6.30
-rw-r--r--ext/curl/curl_file.c2
-rw-r--r--ext/exif/exif.c2
-rw-r--r--ext/exif/tests/exif_imagetype_variation1.phpt12
-rw-r--r--ext/gd/libgd/gd_gd2.c12
-rw-r--r--ext/gd/tests/bug73868.gd2bin0 -> 1050 bytes
-rw-r--r--ext/gd/tests/bug73868.phpt18
-rw-r--r--ext/gd/tests/bug73869.phpt19
-rw-r--r--ext/gd/tests/bug73869a.gd2bin0 -> 92 bytes
-rw-r--r--ext/gd/tests/bug73869b.gd2bin0 -> 18 bytes
-rw-r--r--ext/intl/collator/collator.h2
-rw-r--r--ext/standard/tests/serialize/bug69425.phpt63
-rw-r--r--ext/standard/tests/serialize/bug70513.phpt39
-rw-r--r--ext/standard/tests/serialize/bug72731.phpt18
-rw-r--r--ext/standard/tests/streams/glob-wrapper.phpt35
-rw-r--r--ext/zip/php_zip.c2
-rw-r--r--main/streams/glob_wrapper.c8
16 files changed, 216 insertions, 16 deletions
diff --git a/ext/curl/curl_file.c b/ext/curl/curl_file.c
index 029a58a914..979249221d 100644
--- a/ext/curl/curl_file.c
+++ b/ext/curl/curl_file.c
@@ -35,7 +35,7 @@ static void curlfile_ctor(INTERNAL_FUNCTION_PARAMETERS)
int fname_len, mime_len, postname_len;
zval *cf = return_value;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|ss", &fname, &fname_len, &mime, &mime_len, &postname, &postname_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|ss", &fname, &fname_len, &mime, &mime_len, &postname, &postname_len) == FAILURE) {
return;
}
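Review bot: No test in this commit exercises the case the `s` to `p` switch exists for, a path argument containing an embedded NUL byte; the diffstat lists only exif_imagetype_variation1.phpt, and its changed expectations cover array and resource arguments. The same applies to the `p` changes in exif_imagetype() and ZipArchive::extractTo() further down. A short .phpt per function that passes a string such as `"a\0b"` and expects the `expects parameter 1 to be a valid path` warning would pin the behaviour. Here the optional `mime` and `postname` arguments stay `s`, which looks intentional since they are presumably not opened as files, but a one-line comment such as `/* only fname is a filesystem path; mime/postname are plain strings */` would make that explicit. curlfile_ctor's body continues outside the hunk.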
diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index 3663b3f226..1c8772f76b 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -4210,7 +4210,7 @@ PHP_FUNCTION(exif_imagetype)
php_stream * stream;
int itype = 0;
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &imagefile, &imagefile_len) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &imagefile, &imagefile_len) == FAILURE) {
return;
}
diff --git a/ext/exif/tests/exif_imagetype_variation1.phpt b/ext/exif/tests/exif_imagetype_variation1.phpt
index 767ed5fecb..d33217c5f8 100644
--- a/ext/exif/tests/exif_imagetype_variation1.phpt
+++ b/ext/exif/tests/exif_imagetype_variation1.phpt
@@ -142,23 +142,23 @@ Warning: exif_imagetype(0.5): failed to open stream: No such file or directory i
bool(false)
-- Iteration 10 --
-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
+Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
NULL
-- Iteration 11 --
-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
+Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
NULL
-- Iteration 12 --
-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
+Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
NULL
-- Iteration 13 --
-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
+Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
NULL
-- Iteration 14 --
-Warning: exif_imagetype() expects parameter 1 to be string, array given in %s on line %d
+Warning: exif_imagetype() expects parameter 1 to be a valid path, array given in %s on line %d
NULL
-- Iteration 15 --
@@ -198,7 +198,7 @@ Warning: exif_imagetype(obj'ct): failed to open stream: No such file or director
bool(false)
-- Iteration 24 --
-Warning: exif_imagetype() expects parameter 1 to be string, resource given in %s on line %d
+Warning: exif_imagetype() expects parameter 1 to be a valid path, resource given in %s on line %d
NULL
-- Iteration 25 --
diff --git a/ext/gd/libgd/gd_gd2.c b/ext/gd/libgd/gd_gd2.c
index d06f328425..3eba6b3054 100644
--- a/ext/gd/libgd/gd_gd2.c
+++ b/ext/gd/libgd/gd_gd2.c
@@ -136,6 +136,10 @@ static int _gd2GetHeader(gdIOCtxPtr in, int *sx, int *sy, int *cs, int *vers, in
GD2_DBG(php_gd_error("%d Chunks vertically", *ncy));
if (gd2_compressed(*fmt)) {
+ if (*ncx <= 0 || *ncy <= 0 || *ncx > INT_MAX / *ncy) {
+ GD2_DBG(printf ("Illegal chunk counts: %d * %d\n", *ncx, *ncy));
+ goto fail1;
+ }
nc = (*ncx) * (*ncy);
GD2_DBG(php_gd_error("Reading %d chunk index entries", nc));
if (overflow2(sizeof(t_chunk_info), nc)) {
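Review bot: The new diagnostic for rejected chunk counts calls `printf` while the neighbouring GD2_DBG lines use `php_gd_error`, so in a debug build this message would go to stdout instead of the error reporting used everywhere else; `GD2_DBG(php_gd_error("Illegal chunk counts: %d * %d", *ncx, *ncy));` matches the surrounding style. The guard sits inside the `gd2_compressed(*fmt)` branch, so uncompressed files keep unvalidated `*ncx`/`*ncy`; whether later code tolerates non-positive counts there is not visible from this hunk and is worth confirming. `INT_MAX` needs `<limits.h>`, which the hunk does not show being included. _gd2GetHeader starts and ends outside the hunk.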
@@ -340,12 +344,16 @@ gdImagePtr gdImageCreateFromGd2Ctx (gdIOCtxPtr in)
for (x = xlo; x < xhi; x++) {
if (im->trueColor) {
if (!gdGetInt(&im->tpixels[y][x], in)) {
- im->tpixels[y][x] = 0;
+ php_gd_error("gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
}
} else {
int ch;
if (!gdGetByte(&ch, in)) {
- ch = 0;
+ php_gd_error("gd2: EOF while reading\n");
+ gdImageDestroy(im);
+ return NULL;
}
im->pixels[y][x] = ch;
}
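Review bot: Both new error paths pass a message ending in `\n` to `php_gd_error`, which is why the expected warning in bug73868.phpt is split across two lines; `php_gd_error("gd2: EOF while reading");` would give a single-line warning (the test expectation would change with it). The same three-line bail-out is duplicated in the truecolor and palette branches and returns directly. If gdImageCreateFromGd2Ctx has a shared failure label that also frees other buffers, jumping there would keep cleanup in one place; the function's start and end are outside the hunk, so this needs checking against the full body.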
diff --git a/ext/gd/tests/bug73868.gd2 b/ext/gd/tests/bug73868.gd2
new file mode 100644
index 0000000000..1c797d1acf
--- /dev/null
+++ b/ext/gd/tests/bug73868.gd2
Binary files differ
diff --git a/ext/gd/tests/bug73868.phpt b/ext/gd/tests/bug73868.phpt
new file mode 100644
index 0000000000..135be7917b
--- /dev/null
+++ b/ext/gd/tests/bug73868.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug 73868 (DOS vulnerability in gdImageCreateFromGd2Ctx())
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73868.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): gd2: EOF while reading
+ in %s on line %d
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE===
diff --git a/ext/gd/tests/bug73869.phpt b/ext/gd/tests/bug73869.phpt
new file mode 100644
index 0000000000..3cc10a4201
--- /dev/null
+++ b/ext/gd/tests/bug73869.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #73869 (Signed Integer Overflow gd_io.c)
+--SKIPIF--
+<?php
+if (!extension_loaded('gd')) die('skip gd extension not available');
+?>
+--FILE--
+<?php
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869a.gd2'));
+var_dump(imagecreatefromgd2(__DIR__ . DIRECTORY_SEPARATOR . 'bug73869b.gd2'));
+?>
+===DONE===
+--EXPECTF--
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+
+Warning: imagecreatefromgd2(): '%s' is not a valid GD2 file in %s on line %d
+bool(false)
+===DONE=== \ No newline at end of file
diff --git a/ext/gd/tests/bug73869a.gd2 b/ext/gd/tests/bug73869a.gd2
new file mode 100644
index 0000000000..5060bfde3a
--- /dev/null
+++ b/ext/gd/tests/bug73869a.gd2
Binary files differ
diff --git a/ext/gd/tests/bug73869b.gd2 b/ext/gd/tests/bug73869b.gd2
new file mode 100644
index 0000000000..8600126bec
--- /dev/null
+++ b/ext/gd/tests/bug73869b.gd2
Binary files differ
diff --git a/ext/intl/collator/collator.h b/ext/intl/collator/collator.h
index 96e7aa097b..5ceca2f84a 100644
--- a/ext/intl/collator/collator.h
+++ b/ext/intl/collator/collator.h
@@ -16,7 +16,7 @@
*/
#ifndef COLLATOR_COLLATOR_H
-#define CCOLLATOR_COLLATOR_H
+#define COLLATOR_COLLATOR_H
#include <php.h>
diff --git a/ext/standard/tests/serialize/bug69425.phpt b/ext/standard/tests/serialize/bug69425.phpt
new file mode 100644
index 0000000000..bfa8b9b369
--- /dev/null
+++ b/ext/standard/tests/serialize/bug69425.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #69425: Use After Free in unserialize()
+--FILE--
+<?php
+
+// POC 1
+class test
+{
+ var $ryat;
+
+ function __wakeup()
+ {
+ $this->ryat = 1;
+ }
+}
+
+$data = unserialize('a:2:{i:0;O:4:"test":1:{s:4:"ryat";R:1;}i:1;i:2;}');
+var_dump($data);
+
+// POC 2
+$data = unserialize('a:2:{i:0;O:12:"DateInterval":1:{s:1:"y";R:1;}i:1;i:2;}');
+var_dump($data);
+
+?>
+--EXPECT--
+int(1)
+array(2) {
+ [0]=>
+ object(DateInterval)#1 (15) {
+ ["y"]=>
+ int(-1)
+ ["m"]=>
+ int(-1)
+ ["d"]=>
+ int(-1)
+ ["h"]=>
+ int(-1)
+ ["i"]=>
+ int(-1)
+ ["s"]=>
+ int(-1)
+ ["weekday"]=>
+ int(-1)
+ ["weekday_behavior"]=>
+ int(-1)
+ ["first_last_day_of"]=>
+ int(-1)
+ ["invert"]=>
+ int(0)
+ ["days"]=>
+ int(-1)
+ ["special_type"]=>
+ int(0)
+ ["special_amount"]=>
+ int(-1)
+ ["have_weekday_relative"]=>
+ int(0)
+ ["have_special_relative"]=>
+ int(0)
+ }
+ [1]=>
+ int(2)
+}
diff --git a/ext/standard/tests/serialize/bug70513.phpt b/ext/standard/tests/serialize/bug70513.phpt
new file mode 100644
index 0000000000..2ac4ef6626
--- /dev/null
+++ b/ext/standard/tests/serialize/bug70513.phpt
@@ -0,0 +1,39 @@
+--TEST--
+Bug #70513: GMP Deserialization Type Confusion Vulnerability
+--SKIPIF--
+<?php if (!extension_loaded('gmp')) die('skip requires gmp');
+--FILE--
+<?php
+
+class obj
+{
+ var $ryat;
+
+ function __wakeup()
+ {
+ $this->ryat = 1;
+ }
+}
+
+$obj = new stdClass;
+$obj->aa = 1;
+$obj->bb = 2;
+
+$inner = 's:1:"1";a:3:{s:2:"aa";s:2:"hi";s:2:"bb";s:2:"hi";i:0;O:3:"obj":1:{s:4:"ryat";R:2;}}';
+$exploit = 'a:1:{i:0;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';
+$x = unserialize($exploit);
+var_dump($x);
+var_dump($obj);
+
+?>
+--EXPECT--
+array(1) {
+ [0]=>
+ int(1)
+}
+object(stdClass)#1 (2) {
+ ["aa"]=>
+ int(1)
+ ["bb"]=>
+ int(2)
+}
diff --git a/ext/standard/tests/serialize/bug72731.phpt b/ext/standard/tests/serialize/bug72731.phpt
new file mode 100644
index 0000000000..3d7d1e7af3
--- /dev/null
+++ b/ext/standard/tests/serialize/bug72731.phpt
@@ -0,0 +1,18 @@
+--TEST--
+Bug #72731: Type Confusion in Object Deserialization
+--FILE--
+<?php
+
+class obj {
+ var $ryat;
+ function __wakeup() {
+ $this->ryat = 0x1122334455;
+ }
+}
+
+$poc = 'O:8:"stdClass":1:{i:0;O:3:"obj":1:{s:4:"ryat";R:1;}}';
+var_dump(unserialize($poc));
+
+?>
+--EXPECT--
+int(73588229205)
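Review bot: The expected output `int(73588229205)` only holds where PHP integers are 64-bit; on a 32-bit build the literal `0x1122334455` exceeds the integer range and would be dumped as a float, so the test would fail there for a reason unrelated to the bug. Adding a `--SKIPIF--` section such as `<?php if (PHP_INT_SIZE != 8) die("skip 64-bit only"); ?>`, or assigning a value that fits in 32 bits, keeps the test portable.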
diff --git a/ext/standard/tests/streams/glob-wrapper.phpt b/ext/standard/tests/streams/glob-wrapper.phpt
new file mode 100644
index 0000000000..0e4438fdcc
--- /dev/null
+++ b/ext/standard/tests/streams/glob-wrapper.phpt
@@ -0,0 +1,35 @@
+--TEST--
+Glob wrapper bypasses open_basedir
+--INI--
+open_basedir=/does_not_exist
+--SKIPIF--
+<?php
+if (!in_array("glob", stream_get_wrappers())) echo "skip";
+--FILE--
+<?php
+
+foreach ( [ __DIR__, "glob://".__DIR__ ] as $spec) {
+ echo "** Opening $spec\n";
+ $dir = opendir($spec);
+ if (!$dir) {
+ echo "Failed to open $spec\n";
+ continue;
+ }
+ if (false === readdir($dir)) {
+ echo "No files in $spec\n";
+ continue;
+ }
+}
+--EXPECTF--
+** Opening %s
+
+Warning: opendir(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (/does_not_exist) in %s%eglob-wrapper.php on line 5
+
+Warning: opendir(%s): failed to open dir: Operation not permitted in %s%eglob-wrapper.php on line 5
+Failed to open %s
+** Opening glob://%s
+
+Warning: opendir(): open_basedir restriction in effect. File(%s) is not within the allowed path(s): (/does_not_exist) in %s%eglob-wrapper.php on line 5
+
+Warning: opendir(glob://%s): failed to open dir: operation failed in %s%eglob-wrapper.php on line 5
+Failed to open glob://%s
diff --git a/ext/zip/php_zip.c b/ext/zip/php_zip.c
index 9f2b3768d3..52f058c708 100644
--- a/ext/zip/php_zip.c
+++ b/ext/zip/php_zip.c
@@ -2662,7 +2662,7 @@ static ZIPARCHIVE_METHOD(extractTo)
RETURN_FALSE;
}
- if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|z", &pathto, &pathto_len, &zval_files) == FAILURE) {
+ if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|z", &pathto, &pathto_len, &zval_files) == FAILURE) {
return;
}
diff --git a/main/streams/glob_wrapper.c b/main/streams/glob_wrapper.c
index 8405bef73c..90d7bef0fd 100644
--- a/main/streams/glob_wrapper.c
+++ b/main/streams/glob_wrapper.c
@@ -213,10 +213,6 @@ static php_stream *php_glob_stream_opener(php_stream_wrapper *wrapper, const cha
int ret;
const char *tmp, *pos;
- if (((options & STREAM_DISABLE_OPEN_BASEDIR) == 0) && php_check_open_basedir(path TSRMLS_CC)) {
- return NULL;
- }
-
if (!strncmp(path, "glob://", sizeof("glob://")-1)) {
path += sizeof("glob://")-1;
if (opened_path) {
@@ -224,6 +220,10 @@ static php_stream *php_glob_stream_opener(php_stream_wrapper *wrapper, const cha
}
}
+ if (((options & STREAM_DISABLE_OPEN_BASEDIR) == 0) && php_check_open_basedir(path TSRMLS_CC)) {
+ return NULL;
+ }
+
pglob = ecalloc(sizeof(*pglob), 1);
if (0 != (ret = glob(path, pglob->flags & GLOB_FLAGMASK, NULL, &pglob->glob))) {
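Review bot: The relocated `php_check_open_basedir(path TSRMLS_CC)` call validates the pattern text after the `glob://` prefix is stripped, but nothing in the visible lines checks the entries that `glob()` then returns, so the restriction depends on where the pattern string points, not on where the matches resolve. If matches are not filtered elsewhere in the function, a per-entry `php_check_open_basedir` check over `pglob->glob.gl_pathv` after the `glob()` call would close that gap. Separately, the check now runs after the `if (opened_path)` block whose body lies between the two hunks; if that block allocates, the early `return NULL` should release it. php_glob_stream_opener continues outside the hunk.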