Merge branch 'PHP-5.5' of git.php.net:php-src into PHP-5.5

* 'PHP-5.5' of git.php.net:php-src:
  Conflicts: 	main/streams/memory.c

2 files changed, 6 insertions, 0 deletions

diff --git a/NEWS b/NEWS
index 50f36ba68a..dd20fa9bd7 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ PHP                                                                        NEWS
 ?? ??? 2015, PHP 5.5.22
 
 - Core:
+  . Fixed bug #68986 (pointer returned by php_stream_fopen_temporary_file
+    not validated in memory.c). (nayana at ddproperty dot com)
   . Fixed bug #67068 (getClosure returns somethings that's not a closure). 
     (Danack at basereality dot com)
   . Fixed bug #68925 (Mitigation for CVE-2015-0235 – GHOST: glibc gethostbyname
diff --git a/main/streams/memory.c b/main/streams/memory.c
index 0d00505664..d0f2511aa7 100644
--- a/main/streams/memory.c
+++ b/main/streams/memory.c
@@ -374,6 +374,10 @@ static size_t php_stream_temp_write(php_stream *stream, const char *buf, size_t
 
 		if (memsize + count >= ts->smax) {
 			php_stream *file = php_stream_fopen_tmpfile();
+			if (file == NULL) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Unable to create temporary file, Check permissions in temporary files directory.");
+				return 0;
+			}
 			php_stream_write(file, membuf, memsize);
 			php_stream_free_enclosed(ts->innerstream, PHP_STREAM_FREE_CLOSE);
 			ts->innerstream = file;