Merge branch 'PHP-5.4' into PHP-5.5

* PHP-5.4:
  5.4.30
  Better fix for bug #67072 with more BC provisions
  Fix bug #67498 - phpinfo() Type Confusion Information Leak Vulnerability
  update CVE
  Fix bug #67492: unserialize() SPL ArrayObject / SPLObjectStorage Type Confusion
  Fix bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
  Fix bug #67349: Locale::parseLocale Double Free
  add CVEs
  Fix potential segfault in dns_get_record()
  Fix bug #66127 (Segmentation fault with ArrayObject unset)
  5.4.30 rc1

Conflicts:
	ext/intl/locale/locale_methods.c

8 files changed, 62 insertions, 12 deletions

diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 21b5847f2d..f1e184914d 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -269,8 +269,7 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
 		grOffset =  findOffset( LOC_GRANDFATHERED , loc_name );
 		if( grOffset >= 0 ){
 			if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
-				tag_value = estrdup(loc_name);
-				return tag_value;
+				return estrdup(loc_name);
 			} else {
 				/* Since Grandfathered , no value , do nothing , retutn NULL */
 				return NULL;
@@ -280,8 +279,8 @@ static char* get_icu_value_internal( const char* loc_name , char* tag_name, int*
 	if( fromParseLocale==1 ){
 		/* Handle singletons */
 		if( strcmp(tag_name , LOC_LANG_TAG)==0 ){
-			if( strlen(loc_name)>1 && (isIDPrefix(loc_name) ==1 ) ){
-				return (char *)loc_name;
+			if( strlen(loc_name)>1 && (isIDPrefix(loc_name) == 1) ){
+				return estrdup(loc_name);
 			}
 		}
 
@@ -498,6 +497,14 @@ static void get_icu_disp_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAME
 		RETURN_FALSE;
 	}
 
+    if(loc_name_len > ULOC_FULLNAME_CAPACITY) {
+        /* See bug 67397: overlong locale names cause trouble in uloc_getDisplayName */
+		spprintf(&msg , 0, "locale_get_display_%s : name too long", tag_name );
+		intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR,  msg , 1 TSRMLS_CC );
+		efree(msg);
+		RETURN_FALSE;
+    }
+
 	if(loc_name_len == 0) {
 		loc_name = intl_locale_get_default(TSRMLS_C);
 	}
diff --git a/ext/intl/tests/bug67397.phpt b/ext/intl/tests/bug67397.phpt
new file mode 100644
index 0000000000..b2b2911f8a
--- /dev/null
+++ b/ext/intl/tests/bug67397.phpt
@@ -0,0 +1,21 @@
+--TEST--
+Bug #67397 (Buffer overflow in locale_get_display_name->uloc_getDisplayName (libicu 4.8.1))
+--SKIPIF--
+<?php if( !extension_loaded( 'intl' ) ) print 'skip'; ?>
+--FILE--
+<?php
+
+function ut_main()
+{
+    $ret = var_export(ut_loc_get_display_name(str_repeat('*', 256), 'en_us'), true);
+    $ret .= "\n";
+    $ret .= var_export(intl_get_error_message(), true);
+    return $ret;
+}
+
+include_once( 'ut_common.inc' );
+ut_run();
+?>
+--EXPECTF--
+false
+'locale_get_display_name : name too long: U_ILLEGAL_ARGUMENT_ERROR'
diff --git a/ext/intl/tests/locale_parse_locale2.phpt b/ext/intl/tests/locale_parse_locale2.phpt
index 6012862a48..30cc8cc0ae 100644
--- a/ext/intl/tests/locale_parse_locale2.phpt
+++ b/ext/intl/tests/locale_parse_locale2.phpt
@@ -63,7 +63,8 @@ function ut_main()
 //Some Invalid Tags:
         'de-419-DE',
         'a-DE',
-        'ar-a-aaa-b-bbb-a-ccc'
+        'ar-a-aaa-b-bbb-a-ccc',
+	'x-AAAAAA',
     );
 
 
@@ -201,3 +202,6 @@ No values found from Locale parsing.
 ---------------------
 ar-a-aaa-b-bbb-a-ccc:
 language : 'ar' ,
+---------------------
+x-AAAAAA:
+private0 : 'AAAAAA' ,
diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c
index 8d3b4048a7..8392e72714 100644
--- a/ext/spl/spl_array.c
+++ b/ext/spl/spl_array.c
@@ -1796,7 +1796,7 @@ SPL_METHOD(Array, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 1a706f7642..da9110bf14 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -898,7 +898,7 @@ SPL_METHOD(SplObjectStorage, unserialize)
 	++p;
 
 	ALLOC_INIT_ZVAL(pmembers);
-	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC)) {
+	if (!php_var_unserialize(&pmembers, &p, s + buf_len, &var_hash TSRMLS_CC) || Z_TYPE_P(pmembers) != IS_ARRAY) {
 		zval_ptr_dtor(&pmembers);
 		goto outexcept;
 	}
diff --git a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
index a525317093..8f0676de3b 100644
--- a/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
+++ b/ext/spl/tests/SplObjectStorage_unserialize_bad.phpt
@@ -7,6 +7,7 @@ $badblobs = array(
 'x:i:2;i:0;,i:1;;i:0;,i:2;;m:a:0:{}',
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};R:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
 'x:i:3;O:8:"stdClass":0:{},O:8:"stdClass":0:{};r:2;,i:1;;O:8:"stdClass":0:{},r:2;;m:a:0:{}',
+'x:i:1;O:8:"stdClass":0:{},N;;m:s:40:"1234567890123456789012345678901234567890"',
 );
 foreach($badblobs as $blob) {
 try {
@@ -17,6 +18,7 @@ try {
 	echo $e->getMessage()."\n";
 }
 }
+echo "DONE\n";
 --EXPECTF--
 Error at offset 6 of 34 bytes
 Error at offset 46 of 89 bytes
@@ -42,4 +44,5 @@ object(SplObjectStorage)#2 (1) {
     }
   }
 }
-
+Error at offset 79 of 78 bytes
+DONE
diff --git a/ext/standard/info.c b/ext/standard/info.c
index a4996b6bfc..2c44a8260f 100644
--- a/ext/standard/info.c
+++ b/ext/standard/info.c
@@ -866,16 +866,16 @@ PHPAPI void php_print_info(int flag TSRMLS_DC)
 
 		php_info_print_table_start();
 		php_info_print_table_header(2, "Variable", "Value");
-		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_SELF", sizeof("PHP_SELF"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_SELF", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_TYPE", sizeof("PHP_AUTH_TYPE"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_TYPE", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_USER", sizeof("PHP_AUTH_USER"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_USER", Z_STRVAL_PP(data));
 		}
-		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE) {
+		if (zend_hash_find(&EG(symbol_table), "PHP_AUTH_PW", sizeof("PHP_AUTH_PW"), (void **) &data) != FAILURE && Z_TYPE_PP(data) == IS_STRING) {
 			php_info_print_table_row(2, "PHP_AUTH_PW", Z_STRVAL_PP(data));
 		}
 		php_print_gpcse_array(ZEND_STRL("_REQUEST") TSRMLS_CC);
diff --git a/ext/standard/tests/general_functions/bug67498.phpt b/ext/standard/tests/general_functions/bug67498.phpt
new file mode 100644
index 0000000000..5b5951b0f8
--- /dev/null
+++ b/ext/standard/tests/general_functions/bug67498.phpt
@@ -0,0 +1,15 @@
+--TEST--
+phpinfo() Type Confusion Information Leak Vulnerability
+--FILE--
+<?php
+$PHP_SELF = 1;
+phpinfo(INFO_VARIABLES);
+
+?>
+==DONE==
+--EXPECTF--
+phpinfo()
+
+PHP Variables
+%A
+==DONE==