author | Stanislav Malyshev <stas@php.net> | 2016-10-11 16:26:35 -0700 |
---|---|---|
committer | Stanislav Malyshev <stas@php.net> | 2016-10-11 16:26:35 -0700 |
commit | 689a9b8def07875641b3132a82c701fb7acb676c (patch) | |
tree | 22120cf5e4c46ede692518256e8019178e90c1a8 /Zend/zend_exceptions.c | |
parent | 4165d976066129000d947ffa3be73f91e9867635 (diff) | |
parent | 082d1f237531ab71c3050dfb9f598344f654d9e1 (diff) | |
Merge branch 'PHP-5.6.27' into PHP-5.6
* PHP-5.6.27:
Fix tests
fix tsrm
Fix bug #73284 - heap overflow in php_ereg_replace function
Fix bug #73276 - crash in openssl_random_pseudo_bytes function
Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
fix bug #73275 - crash in openssl_encrypt function
Fix for #73240 - Write out of bounds at number_format
Bug #73218: add mitigation for ICU int overflow
Add more locale length checks, due to ICU bugs.
Fix bug #73208 - another missing length check
Fix bug #73190: memcpy negative parameter _bc_new_num_ex
Fix bug #73189 - Memcpy negative size parameter php_resolve_path
Fixed bug #73174 - heap overflow in php_pcre_replace_impl
Fix bug #73150: missing NULL check in dom_document_save_html
Fix bug #73147: Use After Free in PHP7 unserialize()
Fix bug #73082
Fix bug #73073 - CachingIterator null dereference when convert to string
Diffstat (limited to 'Zend/zend_exceptions.c')
-rw-r--r-- | Zend/zend_exceptions.c | 32 |
1 files changed, 24 insertions, 8 deletions
diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c index 95d18f45fb..f219687335 100644 --- a/Zend/zend_exceptions.c +++ b/Zend/zend_exceptions.c @@ -229,13 +229,9 @@ ZEND_METHOD(exception, __construct) /* {{{ proto Exception::__wakeup() Exception unserialize checks */ #define CHECK_EXC_TYPE(name, type) \ - value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \ + value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \ if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \ - zval *tmp; \ - MAKE_STD_ZVAL(tmp); \ - ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \ - Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \ - zval_ptr_dtor(&tmp); \ + zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \ } ZEND_METHOD(exception, __wakeup) @@ -248,7 +244,12 @@ ZEND_METHOD(exception, __wakeup) CHECK_EXC_TYPE("file", IS_STRING); CHECK_EXC_TYPE("line", IS_LONG); CHECK_EXC_TYPE("trace", IS_ARRAY); - CHECK_EXC_TYPE("previous", IS_OBJECT); + value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC); + if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT || + !instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) || + value == object)) { + zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC); + } } /* }}} */ @@ -727,7 +728,11 @@ ZEND_METHOD(exception, __toString) zval_dtor(&file); zval_dtor(&line); - exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC); + Z_OBJPROP_P(exception)->nApplyCount++; + exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC); + if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) { + exception = NULL; + } if (trace) { zval_ptr_dtor(&trace); 
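Review bot: CHECK_EXC_TYPE still expands to an assignment followed by a bare `if`, and it depends on `value` and `object` being declared at the call site, so it is only safe when used as a full statement. Wrapping the expansion in `do { ... } while (0)` would make that explicit. The last argument of zend_read_property changes from 0 to 1 without explanation; a comment on the macro such as `/* silent read: a property missing from unserialized data must not raise a notice */` would record the reason, assuming that is the intent. ZEND_METHOD(exception, __wakeup) begins on the hunk's last line, so its body lies outside this hunk.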
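Review bot: The self-reference test `value == object` in the new `previous` check compares zval pointers, so it would miss a `previous` held in a separate zval that carries the same object handle, if unserialized data can produce one. Comparing handles, `Z_OBJ_HANDLE_P(value) == Z_OBJ_HANDLE_P(object)`, states object identity directly. The check also rejects only a direct self-link: a longer cycle (A -> B -> A) passes __wakeup and is handled only where the chain is walked with a guard, as __toString does later in this diff. A one-line comment above the block saying so would tell maintainers that any other walker of `previous` needs its own cycle guard. The start of __wakeup is outside the hunk.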
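Review bot: The added guard evaluates `Z_OBJPROP_P(exception)->nApplyCount` on whatever object is stored in `previous`, before any visible line confirms that the object is an exception instance. __wakeup now filters this for unserialized data, but a subclass can presumably override __wakeup, so the filter should not be relied on here. Adding `instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)` to the condition ahead of the nApplyCount read would limit the property-table access to objects this code is meant to walk. A short comment on the `nApplyCount++` line naming it as the cycle marker, and noting that it is undone in the reset loop added below, would help. The loop header is outside the hunk.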
@@ -736,6 +741,17 @@ ZEND_METHOD(exception, __toString) } zval_dtor(&fname); + /* Reset apply counts */ + exception = getThis(); + while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) { + if(Z_OBJPROP_P(exception)->nApplyCount) { + Z_OBJPROP_P(exception)->nApplyCount--; + } else { + break; + } + exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC); + } + /* We store the result in the private property string so we can access * the result in uncaught exception handlers without memleaks. */ zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC); |
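Review bot: The reset loop decrements every non-zero nApplyCount it meets along the chain, whereas the forward walk stops at the first object whose count is already raised and does not increment it. For a cycle the two balance, but if an object further down the chain entered __toString with a count raised by some other traversal, this loop would lower a count it does not own; it is worth confirming whether that state is reachable. Remembering the object at which the forward walk stopped and ending the reset there would keep the bookkeeping symmetric. As a style point, `if(` lacks the space used in the surrounding code. The function body continues outside the hunk.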