Merge branch 'PHP-5.5' into PHP-5.6

* PHP-5.5:
  Fix memory leak
  Fix bug #72099: xml_parse_into_struct segmentation fault
  5.5.36 now
  Fix bug #72094 - Out of bounds heap read access in exif header processing
  Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
  Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
  Fix for bug #71912 (libgd: signedness vulnerability)
  Typo in NEWS

Conflicts:
	configure.in
	main/php_version.h

6 files changed, 76 insertions, 2 deletions

diff --git a/ext/exif/exif.c b/ext/exif/exif.c
index f94e075e5a..db007ca2e6 100644
--- a/ext/exif/exif.c
+++ b/ext/exif/exif.c
@@ -2955,7 +2955,7 @@ static int exif_process_IFD_TAG(image_info_type *ImageInfo, char *dir_entry, cha
 						/* When there are any characters after the first NUL */
 						ImageInfo->CopyrightPhotographer  = estrdup(value_ptr);
 						ImageInfo->CopyrightEditor        = estrndup(value_ptr+length+1, byte_count-length-1);
-						spprintf(&ImageInfo->Copyright, 0, "%s, %s", value_ptr, value_ptr+length+1);
+						spprintf(&ImageInfo->Copyright, 0, "%s, %s", ImageInfo->CopyrightPhotographer, ImageInfo->CopyrightEditor);
 						/* format = TAG_FMT_UNDEFINED; this musn't be ASCII         */
 						/* but we are not supposed to change this                   */
 						/* keep in mind that image_info does not store editor value */
@@ -3124,6 +3124,11 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 
 	ImageInfo->sections_found |= FOUND_IFD0;
 
+	if ((dir_start + 2) >= (offset_base+IFDlength)) {
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+		return FALSE;
+	}
+
 	NumDirEntries = php_ifd_get16u(dir_start, ImageInfo->motorola_intel);
 
 	if ((dir_start+2+NumDirEntries*12) > (offset_base+IFDlength)) {
@@ -3147,6 +3152,10 @@ static int exif_process_IFD_in_JPEG(image_info_type *ImageInfo, char *dir_start,
 	 * Hack to make it process IDF1 I hope
 	 * There are 2 IDFs, the second one holds the keys (0x0201 and 0x0202) to the thumbnail
 	 */
+	if ((dir_start+2+12*de + 4) >= (offset_base+IFDlength)) {
+		exif_error_docref("exif_read_data#error_ifd" EXIFERR_CC, ImageInfo, E_WARNING, "Illegal IFD size");
+		return FALSE;
+	}
 	NextDirOffset = php_ifd_get32u(dir_start+2+12*de, ImageInfo->motorola_intel);
 	if (NextDirOffset) {
 		/* the next line seems false but here IFDlength means length of all IFDs */
@@ -3196,9 +3205,13 @@ static void exif_process_TIFF_in_JPEG(image_info_type *ImageInfo, char *CharBuf,
 	}
 
 	/* Check the next two values for correctness. */
+	if (length < 8) {
+		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
+		return;
+	}
 	exif_value_2a = php_ifd_get16u(CharBuf+2, ImageInfo->motorola_intel);
 	offset_of_ifd = php_ifd_get32u(CharBuf+4, ImageInfo->motorola_intel);
-	if ( exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
+	if (exif_value_2a != 0x2a || offset_of_ifd < 0x08) {
 		exif_error_docref(NULL EXIFERR_CC, ImageInfo, E_WARNING, "Invalid TIFF start (1)");
 		return;
 	}
diff --git a/ext/exif/tests/bug72094.phpt b/ext/exif/tests/bug72094.phpt
new file mode 100644
index 0000000000..17674d0d9a
--- /dev/null
+++ b/ext/exif/tests/bug72094.phpt
@@ -0,0 +1,61 @@
+--TEST--
+Bug #72094: Out of bounds heap read access in exif header processing
+--SKIPIF--
+<?php if (!extension_loaded('exif')) print 'skip exif extension not available';?>
+--FILE--
+<?php
+print_r(exif_read_data(__DIR__ . '/bug72094_1.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_2.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_3.jpg'));
+print_r(exif_read_data(__DIR__ . '/bug72094_4.jpg'));
+?>
+DONE
+--EXPECTF--
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Process tag(x8298=Copyright  ): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Illegal IFD offset in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_1.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_2.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Process tag(x3030=UndefinedTa): Illegal format code 0x3030, suppose BYTE in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Illegal IFD size in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_3.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid TIFF start (1) in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): File structure corrupted in %s/bug72094.php on line %d
+
+Warning: exif_read_data(bug72094_4.jpg): Invalid JPEG file in %s/bug72094.php on line %d
+DONE
\ No newline at end of file
diff --git a/ext/exif/tests/bug72094_1.jpg b/ext/exif/tests/bug72094_1.jpg
new file mode 100644
index 0000000000..d21382b44b
--- /dev/null
+++ b/ext/exif/tests/bug72094_1.jpg
diff --git a/ext/exif/tests/bug72094_2.jpg b/ext/exif/tests/bug72094_2.jpg
new file mode 100644
index 0000000000..ec414ce02b
--- /dev/null
+++ b/ext/exif/tests/bug72094_2.jpg
diff --git a/ext/exif/tests/bug72094_3.jpg b/ext/exif/tests/bug72094_3.jpg
new file mode 100644
index 0000000000..8b05314b67
--- /dev/null
+++ b/ext/exif/tests/bug72094_3.jpg
diff --git a/ext/exif/tests/bug72094_4.jpg b/ext/exif/tests/bug72094_4.jpg
new file mode 100644
index 0000000000..ca6d453c2c
--- /dev/null
+++ b/ext/exif/tests/bug72094_4.jpg