Merge branch 'PHP-7.1' into PHP-7.2

* PHP-7.1:
  Fix #77369 - memcpy with negative length via crafted DNS response
  Fix more issues with encodilng length
  Fix #77270: imagecolormatch Out Of Bounds Write on Heap
  Fix bug #77380  (Global out of bounds read in xmlrpc base64 code)
  Fix bug #77371 (heap buffer overflow in mb regex functions - compile_string_node)
  Fix bug #77370 - check that we do not read past buffer end when parsing multibytes
  Fix #77269: Potential unsigned underflow in gdImageScale
  Fix bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
  Fix bug #77242 (heap out of bounds read in xmlrpc_decode())
  Regenerate certs for openssl tests

2 files changed, 15 insertions, 1 deletions

diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 90649bd288..5a13ea4369 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -2008,7 +2008,7 @@ next_extension:
 	}
 
 	while (pos != filename && (*(pos - 1) == '/' || *(pos - 1) == '\0')) {
-		pos = memchr(pos + 1, '.', filename_len - (pos - filename) + 1);
+		pos = memchr(pos + 1, '.', filename_len - (pos - filename) - 1);
 		if (!pos) {
 			return FAILURE;
 		}
diff --git a/ext/phar/tests/bug77247.phpt b/ext/phar/tests/bug77247.phpt
new file mode 100644
index 0000000000..588975f9f2
--- /dev/null
+++ b/ext/phar/tests/bug77247.phpt
@@ -0,0 +1,14 @@
+--TEST--
+PHP bug #77247 (heap buffer overflow in phar_detect_phar_fname_ext)
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+try {
+var_dump(new Phar('a/.b', 0,'test.phar'));
+} catch(UnexpectedValueException $e) {
+	echo "OK";
+}
+?>
+--EXPECT--
+OK
\ No newline at end of file