Merge branch 'PHP-5.6' into PHP-7.0

* PHP-5.6:
  Fix memory leak
  Fix bug #72099: xml_parse_into_struct segmentation fault
  5.5.36 now
  Fix bug #72094 - Out of bounds heap read access in exif header processing
  Fix bug #72093: bcpowmod accepts negative scale and corrupts _one_ definition
  Fix bug #72061 - Out-of-bounds reads in zif_grapheme_stripos with negative offset
  Fix for bug #71912 (libgd: signedness vulnerability)
  Typo in NEWS

2 files changed, 47 insertions, 30 deletions

diff --git a/ext/xml/tests/bug72099.phpt b/ext/xml/tests/bug72099.phpt
new file mode 100644
index 0000000000..50173a6a4c
--- /dev/null
+++ b/ext/xml/tests/bug72099.phpt
@@ -0,0 +1,17 @@
+--TEST--
+Bug #72099: xml_parse_into_struct segmentation fault
+--SKIPIF--
+<?php
+require_once("skipif.inc");
+?>
+--FILE--
+<?php
+$var1=xml_parser_create_ns();
+$var2=str_repeat("a", 10);
+$var3=[];
+$var4=[];
+xml_parse_into_struct($var1, $var2, $var3, $var4);
+var_dump($var3);
+--EXPECT--
+array(0) {
+}
\ No newline at end of file
diff --git a/ext/xml/xml.c b/ext/xml/xml.c
index 439d9df082..6c5c9e39b2 100644
--- a/ext/xml/xml.c
+++ b/ext/xml/xml.c
@@ -286,7 +286,7 @@ xml_encoding xml_encodings[] = {
 static XML_Memory_Handling_Suite php_xml_mem_hdlrs;
 
 /* True globals, no need for thread safety */
-static int le_xml_parser; 
+static int le_xml_parser;
 
 /* }}} */
 
@@ -349,7 +349,7 @@ PHP_MINIT_FUNCTION(xml)
 	REGISTER_LONG_CONSTANT("XML_OPTION_SKIP_WHITE", PHP_XML_OPTION_SKIP_WHITE, CONST_CS|CONST_PERSISTENT);
 
 	/* this object should not be pre-initialised at compile time,
-	   as the order of members may vary */  
+	   as the order of members may vary */
 
 	php_xml_mem_hdlrs.malloc_fcn = php_xml_malloc_wrapper;
 	php_xml_mem_hdlrs.realloc_fcn = php_xml_realloc_wrapper;
@@ -397,7 +397,7 @@ static void _xml_xmlchar_zval(const XML_Char *s, int len, const XML_Char *encodi
 static void xml_parser_dtor(zend_resource *rsrc)
 {
 	xml_parser *parser = (xml_parser *)rsrc->ptr;
-	
+
 	if (parser->parser) {
 		XML_ParserFree(parser->parser);
 	}
@@ -899,7 +899,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
 					} else {
 						add_assoc_str(parser->ctag, "value", decoded_value);
 					}
-					
+
 				} else {
 					zval tag;
 					zval *curtag, *mytype, *myval;
@@ -920,7 +920,7 @@ void _xml_characterDataHandler(void *userData, const XML_Char *s, int len)
 						break;
 					} ZEND_HASH_FOREACH_END();
 
-					if (parser->level <= XML_MAXLEVEL) {
+					if (parser->level <= XML_MAXLEVEL && parser->level > 0) {
 						array_init(&tag);
 
 						_xml_add_to_info(parser,parser->ltags[parser->level-1] + parser->toffset);
@@ -977,8 +977,8 @@ void _xml_defaultHandler(void *userData, const XML_Char *s, int len)
 /* }}} */
 
 /* {{{ _xml_unparsedEntityDeclHandler() */
-void _xml_unparsedEntityDeclHandler(void *userData, 
-										 const XML_Char *entityName, 
+void _xml_unparsedEntityDeclHandler(void *userData,
+										 const XML_Char *entityName,
 										 const XML_Char *base,
 										 const XML_Char *systemId,
 										 const XML_Char *publicId,
@@ -1146,15 +1146,15 @@ static void php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAMETERS, int ns_supp
 }
 /* }}} */
 
-/* {{{ proto resource xml_parser_create([string encoding]) 
+/* {{{ proto resource xml_parser_create([string encoding])
    Create an XML parser */
 PHP_FUNCTION(xml_parser_create)
 {
-	php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0);	
+	php_xml_parser_create_impl(INTERNAL_FUNCTION_PARAM_PASSTHRU, 0);
 }
 /* }}} */
 
-/* {{{ proto resource xml_parser_create_ns([string encoding [, string sep]]) 
+/* {{{ proto resource xml_parser_create_ns([string encoding [, string sep]])
    Create an XML parser */
 PHP_FUNCTION(xml_parser_create_ns)
 {
@@ -1162,7 +1162,7 @@ PHP_FUNCTION(xml_parser_create_ns)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_object(resource parser, object &obj) 
+/* {{{ proto int xml_set_object(resource parser, object &obj)
    Set up object which should be used for callbacks */
 PHP_FUNCTION(xml_set_object)
 {
@@ -1184,7 +1184,7 @@ PHP_FUNCTION(xml_set_object)
 
 	/* please leave this commented - or ask thies@thieso.net before doing it (again) */
 /* #ifdef ZEND_ENGINE_2
-	zval_add_ref(&parser->object); 
+	zval_add_ref(&parser->object);
 #endif */
 
 	ZVAL_COPY(&parser->object, mythis);
@@ -1193,7 +1193,7 @@ PHP_FUNCTION(xml_set_object)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_element_handler(resource parser, string shdl, string ehdl) 
+/* {{{ proto int xml_set_element_handler(resource parser, string shdl, string ehdl)
    Set up start and end element handlers */
 PHP_FUNCTION(xml_set_element_handler)
 {
@@ -1215,7 +1215,7 @@ PHP_FUNCTION(xml_set_element_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_character_data_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_character_data_handler(resource parser, string hdl)
    Set up character data handler */
 PHP_FUNCTION(xml_set_character_data_handler)
 {
@@ -1236,7 +1236,7 @@ PHP_FUNCTION(xml_set_character_data_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_processing_instruction_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_processing_instruction_handler(resource parser, string hdl)
    Set up processing instruction (PI) handler */
 PHP_FUNCTION(xml_set_processing_instruction_handler)
 {
@@ -1257,7 +1257,7 @@ PHP_FUNCTION(xml_set_processing_instruction_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_default_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_default_handler(resource parser, string hdl)
    Set up default handler */
 PHP_FUNCTION(xml_set_default_handler)
 {
@@ -1278,7 +1278,7 @@ PHP_FUNCTION(xml_set_default_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_unparsed_entity_decl_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_unparsed_entity_decl_handler(resource parser, string hdl)
    Set up unparsed entity declaration handler */
 PHP_FUNCTION(xml_set_unparsed_entity_decl_handler)
 {
@@ -1299,7 +1299,7 @@ PHP_FUNCTION(xml_set_unparsed_entity_decl_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_notation_decl_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_notation_decl_handler(resource parser, string hdl)
    Set up notation declaration handler */
 PHP_FUNCTION(xml_set_notation_decl_handler)
 {
@@ -1320,7 +1320,7 @@ PHP_FUNCTION(xml_set_notation_decl_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_external_entity_ref_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_external_entity_ref_handler(resource parser, string hdl)
    Set up external entity reference handler */
 PHP_FUNCTION(xml_set_external_entity_ref_handler)
 {
@@ -1341,7 +1341,7 @@ PHP_FUNCTION(xml_set_external_entity_ref_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_start_namespace_decl_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_start_namespace_decl_handler(resource parser, string hdl)
    Set up character data handler */
 PHP_FUNCTION(xml_set_start_namespace_decl_handler)
 {
@@ -1362,7 +1362,7 @@ PHP_FUNCTION(xml_set_start_namespace_decl_handler)
 }
 /* }}} */
 
-/* {{{ proto int xml_set_end_namespace_decl_handler(resource parser, string hdl) 
+/* {{{ proto int xml_set_end_namespace_decl_handler(resource parser, string hdl)
    Set up character data handler */
 PHP_FUNCTION(xml_set_end_namespace_decl_handler)
 {
@@ -1442,7 +1442,7 @@ PHP_FUNCTION(xml_parse_into_struct)
 	if (info) {
 		ZVAL_COPY_VALUE(&parser->info, info);
 	}
-	
+
 	parser->level = 0;
 	parser->ltags = safe_emalloc(XML_MAXLEVEL, sizeof(char *), 0);
 
@@ -1458,7 +1458,7 @@ PHP_FUNCTION(xml_parse_into_struct)
 }
 /* }}} */
 
-/* {{{ proto int xml_get_error_code(resource parser) 
+/* {{{ proto int xml_get_error_code(resource parser)
    Get XML parser error code */
 PHP_FUNCTION(xml_get_error_code)
 {
@@ -1495,7 +1495,7 @@ PHP_FUNCTION(xml_error_string)
 }
 /* }}} */
 
-/* {{{ proto int xml_get_current_line_number(resource parser) 
+/* {{{ proto int xml_get_current_line_number(resource parser)
    Get current line number for an XML parser */
 PHP_FUNCTION(xml_get_current_line_number)
 {
@@ -1533,7 +1533,7 @@ PHP_FUNCTION(xml_get_current_column_number)
 }
 /* }}} */
 
-/* {{{ proto int xml_get_current_byte_index(resource parser) 
+/* {{{ proto int xml_get_current_byte_index(resource parser)
    Get current byte index for an XML parser */
 PHP_FUNCTION(xml_get_current_byte_index)
 {
@@ -1552,7 +1552,7 @@ PHP_FUNCTION(xml_get_current_byte_index)
 }
 /* }}} */
 
-/* {{{ proto int xml_parser_free(resource parser) 
+/* {{{ proto int xml_parser_free(resource parser)
    Free an XML parser */
 PHP_FUNCTION(xml_parser_free)
 {
@@ -1580,7 +1580,7 @@ PHP_FUNCTION(xml_parser_free)
 }
 /* }}} */
 
-/* {{{ proto int xml_parser_set_option(resource parser, int option, mixed value) 
+/* {{{ proto int xml_parser_set_option(resource parser, int option, mixed value)
    Set options in an XML parser */
 PHP_FUNCTION(xml_parser_set_option)
 {
@@ -1629,7 +1629,7 @@ PHP_FUNCTION(xml_parser_set_option)
 }
 /* }}} */
 
-/* {{{ proto int xml_parser_get_option(resource parser, int option) 
+/* {{{ proto int xml_parser_get_option(resource parser, int option)
    Get options from an XML parser */
 PHP_FUNCTION(xml_parser_get_option)
 {
@@ -1662,7 +1662,7 @@ PHP_FUNCTION(xml_parser_get_option)
 }
 /* }}} */
 
-/* {{{ proto string utf8_encode(string data) 
+/* {{{ proto string utf8_encode(string data)
    Encodes an ISO-8859-1 string to UTF-8 */
 PHP_FUNCTION(utf8_encode)
 {
@@ -1682,7 +1682,7 @@ PHP_FUNCTION(utf8_encode)
 }
 /* }}} */
 
-/* {{{ proto string utf8_decode(string data) 
+/* {{{ proto string utf8_decode(string data)
    Converts a UTF-8 encoded string to ISO-8859-1 */
 PHP_FUNCTION(utf8_decode)
 {