Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | 5.5.38 is the last release. EOLingPHP-5.5 | Julien Pauli | 2016-07-20 | 3 | -5/+5 |
| | |||||
* | Update NEWS | Stanislav Malyshev | 2016-07-19 | 1 | -2/+39 |
| | |||||
* | Improve fix for #72520 | Stanislav Malyshev | 2016-07-19 | 1 | -2/+2 |
| | |||||
* | improve fix #72558, while (u>=0) with unsigned int will always be true | Pierre Joye | 2016-07-19 | 1 | -3/+4 |
| | |||||
* | Fix memory leak | Stanislav Malyshev | 2016-07-19 | 1 | -0/+1 |
| | |||||
* | Merge branch 'PHP-5.5' of git.php.net:php-src into PHP-5.5 | Stanislav Malyshev | 2016-07-19 | 0 | -0/+0 |
|\ | | | | | | | | | * 'PHP-5.5' of git.php.net:php-src: fix #72519, possible OOB using imagegif | ||||
| * | fix #72519, possible OOB using imagegif | Pierre Joye | 2016-07-19 | 1 | -2/+16 |
| | | | | | | | | fix #72519, possible OOB using imagegif | ||||
* | | fix #72519, possible OOB using imagegif | Pierre Joye | 2016-07-19 | 1 | -2/+16 |
| | | |||||
* | | fix #72512, invalid read or write for palette image when invalid transparent ↵ | Pierre Joye | 2016-07-19 | 3 | -3/+26 |
| | | | | | | | | | | | | | | index is used Conflicts: ext/gd/libgd/gd.c | ||||
* | | Apparently some envs miss SIZE_MAX | Stanislav Malyshev | 2016-07-19 | 1 | -0/+3 |
| | | |||||
* | | Merge branch 'PHP-5.5.38' into PHP-5.5 | Stanislav Malyshev | 2016-07-18 | 28 | -228/+538 |
|\ \ | |/ |/| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * PHP-5.5.38: Fix tests Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c Fix for bug #72558, Integer overflow error within _gdContributionsAlloc() Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE Fix bug #72562 - destroy var_hash properly Fix bug #72533 (locale_accept_from_http out-of-bounds access) Fix fir bug #72520 Fix for bug #72513 CS fix and comments with bug ID Fix for HTTP_PROXY issue. add tests for bug #72512 Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access Fixed bug #72479 - same as #72434 | ||||
| * | Fix tests | Stanislav Malyshev | 2016-07-18 | 2 | -7/+5 |
| | | |||||
| * | Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment | Stanislav Malyshev | 2016-07-18 | 3 | -6/+22 |
| | | |||||
| * | Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t | Stanislav Malyshev | 2016-07-18 | 3 | -38/+65 |
| | | |||||
| * | Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c | Stanislav Malyshev | 2016-07-18 | 2 | -25/+38 |
| | | |||||
| * | Fix for bug #72558, Integer overflow error within _gdContributionsAlloc() | Stanislav Malyshev | 2016-07-18 | 2 | -48/+70 |
| | | |||||
| * | Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE | Stanislav Malyshev | 2016-07-17 | 3 | -2/+31 |
| | | |||||
| * | Fix bug #72562 - destroy var_hash properly | Stanislav Malyshev | 2016-07-12 | 2 | -1/+46 |
| | | |||||
| * | Fix bug #72533 (locale_accept_from_http out-of-bounds access) | Stanislav Malyshev | 2016-07-12 | 2 | -0/+48 |
| | | |||||
| * | Fix fir bug #72520 | Stanislav Malyshev | 2016-07-12 | 1 | -4/+4 |
| | | |||||
| * | Fix for bug #72513 | Stanislav Malyshev | 2016-07-12 | 1 | -4/+4 |
| | | |||||
| * | CS fix and comments with bug ID | Stanislav Malyshev | 2016-07-12 | 2 | -3/+4 |
| | | |||||
| * | Fix for HTTP_PROXY issue. | Stanislav Malyshev | 2016-07-10 | 4 | -48/+76 |
| | | | | | | | | | | | | | | | | | | The following changes are made: - _SERVER/_ENV only has HTTP_PROXY if the local environment has it, and only one from the environment. - getenv('HTTP_PROXY') only returns one from the local environment - getenv has optional second parameter, telling it to only consider local environment | ||||
| * | add tests for bug #72512 | Anatol Belski | 2016-07-06 | 2 | -0/+36 |
| | | |||||
| * | Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read ↵ | Pierre Joye | 2016-07-04 | 1 | -5/+8 |
| | | | | | | | | access | ||||
| * | Fixed bug #72479 - same as #72434 | Stanislav Malyshev | 2016-06-26 | 2 | -40/+84 |
| | | |||||
* | | Extend libxml exports | Anatol Belski | 2016-07-14 | 1 | -0/+2 |
| | | | | | | | | | | These are needed to support libxslt 1.1.29 on Windows. This libxslt version fixes CVE-2015-7995 and for this reason needs to be used. | ||||
* | | Updated NEWS | Julien Pauli | 2016-07-08 | 1 | -1/+4 |
| | | |||||
* | | Fix #69975: PHP segfaults when accessing nvarchar(max) defined columns | Christoph M. Becker | 2016-07-08 | 2 | -0/+39 |
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The SQL Server Native Client 11.0 and maybe other ODBC drivers report NVARCHAR(MAX) columns as SQL_WVARCHAR with size 0. This causes too small a buffer to be emalloc'd, likely causing a segfault in the following. As we don't know the real size of the column data, we treat such colums as SQL_WLONGVARCHAR. The related bug #67437 suggests that some drivers report a size of ~4GB. It is not certain that this is really the case (there might be some integer overflow involved, and anyway, there has been no feedback), so we do not cater for this now. However, it would not be hard to treat all sizes above a certain threshold in a similar way, i.e. as SQL_WLONGVARCHAR. (cherry picked from commit 16db4d1462bf3eacb93c0cd940f799160a284b24) (cherry picked from commit 344ff5dd4c538eaebea075f7705321f8b86d0b47) | ||||
* | | Updated NEWS | Julien Pauli | 2016-07-08 | 1 | -1/+2 |
| | | |||||
* | | Merge branch 'pull-request/1982' into PHP-5.5 | Julien Pauli | 2016-07-08 | 1 | -17/+24 |
|\ \ | | | | | | | | | | | | | * pull-request/1982: Update PHP 5.5 NEWS entries with CVE info | ||||
| * | | Update PHP 5.5 NEWS entries with CVE info | Lior Kaplan | 2016-07-04 | 1 | -17/+24 |
| | | | |||||
* | | | Fix bug #70480 (php_url_parse_ex() buffer overflow read) | Stanislav Malyshev | 2016-07-05 | 1 | -1/+1 |
|/ / | | | | | | | (cherry picked from commit 629e4da7cc8b174acdeab84969cbfc606a019b31) | ||||
* | | Fix the fix for #72403 on nl2br | Stanislav Malyshev | 2016-06-27 | 1 | -1/+1 |
|/ | |||||
* | 5.5.38 now | Julien Pauli | 2016-06-21 | 3 | -5/+9 |
| | |||||
* | remove the huge test file, generate it on the fly instead | Anatol Belski | 2016-06-21 | 2 | -1/+23 |
| | |||||
* | Now the right bug # | Stanislav Malyshev | 2016-06-21 | 1 | -1/+1 |
| | |||||
* | Fix NEWS | Stanislav Malyshev | 2016-06-21 | 1 | -2/+2 |
| | |||||
* | iFixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() ↵ | Stanislav Malyshev | 2016-06-20 | 2 | -9/+15 |
| | | | | resulting in heap overflow | ||||
* | update NEWS | Stanislav Malyshev | 2016-06-20 | 1 | -1/+30 |
| | |||||
* | Merge branch 'PHP-5.5.37' into PHP-5.5 | Stanislav Malyshev | 2016-06-20 | 20 | -246/+449 |
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * PHP-5.5.37: fix tests fix build Fix bug #72455: Heap Overflow due to integer overflows Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize Fix bug #72407: NULL Pointer Dereference at _gdScaleVert Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free Fix bug #72298 pass2_no_dither out-of-bounds access Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow Fix bug #72262 - do not overflow int Fix bug #72400 and #72403 - prevent signed int overflows for string lengths Fix bug #72275: don't allow smart_str to overflow int Fix bug #72340: Double Free Courruption in wddx_deserialize | ||||
| * | fix tests | Stanislav Malyshev | 2016-06-20 | 1 | -1/+1 |
| | | |||||
| * | fix build | Stanislav Malyshev | 2016-06-20 | 1 | -1/+1 |
| | | |||||
| * | Fix bug #72455: Heap Overflow due to integer overflows | Stanislav Malyshev | 2016-06-20 | 1 | -42/+50 |
| | | |||||
| * | Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC ↵ | Stanislav Malyshev | 2016-06-20 | 2 | -0/+42 |
| | | | | | | | | algorithm and unserialize | ||||
| * | Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and ↵ | Stanislav Malyshev | 2016-06-20 | 3 | -1/+44 |
| | | | | | | | | unserialize | ||||
| * | Fix bug #72407: NULL Pointer Dereference at _gdScaleVert | Stanislav Malyshev | 2016-06-18 | 1 | -0/+3 |
| | | |||||
| * | Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free | Stanislav Malyshev | 2016-06-18 | 2 | -33/+49 |
| | | |||||
| * | Fix bug #72298 pass2_no_dither out-of-bounds access | Stanislav Malyshev | 2016-06-18 | 2 | -7/+22 |
| | | |||||
| * | Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow | Pierre Joye | 2016-06-18 | 3 | -0/+18 |
| | |