Commit message  [Author, Age, Files, Lines]
* 5.6.28 (php-5.6.28, PHP-5.6.28)  [Ferenc Kovacs, 2016-11-09, files: 2, lines: -3/+3]
|
* update NEWS  [Ferenc Kovacs, 2016-11-09, files: 1, lines: -1/+18]
|
* fix memory leak  [Anatol Belski, 2016-11-09, files: 1, lines: -0/+1]
|
* add missing RETURN_STRINGL_CHECK  [Anatol Belski, 2016-11-09, files: 1, lines: -0/+1]
|     As RETVAL_STRINGL_CHECK is already there, this one is needed for completion. One place in ext/bz2 is missing that, so it will likely be useful for other possible fixes.
* fix dir separator in test  [Anatol Belski, 2016-11-09, files: 1, lines: -1/+1]
|
* Add length check for bzcompress too - fix for bug #73356  [Stanislav Malyshev, 2016-11-09, files: 1, lines: -1/+1]
|
* More string length checks & fixes  [Stanislav Malyshev, 2016-11-09, files: 13, lines: -28/+41]
|
* Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash  [Anatol Belski, 2016-11-09, files: 1, lines: -1/+1]
|
* Fix #72696: imagefilltoborder stackoverflow on truecolor images  [Christoph M. Becker, 2016-11-09, files: 2, lines: -1/+15]
|     We must not allow negative color values to be passed to gdImageFillToBorder(), because that can lead to infinite recursion since the recursion termination condition will not necessarily be met.
* Fix #72482: Illegal write/read access caused by gdImageAALine overflow  [Christoph M. Becker, 2016-11-09, files: 4, lines: -48/+43]
|     Instead of rolling our own bounds check we use clip_1d() as it's done in gdImageLine() and in external libgd. We must not pass the image width and height, respectively, but rather the largest ordinate value that is allowed to be accessed, i.e. width-1 and height-1, respectively.
* Fix bug #73144 and bug #73341 - remove extra dtor  [Stanislav Malyshev, 2016-11-09, files: 2, lines: -1/+25]
|
* Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle  [Stanislav Malyshev, 2016-11-09, files: 5, lines: -34/+55]
|     Proper solution would be to call serialize/unserialize and deal with the result, but this requires more work that should be done by wddx maintainer (not me).
* 5.6.28RC1 (php-5.6.28RC1)  [Ferenc Kovacs, 2016-10-27, files: 3, lines: -4/+4]
|
* Fix #72494: imagecropauto out-of-bounds access  [Christoph M. Becker, 2016-10-25, files: 3, lines: -0/+21]
|     This issue has actually already been fixed with commit 46f2c690. We're adding a regression test and a NEWS entry, and also port the fix in gdImageCropThreshold() from libgd:
|     * <https://github.com/libgd/libgd/commit/b347e034>
|     * <https://github.com/libgd/libgd/commit/46f2c690>
* Updated to version 2016.8 (2016h)  [Derick Rethans, 2016-10-24, files: 1, lines: -456/+458]
|
* Fixed bug #73337 (try/catch not working with two exceptions inside a same operation)  [Dmitry Stogov, 2016-10-18, files: 3, lines: -0/+19]
|
* Fix #73333: 2147483647 is fetched as string  [Christoph M. Becker, 2016-10-17, files: 5, lines: -4/+40]
|     We return all integers that can be represented as such by PHP as integers, and only those that exceed the possible range as strings. On builds which represent integers with 64 bits, the range check is unnecessary and might cause code checkers to complain, so we skip this special casing via the preprocessor according to <http://git.php.net/?p=php-src.git;a=commit;h=99d087e5>.
* use zend_error instead of zend_error_noreturn  [Remi Collet, 2016-10-14, files: 1, lines: -1/+1]
|
* add missing NEWS entries for 5.6.27  [Ferenc Kovacs, 2016-10-14, files: 1, lines: -0/+36]
|
* Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf  [Christoph M. Becker, 2016-10-13, files: 2, lines: -1/+2]
|     We make sure to never pass a negative `rlen` as size to memcpy(). Cf. <https://github.com/libgd/libgd/commit/53110871>.
* Clear FG(user_stream_current_filename) when bailing out  [Sara Golemon, 2016-10-11, files: 3, lines: -6/+28]
|     If a userwrapper opener E_ERRORs then FG(user_stream_current_filename) would remain set until the next request and would not be pointing at unallocated memory. Catch the bailout, clear the variable, then continue bailing.
|
|     Closes https://bugs.php.net/bug.php?id=73188
* Merge branch 'PHP-5.6.27' into PHP-5.6  [Stanislav Malyshev, 2016-10-11, files: 23, lines: -310/+443]
|\
| |   * PHP-5.6.27:
| |     Fix tests
| |     fix tsrm
| |     Fix bug #73284 - heap overflow in php_ereg_replace function
| |     Fix bug #73276 - crash in openssl_random_pseudo_bytes function
| |     Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()
| |     fix bug #73275 - crash in openssl_encrypt function
| |     Fix for #73240 - Write out of bounds at number_format
| |     Bug #73218: add mitigation for ICU int overflow
| |     Add more locale length checks, due to ICU bugs.
| |     Fix bug #73208 - another missing length check
| |     Fix bug #73190: memcpy negative parameter _bc_new_num_ex
| |     Fix bug #73189 - Memcpy negative size parameter php_resolve_path
| |     Fixed bug #73174 - heap overflow in php_pcre_replace_impl
| |     Fix bug #73150: missing NULL check in dom_document_save_html
| |     Fix bug #73147: Use After Free in PHP7 unserialize()
| |     Fix bug #73082
| |     Fix bug #73073 - CachingIterator null dereference when convert to string
| * Fix tests  [Stanislav Malyshev, 2016-10-11, files: 4, lines: -10/+2]
| |
| * fix tsrm  [Stanislav Malyshev, 2016-10-11, files: 1, lines: -2/+2]
| |
| * Fix bug #73284 - heap overflow in php_ereg_replace function  [Stanislav Malyshev, 2016-10-11, files: 1, lines: -22/+22]
| |
| * Fix bug #73276 - crash in openssl_random_pseudo_bytes function  [Stanislav Malyshev, 2016-10-11, files: 1, lines: -5/+5]
| |
| * Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML()  [Stanislav Malyshev, 2016-10-11, files: 2, lines: -11/+24]
| |
| * fix bug #73275 - crash in openssl_encrypt function  [Stanislav Malyshev, 2016-10-11, files: 1, lines: -3/+7]
| |
| * Fix for #73240 - Write out of bounds at number_format  [Stanislav Malyshev, 2016-10-10, files: 1, lines: -48/+60]
| |
| * Bug #73218: add mitigation for ICU int overflow  [Stanislav Malyshev, 2016-10-04, files: 1, lines: -15/+27]
| |
| * Add more locale length checks, due to ICU bugs.  [Stanislav Malyshev, 2016-10-04, files: 1, lines: -0/+8]
| |
| * Fix bug #73208 - another missing length check  [Stanislav Malyshev, 2016-10-03, files: 1, lines: -1/+1]
| |
| * Fix bug #73190: memcpy negative parameter _bc_new_num_ex  [Stanislav Malyshev, 2016-10-03, files: 4, lines: -14/+32]
| |
| * Fix bug #73189 - Memcpy negative size parameter php_resolve_path  [Stanislav Malyshev, 2016-09-28, files: 1, lines: -7/+8]
| |
| * Fixed bug #73174 - heap overflow in php_pcre_replace_impl  [Stanislav Malyshev, 2016-09-28, files: 1, lines: -8/+14]
| |
| * Fix bug #73150: missing NULL check in dom_document_save_html  [Stanislav Malyshev, 2016-09-25, files: 1, lines: -2/+2]
| |
| * Fix bug #73147: Use After Free in PHP7 unserialize()  [Stanislav Malyshev, 2016-09-25, files: 4, lines: -1/+49]
| |
| * Fix bug #73082  [Stanislav Malyshev, 2016-09-25, files: 1, lines: -48/+48]
| |
| * Fix bug #73073 - CachingIterator null dereference when convert to string  [Stanislav Malyshev, 2016-09-20, files: 2, lines: -122/+141]
| |
* | update NEWS  [Anatol Belski, 2016-10-10, files: 1, lines: -0/+3]
| |
* | add test for bug #73037  [Anatol Belski, 2016-10-10, files: 1, lines: -0/+180]
| |
* | Fix #73279: Integer overflow in gdImageScaleBilinearPalette()  [Christoph M. Becker, 2016-10-10, files: 4, lines: -4/+47]
| |     The color components are supposed to be in range 0..255, so we must not cast them to `signed char`, which can be the default for `char`. Port of <https://github.com/libgd/libgd/commit/77c8d359>.
* | Fix #73272: imagescale() affects imagesetinterpolation()  [Christoph M. Becker, 2016-10-09, files: 4, lines: -1/+30]
| |     We must not permanently change the interpolation method, but rather have to restore the old method after we're done with scaling the image.
* | fix leak  [Anatol Belski, 2016-10-08, files: 1, lines: -0/+1]
| |
* | Fix bug #73192  [Nikita Popov, 2016-10-08, files: 11, lines: -56/+49]
| |
* | Revert "Fixed test"  [Nikita Popov, 2016-10-08, files: 1, lines: -2/+32]
| |     This reverts commit a10d03ac166daba646b6023e0f12e9ee8040c909.
* | Revert "Added validation to parse_url() to prohibit restricted characters inside login/pass components based on RFC3986"  [Nikita Popov, 2016-10-08, files: 11, lines: -46/+52]
| |     This reverts commit 085dfca02b64588317a233eb191d07a75511fff2.
* | Fix bug #73037, second round  [Anatol Belski, 2016-10-05, files: 1, lines: -1/+5]
| |
* | Fixed test  [Ilia Alshanetsky, 2016-10-04, files: 1, lines: -32/+2]
| |
* | Added validation to parse_url() to prohibit restricted characters inside login/pass components based on RFC3986  [Ilia Alshanetsky, 2016-10-04, files: 11, lines: -52/+46]
| |