Commit message (Collapse) | Author | Age | Files | Lines | |
---|---|---|---|---|---|
* | 5.6.28php-5.6.28PHP-5.6.28 | Ferenc Kovacs | 2016-11-09 | 2 | -3/+3 |
| | |||||
* | update NEWS | Ferenc Kovacs | 2016-11-09 | 1 | -1/+18 |
| | |||||
* | fix memory leak | Anatol Belski | 2016-11-09 | 1 | -0/+1 |
| | |||||
* | add missing RETURN_STRINGL_CHECK | Anatol Belski | 2016-11-09 | 1 | -0/+1 |
| | | | | | | As RETVAL_STRINGL_CHECK is already there, this one is needed for completion. One place in ext/bz2 is missing that, so it will likely be useful for other possible fixes. | ||||
* | fix dir separator in test | Anatol Belski | 2016-11-09 | 1 | -1/+1 |
| | |||||
* | Add length check for bzcompress too - fix for bug #73356 | Stanislav Malyshev | 2016-11-09 | 1 | -1/+1 |
| | |||||
* | More string length checks & fixes | Stanislav Malyshev | 2016-11-09 | 13 | -28/+41 |
| | |||||
* | Fixed bug #73418 Integer Overflow in "_php_imap_mail" leads to crash | Anatol Belski | 2016-11-09 | 1 | -1/+1 |
| | |||||
* | Fix #72696: imagefilltoborder stackoverflow on truecolor images | Christoph M. Becker | 2016-11-09 | 2 | -1/+15 |
| | | | | | | We must not allow negative color values be passed to gdImageFillToBorder(), because that can lead to infinite recursion since the recursion termination condition will not necessarily be met. | ||||
* | Fix #72482: Ilegal write/read access caused by gdImageAALine overflow | Christoph M. Becker | 2016-11-09 | 4 | -48/+43 |
| | | | | | | | | Instead of rolling our own bounds check we use clip_1d() as it's done in gdImageLine() and in external libgd. We must not pass the image width and height, respectively, but rather the largest ordinate value that is allowed to be accessed, i.e. width-1 and height-1, respectively. | ||||
* | Fix bug #73144 and bug #73341 - remove extra dtor | Stanislav Malyshev | 2016-11-09 | 2 | -1/+25 |
| | |||||
* | Fix bug #73331 - do not try to serialize/unserialize objects wddx can not handle | Stanislav Malyshev | 2016-11-09 | 5 | -34/+55 |
| | | | | | Proper soltion would be to call serialize/unserialize and deal with the result, but this requires more work that should be done by wddx maintainer (not me). | ||||
* | 5.6.28RC1php-5.6.28RC1 | Ferenc Kovacs | 2016-10-27 | 3 | -4/+4 |
| | |||||
* | Fix #72494: imagecropauto out-of-bounds access | Christoph M. Becker | 2016-10-25 | 3 | -0/+21 |
| | | | | | | | | This issue has actually already been fixed with commit 46f2c690. We're adding a regression test and a NEWS entry, and also port the fix in gdImageCropThreshold() from libgd: * <https://github.com/libgd/libgd/commit/b347e034> * <https://github.com/libgd/libgd/commit/46f2c690> | ||||
* | Updated to version 2016.8 (2016h) | Derick Rethans | 2016-10-24 | 1 | -456/+458 |
| | |||||
* | Fixed bug #73337 (try/catch not working with two exceptions inside a same ↵ | Dmitry Stogov | 2016-10-18 | 3 | -0/+19 |
| | | | | operation) | ||||
* | Fix #73333: 2147483647 is fetched as string | Christoph M. Becker | 2016-10-17 | 5 | -4/+40 |
| | | | | | | | | | We return all integers that can be represented as such by PHP as integers, and only those that exceed the possible range as strings. On builds which represent integers with 64 bits, the range check is unnecessary and might cause code checkers to complain, so we skip this special casing via the preprocessor according to <http://git.php.net/?p=php-src.git;a=commit;h=99d087e5>. | ||||
* | use zend_error instead of zend_error_noreturn | Remi Collet | 2016-10-14 | 1 | -1/+1 |
| | |||||
* | add missing NEWS entries for 5.6.27 | Ferenc Kovacs | 2016-10-14 | 1 | -0/+36 |
| | |||||
* | Fix #73280: Stack Buffer Overflow in GD dynamicGetbuf | Christoph M. Becker | 2016-10-13 | 2 | -1/+2 |
| | | | | | | We make sure to never pass a negative `rlen` as size to memcpy(). Cf. <https://github.com/libgd/libgd/commit/53110871>. | ||||
* | Clear FG(user_stream_current_filename) when bailing out | Sara Golemon | 2016-10-11 | 3 | -6/+28 |
| | | | | | | | | | | If a userwrapper opener E_ERRORs then FG(user_stream_current_filename) would remain set until the next request and would not be pointing at unallocated memory. Catch the bailout, clear the variable, then continue bailing. Closes https://bugs.php.net/bug.php?id=73188 | ||||
* | Merge branch 'PHP-5.6.27' into PHP-5.6 | Stanislav Malyshev | 2016-10-11 | 23 | -310/+443 |
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * PHP-5.6.27: Fix tests fix tsrm Fix bug #73284 - heap overflow in php_ereg_replace function Fix bug #73276 - crash in openssl_random_pseudo_bytes function Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML() fix bug #73275 - crash in openssl_encrypt function Fix for #73240 - Write out of bounds at number_format Bug #73218: add mitigation for ICU int overflow Add more locale length checks, due to ICU bugs. Fix bug #73208 - another missing length check Fix bug #73190: memcpy negative parameter _bc_new_num_ex Fix bug #73189 - Memcpy negative size parameter php_resolve_path Fixed bug #73174 - heap overflow in php_pcre_replace_impl Fix bug #73150: missing NULL check in dom_document_save_html Fix bug #73147: Use After Free in PHP7 unserialize() Fix bug #73082 Fix bug #73073 - CachingIterator null dereference when convert to string | ||||
| * | Fix tests | Stanislav Malyshev | 2016-10-11 | 4 | -10/+2 |
| | | |||||
| * | fix tsrm | Stanislav Malyshev | 2016-10-11 | 1 | -2/+2 |
| | | |||||
| * | Fix bug #73284 - heap overflow in php_ereg_replace function | Stanislav Malyshev | 2016-10-11 | 1 | -22/+22 |
| | | |||||
| * | Fix bug #73276 - crash in openssl_random_pseudo_bytes function | Stanislav Malyshev | 2016-10-11 | 1 | -5/+5 |
| | | |||||
| * | Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML() | Stanislav Malyshev | 2016-10-11 | 2 | -11/+24 |
| | | |||||
| * | fix bug #73275 - crash in openssl_encrypt function | Stanislav Malyshev | 2016-10-11 | 1 | -3/+7 |
| | | |||||
| * | Fix for #73240 - Write out of bounds at number_format | Stanislav Malyshev | 2016-10-10 | 1 | -48/+60 |
| | | |||||
| * | Bug #73218: add mitigation for ICU int overflow | Stanislav Malyshev | 2016-10-04 | 1 | -15/+27 |
| | | |||||
| * | Add more locale length checks, due to ICU bugs. | Stanislav Malyshev | 2016-10-04 | 1 | -0/+8 |
| | | |||||
| * | Fix bug #73208 - another missing length check | Stanislav Malyshev | 2016-10-03 | 1 | -1/+1 |
| | | |||||
| * | Fix bug #73190: memcpy negative parameter _bc_new_num_ex | Stanislav Malyshev | 2016-10-03 | 4 | -14/+32 |
| | | |||||
| * | Fix bug #73189 - Memcpy negative size parameter php_resolve_path | Stanislav Malyshev | 2016-09-28 | 1 | -7/+8 |
| | | |||||
| * | Fixed bug #73174 - heap overflow in php_pcre_replace_impl | Stanislav Malyshev | 2016-09-28 | 1 | -8/+14 |
| | | |||||
| * | Fix bug #73150: missing NULL check in dom_document_save_html | Stanislav Malyshev | 2016-09-25 | 1 | -2/+2 |
| | | |||||
| * | Fix bug #73147: Use After Free in PHP7 unserialize() | Stanislav Malyshev | 2016-09-25 | 4 | -1/+49 |
| | | |||||
| * | Fix bug #73082 | Stanislav Malyshev | 2016-09-25 | 1 | -48/+48 |
| | | |||||
| * | Fix bug #73073 - CachingIterator null dereference when convert to string | Stanislav Malyshev | 2016-09-20 | 2 | -122/+141 |
| | | |||||
* | | update NEWS | Anatol Belski | 2016-10-10 | 1 | -0/+3 |
| | | |||||
* | | add test for bug #73037 | Anatol Belski | 2016-10-10 | 1 | -0/+180 |
| | | |||||
* | | Fix #73279: Integer overflow in gdImageScaleBilinearPalette() | Christoph M. Becker | 2016-10-10 | 4 | -4/+47 |
| | | | | | | | | | | | | | | The color components are supposed to be in range 0..255, so we must not cast them to `signed char`, what can be the default for `char`. Port of <https://github.com/libgd/libgd/commit/77c8d359>. | ||||
* | | Fix #73272: imagescale() affects imagesetinterpolation() | Christoph M. Becker | 2016-10-09 | 4 | -1/+30 |
| | | | | | | | | | | We must not permanently change the interpolation method, but rather have to restore the old method after we're done with scaling the image. | ||||
* | | fix leak | Anatol Belski | 2016-10-08 | 1 | -0/+1 |
| | | |||||
* | | Fix bug #73192 | Nikita Popov | 2016-10-08 | 11 | -56/+49 |
| | | |||||
* | | Revert "Fixed test" | Nikita Popov | 2016-10-08 | 1 | -2/+32 |
| | | | | | | | | This reverts commit a10d03ac166daba646b6023e0f12e9ee8040c909. | ||||
* | | Revert "Added validation to parse_url() to prohibit restricted characters ↵ | Nikita Popov | 2016-10-08 | 11 | -46/+52 |
| | | | | | | | | | | | | inside login/pass components based on RFC3986" This reverts commit 085dfca02b64588317a233eb191d07a75511fff2. | ||||
* | | Fix bug #73037, second round | Anatol Belski | 2016-10-05 | 1 | -1/+5 |
| | | |||||
* | | Fixed test | Ilia Alshanetsky | 2016-10-04 | 1 | -32/+2 |
| | | |||||
* | | Added validation to parse_url() to prohibit restricted characters inside ↵ | Ilia Alshanetsky | 2016-10-04 | 11 | -52/+46 |
| | | | | | | | | login/pass components based on RFC3986 |