From 13fc7f20a44cf3563030ba54b22d67c3bad81870 Mon Sep 17 00:00:00 2001
From: manuel
Date: Fri, 6 Feb 2015 16:53:01 +0100
Subject: Invalid free of CG(interned_empty_string)

On failure php_escape_html_entities returns STR_EMPTY_ALLOC which is an alias of CG(interned_empty_string) if interned strings are enabled. Make sure we don't free this.
---
 ext/soap/soap.c | 4 ++--
 ext/wddx/wddx.c | 4 ++--
 main/main.c | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ext/soap/soap.c b/ext/soap/soap.c
index 6a250baf58..b739d338d9 100644
--- a/ext/soap/soap.c
+++ b/ext/soap/soap.c
@@ -4004,7 +4004,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
 } else {
 xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len);
 }
- efree(str);
+ str_efree(str);
 }
 if (zend_hash_find(prop, "faultstring", sizeof("faultstring"), (void**)&tmp) == SUCCESS) {
 xmlNodePtr node = master_to_xml(get_conversion(IS_STRING), *tmp, SOAP_LITERAL, param TSRMLS_CC);
@@ -4029,7 +4029,7 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
 } else {
 xmlNodeSetContentLen(node, BAD_CAST(str), (int)new_len);
 }
- efree(str);
+ str_efree(str);
 }
 if (zend_hash_find(prop, "faultstring", sizeof("faultstring"), (void**)&tmp) == SUCCESS) {
 xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Reason"), NULL);
diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c
index 4e91c18d59..0e96b364f9 100644
--- a/ext/wddx/wddx.c
+++ b/ext/wddx/wddx.c
@@ -409,7 +409,7 @@ static void php_wddx_serialize_string(wddx_packet *packet, zval *var TSRMLS_DC)
 
 php_wddx_add_chunk_ex(packet, buf, buf_len);
 
- efree(buf);
+ str_efree(buf);
 }
 php_wddx_add_chunk_static(packet, WDDX_STRING_E);
 }
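Review bot: Nothing at the new `str_efree(str)` call says why a plain `efree` was unsafe here, so the guard is easy to lose in the next cleanup; a one-line comment above it would keep the invariant the commit message describes at the call site, e.g. `/* php_escape_html_entities() returns the interned empty string on failure; str_efree() skips interned strings */`. The same point applies to the second soap.c hunk at 4029, both wddx.c hunks (409 and 635), main.c:918, and main.c:935 in the later commit, so one shared wording would do. This is a memory-safety fix on an error path — the test commit that follows appears to reach it with a fault code that is not valid UTF-8 — which is why the comment is worth the line. serialize_response_call begins and ends outside the hunk.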
@@ -635,7 +635,7 @@ void php_wddx_serialize_var(wddx_packet *packet, zval *var, char *name, int name
 snprintf(tmp_buf, name_esc_len + sizeof(WDDX_VAR_S), WDDX_VAR_S, name_esc);
 php_wddx_add_chunk(packet, tmp_buf);
 efree(tmp_buf);
- efree(name_esc);
+ str_efree(name_esc);
 }
 
 switch(Z_TYPE_P(var)) {
diff --git a/main/main.c b/main/main.c
index 16dc370ca1..331849cfc2 100644
--- a/main/main.c
+++ b/main/main.c
@@ -918,7 +918,7 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
 } else {
 spprintf(&message, 0, "%s: %s", origin, buffer);
 }
- efree(origin);
+ str_efree(origin);
 if (docref_buf) {
 efree(docref_buf);
 }
-- cgit v1.2.1

From c90cd09331c193ee34794ca1a73e821c31be2d1f Mon Sep 17 00:00:00 2001
From: George Wang
Date: Sat, 7 Feb 2015 12:16:54 -0500
Subject: Fixed #68790 (Missing return)

---
 sapi/litespeed/lsapi_main.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sapi/litespeed/lsapi_main.c b/sapi/litespeed/lsapi_main.c
index 92a371d560..5978100c27 100644
--- a/sapi/litespeed/lsapi_main.c
+++ b/sapi/litespeed/lsapi_main.c
@@ -489,7 +489,7 @@ static sapi_module_struct lsapi_sapi_module =
 };
 /* }}} */
 
-static int init_request_info( TSRMLS_D )
+static void init_request_info( TSRMLS_D )
 {
 char * pContentType = LSAPI_GetHeader( H_CONTENT_TYPE );
 char * pAuth;
-- cgit v1.2.1

From 3550cc5fd975971403d40199427c7598a05b9b08 Mon Sep 17 00:00:00 2001
From: manuel
Date: Sat, 7 Feb 2015 18:52:26 +0100
Subject: add tests for #68996

---
 ext/soap/tests/bug68996.phpt | 45 ++++++++++++++++++++++++++++++++
 ext/standard/tests/strings/bug68996.phpt | 16 ++++++++++++
 ext/wddx/tests/bug68996.phpt | 15 +++++++++++
 3 files changed, 76 insertions(+)
 create mode 100644 ext/soap/tests/bug68996.phpt
 create mode 100644 ext/standard/tests/strings/bug68996.phpt
 create mode 100644 ext/wddx/tests/bug68996.phpt

diff --git a/ext/soap/tests/bug68996.phpt b/ext/soap/tests/bug68996.phpt
new file mode 100644
index 0000000000..e503d80239
--- /dev/null
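Review bot: Changing init_request_info to `void` only compiles and closes #68790 if the body, which continues past the hunk, carries no `return <value>;` and no caller uses the function's result; neither is visible in this hunk, so both should be confirmed before merge. Any early exit the body needs still works as a bare `return;`. The hunk shows only the signature and the first two declarations of the function, so its remaining paths cannot be reviewed here.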
+++ b/ext/soap/tests/bug68996.phpt @@ -0,0 +1,45 @@ +--TEST-- +Bug #68996 (Invalid free of CG(interned_empty_string)) +--SKIPIF-- + +--FILE-- + 'http://foo', +]); + +function foo() { + return new SoapFault("\xfc\x63", "some msg"); +} +$s->addFunction("foo"); + +// soap 1.1 +$HTTP_RAW_POST_DATA = << + + + + + +EOF; +$s->handle($HTTP_RAW_POST_DATA); + +// soap 1.2 +$HTTP_RAW_POST_DATA = << + + + + + +EOF; +$s->handle($HTTP_RAW_POST_DATA); +?> +--EXPECTF-- + +some msg + +some msg diff --git a/ext/standard/tests/strings/bug68996.phpt b/ext/standard/tests/strings/bug68996.phpt new file mode 100644 index 0000000000..30ba147f8f --- /dev/null +++ b/ext/standard/tests/strings/bug68996.phpt @@ -0,0 +1,16 @@ +--TEST-- +Bug #68996 (Invalid free of CG(interned_empty_string)) +--SKIPIF-- + +--INI-- +html_errors=1 +--FILE-- + +--EXPECTF-- +
+Warning: : failed to open stream: No such file or directory in %sbug68996.php on line 2
diff --git a/ext/wddx/tests/bug68996.phpt b/ext/wddx/tests/bug68996.phpt new file mode 100644 index 0000000000..fc4ecbc731 --- /dev/null +++ b/ext/wddx/tests/bug68996.phpt @@ -0,0 +1,15 @@ +--TEST-- +Bug #68996 (Invalid free of CG(interned_empty_string)) +--SKIPIF-- + +--FILE-- + "foo" ]) . "\n"; +?> +--EXPECTF-- +
+
foo
-- cgit v1.2.1

From cc13d8696fbe08561c3b01ef8d29214fa2b09343 Mon Sep 17 00:00:00 2001
From: manuel
Date: Sat, 7 Feb 2015 19:17:31 +0100
Subject: Fix another invalid free of CG(interned_empty_string)

Fixes #68214
---
 ext/standard/tests/strings/bug68996.phpt | 7 +++++++
 main/main.c | 2 +-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/ext/standard/tests/strings/bug68996.phpt b/ext/standard/tests/strings/bug68996.phpt
index 30ba147f8f..af40274983 100644
--- a/ext/standard/tests/strings/bug68996.phpt
+++ b/ext/standard/tests/strings/bug68996.phpt
@@ -10,7 +10,14 @@ html_errors=1
 --FILE--
 --EXPECTF--
Warning: : failed to open stream: No such file or directory in %sbug68996.php on line 2
+
+Warning: : failed to open stream: No such file or directory in %sbug68996.php on line 3
+
+Warning: : failed to open stream: No such file or directory in %sbug68996.php on line 3
+
+Warning: finfo_open(): in /%sbug68996.php on line 3
diff --git a/main/main.c b/main/main.c
index 331849cfc2..a98aff0755 100644
--- a/main/main.c
+++ b/main/main.c
@@ -935,7 +935,7 @@ PHPAPI void php_verror(const char *docref, const char *params, int type, const c
 zend_hash_update(EG(active_symbol_table), "php_errormsg", sizeof("php_errormsg"), (void **) &tmp, sizeof(zval *), NULL);
 }
 }
- efree(buffer);
+ str_efree(buffer);
 
 php_error(type, "%s", message);
 efree(message);
-- cgit v1.2.1