Merge branch 'PHP-5.4.40' into PHP-5.5.24

* PHP-5.4.40:
  Additional fix for bug #69324
  More fixes for bug #69152
  Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions)
  Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar)
  Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER)
  Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4)
  Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault)
  Fixed bug #68901 (use after free)
  Fixed bug #68740 (NULL Pointer Dereference)
  Fix bug #66550 (SQLite prepared statement use-after-free)
  Better fix for #68601 for perf 81e9a993f2
  Fix bug #68601 buffer read overflow in gd_gif_in.c
  Revert "Merge branch 'PHP-5.4' of https://git.php.net/repository/php-src into PHP-5.4"
  Fixed bug #69293
  Add ZEND_ARG_CALLABLE_INFO to allow internal function to type hint against callable.

Zend/zend_exceptions.c

@@ -591,6 +591,9 @@ ZEND_METHOD(exception, getTraceAsString)
 	str = &res;
 
 	trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC);
+	if(Z_TYPE_P(trace) != IS_ARRAY) {
+		RETURN_FALSE;
+	}
 	zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num);
 
 	s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1);

ext/curl/interface.c

@@ -1354,6 +1354,7 @@ static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx)
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION");
 				length = -1;
 			} else if (retval_ptr) {
+				_php_curl_verify_handlers(ch, 1 TSRMLS_CC);
 				if (Z_TYPE_P(retval_ptr) != IS_LONG) {
 					convert_to_long_ex(&retval_ptr);
 				}
@@ -1497,6 +1498,7 @@ static size_t curl_progress(void *clientp, double dltotal, double dlnow, double
 			if (error == FAILURE) {
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot call the CURLOPT_PROGRESSFUNCTION");
 			} else if (retval_ptr) {
+				_php_curl_verify_handlers(ch, 1 TSRMLS_CC);
 				if (Z_TYPE_P(retval_ptr) != IS_LONG) {
 					convert_to_long_ex(&retval_ptr);
 				}
@@ -1574,6 +1576,7 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx)
 				length = CURL_READFUNC_ABORT;
 #endif
 			} else if (retval_ptr) {
+				_php_curl_verify_handlers(ch, 1 TSRMLS_CC);
 				if (Z_TYPE_P(retval_ptr) == IS_STRING) {
 					length = MIN((int) (size * nmemb), Z_STRLEN_P(retval_ptr));
 					memcpy(data, Z_STRVAL_P(retval_ptr), length);
@@ -1648,6 +1651,7 @@ static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx
 				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION");
 				length = -1;
 			} else if (retval_ptr) {
+				_php_curl_verify_handlers(ch, 1 TSRMLS_CC);
 				if (Z_TYPE_P(retval_ptr) != IS_LONG) {
 					convert_to_long_ex(&retval_ptr);
 				}

ext/curl/tests/bug69316.phpt

@@ -0,0 +1,41 @@
+--TEST--
+Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
+--SKIPIF--
+<?php 
+if (!extension_loaded("curl")) exit("skip curl extension not loaded");
+if (false === getenv('PHP_CURL_HTTP_REMOTE_SERVER'))  exit("skip PHP_CURL_HTTP_REMOTE_SERVER env variable is not defined");
+?>
+--FILE--
+<?php
+  function hdr_callback($ch, $data) {
+      // close the stream, causing the FILE structure to be free()'d
+      if($GLOBALS['f_file']) {
+          fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0;
+
+          // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc
+          $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238);
+          curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1));
+      }
+      return strlen($data);
+  }
+  $host = getenv('PHP_CURL_HTTP_REMOTE_SERVER');
+  
+  $temp_file = dirname(__FILE__) . '/body.tmp';
+  $url = "{$host}/get.php?test=getpost";
+  $ch = curl_init();
+  $f_file = fopen($temp_file, "w") or die("failed to open file\n");
+  curl_setopt($ch, CURLOPT_BUFFERSIZE, 10);
+  curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback");
+  curl_setopt($ch, CURLOPT_FILE, $f_file);
+  curl_setopt($ch, CURLOPT_URL, $url);
+  curl_exec($ch);
+  curl_close($ch);
+?>
+===DONE===
+--CLEAN--
+<?php
+unlink(dirname(__FILE__) . '/body.tmp');
+?>
+--EXPECTF--
+Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
+===DONE===

ext/dom/document.c

@@ -1580,6 +1580,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc
 	xmlInitParser();
 
 	if (mode == DOM_LOAD_FILE) {
+		if (CHECK_NULL_PATH(source, source_len)) {
+			return NULL;
+		}
 		char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
 		if (file_dest) {
 			ctxt = xmlCreateFileParserCtxt(file_dest);
@@ -2176,7 +2179,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
 	
 	id = getThis();
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
 		return;
 	}
 

ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt

@@ -13,6 +13,11 @@ assert.bail=true
 $doc = new DOMDocument();
 $result = $doc->loadHTMLFile("");
 assert('$result === false');
+$doc = new DOMDocument();
+$result = $doc->loadHTMLFile("text.html\0something");
+assert('$result === null');
 ?>
 --EXPECTF--
 %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s
+
+%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s

ext/ereg/regex/regcomp.c

@@ -1284,6 +1284,10 @@ int c;
 	register int ncols = (g->ncsets+(CHAR_BIT-1)) / CHAR_BIT;
 	register unsigned uc = (unsigned char)c;
 
+	if (!g->setbits) {
+		return(0);
+	}
+
 	for (i = 0, col = g->setbits; i < ncols; i++, col += g->csetsize)
 		if (col[uc] != 0)
 			return(1);

ext/fileinfo/fileinfo.c

@@ -506,6 +506,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime
 				RETVAL_FALSE;
 				goto clean;
 			}
+			if (CHECK_NULL_PATH(buffer, buffer_len)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+				RETVAL_FALSE;
+				goto clean;
+			}
 
 			wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC);
 

ext/fileinfo/libmagic/softmagic.c

@@ -1037,6 +1037,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 			if (bytecnt > nbytes) {
 				bytecnt = nbytes;
 			}
+			if (offset > bytecnt) {
+				offset = bytecnt;
+			}
 			if (s == NULL) {
 				ms->search.s_len = 0;
 				ms->search.s = NULL;

ext/fileinfo/tests/bug68819_002.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2
+--SKIPIF--
+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
+--FILE--
+<?php
+
+$string = '';
+
+// These two in any order
+$string .= "\r\n";
+$string .= "''''";
+
+// Total string length > 8192
+$string .= str_repeat(chr(rand(32, 127)), 8184);
+
+// Ending in this string
+$string .= "say";
+
+$finfo = new finfo();
+$type = $finfo->buffer($string);
+var_dump($type);
+
+?>
+--EXPECT--
+string(60) "ASCII text, with very long lines, with CRLF line terminators"

ext/fileinfo/tests/finfo_file_basic.phpt

@@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n";
 var_dump( finfo_file( $finfo, __FILE__) );
 var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) );
 var_dump( finfo_file( $finfo, $magicFile ) );
+var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) );
 
 ?>
 ===DONE===
@@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) );
 string(28) "text/x-php; charset=us-ascii"
 string(22) "PHP script, ASCII text"
 string(25) "text/plain; charset=utf-8"
+
+Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d
+bool(false)
 ===DONE===

ext/gd/gd.c

@@ -1417,7 +1417,7 @@ PHP_FUNCTION(imageloadfont)
 	gdFontPtr font;
 	php_stream *stream;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) {
 		return;
 	}
 
@@ -2354,7 +2354,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 	long ignore_warning;
 
 	if (image_type == PHP_GDIMG_TYPE_GD2PART) {
-		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
+		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
 			return;
 		}
 		if (width < 1 || height < 1) {
@@ -2362,7 +2362,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 			RETURN_FALSE;
 		}
 	} else {
-		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
+		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
 			return;
 		}
 	}
@@ -4031,7 +4031,7 @@ PHP_FUNCTION(imagepsencodefont)
 	char *enc, **enc_vector;
 	int enc_len, *f_ind;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) {
 		return;
 	}
 

ext/hash/hash.c

@@ -143,6 +143,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_
 	}
 	if (isfilename) {
 		if (CHECK_NULL_PATH(data, data_len)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
 			RETURN_FALSE;
 		}
 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
@@ -258,6 +259,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename,
 		RETURN_FALSE;
 	}
 	if (isfilename) {
+		if (CHECK_NULL_PATH(data, data_len)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+			RETURN_FALSE;
+		}
 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
 		if (!stream) {
 			/* Stream will report errors opening file */
@@ -462,7 +467,7 @@ PHP_FUNCTION(hash_update_file)
 	char *filename, buf[1024];
 	int filename_len, n;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
 		return;
 	}
 

ext/hash/tests/hash_hmac_file_error.phpt

@@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg);
 echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n";
 hash_hmac_file('foo', $file, $key, TRUE);
 
+echo "\n-- Testing hash_hmac_file() function with bad path --\n";
+hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE);
+
 ?>
 ===Done===
 --EXPECTF--
@@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d
 -- Testing hash_hmac_file() function with invalid hash algorithm --
 
 Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d
+
+-- Testing hash_hmac_file() function with bad path --
+
+Warning: hash_hmac_file(): Invalid path in %s on line %d
 ===Done===

ext/pgsql/pgsql.c

@@ -3014,7 +3014,7 @@ PHP_FUNCTION(pg_trace)
 	php_stream *stream;
 	id = PGG(default_link);
 
-	if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
+	if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
 		return;
 	}
 

ext/phar/phar.c

@@ -598,52 +598,41 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
  *
  * Meta-data is in this format:
  * [len32][data...]
- * 
+ *
  * data is the serialized zval
  */
-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */
+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */
 {
-	const unsigned char *p;
-	php_uint32 buf_len;
 	php_unserialize_data_t var_hash;
 
-	if (!zip_metadata_len) {
-		PHAR_GET_32(*buffer, buf_len);
-	} else {
-		buf_len = zip_metadata_len;
-	}
-
-	if (buf_len) {
+	if (zip_metadata_len) {
+		const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len);
+		p = p_buff;
 		ALLOC_ZVAL(*metadata);
 		INIT_ZVAL(**metadata);
-		p = (const unsigned char*) *buffer;
 		PHP_VAR_UNSERIALIZE_INIT(var_hash);
 
-		if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) {
+		if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) {
+			efree(p_buff);
 			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 			zval_ptr_dtor(metadata);
 			*metadata = NULL;
 			return FAILURE;
 		}
-
+		efree(p_buff);
 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 
 		if (PHAR_G(persist)) {
 			/* lazy init metadata */
 			zval_ptr_dtor(metadata);
-			*metadata = (zval *) pemalloc(buf_len, 1);
-			memcpy(*metadata, *buffer, buf_len);
-			*buffer += buf_len;
+			*metadata = (zval *) pemalloc(zip_metadata_len, 1);
+			memcpy(*metadata, *buffer, zip_metadata_len);
 			return SUCCESS;
 		}
 	} else {
 		*metadata = NULL;
 	}
 
-	if (!zip_metadata_len) {
-		*buffer += buf_len;
-	}
-
 	return SUCCESS;
 }
 /* }}}*/
@@ -653,7 +642,7 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR
  *
  * Parse a new one and add it to the cache, returning either SUCCESS or
  * FAILURE, and setting pphar to the pointer to the manifest entry
- * 
+ *
  * This is used by phar_open_from_filename to process the manifest, but can be called
  * directly.
  */
@@ -664,6 +653,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 	phar_entry_info entry;
 	php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
 	php_uint16 manifest_ver;
+	php_uint32 len;
 	long offset;
 	int sig_len, register_alias = 0, temp_alias = 0;
 	char *signature = NULL;
@@ -1029,16 +1019,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 	mydata->is_persistent = PHAR_G(persist);
 
 	/* check whether we have meta data, zero check works regardless of byte order */
+	PHAR_GET_32(buffer, len);
 	if (mydata->is_persistent) {
-		PHAR_GET_32(buffer, mydata->metadata_len);
-		if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) {
-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
-		}
-	} else {
-		if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) {
-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+		mydata->metadata_len = len;
+		if(!len) {
+			/* FIXME: not sure why this is needed but removing it breaks tests */
+			PHAR_GET_32(buffer, len);
 		}
 	}
+	if(len > endbuffer - buffer) {
+		MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
+	}
+	if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) {
+		MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+	}
+	buffer += len;
 
 	/* set up our manifest */
 	zend_hash_init(&mydata->manifest, manifest_count,
@@ -1073,7 +1068,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 			entry.manifest_pos = manifest_index;
 		}
 
-		if (buffer + entry.filename_len + 20 > endbuffer) {
+		if (entry.filename_len + 20 > endbuffer - buffer) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
 		}
 
@@ -1109,19 +1104,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 			entry.flags |= PHAR_ENT_PERM_DEF_DIR;
 		}
 
+		PHAR_GET_32(buffer, len);
 		if (entry.is_persistent) {
-			PHAR_GET_32(buffer, entry.metadata_len);
-			if (!entry.metadata_len) buffer -= 4;
-			if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) {
-				pefree(entry.filename, entry.is_persistent);
-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
-			}
+			entry.metadata_len = len;
 		} else {
-			if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) {
-				pefree(entry.filename, entry.is_persistent);
-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
-			}
+			entry.metadata_len = 0;
 		}
+		if (len > endbuffer - buffer) {
+			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+		}
+		if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) {
+			pefree(entry.filename, entry.is_persistent);
+			MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+		}
+		buffer += len;
 
 		entry.offset = entry.offset_abs = offset;
 		offset += entry.compressed_filesize;
@@ -2239,7 +2235,7 @@ last_time:
 
 /**
  * Process a phar stream name, ensuring we can handle any of:
- * 
+ *
  * - whatever.phar
  * - whatever.phar.gz
  * - whatever.phar.bz2

ext/phar/phar_internal.h

@@ -597,7 +597,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len,
 char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC);
 char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC);
 phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC);
-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC);
+int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC);
 void destroy_phar_manifest_entry(void *pDest);
 int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC);
 php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC);

ext/phar/tests/bug69324.phpt

@@ -0,0 +1,17 @@
+--TEST--
+Bug #69324: Buffer Over-read in unserialize when parsing Phar
+--SKIPIF--
+<?php
+if (!extension_loaded("phar")) die("skip");
+?>
+--FILE--
+<?php
+try {
+$p = new Phar(dirname(__FILE__).'/bug69324.phar', 0);
+$meta=$p->getMetadata();
+var_dump($meta);
+} catch(Exception $e) {
+	echo $e->getMessage();
+}
+--EXPECTF--
+internal corruption of phar "%s" (truncated manifest entry)

ext/sqlite3/sqlite3.c

@@ -1279,6 +1279,8 @@ PHP_METHOD(sqlite3stmt, paramCount)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1295,6 +1297,8 @@ PHP_METHOD(sqlite3stmt, close)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1313,6 +1317,8 @@ PHP_METHOD(sqlite3stmt, reset)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1333,6 +1339,8 @@ PHP_METHOD(sqlite3stmt, clear)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1354,6 +1362,8 @@ PHP_METHOD(sqlite3stmt, readOnly)
 	php_sqlite3_stmt *stmt_obj;
 	zval *object = getThis();
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
@@ -1421,6 +1431,8 @@ PHP_METHOD(sqlite3stmt, bindParam)
 	zval *object = getThis();
 	struct php_sqlite3_bound_param param = {0};
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	param.param_number = -1;
 	param.type = SQLITE3_TEXT;
@@ -1452,6 +1464,8 @@ PHP_METHOD(sqlite3stmt, bindValue)
 	zval *object = getThis();
 	struct php_sqlite3_bound_param param = {0};
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
+	
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
 
 	param.param_number = -1;
 	param.type = SQLITE3_TEXT;
@@ -1487,6 +1501,8 @@ PHP_METHOD(sqlite3stmt, execute)
 
 	stmt_obj = (php_sqlite3_stmt *)zend_object_store_get_object(object TSRMLS_CC);
 
+	SQLITE3_CHECK_INITIALIZED(stmt_obj->db_obj, stmt_obj->initialised, SQLite3)
+
 	if (zend_parse_parameters_none() == FAILURE) {
 		return;
 	}

ext/sqlite3/tests/bug66550.phpt

@@ -0,0 +1,23 @@
+--TEST--
+Bug #66550 (SQLite prepared statement use-after-free)
+--SKIPIF--
+<?php
+if (!extension_loaded('sqlite3')) die('skip');
+?>
+--FILE--
+<?php
+
+$db = new SQLite3(':memory:');
+
+$db->exec('CREATE TABLE foo (id INTEGER, bar STRING)');
+
+$stmt = $db->prepare('SELECT bar FROM foo WHERE id=:id');
+// Close the database connection and free the internal sqlite3_stmt object
+$db->close();
+// Access the sqlite3_stmt object via the php_sqlite3_stmt container
+$stmt->reset();
+?>
+==DONE==
+--EXPECTF--
+Warning: SQLite3Stmt::reset(): The SQLite3 object has not been correctly initialised in %s
+==DONE==

ext/standard/link.c

@@ -59,7 +59,7 @@ PHP_FUNCTION(readlink)
 	char buff[MAXPATHLEN];
 	int ret;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) {
 		return;
 	}
 

ext/standard/streamsfuncs.c

@@ -1549,7 +1549,7 @@ PHP_FUNCTION(stream_resolve_include_path)
 	char *filename, *resolved_path;
 	int filename_len;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) {
 		return;
 	}
 

ext/standard/tests/serialize/bug69152.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
+--FILE--
+<?php
+$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+echo $x;
+$x =  unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+$x->test();
+
+?>
+--EXPECTF--
+exception 'Exception' in %s:%d
+Stack trace:
+#0 {main}
+
+Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition  in %s on line %d

ext/xmlwriter/php_xmlwriter.c

@@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity)
 /* }}} */
 #endif
 
-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source)
+/* {{{ proto resource xmlwriter_open_uri(string source)
 Create new xmlwriter using source uri for output */
 static PHP_FUNCTION(xmlwriter_open_uri)
 {
@@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri)
 	void *ioctx;
 #endif
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) {
 		return;
 	}
 	

ext/zlib/zlib.c

@@ -593,7 +593,7 @@ static PHP_FUNCTION(gzopen)
 	php_stream *stream;
 	long use_include_path = 0;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
 		return;
 	}
 
@@ -621,7 +621,7 @@ static PHP_FUNCTION(readgzfile)
 	int size;
 	long use_include_path = 0;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) {
 		return;
 	}
 

sapi/apache2handler/sapi_apache2.c

@@ -688,6 +688,7 @@ zend_first_try {
 } zend_end_try();
 		}
 		apr_brigade_cleanup(brigade);
+		apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
 	} else {
 		ctx->r = parent_req;
 	}