Merge remote-tracking branch 'phpsec/PHP-7.0' into PHP-7.0

* phpsec/PHP-7.0:
  add NEWS entries for 7.0.2
  re-apply the patch from 1785d2b805
  Improve fix for bug #70976
  Fix bug #70976: fix boundary check on gdImageRotateInterpolated
  Fixed bug #70755: fpm_log.c memory leak and buffer overflow
  fix merge mistake
  Fixed #70728
  Fixed bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)

ext/gd/libgd/gd_interpolation.c

@@ -2162,7 +2162,7 @@ gdImagePtr gdImageRotateInterpolated(const gdImagePtr src, const float angle, in
 {
 	const int angle_rounded = (int)floor(angle * 100);
 
-	if (bgcolor < 0) {
+	if (bgcolor < 0 || (!src->trueColor && bgcolor >= gdMaxColors)) {
 		return NULL;
 	}
 

ext/gd/tests/bug70976.phpt

@@ -0,0 +1,13 @@
+--TEST--
+Bug #70976 (Memory Read via gdImageRotateInterpolated Array Index Out of Bounds)
+--SKIPIF--
+<?php
+	if(!extension_loaded('gd')){ die('skip gd extension not available'); }
+?>
+--FILE--
+<?php
+$img = imagerotate(imagecreate(1,1),45,0x7ffffff9);
+var_dump($img);
+?>
+--EXPECTF--
+bool(false)

ext/wddx/tests/bug70661.phpt

@@ -0,0 +1,69 @@
+--TEST--
+Bug #70661 (Use After Free Vulnerability in WDDX Packet Deserialization)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+$fakezval = ptr2str(1122334455);
+$fakezval .= ptr2str(0);
+$fakezval .= "\x00\x00\x00\x00";
+$fakezval .= "\x01";
+$fakezval .= "\x00";
+$fakezval .= "\x00\x00";
+
+$x = <<<EOT
+<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+	<data>
+		<struct>
+			<recordset rowCount='1' fieldNames='ryat'>
+				<field name='ryat'>
+					<var name='php_class_name'>
+						<string>stdClass</string>
+					</var>
+					<null/>
+				</field>
+			</recordset>
+		</struct>	
+	</data>
+</wddxPacket>
+EOT;
+
+$y = wddx_deserialize($x);
+
+for ($i = 0; $i < 5; $i++) {
+	$v[$i] = $fakezval.$i;
+}
+
+var_dump($y);
+
+function ptr2str($ptr)
+{
+	$out = '';
+	
+	for ($i = 0; $i < 8; $i++) {
+		$out .= chr($ptr & 0xff);
+		$ptr >>= 8;
+	}
+	
+	return $out;
+}
+?>
+DONE
+--EXPECTF--
+array(1) {
+  [0]=>
+  array(1) {
+    ["ryat"]=>
+    array(2) {
+      ["php_class_name"]=>
+      string(8) "stdClass"
+      [0]=>
+      NULL
+    }
+  }
+}
+DONE

ext/wddx/tests/bug70741.phpt

@@ -0,0 +1,26 @@
+--TEST--
+Bug #70741 (Session WDDX Packet Deserialization Type Confusion Vulnerability)
+--SKIPIF--
+<?php
+if (!extension_loaded("wddx")) print "skip";
+?>
+--FILE--
+<?php
+ini_set('session.serialize_handler', 'wddx');
+session_start();
+
+$hashtable = str_repeat('A', 66);
+$wddx = "<?xml version='1.0'?>
+<wddxPacket version='1.0'>
+<header/>
+	<data>
+		<string>$hashtable</string>
+	</data>
+</wddxPacket>";
+session_decode($wddx);
+?>
+DONE
+--EXPECTF--
+
+Warning: session_decode(): Failed to decode session object. Session has been destroyed in %s on line %d
+DONE

ext/wddx/wddx.c

@@ -298,6 +298,10 @@ PS_SERIALIZER_DECODE_FUNC(wddx)
 
 	ZVAL_UNDEF(&retval);
 	if ((ret = php_wddx_deserialize_ex(val, vallen, &retval)) == SUCCESS) {
+		if (Z_TYPE(retval) != IS_ARRAY) {
+			zval_dtor(&retval);
+			return FAILURE;
+		}
 		ZEND_HASH_FOREACH_KEY_VAL(Z_ARRVAL(retval), idx, key, ent) {
 			if (key == NULL) {
 				key = zend_long_to_str(idx);
@@ -908,7 +912,7 @@ static void php_wddx_pop_element(void *user_data, const XML_Char *name)
 
 				if (ent1->varname) {
 					if (!strcmp(ent1->varname, PHP_CLASS_NAME_VAR) &&
-						Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data)) {
+						Z_TYPE(ent1->data) == IS_STRING && Z_STRLEN(ent1->data) && ent2->type == ST_STRUCT) {
 						zend_bool incomplete_class = 0;
 
 						zend_str_tolower(Z_STRVAL(ent1->data), Z_STRLEN(ent1->data));

ext/xmlrpc/tests/bug70728.phpt

@@ -0,0 +1,30 @@
+--TEST--
+Bug #70728 (Type Confusion Vulnerability in PHP_to_XMLRPC_worker)
+--SKIPIF--
+<?php
+if (!extension_loaded("xmlrpc")) print "skip";
+?>
+--FILE--
+<?php
+$obj = new stdClass;
+$obj->xmlrpc_type = 'base64';
+$obj->scalar = 0x1122334455;
+var_dump(xmlrpc_encode($obj));
+var_dump($obj);
+?>
+--EXPECTF--	
+string(135) "<?xml version="1.0" encoding="utf-8"?>
+<params>
+<param>
+ <value>
+  <base64>NzM1ODgyMjkyMDU=&#10;</base64>
+ </value>
+</param>
+</params>
+"
+object(stdClass)#1 (2) {
+  ["xmlrpc_type"]=>
+  string(6) "base64"
+  ["scalar"]=>
+  int(73588229205)
+}

ext/xmlrpc/xmlrpc-epi-php.c

@@ -514,7 +514,15 @@ static XMLRPC_VALUE PHP_to_XMLRPC_worker (const char* key, zval* in_val, int dep
 						xReturn = XMLRPC_CreateValueEmpty();
 						XMLRPC_SetValueID(xReturn, key, 0);
 					} else {
-						xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val));
+						if (Z_TYPE(val) != IS_STRING) {
+							zval newvalue;
+							ZVAL_DUP(&newvalue, &val);
+							convert_to_string(&newvalue);
+							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(newvalue), Z_STRLEN(newvalue));
+							zval_dtor(&newvalue);
+						} else {
+							xReturn = XMLRPC_CreateValueBase64(key, Z_STRVAL(val), Z_STRLEN(val));
+						}
 					}
 					break;
 				case xmlrpc_datetime:
@@ -1357,7 +1365,7 @@ XMLRPC_VALUE_TYPE get_zval_xmlrpc_type(zval* value, zval* newvalue) /* {{{ */
 		if (newvalue) {
 			zval* val;
 
-			if ((type == xmlrpc_base64 && Z_TYPE_P(value) != IS_NULL) || type == xmlrpc_datetime) {
+			if ((type == xmlrpc_base64 && Z_TYPE_P(value) == IS_OBJECT) || type == xmlrpc_datetime) {
 				if ((val = zend_hash_str_find(Z_OBJPROP_P(value), OBJECT_VALUE_ATTR, sizeof(OBJECT_VALUE_ATTR) - 1)) != NULL) {
 					ZVAL_COPY_VALUE(newvalue, val);
 				}

sapi/fpm/fpm/fpm_log.c

@@ -448,6 +448,11 @@ int fpm_log_write(char *log_format) /* {{{ */
 				b += len2;
 				len += len2;
 			}
+			if (len >= FPM_LOG_BUFFER) {
+				zlog(ZLOG_NOTICE, "the log buffer is full (%d). The access log request has been truncated.", FPM_LOG_BUFFER);
+				len = FPM_LOG_BUFFER;
+				break;
+			}
 			continue;
 		}