/73190.diff Secret

## 73190.diff
commit 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
Author: Stanislav Malyshev <stas@php.net>
Date:   Mon Oct 3 00:09:02 2016 -0700

    Fix bug #73190: memcpy negative parameter _bc_new_num_ex

diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
index fda4d21..e656575 100644
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@@ -229,13 +229,9 @@ ZEND_METHOD(exception, __construct)
 /* {{{ proto Exception::__wakeup()
    Exception unserialize checks */
 #define CHECK_EXC_TYPE(name, type) \
-	value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \
+	value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \
 	if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \
-		zval *tmp; \
-		MAKE_STD_ZVAL(tmp); \
-		ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \
-		Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \
-		zval_ptr_dtor(&tmp); \
+		zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \
 	}

 ZEND_METHOD(exception, __wakeup)
@@ -248,7 +244,12 @@ ZEND_METHOD(exception, __wakeup)
 	CHECK_EXC_TYPE("file", IS_STRING);
 	CHECK_EXC_TYPE("line", IS_LONG);
 	CHECK_EXC_TYPE("trace", IS_ARRAY);
-	CHECK_EXC_TYPE("previous", IS_OBJECT);
+	value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+	if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT ||
+			!instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) ||
+			value == object)) {
+		zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC);
+	}
 }
 /* }}} */

@@ -727,7 +728,11 @@ ZEND_METHOD(exception, __toString)
 		zval_dtor(&file);
 		zval_dtor(&line);

-		exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC);
+		Z_OBJPROP_P(exception)->nApplyCount++;
+		exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+		if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) {
+			exception = NULL;
+		}

 		if (trace) {
 			zval_ptr_dtor(&trace);
@@ -736,6 +741,17 @@ ZEND_METHOD(exception, __toString)
 	}
 	zval_dtor(&fname);

+	/* Reset apply counts */
+	exception = getThis();
+	while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) {
+		if(Z_OBJPROP_P(exception)->nApplyCount) {
+			Z_OBJPROP_P(exception)->nApplyCount--;
+		} else {
+			break;
+		}
+		exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
+	}
+
 	/* We store the result in the private property string so we can access
 	 * the result in uncaught exception handlers without memleaks. */
 	zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC);
diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c
index 986ad1d..c51133b 100644
--- a/ext/bcmath/libbcmath/src/init.c
+++ b/ext/bcmath/libbcmath/src/init.c
@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
      int length, scale, persistent;
 {
   bc_num temp;
-
+  /* PHP Change:  add length check */
+  if ((size_t)length+(size_t)scale > INT_MAX) {
+   zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
+  }
   /* PHP Change:  malloc() -> pemalloc(), removed free_list code */
   temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
 #if 0
diff --git a/ext/bcmath/libbcmath/src/outofmem.c b/ext/bcmath/libbcmath/src/outofmem.c
index 799a32d..05fa484 100644
--- a/ext/bcmath/libbcmath/src/outofmem.c
+++ b/ext/bcmath/libbcmath/src/outofmem.c
@@ -41,6 +41,5 @@

 void bc_out_of_memory (void)
 {
-  (void) fprintf (stderr, "bcmath: out of memory!\n");
-  exit (1);
+  zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
 }
diff --git a/main/php_version.h b/main/php_version.h
index 1868cf0..8fa4040 100644
--- a/main/php_version.h
+++ b/main/php_version.h
@@ -2,7 +2,7 @@
 /* edit configure.in to change version number */
 #define PHP_MAJOR_VERSION 5
 #define PHP_MINOR_VERSION 6
-#define PHP_RELEASE_VERSION 27
+#define PHP_RELEASE_VERSION 26
 #define PHP_EXTRA_VERSION "-dev"
-#define PHP_VERSION "5.6.27-dev"
-#define PHP_VERSION_ID 50627
+#define PHP_VERSION "5.6.26-dev"
+#define PHP_VERSION_ID 50626
	commit 40e7baab3c90001beee4c8f0ed0ef79ad18ee0d6
	Author: Stanislav Malyshev <stas@php.net>
	Date: Mon Oct 3 00:09:02 2016 -0700

	Fix bug #73190: memcpy negative parameter _bc_new_num_ex

	diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
	index fda4d21..e656575 100644
	--- a/Zend/zend_exceptions.c
	+++ b/Zend/zend_exceptions.c
	@@ -229,13 +229,9 @@ ZEND_METHOD(exception, __construct)
	/* {{{ proto Exception::__wakeup()
	Exception unserialize checks */
	#define CHECK_EXC_TYPE(name, type) \
	- value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 0 TSRMLS_CC); \
	+ value = zend_read_property(default_exception_ce, object, name, sizeof(name)-1, 1 TSRMLS_CC); \
	if (value && Z_TYPE_P(value) != IS_NULL && Z_TYPE_P(value) != type) { \
	- zval *tmp; \
	- MAKE_STD_ZVAL(tmp); \
	- ZVAL_STRINGL(tmp, name, sizeof(name)-1, 1); \
	- Z_OBJ_HANDLER_P(object, unset_property)(object, tmp, 0 TSRMLS_CC); \
	- zval_ptr_dtor(&tmp); \
	+ zend_unset_property(default_exception_ce, object, name, sizeof(name)-1 TSRMLS_CC); \
	}

	ZEND_METHOD(exception, __wakeup)
	@@ -248,7 +244,12 @@ ZEND_METHOD(exception, __wakeup)
	CHECK_EXC_TYPE("file", IS_STRING);
	CHECK_EXC_TYPE("line", IS_LONG);
	CHECK_EXC_TYPE("trace", IS_ARRAY);
	- CHECK_EXC_TYPE("previous", IS_OBJECT);
	+ value = zend_read_property(default_exception_ce, object, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
	+ if (value && Z_TYPE_P(value) != IS_NULL && (Z_TYPE_P(value) != IS_OBJECT \|\|
	+ !instanceof_function(Z_OBJCE_P(value), default_exception_ce TSRMLS_CC) \|\|
	+ value == object)) {
	+ zend_unset_property(default_exception_ce, object, "previous", sizeof("previous")-1 TSRMLS_CC);
	+ }
	}
	/* }}} */

	@@ -727,7 +728,11 @@ ZEND_METHOD(exception, __toString)
	zval_dtor(&file);
	zval_dtor(&line);

	- exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 0 TSRMLS_CC);
	+ Z_OBJPROP_P(exception)->nApplyCount++;
	+ exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
	+ if (exception && Z_TYPE_P(exception) == IS_OBJECT && Z_OBJPROP_P(exception)->nApplyCount > 0) {
	+ exception = NULL;
	+ }

	if (trace) {
	zval_ptr_dtor(&trace);
	@@ -736,6 +741,17 @@ ZEND_METHOD(exception, __toString)
	}
	zval_dtor(&fname);

	+ /* Reset apply counts */
	+ exception = getThis();
	+ while (exception && Z_TYPE_P(exception) == IS_OBJECT && instanceof_function(Z_OBJCE_P(exception), default_exception_ce TSRMLS_CC)) {
	+ if(Z_OBJPROP_P(exception)->nApplyCount) {
	+ Z_OBJPROP_P(exception)->nApplyCount--;
	+ } else {
	+ break;
	+ }
	+ exception = zend_read_property(default_exception_ce, exception, "previous", sizeof("previous")-1, 1 TSRMLS_CC);
	+ }
	+
	/* We store the result in the private property string so we can access
	* the result in uncaught exception handlers without memleaks. */
	zend_update_property_string(default_exception_ce, getThis(), "string", sizeof("string")-1, str TSRMLS_CC);
	diff --git a/ext/bcmath/libbcmath/src/init.c b/ext/bcmath/libbcmath/src/init.c
	index 986ad1d..c51133b 100644
	--- a/ext/bcmath/libbcmath/src/init.c
	+++ b/ext/bcmath/libbcmath/src/init.c
	@@ -49,7 +49,10 @@ _bc_new_num_ex (length, scale, persistent)
	int length, scale, persistent;
	{
	bc_num temp;
	-
	+ /* PHP Change: add length check */
	+ if ((size_t)length+(size_t)scale > INT_MAX) {
	+ zend_error(E_ERROR, "Result too long, max is %d", INT_MAX);
	+ }
	/* PHP Change: malloc() -> pemalloc(), removed free_list code */
	temp = (bc_num) safe_pemalloc (1, sizeof(bc_struct)+length, scale, persistent);
	#if 0
	diff --git a/ext/bcmath/libbcmath/src/outofmem.c b/ext/bcmath/libbcmath/src/outofmem.c
	index 799a32d..05fa484 100644
	--- a/ext/bcmath/libbcmath/src/outofmem.c
	+++ b/ext/bcmath/libbcmath/src/outofmem.c
	@@ -41,6 +41,5 @@

	void bc_out_of_memory (void)
	{
	- (void) fprintf (stderr, "bcmath: out of memory!\n");
	- exit (1);
	+ zend_error_noreturn(E_ERROR, "bcmath: out of memory!");
	}
	diff --git a/main/php_version.h b/main/php_version.h
	index 1868cf0..8fa4040 100644
	--- a/main/php_version.h
	+++ b/main/php_version.h
	@@ -2,7 +2,7 @@
	/* edit configure.in to change version number */
	#define PHP_MAJOR_VERSION 5
	#define PHP_MINOR_VERSION 6
	-#define PHP_RELEASE_VERSION 27
	+#define PHP_RELEASE_VERSION 26
	#define PHP_EXTRA_VERSION "-dev"
	-#define PHP_VERSION "5.6.27-dev"
	-#define PHP_VERSION_ID 50627
	+#define PHP_VERSION "5.6.26-dev"
	+#define PHP_VERSION_ID 50626