Merge branch 'PHP-7.0' into PHP-7.1

* PHP-7.0:
  Fix tsrm_ls
  Fix #76129 - remove more potential unfiltered outputs for phar
  Fix test
  Fix bug #76248 - Malicious LDAP-Server Response causes Crash
  Fix bug #76249 - fail on invalid sequences
  Fix #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
  Fix bug #75981: prevent reading beyond buffer start

ext/exif/exif.c

@@ -1704,7 +1704,7 @@ static void exif_iif_add_value(image_info_type *image_info, int section_index, c
 		case TAG_FMT_UNDEFINED:
 			if (value) {
 				if (tag == TAG_MAKER_NOTE) {
-					length = MIN(length, strlen(value));
+					length = (int) php_strnlen(value, length);
 				}
 
 				/* do not recompute length here */

ext/exif/tests/bug76130.phpt

@@ -0,0 +1,20 @@
+--TEST--
+Bug #76130 (Heap Buffer Overflow (READ: 1786) in exif_iif_add_value)
+--DESCRIPTION--
+This test is meant to exhibit memory issues with the `-m` option. Since a lot of
+notices and warnings are to be expected anyway, we suppress these, since the are
+not relevant for this test.
+--INI--
+error_reporting=E_ALL & ~E_WARNING & ~E_NOTICE
+--SKIPIF--
+<?php
+if (!extension_loaded('exif')) die('skip exif extension not available');
+?>
+--FILE--
+<?php
+exif_read_data(__DIR__ . '/bug76130_1.jpg');
+exif_read_data(__DIR__ . '/bug76130_2.jpg');
+?>
+===DONE===
+--EXPECT--
+===DONE===

ext/iconv/iconv.c

@@ -2658,6 +2658,9 @@ static int php_iconv_stream_filter_append_bucket(
 								tcnt = 0;
 								break;
 							}
+						} else {
+						    php_error_docref(NULL, E_WARNING, "iconv stream filter (\"%s\"=>\"%s\"): invalid multibyte sequence", self->from_charset, self->to_charset);
+						    goto out_failure;
 						}
 						break;
 

ext/iconv/tests/bug76249.phpt

@@ -0,0 +1,18 @@
+--TEST--
+Bug #76249 (stream filter convert.iconv leads to infinite loop on invalid sequence)
+--SKIPIF--
+<?php extension_loaded('iconv') or die('skip iconv extension is not available'); ?>
+--FILE--
+<?php
+$fh = fopen('php://memory', 'rw');
+fwrite($fh, "abc");
+rewind($fh);
+stream_filter_append($fh, 'convert.iconv.ucs-2/utf8//IGNORE', STREAM_FILTER_READ, []);
+$a = stream_get_contents($fh);
+var_dump(strlen($a));
+?>
+DONE
+--EXPECTF--
+Warning: stream_get_contents(): iconv stream filter ("ucs-2"=>"utf8//IGNORE"): invalid multibyte sequence in %sbug76249.php on line %d
+int(3)
+DONE

ext/ldap/ldap.c

@@ -1170,7 +1170,11 @@ PHP_FUNCTION(ldap_get_entries)
 
 		add_assoc_long(&tmp1, "count", num_attrib);
 		dn = ldap_get_dn(ldap, ldap_result_entry);
-		add_assoc_string(&tmp1, "dn", dn);
+		if (dn) {
+			add_assoc_string(&tmp1, "dn", dn);
+		} else {
+			add_assoc_null(&tmp1, "dn");
+		}
 #if (LDAP_API_VERSION > 2000) || HAVE_NSLDAP || HAVE_ORALDAP || WINDOWS
 		ldap_memfree(dn);
 #else

ext/ldap/tests/bug76248.phpt

@@ -0,0 +1,40 @@
+--TEST--
+Bug #76248 (Malicious LDAP-Server Response causes Crash)
+--SKIPIF--
+<?php
+require_once('skipif.inc');
+if (!function_exists('pcntl_fork')) die('skip fork not available');
+?>
+--FILE--
+<?php
+$pid = pcntl_fork();
+const PORT = 12345;
+if ($pid == 0) {
+	// child
+    $server = stream_socket_server("tcp://127.0.0.1:12345");
+	$socket = stream_socket_accept($server, 3);
+	fwrite($socket, base64_decode("MAwCAQFhBwoBAAQABAAweQIBAmR0BJljbj1yb290LGRjPWV4YW1wbGUsZGM9Y29tMFcwIwQLb2JqZWN0Q2xhc3MxFAQSb3JnYW5pemF0aW9uYWxSb2xlMAwEAmNuMQYEBHJvb3QwIgQLZGVzY3JpcHRpb24xEwQRRGlyZWN0b3J5IE1hbmFnZXIwDAIBAmUHCgEABAAEADB5AgEDZHQEmWNuPXJvb3QsZGM9ZXhhbXBsZSxkYz1jb20wVzAjBAtvYmplY3RDbGFzczEUBBJvcmdhbml6YXRpb25hbFJvbGUwDAQCY24xBgQEcm9vdDAiBAtkZXNjcmlwdGlvbjETBBFEaXJlY3RvcnkgTWFuYWdlcjAMAgEDZQcKAQAEAAQA"));
+	fflush($socket);	
+} else {
+	// parent
+	$ds = ldap_connect("127.0.0.1", PORT);
+	ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
+	$b = ldap_bind($ds, "cn=root,dc=example,dc=com", "secret");
+
+	$s = ldap_search($ds, "dc=example,dc=com", "(cn=root)"); 
+	$tt = ldap_get_entries($ds, $s);
+	var_dump($tt);
+}
+?>
+--EXPECT--
+array(2) {
+  ["count"]=>
+  int(1)
+  [0]=>
+  array(2) {
+    ["count"]=>
+    int(0)
+    ["dn"]=>
+    NULL
+  }
+}

ext/phar/phar_object.c

@@ -308,8 +308,7 @@ static void phar_do_403(char *entry, int entry_len) /* {{{ */
 	sapi_header_op(SAPI_HEADER_REPLACE, &ctr);
 	sapi_send_headers();
 	PHPWRITE("<html>\n <head>\n  <title>Access Denied</title>\n </head>\n <body>\n  <h1>403 - File ", sizeof("<html>\n <head>\n  <title>Access Denied</title>\n </head>\n <body>\n  <h1>403 - File ") - 1);
-	PHPWRITE(entry, entry_len);
-	PHPWRITE(" Access Denied</h1>\n </body>\n</html>", sizeof(" Access Denied</h1>\n </body>\n</html>") - 1);
+	PHPWRITE("Access Denied</h1>\n </body>\n</html>", sizeof("Access Denied</h1>\n </body>\n</html>") - 1);
 }
 /* }}} */
 
@@ -333,8 +332,7 @@ static void phar_do_404(phar_archive_data *phar, char *fname, int fname_len, cha
 	sapi_header_op(SAPI_HEADER_REPLACE, &ctr);
 	sapi_send_headers();
 	PHPWRITE("<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File ", sizeof("<html>\n <head>\n  <title>File Not Found</title>\n </head>\n <body>\n  <h1>404 - File ") - 1);
-	PHPWRITE(entry, entry_len);
-	PHPWRITE(" Not Found</h1>\n </body>\n</html>",  sizeof(" Not Found</h1>\n </body>\n</html>") - 1);
+	PHPWRITE("Not Found</h1>\n </body>\n</html>",  sizeof("Not Found</h1>\n </body>\n</html>") - 1);
 }
 /* }}} */
 

ext/phar/tests/cache_list/frontcontroller10.phpt

@@ -20,6 +20,6 @@ Status: 403 Access Denied
   <title>Access Denied</title>
  </head>
  <body>
-  <h1>403 - File /hi Access Denied</h1>
+  <h1>403 - File Access Denied</h1>
  </body>
 </html>

ext/phar/tests/cache_list/frontcontroller6.phpt

@@ -18,6 +18,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /notfound.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>

ext/phar/tests/cache_list/frontcontroller8.phpt

@@ -18,6 +18,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /index.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>

ext/phar/tests/frontcontroller10.phpt

@@ -19,6 +19,6 @@ Status: 403 Access Denied
   <title>Access Denied</title>
  </head>
  <body>
-  <h1>403 - File /hi Access Denied</h1>
+  <h1>403 - File Access Denied</h1>
  </body>
 </html>

ext/phar/tests/frontcontroller6.phpt

@@ -16,6 +16,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /notfound.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>

ext/phar/tests/frontcontroller8.phpt

@@ -16,6 +16,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /index.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>

ext/phar/tests/tar/frontcontroller10.phar.phpt

@@ -19,6 +19,6 @@ Status: 403 Access Denied
   <title>Access Denied</title>
  </head>
  <body>
-  <h1>403 - File /hi Access Denied</h1>
+  <h1>403 - File Access Denied</h1>
  </body>
 </html>

ext/phar/tests/tar/frontcontroller6.phar.phpt

@@ -16,6 +16,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /notfound.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>

ext/phar/tests/tar/frontcontroller8.phar.phpt

@@ -16,6 +16,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /index.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>

ext/phar/tests/zip/frontcontroller10.phar.phpt

@@ -19,6 +19,6 @@ Status: 403 Access Denied
   <title>Access Denied</title>
  </head>
  <body>
-  <h1>403 - File /hi Access Denied</h1>
+  <h1>403 - File Access Denied</h1>
  </body>
 </html>

ext/phar/tests/zip/frontcontroller6.phar.phpt

@@ -17,6 +17,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /notfound.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>

ext/phar/tests/zip/frontcontroller8.phar.phpt

@@ -16,6 +16,6 @@ Status: 404 Not Found
   <title>File Not Found</title>
  </head>
  <body>
-  <h1>404 - File /index.php Not Found</h1>
+  <h1>404 - File Not Found</h1>
  </body>
 </html>