Merge branch 'PHP-5.6'

* PHP-5.6: (27 commits) fix non-standard C update NEWS 5.4.41 next fix CVE num update NEWS Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in phar_set_inode) fix test fix type in fix for #69085 fix memory leak & add test Fix tests fix CVE num Fix bug #69337 (php_stream_url_wrap_http_ex() type-confusion vulnerability) Fix test Additional fix for bug #69324 More fixes for bug #69152 Fixed bug #69353 (Missing null byte checks for paths in various PHP extensions) Fixed bug #69324 (Buffer Over-read in unserialize when parsing Phar) Fixed bug #69316 (Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER) Fix bug #68486 and bug #69218 (segfault in apache2handler with apache 2.4) Fix bug #68819 (Fileinfo on specific file causes spurious OOM and/or segfault) ... Conflicts: Zend/zend_exceptions.c ext/curl/interface.c ext/dom/document.c ext/fileinfo/libmagic/softmagic.c ext/gd/gd.c ext/hash/hash.c ext/pgsql/pgsql.c ext/phar/phar.c ext/phar/phar_internal.h ext/standard/http_fopen_wrapper.c ext/standard/link.c ext/standard/streamsfuncs.c ext/xmlwriter/php_xmlwriter.c ext/zlib/zlib.c
11 years ago · b3709bfc52
33 changed files with 320 additions and 81 deletions
--- a/Zend/zend_exceptions.c
+++ b/Zend/zend_exceptions.c
@ -557,6 +557,9 @@ ZEND_METHOD(exception, getTraceAsString)
 	DEFAULT_0_PARAMS;

 	trace = zend_read_property(base_exception_ce, getThis(), "trace", sizeof("trace")-1, 1, &rv);
+	if(Z_TYPE_P(trace) != IS_ARRAY) {
+		RETURN_FALSE;
+	}
 	ZEND_HASH_FOREACH_NUM_KEY_VAL(Z_ARRVAL_P(trace), index, frame) {
 		if (Z_TYPE_P(frame) != IS_ARRAY) {
 			zend_error(E_WARNING, "Expected array for frame %pu", index);
--- a/ext/curl/interface.c
+++ b/ext/curl/interface.c
@ -1345,6 +1345,7 @@ static size_t curl_write(char *data, size_t size, size_t nmemb, void *ctx)
 				php_error_docref(NULL, E_WARNING, "Could not call the CURLOPT_WRITEFUNCTION");
 				length = -1;
 			} else if (!Z_ISUNDEF(retval)) {
+				_php_curl_verify_handlers(ch, 1);
 				if (Z_TYPE(retval) != IS_LONG) {
 					convert_to_long_ex(&retval);
 				}
@ -1397,6 +1398,7 @@ static int curl_fnmatch(void *ctx, const char *pattern, const char *string)
 			if (error == FAILURE) {
 				php_error_docref(NULL, E_WARNING, "Cannot call the CURLOPT_FNMATCH_FUNCTION");
 			} else if (!Z_ISUNDEF(retval)) {
+				_php_curl_verify_handlers(ch, 1);
 				if (Z_TYPE(retval) != IS_LONG) {
 					convert_to_long_ex(&retval);
 				}
@ -1456,6 +1458,7 @@ static size_t curl_progress(void *clientp, double dltotal, double dlnow, double
 			if (error == FAILURE) {
 				php_error_docref(NULL, E_WARNING, "Cannot call the CURLOPT_PROGRESSFUNCTION");
 			} else if (!Z_ISUNDEF(retval)) {
+				_php_curl_verify_handlers(ch, 1);
 				if (Z_TYPE(retval) != IS_LONG) {
 					convert_to_long_ex(&retval);
 				}
@ -1524,6 +1527,7 @@ static size_t curl_read(char *data, size_t size, size_t nmemb, void *ctx)
 				length = CURL_READFUNC_ABORT;
 #endif
 			} else if (!Z_ISUNDEF(retval)) {
+				_php_curl_verify_handlers(ch, 1);
 				if (Z_TYPE(retval) == IS_STRING) {
 					length = MIN((int) (size * nmemb), Z_STRLEN(retval));
 					memcpy(data, Z_STRVAL(retval), length);
@ -1589,6 +1593,7 @@ static size_t curl_write_header(char *data, size_t size, size_t nmemb, void *ctx
 				php_error_docref(NULL, E_WARNING, "Could not call the CURLOPT_HEADERFUNCTION");
 				length = -1;
 			} else if (!Z_ISUNDEF(retval)) {
+				_php_curl_verify_handlers(ch, 1);
 				if (Z_TYPE(retval) != IS_LONG) {
 					convert_to_long_ex(&retval);
 				}
--- a/ext/curl/tests/bug69316.phpt
+++ b/ext/curl/tests/bug69316.phpt
@ -0,0 +1,45 @@
+--TEST--
+Bug #69316: Use-after-free in php_curl related to CURLOPT_FILE/_INFILE/_WRITEHEADER
+--SKIPIF--
+<?php include 'skipif.inc'; ?>
+--FILE--
+<?php
+  function hdr_callback($ch, $data) {
+      // close the stream, causing the FILE structure to be free()'d
+      if($GLOBALS['f_file']) {
+          fclose($GLOBALS['f_file']); $GLOBALS['f_file'] = 0;
+
+          // cause an allocation of approx the same size as a FILE structure, size varies a bit depending on platform/libc
+          $FILE_size = (PHP_INT_SIZE == 4 ? 0x160 : 0x238);
+          curl_setopt($ch, CURLOPT_COOKIE, str_repeat("a", $FILE_size - 1));
+      }
+      return strlen($data);
+  }
+
+  include 'server.inc';
+  $host = curl_cli_server_start();
+  $temp_file = dirname(__FILE__) . '/body.tmp';
+  $url = "{$host}/get.php?test=getpost";
+  $ch = curl_init();
+  $f_file = fopen($temp_file, "w") or die("failed to open file\n");
+  curl_setopt($ch, CURLOPT_BUFFERSIZE, 10);
+  curl_setopt($ch, CURLOPT_HEADERFUNCTION, "hdr_callback");
+  curl_setopt($ch, CURLOPT_FILE, $f_file);
+  curl_setopt($ch, CURLOPT_URL, $url);
+  curl_exec($ch);
+  curl_close($ch);
+?>
+===DONE===
+--CLEAN--
+<?php
+unlink(dirname(__FILE__) . '/body.tmp');
+?>
+--EXPECTF--
+Warning: curl_exec(): CURLOPT_FILE resource has gone away, resetting to default in %s on line %d
+array(1) {
+  ["test"]=>
+  string(7) "getpost"
+}
+array(0) {
+}
+===DONE===
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@ -1379,7 +1379,11 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, size_t so
 	xmlInitParser();

 	if (mode == DOM_LOAD_FILE) {
-		char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN );
+		char *file_dest;
+		if (CHECK_NULL_PATH(source, source_len)) {
+			return NULL;
+		}
+		file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN);
 		if (file_dest) {
 			ctxt = xmlCreateFileParserCtxt(file_dest);
 		}
@ -1979,7 +1983,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */

 	id = getThis();

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &source, &source_len, &options) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &source, &source_len, &options) == FAILURE) {
 		return;
 	}

--- a/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt
+++ b/ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt
@ -13,6 +13,11 @@ assert.bail=true
 $doc = new DOMDocument();
 $result = $doc->loadHTMLFile("");
 assert('$result === false');
+$doc = new DOMDocument();
+$result = $doc->loadHTMLFile("text.html\0something");
+assert('$result === null');
 ?>
 --EXPECTF--
 %r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile(): Empty string supplied as input %s
+
+%r(PHP ){0,1}%rWarning: DOMDocument::loadHTMLFile() expects parameter 1 to be a valid path, string given %s
--- a/ext/fileinfo/fileinfo.c
+++ b/ext/fileinfo/fileinfo.c
@ -531,6 +531,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime
 				RETVAL_FALSE;
 				goto clean;
 			}
+			if (CHECK_NULL_PATH(buffer, buffer_len)) {
+				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+				RETVAL_FALSE;
+				goto clean;
+			}

 			wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0);

--- a/ext/fileinfo/libmagic/softmagic.c
+++ b/ext/fileinfo/libmagic/softmagic.c
@ -1101,7 +1101,14 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
 			if (bytecnt > nbytes) {
 				bytecnt = nbytes;
 			}
-
+			if (offset > bytecnt) {
+				offset = bytecnt;
+			}
+			if (s == NULL) {
+				ms->search.s_len = 0;
+				ms->search.s = NULL;
+				return 0;
+			}
 			buf = RCAST(const char *, s) + offset;
 			end = last = RCAST(const char *, s) + bytecnt;
 			/* mget() guarantees buf <= last */
--- a/ext/fileinfo/tests/bug68819_001.phpt
+++ b/ext/fileinfo/tests/bug68819_001.phpt
--- a/ext/fileinfo/tests/bug68819_002.phpt
+++ b/ext/fileinfo/tests/bug68819_002.phpt
@ -0,0 +1,26 @@
+--TEST--
+Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2
+--SKIPIF--
+<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
+--FILE--
+<?php
+
+$string = '';
+
+// These two in any order
+$string .= "\r\n";
+$string .= "''''";
+
+// Total string length > 8192
+$string .= str_repeat(chr(rand(32, 127)), 8184);
+
+// Ending in this string
+$string .= "say";
+
+$finfo = new finfo();
+$type = $finfo->buffer($string);
+var_dump($type);
+
+?>
+--EXPECT--
+string(60) "ASCII text, with very long lines, with CRLF line terminators"
--- a/ext/fileinfo/tests/finfo_file_basic.phpt
+++ b/ext/fileinfo/tests/finfo_file_basic.phpt
@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n";
 var_dump( finfo_file( $finfo, __FILE__) );
 var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) );
 var_dump( finfo_file( $finfo, $magicFile ) );
+var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) );

 ?>
 ===DONE===
@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) );
 string(28) "text/x-php; charset=us-ascii"
 string(22) "PHP script, ASCII text"
 string(25) "text/plain; charset=utf-8"
+
+Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d
+bool(false)
 ===DONE===
--- a/ext/gd/gd.c
+++ b/ext/gd/gd.c
@ -2405,7 +2405,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 #endif

 	if (image_type == PHP_GDIMG_TYPE_GD2PART) {
-		if (zend_parse_parameters(ZEND_NUM_ARGS(), "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
+		if (zend_parse_parameters(ZEND_NUM_ARGS(), "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
 			return;
 		}
 		if (width < 1 || height < 1) {
@ -2413,7 +2413,7 @@ static void _php_image_create_from(INTERNAL_FUNCTION_PARAMETERS, int image_type,
 			RETURN_FALSE;
 		}
 	} else {
-		if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &file, &file_len) == FAILURE) {
+		if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &file, &file_len) == FAILURE) {
 			return;
 		}
 	}
@ -4155,7 +4155,7 @@ PHP_FUNCTION(imagepsencodefont)
 	size_t enc_len;
 	int *f_ind;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rs", &fnt, &enc, &enc_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rp", &fnt, &enc, &enc_len) == FAILURE) {
 		return;
 	}

--- a/ext/gd/tests/imageloadfont_error1.phpt
+++ b/ext/gd/tests/imageloadfont_error1.phpt
@ -3,7 +3,7 @@ Testing that imageloadfont() breaks on non-string first parameter
 --CREDITS--
 Neveo Harrison <neveoo [at] gmail [dot] com> #testfest #tek11
 --SKIPIF--
-<?php 
+<?php
 	if (!extension_loaded("gd")) die("skip GD not present");
 ?>
 --FILE--
--- a/ext/hash/hash.c
+++ b/ext/hash/hash.c
@ -137,6 +137,7 @@ static void php_hash_do_hash(INTERNAL_FUNCTION_PARAMETERS, int isfilename, zend_
 	}
 	if (isfilename) {
 		if (CHECK_NULL_PATH(data, data_len)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
 			RETURN_FALSE;
 		}
 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
@ -254,6 +255,10 @@ static void php_hash_do_hash_hmac(INTERNAL_FUNCTION_PARAMETERS, int isfilename,
 		RETURN_FALSE;
 	}
 	if (isfilename) {
+		if (CHECK_NULL_PATH(data, data_len)) {
+			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+			RETURN_FALSE;
+		}
 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
 		if (!stream) {
 			/* Stream will report errors opening file */
@ -464,7 +469,7 @@ PHP_FUNCTION(hash_update_file)
 	char *filename, buf[1024];
 	size_t filename_len, n;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
 		return;
 	}

--- a/ext/hash/tests/hash_hmac_file_error.phpt
+++ b/ext/hash/tests/hash_hmac_file_error.phpt
@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg);
 echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n";
 hash_hmac_file('foo', $file, $key, TRUE);

+echo "\n-- Testing hash_hmac_file() function with bad path --\n";
+hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE);
+
 ?>
 ===Done===
 --EXPECTF--
@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d
 -- Testing hash_hmac_file() function with invalid hash algorithm --

 Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d
+
+-- Testing hash_hmac_file() function with bad path --
+
+Warning: hash_hmac_file(): Invalid path in %s on line %d
 ===Done===
--- a/ext/pgsql/pgsql.c
+++ b/ext/pgsql/pgsql.c
@ -3126,7 +3126,7 @@ PHP_FUNCTION(pg_trace)
 	php_stream *stream;
 	zend_resource *link;

-	if (zend_parse_parameters(argc, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
+	if (zend_parse_parameters(argc, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
 		return;
 	}

--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@ -604,48 +604,37 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
 *
 * data is the serialized zval
 */
-int phar_parse_metadata(char **buffer, zval *metadata, int zip_metadata_len) /* {{{ */
+int phar_parse_metadata(char **buffer, zval *metadata, php_uint32 zip_metadata_len) /* {{{ */
 {
-	const unsigned char *p;
-	php_uint32 buf_len;
 	php_unserialize_data_t var_hash;

-	if (!zip_metadata_len) {
-		PHAR_GET_32(*buffer, buf_len);
-	} else {
-		buf_len = zip_metadata_len;
-	}
-
-	if (buf_len) {
+	if (zip_metadata_len) {
+		const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len);
+		p = p_buff;
 		ZVAL_NULL(metadata);
-		p = (const unsigned char*) *buffer;
 		PHP_VAR_UNSERIALIZE_INIT(var_hash);

-		if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash)) {
+		if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash)) {
+			efree(p_buff);
 			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
 			zval_ptr_dtor(metadata);
 			ZVAL_UNDEF(metadata);
 			return FAILURE;
 		}
-
+		efree(p_buff);
 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

 		if (PHAR_G(persist)) {
 			/* lazy init metadata */
 			zval_ptr_dtor(metadata);
-			Z_PTR_P(metadata) = pemalloc(buf_len, 1);
-			memcpy(Z_PTR_P(metadata), *buffer, buf_len);
-			*buffer += buf_len;
+			Z_PTR_P(metadata) = pemalloc(zip_metadata_len, 1);
+			memcpy(Z_PTR_P(metadata), *buffer, zip_metadata_len);
 			return SUCCESS;
 		}
 	} else {
 		ZVAL_UNDEF(metadata);
 	}

-	if (!zip_metadata_len) {
-		*buffer += buf_len;
-	}
-
 	return SUCCESS;
 }
 /* }}}*/
@ -666,6 +655,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 	phar_entry_info entry;
 	php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
 	php_uint16 manifest_ver;
+	php_uint32 len;
 	zend_long offset;
 	int sig_len, register_alias = 0, temp_alias = 0;
 	char *signature = NULL;
@ -1031,16 +1021,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 	mydata->is_persistent = PHAR_G(persist);

 	/* check whether we have meta data, zero check works regardless of byte order */
+	PHAR_GET_32(buffer, len);
 	if (mydata->is_persistent) {
-		PHAR_GET_32(buffer, mydata->metadata_len);
-		if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len) == FAILURE) {
-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
-		}
-	} else {
-		if (phar_parse_metadata(&buffer, &mydata->metadata, 0) == FAILURE) {
-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+		mydata->metadata_len = len;
+		if(!len) {
+			/* FIXME: not sure why this is needed but removing it breaks tests */
+			PHAR_GET_32(buffer, len);
 		}
 	}
+	if(len > endbuffer - buffer) {
+		MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
+	}
+	if (phar_parse_metadata(&buffer, &mydata->metadata, len) == FAILURE) {
+		MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+	}
+	buffer += len;

 	/* set up our manifest */
 	zend_hash_init(&mydata->manifest, manifest_count,
@ -1075,7 +1070,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 			entry.manifest_pos = manifest_index;
 		}

-		if (buffer + entry.filename_len + 20 > endbuffer) {
+		if (entry.filename_len + 20 > endbuffer - buffer) {
 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
 		}

@ -1111,19 +1106,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
 			entry.flags |= PHAR_ENT_PERM_DEF_DIR;
 		}

+		PHAR_GET_32(buffer, len);
 		if (entry.is_persistent) {
-			PHAR_GET_32(buffer, entry.metadata_len);
-			if (!entry.metadata_len) buffer -= 4;
-			if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len) == FAILURE) {
-				pefree(entry.filename, entry.is_persistent);
-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
-			}
+			entry.metadata_len = len;
 		} else {
-			if (phar_parse_metadata(&buffer, &entry.metadata, 0) == FAILURE) {
-				pefree(entry.filename, entry.is_persistent);
-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
-			}
+			entry.metadata_len = 0;
+		}
+		if (len > endbuffer - buffer) {
+			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+		}
+		if (phar_parse_metadata(&buffer, &entry.metadata, len) == FAILURE) {
+			pefree(entry.filename, entry.is_persistent);
+			MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
 		}
+		buffer += len;

 		entry.offset = entry.offset_abs = offset;
 		offset += entry.compressed_filesize;
--- a/ext/phar/phar_internal.h
+++ b/ext/phar/phar_internal.h
@ -529,10 +529,13 @@ static inline void phar_set_inode(phar_entry_info *entry) /* {{{ */
 {
 	char tmp[MAXPATHLEN];
 	int tmp_len;
+	size_t len;

-	tmp_len = entry->filename_len + entry->phar->fname_len;
-	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
-	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
+	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
+	len = MIN(entry->phar->fname_len, tmp_len);
+	memcpy(tmp, entry->phar->fname, len);
+	len = MIN(tmp_len - len, entry->filename_len);
+	memcpy(tmp + entry->phar->fname_len, entry->filename, len);
 	entry->inode = (unsigned short)zend_hash_func(tmp, tmp_len);
 }
 /* }}} */
@ -565,7 +568,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len,
 zend_string *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar);
 char *phar_fix_filepath(char *path, int *new_len, int use_cwd);
 phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error);
-int phar_parse_metadata(char **buffer, zval *metadata, int zip_metadata_len);
+int phar_parse_metadata(char **buffer, zval *metadata, php_uint32 zip_metadata_len);
 void destroy_phar_manifest_entry(zval *zv);
 int phar_seek_efp(phar_entry_info *entry, zend_off_t offset, int whence, zend_off_t position, int follow_links);
 php_stream *phar_get_efp(phar_entry_info *entry, int follow_links);
--- a/ext/phar/tests/bug69324.phar
+++ b/ext/phar/tests/bug69324.phar
--- a/ext/phar/tests/bug69324.phpt
+++ b/ext/phar/tests/bug69324.phpt
@ -0,0 +1,17 @@
+--TEST--
+Bug #69324: Buffer Over-read in unserialize when parsing Phar
+--SKIPIF--
+<?php
+if (!extension_loaded("phar")) die("skip");
+?>
+--FILE--
+<?php
+try {
+$p = new Phar(dirname(__FILE__).'/bug69324.phar', 0);
+$meta=$p->getMetadata();
+var_dump($meta);
+} catch(Exception $e) {
+	echo $e->getMessage();
+}
+--EXPECTF--
+internal corruption of phar "%s" (truncated manifest entry)
--- a/ext/phar/tests/bug69441.phar
+++ b/ext/phar/tests/bug69441.phar
--- a/ext/phar/tests/bug69441.phpt
+++ b/ext/phar/tests/bug69441.phpt
@ -0,0 +1,21 @@
+--TEST--
+Phar: bug #69441: Buffer Overflow when parsing tar/zip/phar in phar_set_inode
+--SKIPIF--
+<?php if (!extension_loaded("phar")) die("skip"); ?>
+--FILE--
+<?php
+$fname = dirname(__FILE__) . '/bug69441.phar';
+try {
+$r = new Phar($fname, 0);
+} catch(UnexpectedValueException $e) {
+	echo $e;
+}
+?>
+
+==DONE==
+--EXPECTF--
+exception 'UnexpectedValueException' with message 'phar error: corrupted central directory entry, no magic signature in zip-based phar "%s/bug69441.phar"' in %s/bug69441.php:%d
+Stack trace:
+#0 %s/bug69441.php(%d): Phar->__construct('%s', 0)
+#1 {main}
+==DONE==
--- a/ext/standard/http_fopen_wrapper.c
+++ b/ext/standard/http_fopen_wrapper.c
@ -670,6 +670,7 @@ finish:
 	}

 	response_header = zend_hash_str_find_ind(symbol_table, "http_response_header", sizeof("http_response_header")-1);
+	Z_ADDREF_P(response_header);

 	if (!php_stream_eof(stream)) {
 		size_t tmp_line_len;
@ -905,6 +906,10 @@ out:
 	if (stream) {
 		if (header_init) {
 			ZVAL_COPY(&stream->wrapperdata, response_header);
+		} else {
+			if(response_header) {
+				Z_DELREF_P(response_header);
+			}
 		}
 		php_stream_notify_progress_init(context, 0, file_size);

@ -925,8 +930,13 @@ out:
 		if (transfer_encoding) {
 			php_stream_filter_append(&stream->readfilters, transfer_encoding);
 		}
-	} else if (transfer_encoding) {
-		php_stream_filter_free(transfer_encoding);
+	} else {
+		if(response_header) {
+			Z_DELREF_P(response_header);
+		}
+		if (transfer_encoding) {
+			php_stream_filter_free(transfer_encoding);
+		}
 	}

 	return stream;
--- a/ext/standard/link.c
+++ b/ext/standard/link.c
@ -59,7 +59,7 @@ PHP_FUNCTION(readlink)
 	char buff[MAXPATHLEN];
 	int ret;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &link, &link_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &link, &link_len) == FAILURE) {
 		return;
 	}

--- a/ext/standard/streamsfuncs.c
+++ b/ext/standard/streamsfuncs.c
@ -1493,7 +1493,7 @@ PHP_FUNCTION(stream_resolve_include_path)
 	size_t filename_len;
 	zend_string *resolved_path;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &filename, &filename_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &filename, &filename_len) == FAILURE) {
 		return;
 	}

--- a/ext/standard/tests/file/readlink_variation1.phpt
+++ b/ext/standard/tests/file/readlink_variation1.phpt
@ -65,7 +65,7 @@ bool(false)
 Warning: readlink(): %s in %s on line %d
 bool(false)

-Warning: readlink() expects parameter 1 to be string, resource given in %s on line %d
+Warning: readlink() expects parameter 1 to be a valid path, resource given in %s on line %d
 NULL

 Warning: readlink(): %s in %s on line %d
--- a/ext/standard/tests/http/bug69337.phpt
+++ b/ext/standard/tests/http/bug69337.phpt
@ -0,0 +1,41 @@
+--TEST--
+Bug #69337 (Stream context leaks when http request fails)
+--SKIPIF--
+<?php require 'server.inc'; http_server_skipif('tcp://127.0.0.1:22345'); ?>
+--INI--
+allow_url_fopen=1
+allow_url_include=1
+--FILE--
+<?php
+require 'server.inc';
+
+function stream_notification_callback($notification_code, $severity, $message, $message_code, $bytes_transferred, $bytes_max)
+{
+	if($notification_code == STREAM_NOTIFY_REDIRECTED) {
+	  // $http_response_header is now a string, but will be used as an array
+     // by php_stream_url_wrap_http_ex() later on
+       $GLOBALS['http_response_header'] = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\0\0\0\0";
+    }
+}
+
+$ctx = stream_context_create();
+stream_context_set_params($ctx, array("notification" => "stream_notification_callback"));
+
+$responses = array(
+	"data://text/plain,HTTP/1.0 302 Found\r\nLocation: http://127.0.0.1:22345/try-again\r\n\r\n",
+	"data://text/plain,HTTP/1.0 404 Not Found\r\n\r\n",
+);
+
+$pid = http_server("tcp://127.0.0.1:22345", $responses, $output);
+
+$f = file_get_contents('http://127.0.0.1:22345/', 0, $ctx);
+
+http_server_kill($pid);
+var_dump($f);
+?>
+==DONE==
+--EXPECTF--
+string(26) "HTTP/1.0 404 Not Found
+
+"
+==DONE==
--- a/ext/standard/tests/serialize/bug69152.phpt
+++ b/ext/standard/tests/serialize/bug69152.phpt
@ -0,0 +1,16 @@
+--TEST--
+Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
+--FILE--
+<?php
+$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
+echo $x;
+$x =  unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
+$x->test();
+
+?>
+--EXPECTF--
+exception 'Exception' in %s:%d
+Stack trace:
+#0 {main}
+
+Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition  in %s on line %d
--- a/ext/xmlwriter/php_xmlwriter.c
+++ b/ext/xmlwriter/php_xmlwriter.c
@ -1672,7 +1672,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity)
 /* }}} */
 #endif

-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source)
+/* {{{ proto resource xmlwriter_open_uri(string source)
 Create new xmlwriter using source uri for output */
 static PHP_FUNCTION(xmlwriter_open_uri)
 {
@ -1685,7 +1685,7 @@ static PHP_FUNCTION(xmlwriter_open_uri)
 	zval *self = getThis();
 	ze_xmlwriter_object *ze_obj = NULL;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s", &source, &source_len) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p", &source, &source_len) == FAILURE) {
 		return;
 	}

--- a/ext/zlib/tests/gzopen_variation1.phpt
+++ b/ext/zlib/tests/gzopen_variation1.phpt
@ -1,17 +1,17 @@
 --TEST--
-Test gzopen() function : usage variation 
+Test gzopen() function : usage variation
 --SKIPIF--
-<?php 
+<?php
 if (!extension_loaded("zlib")) {
-	print "skip - zlib extension not loaded"; 
-}	 
+	print "skip - zlib extension not loaded";
+}
 ?>
 --FILE--
 <?php
 /* Prototype  : resource gzopen(string filename, string mode [, int use_include_path])
- * Description: Open a .gz-file and return a .gz-file pointer 
+ * Description: Open a .gz-file and return a .gz-file pointer
 * Source code: ext/zlib/zlib.c
- * Alias to functions: 
+ * Alias to functions:
 */

 echo "*** Testing gzopen() : usage variation ***\n";
@ -102,9 +102,9 @@ $inputs = array(

      // unset data
      'unset var' => @$unset_var,
-      
+
      // resource variable
-      'resource' => $fp      
+      'resource' => $fp
 );

 // loop through each element of the array for filename
@ -158,19 +158,19 @@ Error: 2 - gzopen(0.5): failed to open stream: No such file or directory, %s(%d)
 bool(false)

 --empty array--
-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
 NULL

 --int indexed array--
-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
 NULL

 --associative array--
-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
 NULL

 --nested arrays--
-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
+Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
 NULL

 --uppercase NULL--
@ -210,7 +210,7 @@ Error: 2 - gzopen(Class A object): failed to open stream: No such file or direct
 bool(false)

 --instance of classWithoutToString--
-Error: 2 - gzopen() expects parameter 1 to be string, object given, %s(%d)
+Error: 2 - gzopen() expects parameter 1 to be a valid path, object given, %s(%d)
 NULL

 --undefined var--
@ -222,7 +222,7 @@ Error: 2 - gzopen(): Filename cannot be empty, %s(%d)
 bool(false)

 --resource--
-Error: 2 - gzopen() expects parameter 1 to be string, resource given, %s(%d)
+Error: 2 - gzopen() expects parameter 1 to be a valid path, resource given, %s(%d)
 NULL
 ===DONE===

--- a/ext/zlib/tests/readgzfile_variation1.phpt
+++ b/ext/zlib/tests/readgzfile_variation1.phpt
@ -29,15 +29,15 @@ foreach ( $variation as $var ) {
 ===DONE===
 --EXPECTF--

-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
 NULL

-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
 NULL

-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
 NULL

-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
+Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
 NULL
-===DONE===
+===DONE===
--- a/ext/zlib/tests/readgzfile_variation6.phpt
+++ b/ext/zlib/tests/readgzfile_variation6.phpt
@ -45,5 +45,5 @@ foreach ( $variation as $var ) {
 --EXPECTF--
 Error: 2 - readgzfile(Class A object): failed to open stream: No such file or directory, %s(%d)
 bool(false)
-Error: 2 - readgzfile() expects parameter 1 to be string, object given, %s(%d)
-NULL
+Error: 2 - readgzfile() expects parameter 1 to be a valid path, object given, %s(%d)
+NULL
--- a/ext/zlib/zlib.c
+++ b/ext/zlib/zlib.c
@ -588,7 +588,7 @@ static PHP_FUNCTION(gzopen)
 	php_stream *stream;
 	zend_long use_include_path = 0;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
 		return;
 	}

@ -616,7 +616,7 @@ static PHP_FUNCTION(readgzfile)
 	size_t size;
 	zend_long use_include_path = 0;

-	if (zend_parse_parameters(ZEND_NUM_ARGS(), "s|l", &filename, &filename_len, &use_include_path) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS(), "p|l", &filename, &filename_len, &use_include_path) == FAILURE) {
 		return;
 	}

--- a/sapi/apache2handler/sapi_apache2.c
+++ b/sapi/apache2handler/sapi_apache2.c
@ -694,6 +694,7 @@ zend_first_try {
 } zend_end_try();
 		}
 		apr_brigade_cleanup(brigade);
+		apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
 	} else {
 		ctx->r = parent_req;
 	}