Merge branch 'PHP-5.6' of git.php.net:php-src into PHP-5.6

Author: George Wang

NEWS

@@ -1,10 +1,43 @@
-PHP                                                                        NEWS
+PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? Jul 2015, PHP 5.6.11
 
 - Core:
-  . Fixed #69642 (Windows 10 reported as Windows 8).
+  . Fixed bug #69703 (Use __builtin_clzl on PowerPC).
+    (dja at axtens dot net, Kalle)
+  . Fixed bug #69732 (can induce segmentation fault with basic php code).
+    (Dmitry)
+  . Fixed bug #69642 (Windows 10 reported as Windows 8).
     (Christian Wenz, Anatol Belski)
+  . Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation
+    fault). (Christoph M. Becker)
+  . Fixed bug #69781 (phpinfo() reports Professional Editions of Windows
+    7/8/8.1/10 as "Business"). (Christian Wenz)
+  . Fixed bug #69740 (finally in generator (yield) swallows exception in
+    iteration). (Nikita)
+  . Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
+    (Christian Wenz)
+  . Fixed bug #69892 (Different arrays compare indentical due to integer key
+    truncation). (Nikita)
+
+- GD:
+  . Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb)
+
+- GMP:
+  . Fixed bug #69803 (gmp_random_range() modifies second parameter if GMP
+    number). (Nikita)
+
+- PDO_pgsql:
+  . Fixed bug #69752 (PDOStatement::execute() leaks memory with DML
+    Statements when closeCuror() is u). (Philip Hofstetter)
+  . Fixed bug #69362 (PDO-pgsql fails to connect if password contains a
+    leading single quote). (Matteo)
+  . Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
+    (Matteo)
+
+- SimpleXML:
+  . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty
+    node name). (Christoph Michael Becker)
 
 - SPL:
   . Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
@@ -23,30 +56,43 @@
     (Christoph M. Becker)
   . Fixed POST data processing slowdown due to small input buffer size
     on Windows. (Jorge Oliveira, Anatol)
-  . Fixed bug #69703 (Use __builtin_clzl on PowerPC).
-    (dja at axtens dot net, Kalle)
-  . Fixed bug #69732 (can induce segmentation fault with basic php code).
-    (Dmitry)
+  . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).
+    (CVE-2015-4642) (Anatol Belski)
+  . Fixed bug #69719 (Incorrect handling of paths with NULs). (Stas)
+
+- FTP
+  . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in
+    heap overflow). (CVE-2015-4643) (Max Spelsberg)
 
 - GD:
   . Fixed bug #69479 (GD fails to build with newer libvpx). (Remi)
 
 - Iconv:
   . Fixed bug #48147 (iconv with //IGNORE cuts the string). (Stas)
 
+- Litespeed SAPI:
+  . Fixed bug #68812 (Unchecked return value). (George Wang)
+
+- Mail:
+  . Fixed bug #68776 (mail() does not have mail header injection prevention for
+    additional headers). (Yasuo)
+
 - MCrypt:
   . Added file descriptor caching to mcrypt_create_iv() (Leigh)
 
+- Opcache
+  . Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
+    (Laruence, Dmitry)
+
+- PCRE
+  . Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
+
 - Phar:
   . Fixed bug #69680 (phar symlink in binary directory broken).
     (Matteo Bernardini, Remi)
 
 - Postgres:
-  . Fixed bug #69667 (segfault in php_pgsql_meta_data). (Remi)
-
-- SimpleXML:
-  . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty
-    node name). (Christoph Michael Becker)
+  . Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644) (Remi)
 
 - Sqlite3:
   . Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415,
@@ -95,9 +141,6 @@
   . Fixed bug #68598 (pcntl_exec() should not allow null char). (CVE-2015-4026)
     (Stas)
 
-- PCRE
-  . Upgraded pcrelib to 8.37. (CVE-2015-2325, CVE-2015-2326)
-
 - Phar:
   . Fixed bug #69453 (Memory Corruption in phar_parse_tarfile when entry
     filename starts with null). (CVE-2015-4021) (Stas)

Zend/tests/bug69551.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #69551 - parse_ini_file() and parse_ini_string() segmentation fault
+--FILE--
+<?php
+$ini = <<<INI
+[Network.eth0]
+SubnetMask = "
+"
+INI;
+$settings = parse_ini_string($ini, false, INI_SCANNER_RAW);
+var_dump($settings);
+?>
+--EXPECTF--
+Warning: syntax error, unexpected '"' in Unknown on line %d
+ in %s on line %d
+bool(false)

Zend/tests/bug69740.phpt

@@ -0,0 +1,28 @@
+--TEST--
+Bug #69740: finally in generator (yield) swallows exception in iteration
+--FILE--
+<?php
+
+function generate() {
+    try {
+        yield 1;
+        yield 2;
+    } finally {
+        echo "finally\n";
+    }
+}
+
+foreach (generate() as $i) {
+    echo $i, "\n";
+    throw new Exception();
+}
+
+?>
+--EXPECTF--
+1
+finally
+
+Fatal error: Uncaught exception 'Exception' in %s:%d
+Stack trace:
+#0 {main}
+  thrown in %s on line %d

Zend/tests/bug69892.phpt

@@ -0,0 +1,10 @@
+--TEST--
+Bug #69892: Different arrays compare indentical due to integer key truncation
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platforms only"); ?>
+--FILE--
+<?php
+var_dump([0 => 0] === [0x100000000 => 0]);
+?>
+--EXPECT--
+bool(false)

Zend/zend_generators.c

@@ -198,6 +198,9 @@ static void zend_generator_dtor_storage(zend_generator *generator, zend_object_h
 	if (finally_op_num) {
 		ex->opline = &ex->op_array->opcodes[finally_op_num];
 		ex->fast_ret = NULL;
+		ex->delayed_exception = EG(exception);
+		EG(exception) = NULL;
+
 		generator->flags |= ZEND_GENERATOR_FORCED_CLOSE;
 		zend_generator_resume(generator TSRMLS_CC);
 	}

Zend/zend_hash.c

@@ -1446,11 +1446,10 @@ ZEND_API int zend_hash_compare(HashTable *ht1, HashTable *ht2, compare_func_t co
 		}
 		if (ordered) {
 			if (p1->nKeyLength==0 && p2->nKeyLength==0) { /* numeric indices */
-				result = p1->h - p2->h;
-				if (result!=0) {
+				if (p1->h != p2->h) {
 					HASH_UNPROTECT_RECURSION(ht1); 
 					HASH_UNPROTECT_RECURSION(ht2); 
-					return result;
+					return p1->h > p2->h ? 1 : -1;
 				}
 			} else { /* string indices */
 				result = p1->nKeyLength - p2->nKeyLength;

Zend/zend_ini_scanner.c

@@ -2029,7 +2029,7 @@ int ini_lex(zval *ini_lval TSRMLS_DC)
 	}
 
 	/* Eat leading and trailing double quotes */
-	if (yytext[0] == '"' && yytext[yyleng - 1] == '"') {
+	if (yyleng > 1 && yytext[0] == '"' && yytext[yyleng - 1] == '"') {
 		SCNG(yy_text)++;
 		yyleng = yyleng - 2;
 	} else if (sc) {

Zend/zend_ini_scanner.l

@@ -523,7 +523,7 @@ end_raw_value_chars:
 	}
 
 	/* Eat leading and trailing double quotes */
-	if (yytext[0] == '"' && yytext[yyleng - 1] == '"') {
+	if (yyleng > 1 && yytext[0] == '"' && yytext[yyleng - 1] == '"') {
 		SCNG(yy_text)++;
 		yyleng = yyleng - 2;
 	} else if (sc) {