Merge branch 'PHP-5.5' of git.php.net:php-src into PHP-5.5

Author: George Wang

NEWS

@@ -1,6 +1,44 @@
 PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-?? ??? 2015, PHP 5.5.26
+?? ??? 2015, PHP 5.5.27
+
+- Core:
+  . Fixed bug #69703 (Use __builtin_clzl on PowerPC).
+    (dja at axtens dot net, Kalle)
+  . Fixed bug #69732 (can induce segmentation fault with basic php code).
+    (Dmitry)
+  . Fixed bug #69642 (Windows 10 reported as Windows 8).
+    (Christian Wenz, Anatol Belski)
+  . Fixed bug #69551 (parse_ini_file() and parse_ini_string() segmentation
+    fault). (Christoph M. Becker)
+  . Fixed bug #69781 (phpinfo() reports Professional Editions of Windows
+    7/8/8.1/10 as "Business"). (Christian Wenz)
+  . Fixed bug #69835 (phpinfo() does not report many Windows SKUs).
+    (Christian Wenz)
+  . Fixed bug #69892 (Different arrays compare indentical due to integer key
+    truncation). (Nikita)
+
+- GD:
+  . Fixed bug #61221 (imagegammacorrect function loses alpha channel). (cmb)
+
+- PDO_pgsql:
+  . Fixed bug #69752 (PDOStatement::execute() leaks memory with DML
+    Statements when closeCuror() is u). (Philip Hofstetter)
+  . Fixed bug #69362 (PDO-pgsql fails to connect if password contains a
+    leading single quote). (Matteo)
+  . Fixed bug #69344 (PDO PgSQL Incorrect binding numeric array with gaps).
+    (Matteo)
+
+- SimpleXML:
+  . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty
+    node name). (Christoph Michael Becker)
+
+- SPL:
+  . Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
+    (Stas)
+  . Fixed bug #67805 (SplFileObject setMaxLineLength). (Willian Gustavo Veiga).
+
+11 Jun 2015, PHP 5.5.26
 
 - Core:
   . Fixed bug #69566 (Conditional jump or move depends on uninitialised value
@@ -9,19 +47,25 @@
     (Julien)
   . Fixed bug #69628 (complex GLOB_BRACE fails on Windows).
     (Christoph M. Becker)
-  . Fixed bug #69703 (Use __builtin_clzl on PowerPC).
-    (dja at axtens dot net, Kalle)
-  . Fixed bug #69732 (can induce segmentation fault with basic php code).
-    (Dmitry)
-  . Fixed #69642 (Windows 10 reported as Windows 8).
-    (Christian Wenz, Anatol Belski)
+  . Improved fix for bug #69545 (Integer overflow in ftp_genlist() resulting in
+    heap overflow). (CVE-2015-4643) (Max Spelsberg)
+  . Fixed bug #69646 (OS command injection vulnerability in escapeshellarg).
+    (CVE-2015-4642) (Anatol Belski)
+  . Fixed bug #69719 (Incorrect handling of paths with NULs). (Stas)
 
 - GD:
   . Fixed bug #69479 (GD fails to build with newer libvpx). (Remi)
 
 - Iconv:
   . Fixed bug #48147 (iconv with //IGNORE cuts the string). (Stas)
 
+- Litespeed SAPI:
+  . Fixed bug #68812 (Unchecked return value). (George Wang)
+
+- Mail:
+  . Fixed bug #68776 (mail() does not have mail header injection prevention for
+    additional headers). (Yasuo)
+
 - MCrypt:
   . Added file descriptor caching to mcrypt_create_iv() (Leigh)
 
@@ -33,21 +77,12 @@
     (Matteo Bernardini, Remi)
 
 - Postgres:
-  . Fixed bug #69667 (segfault in php_pgsql_meta_data). (Remi)
+  . Fixed bug #69667 (segfault in php_pgsql_meta_data). (CVE-2015-4644) (Remi)
 
 - Opcache
   . Fixed bug #69549 (Memory leak with opcache.optimization_level=0xFFFFFFFF).
     (Laruence, Dmitry)
 
-- SimpleXML:
-  . Refactored the fix for bug #66084 (simplexml_load_string() mangles empty
-    node name). (Christoph Michael Becker)
-
-- SPL:
-  . Fixed bug #69737 (Segfault when SplMinHeap::compare produces fatal error).
-    (Stas)
-  . Fixed bug #67805 (SplFileObject setMaxLineLength). (Willian Gustavo Veiga).
-
 - Sqlite3:
   . Upgrade bundled sqlite to 3.8.10.2. (CVE-2015-3414, CVE-2015-3415,
     CVE-2015-3416) (Kaplan)

Zend/tests/bug69551.phpt

@@ -0,0 +1,16 @@
+--TEST--
+Bug #69551 - parse_ini_file() and parse_ini_string() segmentation fault
+--FILE--
+<?php
+$ini = <<<INI
+[Network.eth0]
+SubnetMask = "
+"
+INI;
+$settings = parse_ini_string($ini, false, INI_SCANNER_RAW);
+var_dump($settings);
+?>
+--EXPECTF--
+Warning: syntax error, unexpected '"' in Unknown on line %d
+ in %s on line %d
+bool(false)

Zend/tests/bug69892.phpt

@@ -0,0 +1,10 @@
+--TEST--
+Bug #69892: Different arrays compare indentical due to integer key truncation
+--SKIPIF--
+<?php if (PHP_INT_SIZE != 8) die("skip this test is for 64bit platforms only"); ?>
+--FILE--
+<?php
+var_dump([0 => 0] === [0x100000000 => 0]);
+?>
+--EXPECT--
+bool(false)

Zend/zend_hash.c

@@ -1534,11 +1534,10 @@ ZEND_API int zend_hash_compare(HashTable *ht1, HashTable *ht2, compare_func_t co
 		}
 		if (ordered) {
 			if (p1->nKeyLength==0 && p2->nKeyLength==0) { /* numeric indices */
-				result = p1->h - p2->h;
-				if (result!=0) {
+				if (p1->h != p2->h) {
 					HASH_UNPROTECT_RECURSION(ht1); 
 					HASH_UNPROTECT_RECURSION(ht2); 
-					return result;
+					return p1->h > p2->h ? 1 : -1;
 				}
 			} else { /* string indices */
 				result = p1->nKeyLength - p2->nKeyLength;

Zend/zend_ini_scanner.c

@@ -1926,7 +1926,7 @@ int ini_lex(zval *ini_lval TSRMLS_DC)
 	}
 
 	/* Eat leading and trailing double quotes */
-	if (yytext[0] == '"' && yytext[yyleng - 1] == '"') {
+	if (yyleng > 1 && yytext[0] == '"' && yytext[yyleng - 1] == '"') {
 		SCNG(yy_text)++;
 		yyleng = yyleng - 2;
 	} else if (sc) {

Zend/zend_ini_scanner.l

@@ -472,7 +472,7 @@ end_raw_value_chars:
 	}
 
 	/* Eat leading and trailing double quotes */
-	if (yytext[0] == '"' && yytext[yyleng - 1] == '"') {
+	if (yyleng > 1 && yytext[0] == '"' && yytext[yyleng - 1] == '"') {
 		SCNG(yy_text)++;
 		yyleng = yyleng - 2;
 	} else if (sc) {

configure.in

@@ -119,7 +119,7 @@ int zend_sprintf(char *buffer, const char *format, ...);
 
 PHP_MAJOR_VERSION=5
 PHP_MINOR_VERSION=5
-PHP_RELEASE_VERSION=26
+PHP_RELEASE_VERSION=27
 PHP_EXTRA_VERSION="-dev"
 PHP_VERSION="$PHP_MAJOR_VERSION.$PHP_MINOR_VERSION.$PHP_RELEASE_VERSION$PHP_EXTRA_VERSION"
 PHP_VERSION_ID=`expr [$]PHP_MAJOR_VERSION \* 10000 + [$]PHP_MINOR_VERSION \* 100 + [$]PHP_RELEASE_VERSION`