authorStanislav Malyshev <stas@php.net>2016-03-20 22:51:12 -0700
committerStanislav Malyshev <stas@php.net>2016-03-20 22:51:12 -0700
commit85ccebc1c21d57fb996b08d5a1ceda26ad86b010 (patch)
tree4ed555bf28bd932be4049ce718e3326d3f86c69c
parentdab8e584da27e1820b46a3e95f633960a578c712 (diff)
parentc4517b2a5e3141393c1c4f6fca51e1c325e91251 (diff)
downloadphp-git-85ccebc1c21d57fb996b08d5a1ceda26ad86b010.tar.gz
Merge branch 'PHP-7.0'
* PHP-7.0: Fix bug #71750: use zend_string_safe_alloc for calculated allocations Fix bug #71735: Double-free in SplDoublyLinkedList::offsetSet
-rw-r--r--ext/spl/spl_dllist.c1
-rw-r--r--ext/spl/tests/bug71735.phpt15
-rw-r--r--ext/standard/url.c4
3 files changed, 17 insertions, 3 deletions
diff --git a/ext/spl/spl_dllist.c b/ext/spl/spl_dllist.c
index aa0c6c3840..1675c7eaf3 100644
--- a/ext/spl/spl_dllist.c
+++ b/ext/spl/spl_dllist.c
@@ -830,7 +830,6 @@ SPL_METHOD(SplDoublyLinkedList, offsetSet)
index = spl_offset_convert_to_long(zindex);
if (index < 0 || index >= intern->llist->count) {
- zval_ptr_dtor(value);
zend_throw_exception(spl_ce_OutOfRangeException, "Offset invalid or out of range", 0);
return;
}
diff --git a/ext/spl/tests/bug71735.phpt b/ext/spl/tests/bug71735.phpt
new file mode 100644
index 0000000000..92568028c4
--- /dev/null
+++ b/ext/spl/tests/bug71735.phpt
@@ -0,0 +1,15 @@
+--TEST--
+Bug #71735 (Double-free in SplDoublyLinkedList::offsetSet)
+--FILE--
+<?php
+try {
+$var_1=new SplStack();
+$var_1->offsetSet(100,new DateTime('2000-01-01'));
+} catch(OutOfRangeException $e) {
+ print $e->getMessage()."\n";
+}
+?>
+===DONE===
+--EXPECT--
+Offset invalid or out of range
+===DONE===
\ No newline at end of file
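Review bot: The test asserts only the exception message, so it catches the double free only if the build's memory manager reports the corruption (presumably a debug build); on other builds it may pass against the unfixed code as well. The value passed is a temporary, so the case where the caller still holds a reference to the object after the failed `offsetSet` is not exercised. Consider keeping the object in a variable, `$d = new DateTime('2000-01-01');`, passing it to `offsetSet(100, $d)`, and adding `var_dump($d->format('Y'));` after the catch with the matching `--EXPECT--` line. A negative offset goes through the same `index < 0 || index >= count` branch and could be covered in the same file.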
diff --git a/ext/standard/url.c b/ext/standard/url.c
index 381c599c30..b83814422b 100644
--- a/ext/standard/url.c
+++ b/ext/standard/url.c
@@ -506,7 +506,7 @@ PHPAPI zend_string *php_url_encode(char const *s, size_t len)
from = (unsigned char *)s;
end = (unsigned char *)s + len;
- start = zend_string_alloc(3 * len, 0);
+ start = zend_string_safe_alloc(3, len, 0, 0);
to = (unsigned char*)ZSTR_VAL(start);
while (from < end) {
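Review bot: The factor `3` at the new `zend_string_safe_alloc(3, len, 0, 0)` call is unexplained, and the reason for the checked allocator is recorded only in the commit message. A comment above the call would keep both visible to the next maintainer, for example `/* worst case every byte becomes "%XX": 3 * len, overflow-checked by safe_alloc */`. The same comment fits the matching call in php_raw_url_encode. The function body starts and ends outside this hunk, so the later write loop and any final length adjustment were not reviewed.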
@@ -624,7 +624,7 @@ PHPAPI zend_string *php_raw_url_encode(char const *s, size_t len)
register int x, y;
zend_string *str;
- str = zend_string_alloc(3 * len, 0);
+ str = zend_string_safe_alloc(3, len, 0, 0);
for (x = 0, y = 0; len--; x++, y++) {
ZSTR_VAL(str)[y] = (unsigned char) s[x];
#ifndef CHARSET_EBCDIC
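Review bot: The allocation is now overflow-checked, but `register int x, y;` still indexes `s[x]` and `ZSTR_VAL(str)[y]` with signed `int` while `len` is `size_t`. For inputs longer than `INT_MAX` the counters overflow, which is undefined behaviour and can produce a negative index. `y` presumably advances by up to three per input byte (the rest of the loop is outside the hunk), so it would hit that limit at roughly a third of that length. Declaring them as `size_t x, y;` keeps the indices in the same domain as the size passed to `zend_string_safe_alloc(3, len, 0, 0)`. The loop body continues past the end of this hunk, so confirm no later use depends on `x` or `y` being signed.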