authorAnatol Belski <ab@php.net>2016-10-12 16:06:11 +0200
committerAnatol Belski <ab@php.net>2016-10-12 16:06:11 +0200
commitd103a41679db22fa8ad6787792d7c49c18db2ad2 (patch)
tree2f2d9a357c28d79a70972396a97a152f71aa59c5
parentd19898b2981c839f0758571c1b83052111634154 (diff)
parentb135ba3fa93fd4f085322573d2850b29cb662e21 (diff)
downloadphp-git-d103a41679db22fa8ad6787792d7c49c18db2ad2.tar.gz
Merge branch 'PHP-7.0' into PHP-7.1
* PHP-7.0: followup with #73276 merge fix test Fix bug #73276 - crash in openssl_random_pseudo_bytes function Fix bug #73293 - NULL pointer dereference in SimpleXMLElement::asXML() Fix for #73240 - Write out of bounds at number_format avoid strlen Bug #73218: add mitigation for ICU int overflow Add more locale length checks, due to ICU bugs. Fix bug #73150: missing NULL check in dom_document_save_html Clear FG(user_stream_current_filename) when bailing out set versions and release date sync NEWS Revert "Fixed bug #73067 (__debugInfo crashes when throwing an exception)" Fix for #73240 - Write out of bounds at number_format Fix bug #73257 and bug #73258 - SplObjectStorage unserialize allows use of non-object as key set versions Fix bug #73091 - Unserializing DateInterval object may lead to __toString invocation
-rw-r--r--Zend/tests/bug73067.phpt21
-rw-r--r--Zend/zend_object_handlers.c1
-rw-r--r--ext/date/php_date.c4
-rw-r--r--ext/date/tests/bug73091.phpt46
-rw-r--r--ext/dom/document.c4
-rw-r--r--ext/intl/locale/locale_methods.c8
-rw-r--r--ext/intl/resourcebundle/resourcebundle_class.c12
-rw-r--r--ext/intl/tests/bug72241.phpt4
-rw-r--r--ext/openssl/openssl.c12
-rw-r--r--ext/simplexml/simplexml.c19
-rw-r--r--ext/spl/spl_observer.c14
-rw-r--r--ext/standard/math.c12
12 files changed, 109 insertions, 48 deletions
diff --git a/Zend/tests/bug73067.phpt b/Zend/tests/bug73067.phpt
deleted file mode 100644
index f5d34a8d87..0000000000
--- a/Zend/tests/bug73067.phpt
+++ /dev/null
@@ -1,21 +0,0 @@
---TEST--
-Bug #73067 (__debugInfo crashes when throwing an exception)
---FILE--
-<?php
-
-class Debug
-{
- public function __debugInfo()
- {
- throw new Exception("Test Crash");
- }
-}
-
-try {
- var_dump(new Debug());
-} catch (Exception $e) {
- echo $e->getMessage();
-}
-?>
---EXPECTF--
-Fatal error: __debuginfo() must return an array in %sbug73067.php on line %d
diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
index d57bee862a..434102035c 100644
--- a/Zend/zend_object_handlers.c
+++ b/Zend/zend_object_handlers.c
@@ -182,7 +182,6 @@ ZEND_API HashTable *zend_std_get_debug_info(zval *object, int *is_temp) /* {{{ *
return ht;
}
- zend_clear_exception();
zend_error_noreturn(E_ERROR, ZEND_DEBUGINFO_FUNC_NAME "() must return an array");
return NULL; /* Compilers are dumb and don't understand that noreturn means that the function does NOT need a return value... */
diff --git a/ext/date/php_date.c b/ext/date/php_date.c
index 7371590469..aed0dc94b2 100644
--- a/ext/date/php_date.c
+++ b/ext/date/php_date.c
@@ -4159,7 +4159,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter
#define PHP_DATE_INTERVAL_READ_PROPERTY(element, member, itype, def) \
do { \
zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \
- if (z_arg) { \
+ if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \
(*intobj)->diff->member = (itype)zval_get_long(z_arg); \
} else { \
(*intobj)->diff->member = (itype)def; \
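Review bot: The new `Z_TYPE_P(z_arg) <= IS_STRING` guard on the `if` line relies on the numeric ordering of the IS_* type tags, and nothing at the site says so; the same guard is added again in the PHP_DATE_INTERVAL_READ_PROPERTY_I64 hunk below. A short comment would keep the intent visible if tags are ever added or reordered, e.g. `/* scalars only (IS_UNDEF..IS_STRING): an object here would run __toString during unserialize */`. One consequence worth confirming is that IS_ARRAY and IS_REFERENCE values are now treated exactly like a missing key and fall back to `def`, which is presumably the intended behaviour for untrusted serialized data. Both macro bodies continue past the hunk.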
@@ -4169,7 +4169,7 @@ static int php_date_interval_initialize_from_hash(zval **return_value, php_inter
#define PHP_DATE_INTERVAL_READ_PROPERTY_I64(element, member) \
do { \
zval *z_arg = zend_hash_str_find(myht, element, sizeof(element) - 1); \
- if (z_arg) { \
+ if (z_arg && Z_TYPE_P(z_arg) <= IS_STRING) { \
zend_string *str = zval_get_string(z_arg); \
DATE_A64I((*intobj)->diff->member, ZSTR_VAL(str)); \
zend_string_release(str); \
diff --git a/ext/date/tests/bug73091.phpt b/ext/date/tests/bug73091.phpt
new file mode 100644
index 0000000000..668ef505d8
--- /dev/null
+++ b/ext/date/tests/bug73091.phpt
@@ -0,0 +1,46 @@
+--TEST--
+Bug #73091 (Unserializing DateInterval object may lead to __toString invocation)
+--FILE--
+<?php
+class foo {
+ function __toString() {
+ var_dump(0);
+ return 'may be a bug';
+ }
+}
+
+var_dump(unserialize('O:12:"DateInterval":1:{s:4:"days";O:3:"foo":0:{}}'));
+?>
+--EXPECTF--
+object(DateInterval)#%d (15) {
+ ["days"]=>
+ int(-1)
+ ["y"]=>
+ int(-1)
+ ["m"]=>
+ int(-1)
+ ["d"]=>
+ int(-1)
+ ["h"]=>
+ int(-1)
+ ["i"]=>
+ int(-1)
+ ["s"]=>
+ int(-1)
+ ["weekday"]=>
+ int(-1)
+ ["weekday_behavior"]=>
+ int(-1)
+ ["first_last_day_of"]=>
+ int(-1)
+ ["invert"]=>
+ int(0)
+ ["special_type"]=>
+ int(0)
+ ["special_amount"]=>
+ int(-1)
+ ["have_weekday_relative"]=>
+ int(0)
+ ["have_special_relative"]=>
+ int(0)
+}
diff --git a/ext/dom/document.c b/ext/dom/document.c
index 70289cf54a..a5e119f786 100644
--- a/ext/dom/document.c
+++ b/ext/dom/document.c
@@ -1663,7 +1663,7 @@ PHP_FUNCTION(dom_document_savexml)
if (options & LIBXML_SAVE_NOEMPTYTAG) {
xmlSaveNoEmptyTags = saveempty;
}
- if (!size) {
+ if (!size || !mem) {
RETURN_FALSE;
}
RETVAL_STRINGL((char *) mem, size);
@@ -2215,7 +2215,7 @@ PHP_FUNCTION(dom_document_save_html)
#else
htmlDocDumpMemory(docp, &mem, &size);
#endif
- if (!size) {
+ if (!size || !mem) {
RETVAL_FALSE;
} else {
RETVAL_STRINGL((const char*) mem, size);
diff --git a/ext/intl/locale/locale_methods.c b/ext/intl/locale/locale_methods.c
index 8cf5babc95..b75183da94 100644
--- a/ext/intl/locale/locale_methods.c
+++ b/ext/intl/locale/locale_methods.c
@@ -406,6 +406,8 @@ static void get_icu_value_src_php( char* tag_name, INTERNAL_FUNCTION_PARAMETERS)
if(loc_name_len == 0) {
loc_name = intl_locale_get_default();
}
+
+ INTL_CHECK_LOCALE_LEN(loc_name_len);
/* Call ICU get */
tag_value = get_icu_value_internal( loc_name , tag_name , &result ,0);
@@ -1165,6 +1167,7 @@ PHP_FUNCTION(locale_get_all_variants)
loc_name = intl_locale_get_default();
}
+ INTL_CHECK_LOCALE_LEN(loc_name_len);
array_init( return_value );
@@ -1273,6 +1276,9 @@ PHP_FUNCTION(locale_filter_matches)
RETURN_TRUE;
}
+ INTL_CHECK_LOCALE_LEN(loc_range_len);
+ INTL_CHECK_LOCALE_LEN(lang_tag_len);
+
if( boolCanonical ){
/* canonicalize loc_range */
can_loc_range=get_icu_value_internal( loc_range , LOC_CANONICALIZE_TAG , &result , 0);
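Review bot: In locale_filter_matches the two INTL_CHECK_LOCALE_LEN calls are placed after the `RETURN_TRUE` branch at the top of the hunk, so whatever comparison precedes them runs on unchecked lengths; if that earlier code is a plain C-string comparison this is fine, but if it reaches ICU the checks belong above it (the preceding code is outside the hunk). The same macro is also added in get_icu_value_src_php, locale_get_all_variants and locale_lookup; in get_icu_value_src_php it sits after the default-locale fallback, which is consistent since loc_name_len stays 0 on that path. A one-line comment at the first use, such as `/* bug #73218: bound user-supplied locale length before any ICU call */`, would record why the limit is enforced at these points rather than inside the ICU wrappers.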
@@ -1554,6 +1560,8 @@ PHP_FUNCTION(locale_lookup)
hash_arr = Z_ARRVAL_P(arr);
+ INTL_CHECK_LOCALE_LEN(loc_range_len);
+
if( !hash_arr || zend_hash_num_elements( hash_arr ) == 0 ) {
RETURN_EMPTY_STRING();
}
diff --git a/ext/intl/resourcebundle/resourcebundle_class.c b/ext/intl/resourcebundle/resourcebundle_class.c
index fd255d57cd..47d9bf0403 100644
--- a/ext/intl/resourcebundle/resourcebundle_class.c
+++ b/ext/intl/resourcebundle/resourcebundle_class.c
@@ -101,6 +101,13 @@ static int resourcebundle_ctor(INTERNAL_FUNCTION_PARAMETERS, zend_bool is_constr
locale = intl_locale_get_default();
}
+ if (bundlename_len >= MAXPATHLEN) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "Bundle name too long", 0 );
+ zval_dtor(return_value);
+ ZVAL_NULL(return_value);
+ return FAILURE;
+ }
+
if (fallback) {
rb->me = ures_open(bundlename, locale, &INTL_DATA_ERROR_CODE(rb));
} else {
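Review bot: The new length check in resourcebundle_ctor bounds only bundlename, while the hunk shows locale being passed to ures_open on the same line; the locale_methods.c changes in this merge add INTL_CHECK_LOCALE_LEN for user-supplied locales, so it is worth confirming whether the locale argument here is already bounded before this point (the start of the function is outside the hunk). The two new messages also differ in style: `"Bundle name too long"` here versus the function-prefixed `"resourcebundle_locales: bundle name too long"` in the second hunk; `"resourcebundle_ctor: bundle name too long"` would match. Returning FAILURE after resetting return_value to NULL is consistent with the failure paths that follow, as far as the hunk shows.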
@@ -331,6 +338,11 @@ PHP_FUNCTION( resourcebundle_locales )
RETURN_FALSE;
}
+ if (bundlename_len >= MAXPATHLEN) {
+ intl_error_set( NULL, U_ILLEGAL_ARGUMENT_ERROR, "resourcebundle_locales: bundle name too long", 0 );
+ RETURN_FALSE;
+ }
+
if(bundlename_len == 0) {
// fetch default locales list
bundlename = NULL;
diff --git a/ext/intl/tests/bug72241.phpt b/ext/intl/tests/bug72241.phpt
index 397e1e7834..7ac5a5b503 100644
--- a/ext/intl/tests/bug72241.phpt
+++ b/ext/intl/tests/bug72241.phpt
@@ -9,6 +9,4 @@ $out = locale_get_primary_language($var1);
echo strlen($out) . PHP_EOL;
echo unpack('H*', $out)[1] . PHP_EOL;
--EXPECT--
-1000
-6161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616
1
-
+0
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index d441297350..dc16499950 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -6457,15 +6457,18 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
return;
}
- if (buffer_length <= 0) {
- RETURN_FALSE;
- }
-
if (zstrong_result_returned) {
zval_dtor(zstrong_result_returned);
ZVAL_FALSE(zstrong_result_returned);
}
+ if (buffer_length <= 0
+#ifndef PHP_WIN32
+ || ZEND_LONG_INT_OVFL(buffer_length)
+#endif
+ ) {
+ RETURN_FALSE;
+ }
buffer = zend_string_alloc(buffer_length, 0);
#ifdef PHP_WIN32
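Review bot: The `ZEND_LONG_INT_OVFL(buffer_length)` test is compiled out on Windows, and the hunk gives no reason for the asymmetry; presumably the Windows branch under the `#ifdef PHP_WIN32` at the end of the hunk never narrows the length to int, but a comment on the `#ifndef` would stop a reader from treating it as an omission, e.g. `/* non-Windows path casts the length to int for RAND_bytes(); reject values that would not fit */`. The second hunk still calls `PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length)` on the same value, so on any path where both run the later check can no longer fire for the overflow case — the two should be reconciled or the redundancy noted, since they likely differ in whether a warning is raised. With the bound in place the `(int)buffer_length` cast in the RAND_bytes call is safe, which makes the added `/* FIXME loop if requested size > INT_MAX */` read as a feature request rather than a pending defect; rewording it that way would avoid confusion. Moving the check below the `zstrong_result_returned` reset is correct, since the by-ref flag is now false on every failure return.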
@@ -6481,6 +6484,7 @@ PHP_FUNCTION(openssl_random_pseudo_bytes)
PHP_OPENSSL_CHECK_LONG_TO_INT(buffer_length, length);
PHP_OPENSSL_RAND_ADD_TIME();
+ /* FIXME loop if requested size > INT_MAX */
if (RAND_bytes((unsigned char*)ZSTR_VAL(buffer), (int)buffer_length) <= 0) {
zend_string_release(buffer);
if (zstrong_result_returned) {
diff --git a/ext/simplexml/simplexml.c b/ext/simplexml/simplexml.c
index fdd09881eb..d1c78434e6 100644
--- a/ext/simplexml/simplexml.c
+++ b/ext/simplexml/simplexml.c
@@ -1462,9 +1462,15 @@ SXE_METHOD(asXML)
if (node) {
if (node->parent && (XML_DOCUMENT_NODE == node->parent->type)) {
xmlDocDumpMemoryEnc((xmlDocPtr) sxe->document->ptr, &strval, &strval_len, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding);
- RETVAL_STRINGL((char *)strval, strval_len);
+ if (!strval) {
+ RETVAL_FALSE;
+ } else {
+ RETVAL_STRINGL((char *)strval, strval_len);
+ }
xmlFree(strval);
} else {
+ char *return_content;
+ size_t return_len;
/* Should we be passing encoding information instead of NULL? */
outbuf = xmlAllocOutputBuffer(NULL);
@@ -1475,10 +1481,17 @@ SXE_METHOD(asXML)
xmlNodeDumpOutput(outbuf, (xmlDocPtr) sxe->document->ptr, node, 0, 0, (const char *) ((xmlDocPtr) sxe->document->ptr)->encoding);
xmlOutputBufferFlush(outbuf);
#ifdef LIBXML2_NEW_BUFFER
- RETVAL_STRINGL((char *)xmlOutputBufferGetContent(outbuf), xmlOutputBufferGetSize(outbuf));
+ return_content = (char *)xmlOutputBufferGetContent(outbuf);
+ return_len = xmlOutputBufferGetSize(outbuf);
#else
- RETVAL_STRINGL((char *)outbuf->buffer->content, outbuf->buffer->use);
+ return_content = (char *)outbuf->buffer->content;
+ return_len = outbuf->buffer->use;
#endif
+ if (return_content) {
+ RETVAL_FALSE;
+ } else {
+ RETVAL_STRINGL(return_content, return_len);
+ }
xmlOutputBufferClose(outbuf);
}
} else {
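Review bot: The `if (return_content)` test near the end of the second hunk is inverted: a non-NULL buffer takes the `RETVAL_FALSE` branch, and a NULL buffer is handed to `RETVAL_STRINGL`, which is exactly the NULL dereference this change sets out to avoid. It should read `if (!return_content) {`, matching the `if (!strval)` form used in the first hunk. With that fixed, the two branches of asXML handle a failed dump consistently; the method body continues past the hunk.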
diff --git a/ext/spl/spl_observer.c b/ext/spl/spl_observer.c
index 4ad0c6d15e..b94ab401cf 100644
--- a/ext/spl/spl_observer.c
+++ b/ext/spl/spl_observer.c
@@ -788,6 +788,9 @@ SPL_METHOD(SplObjectStorage, unserialize)
--p; /* for ';' */
count = Z_LVAL_P(pcount);
+ ZVAL_UNDEF(&entry);
+ ZVAL_UNDEF(&inf);
+
while (count-- > 0) {
spl_SplObjectStorageElement *pelement;
zend_hash_key key;
@@ -803,18 +806,17 @@ SPL_METHOD(SplObjectStorage, unserialize)
if (!php_var_unserialize(&entry, &p, s + buf_len, &var_hash)) {
goto outexcept;
}
- if (Z_TYPE(entry) != IS_OBJECT) {
- zval_ptr_dtor(&entry);
- goto outexcept;
- }
if (*p == ',') { /* new version has inf */
++p;
if (!php_var_unserialize(&inf, &p, s + buf_len, &var_hash)) {
zval_ptr_dtor(&entry);
goto outexcept;
}
- } else {
- ZVAL_UNDEF(&inf);
+ }
+ if (Z_TYPE(entry) != IS_OBJECT) {
+ zval_ptr_dtor(&entry);
+ zval_ptr_dtor(&inf);
+ goto outexcept;
}
if (spl_object_storage_get_hash(&key, intern, getThis(), &entry) == FAILURE) {
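Review bot: Dropping the `else { ZVAL_UNDEF(&inf); }` branch means `inf` is initialised only once, before the loop (first hunk), so on a later iteration whose element has no `,inf` part the variable still holds whatever the previous iteration left in it; that is only safe if the loop tail, which is outside the hunk, releases and re-UNDEFs `inf` after each element is attached — worth confirming, because otherwise the stale value is re-attached and then released twice via the new `zval_ptr_dtor(&inf)` on the error path. If the tail does not reset it, `ZVAL_UNDEF(&inf);` at the top of the loop body is the cheapest remedy. Moving the IS_OBJECT check after the inf unserialization, and releasing both zvals on that path, is the right shape for the key-type fix.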
diff --git a/ext/standard/math.c b/ext/standard/math.c
index 930cd08cb5..753656c56f 100644
--- a/ext/standard/math.c
+++ b/ext/standard/math.c
@@ -1111,8 +1111,8 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
zend_string *tmpbuf;
char *s, *t; /* source, target */
char *dp;
- int integral;
- int reslen = 0;
+ size_t integral;
+ size_t reslen = 0;
int count = 0;
int is_negative=0;
@@ -1139,15 +1139,15 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
/* calculate the length of the return buffer */
if (dp) {
- integral = (int)(dp - ZSTR_VAL(tmpbuf));
+ integral = (dp - ZSTR_VAL(tmpbuf));
} else {
/* no decimal point was found */
- integral = (int)ZSTR_LEN(tmpbuf);
+ integral = ZSTR_LEN(tmpbuf);
}
/* allow for thousand separators */
if (thousand_sep) {
- integral += (int)(thousand_sep_len * ((integral-1) / 3));
+ integral += thousand_sep_len * ((integral-1) / 3);
}
reslen = integral;
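Review bot: With `integral` now size_t, the `(integral-1) / 3` term on the thousand-separator line wraps to roughly SIZE_MAX/3 when integral is 0, whereas the old int arithmetic produced 0; integral is 0 whenever `dp` points at the first byte of tmpbuf, which the fixed-point formatting used here presumably never produces, but the guard is cheap: `integral += thousand_sep_len * ((integral > 0 ? integral - 1 : 0) / 3);`. In the third hunk `reslen += dec` now adds an int to a size_t, so a negative dec would wrap as well; that is fine only if dec is clamped to zero earlier in the function, which is outside the hunk. The widening itself is the right fix for the out-of-bounds write, since the later buffer size is derived from reslen.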
@@ -1156,7 +1156,7 @@ PHPAPI zend_string *_php_math_number_format_ex(double d, int dec, char *dec_poin
reslen += dec;
if (dec_point) {
- reslen += (int)dec_point_len;
+ reslen += dec_point_len;
}
}