authorStanislav Malyshev <stas@php.net>2016-07-19 01:08:18 -0700
committerStanislav Malyshev <stas@php.net>2016-07-19 01:08:18 -0700
commite9a58bee24a4004e50a59d0d01927e6632d6da27 (patch)
tree9f4605167a174916e433c110c2cbe01096be0f81 /ext/mcrypt/mcrypt.c
parent905310d144d3afe6a0784d521a4e90fd07cfe343 (diff)
parent5faa15c4ce9d68a286a9ffe10ecbb897ebe95601 (diff)
downloadphp-git-e9a58bee24a4004e50a59d0d01927e6632d6da27.tar.gz
Merge branch 'PHP-7.0.9' into PHP-7.0
* PHP-7.0.9: Partial fix for bug #72613 - do not allow reading past error read update NEWS Fixed bug #72570 Segmentation fault when binding parameters on a query without placeholders Fix bug #72551 and bug #72552 - check before converting size_t->int Fix bug #72541 - size_t overflow lead to heap corruption fix possible optimization bug set versions Conflicts: configure.in ext/pdo_pgsql/tests/bug72570.phpt main/php_version.h
Diffstat (limited to 'ext/mcrypt/mcrypt.c')
-rw-r--r--ext/mcrypt/mcrypt.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/ext/mcrypt/mcrypt.c b/ext/mcrypt/mcrypt.c
index fb5c638c97..73acaa29f2 100644
--- a/ext/mcrypt/mcrypt.c
+++ b/ext/mcrypt/mcrypt.c
@@ -645,6 +645,10 @@ PHP_FUNCTION(mcrypt_generic)
memset(ZSTR_VAL(data_str), 0, data_size);
memcpy(ZSTR_VAL(data_str), data, data_len);
} else { /* It's not a block algorithm */
+ if (data_len > INT_MAX) {
+ php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+ RETURN_FALSE;
+ }
data_size = (int)data_len;
data_str = zend_string_alloc(data_size, 0);
memset(ZSTR_VAL(data_str), 0, data_size);
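Review bot: The new length guard in PHP_FUNCTION(mcrypt_generic) covers only the non-block branch and does not say why the limit exists. A short comment above it would help, for example `/* data_size is an int: reject lengths the (int) cast below would truncate */`. The block-mode branch that ends just above the guard copies `data_len` bytes into a buffer sized by `data_size`, and that size computation starts outside this hunk, so it is worth confirming it has an equivalent bound. The same four-line check is repeated verbatim in the mdecrypt_generic hunk; a small static helper would keep the two call sites from drifting apart.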
@@ -695,6 +699,10 @@ PHP_FUNCTION(mdecrypt_generic)
memset(data_s, 0, data_size);
memcpy(data_s, data, data_len);
} else { /* It's not a block algorithm */
+ if (data_len > INT_MAX) {
+ php_error_docref(NULL, E_WARNING, "Data size too large, %d maximum", INT_MAX);
+ RETURN_FALSE;
+ }
data_size = (int)data_len;
data_s = emalloc(data_size + 1);
memset(data_s, 0, data_size);
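Review bot: The bound is off by one for mdecrypt_generic: `data_len == INT_MAX` passes the added check, and the following `emalloc(data_size + 1)` then evaluates `INT_MAX + 1`. Judging by the `(int)data_len` cast, `data_size` appears to be an `int`, which would make that addition a signed overflow. Either tighten the guard to `if (data_len >= INT_MAX) {` in this function or size the allocation in an unsigned type, `data_s = emalloc((size_t)data_size + 1);`. The rest of the function, including how `data_s` is used after the memset, is outside the hunk.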