MFB

9 files changed, 188 insertions, 7 deletions

diff --git a/ext/standard/dir.c b/ext/standard/dir.c
index e489072e2c..8b6fdc1329 100644
--- a/ext/standard/dir.c
+++ b/ext/standard/dir.c
@@ -449,7 +449,7 @@ PHP_FUNCTION(glob)
 
 	/* we assume that any glob pattern will match files from one directory only
 	   so checking the dirname of the first match should be sufficient */
-	strncpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN);
+	strlcpy(cwd, globbuf.gl_pathv[0], MAXPATHLEN);
 
 	if (php_check_open_basedir(cwd TSRMLS_CC)) {
 		RETURN_FALSE;
diff --git a/ext/standard/mail.c b/ext/standard/mail.c
index d437e15c1c..70c1d323be 100644
--- a/ext/standard/mail.c
+++ b/ext/standard/mail.c
@@ -47,8 +47,8 @@
 
 #define SKIP_LONG_HEADER_SEP(str, pos)										\
 	if (str[pos] == '\r' && str[pos + 1] == '\n' && (str[pos + 2] == ' ' || str[pos + 2] == '\t')) {	\
-		pos += 3;											\
-		while (str[pos] == ' ' || str[pos] == '\t') {							\
+		pos += 2;											\
+		while (str[pos + 1] == ' ' || str[pos + 1] == '\t') {							\
 			pos++;											\
 		}												\
 		continue;											\
diff --git a/ext/standard/tests/array/bug40709.phpt b/ext/standard/tests/array/bug40709.phpt
new file mode 100644
index 0000000000..6ab6bbd410
--- /dev/null
+++ b/ext/standard/tests/array/bug40709.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #40709 (array_reduce() behaves strange with one item stored arrays)
+--SKIPIF--
+--FILE--
+<?php
+function CommaSeperatedList($a, $b) {
+    if($a == null)
+        return $b;
+    else
+        return $a.','.$b;
+}
+
+$arr1 = array(1,2,3);
+$arr2 = array(1);
+
+echo "result for arr1: ".array_reduce($arr1,'CommaSeperatedList')."\n";
+echo "result for arr2: ".array_reduce($arr2,'CommaSeperatedList')."\n";
+echo "result for arr1: ".array_reduce($arr1,'CommaSeperatedList')."\n";
+echo "result for arr2: ".array_reduce($arr2,'CommaSeperatedList')."\n";
+
+echo "Done\n";
+?>
+--EXPECT--	
+result for arr1: 1,2,3
+result for arr2: 1
+result for arr1: 1,2,3
+result for arr2: 1
+Done
diff --git a/ext/standard/tests/strings/bug40432.phpt b/ext/standard/tests/strings/bug40432.phpt
new file mode 100644
index 0000000000..6db2e94e58
--- /dev/null
+++ b/ext/standard/tests/strings/bug40432.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #40432 (strip_tags() fails with greater than in attribute)
+--FILE--
+<?php
+echo strip_tags('<span title="test > all">this</span>') . "\n";
+?>
+--EXPECT--
+this
diff --git a/ext/standard/tests/strings/bug40704.phpt b/ext/standard/tests/strings/bug40704.phpt
new file mode 100644
index 0000000000..82e91b5c87
--- /dev/null
+++ b/ext/standard/tests/strings/bug40704.phpt
@@ -0,0 +1,13 @@
+--TEST--
+Bug #40704 (strip_tags() does not handle single quotes correctly)
+--FILE--
+<?php
+
+$html = "<div>Bug ' Trigger</div> Missing Text";
+var_dump(strip_tags($html));
+
+echo "Done\n";
+?>
+--EXPECT--	
+string(26) "Bug ' Trigger Missing Text"
+Done
diff --git a/ext/standard/tests/strings/bug40754.phpt b/ext/standard/tests/strings/bug40754.phpt
new file mode 100644
index 0000000000..23a459317b
--- /dev/null
+++ b/ext/standard/tests/strings/bug40754.phpt
@@ -0,0 +1,63 @@
+--TEST--
+Bug #40754 (Overflow checks inside string functions)
+--FILE--
+<?php
+
+$v = 2147483647;
+
+var_dump(substr("abcde", 1, $v));
+var_dump(substr_replace("abcde", "x", $v, $v));
+
+var_dump(strspn("abcde", "abc", $v, $v));
+var_dump(strcspn("abcde", "abc", $v, $v));
+
+var_dump(substr_count("abcde", "abc", $v, $v));
+var_dump(substr_compare("abcde", "abc", $v, $v));
+
+var_dump(stripos("abcde", "abc", $v));
+var_dump(substr_count("abcde", "abc", $v, 1));
+var_dump(substr_count("abcde", "abc", 1, $v));
+var_dump(strpos("abcde", "abc", $v));
+var_dump(stripos("abcde", "abc", $v));
+var_dump(strrpos("abcde", "abc", $v));
+var_dump(strripos("abcde", "abc", $v));
+var_dump(strncmp("abcde", "abc", $v));
+var_dump(chunk_split("abcde", $v, "abc"));
+var_dump(substr("abcde", $v, $v));
+
+?>
+--EXPECTF--	
+string(4) "bcde"
+bool(false)
+bool(false)
+bool(false)
+
+Warning: substr_count(): Offset value 2147483647 exceeds string length. in %s on line %d
+bool(false)
+
+Warning: substr_compare(): The start position cannot exceed initial string length in %s on line %d
+bool(false)
+
+Warning: stripos(): Offset not contained in string. in %s on line %d
+bool(false)
+
+Warning: substr_count(): Offset value 2147483647 exceeds string length. in %s on line %d
+bool(false)
+
+Warning: substr_count(): Length value 2147483647 exceeds string length. in %s on line %d
+bool(false)
+
+Warning: strpos(): Offset not contained in string. in %s on line %d
+bool(false)
+
+Warning: stripos(): Offset not contained in string. in %s on line %d
+bool(false)
+
+Notice: strrpos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+
+Notice: strripos(): Offset is greater than the length of haystack string in %s on line %d
+bool(false)
+int(2)
+string(8) "abcdeabc"
+bool(false)
diff --git a/ext/standard/tests/strings/htmlentities18.phpt b/ext/standard/tests/strings/htmlentities18.phpt
new file mode 100644
index 0000000000..ab3df05da8
--- /dev/null
+++ b/ext/standard/tests/strings/htmlentities18.phpt
@@ -0,0 +1,40 @@
+--TEST--
+htmlentities() / htmlspecialchars() "don't double encode" flag support
+--FILE--
+<?php
+$tests = array(
+	"abc",
+	"abc&amp;sfdsa",
+	"test&#043;s &amp; some more &#68;",
+	"&; &amp &#a; &9;",
+	"&kffjadfdhsjfhjasdhffasdfas;",
+	"&#8787978789",
+	"&",
+	"&&amp;&",
+	"&ab&amp;&",
+);
+
+foreach ($tests as $test) {
+	var_dump(htmlentities($test, ENT_QUOTES, NULL, FALSE));
+	var_dump(htmlspecialchars($test, ENT_QUOTES, NULL, FALSE));
+}
+?>
+--EXPECT--
+string(3) "abc"
+string(3) "abc"
+string(13) "abc&amp;sfdsa"
+string(13) "abc&amp;sfdsa"
+string(33) "test&#043;s &amp; some more &#68;"
+string(33) "test&#043;s &amp; some more &#68;"
+string(24) "&; &amp;amp &amp;#a; &9;"
+string(24) "&; &amp;amp &amp;#a; &9;"
+string(32) "&amp;kffjadfdhsjfhjasdhffasdfas;"
+string(32) "&amp;kffjadfdhsjfhjasdhffasdfas;"
+string(16) "&amp;#8787978789"
+string(16) "&amp;#8787978789"
+string(5) "&amp;"
+string(5) "&amp;"
+string(15) "&amp;&amp;&amp;"
+string(15) "&amp;&amp;&amp;"
+string(17) "&amp;ab&amp;&amp;"
+string(17) "&amp;ab&amp;&amp;"
diff --git a/ext/standard/user_filters.c b/ext/standard/user_filters.c
index 2f5dfaa682..e366d7c929 100644
--- a/ext/standard/user_filters.c
+++ b/ext/standard/user_filters.c
@@ -260,6 +260,7 @@ static php_stream_filter *user_filter_factory_create(const char *filtername,
 	zval *obj, *zfilter;
 	zval func_name;
 	zval *retval = NULL;
+	int len;
 	
 	/* some sanity checks */
 	if (persistent) {
@@ -268,9 +269,10 @@ static php_stream_filter *user_filter_factory_create(const char *filtername,
 		return NULL;
 	}
 
+	len = strlen(filtername);
+
 	/* determine the classname/class entry */
-	if (FAILURE == zend_hash_find(BG(user_filter_map), (char*)filtername,
-				strlen(filtername) + 1, (void**)&fdat)) {
+	if (FAILURE == zend_hash_find(BG(user_filter_map), (char*)filtername, len + 1, (void**)&fdat)) {
 		char *period;
 
 		/* Userspace Filters using ambiguous wildcards could cause problems.
@@ -279,10 +281,10 @@ static php_stream_filter *user_filter_factory_create(const char *filtername,
 		   TODO: Allow failed userfilter creations to continue
 		   scanning through the list */
 		if ((period = strrchr(filtername, '.'))) {
-			char *wildcard;
+			char *wildcard = emalloc(len + 3);
 
 			/* Search for wildcard matches instead */
-			wildcard = estrdup(filtername);
+			memcpy(wildname, filtername, len + 1); /* copy \0 */
 			period = wildcard + (period - filtername);
 			while (period) {
 				*period = '\0';
diff --git a/ext/wddx/tests/bug41283.phpt b/ext/wddx/tests/bug41283.phpt
new file mode 100644
index 0000000000..241101f2a4
--- /dev/null
+++ b/ext/wddx/tests/bug41283.phpt
@@ -0,0 +1,27 @@
+--TEST--
+Bug #41283 (Bug with serializing array key that are doubles or floats)
+--SKIPIF--
+<?php if (!extension_loaded("wddx")) print "skip"; ?>
+--FILE--
+<?php
+$data = array(
+  'somearray' => array('1.1' => 'One 1','1.2' => 'One 2', '1.0' => 'Three')
+);
+
+var_dump(wddx_deserialize(wddx_serialize_vars('data')));
+?>
+--EXPECT--
+array(1) {
+  ["data"]=>
+  array(1) {
+    ["somearray"]=>
+    array(3) {
+      ["1.1"]=>
+      string(5) "One 1"
+      ["1.2"]=>
+      string(5) "One 2"
+      [1]=>
+      string(5) "Three"
+    }
+  }
+}