Merge branch 'PHP-5.3' of git.php.net:/php-src into PHP-5.3

12 files changed, 177 insertions, 18 deletions

diff --git a/ext/filter/filter_private.h b/ext/filter/filter_private.h
index daa688b4ac..6c26d98075 100644
--- a/ext/filter/filter_private.h
+++ b/ext/filter/filter_private.h
@@ -107,8 +107,10 @@
 	if (len < 1) { \
 		RETURN_VALIDATION_FAILED \
 	} \
-	while (p[len-1] == ' ' || p[len-1] == '\t' || p[len-1] == '\r' || p[len-1] == '\v' || p[len-1] == '\n') { \
-		len--; \
+	if (len > 0) { \
+		while (p[len-1] == ' ' || p[len-1] == '\t' || p[len-1] == '\r' || p[len-1] == '\v' || p[len-1] == '\n') { \
+			len--; \
+		} \
 	} \
 }
 
diff --git a/ext/gd/libgd/gd_png.c b/ext/gd/libgd/gd_png.c
index 49f7cb0777..bdbb7ee7d3 100644
--- a/ext/gd/libgd/gd_png.c
+++ b/ext/gd/libgd/gd_png.c
@@ -127,8 +127,8 @@ gdImagePtr gdImageCreateFromPngCtx (gdIOCtx * infile)
 	png_color_16p trans_gray_rgb;
 	png_color_16p trans_color_rgb;
 	png_bytep trans;
-	png_bytep image_data = NULL;
-	png_bytepp row_pointers = NULL;
+	volatile png_bytep image_data = NULL;
+	volatile png_bytepp row_pointers = NULL;
 	gdImagePtr im = NULL;
 	int i, j, *open = NULL;
 	volatile int transparent = -1;
diff --git a/ext/libxml/libxml.c b/ext/libxml/libxml.c
index a17847868a..788736e756 100644
--- a/ext/libxml/libxml.c
+++ b/ext/libxml/libxml.c
@@ -699,7 +699,7 @@ static PHP_FUNCTION(libxml_set_streams_context)
 {
 	zval *arg;
 
-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "z", &arg) == FAILURE) {
+	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r", &arg) == FAILURE) {
 		return;
 	}
 	if (LIBXML(stream_context)) {
diff --git a/ext/libxml/tests/004.phpt b/ext/libxml/tests/004.phpt
index 8bdf593b93..aa87ab7503 100644
--- a/ext/libxml/tests/004.phpt
+++ b/ext/libxml/tests/004.phpt
@@ -27,26 +27,26 @@ echo "Done\n";
 
 ?>
 --EXPECTF--
-Warning: stream_context_create(): options should have the form ["wrappername"]["optionname"] = $value in %s004.php on line 10
-NULL
+Warning: stream_context_create(): options should have the form ["wrappername"]["optionname"] = $value in %s004.php on line %d
 
-Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18
-bool(true)
+Warning: libxml_set_streams_context() expects parameter 1 to be resource, null given in %s004.php on line %d
 NULL
-
-Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18
 bool(true)
-NULL
 
-Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18
-bool(true)
+Warning: libxml_set_streams_context() expects parameter 1 to be resource, string given in %s004.php on line %d
 NULL
+bool(true)
 
-Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18
+Warning: libxml_set_streams_context() expects parameter 1 to be resource, integer given in %s004.php on line %d
+NULL
 bool(true)
+
+Warning: libxml_set_streams_context() expects parameter 1 to be resource, object given in %s004.php on line %d
 NULL
+bool(true)
 
-Warning: DOMDocument::load(): supplied argument is not a valid Stream-Context resource in %s004.php on line 18
+Warning: libxml_set_streams_context() expects parameter 1 to be resource, array given in %s004.php on line %d
+NULL
 bool(true)
 NULL
 bool(true)
diff --git a/ext/libxml/tests/bug63389.phpt b/ext/libxml/tests/bug63389.phpt
new file mode 100644
index 0000000000..e9498aae08
--- /dev/null
+++ b/ext/libxml/tests/bug63389.phpt
@@ -0,0 +1,14 @@
+--TEST--
+Bug #63389 (Missing context check on libxml_set_streams_context() causes memleak)
+--SKIPIF--
+<?php if (!extension_loaded('libxml')) die('skip'); ?>
+--FILE--
+<?php
+$fp = fopen("php://input", "r");
+libxml_set_streams_context($fp);
+libxml_set_streams_context("a");
+echo "okey";
+?>
+--EXPECTF--
+Warning: libxml_set_streams_context() expects parameter 1 to be resource, string given in %sbug63389.php on line %d
+okey
diff --git a/ext/mbstring/mb_gpc.c b/ext/mbstring/mb_gpc.c
index dd60302d03..b35ece31de 100644
--- a/ext/mbstring/mb_gpc.c
+++ b/ext/mbstring/mb_gpc.c
@@ -262,6 +262,12 @@ enum mbfl_no_encoding _php_mb_encoding_handler_ex(const php_mb_encoding_handler_
 		n++;
 		var = php_strtok_r(NULL, info->separator, &strtok_buf);
 	} 
+
+	if (n > (PG(max_input_vars) * 2)) {
+		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+		goto out;
+	}
+
 	num = n; /* make sure to process initilized vars only */
 	
 	/* initialize converter */
diff --git a/ext/mbstring/tests/bug63447_001.phpt b/ext/mbstring/tests/bug63447_001.phpt
new file mode 100644
index 0000000000..51302994db
--- /dev/null
+++ b/ext/mbstring/tests/bug63447_001.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On)
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+?>
+--INI--
+max_input_nesting_level=10
+max_input_vars=5
+mbstring.encoding_translation=1
+--POST--
+a=1&b=2&c=3&d=4&e=5&f=6
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECT--
+Warning: Unknown: Input variables exceeded 5. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
+array(0) {
+}
diff --git a/ext/mbstring/tests/bug63447_002.phpt b/ext/mbstring/tests/bug63447_002.phpt
new file mode 100644
index 0000000000..e51089b794
--- /dev/null
+++ b/ext/mbstring/tests/bug63447_002.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On)
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+?>
+--INI--
+max_input_nesting_level=10
+max_input_vars=4
+mbstring.encoding_translation=1
+--POST--
+a=1&b=2&c=3&d=4&e=5
+--FILE--
+<?php
+var_dump($_POST);
+?>
+--EXPECT--
+Warning: Unknown: Input variables exceeded 4. To increase the limit change max_input_vars in php.ini. in Unknown on line 0
+array(0) {
+}
diff --git a/ext/mbstring/tests/bug63447_003.phpt b/ext/mbstring/tests/bug63447_003.phpt
new file mode 100644
index 0000000000..a4a7e14851
--- /dev/null
+++ b/ext/mbstring/tests/bug63447_003.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #63447 (max_input_vars doesn't filter variables when mbstring.encoding_translation = On)
+--SKIPIF--
+<?php
+extension_loaded('mbstring') or die('skip');
+?>
+--INI--
+max_input_nesting_level=5
+max_input_vars=100
+mbstring.encoding_translation=1
+--POST--
+a=1&b[][][]=2&c[][][][][][]=7
+--FILE--
+<?php
+print_r($_POST);
+?>
+--EXPECT--
+Array
+(
+    [a] => 1
+    [b] => Array
+        (
+            [0] => Array
+                (
+                    [0] => Array
+                        (
+                            [0] => 2
+                        )
+
+                )
+
+        )
+
+)
diff --git a/ext/mysqlnd/mysqlnd_wireprotocol.c b/ext/mysqlnd/mysqlnd_wireprotocol.c
index 1318c37a73..ec0ff496f4 100644
--- a/ext/mysqlnd/mysqlnd_wireprotocol.c
+++ b/ext/mysqlnd/mysqlnd_wireprotocol.c
@@ -982,7 +982,7 @@ php_mysqlnd_rset_field_read(void *_packet, MYSQLND *conn TSRMLS_DC)
 	p += 2;
 	BAIL_IF_NO_MORE_DATA;
 
-	meta->decimals = uint2korr(p);
+	meta->decimals = uint1korr(p);
 	p += 1;
 	BAIL_IF_NO_MORE_DATA;
 
diff --git a/ext/pdo_pgsql/pgsql_statement.c b/ext/pdo_pgsql/pgsql_statement.c
index c35ee33c7f..1dc0d58e97 100644
--- a/ext/pdo_pgsql/pgsql_statement.c
+++ b/ext/pdo_pgsql/pgsql_statement.c
@@ -362,8 +362,20 @@ static int pgsql_stmt_param_hook(pdo_stmt_t *stmt, struct pdo_bound_param_data *
 				}
 				break;
 		}
+	} else {
+#endif
+	if (param->is_param) {
+        /* We need to manually convert to a pg native boolean value */
+        if (PDO_PARAM_TYPE(param->param_type) == PDO_PARAM_BOOL &&
+            ((param->param_type & PDO_PARAM_INPUT_OUTPUT) != PDO_PARAM_INPUT_OUTPUT)) {
+            SEPARATE_ZVAL(&param->parameter);
+            param->param_type = PDO_PARAM_STR;
+            ZVAL_STRINGL(param->parameter, Z_BVAL_P(param->parameter) ? "t" : "f", 1, 1);
+        }
+    }
+#if HAVE_PQPREPARE
 	}
-#endif	
+#endif
 	return 1;
 }
 
diff --git a/ext/pdo_pgsql/tests/bug62593.phpt b/ext/pdo_pgsql/tests/bug62593.phpt
new file mode 100644
index 0000000000..e3ebf46ed5
--- /dev/null
+++ b/ext/pdo_pgsql/tests/bug62593.phpt
@@ -0,0 +1,51 @@
+--TEST--
+PDO PgSQL Bug #62593 (Emulate prepares behave strangely with PARAM_BOOL)
+--SKIPIF--
+<?php
+if (!extension_loaded('pdo') || !extension_loaded('pdo_pgsql')) die('skip not loaded');
+require dirname(__FILE__) . '/config.inc';
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+PDOTest::skip();
+?>
+--FILE--
+<?php
+require dirname(__FILE__) . '/../../../ext/pdo/tests/pdo_test.inc';
+$db = PDOTest::test_factory(dirname(__FILE__) . '/common.phpt');
+$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, true);
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT);
+$errors = array();
+
+$value = true;
+$query = $db->prepare('SELECT :foo IS FALSE as val_is_false');
+$query->bindValue(':foo', $value, PDO::PARAM_BOOL);
+$query->execute();
+$errors[] = $query->errorInfo();
+var_dump($value);
+
+$query->bindValue(':foo', 0, PDO::PARAM_BOOL);
+$query->execute();
+$errors[] = $query->errorInfo();
+
+// Verify bindParam maintains reference and only passes when execute is called
+$value = true;
+$query->bindParam(':foo', $value, PDO::PARAM_BOOL);
+$value = false;
+$query->execute();
+$errors[] = $query->errorInfo();
+var_dump($value);
+
+$expect = 'No errors found';
+
+foreach ($errors as $error)
+{
+  if (strpos('Invalid text representation', $error[2]) !== false)
+  {
+    $expect = 'Invalid boolean found';
+  }
+}
+echo $expect;
+?>
+--EXPECTF--
+bool(true)
+bool(false)
+No errors found