4 files changed, 50 insertions, 38 deletions

diff --git a/ext/filter/sanitizing_filters.c b/ext/filter/sanitizing_filters.c
index c44d7a8e55..d54ced2f4b 100644
--- a/ext/filter/sanitizing_filters.c
+++ b/ext/filter/sanitizing_filters.c
@@ -51,7 +51,7 @@ static void php_filter_encode_html(zval *value, const unsigned char *chars)
 	}
 
 	smart_str_0(&str);
-	efree(Z_STRVAL_P(value));
+	str_efree(Z_STRVAL_P(value));
 	Z_STRVAL_P(value) = str.c;
 	Z_STRLEN_P(value) = str.len;
 }
@@ -102,7 +102,7 @@ static void php_filter_encode_url(zval *value, const unsigned char* chars, const
 		s++;	
 	}
 	*p = '\0';
-	efree(Z_STRVAL_P(value));
+	str_efree(Z_STRVAL_P(value));
 	Z_STRVAL_P(value) = (char *)str;
 	Z_STRLEN_P(value) = p - str;
 }
@@ -131,7 +131,7 @@ static void php_filter_strip(zval *value, long flags)
 	}
 	/* update zval string data */
 	buf[c] = '\0';
-	efree(Z_STRVAL_P(value));
+	str_efree(Z_STRVAL_P(value));
 	Z_STRVAL_P(value) = (char *)buf;
 	Z_STRLEN_P(value) = c;
 }
@@ -169,7 +169,7 @@ static void filter_map_apply(zval *value, filter_map *map)
 	}
 	/* update zval string data */
 	buf[c] = '\0';
-	efree(Z_STRVAL_P(value));
+	str_efree(Z_STRVAL_P(value));
 	Z_STRVAL_P(value) = (char *)buf;
 	Z_STRLEN_P(value) = c;
 }
@@ -254,7 +254,7 @@ void php_filter_full_special_chars(PHP_INPUT_FILTER_PARAM_DECL)
 		quotes = ENT_NOQUOTES;
 	}
 	buf = php_escape_html_entities_ex(Z_STRVAL_P(value), Z_STRLEN_P(value), &len, 1, quotes, SG(default_charset), 0 TSRMLS_CC);
-	efree(Z_STRVAL_P(value));
+	str_efree(Z_STRVAL_P(value));
 	Z_STRVAL_P(value) = buf;
 	Z_STRLEN_P(value) = len;
 }
@@ -365,7 +365,7 @@ void php_filter_magic_quotes(PHP_INPUT_FILTER_PARAM_DECL)
 	/* just call php_addslashes quotes */
 	buf = php_addslashes(Z_STRVAL_P(value), Z_STRLEN_P(value), &len, 0 TSRMLS_CC);
 
-	efree(Z_STRVAL_P(value));
+	str_efree(Z_STRVAL_P(value));
 	Z_STRVAL_P(value) = buf;
 	Z_STRLEN_P(value) = len;
 }
diff --git a/ext/phar/phar.c b/ext/phar/phar.c
index 52179b1246..745eee09da 100644
--- a/ext/phar/phar.c
+++ b/ext/phar/phar.c
@@ -1736,31 +1736,30 @@ static int phar_open_from_fp(php_stream* fp, char *fname, int fname_len, char *a
 static int phar_analyze_path(const char *fname, const char *ext, int ext_len, int for_create TSRMLS_DC) /* {{{ */
 {
 	php_stream_statbuf ssb;
-	char *realpath, old, *a = (char *)(ext + ext_len);
+	char *realpath;
+	char *filename = estrndup(fname, (ext - fname) + ext_len);
 
-	old = *a;
-	*a = '\0';
-
-	if ((realpath = expand_filepath(fname, NULL TSRMLS_CC))) {
+	if ((realpath = expand_filepath(filename, NULL TSRMLS_CC))) {
 #ifdef PHP_WIN32
 		phar_unixify_path_separators(realpath, strlen(realpath));
 #endif
 		if (zend_hash_exists(&(PHAR_GLOBALS->phar_fname_map), realpath, strlen(realpath))) {
-			*a = old;
 			efree(realpath);
+			efree(filename);
 			return SUCCESS;
 		}
 
 		if (PHAR_G(manifest_cached) && zend_hash_exists(&cached_phars, realpath, strlen(realpath))) {
-			*a = old;
 			efree(realpath);
+			efree(filename);
 			return SUCCESS;
 		}
 		efree(realpath);
 	}
 
-	if (SUCCESS == php_stream_stat_path((char *) fname, &ssb)) {
-		*a = old;
+	if (SUCCESS == php_stream_stat_path((char *) filename, &ssb)) {
+
+		efree(filename);
 
 		if (ssb.sb.st_mode & S_IFDIR) {
 			return FAILURE;
@@ -1775,57 +1774,56 @@ static int phar_analyze_path(const char *fname, const char *ext, int ext_len, in
 		char *slash;
 
 		if (!for_create) {
-			*a = old;
+			efree(filename);
 			return FAILURE;
 		}
 
-		slash = (char *) strrchr(fname, '/');
-		*a = old;
+		slash = (char *) strrchr(filename, '/');
 
 		if (slash) {
-			old = *slash;
 			*slash = '\0';
 		}
 
-		if (SUCCESS != php_stream_stat_path((char *) fname, &ssb)) {
-			if (slash) {
-				*slash = old;
-			} else {
-				if (!(realpath = expand_filepath(fname, NULL TSRMLS_CC))) {
+		if (SUCCESS != php_stream_stat_path((char *) filename, &ssb)) {
+			if (!slash) {
+				if (!(realpath = expand_filepath(filename, NULL TSRMLS_CC))) {
+					efree(filename);
 					return FAILURE;
 				}
 #ifdef PHP_WIN32
 				phar_unixify_path_separators(realpath, strlen(realpath));
 #endif
-				a = strstr(realpath, fname) + ((ext - fname) + ext_len);
-				*a = '\0';
+				slash = strstr(realpath, filename) + ((ext - fname) + ext_len);
+				*slash = '\0';
 				slash = strrchr(realpath, '/');
 
 				if (slash) {
 					*slash = '\0';
 				} else {
 					efree(realpath);
+					efree(filename);
 					return FAILURE;
 				}
 
 				if (SUCCESS != php_stream_stat_path(realpath, &ssb)) {
 					efree(realpath);
+					efree(filename);
 					return FAILURE;
 				}
 
 				efree(realpath);
 
 				if (ssb.sb.st_mode & S_IFDIR) {
+					efree(filename);
 					return SUCCESS;
 				}
 			}
 
+			efree(filename);
 			return FAILURE;
 		}
 
-		if (slash) {
-			*slash = old;
-		}
+		efree(filename);
 
 		if (ssb.sb.st_mode & S_IFDIR) {
 			return SUCCESS;
diff --git a/ext/standard/array.c b/ext/standard/array.c
index 1988ea3a44..cd9b398355 100644
--- a/ext/standard/array.c
+++ b/ext/standard/array.c
@@ -1653,24 +1653,28 @@ PHP_FUNCTION(range)
 		high = (unsigned char *)Z_STRVAL_P(zhigh);
 
 		if (*low > *high) {		/* Negative Steps */
+			unsigned char ch = *low;
+
 			if (lstep <= 0) {
 				err = 1;
 				goto err;
 			}
-			for (; *low >= *high; (*low) -= (unsigned int)lstep) {
-				add_next_index_stringl(return_value, (const char *)low, 1, 1);
-				if (((signed int)*low - lstep) < 0) {
+			for (; ch >= *high; ch -= (unsigned int)lstep) {
+				add_next_index_stringl(return_value, (const char *)&ch, 1, 1);
+				if (((signed int)ch - lstep) < 0) {
 					break;
 				}
 			}
 		} else if (*high > *low) {	/* Positive Steps */
+			unsigned char ch = *low;
+
 			if (lstep <= 0) {
 				err = 1;
 				goto err;
 			}
-			for (; *low <= *high; (*low) += (unsigned int)lstep) {
-				add_next_index_stringl(return_value, (const char *)low, 1, 1);
-				if (((signed int)*low + lstep) > 255) {
+			for (; ch <= *high; ch += (unsigned int)lstep) {
+				add_next_index_stringl(return_value, (const char *)&ch, 1, 1);
+				if (((signed int)ch + lstep) > 255) {
 					break;
 				}
 			}
diff --git a/ext/standard/string.c b/ext/standard/string.c
index 88b8099683..1ffbaa9663 100644
--- a/ext/standard/string.c
+++ b/ext/standard/string.c
@@ -3589,7 +3589,7 @@ static void php_str_replace_in_subject(zval *search, zval *replace, zval **subje
 														   replace_value, replace_len, &Z_STRLEN(temp_result), case_sensitivity, replace_count);
 			}
 
-			efree(Z_STRVAL_P(result));
+           str_efree(Z_STRVAL_P(result));
 			Z_STRVAL_P(result) = Z_STRVAL(temp_result);
 			Z_STRLEN_P(result) = Z_STRLEN(temp_result);
 
@@ -4244,6 +4244,7 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 	char *tbuf, *buf, *p, *tp, *rp, c, lc;
 	int br, i=0, depth=0, in_q = 0;
 	int state = 0, pos;
+	char *allow_free;
 
 	if (stateptr)
 		state = *stateptr;
@@ -4255,7 +4256,12 @@ PHPAPI size_t php_strip_tags_ex(char *rbuf, int len, int *stateptr, char *allow,
 	rp = rbuf;
 	br = 0;
 	if (allow) {
-		php_strtolower(allow, allow_len);
+		if (IS_INTERNED(allow)) {
+			allow_free = allow = zend_str_tolower_dup(allow, allow_len);
+		} else {
+			allow_free = NULL;
+			php_strtolower(allow, allow_len);
+		}
 		tbuf = emalloc(PHP_TAG_BUF_SIZE + 1);
 		tp = tbuf;
 	} else {
@@ -4494,8 +4500,12 @@ reg_char:
 		*rp = '\0';
 	}
 	efree(buf);
-	if (allow)
+	if (allow) {
 		efree(tbuf);
+		if (allow_free) {
+			efree(allow_free);
+		}
+	}
 	if (stateptr)
 		*stateptr = state;