From d8c80af71e9b43e9adec9e3f57f2732a0ac95d71 Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Tue, 15 Aug 2017 12:34:13 +0800
Subject: Fixed bug #75075 (unpack with X* causes infinity loop)

---
 NEWS                                     |  1 +
 ext/standard/pack.c                      |  4 ++++
 ext/standard/tests/strings/bug75075.phpt | 10 ++++++++++
 3 files changed, 15 insertions(+)
 create mode 100644 ext/standard/tests/strings/bug75075.phpt

diff --git a/NEWS b/NEWS
index 0723d99231..d901e3db9c 100644
--- a/NEWS
+++ b/NEWS
@@ -53,6 +53,7 @@ PHP                                                                        NEWS
   . Fixed bug #75015 (Crash in recursive iterator destructors). (Julien)
 
 - Standard:
+  . Fixed bug #75075 (unpack with X* causes infinity loop). (Laruence)
   . Fixed bug #74103 (heap-use-after-free when unserializing invalid array
     size). (Nikita)
   . Fixed bug #75054 (A Denial of Service Vulnerability was found when
diff --git a/ext/standard/pack.c b/ext/standard/pack.c
index d15154df31..f6748d42a2 100644
--- a/ext/standard/pack.c
+++ b/ext/standard/pack.c
@@ -782,6 +782,10 @@ PHP_FUNCTION(unpack)
 			/* Never use any input */
 			case 'X':
 				size = -1;
+				if (arg < 0) {
+					php_error_docref(NULL, E_WARNING, "Type %c: '*' ignored", type);
+					arg = 1;
+				}
 				break;
 
 			case '@':
diff --git a/ext/standard/tests/strings/bug75075.phpt b/ext/standard/tests/strings/bug75075.phpt
new file mode 100644
index 0000000000..232de50622
--- /dev/null
+++ b/ext/standard/tests/strings/bug75075.phpt
@@ -0,0 +1,10 @@
+--TEST--
+Bug #75075 (unpack with X* causes infinity loop)
+--FILE--
+<?php
+var_dump(unpack("X*", ""));
+?>
+--EXPECTF--
+Warning: unpack(): Type X: '*' ignored in %sbug75075.php on line %d
+array(0) {
+}
-- 
cgit v1.2.1


From 6275825c68dcd68aedc59cab37cfde7a457256cf Mon Sep 17 00:00:00 2001
From: Xinchen Hui <laruence@gmail.com>
Date: Tue, 15 Aug 2017 12:34:58 +0800
Subject: Update NEWS

---
 NEWS | 1 +
 1 file changed, 1 insertion(+)

diff --git a/NEWS b/NEWS
index 877015094d..f866fdff0f 100644
--- a/NEWS
+++ b/NEWS
@@ -61,6 +61,7 @@ PHP                                                                        NEWS
   . Fixed bug #75015 (Crash in recursive iterator destructors). (Julien)
 
 - Standard:
+  . Fixed bug #75075 (unpack with X* causes infinity loop). (Laruence)
   . Fixed bug #74103 (heap-use-after-free when unserializing invalid array
     size). (Nikita)
   . Fixed bug #75054 (A Denial of Service Vulnerability was found when
-- 
cgit v1.2.1