From 661f662d2fe7ae74585367e5757bb04fbdea717b Mon Sep 17 00:00:00 2001
From: Remi Collet
Date: Mon, 19 Sep 2016 14:11:20 +0200
Subject: PHP 5.5.38 with backports from 5.6.26
---
bug72860.patch | 62 ++++++++++++++++++
bug72910.patch | 61 ++++++++++++++++++
bug72926.patch | 29 +++++++++
bug72928.patch | 92 +++++++++++++++++++++++++++
bug73007.patch | 25 ++++++++
bug73029.patch | 89 ++++++++++++++++++++++++++
bug73035.patch | 32 ++++++++++
bug73052.patch | 65 +++++++++++++++++++
bug73065.patch | 196 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
failed.txt | 2 +-
php55.spec | 38 ++++++++++-
11 files changed, 689 insertions(+), 2 deletions(-)
create mode 100644 bug72860.patch
create mode 100644 bug72910.patch
create mode 100644 bug72926.patch
create mode 100644 bug72928.patch
create mode 100644 bug73007.patch
create mode 100644 bug73029.patch
create mode 100644 bug73035.patch
create mode 100644 bug73052.patch
create mode 100644 bug73065.patch
diff --git a/bug72860.patch b/bug72860.patch
new file mode 100644
index 0000000..e26cae0
--- /dev/null
+++ b/bug72860.patch
@@ -0,0 +1,62 @@ +Backported from 5.6.26 by Remi. + + +From 780daee62b55995a10f8e849159eff0a25bacb9d Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 5 Sep 2016 23:42:31 -0700 +Subject: [PATCH] Fix bug #72860: wddx_deserialize use-after-free + +--- + ext/wddx/tests/bug72860.phpt | 27 +++++++++++++++++++++++++++ + ext/wddx/wddx.c | 3 ++- + 2 files changed, 29 insertions(+), 1 deletion(-) + create mode 100644 ext/wddx/tests/bug72860.phpt + +diff --git a/ext/wddx/tests/bug72860.phpt b/ext/wddx/tests/bug72860.phpt +new file mode 100644 +index 0000000..6385457 +--- /dev/null ++++ b/ext/wddx/tests/bug72860.phpt +@@ -0,0 +1,27 @@ ++--TEST-- ++Bug #72860: wddx_deserialize use-after-free ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++var_dump(wddx_deserialize($xml)); ++?> ++DONE ++--EXPECT-- ++NULL ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index d7bd295..b02d2f0 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -232,7 +232,8 @@ static int wddx_stack_destroy(wddx_stack *stack) + + if (stack->elements) { + for (i = 0; i < stack->top; i++) { +- if (((st_entry *)stack->elements[i])->data) { ++ if (((st_entry *)stack->elements[i])->data ++ && ((st_entry *)stack->elements[i])->type != ST_FIELD) { + zval_ptr_dtor(&((st_entry *)stack->elements[i])->data); + } + if (((st_entry *)stack->elements[i])->varname) { diff --git a/bug72910.patch b/bug72910.patch new file mode 100644 index 0000000..2556b69 --- /dev/null +++ b/bug72910.patch 
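Review bot: The new `type != ST_FIELD` exemption in wddx_stack_destroy carries no comment saying why a field entry's data must not be released, and the reason is only visible in a separate patch in this same commit (php_wddx_push_element stores `ent.data = *field` straight out of the recordset's hash table with no addref visible). A maintainer who later adds an addref at that site will leak, and one who drops this check reintroduces the use-after-free the bug reports. Suggest `/* ST_FIELD entries alias a zval owned by the enclosing ST_RECORDSET array; the recordset releases it, not the stack */` directly above the condition. The rest of wddx_stack_destroy (the varname branch and the element free) lies outside the hunk.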
@@ -0,0 +1,61 @@ +Backported from 5.6.26 by Remi. + + +From 486056b2153f7177cd8a7c78d93968726ee8fa65 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Thu, 1 Sep 2016 23:27:06 -0700 +Subject: [PATCH] Fix bug #72910 + +Merge upstream patch from https://github.com/kkos/oniguruma/commit/65bdf2a0d160d06556415e5f396a75f6b11bad5c +--- + ext/mbstring/oniguruma/enc/utf8.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c +index 5e2c172..74122e1 100644 +--- a/ext/mbstring/oniguruma/enc/utf8.c ++++ b/ext/mbstring/oniguruma/enc/utf8.c +@@ -98,7 +98,7 @@ mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) + + len = enclen(ONIG_ENCODING_UTF8, p); + c = *p++; +- if (len > 1) { ++ if (len > 1 && p < end) { + len--; + n = c & ((1 << (6 - len)) - 1); + while (len--) { + +From b570c506815212c7702bfb0046e87d541e171eb7 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 4 Sep 2016 19:13:22 -0700 +Subject: [PATCH] Sync fix for bug #72910 with current upstream + +--- + ext/mbstring/oniguruma/enc/utf8.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ext/mbstring/oniguruma/enc/utf8.c b/ext/mbstring/oniguruma/enc/utf8.c +index 74122e1..9e8478f 100644 +--- a/ext/mbstring/oniguruma/enc/utf8.c ++++ b/ext/mbstring/oniguruma/enc/utf8.c +@@ -91,14 +91,16 @@ is_mbc_newline(const UChar* p, const UChar* end) + } + + static OnigCodePoint +-mbc_to_code(const UChar* p, const UChar* end ARG_UNUSED) ++mbc_to_code(const UChar* p, const UChar* end) + { + int c, len; + OnigCodePoint n; + +- len = enclen(ONIG_ENCODING_UTF8, p); ++ len = mbc_enc_len(p); ++ if (len > end - p) len = end - p; ++ + c = *p++; +- if (len > 1 && p < end) { ++ if (len > 1) { + len--; + n = c & ((1 << (6 - len)) - 1); + while (len--) { + diff --git a/bug72926.patch b/bug72926.patch new file mode 100644 index 0000000..044ed2b --- /dev/null +++ b/bug72926.patch 
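Review bot: After the clamp `if (len > end - p) len = end - p;` a caller that passes `p == end` ends up with `len == 0`, and the following `c = *p++` still reads one byte at `end`; the clamp only bounds the continuation-byte loop. If callers guarantee at least one byte before `end` (likely, but not visible in this hunk) that precondition deserves a comment such as `/* caller guarantees p < end; the clamp only bounds the continuation bytes */`, otherwise an early `if (p >= end) return 0;`-style guard is needed before the first dereference. Note also that a truncated sequence is now decoded from whatever bytes remain rather than rejected, which matches upstream but is worth stating next to the clamp so nobody "fixes" it into an error later. The continuation loop that consumes `len` continues past the end of the hunk.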
@@ -0,0 +1,29 @@ +Backported from 5.6.26 by Remi. + + +From 88d26623b2e55becc1d4b3e7944ebb1a0c1bd908 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 4 Sep 2016 20:49:34 -0700 +Subject: [PATCH] Same issue as #72926 in another place. + +--- + ext/exif/exif.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/ext/exif/exif.c b/ext/exif/exif.c +index 657a2cc1..8b0e34c 100644 +--- a/ext/exif/exif.c ++++ b/ext/exif/exif.c +@@ -3744,8 +3744,11 @@ static int exif_process_IFD_in_TIFF(image_info_type *ImageInfo, size_t dir_offse + fgot = php_stream_read(ImageInfo->infile, ImageInfo->Thumbnail.data, ImageInfo->Thumbnail.size); + if (fgot < ImageInfo->Thumbnail.size) { + EXIF_ERRLOG_THUMBEOF(ImageInfo) ++ efree(ImageInfo->Thumbnail.data); ++ ImageInfo->Thumbnail.data = NULL; ++ } else { ++ exif_thumbnail_build(ImageInfo TSRMLS_CC); + } +- exif_thumbnail_build(ImageInfo TSRMLS_CC); + } + } + } diff --git a/bug72928.patch b/bug72928.patch new file mode 100644 index 0000000..82189ae --- /dev/null +++ b/bug72928.patch 
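Review bot: On the short-read path the thumbnail buffer is freed and `ImageInfo->Thumbnail.data` is nulled, but `ImageInfo->Thumbnail.size` keeps the length that was requested from the stream, so the two fields now disagree. Any later consumer that keys off `size` rather than `data` (outside this hunk, so not verifiable here) would see a non-empty thumbnail with no buffer; adding `ImageInfo->Thumbnail.size = 0;` next to the `data = NULL` assignment keeps the pair consistent on every path. The enclosing exif_process_IFD_in_TIFF starts and ends outside the hunk.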
@@ -0,0 +1,92 @@ +Backported from 5.6.26 by Remi. +Binary diff dropped. + + +From dd69327ad783ea93f1e0a9e358974c7b098f29cc Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 4 Sep 2016 22:07:35 -0700 +Subject: [PATCH] Fix bug #72928 - Out of bound when verify signature of zip + phar in phar_parse_zipfile + +--- + ext/phar/tests/bug72928.phpt | 18 ++++++++++++++++++ + ext/phar/tests/bug72928.zip | Bin 0 -> 140 bytes + ext/phar/util.c | 28 ++++++++++++++++++++++++++++ + ext/phar/zip.c | 2 +- + 4 files changed, 47 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug72928.phpt + create mode 100644 ext/phar/tests/bug72928.zip + +diff --git a/ext/phar/util.c b/ext/phar/util.c +index 4bbd867..828be8f 100644 +--- a/ext/phar/util.c ++++ b/ext/phar/util.c +@@ -1657,6 +1657,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[64]; + PHP_SHA512_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA512Init(&context); + read_len = end_of_phar; + +@@ -1690,6 +1697,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[32]; + PHP_SHA256_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA256Init(&context); + read_len = end_of_phar; + +@@ -1731,6 +1745,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[20]; + PHP_SHA1_CTX context; + ++ if (sig_len < sizeof(digest)) { ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_SHA1Init(&context); + read_len = end_of_phar; + +@@ -1764,6 +1785,13 @@ int phar_verify_signature(php_stream *fp, size_t end_of_phar, php_uint32 sig_typ + unsigned char digest[16]; + PHP_MD5_CTX context; + ++ if (sig_len < sizeof(digest)) 
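Review bot: The new `sig_len < sizeof(digest)` guards only enforce a minimum: a signature blob longer than the digest still passes, and if the comparison below (outside the hunk) is a memcmp over sizeof(digest) the trailing bytes are silently ignored. If the phar format never produces a hash signature longer than its digest, `if (sig_len != sizeof(digest))` is the tighter check; if longer input is legitimately tolerated, say so in a comment on the guard. The same five-line guard is pasted into every hash branch with only the digest size varying, so a small static helper or macro taking `sizeof(digest)` would keep the copies from drifting. phar_verify_signature itself begins and ends outside the hunk.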
{ ++ if (error) { ++ spprintf(error, 0, "broken signature"); ++ } ++ return FAILURE; ++ } ++ + PHP_MD5Init(&context); + read_len = end_of_phar; + +diff --git a/ext/phar/zip.c b/ext/phar/zip.c +index bf895e7..ed156a2 100644 +--- a/ext/phar/zip.c ++++ b/ext/phar/zip.c +@@ -430,7 +430,7 @@ int phar_parse_zipfile(php_stream *fp, char *fname, int fname_len, char *alias, + php_stream_seek(fp, sizeof(phar_zip_file_header) + entry.header_offset + entry.filename_len + PHAR_GET_16(zipentry.extra_len), SEEK_SET); + sig = (char *) emalloc(entry.uncompressed_filesize); + read = php_stream_read(fp, sig, entry.uncompressed_filesize); +- if (read != entry.uncompressed_filesize) { ++ if (read != entry.uncompressed_filesize || read <= 8) { + php_stream_close(sigfile); + efree(sig); + PHAR_ZIP_FAIL("signature cannot be read"); diff --git a/bug73007.patch b/bug73007.patch new file mode 100644 index 0000000..e707c22 --- /dev/null +++ b/bug73007.patch @@ -0,0 +1,25 @@ +Backported from 5.6.26 by Remi. + + +From 20fa323d53257a776bd7551ce7bdb2261cfe5420 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 5 Sep 2016 18:01:35 -0700 +Subject: [PATCH] Fix bug #73007: add locale length check + +--- + ext/intl/msgformat/msgformat_format.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ext/intl/msgformat/msgformat_format.c b/ext/intl/msgformat/msgformat_format.c +index 25c9619..9b6df38 100644 +--- a/ext/intl/msgformat/msgformat_format.c ++++ b/ext/intl/msgformat/msgformat_format.c +@@ -118,6 +118,8 @@ PHP_FUNCTION( msgfmt_format_message ) + RETURN_FALSE; + } + ++ INTL_CHECK_LOCALE_LEN(slocale_len); ++ + msgformat_data_init(&mfo->mf_data TSRMLS_CC); + + if(pattern && pattern_len) { diff --git a/bug73029.patch b/bug73029.patch new file mode 100644 index 0000000..9e52054 --- /dev/null +++ b/bug73029.patch 
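Review bot: `read <= 8` in the new condition is a bare magic number; nothing in the hunk says what the 8 bytes are, so a reader has to reverse-engineer it from the `sig` arithmetic that follows outside the hunk. Presumably it covers a fixed trailer after the hash bytes (confirm against the phar signature layout); whatever it is, give it a name such as `#define PHAR_SIG_TRAILER_LEN 8 /* bytes after the digest in a phar signature */` and use it in this comparison and in the subtraction that consumes it, so the zip and tar parsers cannot disagree. The enclosing phar_parse_zipfile starts and ends outside the hunk.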
@@ -0,0 +1,89 @@ +Backported from 5.6.26 by Remi. + + +From 589cfc7d0ebbc2399b6cbac3351ae26d569e9600 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 11 Sep 2016 20:24:13 -0700 +Subject: [PATCH] Fix bug #73029 - Missing type check when unserializing + SplArray + +--- + ext/spl/spl_array.c | 10 ++++++---- + ext/spl/tests/bug73029.phpt | 16 ++++++++++++++++ + 2 files changed, 22 insertions(+), 4 deletions(-) + create mode 100644 ext/spl/tests/bug73029.phpt + +diff --git a/ext/spl/spl_array.c b/ext/spl/spl_array.c +index 42a8e7a..700d609 100644 +--- a/ext/spl/spl_array.c ++++ b/ext/spl/spl_array.c +@@ -306,7 +306,7 @@ static zval **spl_array_get_dimension_ptr_ptr(int check_inherited, zval *object, + long index; + HashTable *ht = spl_array_get_hash_table(intern, 0 TSRMLS_CC); + +- if (!offset) { ++ if (!offset || !ht) { + return &EG(uninitialized_zval_ptr); + } + +@@ -1796,7 +1796,9 @@ SPL_METHOD(Array, unserialize) + intern->ar_flags |= flags & SPL_ARRAY_CLONE_MASK; + zval_ptr_dtor(&intern->array); + ALLOC_INIT_ZVAL(intern->array); +- if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC)) { ++ if (!php_var_unserialize(&intern->array, &p, s + buf_len, &var_hash TSRMLS_CC) ++ || (Z_TYPE_P(intern->array) != IS_ARRAY && Z_TYPE_P(intern->array) != IS_OBJECT)) { ++ zval_ptr_dtor(&intern->array); + goto outexcept; + } + var_push_dtor(&var_hash, &intern->array); +diff --git a/ext/spl/tests/bug73029.phpt b/ext/spl/tests/bug73029.phpt +new file mode 100644 +index 0000000..a379f80 +--- /dev/null ++++ b/ext/spl/tests/bug73029.phpt +@@ -0,0 +1,16 @@ ++--TEST-- ++Bug #73029: Missing type check when unserializing SplArray ++--FILE-- ++getMessage() . 
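Review bot: After the new `zval_ptr_dtor(&intern->array);` on the type-mismatch path, `intern->array` still holds the pointer to the released zval, because zval_ptr_dtor does not clear its argument. Unless the `outexcept` label (outside the hunk) reassigns it, the object's free handler will release the same pointer again when the ArrayObject is destroyed, and any access in between goes through a dangling zval; the `|| !ht` guard added to spl_array_get_dimension_ptr_ptr in the earlier hunk suggests the author expects a missing table, which this path does not produce. Adding `ALLOC_INIT_ZVAL(intern->array);` (or at least `intern->array = NULL;` with the free path made NULL-tolerant) right after the dtor makes the failure state explicit. SPL_METHOD(Array, unserialize) begins and ends outside the hunk.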
"\n"; ++} ++?> ++DONE ++--EXPECTF-- ++Error at offset 10 of 19 bytes ++DONE +From 812f9c8a632f74d475cbc5b82e09190c8d47f740 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 12 Sep 2016 20:12:41 -0700 +Subject: [PATCH] Fix test + +--- + ext/spl/tests/bug70068.phpt | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ext/spl/tests/bug70068.phpt b/ext/spl/tests/bug70068.phpt +index 92a38df..96b2fa8 100644 +--- a/ext/spl/tests/bug70068.phpt ++++ b/ext/spl/tests/bug70068.phpt +@@ -2,8 +2,13 @@ + Bug #70068 (Dangling pointer in the unserialization of ArrayObject items) + --FILE-- + getMessage()."\n"; ++} + ?> + OK + --EXPECT-- ++Error at offset 10 of 20 bytes + OK +\ No newline at end of file diff --git a/bug73035.patch b/bug73035.patch new file mode 100644 index 0000000..4cb7a8e --- /dev/null +++ b/bug73035.patch @@ -0,0 +1,32 @@ +Backported from 5.6.26 by Remi. +Binary diff dropped. + + +From 71a6cff185e26d2806b551d4022e766421d3b275 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 11 Sep 2016 21:37:44 -0700 +Subject: [PATCH] Fix bug #73035 (Out of bound when verify signature of tar + phar in phar_parse_tarfile) + +--- + ext/phar/tar.c | 2 +- + ext/phar/tests/bug73035.phpt | 18 ++++++++++++++++++ + ext/phar/tests/bug73035.tar | Bin 0 -> 10240 bytes + 3 files changed, 19 insertions(+), 1 deletion(-) + create mode 100644 ext/phar/tests/bug73035.phpt + create mode 100644 ext/phar/tests/bug73035.tar + +diff --git a/ext/phar/tar.c b/ext/phar/tar.c +index 62edcb5..898ff85 100644 +--- a/ext/phar/tar.c ++++ b/ext/phar/tar.c +@@ -286,7 +286,7 @@ int phar_parse_tarfile(php_stream* fp, char *fname, int fname_len, char *alias, + } + curloc = php_stream_tell(fp); + read = php_stream_read(fp, buf, size); +- if (read != size) { ++ if (read != size || read <= 8) { + if (error) { + spprintf(error, 4096, "phar error: tar-based phar \"%s\" signature cannot be read", fname); + } + 
diff --git a/bug73052.patch b/bug73052.patch
new file mode 100644
index 0000000..a94e98b
--- /dev/null
+++ b/bug73052.patch
@@ -0,0 +1,65 @@ +Backported from 5.6.26 by Remi. + + +From ba8f3ba05f8545a243881547dcd5a1dcfe4d4fb2 Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Sun, 11 Sep 2016 21:19:29 -0700 +Subject: [PATCH] Fix bug #73052 - Memory Corruption in During + Deserialized-object Destruction + +--- + Zend/zend_objects_API.c | 6 +-- + ext/standard/tests/serialize/bug73052.phpt | 18 +++++++++ + ext/standard/var_unserializer.c | 61 +++++++++++++++--------------- + ext/standard/var_unserializer.re | 1 + + 4 files changed, 53 insertions(+), 33 deletions(-) + create mode 100644 ext/standard/tests/serialize/bug73052.phpt + +diff --git a/ext/standard/tests/serialize/bug73052.phpt b/ext/standard/tests/serialize/bug73052.phpt +new file mode 100644 +index 0000000..63b484b +--- /dev/null ++++ b/ext/standard/tests/serialize/bug73052.phpt +@@ -0,0 +1,18 @@ ++--TEST-- ++Bug #73052: Memory Corruption in During Deserialized-object Destruction ++--FILE-- ++ryat = null; ++ } ++} ++ ++$poc = 'O:3:"obj":1:{'; ++var_dump(unserialize($poc)); ++?> ++--EXPECTF-- ++Notice: unserialize(): Error at offset 13 of 13 bytes in %sbug73052.php on line %d ++bool(false) +diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c +index c8e6f8a..5491492 100644 +--- a/ext/standard/var_unserializer.c ++++ b/ext/standard/var_unserializer.c +@@ -440,6 +440,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + /* We've got partially constructed object on our hands here. Wipe it. 
*/ + if(Z_TYPE_PP(rval) == IS_OBJECT) { + zend_hash_clean(Z_OBJPROP_PP(rval)); ++ zend_object_store_ctor_failed(*rval TSRMLS_CC); + } + ZVAL_NULL(*rval); + return 0; +diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re +index 11b93c5..ce84bf5 100644 +--- a/ext/standard/var_unserializer.re ++++ b/ext/standard/var_unserializer.re +@@ -446,6 +446,7 @@ static inline int object_common2(UNSERIALIZE_PARAMETER, long elements) + /* We've got partially constructed object on our hands here. Wipe it. */ + if(Z_TYPE_PP(rval) == IS_OBJECT) { + zend_hash_clean(Z_OBJPROP_PP(rval)); ++ zend_object_store_ctor_failed(*rval TSRMLS_CC); + } + ZVAL_NULL(*rval); + return 0; diff --git a/bug73065.patch b/bug73065.patch new file mode 100644 index 0000000..1fc4a1e --- /dev/null +++ b/bug73065.patch 
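Review bot: The new `zend_object_store_ctor_failed(*rval TSRMLS_CC);` call has no comment, and the existing one above it only says the partially built object is wiped; the reason the flag matters (a user-level destructor running against an object whose properties were just cleared, which is what the accompanying test appears to exercise) is not stated anywhere in the hunk. Suggest `/* mark ctor-failed so the engine skips __destruct when this half-built object is released */` above the call. The change is correctly mirrored in var_unserializer.c, which is generated from this .re file; a note in the commit that the .c was regenerated rather than hand-edited would reassure the next person who re-runs re2c. object_common2 begins and ends outside the hunk.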
@@ -0,0 +1,196 @@ +Backported from 5.6.26 by Remi. + + +From 7d011b6f59a3f5a59a9835f9ad40d9b40c266bec Mon Sep 17 00:00:00 2001 +From: Stanislav Malyshev +Date: Mon, 12 Sep 2016 00:35:01 -0700 +Subject: [PATCH] Fix bug #73065: Out-Of-Bounds Read in php_wddx_push_element + of wddx.c + +--- + ext/wddx/tests/bug73065.phpt | 98 ++++++++++++++++++++++++++++++++++++++++++++ + ext/wddx/wddx.c | 19 +++++---- + 2 files changed, 108 insertions(+), 9 deletions(-) + create mode 100644 ext/wddx/tests/bug73065.phpt + +diff --git a/ext/wddx/tests/bug73065.phpt b/ext/wddx/tests/bug73065.phpt +new file mode 100644 +index 0000000..aa301aa +--- /dev/null ++++ b/ext/wddx/tests/bug73065.phpt +@@ -0,0 +1,98 @@ ++--TEST-- ++Bug #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c ++--SKIPIF-- ++ ++--FILE-- ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml2 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml3 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml4 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++$xml5 = << ++ ++ ++ ++ ++ ++ ++ ++ ++XML; ++ ++for($i=1;$i<=5;$i++) { ++ $xmlvar = "xml$i"; ++ $array = wddx_deserialize($$xmlvar); ++ var_dump($array); ++} ++?> ++DONE ++--EXPECTF-- ++array(0) { ++} ++array(0) { ++} ++array(0) { ++} ++array(1) { ++ [0]=> ++ array(0) { ++ } ++} ++array(0) { ++} ++DONE +\ No newline at end of file +diff --git a/ext/wddx/wddx.c b/ext/wddx/wddx.c +index b02d2f0..0e77826 100644 +--- a/ext/wddx/wddx.c ++++ b/ext/wddx/wddx.c +@@ -774,10 +774,10 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_CHAR_CODE) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_CHAR_CODE) && atts[i+1] && atts[i+1][0]) { + char tmp_buf[2]; + +- snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i], NULL, 16)); ++ snprintf(tmp_buf, sizeof(tmp_buf), "%c", (char)strtol(atts[i+1], NULL, 16)); + php_wddx_process_data(user_data, tmp_buf, strlen(tmp_buf)); + break; + 
} +@@ -795,7 +795,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_VALUE) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_VALUE) && atts[i+1] && atts[i+1][0]) { + ent.type = ST_BOOLEAN; + SET_STACK_VARNAME; + +@@ -803,7 +803,7 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + INIT_PZVAL(ent.data); + Z_TYPE_P(ent.data) = IS_BOOL; + wddx_stack_push((wddx_stack *)stack, &ent, sizeof(st_entry)); +- php_wddx_process_data(user_data, atts[i], strlen(atts[i])); ++ php_wddx_process_data(user_data, atts[i+1], strlen(atts[i+1])); + break; + } + } +@@ -836,8 +836,8 @@ static void php_wddx_push_element(void * + int i; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { +- stack->varname = estrdup(atts[i]); ++ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { ++ stack->varname = estrdup(atts[i+1]); + break; + } + } +@@ -850,11 +850,12 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + array_init(ent.data); + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], "fieldNames") && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], "fieldNames") && atts[i+1] && atts[i+1][0]) { + zval *tmp; + char *key; + char *p1, *p2, *endp; + ++ i++; + endp = (char *)atts[i] + strlen(atts[i]); + p1 = (char *)atts[i]; + while ((p2 = php_memnstr(p1, ",", sizeof(",")-1, endp)) != NULL) { +@@ -886,13 +887,13 @@ static void php_wddx_push_element(void *user_data, const XML_Char *name, const X + ent.data = NULL; + + if (atts) for (i = 0; atts[i]; i++) { +- if (!strcmp(atts[i], EL_NAME) && atts[++i] && atts[i][0]) { ++ if (!strcmp(atts[i], EL_NAME) && atts[i+1] && atts[i+1][0]) { + st_entry *recordset; + zval **field; + + if (wddx_stack_top(stack, (void**)&recordset) == SUCCESS && + recordset->type == ST_RECORDSET && +- 
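Review bot: The `fieldNames` branch fixes the index differently from its siblings: it tests `atts[i+1]` and then does `i++` so the existing `atts[i]` uses below keep working, while the `EL_CHAR_CODE`, `EL_VALUE` and `EL_NAME` branches switch every use to `atts[i+1]`. Both are safe only because each branch ends in `break`; the mixed style invites a later edit that drops the break and reintroduces the read past the terminating NULL that this bug is about. Since expat hands `atts` over as a NULL-terminated array of name/value pairs (per the expat callback contract, not visible here), stepping every loop with `for (i = 0; atts[i]; i += 2)` and reading `atts[i+1]` uniformly would make the pairing explicit and remove the need for the odd `i++`. The fieldNames loop body continues past the hunk.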
zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i], strlen(atts[i])+1, (void**)&field) == SUCCESS) { ++ zend_hash_find(Z_ARRVAL_P(recordset->data), (char*)atts[i+1], strlen(atts[i+1])+1, (void**)&field) == SUCCESS) { + ent.data = *field; + } + diff --git a/failed.txt b/failed.txt index 28ff29b..a54efe4 100644 --- a/failed.txt +++ b/failed.txt @@ -1,4 +1,4 @@ -==== PHP 5.5.38-2 (2016-09-10) +==== PHP 5.5.38-3 (2016-09-19) $ grep -r 'Tests failed' /var/lib/mock/*/build.log diff --git a/php55.spec b/php55.spec index 54d4e56..af55d73 100644 --- a/php55.spec +++ b/php55.spec @@ -141,7 +141,7 @@ Summary: PHP scripting language for creating dynamic web sites Name: php Version: 5.5.38 -Release: 2%{?dist} +Release: 3%{?dist} # All files licensed under PHP version 3.01, except # Zend is licensed under Zend # TSRM is licensed under BSD @@ -222,6 +222,15 @@ Patch116: bug72838.patch Patch117: bug72848.patch Patch118: bug72849.patch Patch119: bug72850.patch +Patch120: bug72910.patch +Patch121: bug72926.patch +Patch122: bug72928.patch +Patch123: bug73007.patch +Patch124: bug72860.patch +Patch125: bug73029.patch +Patch126: bug73052.patch +Patch127: bug73035.patch +Patch128: bug73065.patch # Security fixes (200+) @@ -1007,6 +1016,15 @@ rm -rf ext/json %patch117 -p1 -b .bug72848 %patch118 -p1 -b .bug72849 %patch119 -p1 -b .bug72850 +%patch120 -p1 -b .bug72910 +%patch121 -p1 -b .bug72926 +%patch122 -p1 -b .bug72928 +%patch123 -p1 -b .bug73007 +%patch124 -p1 -b .bug72860 +%patch125 -p1 -b .bug73029 +%patch126 -p1 -b .bug73052 +%patch127 -p1 -b .bug73035 +%patch128 -p1 -b .bug73065 # Fixes for tests %patch300 -p1 -b .datetests 
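Review bot: `ent.data = *field;` takes the field's zval straight out of the recordset's array, and no Z_ADDREF is visible in the hunk, so the ST_FIELD stack entry merely aliases a value the recordset owns; nothing at this site says so, and the matching `type != ST_FIELD` exemption in wddx_stack_destroy lives in a separate patch of this commit. A comment here, `/* borrowed: the ST_RECORDSET array owns this zval; wddx_stack_destroy must not release ST_FIELD data */`, ties the two halves together for the next reader. The surrounding php_wddx_push_element case continues outside the hunk.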
@@ -2029,6 +2047,24 @@ EOF %changelog +* Mon Sep 19 2016 Remi Collet 5.5.38-3 +- fix #72910: Out of bounds heap read in mbc_to_code() +- fix #72926: Uninitialized Thumbail Data Leads To Memory Leakage + in exif_process_IFD_in_TIFF +- fix #72928: Out of bound when verify signature of zip phar + CVE-2016-7414 +- fix #73007: add locale length check + CVE-2016-7416 +- fix #72860: wddx_deserialize use-after-free + CVE-2016-7413 +- fix #73029: Missing type check when unserializing SplArray + CVE-2016-7417 +- fix #73052: Memory Corruption in During Deserialized-object Destruction + CVE-2016-7411 +- fix #73035: Out of bound when verify signature of tar phar +- fix #73065: Out-Of-Bounds Read in php_wddx_push_element of wddx.c + CVE-2016-7418 + * Mon Sep 5 2016 Remi Collet 5.5.38-2 - fix #72716: initialize buffer before read (ftp) - fix #72663: destroy broken object when unserializing -- cgit