From 912a14cec72d394e150312bc746618005109a4f6 Mon Sep 17 00:00:00 2001
From: Remi Collet <remi@remirepo.net>
Date: Fri, 1 Dec 2017 14:22:07 +0100
Subject: add upstream patch for https://bugs.php.net/75573

---
 ...5514-mt_rand-returns-value-outside-min-ma.patch |  89 -----------------
 php-bug75514.patch                                 |  89 +++++++++++++++++
 php-bug75573.patch                                 | 107 +++++++++++++++++++++
 php71.spec                                         |  11 ++-
 4 files changed, 204 insertions(+), 92 deletions(-)
 delete mode 100644 0001-Fixed-bug-75514-mt_rand-returns-value-outside-min-ma.patch
 create mode 100644 php-bug75514.patch
 create mode 100644 php-bug75573.patch

diff --git a/0001-Fixed-bug-75514-mt_rand-returns-value-outside-min-ma.patch b/0001-Fixed-bug-75514-mt_rand-returns-value-outside-min-ma.patch
deleted file mode 100644
index c963933..0000000
--- a/0001-Fixed-bug-75514-mt_rand-returns-value-outside-min-ma.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 00500c425ba895f1b3591ace3ccd5ee125307559 Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@remirepo.net>
-Date: Mon, 13 Nov 2017 09:55:10 +0100
-Subject: [PATCH] Fixed bug #75514 mt_rand returns value outside [$min,$max]+
- on 32-bit
-
----
- ext/standard/mt_rand.c                |  4 ++--
- ext/standard/tests/math/bug75514.phpt | 12 ++++++++++++
- 2 files changed, 14 insertions(+), 2 deletions(-)
- create mode 100644 ext/standard/tests/math/bug75514.phpt
-
-diff --git a/ext/standard/mt_rand.c b/ext/standard/mt_rand.c
-index 2335a92..6669cbc 100644
---- a/ext/standard/mt_rand.c
-+++ b/ext/standard/mt_rand.c
-@@ -294,7 +294,7 @@ PHPAPI zend_long php_mt_rand_range(zend_long min, zend_long max)
-  * rand() allows min > max, mt_rand does not */
- PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
- {
--	zend_long n;
-+	uint32_t n;
- 
- 	if (BG(mt_rand_mode) == MT_RAND_MT19937) {
- 		return php_mt_rand_range(min, max);
-@@ -302,7 +302,7 @@ PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
- 
- 	/* Legacy mode deliberately not inside php_mt_rand_range()
- 	 * to prevent other functions being affected */
--	n = (zend_long)php_mt_rand() >> 1;
-+	n = php_mt_rand() >> 1;
- 	RAND_RANGE_BADSCALING(n, min, max, PHP_MT_RAND_MAX);
- 
- 	return n;
-diff --git a/ext/standard/tests/math/bug75514.phpt b/ext/standard/tests/math/bug75514.phpt
-new file mode 100644
-index 0000000..af97b6d
---- /dev/null
-+++ b/ext/standard/tests/math/bug75514.phpt
-@@ -0,0 +1,12 @@
-+--TEST--
-+Bug #75514 mt_rand returns value outside [$min,$max]
-+--FILE--
-+<?php
-+mt_srand(0, MT_RAND_PHP);
-+var_dump(mt_rand(0,999999999), mt_rand(0,999));
-+?>
-+===Done===
-+--EXPECT--
-+int(448865905)
-+int(592)
-+===Done===
--- 
-2.9.5
-
-From 2b071028973782ed87e7038e56d47e9897be804a Mon Sep 17 00:00:00 2001
-From: Remi Collet <remi@php.net>
-Date: Tue, 28 Nov 2017 17:42:43 +0100
-Subject: [PATCH] better fix for #75514
-
----
- ext/standard/mt_rand.c | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ext/standard/mt_rand.c b/ext/standard/mt_rand.c
-index 0a76ab8..46f52db 100644
---- a/ext/standard/mt_rand.c
-+++ b/ext/standard/mt_rand.c
-@@ -260,7 +260,7 @@ PHPAPI zend_long php_mt_rand_range(zend_long min, zend_long max)
-  * rand() allows min > max, mt_rand does not */
- PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
- {
--	uint32_t n;
-+	int64_t n;
- 
- 	if (BG(mt_rand_mode) == MT_RAND_MT19937) {
- 		return php_mt_rand_range(min, max);
-@@ -268,7 +268,7 @@ PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
- 
- 	/* Legacy mode deliberately not inside php_mt_rand_range()
- 	 * to prevent other functions being affected */
--	n = php_mt_rand() >> 1;
-+	n = (int64_t)php_mt_rand() >> 1;
- 	RAND_RANGE_BADSCALING(n, min, max, PHP_MT_RAND_MAX);
- 
- 	return n;
--- 
-2.1.4
-
diff --git a/php-bug75514.patch b/php-bug75514.patch
new file mode 100644
index 0000000..c963933
--- /dev/null
+++ b/php-bug75514.patch
@@ -0,0 +1,89 @@
+From 00500c425ba895f1b3591ace3ccd5ee125307559 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@remirepo.net>
+Date: Mon, 13 Nov 2017 09:55:10 +0100
+Subject: [PATCH] Fixed bug #75514 mt_rand returns value outside [$min,$max]+
+ on 32-bit
+
+---
+ ext/standard/mt_rand.c                |  4 ++--
+ ext/standard/tests/math/bug75514.phpt | 12 ++++++++++++
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+ create mode 100644 ext/standard/tests/math/bug75514.phpt
+
+diff --git a/ext/standard/mt_rand.c b/ext/standard/mt_rand.c
+index 2335a92..6669cbc 100644
+--- a/ext/standard/mt_rand.c
++++ b/ext/standard/mt_rand.c
+@@ -294,7 +294,7 @@ PHPAPI zend_long php_mt_rand_range(zend_long min, zend_long max)
+  * rand() allows min > max, mt_rand does not */
+ PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
+ {
+-	zend_long n;
++	uint32_t n;
+ 
+ 	if (BG(mt_rand_mode) == MT_RAND_MT19937) {
+ 		return php_mt_rand_range(min, max);
+@@ -302,7 +302,7 @@ PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
+ 
+ 	/* Legacy mode deliberately not inside php_mt_rand_range()
+ 	 * to prevent other functions being affected */
+-	n = (zend_long)php_mt_rand() >> 1;
++	n = php_mt_rand() >> 1;
+ 	RAND_RANGE_BADSCALING(n, min, max, PHP_MT_RAND_MAX);
+ 
+ 	return n;
+diff --git a/ext/standard/tests/math/bug75514.phpt b/ext/standard/tests/math/bug75514.phpt
+new file mode 100644
+index 0000000..af97b6d
+--- /dev/null
++++ b/ext/standard/tests/math/bug75514.phpt
+@@ -0,0 +1,12 @@
++--TEST--
++Bug #75514 mt_rand returns value outside [$min,$max]
++--FILE--
++<?php
++mt_srand(0, MT_RAND_PHP);
++var_dump(mt_rand(0,999999999), mt_rand(0,999));
++?>
++===Done===
++--EXPECT--
++int(448865905)
++int(592)
++===Done===
+-- 
+2.9.5
+
+From 2b071028973782ed87e7038e56d47e9897be804a Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 28 Nov 2017 17:42:43 +0100
+Subject: [PATCH] better fix for #75514
+
+---
+ ext/standard/mt_rand.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ext/standard/mt_rand.c b/ext/standard/mt_rand.c
+index 0a76ab8..46f52db 100644
+--- a/ext/standard/mt_rand.c
++++ b/ext/standard/mt_rand.c
+@@ -260,7 +260,7 @@ PHPAPI zend_long php_mt_rand_range(zend_long min, zend_long max)
+  * rand() allows min > max, mt_rand does not */
+ PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
+ {
+-	uint32_t n;
++	int64_t n;
+ 
+ 	if (BG(mt_rand_mode) == MT_RAND_MT19937) {
+ 		return php_mt_rand_range(min, max);
+@@ -268,7 +268,7 @@ PHPAPI zend_long php_mt_rand_common(zend_long min, zend_long max)
+ 
+ 	/* Legacy mode deliberately not inside php_mt_rand_range()
+ 	 * to prevent other functions being affected */
+-	n = php_mt_rand() >> 1;
++	n = (int64_t)php_mt_rand() >> 1;
+ 	RAND_RANGE_BADSCALING(n, min, max, PHP_MT_RAND_MAX);
+ 
+ 	return n;
+-- 
+2.1.4
+
diff --git a/php-bug75573.patch b/php-bug75573.patch
new file mode 100644
index 0000000..46cf095
--- /dev/null
+++ b/php-bug75573.patch
@@ -0,0 +1,107 @@
+From 3b9ba7b6bd9e24bdbeca8e8e3f24cee2fccc51d8 Mon Sep 17 00:00:00 2001
+From: Xinchen Hui <laruence@gmail.com>
+Date: Wed, 29 Nov 2017 14:46:21 +0800
+Subject: [PATCH] Fixed bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
+
+---
+ NEWS                        |  1 +
+ Zend/tests/bug75573.phpt    | 64 +++++++++++++++++++++++++++++++++++++++++++++
+ Zend/zend_object_handlers.c | 10 +++----
+ 3 files changed, 69 insertions(+), 6 deletions(-)
+ create mode 100644 Zend/tests/bug75573.phpt
+
+diff --git a/Zend/tests/bug75573.phpt b/Zend/tests/bug75573.phpt
+new file mode 100644
+index 0000000..476ff6e
+--- /dev/null
++++ b/Zend/tests/bug75573.phpt
+@@ -0,0 +1,64 @@
++--TEST--
++Bug #75573 (Segmentation fault in 7.1.12 and 7.0.26)
++--FILE--
++<?php
++
++class A
++{
++	var $_stdObject;
++	function initialize($properties = FALSE) {
++		$this->_stdObject = $properties ? (object) $properties : new stdClass();
++		parent::initialize();
++	}
++	function &__get($property)
++	{
++		if (isset($this->_stdObject->{$property})) {
++			$retval =& $this->_stdObject->{$property};
++			return $retval;
++		} else {
++			return NULL;
++		}
++	}
++	function &__set($property, $value)
++	{
++		return $this->_stdObject->{$property} = $value;
++	}
++	function __isset($property_name)
++	{
++		return isset($this->_stdObject->{$property_name});
++	}
++}
++
++class B extends A
++{
++	function initialize($properties = array())
++	{
++		parent::initialize($properties);
++	}
++	function &__get($property)
++	{
++		if (isset($this->settings) && isset($this->settings[$property])) {
++			$retval =& $this->settings[$property];
++			return $retval;
++		} else {
++			return parent::__get($property);
++		}
++	}
++}
++
++$b = new B();
++$b->settings = [ "foo" => "bar", "name" => "abc" ];
++var_dump($b->name);
++var_dump($b->settings);
++?>
++--EXPECTF--
++Warning: Creating default object from empty value in %sbug75573.php on line %d
++
++Notice: Only variable references should be returned by reference in %sbug75573.php on line %d
++string(3) "abc"
++array(2) {
++  ["foo"]=>
++  string(3) "bar"
++  ["name"]=>
++  string(3) "abc"
++}
+diff --git a/Zend/zend_object_handlers.c b/Zend/zend_object_handlers.c
+index 10045b5..d9ebd84 100644
+--- a/Zend/zend_object_handlers.c
++++ b/Zend/zend_object_handlers.c
+@@ -668,13 +668,11 @@ zval *zend_std_read_property(zval *object, zval *member, int type, void **cache_
+ 			}
+ 			zval_ptr_dtor(&tmp_object);
+ 			goto exit;
+-		} else {
++		} else if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
+ 			zval_ptr_dtor(&tmp_object);
+-			if (Z_STRVAL_P(member)[0] == '\0' && Z_STRLEN_P(member) != 0) {
+-				zend_throw_error(NULL, "Cannot access property started with '\\0'");
+-				retval = &EG(uninitialized_zval);
+-				goto exit;
+-			}
++			zend_throw_error(NULL, "Cannot access property started with '\\0'");
++			retval = &EG(uninitialized_zval);
++			goto exit;
+ 		}
+ 	}
+ 
+-- 
+2.1.4
+
diff --git a/php71.spec b/php71.spec
index 3413ff1..e2d1106 100644
--- a/php71.spec
+++ b/php71.spec
@@ -113,7 +113,7 @@
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: %{upver}%{?rcver:~%{rcver}}
-Release: 3%{?dist}
+Release: 4%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
@@ -170,6 +170,8 @@ Patch48: php-7.1.9-openssl-load-config.patch
 Patch91: php-5.6.3-oci8conf.patch
 
 # Upstream fixes (100+)
+Patch100: php-bug75573.patch
+Patch101: php-bug75514.patch
 
 # Security fixes (200+)
 
@@ -180,7 +182,6 @@ Patch300: php-7.0.10-datetests.patch
 Patch301: php-7.0.0-oldpcre.patch
 
 # WIP
-Patch400: 0001-Fixed-bug-75514-mt_rand-returns-value-outside-min-ma.patch
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9
 BuildRequires: httpd-devel >= 2.0.46-1, pam-devel
@@ -1019,6 +1020,8 @@ support for JavaScript Object Notation (JSON) to PHP.
 %patch91 -p1 -b .remi-oci8
 
 # upstream patches
+%patch100 -p1 -b .bug75573
+%patch101 -p1 -b .bug75514
 
 # security patches
 
@@ -1034,7 +1037,6 @@ fi
 %endif
 
 # WIP patch
-%patch400 -p1 -bug75514
 
 # Prevent %%doc confusion over LICENSE files
 cp Zend/LICENSE Zend/ZEND_LICENSE
@@ -2057,6 +2059,9 @@ fi
 
 
 %changelog
+* Fri Dec  1 2017 Remi Collet <remi@remirepo.net> - 7.1.12-4
+- add upstream patch for https://bugs.php.net/75573
+
 * Tue Nov 28 2017 Remi Collet <remi@remirepo.net> - 7.1.12-3
 - refresh patch for https://bugs.php.net/75514
 
-- 
cgit