diff --git a/SOURCES/php-5.4.16-CVE-2014-8142.patch b/SOURCES/php-5.4.16-CVE-2014-8142.patch
new file mode 100644
index 0000000..5d46502
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-8142.patch
@@ -0,0 +1,74 @@
+From 630f9c33c23639de85c3fd306b209b538b73b4c9 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 11 Dec 2014 19:28:32 -0800
+Subject: [PATCH] Fix bug #68594 - Use after free vulnerability in
+ unserialize()
+
+---
+ NEWS                                       |  2 +
+ ext/standard/tests/serialize/bug68594.phpt | 23 ++++++++++
+ ext/standard/var_unserializer.c            | 68 ++++++++++++++++--------------
+ ext/standard/var_unserializer.re           |  3 ++
+ 4 files changed, 64 insertions(+), 32 deletions(-)
+ create mode 100644 ext/standard/tests/serialize/bug68594.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68594.phpt b/ext/standard/tests/serialize/bug68594.phpt
+new file mode 100644
+index 0000000..60fc7a7
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68594.phpt
+@@ -0,0 +1,23 @@
++--TEST--
++Bug #68545 Use after free vulnerability in unserialize()
++--FILE--
++<?php
++for ($i=4; $i<100; $i++) {
++	$m = new StdClass();
++
++	$u = array(1);
++
++	$m->aaa = array(1,2,&$u,4,5);
++	$m->bbb = 1;
++	$m->ccc = &$u;
++	$m->ddd = str_repeat("A", $i);
++
++	$z = serialize($m);
++	$z = str_replace("bbb", "aaa", $z);
++	$y = unserialize($z);
++	$z = serialize($y);
++}
++?>
++===DONE===
++--EXPECTF--
++===DONE===
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index f6f31bd..a12d2fa 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -309,6 +309,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
++			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++				var_push_dtor(var_hash, old_data);
++			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 7afef6a..4cf1d10 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -315,6 +315,9 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
++			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++				var_push_dtor(var_hash, old_data);
++			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
+-- 
+2.1.4
+
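Review bot: The added lookup in process_nested_data uses `zend_symtable_find`, but the value is then stored with `zend_hash_update` on the raw string key, so for a numeric-looking property name the two calls address different slots and the replaced zval is not handed to `var_push_dtor`. php-5.4.16-CVE-2015-0231.patch in this same commit switches the lookup to `zend_hash_find`, so the spec file has to apply that patch after this one; its context lines also depend on this one. `old_data` is declared outside the hunk. The test header cites Bug #68545 while the file name and the subject line say #68594.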
diff --git a/SOURCES/php-5.4.16-CVE-2014-9652.patch b/SOURCES/php-5.4.16-CVE-2014-9652.patch
new file mode 100644
index 0000000..3fc8d66
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-9652.patch
@@ -0,0 +1,41 @@
+Upstream test patch dropped (binary patch not supported)
+
+
+From ede59c8feb4b80e1b94e4abdaa0711051e2912ab Mon Sep 17 00:00:00 2001
+From: Anatol Belski <ab@php.net>
+Date: Sun, 4 Jan 2015 14:20:21 +0100
+Subject: [PATCH] Fixed bug #68735 fileinfo out-of-bounds memory access
+
+---
+ NEWS                              |   7 +++++++
+ ext/fileinfo/libmagic/softmagic.c |   7 +++++--
+ ext/fileinfo/tests/bug68735.jpg   | Bin 0 -> 24 bytes
+ ext/fileinfo/tests/bug68735.phpt  |  16 ++++++++++++++++
+ 4 files changed, 28 insertions(+), 2 deletions(-)
+ create mode 100644 ext/fileinfo/tests/bug68735.jpg
+ create mode 100644 ext/fileinfo/tests/bug68735.phpt
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index 7e0c856..e7b7855 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -884,14 +884,17 @@ mconvert(struct magic_set *ms, struct magic *m, int flip)
+ 		size_t sz = file_pstring_length_size(m);
+ 		char *ptr1 = p->s, *ptr2 = ptr1 + sz;
+ 		size_t len = file_pstring_get_length(m, ptr1);
+-		if (len >= sizeof(p->s)) {
++		sz = sizeof(p->s) - sz; /* maximum length of string */
++		if (len >= sz) {
+ 			/*
+ 			 * The size of the pascal string length (sz)
+ 			 * is 1, 2, or 4. We need at least 1 byte for NUL
+ 			 * termination, but we've already truncated the
+ 			 * string by p->s, so we need to deduct sz.
++			 * Because we can use one of the bytes of the length
++			 * after we shifted as NUL termination.
+ 			 */ 
+-			len = sizeof(p->s) - sz;
++			len = sz;
+ 		}
+ 		while (len--)
+ 			*ptr1++ = *ptr2++;
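Review bot: `sz` changes meaning partway through this block in mconvert: it is the width of the length prefix when `ptr2 = ptr1 + sz` is computed, and the maximum string length after `sz = sizeof(p->s) - sz;`, so the copy is only correct because of statement order. A comment on the reassignment would guard against later reordering, for example `/* sz was the length-prefix width (already used for ptr2); from here on it is the most bytes that fit in p->s after the shift */`. The header of this patch file says the upstream test was dropped, so the package carries no regression test for this bound. The function body continues past the hunk.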
diff --git a/SOURCES/php-5.4.16-CVE-2014-9705.patch b/SOURCES/php-5.4.16-CVE-2014-9705.patch
new file mode 100644
index 0000000..5ce115d
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-9705.patch
@@ -0,0 +1,49 @@
+From bdfe457a2c1b47209e32783b3a6447e81baf179a Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Mon, 16 Feb 2015 06:50:10 +0100
+Subject: [PATCH] Port for for bug #68552
+
+---
+ NEWS                  | 6 ++++++
+ ext/enchant/enchant.c | 7 +++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ext/enchant/enchant.c b/ext/enchant/enchant.c
+index 6de2fea..0eb8144 100644
+--- a/ext/enchant/enchant.c
++++ b/ext/enchant/enchant.c
+@@ -550,13 +550,12 @@ PHP_FUNCTION(enchant_broker_request_dict)
+ 
+ 	d = enchant_broker_request_dict(pbroker->pbroker, (const char *)tag);
+ 	if (d) {
++		pos = pbroker->dictcnt++;
+ 		if (pbroker->dictcnt) {
+ 			pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
+-			pos = pbroker->dictcnt++;
+ 		} else {
+ 			pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
+ 			pos = 0;
+-			pbroker->dictcnt++;
+ 		}
+ 
+ 		dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
+@@ -607,14 +606,14 @@ PHP_FUNCTION(enchant_broker_request_pwl_dict)
+ 
+ 	d = enchant_broker_request_pwl_dict(pbroker->pbroker, (const char *)pwl);
+ 	if (d) {
++		pos = pbroker->dictcnt++;
+ 		if (pbroker->dictcnt) {
+-			pos = pbroker->dictcnt++;
+ 			pbroker->dict = (enchant_dict **)erealloc(pbroker->dict, sizeof(enchant_dict *) * pbroker->dictcnt);
+ 		} else {
+ 			pbroker->dict = (enchant_dict **)emalloc(sizeof(enchant_dict *));
+ 			pos = 0;
+-			pbroker->dictcnt++;
+ 		}
++
+ 		dict = pbroker->dict[pos] = (enchant_dict *)emalloc(sizeof(enchant_dict));
+ 		dict->id = pos;
+ 		dict->pbroker = pbroker;
+-- 
+2.1.4
+
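Review bot: After `pos = pbroker->dictcnt++;` the test `if (pbroker->dictcnt)` in enchant_broker_request_dict is true whenever the counter has not wrapped, so the `else` branch with `emalloc` and `pos = 0` is no longer reached. The first dictionary slot is therefore allocated through `erealloc` on whatever `pbroker->dict` holds at that point, which only works if the field starts out NULL; that initialisation is outside the hunk. Testing the old count keeps both branches meaningful: `if (pos) {` in place of `if (pbroker->dictcnt) {`. The enchant_broker_request_pwl_dict hunk has the same pattern.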
diff --git a/SOURCES/php-5.4.16-CVE-2014-9709.patch b/SOURCES/php-5.4.16-CVE-2014-9709.patch
new file mode 100644
index 0000000..b70387e
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2014-9709.patch
@@ -0,0 +1,81 @@
+From afbf725e7380dfb3ff43a993e43abd9759a66c2b Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Sat, 13 Dec 2014 09:03:44 +0100
+Subject: [PATCH] Fix bug #68601 buffer read overflow in gd_gif_in.c
+
+---
+ NEWS                     |  3 +++
+ ext/gd/libgd/gd_gif_in.c | 11 +++++++++--
+ 2 files changed, 12 insertions(+), 2 deletions(-)
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index ee88a2f..491e942 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -72,8 +72,10 @@ static struct {
+ 
+ #define STACK_SIZE ((1<<(MAX_LWZ_BITS))*2)
+ 
++#define CSD_BUF_SIZE 280
++
+ typedef struct {
+-	unsigned char    buf[280];
++	unsigned char    buf[CSD_BUF_SIZE];
+ 	int              curbit, lastbit, done, last_byte;
+ } CODE_STATIC_DATA;
+ 
+@@ -400,7 +402,12 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
+ 
+ 	ret = 0;
+ 	for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
+-		ret |= ((scd->buf[ i / 8 ] & (1 << (i % 8))) != 0) << j;
++		if (i < CSD_BUF_SIZE * 8) {
++			ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
++		} else {
++			ret = -1;
++			break;
++		}
+ 
+ 	scd->curbit += code_size;
+ 	return ret;
+-- 
+2.1.4
+
+From bd31cb756399101234258c5491443531099957c3 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Wed, 17 Dec 2014 10:59:36 +0100
+Subject: [PATCH] Better fix for #68601 for perf
+ https://bitbucket.org/libgd/gd-libgd/commits/81e9a993f2893d651d225646378e3fd1b7465467
+
+---
+ ext/gd/libgd/gd_gif_in.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/ext/gd/libgd/gd_gif_in.c b/ext/gd/libgd/gd_gif_in.c
+index 491e942..f41ec84 100644
+--- a/ext/gd/libgd/gd_gif_in.c
++++ b/ext/gd/libgd/gd_gif_in.c
+@@ -400,14 +400,14 @@ GetCode_(gdIOCtx *fd, CODE_STATIC_DATA *scd, int code_size, int flag, int *ZeroD
+ 		scd->lastbit = (2+count)*8 ;
+ 	}
+ 
+-	ret = 0;
+-	for (i = scd->curbit, j = 0; j < code_size; ++i, ++j)
+-		if (i < CSD_BUF_SIZE * 8) {
++	if ((scd->curbit + code_size - 1) >= (CSD_BUF_SIZE * 8)) {
++		ret = -1;
++	} else {
++		ret = 0;
++		for (i = scd->curbit, j = 0; j < code_size; ++i, ++j) {
+ 			ret |= ((scd->buf[i / 8] & (1 << (i % 8))) != 0) << j;
+-		} else {
+-			ret = -1;
+-			break;
+ 		}
++	}
+ 
+ 	scd->curbit += code_size;
+ 	return ret;
+-- 
+2.1.4
+
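Review bot: GetCode_ now returns -1 when `scd->curbit + code_size - 1` would index past `CSD_BUF_SIZE * 8`, but nothing at the check says that -1 is an error value, and the callers that have to reject it are outside the hunk. A comment above the check would document the contract, for example `/* -1: requested bits lie beyond scd->buf; callers must treat this as a decode error */`. `scd->curbit += code_size;` still runs on the failure path, so repeated calls keep advancing the cursor; that looks harmless given the check but is worth confirming against the callers.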
diff --git a/SOURCES/php-5.4.16-CVE-2015-0231.patch b/SOURCES/php-5.4.16-CVE-2015-0231.patch
new file mode 100644
index 0000000..d7863fc
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-0231.patch
@@ -0,0 +1,74 @@
+From b585a3aed7880a5fa5c18e2b838fc96f40e075bd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Thu, 1 Jan 2015 16:19:05 -0800
+Subject: [PATCH] Fix for bug #68710 (Use After Free Vulnerability in PHP's
+ unserialize())
+
+---
+ NEWS                                     |  4 ++++
+ ext/standard/tests/strings/bug68710.phpt | 25 +++++++++++++++++++++++++
+ ext/standard/var_unserializer.c          |  4 ++--
+ ext/standard/var_unserializer.re         |  2 +-
+ 4 files changed, 32 insertions(+), 3 deletions(-)
+ create mode 100644 ext/standard/tests/strings/bug68710.phpt
+
+diff --git a/ext/standard/tests/strings/bug68710.phpt b/ext/standard/tests/strings/bug68710.phpt
+new file mode 100644
+index 0000000..729a120
+--- /dev/null
++++ b/ext/standard/tests/strings/bug68710.phpt
+@@ -0,0 +1,25 @@
++--TEST--
++Bug #68710 Use after free vulnerability in unserialize() (bypassing the
++CVE-2014-8142 fix)
++--FILE--
++<?php
++for ($i=4; $i<100; $i++) {
++    $m = new StdClass();
++
++    $u = array(1);
++
++    $m->aaa = array(1,2,&$u,4,5);
++    $m->bbb = 1;
++    $m->ccc = &$u;
++    $m->ddd = str_repeat("A", $i);
++
++    $z = serialize($m);
++    $z = str_replace("aaa", "123", $z);
++    $z = str_replace("bbb", "123", $z);
++    $y = unserialize($z);
++    $z = serialize($y);
++}
++?>
++===DONE===
++--EXPECTF--
++===DONE===
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index a12d2fa..f114080 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -309,7 +309,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
+-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ 				var_push_dtor(var_hash, old_data);
+ 			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index 4cf1d10..f04fc74 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -315,7 +315,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 		} else {
+ 			/* object properties should include no integers */
+ 			convert_to_string(key);
+-			if (zend_symtable_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
++			if (zend_hash_find(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, (void **)&old_data)==SUCCESS) {
+ 				var_push_dtor(var_hash, old_data);
+ 			}
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+-- 
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-CVE-2015-0232.patch b/SOURCES/php-5.4.16-CVE-2015-0232.patch
new file mode 100644
index 0000000..5ce3507
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-0232.patch
@@ -0,0 +1,32 @@
+Adapted for 5.4.16
+Upstream test dropped as binary patch not supported
+
+From 2fc178cf448d8e1b95d1314e47eeef610729e0df Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 11 Jan 2015 00:51:05 -0800
+Subject: [PATCH] Fix bug #68799: Free called on unitialized pointer
+
+---
+ ext/exif/exif.c              |   2 +-
+ ext/exif/tests/bug68799.jpg  | Bin 0 -> 735 bytes
+ ext/exif/tests/bug68799.phpt |  63 +++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 64 insertions(+), 1 deletion(-)
+ create mode 100644 ext/exif/tests/bug68799.jpg
+ create mode 100644 ext/exif/tests/bug68799.phpt
+
+diff --git a/ext/exif/exif.c b/ext/exif/exif.c
+index 637ebf9..7f95ff4 100644
+--- a/ext/exif/exif.c
++++ b/ext/exif/exif.c
+@@ -2700,7 +2700,7 @@
+ static int exif_process_unicode(image_info_type *ImageInfo, xp_field_type *xp_field, int tag, char *szValuePtr, int ByteCount TSRMLS_DC)
+ {
+ 	xp_field->tag = tag;	
+-
++	xp_field->value = NULL;
+ 	/* Copy the comment */
+ 	if (zend_multibyte_encoding_converter(
+ 			(unsigned char**)&xp_field->value, 
+-- 
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-CVE-2015-0273.patch b/SOURCES/php-5.4.16-CVE-2015-0273.patch
new file mode 100644
index 0000000..498569e
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-0273.patch
@@ -0,0 +1,60 @@
+From 7b1898183032eeabc64a086ff040af991cebcd93 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 31 Jan 2015 22:40:08 -0800
+Subject: [PATCH] Fix bug #68942 (Use after free vulnerability in unserialize()
+ with DateTimeZone)
+
+Conflicts:
+	ext/date/php_date.c
+---
+ ext/date/php_date.c            | 10 +++-------
+ ext/date/tests/bug68942_2.phpt |  9 +++++++++
+ 2 files changed, 12 insertions(+), 7 deletions(-)
+ create mode 100644 ext/date/tests/bug68942_2.phpt
+
+diff --git a/ext/date/php_date.c b/ext/date/php_date.c
+index 92e9480..08bfd08 100644
+--- a/ext/date/php_date.c
++++ b/ext/date/php_date.c
+@@ -2521,12 +2521,9 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
+ 	timelib_tzinfo   *tzi;
+ 	php_timezone_obj *tzobj;
+ 
+-	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS) {
+-		convert_to_string(*z_date);
+-		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS) {
+-			convert_to_long(*z_timezone_type);
+-			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS) {
+-				convert_to_string(*z_timezone);
++	if (zend_hash_find(myht, "date", 5, (void**) &z_date) == SUCCESS && Z_TYPE_PP(z_date) == IS_STRING) {
++		if (zend_hash_find(myht, "timezone_type", 14, (void**) &z_timezone_type) == SUCCESS && Z_TYPE_PP(z_timezone_type) == IS_LONG) {
++			if (zend_hash_find(myht, "timezone", 9, (void**) &z_timezone) == SUCCESS && Z_TYPE_PP(z_timezone) == IS_STRING) {
+ 
+ 				switch (Z_LVAL_PP(z_timezone_type)) {
+ 					case TIMELIB_ZONETYPE_OFFSET:
+@@ -2541,7 +2538,6 @@ static int php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *myht
+ 
+ 					case TIMELIB_ZONETYPE_ID: {
+ 						int ret;
+-						convert_to_string(*z_timezone);
+ 
+ 						tzi = php_date_parse_tzfile(Z_STRVAL_PP(z_timezone), DATE_TIMEZONEDB TSRMLS_CC);
+ 
+diff --git a/ext/date/tests/bug68942_2.phpt b/ext/date/tests/bug68942_2.phpt
+new file mode 100644
+index 0000000..5b02567
+--- /dev/null
++++ b/ext/date/tests/bug68942_2.phpt
+@@ -0,0 +1,9 @@
++--TEST--
++Bug #68942 (Use after free vulnerability in unserialize() with DateTime).
++--FILE--
++<?php
++$data = unserialize('a:2:{i:0;O:8:"DateTime":3:{s:4:"date";s:26:"2000-01-01 00:00:00.000000";s:13:"timezone_type";a:2:{i:0;i:1;i:1;i:2;}s:8:"timezone";s:1:"A";}i:1;R:5;}');
++var_dump($data);
++?>
++--EXPECTF--
++Fatal error: Invalid serialization data for DateTime object in %s/bug68942_2.php on line %d
+-- 
+2.1.4
+
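Review bot: Replacing `convert_to_string`/`convert_to_long` with `Z_TYPE_PP(...) == IS_STRING`/`IS_LONG` checks in php_date_initialize_from_hash means input whose `timezone_type` arrives as a numeric string, or whose `date` is not already a string, is now rejected where it used to be coerced. That is the safer behaviour for untrusted serialized data, but it is a visible change for any caller that passed loosely typed arrays into this function; the callers are outside the hunk. bug68942_2.phpt only covers an array-typed `timezone_type`, so a second case with a string-typed `timezone_type` would pin the new strictness, and the package changelog should mention it.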
diff --git a/SOURCES/php-5.4.16-CVE-2015-2301.patch b/SOURCES/php-5.4.16-CVE-2015-2301.patch
new file mode 100644
index 0000000..c065647
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-2301.patch
@@ -0,0 +1,27 @@
+From b2cf3f064b8f5efef89bb084521b61318c71781b Mon Sep 17 00:00:00 2001
+From: Xinchen Hui <laruence@php.net>
+Date: Thu, 29 Jan 2015 00:00:09 +0800
+Subject: [PATCH] Fixed bug #68901 (use after free)
+
+---
+ NEWS                   | 3 +++
+ ext/phar/phar_object.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/phar/phar_object.c b/ext/phar/phar_object.c
+index 3671054..712795b 100644
+--- a/ext/phar/phar_object.c
++++ b/ext/phar/phar_object.c
+@@ -2210,8 +2210,8 @@ static zval *phar_rename_archive(phar_archive_data *phar, char *ext, zend_bool c
+ 	}
+ its_ok:
+ 	if (SUCCESS == php_stream_stat_path(newpath, &ssb)) {
+-		efree(oldpath);
+ 		zend_throw_exception_ex(spl_ce_BadMethodCallException, 0 TSRMLS_CC, "phar \"%s\" exists and must be unlinked prior to conversion", newpath);
++		efree(oldpath);
+ 		return NULL;
+ 	}
+ 	if (!phar->is_data) {
+-- 
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-CVE-2015-2348.patch b/SOURCES/php-5.4.16-CVE-2015-2348.patch
new file mode 100644
index 0000000..c2cedea
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-2348.patch
@@ -0,0 +1,26 @@
+From 1291d6bbee93b6109eb07e8f7916ff1b7fcc13e1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 12:47:58 -0700
+Subject: [PATCH] Fix bug #69207 - move_uploaded_file allows nulls in path
+
+---
+ NEWS                           | 3 +++
+ ext/standard/basic_functions.c | 2 +-
+ 2 files changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index 9a9df30..c3e2230 100644
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
+@@ -5771,7 +5771,7 @@ PHP_FUNCTION(move_uploaded_file)
+ 		RETURN_FALSE;
+ 	}
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sp", &path, &path_len, &new_path, &new_path_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+-- 
+2.1.4
+
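Review bot: No regression test accompanies the switch of `new_path` to the `p` specifier in move_uploaded_file, so nothing in the package shows that a destination containing a NUL byte is now refused. The early `RETURN_FALSE;` above the parse call suggests a .phpt for this needs a real upload section to reach the parameter parsing at all. The first argument keeps `s`, which looks intentional if it is only compared against the list of uploaded files; that comparison is outside the hunk.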
diff --git a/SOURCES/php-5.4.16-CVE-2015-2783.patch b/SOURCES/php-5.4.16-CVE-2015-2783.patch
new file mode 100644
index 0000000..d8b978d
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-2783.patch
@@ -0,0 +1,257 @@
+Test case removed as binary patches are not supported
+
+From 9faaee66fa493372c7340b1ab05f8fd115131a42 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 5 Apr 2015 15:07:36 -0700
+Subject: [PATCH] Fixed bug #69324 (Buffer Over-read in unserialize when
+ parsing Phar)
+
+---
+ ext/phar/phar.c              |  65 ++++++++++++++++++++-----------------------
+ ext/phar/phar_internal.h     |   2 +-
+ ext/phar/tests/bug69324.phar | Bin 0 -> 269 bytes
+ ext/phar/tests/bug69324.phpt |  17 +++++++++++
+ 4 files changed, 48 insertions(+), 36 deletions(-)
+ create mode 100644 ext/phar/tests/bug69324.phar
+ create mode 100644 ext/phar/tests/bug69324.phpt
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index ec82351..bf0c985 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -603,25 +603,18 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
+  * 
+  * data is the serialized zval
+  */
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC) /* {{{ */
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */
+ {
+ 	const unsigned char *p;
+-	php_uint32 buf_len;
+ 	php_unserialize_data_t var_hash;
+ 
+-	if (!zip_metadata_len) {
+-		PHAR_GET_32(*buffer, buf_len);
+-	} else {
+-		buf_len = zip_metadata_len;
+-	}
+-
+-	if (buf_len) {
++	if (zip_metadata_len) {
+ 		ALLOC_ZVAL(*metadata);
+ 		INIT_ZVAL(**metadata);
+ 		p = (const unsigned char*) *buffer;
+ 		PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ 
+-		if (!php_var_unserialize(metadata, &p, p + buf_len, &var_hash TSRMLS_CC)) {
++		if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) {
+ 			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ 			zval_ptr_dtor(metadata);
+ 			*metadata = NULL;
+@@ -633,19 +626,14 @@ int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSR
+ 		if (PHAR_G(persist)) {
+ 			/* lazy init metadata */
+ 			zval_ptr_dtor(metadata);
+-			*metadata = (zval *) pemalloc(buf_len, 1);
+-			memcpy(*metadata, *buffer, buf_len);
+-			*buffer += buf_len;
++			*metadata = (zval *) pemalloc(zip_metadata_len, 1);
++			memcpy(*metadata, *buffer, zip_metadata_len);
+ 			return SUCCESS;
+ 		}
+ 	} else {
+ 		*metadata = NULL;
+ 	}
+ 
+-	if (!zip_metadata_len) {
+-		*buffer += buf_len;
+-	}
+-
+ 	return SUCCESS;
+ }
+ /* }}}*/
+@@ -666,6 +654,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 	phar_entry_info entry;
+ 	php_uint32 manifest_len, manifest_count, manifest_flags, manifest_index, tmp_len, sig_flags;
+ 	php_uint16 manifest_ver;
++	php_uint32 len;
+ 	long offset;
+ 	int sig_len, register_alias = 0, temp_alias = 0;
+ 	char *signature = NULL;
+@@ -1031,16 +1020,21 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 	mydata->is_persistent = PHAR_G(persist);
+ 
+ 	/* check whether we have meta data, zero check works regardless of byte order */
++	PHAR_GET_32(buffer, len);
+ 	if (mydata->is_persistent) {
+-		PHAR_GET_32(buffer, mydata->metadata_len);
+-		if (phar_parse_metadata(&buffer, &mydata->metadata, mydata->metadata_len TSRMLS_CC) == FAILURE) {
+-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
+-		}
+-	} else {
+-		if (phar_parse_metadata(&buffer, &mydata->metadata, 0 TSRMLS_CC) == FAILURE) {
+-			MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++		mydata->metadata_len = len;
++		if(!len) {
++			/* FIXME: not sure why this is needed but removing it breaks tests */
++			PHAR_GET_32(buffer, len);
+ 		}
+ 	}
++	if(len > endbuffer - buffer) {
++		MAPPHAR_FAIL("internal corruption of phar \"%s\" (trying to read past buffer end)");
++	}
++	if (phar_parse_metadata(&buffer, &mydata->metadata, len TSRMLS_CC) == FAILURE) {
++		MAPPHAR_FAIL("unable to read phar metadata in .phar file \"%s\"");
++	}
++	buffer += len;
+ 
+ 	/* set up our manifest */
+ 	zend_hash_init(&mydata->manifest, manifest_count,
+@@ -1075,7 +1069,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 			entry.manifest_pos = manifest_index;
+ 		}
+ 
+-		if (buffer + entry.filename_len + 20 > endbuffer) {
++		if (entry.filename_len + 20 > endbuffer - buffer) {
+ 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ 		}
+ 
+@@ -1111,19 +1105,20 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 			entry.flags |= PHAR_ENT_PERM_DEF_DIR;
+ 		}
+ 
++		PHAR_GET_32(buffer, len);
+ 		if (entry.is_persistent) {
+-			PHAR_GET_32(buffer, entry.metadata_len);
+-			if (!entry.metadata_len) buffer -= 4;
+-			if (phar_parse_metadata(&buffer, &entry.metadata, entry.metadata_len TSRMLS_CC) == FAILURE) {
+-				pefree(entry.filename, entry.is_persistent);
+-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+-			}
++			entry.metadata_len = len;
+ 		} else {
+-			if (phar_parse_metadata(&buffer, &entry.metadata, 0 TSRMLS_CC) == FAILURE) {
+-				pefree(entry.filename, entry.is_persistent);
+-				MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+-			}
++			entry.metadata_len = 0;
++		}
++		if (len > endbuffer - buffer) {
++			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
++		}
++		if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) {
++			pefree(entry.filename, entry.is_persistent);
++			MAPPHAR_FAIL("unable to read file metadata in .phar file \"%s\"");
+ 		}
++		buffer += len;
+ 
+ 		entry.offset = entry.offset_abs = offset;
+ 		offset += entry.compressed_filesize;
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index c9306c1..fcfc864 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
+@@ -654,7 +654,7 @@ int phar_mount_entry(phar_archive_data *phar, char *filename, int filename_len,
+ char *phar_find_in_include_path(char *file, int file_len, phar_archive_data **pphar TSRMLS_DC);
+ char *phar_fix_filepath(char *path, int *new_len, int use_cwd TSRMLS_DC);
+ phar_entry_info * phar_open_jit(phar_archive_data *phar, phar_entry_info *entry, char **error TSRMLS_DC);
+-int phar_parse_metadata(char **buffer, zval **metadata, int zip_metadata_len TSRMLS_DC);
++int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC);
+ void destroy_phar_manifest_entry(void *pDest);
+ int phar_seek_efp(phar_entry_info *entry, off_t offset, int whence, off_t position, int follow_links TSRMLS_DC);
+ php_stream *phar_get_efp(phar_entry_info *entry, int follow_links TSRMLS_DC);
+-- 
+2.1.4
+
+From 12d3bdee3dfa6605024a72080d8a17c165c5ed24 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 11 Apr 2015 16:42:16 -0700
+Subject: [PATCH] Additional fix for bug #69324
+
+Not so happy about duplication but needed due to bug #69429
+---
+ ext/phar/phar.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index bf0c985..c5c8b46 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -600,27 +600,28 @@ int phar_open_parsed_phar(char *fname, int fname_len, char *alias, int alias_len
+  *
+  * Meta-data is in this format:
+  * [len32][data...]
+- * 
++ *
+  * data is the serialized zval
+  */
+ int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_len TSRMLS_DC) /* {{{ */
+ {
+-	const unsigned char *p;
+ 	php_unserialize_data_t var_hash;
+ 
+ 	if (zip_metadata_len) {
++		const unsigned char *p, *p_buff = estrndup(*buffer, zip_metadata_len);
++		p = p_buff;
+ 		ALLOC_ZVAL(*metadata);
+ 		INIT_ZVAL(**metadata);
+-		p = (const unsigned char*) *buffer;
+ 		PHP_VAR_UNSERIALIZE_INIT(var_hash);
+ 
+ 		if (!php_var_unserialize(metadata, &p, p + zip_metadata_len, &var_hash TSRMLS_CC)) {
++			efree(p_buff);
+ 			PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ 			zval_ptr_dtor(metadata);
+ 			*metadata = NULL;
+ 			return FAILURE;
+ 		}
+-
++		efree(p_buff);
+ 		PHP_VAR_UNSERIALIZE_DESTROY(var_hash);
+ 
+ 		if (PHAR_G(persist)) {
+@@ -643,7 +644,7 @@ int phar_parse_metadata(char **buffer, zval **metadata, php_uint32 zip_metadata_
+  *
+  * Parse a new one and add it to the cache, returning either SUCCESS or
+  * FAILURE, and setting pphar to the pointer to the manifest entry
+- * 
++ *
+  * This is used by phar_open_from_filename to process the manifest, but can be called
+  * directly.
+  */
+@@ -2236,7 +2237,7 @@ last_time:
+ 
+ /**
+  * Process a phar stream name, ensuring we can handle any of:
+- * 
++ *
+  * - whatever.phar
+  * - whatever.phar.gz
+  * - whatever.phar.bz2
+-- 
+2.1.4
+
+From cee97220285fd7b955a58617b3e0300ec104ed87 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Tue, 14 Apr 2015 15:47:26 +0300
+Subject: [PATCH] Fixed recently introduced memory leak
+
+---
+ ext/phar/phar.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ext/phar/phar.c b/ext/phar/phar.c
+index c5c8b46..223bfe8 100644
+--- a/ext/phar/phar.c
++++ b/ext/phar/phar.c
+@@ -1113,6 +1113,7 @@ static int phar_parse_pharfile(php_stream *fp, char *fname, int fname_len, char
+ 			entry.metadata_len = 0;
+ 		}
+ 		if (len > endbuffer - buffer) {
++			pefree(entry.filename, entry.is_persistent);
+ 			MAPPHAR_FAIL("internal corruption of phar \"%s\" (truncated manifest entry)");
+ 		}
+ 		if (phar_parse_metadata(&buffer, &entry.metadata, len TSRMLS_CC) == FAILURE) {
+-- 
+2.1.4
+
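Review bot: The rewritten manifest check `entry.filename_len + 20 > endbuffer - buffer` in phar_parse_pharfile still does the addition before the comparison, so if `entry.filename_len` is a 32-bit unsigned value read from the archive (its declaration is outside the hunk), a length close to the maximum wraps to a small number and passes. Subtracting on the trusted side avoids that: `if (endbuffer - buffer < 20 || entry.filename_len > (size_t)(endbuffer - buffer - 20)) {`. The new `len > endbuffer - buffer` checks compare a `php_uint32` with a pointer difference; on builds where that difference is no wider than `php_uint32` a negative value would convert to a large unsigned one and pass, and whether `buffer` can be past `endbuffer` after `PHAR_GET_32` is not visible here. In the second patch `p_buff` is declared `const unsigned char *` yet receives the result of `estrndup()` and is passed to `efree()`, so a plain `char *` holder with a cast when assigning `p` would be cleaner.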
diff --git a/SOURCES/php-5.4.16-CVE-2015-2787.patch b/SOURCES/php-5.4.16-CVE-2015-2787.patch
new file mode 100644
index 0000000..7beadb6
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-2787.patch
@@ -0,0 +1,95 @@
+From 646572d6d3847d68124b03936719f60936b49a38 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 13:20:22 -0700
+Subject: [PATCH] Fixed bug #68976 - Use After Free Vulnerability in
+ unserialize()
+
+---
+ NEWS                             |  3 +-
+ ext/standard/var_unserializer.c  | 63 ++++++++++++++++++++--------------------
+ ext/standard/var_unserializer.re |  1 +
+ 3 files changed, 35 insertions(+), 32 deletions(-)
+
+diff --git a/ext/standard/var_unserializer.c b/ext/standard/var_unserializer.c
+index f114080..ee0cac4 100644
+--- a/ext/standard/var_unserializer.c
++++ b/ext/standard/var_unserializer.c
+@@ -315,6 +315,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
++		var_push_dtor(var_hash, &data);
+ 		
+ 		zval_dtor(key);
+ 		FREE_ZVAL(key);
+diff --git a/ext/standard/var_unserializer.re b/ext/standard/var_unserializer.re
+index f04fc74..abac77c 100644
+--- a/ext/standard/var_unserializer.re
++++ b/ext/standard/var_unserializer.re
+@@ -321,6 +321,7 @@ static inline int process_nested_data(UNSERIALIZE_PARAMETER, HashTable *ht, long
+ 			zend_hash_update(ht, Z_STRVAL_P(key), Z_STRLEN_P(key) + 1, &data,
+ 					sizeof data, NULL);
+ 		}
++		var_push_dtor(var_hash, &data);
+ 		
+ 		zval_dtor(key);
+ 		FREE_ZVAL(key);
+-- 
+2.1.4
+
+From 8b14d3052ffcffa17d6e2be652f20e18f8f562ad Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 17 Mar 2015 17:03:46 -0700
+Subject: [PATCH] add test for bug #68976
+
+---
+ ext/standard/tests/serialize/bug68976.phpt | 37 ++++++++++++++++++++++++++++++
+ 1 file changed, 37 insertions(+)
+ create mode 100644 ext/standard/tests/serialize/bug68976.phpt
+
+diff --git a/ext/standard/tests/serialize/bug68976.phpt b/ext/standard/tests/serialize/bug68976.phpt
+new file mode 100644
+index 0000000..a79a953
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug68976.phpt
+@@ -0,0 +1,37 @@
++--TEST--
++Bug #68976 Use After Free Vulnerability in unserialize()
++--FILE--
++<?php
++class evilClass {
++	public $name;
++	function __wakeup() {
++		unset($this->name);
++	}
++}
++
++$fakezval = pack(
++    'IIII',
++    0x00100000,
++    0x00000400,
++    0x00000000,
++    0x00000006 
++);
++
++$data = unserialize('a:2:{i:0;O:9:"evilClass":1:{s:4:"name";a:2:{i:0;i:1;i:1;i:2;}}i:1;R:4;}');
++
++for($i = 0; $i < 5; $i++) {
++    $v[$i] = $fakezval.$i;
++}
++
++var_dump($data);
++?>
++===DONE===
++--EXPECTF--
++array(2) {
++  [0]=>
++  object(evilClass)#1 (0) {
++  }
++  [1]=>
++  int(1)
++}
++===DONE===
+-- 
+2.1.4
+
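Review bot: The new `var_push_dtor(var_hash, &data);` in process_nested_data has no comment explaining why every nested value is registered, and because it sits after both branches it applies to array elements as well as object properties. Something like `/* keep data alive until unserialize finishes so a later R:/r: back-reference cannot resolve to a freed zval */` would record the intent. Assuming var_push_dtor holds a reference until the var_hash is destroyed (its body is outside the hunk), peak memory for large payloads rises accordingly, which deserves a line in the changelog. The diffstat lists 63 changed lines for var_unserializer.c while the patch carries only this one, so the regenerated re2c output appears to have been trimmed by hand; confirm that the .c and .re files stay in sync.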
diff --git a/SOURCES/php-5.4.16-CVE-2015-3329.patch b/SOURCES/php-5.4.16-CVE-2015-3329.patch
new file mode 100644
index 0000000..0f19112
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-3329.patch
@@ -0,0 +1,41 @@
+Test case removed as binary patches are not supported
+
+
+From f59b67ae50064560d7bfcdb0d6a8ab284179053c Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Tue, 14 Apr 2015 00:03:50 -0700
+Subject: [PATCH] Fix bug #69441 (Buffer Overflow when parsing tar/zip/phar in
+ phar_set_inode)
+
+---
+ ext/phar/phar_internal.h     |   9 ++++++---
+ ext/phar/tests/bug69441.phar | Bin 0 -> 5780 bytes
+ ext/phar/tests/bug69441.phpt |  21 +++++++++++++++++++++
+ 3 files changed, 27 insertions(+), 3 deletions(-)
+ create mode 100644 ext/phar/tests/bug69441.phar
+ create mode 100644 ext/phar/tests/bug69441.phpt
+
+diff --git a/ext/phar/phar_internal.h b/ext/phar/phar_internal.h
+index fcfc864..84282d2 100644
+--- a/ext/phar/phar_internal.h
++++ b/ext/phar/phar_internal.h
+@@ -618,10 +618,13 @@ static inline void phar_set_inode(phar_entry_info *entry TSRMLS_DC) /* {{{ */
+ {
+ 	char tmp[MAXPATHLEN];
+ 	int tmp_len;
++	size_t len;
+ 
+-	tmp_len = entry->filename_len + entry->phar->fname_len;
+-	memcpy(tmp, entry->phar->fname, entry->phar->fname_len);
+-	memcpy(tmp + entry->phar->fname_len, entry->filename, entry->filename_len);
++	tmp_len = MIN(MAXPATHLEN, entry->filename_len + entry->phar->fname_len);
++	len = MIN(entry->phar->fname_len, tmp_len);
++	memcpy(tmp, entry->phar->fname, len);
++	len = MIN(tmp_len - len, entry->filename_len);
++	memcpy(tmp + entry->phar->fname_len, entry->filename, len);
+ 	entry->inode = (unsigned short)zend_get_hash_value(tmp, tmp_len);
+ }
+ /* }}} */
+-- 
+2.1.4
+
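Review bot: In `phar_set_inode`, the second `memcpy` still uses the unclamped `entry->phar->fname_len` as its destination offset, while the first copy was limited to `len`. When `fname_len` exceeds the buffer the remaining length works out to 0, so nothing is written out of bounds, but the pointer `tmp + entry->phar->fname_len` is then formed beyond the array, and the bound holds only while two separate expressions stay in step. Keeping the prefix length in its own variable makes the bound local: `size_t prefix = MIN(entry->phar->fname_len, tmp_len);` followed by `memcpy(tmp + prefix, entry->filename, MIN(tmp_len - prefix, entry->filename_len));`. The sum `entry->filename_len + entry->phar->fname_len` is also computed before clamping, so whether it can wrap depends on the field types, which are declared outside this hunk.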
diff --git a/SOURCES/php-5.4.16-CVE-2015-3330.patch b/SOURCES/php-5.4.16-CVE-2015-3330.patch
new file mode 100644
index 0000000..4e5b963
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-3330.patch
@@ -0,0 +1,25 @@
+From 809610f5ea38a83b284e1125d1fff129bdd615e7 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 4 Apr 2015 15:03:46 -0700
+Subject: [PATCH] Fix bug #68486 and bug #69218 (segfault in apache2handler
+ with apache 2.4)
+
+---
+ sapi/apache2handler/sapi_apache2.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/sapi/apache2handler/sapi_apache2.c b/sapi/apache2handler/sapi_apache2.c
+index e97f11c..cfebc5f 100644
+--- a/sapi/apache2handler/sapi_apache2.c
++++ b/sapi/apache2handler/sapi_apache2.c
+@@ -688,6 +688,7 @@ zend_first_try {
+ } zend_end_try();
+ 		}
+ 		apr_brigade_cleanup(brigade);
++		apr_pool_cleanup_run(r->pool, (void *)&SG(server_context), php_server_context_cleanup);
+ 	} else {
+ 		ctx->r = parent_req;
+ 	}
+-- 
+2.1.4
+
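Review bot: The added `apr_pool_cleanup_run()` call has no comment and its return value is ignored, so a reader cannot tell why the cleanup is forced at this point instead of being left to pool destruction. The call only does its job if `(void *)&SG(server_context)` and `php_server_context_cleanup` are the same data/function pair the cleanup was registered with. That registration is outside this hunk and should be checked against it. A comment along the lines of `/* run and unregister the server_context cleanup now instead of at pool destruction (bug #68486, #69218) */` would record the intent. The enclosing handler starts and ends outside the hunk.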
diff --git a/SOURCES/php-5.4.16-CVE-2015-4021.patch b/SOURCES/php-5.4.16-CVE-2015-4021.patch
new file mode 100644
index 0000000..4c4b680
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-4021.patch
@@ -0,0 +1,30 @@
+Test case removed as binary patches are not supported
+
+
+From c27f012b7a447e59d4a704688971cbfa7dddaa74 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 29 Apr 2015 22:04:20 -0700
+Subject: [PATCH] Fix bug #69453 - don't try to cut empty string
+
+---
+ ext/phar/tar.c               |  2 +-
+ ext/phar/tests/bug69453.phpt | 21 +++++++++++++++++++++
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+ create mode 100644 ext/phar/tests/bug69453.phpt
+
+diff --git a/ext/phar/tar.c b/ext/phar/tar.c
+index ca8eafc..d6d63e6 100644
+--- a/ext/phar/tar.c
++++ b/ext/phar/tar.c
+@@ -425,7 +425,7 @@ bail:
+ 			entry.filename_len = i;
+ 			entry.filename = pestrndup(hdr->name, i, myphar->is_persistent);
+ 
+-			if (entry.filename[entry.filename_len - 1] == '/') {
++			if (i > 0 && entry.filename[entry.filename_len - 1] == '/') {
+ 				/* some tar programs store directories with trailing slash */
+ 				entry.filename[entry.filename_len - 1] = '\0';
+ 				entry.filename_len--;
+-- 
+2.1.4
+
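Review bot: The new guard tests `i` while the array index uses `entry.filename_len`; the two are equal only because of the assignment two lines above. Testing the variable that is actually indexed keeps the bounds check correct if that assignment ever changes: `if (entry.filename_len > 0 && entry.filename[entry.filename_len - 1] == '/') {`. An entry with an empty name still continues past this block, and whether it should be rejected is decided outside the hunk. The packaged patch also drops the upstream regression test ("Test case removed as binary patches are not supported"), so the empty-name case has no test in this build. The enclosing function starts and ends outside the hunk.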
diff --git a/SOURCES/php-5.4.16-CVE-2015-4022.patch b/SOURCES/php-5.4.16-CVE-2015-4022.patch
new file mode 100644
index 0000000..81df556
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-4022.patch
@@ -0,0 +1,129 @@
+Adapted for 5.4.16 from
+
+
+From 1494298231072d5991e76db5ef25f20e81018106 Mon Sep 17 00:00:00 2001
+From: Rasmus Lerdorf <rasmus@lerdorf.com>
+Date: Sun, 20 Oct 2013 08:55:48 -0700
+Subject: [PATCH] Minor Coverity tweaks
+
+---
+ ext/ftp/ftp.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
+index 58d3c2e..4da8d60 100644
+--- a/ext/ftp/ftp.c
++++ b/ext/ftp/ftp.c
+@@ -1635,7 +1635,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ 	if (ftp->resp == 226) {
+ 		ftp->data = data_close(ftp, data);
+ 		php_stream_close(tmpstream);
+-		return ecalloc(1, sizeof(char**));
++		return ecalloc(1, sizeof(char*));
+ 	}
+ 
+ 	/* pull data buffer into tmpfile */
+@@ -1663,11 +1663,11 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ 		}
+ 	}
+ 
+-	ftp->data = data = data_close(ftp, data);
++	ftp->data = data_close(ftp, data);
+ 
+ 	php_stream_rewind(tmpstream);
+ 
+-	ret = safe_emalloc((lines + 1), sizeof(char**), size * sizeof(char*));
++	ret = safe_emalloc((lines + 1), sizeof(char*), size * sizeof(char*));
+ 
+ 	entry = ret;
+ 	text = (char*) (ret + lines + 1);
+-- 
+2.1.4
+
+From 8f4a6d6e1b6c36259a5dc865d16f0dad76f2f2c9 Mon Sep 17 00:00:00 2001
+From: Rasmus Lerdorf <rasmus@lerdorf.com>
+Date: Sun, 20 Oct 2013 09:36:50 -0700
+Subject: [PATCH] Clean up this weird safe_emalloc() call
+
+---
+ ext/ftp/ftp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
+index 4da8d60..b82017e 100644
+--- a/ext/ftp/ftp.c
++++ b/ext/ftp/ftp.c
+@@ -1667,7 +1667,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ 
+ 	php_stream_rewind(tmpstream);
+ 
+-	ret = safe_emalloc((lines + 1), sizeof(char*), size * sizeof(char*));
++	ret = safe_emalloc((lines + 1), sizeof(char*), size);
+ 
+ 	entry = ret;
+ 	text = (char*) (ret + lines + 1);
+-- 
+2.1.4
+
+From ac2832935435556dc593784cd0087b5e576bbe4d Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Wed, 29 Apr 2015 21:57:33 -0700
+Subject: [PATCH] Fix bug #69545 - avoid overflow when reading list
+
+---
+ ext/ftp/ftp.c | 82 +++++++++++++++++++++++++++++------------------------------
+ 1 file changed, 41 insertions(+), 41 deletions(-)
+
+diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
+index 3ff54ff..53560eb 100644
+--- a/ext/ftp/ftp.c
++++ b/ext/ftp/ftp.c
+@@ -1603,8 +1603,8 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ 	databuf_t	*data = NULL;
+ 	char		*ptr;
+ 	int		ch, lastch;
+-	int		size, rcvd;
+-	int		lines;
++	size_t		size, rcvd;
++	size_t		lines;
+ 	char		**ret = NULL;
+ 	char		**entry;
+ 	char		*text;
+@@ -1646,7 +1646,7 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ 	lines = 0;
+ 	lastch = 0;
+ 	while ((rcvd = my_recv(ftp, data->fd, data->buf, FTP_BUFSIZE))) {
+-		if (rcvd == -1) {
++		if (rcvd == -1 || rcvd > ((size_t)(-1))-size) {
+ 			goto bail;
+ 		}
+ 
+-- 
+2.1.4
+
+From 0765623d6991b62ffcd93ddb6be8a5203a2fa7e2 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 31 May 2015 17:23:06 -0700
+Subject: [PATCH] improve fix for Bug #69545
+
+---
+ NEWS          | 4 ++++
+ ext/ftp/ftp.c | 2 --
+ 2 files changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/ext/ftp/ftp.c b/ext/ftp/ftp.c
+index 53560eb..50d8def 100644
+--- a/ext/ftp/ftp.c
++++ b/ext/ftp/ftp.c
+@@ -1656,8 +1656,6 @@ ftp_genlist(ftpbuf_t *ftp, const char *cmd, const char *path TSRMLS_DC)
+ 		for (ptr = data->buf; rcvd; rcvd--, ptr++) {
+ 			if (*ptr == '\n' && lastch == '\r') {
+ 				lines++;
+-			} else {
+-				size++;
+ 			}
+ 			lastch = *ptr;
+ 		}
+-- 
+2.1.4
+
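Review bot: Once `rcvd` becomes `size_t`, the error test `rcvd == -1` in the `my_recv` loop of `ftp_genlist` works only through implicit conversion of `-1` to the largest `size_t` value. Writing the sentinel explicitly, `if (rcvd == (size_t)-1 || rcvd > ((size_t)-1) - size) {`, or keeping the `my_recv` result in a signed local until it has been checked, makes the intent visible and avoids sign-comparison warnings. Separately, the last patch in this file removes `size++` and none of the hunks shown adds to `size`, so the overflow check and the `safe_emalloc((lines + 1), sizeof(char*), size)` call depend on an accumulation that lies outside the hunks. The third patch's diffstat (41 insertions, 41 deletions) is much larger than the two hunks carried here, so the adapted result is worth confirming against the 5.4.16 source. The body of `ftp_genlist` is only partly visible.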
diff --git a/SOURCES/php-5.4.16-CVE-2015-4024.patch b/SOURCES/php-5.4.16-CVE-2015-4024.patch
new file mode 100644
index 0000000..eaff551
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-4024.patch
@@ -0,0 +1,111 @@
+From 4605d536d23b00813d11cc906bb48d39bdcf5f25 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 9 May 2015 23:04:25 -0700
+Subject: [PATCH] Fixed bug #69364 - use smart_str to assemble strings
+
+---
+ main/rfc1867.c | 51 +++++++++++++++++++++++++++------------------------
+ 1 file changed, 27 insertions(+), 24 deletions(-)
+
+diff --git a/main/rfc1867.c b/main/rfc1867.c
+index fab199b..9e2fbd5 100644
+--- a/main/rfc1867.c
++++ b/main/rfc1867.c
+@@ -33,6 +33,7 @@
+ #include "php_variables.h"
+ #include "rfc1867.h"
+ #include "ext/standard/php_string.h"
++#include "ext/standard/php_smart_str.h"
+ 
+ #define DEBUG_FILE_UPLOAD ZEND_DEBUG
+ 
+@@ -398,8 +399,9 @@ static int find_boundary(multipart_buffe
+ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header TSRMLS_DC)
+ {
+ 	char *line;
+-	mime_header_entry prev_entry, entry;
+-	int prev_len, cur_len;
++	mime_header_entry entry = {0};
++	smart_str buf_value = {0};
++	char *key = NULL;
+ 
+ 	/* didn't find boundary, abort */
+ 	if (!find_boundary(self, self->boundary TSRMLS_CC)) {
+@@ -411,11 +413,10 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 	while( (line = get_line(self TSRMLS_CC)) && strlen(line) > 0 )
+ 	{
+ 		/* add header to table */
+-		char *key = line;
+ 		char *value = NULL;
+ 
+ 		if (php_rfc1867_encoding_translation(TSRMLS_C)) {
+-			self->input_encoding = zend_multibyte_encoding_detector(line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
++			self->input_encoding = zend_multibyte_encoding_detector((unsigned char *)line, strlen(line), self->detect_order, self->detect_order_size TSRMLS_CC);
+ 		}
+ 
+ 		/* space in the beginning means same header */
+@@ -424,31 +425,33 @@ static int multipart_buffer_headers(multipart_buffer *self, zend_llist *header T
+ 		}
+ 
+ 		if (value) {
+-			*value = 0;
+-			do { value++; } while(isspace(*value));
+-
+-			entry.value = estrdup(value);
+-			entry.key = estrdup(key);
+-
+-		} else if (zend_llist_count(header)) { /* If no ':' on the line, add to previous line */
+-
+-			prev_len = strlen(prev_entry.value);
+-			cur_len = strlen(line);
+-
+-			entry.value = emalloc(prev_len + cur_len + 1);
+-			memcpy(entry.value, prev_entry.value, prev_len);
+-			memcpy(entry.value + prev_len, line, cur_len);
+-			entry.value[cur_len + prev_len] = '\0';
++			if(buf_value.c && key) {
++				/* new entry, add the old one to the list */
++				smart_str_0(&buf_value);
++				entry.key = key;
++				entry.value = buf_value.c;
++				zend_llist_add_element(header, &entry);
++				buf_value.c = NULL;
++				key = NULL;
++			}
+ 
+-			entry.key = estrdup(prev_entry.key);
++			*value = '\0';
++			do { value++; } while(isspace(*value));
+ 
+-			zend_llist_remove_tail(header);
++			key = estrdup(line);
++			smart_str_appends(&buf_value, value);
++		} else if (buf_value.c) { /* If no ':' on the line, add to previous line */
++			smart_str_appends(&buf_value, line);
+ 		} else {
+ 			continue;
+ 		}
+-
++	}
++	if(buf_value.c && key) {
++		/* add the last one to the list */
++		smart_str_0(&buf_value);
++		entry.key = key;
++		entry.value = buf_value.c;
+ 		zend_llist_add_element(header, &entry);
+-		prev_entry = entry;
+ 	}
+ 
+ 	return 1;
+@@ -884,7 +887,7 @@ SAPI_API SAPI_POST_HANDLER_FUNC(rfc1867_post_handler) /* {{{ */
+ 					if (count == PG(max_input_vars) + 1) {
+ 						php_error_docref(NULL TSRMLS_CC, E_WARNING, "Input variables exceeded %ld. To increase the limit change max_input_vars in php.ini.", PG(max_input_vars));
+ 					}
+-				
++
+ 					if (php_rfc1867_callback != NULL) {
+ 						multipart_event_formdata event_formdata;
+ 
+-- 
+2.1.4
+
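Review bot: The re-added line `do { value++; } while(isspace(*value));` in `multipart_buffer_headers` passes a plain `char` taken from a request header to `isspace()`, which is undefined for negative values on platforms where `char` is signed. Cast at the call: `do { value++; } while (isspace((unsigned char)*value));`. The flush sequence (`smart_str_0`, setting `entry.key` and `entry.value`, `zend_llist_add_element`) also appears twice, once inside the loop and once after it; a small static helper would keep the two copies from drifting apart. Part of the loop body, including the place where `value` is assigned, is outside the hunks.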
diff --git a/SOURCES/php-5.4.16-CVE-2015-4025.patch b/SOURCES/php-5.4.16-CVE-2015-4025.patch
new file mode 100644
index 0000000..50efc8c
--- /dev/null
+++ b/SOURCES/php-5.4.16-CVE-2015-4025.patch
@@ -0,0 +1,490 @@
+Adapted for 5.4.16 from
+
+From be9b2a95adb504abd5acdc092d770444ad6f6854 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 9 May 2015 23:13:06 -0700
+Subject: [PATCH] Fixed bug #69418 - more s->p fixes for filenames
+
+---
+ ext/pcntl/pcntl.c              | 74 +++++++++++++++++++++---------------------
+ ext/standard/basic_functions.c | 24 +++++++-------
+ ext/standard/dir.c             | 62 +++++++++++++++++------------------
+ ext/standard/file.c            | 10 +++---
+ 4 files changed, 85 insertions(+), 85 deletions(-)
+
+diff --git a/ext/pcntl/pcntl.c b/ext/pcntl/pcntl.c
+index 7a8acaf..6189bdf 100644
+--- a/ext/pcntl/pcntl.c
++++ b/ext/pcntl/pcntl.c
+@@ -754,19 +754,19 @@ PHP_FUNCTION(pcntl_exec)
+ 	char *path;
+ 	int path_len;
+ 	ulong key_num;
+-		
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|aa", &path, &path_len, &args, &envs) == FAILURE) {
++
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|aa", &path, &path_len, &args, &envs) == FAILURE) {
+ 		return;
+ 	}
+-	
++
+ 	if (ZEND_NUM_ARGS() > 1) {
+ 		/* Build argument list */
+ 		args_hash = HASH_OF(args);
+ 		argc = zend_hash_num_elements(args_hash);
+-		
++
+ 		argv = safe_emalloc((argc + 2), sizeof(char *), 0);
+ 		*argv = path;
+-		for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1; 
++		for ( zend_hash_internal_pointer_reset(args_hash), current_arg = argv+1;
+ 			(argi < argc && (zend_hash_get_current_data(args_hash, (void **) &element) == SUCCESS));
+ 			(argi++, current_arg++, zend_hash_move_forward(args_hash)) ) {
+ 
+diff --git a/ext/standard/basic_functions.c b/ext/standard/basic_functions.c
+index c3e2230..7d0bfed 100644
+--- a/ext/standard/basic_functions.c
++++ b/ext/standard/basic_functions.c
+@@ -5433,7 +5433,7 @@ PHP_FUNCTION(set_include_path)
+ 	int new_value_len;
+ 	char *old_value;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &new_value, &new_value_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &new_value, &new_value_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/standard/dir.c b/ext/standard/dir.c
+index c64f37c..27ffb9d 100644
+--- a/ext/standard/dir.c
++++ b/ext/standard/dir.c
+@@ -219,12 +219,12 @@ static void _php_do_opendir(INTERNAL_FUNCTION_PARAMETERS, int createobject)
+ 	php_stream_context *context = NULL;
+ 	php_stream *dirp;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dirname, &dir_len, &zcontext) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dirname, &dir_len, &zcontext) == FAILURE) {
+ 		RETURN_NULL();
+ 	}
+ 
+ 	context = php_stream_context_from_zval(zcontext, 0);
+-	
++
+ 	dirp = php_stream_opendir(dirname, REPORT_ERRORS, context);
+ 
+ 	if (dirp == NULL) {
+@@ -293,11 +293,11 @@ PHP_FUNCTION(chroot)
+ {
+ 	char *str;
+ 	int ret, str_len;
+-	
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &str, &str_len) == FAILURE) {
++
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &str, &str_len) == FAILURE) {
+ 		RETURN_FALSE;
+ 	}
+-	
++
+ 	ret = chroot(str);
+ 	if (ret != 0) {
+ 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "%s (errno %d)", strerror(errno), errno);
+diff --git a/ext/standard/file.c b/ext/standard/file.c
+index 708c3e2..21e1e53 100644
+--- a/ext/standard/file.c
++++ b/ext/standard/file.c
+@@ -805,7 +805,7 @@ PHP_FUNCTION(tempnam)
+ 	char *p;
+ 	int fd;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pp", &dir, &dir_len, &prefix, &prefix_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -1332,7 +1332,7 @@ PHP_FUNCTION(rmdir)
+ 	zval *zcontext = NULL;
+ 	php_stream_context *context;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|r", &dir, &dir_len, &zcontext) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|r", &dir, &dir_len, &zcontext) == FAILURE) {
+ 		RETURN_FALSE;
+ 	}
+ 
+-- 
+2.1.4
+
+From 634aa0a2dbf8ec5e6fabb4ee01c6d1355ba7ee67 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 10 May 2015 23:33:44 -0700
+Subject: [PATCH] Update tests
+
+---
+ ext/standard/tests/dir/dir_variation1.phpt         | 22 +++++++++++-----------
+ .../tests/dir/opendir_variation1-win32.phpt        | 12 ++++++------
+ ext/standard/tests/dir/opendir_variation1.phpt     | 12 ++++++------
+ .../tests/file/mkdir_rmdir_variation2.phpt         |  2 +-
+ .../tests/file/tempnam_variation3-win32.phpt       | 18 +++++++++---------
+ ext/standard/tests/file/tempnam_variation3.phpt    | 22 ++++++++++++----------
+ .../tests/general_functions/include_path.phpt      |  4 ++--
+ 7 files changed, 47 insertions(+), 45 deletions(-)
+
+diff --git a/ext/standard/tests/dir/dir_variation1.phpt b/ext/standard/tests/dir/dir_variation1.phpt
+index abb4719..fff04ba 100644
+--- a/ext/standard/tests/dir/dir_variation1.phpt
++++ b/ext/standard/tests/dir/dir_variation1.phpt
+@@ -8,7 +8,7 @@ if (substr(PHP_OS, 0, 3) == 'WIN') {
+ ?>
+ --FILE--
+ <?php
+-/* 
++/*
+  * Prototype  : object dir(string $directory[, resource $context])
+  * Description: Directory class with properties, handle and class and methods read, rewind and close
+  * Source code: ext/standard/dir.c
+@@ -34,7 +34,7 @@ class A
+ }
+ 
+ // get a resource variable
+-$fp = fopen(__FILE__, "r"); // get a file handle 
++$fp = fopen(__FILE__, "r"); // get a file handle
+ $dfp = opendir( dirname(__FILE__) ); // get a dir handle
+ 
+ // unexpected values to be passed to $directory argument
+@@ -92,27 +92,27 @@ echo "Done";
+ 
+ -- Iteration 1 --
+ 
+-Warning: dir() expects parameter 1 to be string, array given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+ -- Iteration 2 --
+ 
+-Warning: dir() expects parameter 1 to be string, array given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+ -- Iteration 3 --
+ 
+-Warning: dir() expects parameter 1 to be string, array given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+ -- Iteration 4 --
+ 
+-Warning: dir() expects parameter 1 to be string, array given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+ -- Iteration 5 --
+ 
+-Warning: dir() expects parameter 1 to be string, array given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+ -- Iteration 6 --
+@@ -151,16 +151,16 @@ bool(false)
+ 
+ -- Iteration 16 --
+ 
+-Warning: dir() expects parameter 1 to be string, resource given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, resource given in %s on line %d
+ NULL
+ 
+ -- Iteration 17 --
+ 
+-Warning: dir() expects parameter 1 to be string, resource given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, resource given in %s on line %d
+ NULL
+ 
+ -- Iteration 18 --
+ 
+-Warning: dir() expects parameter 1 to be string, object given in %s on line %d
++Warning: dir() expects parameter 1 to be a valid path, object given in %s on line %d
+ NULL
+-Done
+\ No newline at end of file
++Done
+diff --git a/ext/standard/tests/dir/opendir_variation1-win32.phpt b/ext/standard/tests/dir/opendir_variation1-win32.phpt
+index 9a75a5b..9bf3c4a 100644
+--- a/ext/standard/tests/dir/opendir_variation1-win32.phpt
++++ b/ext/standard/tests/dir/opendir_variation1-win32.phpt
+@@ -9,7 +9,7 @@ if (substr(PHP_OS, 0, 3) != 'WIN') {
+ --FILE--
+ <?php
+ /* Prototype  : mixed opendir(string $path[, resource $context])
+- * Description: Open a directory and return a dir_handle 
++ * Description: Open a directory and return a dir_handle
+  * Source code: ext/standard/dir.c
+  */
+ 
+@@ -30,7 +30,7 @@ unset ($unset_var);
+ 
+ // get a class
+ class classA {
+-	
++
+ 	var $path;
+ 	function __construct($path) {
+ 		$this->path = $path;
+@@ -73,7 +73,7 @@ $inputs = array(
+        false,
+        TRUE,
+        FALSE,
+-       
++
+        // empty data
+ /*16*/ "",
+        '',
+@@ -83,7 +83,7 @@ $inputs = array(
+ /*19*/ "$path",
+        'string',
+        $heredoc,
+-       
++
+        // object data
+ /*22*/ new classA($path),
+ 
+@@ -216,7 +216,7 @@ bool(false)
+ 
+ -- Iteration 18 --
+ 
+-Warning: opendir() expects parameter 1 to be string, array given in %s on line %d
++Warning: opendir() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+ -- Iteration 19 --
+@@ -243,6 +243,6 @@ bool(false)
+ 
+ -- Iteration 25 --
+ 
+-Warning: opendir() expects parameter 1 to be string, resource given in %s on line %d
++Warning: opendir() expects parameter 1 to be a valid path, resource given in %s on line %d
+ NULL
+ ===DONE===
+diff --git a/ext/standard/tests/dir/opendir_variation1.phpt b/ext/standard/tests/dir/opendir_variation1.phpt
+index 8d195e1..cb4d543 100644
+--- a/ext/standard/tests/dir/opendir_variation1.phpt
++++ b/ext/standard/tests/dir/opendir_variation1.phpt
+@@ -9,7 +9,7 @@ if (substr(PHP_OS, 0, 3) == 'WIN') {
+ --FILE--
+ <?php
+ /* Prototype  : mixed opendir(string $path[, resource $context])
+- * Description: Open a directory and return a dir_handle 
++ * Description: Open a directory and return a dir_handle
+  * Source code: ext/standard/dir.c
+  */
+ 
+@@ -30,7 +30,7 @@ unset ($unset_var);
+ 
+ // get a class
+ class classA {
+-	
++
+ 	var $path;
+ 	function __construct($path) {
+ 		$this->path = $path;
+@@ -73,7 +73,7 @@ $inputs = array(
+        false,
+        TRUE,
+        FALSE,
+-       
++
+        // empty data
+ /*16*/ "",
+        '',
+@@ -83,7 +83,7 @@ $inputs = array(
+ /*19*/ "$path",
+        'string',
+        $heredoc,
+-       
++
+        // object data
+ /*22*/ new classA($path),
+ 
+@@ -194,7 +194,7 @@ bool(false)
+ 
+ -- Iteration 18 --
+ 
+-Warning: opendir() expects parameter 1 to be string, array given in %s on line %d
++Warning: opendir() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+ -- Iteration 19 --
+@@ -219,6 +219,6 @@ bool(false)
+ 
+ -- Iteration 25 --
+ 
+-Warning: opendir() expects parameter 1 to be string, resource given in %s on line %d
++Warning: opendir() expects parameter 1 to be a valid path, resource given in %s on line %d
+ NULL
+ ===DONE===
+diff --git a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt
+index 14dd361..24dfc96 100644
+--- a/ext/standard/tests/file/mkdir_rmdir_variation2.phpt
++++ b/ext/standard/tests/file/mkdir_rmdir_variation2.phpt
+@@ -68,7 +68,7 @@ bool(false)
+ Warning: mkdir() expects parameter 1 to be a valid path, string given in %s on line %d
+ bool(false)
+ 
+-Warning: rmdir(%s): No such file or directory in %s on line %d
++Warning: rmdir() expects parameter 1 to be a valid path, string given in %s on line %d
+ bool(false)
+ 
+ *** Testing mkdir() with miscelleneous input ***
+diff --git a/ext/standard/tests/file/tempnam_variation3-win32.phpt b/ext/standard/tests/file/tempnam_variation3-win32.phpt
+index fb457cb..cc8194a 100644
+--- a/ext/standard/tests/file/tempnam_variation3-win32.phpt
++++ b/ext/standard/tests/file/tempnam_variation3-win32.phpt
+@@ -22,9 +22,9 @@ if (!mkdir($file_path)) {
+ 
+ $file_path = realpath($file_path);
+ 
+-/* An array of prefixes */ 
++/* An array of prefixes */
+ $names_arr = array(
+-	/* Valid args (casting)*/ 
++	/* Valid args (casting)*/
+ 	-1,
+ 	TRUE,
+ 	FALSE,
+@@ -32,17 +32,17 @@ $names_arr = array(
+ 	"",
+ 	" ",
+ 	"\0",
+-	/* Invalid args */ 
++	/* Invalid args */
+ 	array(),
+ 
+-	/* Valid args*/ 
++	/* Valid args*/
+ 	/* prefix with path separator of a non existing directory*/
+-	"/no/such/file/dir", 
++	"/no/such/file/dir",
+ 	"php/php"
+ );
+ 
+ $res_arr = array(
+-	/* Invalid args */ 
++	/* Invalid args */
+ 	true,
+ 	true,
+ 	true,
+@@ -53,7 +53,7 @@ $res_arr = array(
+ 	false,
+ 
+ 	/* prefix with path separator of a non existing directory*/
+-	true, 
++	true,
+ 	true
+ );
+ 
+@@ -72,7 +72,7 @@ for( $i=0; $i<count($names_arr); $i++ ) {
+ 		} else {
+ 			echo "Failed, not created in the correct directory " . realpath($file_dir) . ' vs ' . $file_path ."\n";
+ 		}
+-		
++
+ 		if (!is_writable($file_name)) {
+ 			printf("%o\n", fileperms($file_name) );
+ 
+@@ -105,7 +105,7 @@ Failed, not created in the correct directory %s vs %s
+ OK
+ -- Iteration 7 --
+ 
+-Warning: tempnam() expects parameter 2 to be string, array given in %s\ext\standard\tests\file\tempnam_variation3-win32.php on line %d
++Warning: tempnam() expects parameter 2 to be a valid path, array given in %s\ext\standard\tests\file\tempnam_variation3-win32.php on line %d
+ OK
+ -- Iteration 8 --
+ OK
+diff --git a/ext/standard/tests/file/tempnam_variation3.phpt b/ext/standard/tests/file/tempnam_variation3.phpt
+index 69ab16c..11b8780 100644
+--- a/ext/standard/tests/file/tempnam_variation3.phpt
++++ b/ext/standard/tests/file/tempnam_variation3.phpt
+@@ -17,9 +17,9 @@ echo "*** Testing tempnam() with obscure prefixes ***\n";
+ $file_path = dirname(__FILE__)."/tempnamVar3";
+ mkdir($file_path);
+ 
+-/* An array of prefixes */ 
++/* An array of prefixes */
+ $names_arr = array(
+-  /* Invalid args */ 
++  /* Invalid args */
+   -1,
+   TRUE,
+   FALSE,
+@@ -30,7 +30,7 @@ $names_arr = array(
+   array(),
+ 
+   /* prefix with path separator of a non existing directory*/
+-  "/no/such/file/dir", 
++  "/no/such/file/dir",
+   "php/php"
+ 
+ );
+@@ -48,10 +48,10 @@ for( $i=0; $i<count($names_arr); $i++ ) {
+     echo "File permissions are => ";
+     printf("%o", fileperms($file_name) );
+     echo "\n";
+-    
++
+     echo "File created in => ";
+     $file_dir = dirname($file_name);
+-        
++
+     if ($file_dir == sys_get_temp_dir()) {
+        echo "temp dir\n";
+     }
+@@ -61,7 +61,7 @@ for( $i=0; $i<count($names_arr); $i++ ) {
+     else {
+        echo "unknown location\n";
+     }
+-    
++
+   }
+   else {
+     echo "-- File is not created --\n";
+@@ -100,12 +100,14 @@ File name is => %s/%s
+ File permissions are => 100600
+ File created in => directory specified
+ -- Iteration 6 --
+-File name is => %s/%s
+-File permissions are => 100600
+-File created in => directory specified
++
++Warning: tempnam() expects parameter 2 to be a valid path, string given in %s on line %d
++-- File is not created --
++
++Warning: unlink(): %s in %s on line %d
+ -- Iteration 7 --
+ 
+-Warning: tempnam() expects parameter 2 to be string, array given in %s on line %d
++Warning: tempnam() expects parameter 2 to be a valid path, array given in %s on line %d
+ -- File is not created --
+ 
+ Warning: unlink(): %s in %s on line %d
+diff --git a/ext/standard/tests/general_functions/include_path.phpt b/ext/standard/tests/general_functions/include_path.phpt
+index 0392307..8b6626f 100644
+--- a/ext/standard/tests/general_functions/include_path.phpt
++++ b/ext/standard/tests/general_functions/include_path.phpt
+@@ -41,7 +41,7 @@ var_dump(get_include_path());
+ 
+ echo "Done\n";
+ ?>
+---EXPECTF--	
++--EXPECTF--
+ string(1) "."
+ 
+ Warning: get_include_path() expects exactly 0 parameters, 1 given in %s on line %d
+@@ -67,7 +67,7 @@ string(1) "."
+ NULL
+ string(1) "."
+ 
+-Warning: set_include_path() expects parameter 1 to be string, array given in %s on line %d
++Warning: set_include_path() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ string(1) "."
+ NULL
+-- 
+2.1.4
+
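Review bot: In `pcntl_exec` the `"s"` to `"p"` change covers only `path`; the elements of `args` and `envs` are turned into the argument and environment strings in a loop whose body is outside the hunk. If they are passed on as plain C strings, a value with an embedded NUL byte would still be silently truncated there, which is worth confirming. The one-character specifier changes are also easy to miss among the trailing-whitespace edits in the same hunks. A short comment at each changed call would help, such as `/* "p": fail on embedded NUL so the C-level path cannot differ from the PHP string */`. Later backports would then keep the specifier.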
diff --git a/SOURCES/php-5.4.16-aarch64-select.patch b/SOURCES/php-5.4.16-aarch64-select.patch
new file mode 100644
index 0000000..756ce69
--- /dev/null
+++ b/SOURCES/php-5.4.16-aarch64-select.patch
@@ -0,0 +1,44 @@
+From 58c6a08e00d4a8c99123cfb36f3a399a9b352d24 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Tue, 10 Jun 2014 10:28:34 +0200
+Subject: [PATCH] Fixed bug #67406 built-in web-server segfaults on startup
+
+Reproduce on aarch64.
+
+From select man page:
+  "select() may update the timeout argument to indicate how much time was left."
+So "const" is not ok.
+---
+ sapi/cli/php_cli_server.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/sapi/cli/php_cli_server.c b/sapi/cli/php_cli_server.c
+index e838d30..3fd24ea 100644
+--- a/sapi/cli/php_cli_server.c
++++ b/sapi/cli/php_cli_server.c
+@@ -768,11 +768,11 @@ static void php_cli_server_poller_remove(php_cli_server_poller *poller, int mode
+ #endif
+ } /* }}} */
+ 
+-static int php_cli_server_poller_poll(php_cli_server_poller *poller, const struct timeval *tv) /* {{{ */
++static int php_cli_server_poller_poll(php_cli_server_poller *poller, struct timeval *tv) /* {{{ */
+ {
+ 	memmove(&poller->active.rfds, &poller->rfds, sizeof(poller->rfds));
+ 	memmove(&poller->active.wfds, &poller->wfds, sizeof(poller->wfds));
+-	return php_select(poller->max_fd + 1, &poller->active.rfds, &poller->active.wfds, NULL, (struct timeval *)tv);
++	return php_select(poller->max_fd + 1, &poller->active.rfds, &poller->active.wfds, NULL, tv);
+ } /* }}} */
+ 
+ static int php_cli_server_poller_iter_on_active(php_cli_server_poller *poller, void *opaque, int(*callback)(void *, int fd, int events)) /* {{{ */
+@@ -2349,7 +2349,7 @@ static int php_cli_server_do_event_loop(php_cli_server *server TSRMLS_DC) /* {{{
+ {
+ 	int retval = SUCCESS;
+ 	while (server->is_running) {
+-		static const struct timeval tv = { 1, 0 };
++		struct timeval tv = { 1, 0 };
+ 		int n = php_cli_server_poller_poll(&server->poller, &tv);
+ 		if (n > 0) {
+ 			php_cli_server_do_event_for_each_fd(server,
+-- 
+1.9.2
+
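Review bot: `php_cli_server_poller_poll` now hands the caller's `tv` straight to `php_select`, which per the commit message may update it, but nothing at the function states that contract. The caller in `php_cli_server_do_event_loop` is correct because it re-creates `tv` on every iteration. A future caller that hoists the variable out of its loop would poll with a shrinking timeout. A comment on the function would record this: `/* tv may be updated by select(); callers must reinitialise it before every call */`.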
diff --git a/SOURCES/php-5.4.16-bug50444.patch b/SOURCES/php-5.4.16-bug50444.patch
new file mode 100644
index 0000000..2328cb7
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug50444.patch
@@ -0,0 +1,83 @@
+Backported from 5.5.14
+Adapted for PHP 5.4.16 from
+
+From a05611358606ca21672c49d26c77b7b0c81cab07 Mon Sep 17 00:00:00 2001
+From: Felipe Pena <felipensp@gmail.com>
+Date: Sun, 22 Dec 2013 09:42:45 -0200
+Subject: [PATCH] - Fixed bug #66311 (Stack smashing protection kills PDO/ODBC
+ queries) patch by: michael at orlitzky dot com
+
+---
+ ext/pdo_odbc/odbc_stmt.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/pdo_odbc/odbc_stmt.c b/ext/pdo_odbc/odbc_stmt.c
+index 89b6721..e0d7e62 100644
+--- a/ext/pdo_odbc/odbc_stmt.c
++++ b/ext/pdo_odbc/odbc_stmt.c
+@@ -546,7 +546,8 @@ static int odbc_stmt_describe(pdo_stmt_t
+ 	zend_bool dyn = FALSE;
+ 	RETCODE rc;
+ 	SWORD	colnamelen;
+-	SDWORD	colsize, displaysize;
++	SDWORD	colsize;
++	SQLLEN displaysize;
+ 
+ 	rc = SQLDescribeCol(S->stmt, colno+1, S->cols[colno].colname,
+ 			sizeof(S->cols[colno].colname)-1, &colnamelen,
+
+From 186ffcb72c982b0235761bdd6388ff1c36d79568 Mon Sep 17 00:00:00 2001
+From: Andrew Kehrig <kehrigan@gmail.com>
+Date: Mon, 24 Feb 2014 12:01:58 -0500
+Subject: [PATCH] Fix #50444: PDO-ODBC changes for 64-bit
+
+This bug is also referenced in
+[#61777](https://bugs.php.net/bug.php?id=61777) and is still present in
+the latest stable release of the 5.5 branch. I see two tickets exist for
+this problem already, and I'm just submitting these changes via github
+as a reminder that this is a serious problem for anyone using PDO_ODBC
+on the x64 builds.
+---
+ NEWS                            | 3 +++
+ ext/pdo_odbc/odbc_stmt.c        | 4 ++--
+ ext/pdo_odbc/php_pdo_odbc_int.h | 2 +-
+ 3 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/ext/pdo_odbc/odbc_stmt.c b/ext/pdo_odbc/odbc_stmt.c
+index 8b0ccf3..1d275cd 100644
+--- a/ext/pdo_odbc/odbc_stmt.c
++++ b/ext/pdo_odbc/odbc_stmt.c
+@@ -279,7 +279,7 @@ static int odbc_stmt_param_hook(pdo_stmt_t *stmt, struct pdo_bound_param_data *p
+ 	pdo_odbc_stmt *S = (pdo_odbc_stmt*)stmt->driver_data;
+ 	RETCODE rc;
+ 	SWORD sqltype = 0, ctype = 0, scale = 0, nullable = 0;
+-	UDWORD precision = 0;
++	SQLULEN precision = 0;
+ 	pdo_odbc_param *P;
+ 	
+ 	/* we're only interested in parameters for prepared SQL right now */
+@@ -546,7 +546,7 @@ static int odbc_stmt_describe(pdo_stmt_t
+ 	zend_bool dyn = FALSE;
+ 	RETCODE rc;
+ 	SWORD	colnamelen;
+-	SDWORD	colsize;
++	SQLULEN	colsize;
+ 	SQLLEN displaysize;
+ 
+ 	rc = SQLDescribeCol(S->stmt, colno+1, S->cols[colno].colname,
+diff --git a/ext/pdo_odbc/php_pdo_odbc_int.h b/ext/pdo_odbc/php_pdo_odbc_int.h
+index 87b2f91..5e42951 100644
+--- a/ext/pdo_odbc/php_pdo_odbc_int.h
++++ b/ext/pdo_odbc/php_pdo_odbc_int.h
+@@ -157,7 +157,7 @@ typedef struct {
+ } pdo_odbc_stmt;
+ 
+ typedef struct {
+-	SQLINTEGER len;
++	SQLLEN len;
+ 	SQLSMALLINT paramtype;
+ 	char *outbuf;
+ 	unsigned is_unicode:1;
+-- 
+2.1.4
+
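Review bot: The switch to `SQLLEN`/`SQLULEN` for `displaysize`, `colsize`, `precision` and the `len` field carries no comment, so nothing stops a later cleanup from changing them back to 32-bit types. The `SQLDescribeCol` call is cut off at `&colnamelen,` in the hunk, but these locals are presumably passed by address to the driver, which matches the stack-smashing symptom in the first patch's subject. A comment at each declaration would record why the type matters: `/* must be SQLLEN/SQLULEN: the ODBC driver stores a 64-bit value here on 64-bit builds */`. Any place outside the hunks that copies these values into narrower fields or prints them with a 32-bit format specifier should be checked as well.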
diff --git a/SOURCES/php-5.4.16-bug63595.patch b/SOURCES/php-5.4.16-bug63595.patch
new file mode 100644
index 0000000..493fb3b
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug63595.patch
@@ -0,0 +1,72 @@
+From 3c925b18fa96043e5d7e86f9ce544b143c3c2079 Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Mon, 27 Oct 2014 07:45:34 +0100
+Subject: [PATCH] Fix bug #63595 GMP memory management conflicts with other
+ libraries using GMP
+
+Drop use of php memory allocators as this raise various conflicts
+with other extensions and libraries which use libgmp.
+
+No other solution found.
+We cannot for ensure correct use of allocator with shared lib.
+
+Some memory can allocated before php init
+Some memory can be freed after php shutdown
+
+Known broken run cases
+- php + curl + gnutls + gmp
+- mod_gnutls + mod_php + gnutls + gmp
+- php + freetds + gnutls + gmp
+- php + odbc + freetds + gnutls + gmp
+- php + php-mapi (zarafa) + gnutls + gmp
+---
+ ext/gmp/gmp.c | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/ext/gmp/gmp.c b/ext/gmp/gmp.c
+index f51bd8c..b1553fa 100644
+--- a/ext/gmp/gmp.c
++++ b/ext/gmp/gmp.c
+@@ -324,30 +324,6 @@ static void _php_gmpnum_free(zend_rsrc_list_entry *rsrc TSRMLS_DC);
+ #	define MAX_BASE 36
+ #endif
+ 
+-/* {{{ gmp_emalloc
+- */
+-static void *gmp_emalloc(size_t size)
+-{
+-	return emalloc(size);
+-}
+-/* }}} */
+-
+-/* {{{ gmp_erealloc
+- */
+-static void *gmp_erealloc(void *ptr, size_t old_size, size_t new_size)
+-{
+-	return erealloc(ptr, new_size);
+-}
+-/* }}} */
+-
+-/* {{{ gmp_efree
+- */
+-static void gmp_efree(void *ptr, size_t size)
+-{
+-	efree(ptr);
+-}
+-/* }}} */
+-
+ /* {{{ ZEND_GINIT_FUNCTION
+  */
+ static ZEND_GINIT_FUNCTION(gmp)
+@@ -369,8 +345,6 @@ ZEND_MODULE_STARTUP_D(gmp)
+ #endif
+ 	REGISTER_STRING_CONSTANT("GMP_VERSION", (char *)gmp_version, CONST_CS | CONST_PERSISTENT);
+ 
+-	mp_set_memory_functions(gmp_emalloc, gmp_erealloc, gmp_efree);
+-
+ 	return SUCCESS;
+ }
+ /* }}} */
+-- 
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-bug66987.patch b/SOURCES/php-5.4.16-bug66987.patch
new file mode 100644
index 0000000..ff7f4be
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug66987.patch
@@ -0,0 +1,51 @@
+From 2c204a55af9b903b3db48dd5a75d492dbf1b387d Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Mon, 31 Mar 2014 16:50:47 +0200
+Subject: [PATCH] Fixed Bug #66987 Memory corruption in fileinfo ext
+ (bigendian)
+
+On little endian:
+	map->p == php_magic_database
+	map->magic[i] = pointer into the map
+
+	map->p == NULL
+	map->magic[i] = pointer to allocated memory
+
+On big endian (ppc64, s390x, ...):
+	map->p != php_magic_database and map->p != NULL
+        map->magic[i] = pointer into a copy of the map
+
+Trying to efree pointer in the later cause memory corruption
+Thanks to dkatulek / Red Hat for the report.
+---
+ ext/fileinfo/libmagic/apprentice.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/ext/fileinfo/libmagic/apprentice.c b/ext/fileinfo/libmagic/apprentice.c
+index 11920e6..fd82564 100644
+--- a/ext/fileinfo/libmagic/apprentice.c
++++ b/ext/fileinfo/libmagic/apprentice.c
+@@ -493,12 +493,14 @@ apprentice_unmap(struct magic_map *map)
+ 	if (map == NULL)
+ 		return;
+ 	if (map->p != php_magic_database) {
+-		int j;
+-		for (j = 0; j < MAGIC_SETS; j++) {
+-			if (map->magic[j])
+-				efree(map->magic[j]);
+-		}
+-		if (map->p != NULL) {
++		if (map->p == NULL) {
++			int j;
++			for (j = 0; j < MAGIC_SETS; j++) {
++				if (map->magic[j]) {
++					efree(map->magic[j]);
++				}
++			}
++		} else {
+ 			efree(map->p);
+ 		}
+ 	}
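Review bot: The rule that decides which pointer may be passed to efree() in apprentice_unmap is explained only in the commit message, so the new `if (map->p == NULL) … else` reads as arbitrary and is easy to undo in a later libmagic sync. A comment above the branch should state the three cases: `map->p == php_magic_database` means nothing is owned, `map->p == NULL` means each `map->magic[j]` was allocated separately, and any other `map->p` is a copy that the `magic[j]` pointers point into, so only `map->p` is freed. The function starts and continues outside the hunk, so whether `map` itself is released afterwards cannot be checked from here.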
+-- 
+2.1.0
+
diff --git a/SOURCES/php-5.4.16-bug68819.patch b/SOURCES/php-5.4.16-bug68819.patch
new file mode 100644
index 0000000..8111178
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug68819.patch
@@ -0,0 +1,87 @@
+From f938112c495b0d26572435c0be73ac0bfe642ecd Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sat, 4 Apr 2015 15:01:37 -0700
+Subject: [PATCH] Fix bug #68819 (Fileinfo on specific file causes spurious OOM
+ and/or segfault)
+
+---
+ ext/fileinfo/libmagic/softmagic.c    |  3 +++
+ ext/fileinfo/tests/bug68819_001.phpt | 18 ++++++++++++++++++
+ ext/fileinfo/tests/bug68819_002.phpt | 26 ++++++++++++++++++++++++++
+ 3 files changed, 47 insertions(+)
+ create mode 100644 ext/fileinfo/tests/bug68819_001.phpt
+ create mode 100644 ext/fileinfo/tests/bug68819_002.phpt
+
+diff --git a/ext/fileinfo/libmagic/softmagic.c b/ext/fileinfo/libmagic/softmagic.c
+index e7b7855..54c1a03 100644
+--- a/ext/fileinfo/libmagic/softmagic.c
++++ b/ext/fileinfo/libmagic/softmagic.c
+@@ -1037,6 +1037,9 @@ mcopy(struct magic_set *ms, union VALUETYPE *p, int type, int indir,
+ 			if (bytecnt > nbytes) {
+ 				bytecnt = nbytes;
+ 			}
++			if (offset > bytecnt) {
++				offset = bytecnt;
++			}
+ 			if (s == NULL) {
+ 				ms->search.s_len = 0;
+ 				ms->search.s = NULL;
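Review bot: The added clamp `if (offset > bytecnt) offset = bytecnt;` carries no comment, and the hunk alone does not show which later expression it protects. mcopy continues outside the hunk; presumably a length or pointer is derived from `offset` and `bytecnt` further down, and an offset past the available bytes would make it wrap or point beyond the buffer. I would add `/* offset past the available bytes: clamp so the length derived below cannot underflow */`, with the wording confirmed against the code that follows. The declarations of `offset` and `bytecnt` are also outside the hunk, so the comparison should be checked for a signed/unsigned mix.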
+diff --git a/ext/fileinfo/tests/bug68819_001.phpt b/ext/fileinfo/tests/bug68819_001.phpt
+new file mode 100644
+index 0000000..ce39ee6
+--- /dev/null
++++ b/ext/fileinfo/tests/bug68819_001.phpt
+@@ -0,0 +1,18 @@
++--TEST--
++Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 1
++--SKIPIF--
++<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
++--FILE--
++<?php
++
++$string = <<<HERE
++----a-----'''---------a---------------a--------a-----a-----a---------a-----as-------a----a--a-------------a--as-----s---------------a---------a---a--s-a-----a-----------asy---------a-----a-----------a----s--------a-------------a-------a--------a----s------------a-----a----------------a----s-----------------\r\n-------------------a-------a-a-------a-----a----a----s----s--------a-----------------------a----a----s-------------a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a----s----s--------a----------a----------------------a----a----s-------------a----------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n------a-------a-a-------a-----a----a---a-----a-----------------------a----a---a-----a------------------s-------a----a---a-----a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s------\r\n-------------------a-------a-a-------a-----a----a---a-------a------------------------a----a---a-----''--a-------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a-------s-----a---a-------------------------a----a-------------a---a-------------------s-------a----a-------------a---a-----as-a--------------a-----a--s----s---------y------------a-----a-s---a-------''----a---s--a-''------''----s------------a-y--------
--------s------a-----y--a-s--a-s------s--a-s----------''----------------------------a---s--a----a---------a-s---a-s--------s--------a---------s--a-y-------------as----a----a-------------a------a---s--a-s------a--------a----s----y--as--a----a-s---------------a-----a--------------------------------------\r\n-------------------a-------a-a-------a-----a----a-----------s--------a-----------------------a----a--------------------a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a-----------s--------a----------a----------------------a----a--------------------a------------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a---a-----------------------a----a---a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a---a----------a----------------------a----a---a------------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-----a-a-----------a-------a-a-------a-----a----a----a---s-----a-----------------------a----a----a---------a-----------------s-------a----a----a---------a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s------------
--a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a--------a----a-----------------------a----a----------a----a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-----a-------------a-------a-a-------a-----a----a--------s-----a---a-------------------------a----a--------------a---a-------------------s-------------a---------------a----a---a---a-----as-a--------------a-----a--s----s---------y------------a-----a-s---a-------''----a---s--a-''------''----s------------a-y----------------s------a-----y--a-s--a-s------s--a-s----------''----------------------------a---s--a----a---------a-s---a-s--------s--------a---------s--a-y-------------as----a----a-------------a------a---s--a-s------a--------a----s----y--as--a----a-s---------------a-----a--------------------------------------\r\n-------------------a-------a-a-------a-----a----a----------------a-----------------------a----a----------------a------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a-------a-----a----a----------------a----------a----------------------a----a----------------a-----------------------------s-------a----a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n---a---------------a-------a-a-------a-----as------------------------a--a--s------------------a-s------------------------a-----s--a-----'''----------a-s---------------------------------------------a-----s--a-----------------a---------a---a--s-a-----
a-----------asy---------a-----a-----------a----s----------------------a----s--a-------------a-------a--------a----s------------a-----a----------------a----s------------------\r\n-a-----------------a-------a-a-------a--y---------a------------------y---------a-----'''-------y------a-y--a-------------------------a---------a---a----------as-a---a--s-a-----a-----------asy---------a-----a-----------a----s--------a-------------a-------a--------a----s---------a-----a----------------a----s------------------\r\n-a-----------------a-------a-a-------a--y-------------a------------------y-------------a-----'''-------y----------a-y--a-------------------------a---------a---a----------as-a---a--s-a-----a-----------asy---------a-----a-----------a----s--------a-------------a-------a--------a----s---------a-----a----------------a----s------------------\r\n-------------------a-------a-a-------a--a----a-----a------------------a----a-----a-----'''----------a----s----a----a-------s---a------------------a-----------a--s-a-----a---------------------a------a----s-a-----a-------s-s-------a----s--------a-------------a-------a--------a----s---------a-----a----------------a----s------------------\r\n------aa-----------a-------a-a------------s-a--s---------a---a------------------------a------------a---a------------------s--------a------------a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a------------------------s-----s--a----a-----------------------------------------s--a----a------------------s---------------------------------s--a----a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s--------------a-----a----------a----------s--a----------s-----------------\r\n-------------------a-------a-a--------------s-a---a--------------------------a---
a------------------s----------a---a------as---s-a--------------s-----a------a-y--a-------a-----a--a--------a----s--------a-------------a-------a--------a----s---------------a-----a----------a----------s--a----------s-----------------\r\nsay-------a------------s-----''------a----s--------a-------------a-\r\n
++HERE;
++
++$finfo = new finfo();
++$type = $finfo->buffer($string);
++
++var_dump($type);
++?>
++--EXPECT--
++string(60) "ASCII text, with very long lines, with CRLF line terminators"
+diff --git a/ext/fileinfo/tests/bug68819_002.phpt b/ext/fileinfo/tests/bug68819_002.phpt
+new file mode 100644
+index 0000000..cec238d
+--- /dev/null
++++ b/ext/fileinfo/tests/bug68819_002.phpt
+@@ -0,0 +1,26 @@
++--TEST--
++Bug #68819 Fileinfo on specific file causes spurious OOM and/or segfault, var 2
++--SKIPIF--
++<?php require_once(dirname(__FILE__) . '/skipif.inc'); ?>
++--FILE--
++<?php
++
++$string = '';
++
++// These two in any order
++$string .= "\r\n";
++$string .= "''''";
++
++// Total string length > 8192
++$string .= str_repeat(chr(rand(32, 127)), 8184);
++
++// Ending in this string
++$string .= "say";
++
++$finfo = new finfo();
++$type = $finfo->buffer($string);
++var_dump($type);
++
++?>
++--EXPECT--
++string(60) "ASCII text, with very long lines, with CRLF line terminators"
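Review bot: The filler in this test comes from `chr(rand(32, 127))`, so every run feeds finfo a different byte while `--EXPECT--` pins one exact description. The range includes 127 (DEL) and the quote character that the earlier lines of the test treat as significant, so some draws may change the detected type or stop exercising the bug #68819 path, and a failure would be hard to reproduce. A fixed printable filler keeps the regression deterministic, e.g. `$string .= str_repeat("a", 8184);`.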
+-- 
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-bug69085.patch b/SOURCES/php-5.4.16-bug69085.patch
new file mode 100644
index 0000000..c4149e0
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug69085.patch
@@ -0,0 +1,488 @@
+Adapted for 5.4.16
+
+From d5248f67b58ac3107fec82c5b937fc3f4c89784a Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Mon, 2 Mar 2015 12:27:36 +0300
+Subject: [PATCH] Check variable type before its usage as IS_ARRAY.
+
+---
+ ext/soap/soap.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index eaa57d9..8790605 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -2879,7 +2879,8 @@ PHP_METHOD(SoapClient, __call)
+ 	}
+ 
+ 	/* Add default headers */
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__default_headers", sizeof("__default_headers"), (void **) &tmp)==SUCCESS &&
++	    Z_TYPE_PP(tmp) == IS_ARRAY) {
+ 		HashTable *default_headers = Z_ARRVAL_P(*tmp);
+ 		if (soap_headers) {
+ 			if (!free_soap_headers) {
+-- 
+2.1.4
+
+From 0c136a2abd49298b66acb0cad504f0f972f5bfe8 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Tue, 3 Mar 2015 09:44:46 +0300
+Subject: [PATCH] Added type checks
+
+---
+ ext/soap/php_encoding.c |  9 ++++++---
+ ext/soap/php_http.c     | 23 +++++++++++++++--------
+ ext/soap/soap.c         | 41 +++++++++++++++++++++++++----------------
+ 3 files changed, 46 insertions(+), 27 deletions(-)
+
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index 5e93b8a..fd9e367 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -3649,18 +3649,21 @@ static encodePtr get_array_type(xmlNodePtr node, zval *array, smart_str *type TS
+ 		    Z_OBJCE_PP(tmp) == soap_var_class_entry) {
+ 			zval **ztype;
+ 
+-			if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) {
++			if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE ||
++			    Z_TYPE_PP(ztype) != IS_LONG) {
+ 				soap_error0(E_ERROR,  "Encoding: SoapVar has no 'enc_type' property");
+ 			}
+ 			cur_type = Z_LVAL_PP(ztype);
+ 
+-			if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS) {
++			if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_stype", sizeof("enc_stype"), (void **)&ztype) == SUCCESS &&
++			    Z_TYPE_PP(ztype) == IS_STRING) {
+ 				cur_stype = Z_STRVAL_PP(ztype);
+ 			} else {
+ 				cur_stype = NULL;
+ 			}
+ 
+-			if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS) {
++			if (zend_hash_find(Z_OBJPROP_PP(tmp), "enc_ns", sizeof("enc_ns"), (void **)&ztype) == SUCCESS &&
++			    Z_TYPE_PP(ztype) == IS_STRING) {
+ 				cur_ns = Z_STRVAL_PP(ztype);
+ 			} else {
+ 				cur_ns = NULL;
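Review bot: When `enc_type` exists but is not an integer, the widened condition still reports "Encoding: SoapVar has no 'enc_type' property", which misstates what happened. A wrong-typed property on a SoapVar is the more useful signal in logs, since it points to a malformed or tampered serialized object rather than a missing field, so I would report it separately, e.g. `soap_error0(E_ERROR, "Encoding: SoapVar 'enc_type' property is not an integer");`. The same message is reused in the master_to_xml_int hunk of the following commit. The `cur_type = Z_LVAL_PP(ztype)` read after the check relies on soap_error0(E_ERROR, …) not returning, which the hunk does not show; a short comment saying so would help.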
+diff --git a/ext/soap/php_http.c b/ext/soap/php_http.c
+index 9e74a7c..8c5082c 100644
+--- a/ext/soap/php_http.c
++++ b/ext/soap/php_http.c
+@@ -36,14 +36,16 @@ int proxy_authentication(zval* this_ptr, smart_str* soap_headers TSRMLS_DC)
+ {
+ 	zval **login, **password;
+ 
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_login", sizeof("_proxy_login"), (void **)&login) == SUCCESS &&
++	    Z_TYPE_PP(login) == IS_STRING) {
+ 		unsigned char* buf;
+ 		int len;
+ 		smart_str auth = {0};
+ 
+ 		smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login));
+ 		smart_str_appendc(&auth, ':');
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_proxy_password", sizeof("_proxy_password"), (void **)&password) == SUCCESS &&
++		    Z_TYPE_PP(password) == IS_STRING) {
+ 			smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password));
+ 		}
+ 		smart_str_0(&auth);
+@@ -64,14 +66,16 @@ int basic_authentication(zval* this_ptr, smart_str* soap_headers TSRMLS_DC)
+ 	zval **login, **password;
+ 
+ 	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_login", sizeof("_login"), (void **)&login) == SUCCESS &&
+-			!zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) {
++	    Z_TYPE_PP(login) == IS_STRING &&
++	    !zend_hash_exists(Z_OBJPROP_P(this_ptr), "_digest", sizeof("_digest"))) {
+ 		unsigned char* buf;
+ 		int len;
+ 		smart_str auth = {0};
+ 
+ 		smart_str_appendl(&auth, Z_STRVAL_PP(login), Z_STRLEN_PP(login));
+ 		smart_str_appendc(&auth, ':');
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_password", sizeof("_password"), (void **)&password) == SUCCESS &&
++		    Z_TYPE_PP(password) == IS_STRING) {
+ 			smart_str_appendl(&auth, Z_STRVAL_PP(password), Z_STRLEN_PP(password));
+ 		}
+ 		smart_str_0(&auth);
+@@ -509,6 +513,7 @@ try_again:
+ 		}
+ 		if (!http_1_1 ||
+ 			(zend_hash_find(Z_OBJPROP_P(this_ptr), "_keep_alive", sizeof("_keep_alive"), (void **)&tmp) == SUCCESS &&
++			 (Z_TYPE_PP(tmp) == IS_BOOL || Z_TYPE_PP(tmp) == IS_LONG) &&
+ 			 Z_LVAL_PP(tmp) == 0)) {
+ 			smart_str_append_const(&soap_headers, "\r\n"
+ 				"Connection: close\r\n");
+@@ -742,7 +747,8 @@ try_again:
+ 		}
+ 
+ 		/* Send cookies along with request */
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS &&
++		    Z_TYPE_PP(cookies) == IS_ARRAY) {
+ 			zval **data;
+ 			char *key;
+ 			int i, n;
+@@ -785,7 +791,7 @@ try_again:
+ 		smart_str_append_const(&soap_headers, "\r\n");
+ 		smart_str_0(&soap_headers);
+ 		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
+-		    Z_LVAL_PP(trace) > 0) {
++		    (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 			add_property_stringl(this_ptr, "__last_request_headers", soap_headers.c, soap_headers.len, 1);
+ 		}
+ 		smart_str_appendl(&soap_headers, request, request_size);
+@@ -830,7 +836,7 @@ try_again:
+ 		}
+ 
+ 		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
+-		    Z_LVAL_PP(trace) > 0) {
++		    (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 			add_property_stringl(this_ptr, "__last_response_headers", http_headers, http_header_size, 1);
+ 		}
+ 
+@@ -879,7 +885,8 @@ try_again:
+ 		char *eqpos, *sempos;
+ 		zval **cookies;
+ 
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE ||
++		    Z_TYPE_PP(cookies) != IS_ARRAY) {
+ 			zval *tmp_cookies;
+ 			MAKE_STD_ZVAL(tmp_cookies);
+ 			array_init(tmp_cookies);
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index 8790605..9ec6347 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -2549,7 +2549,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
+ 	}
+ 
+ 	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
+-	    Z_LVAL_PP(trace) > 0) {
++	    (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 		add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1);
+ 	}
+ 
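Review bot: The new guard tests `Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG`, which compares the property's value with type constants instead of checking its type, so `Z_LVAL_PP(trace)` is still read from a `trace` property of any type. That is the case this series of type checks is meant to exclude for objects rebuilt by unserialize(). It should read `(Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0`, as the php_http.c hunks of the same commit already do. The same expression appears in the `else if` of the next do_request hunk and in the first condition of the do_soap_call hunk. As written, tracing is also only enabled when the stored value happens to equal one of the two constants.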
+@@ -2589,7 +2589,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
+ 		}
+ 		ret = FALSE;
+ 	} else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
+-	    Z_LVAL_PP(trace) > 0) {
++	           (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 		add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1);
+ 	}
+ 	xmlFree(buf);
+@@ -2628,13 +2628,13 @@ static void do_soap_call(zval* this_ptr,
+ 
+ 	SOAP_CLIENT_BEGIN_CODE();
+ 
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS
+-		&& Z_LVAL_PP(trace) > 0) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
++	    (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 		zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"));
+ 		zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"));
+ 	}
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS
+-		&& Z_LVAL_PP(tmp) == SOAP_1_2) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_soap_version", sizeof("_soap_version"), (void **) &tmp) == SUCCESS &&
++		Z_TYPE_PP(tmp) == IS_LONG && Z_LVAL_PP(tmp) == SOAP_1_2) {
+ 		soap_version = SOAP_1_2;
+ 	} else {
+ 		soap_version = SOAP_1_1;
+@@ -2730,7 +2730,7 @@ static void do_soap_call(zval* this_ptr,
+ 		zval **uri;
+ 		smart_str action = {0};
+ 
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "uri", sizeof("uri"), (void *)&uri) == FAILURE || Z_TYPE_PP(uri) != IS_STRING) {
+ 			add_soap_fault(this_ptr, "Client", "Error finding \"uri\" property", NULL, NULL TSRMLS_CC);
+ 		} else if (location == NULL) {
+ 			add_soap_fault(this_ptr, "Client", "Error could not find \"location\" property", NULL, NULL TSRMLS_CC);
+@@ -3001,7 +3001,8 @@ PHP_METHOD(SoapClient, __getLastRequest)
+ 		return;
+ 	}
+ 
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"), (void **)&tmp) == SUCCESS &&
++	    Z_TYPE_PP(tmp) == IS_STRING) {
+ 		RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
+ 	}
+ 	RETURN_NULL();
+@@ -3019,7 +3020,8 @@ PHP_METHOD(SoapClient, __getLastResponse)
+ 		return;
+ 	}
+ 	
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"), (void **)&tmp) == SUCCESS &&
++	    Z_TYPE_PP(tmp) == IS_STRING) {
+ 		RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
+ 	}
+ 	RETURN_NULL();
+@@ -3037,7 +3039,8 @@ PHP_METHOD(SoapClient, __getLastRequestHeaders)
+ 		return;
+ 	}
+ 	
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_request_headers", sizeof("__last_request_headers"), (void **)&tmp) == SUCCESS &&
++	    Z_TYPE_PP(tmp) == IS_STRING) {
+ 		RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
+ 	}
+ 	RETURN_NULL();
+@@ -3055,7 +3058,8 @@ PHP_METHOD(SoapClient, __getLastResponseHeaders)
+ 		return;
+ 	}
+ 
+-	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS) {
++	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "__last_response_headers", sizeof("__last_response_headers"), (void **)&tmp) == SUCCESS &&
++	    Z_TYPE_PP(tmp) == IS_STRING) {
+ 		RETURN_STRINGL(Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), 1);
+ 	}
+ 	RETURN_NULL();
+@@ -3111,13 +3115,15 @@ PHP_METHOD(SoapClient, __setCookie)
+ 	}
+ 
+ 	if (val == NULL) {
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == SUCCESS &&
++		    Z_TYPE_PP(cookies) == IS_ARRAY) {
+ 			zend_hash_del(Z_ARRVAL_PP(cookies), name, name_len+1);
+ 		}
+ 	} else {
+ 		zval *zcookie;
+ 
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "_cookies", sizeof("_cookies"), (void **)&cookies) == FAILURE ||
++		    Z_TYPE_PP(cookies) != IS_ARRAY) {
+ 			zval *tmp_cookies;
+ 
+ 			MAKE_STD_ZVAL(tmp_cookies);
+@@ -4166,7 +4172,8 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function
+ 			}
+ 		}
+ 	} else {
+-		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS) {
++		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "style", sizeof("style"), (void **)&zstyle) == SUCCESS &&
++		    Z_TYPE_PP(zstyle) == IS_LONG) {
+ 			style = Z_LVAL_PP(zstyle);
+ 		} else {
+ 			style = SOAP_RPC;
+@@ -4189,7 +4196,7 @@ static xmlDocPtr serialize_function_call(zval *this_ptr, sdlFunctionPtr function
+ 		}
+ 
+ 		if (zend_hash_find(Z_OBJPROP_P(this_ptr), "use", sizeof("use"), (void **)&zuse) == SUCCESS &&
+-			  Z_LVAL_PP(zuse) == SOAP_LITERAL) {
++		    Z_TYPE_PP(zuse) == IS_LONG && Z_LVAL_PP(zuse) == SOAP_LITERAL) {
+ 			use = SOAP_LITERAL;
+ 		} else {
+ 			use = SOAP_ENCODED;
+@@ -4350,6 +4357,7 @@ static xmlNodePtr serialize_parameter(sdlParamPtr param, zval *param_val, int in
+ 		zval **param_data;
+ 
+ 		if (zend_hash_find(Z_OBJPROP_P(param_val), "param_name", sizeof("param_name"), (void **)&param_name) == SUCCESS &&
++		    Z_TYPE_PP(param_name) == IS_STRING &&
+ 		    zend_hash_find(Z_OBJPROP_P(param_val), "param_data", sizeof("param_data"), (void **)&param_data) == SUCCESS) {
+ 			param_val = *param_data;
+ 			name = Z_STRVAL_PP(param_name);
+-- 
+2.1.4
+
+From c8eaca013a3922e8383def6158ece2b63f6ec483 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Tue, 3 Mar 2015 10:43:48 +0300
+Subject: [PATCH] Added type checks
+
+---
+ ext/soap/php_encoding.c | 21 ++++++++++++++-------
+ ext/soap/soap.c         |  6 ++++--
+ 2 files changed, 18 insertions(+), 9 deletions(-)
+
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index fd9e367..31f1f7c 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -404,12 +404,15 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml
+ 		encodePtr enc = NULL;
+ 		HashTable *ht = Z_OBJPROP_P(data);
+ 
+-		if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE) {
++		if (zend_hash_find(ht, "enc_type", sizeof("enc_type"), (void **)&ztype) == FAILURE ||
++		    Z_TYPE_PP(ztype) != IS_LONG) {
+ 			soap_error0(E_ERROR, "Encoding: SoapVar has no 'enc_type' property");
+ 		}
+ 
+-		if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) {
+-			if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) {
++		if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS &&
++		    Z_TYPE_PP(zstype) == IS_STRING) {
++			if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS &&
++			    Z_TYPE_PP(zns) == IS_STRING) {
+ 				enc = get_encoder(SOAP_GLOBAL(sdl), Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype));
+ 			} else {
+ 				zns = NULL;
+@@ -445,8 +448,10 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml
+ 		}
+ 
+ 		if (style == SOAP_ENCODED || (SOAP_GLOBAL(sdl) && encode != enc)) {
+-			if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS) {
+-				if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS) {
++			if (zend_hash_find(ht, "enc_stype", sizeof("enc_stype"), (void **)&zstype) == SUCCESS &&
++			    Z_TYPE_PP(zstype) == IS_STRING) {
++				if (zend_hash_find(ht, "enc_ns", sizeof("enc_ns"), (void **)&zns) == SUCCESS &&
++				    Z_TYPE_PP(zns) == IS_STRING) {
+ 					set_ns_and_type_ex(node, Z_STRVAL_PP(zns), Z_STRVAL_PP(zstype));
+ 				} else {
+ 					set_ns_and_type_ex(node, NULL, Z_STRVAL_PP(zstype));
+@@ -454,10 +459,12 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml
+ 			}
+ 		}
+ 
+-		if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS) {
++		if (zend_hash_find(ht, "enc_name", sizeof("enc_name"), (void **)&zname) == SUCCESS &&
++		    Z_TYPE_PP(zname) == IS_STRING) {
+ 			xmlNodeSetName(node, BAD_CAST(Z_STRVAL_PP(zname)));
+ 		}
+-		if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS) {
++		if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS &&
++		    Z_TYPE_PP(zname) == IS_STRING) {
+ 			xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens));
+ 			xmlSetNs(node, nsp);
+ 		}
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index 9ec6347..d460c17 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -3915,7 +3915,8 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
+ 		}
+ 
+ 		if (version == SOAP_1_1) {
+-			if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) {
++			if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS &&
++			    Z_TYPE_PP(tmp) == IS_STRING) {
+ 				size_t new_len;
+ 				xmlNodePtr node = xmlNewNode(NULL, BAD_CAST("faultcode"));
+ 				char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC);
+@@ -3940,7 +3941,8 @@ static xmlDocPtr serialize_response_call(sdlFunctionPtr function, char *function
+ 			}
+ 			detail_name = "detail";
+ 		} else {
+-			if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS) {
++			if (zend_hash_find(prop, "faultcode", sizeof("faultcode"), (void**)&tmp) == SUCCESS &&
++			    Z_TYPE_PP(tmp) == IS_STRING) {
+ 				size_t new_len;
+ 				xmlNodePtr node = xmlNewChild(param, ns, BAD_CAST("Code"), NULL);
+ 				char *str = php_escape_html_entities((unsigned char*)Z_STRVAL_PP(tmp), Z_STRLEN_PP(tmp), &new_len, 0, 0, NULL TSRMLS_CC);
+-- 
+2.1.4
+
+From 75f40ae1f3a7ca837d230f099627d121f9b3a32f Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Fri, 27 Mar 2015 18:40:58 +0300
+Subject: [PATCH] Fixed bug #69293
+
+---
+ ext/soap/php_encoding.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/soap/php_encoding.c b/ext/soap/php_encoding.c
+index 31f1f7c..13be2a5 100644
+--- a/ext/soap/php_encoding.c
++++ b/ext/soap/php_encoding.c
+@@ -464,7 +464,7 @@ static xmlNodePtr master_to_xml_int(encodePtr encode, zval *data, int style, xml
+ 			xmlNodeSetName(node, BAD_CAST(Z_STRVAL_PP(zname)));
+ 		}
+ 		if (zend_hash_find(ht, "enc_namens", sizeof("enc_namens"), (void **)&znamens) == SUCCESS &&
+-		    Z_TYPE_PP(zname) == IS_STRING) {
++		    Z_TYPE_PP(znamens) == IS_STRING) {
+ 			xmlNsPtr nsp = encode_add_ns(node, Z_STRVAL_PP(znamens));
+ 			xmlSetNs(node, nsp);
+ 		}
+-- 
+2.1.4
+
+From 997b7e56302710bb3db00b56d0629ac75d73a207 Mon Sep 17 00:00:00 2001
+From: Xinchen Hui <laruence@php.net>
+Date: Fri, 27 Feb 2015 23:32:32 +0800
+Subject: [PATCH] Fixed bug #69085 (SoapClient's __call() type confusion
+ through unserialize()).
+
+---
+ NEWS                              |  4 ++++
+ ext/soap/soap.c                   |  6 +++---
+ ext/soap/tests/bugs/bug69085.phpt | 17 +++++++++++++++++
+ 3 files changed, 24 insertions(+), 3 deletions(-)
+ create mode 100644 ext/soap/tests/bugs/bug69085.phpt
+
+diff --git a/ext/soap/tests/bugs/bug69085.phpt b/ext/soap/tests/bugs/bug69085.phpt
+new file mode 100644
+index 0000000..cb27cfd
+--- /dev/null
++++ b/ext/soap/tests/bugs/bug69085.phpt
+@@ -0,0 +1,17 @@
++--TEST--
++Bug #69085 (SoapClient's __call() type confusion through unserialize())
++--SKIPIF--
++<?php require_once('skipif.inc'); ?>
++--INI--
++soap.wsdl_cache_enabled=0
++--FILE--
++<?php
++
++$dummy = unserialize('O:10:"SoapClient":5:{s:3:"uri";s:1:"a";s:8:"location";s:22:"http://localhost/a.xml";s:17:"__default_headers";i:1337;s:15:"__last_response";s:1:"a";s:5:"trace";s:1:"x";}');
++try {
++	$dummy->whatever();
++} catch (Exception $e) {
++	echo "okey";
++}
++--EXPECT--
++okey
+-- 
+2.1.4
+
+From ff70b40dc978f3f4c457f72a71bb43fd17ee360b Mon Sep 17 00:00:00 2001
+From: Remi Collet <remi@php.net>
+Date: Mon, 13 Apr 2015 14:39:11 +0200
+Subject: [PATCH] fix type in fix for #69085
+
+---
+ ext/soap/soap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index 41aa1ad..1b8f545 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -2549,7 +2549,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
+ 	}
+ 
+ 	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
+-	    (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
++	    (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 		add_property_stringl(this_ptr, "__last_request", buf, buf_size, 1);
+ 	}
+ 
+@@ -2589,7 +2589,7 @@ static int do_request(zval *this_ptr, xmlDoc *request, char *location, char *act
+ 		}
+ 		ret = FALSE;
+ 	} else if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
+-	           (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
++	           (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 		add_property_stringl(this_ptr, "__last_response", Z_STRVAL_P(response), Z_STRLEN_P(response), 1);
+ 	}
+ 	xmlFree(buf);
+@@ -2629,7 +2629,7 @@ static void do_soap_call(zval* this_ptr,
+ 	SOAP_CLIENT_BEGIN_CODE();
+ 
+ 	if (zend_hash_find(Z_OBJPROP_P(this_ptr), "trace", sizeof("trace"), (void **) &trace) == SUCCESS &&
+-	    (Z_LVAL_PP(trace) == IS_BOOL || Z_LVAL_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
++	    (Z_TYPE_PP(trace) == IS_BOOL || Z_TYPE_PP(trace) == IS_LONG) && Z_LVAL_PP(trace) != 0) {
+ 		zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_request", sizeof("__last_request"));
+ 		zend_hash_del(Z_OBJPROP_P(this_ptr), "__last_response", sizeof("__last_response"));
+ 	}
+-- 
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-bug69152.patch b/SOURCES/php-5.4.16-bug69152.patch
new file mode 100644
index 0000000..e7a14a0
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug69152.patch
@@ -0,0 +1,104 @@
+From 51856a76f87ecb24fe1385342be43610fb6c86e4 Mon Sep 17 00:00:00 2001
+From: Dmitry Stogov <dmitry@zend.com>
+Date: Thu, 19 Mar 2015 11:36:01 +0300
+Subject: [PATCH] Fixed bug #69152
+
+---
+ ext/soap/soap.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ext/soap/soap.c b/ext/soap/soap.c
+index d460c17..41aa1ad 100644
+--- a/ext/soap/soap.c
++++ b/ext/soap/soap.c
+@@ -919,6 +919,12 @@ PHP_METHOD(SoapFault, __toString)
+ 
+ 	zend_call_function(&fci, NULL TSRMLS_CC);
+ 
++	convert_to_string(faultcode);
++	convert_to_string(faultstring);
++	convert_to_string(file);
++	convert_to_long(line);
++	convert_to_string(trace);
++
+ 	len = spprintf(&str, 0, "SoapFault exception: [%s] %s in %s:%ld\nStack trace:\n%s",
+ 	               Z_STRVAL_P(faultcode), Z_STRVAL_P(faultstring), Z_STRVAL_P(file), Z_LVAL_P(line),
+ 	               Z_STRLEN_P(trace) ? Z_STRVAL_P(trace) : "#0 {main}\n");
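Review bot: The five `convert_to_*` calls added before `spprintf` rewrite their zvals in place, so if `faultcode`, `faultstring`, `file` and `line` are the object's own property values (their lookup is above the hunk, so this is inferred), calling `__toString()` now changes the types stored on the SoapFault as a side effect. Converting separated copies, or formatting through temporaries, would keep the type-confusion fix without mutating the object. The result of `zend_call_function` on the context line is still unchecked, so `convert_to_string(trace)` assumes the call always filled `trace`; that should be confirmed or guarded. A comment such as `/* properties may hold any type after unserialize(); coerce before %s/%ld reads them */` above the block would record why it exists. The method body starts and ends outside the hunk.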
+-- 
+2.1.4
+
+From fb83c76deec58f1fab17c350f04c9f042e5977d1 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 22 Mar 2015 18:17:47 -0700
+Subject: [PATCH] Check that the type is correct
+
+---
+ ext/standard/incomplete_class.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/incomplete_class.c b/ext/standard/incomplete_class.c
+index 1816ac4..30c82e6 100644
+--- a/ext/standard/incomplete_class.c
++++ b/ext/standard/incomplete_class.c
+@@ -144,7 +144,7 @@ PHPAPI char *php_lookup_class_name(zval *object, zend_uint *nlen)
+ 
+ 	object_properties = Z_OBJPROP_P(object);
+ 
+-	if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS) {
++	if (zend_hash_find(object_properties, MAGIC_MEMBER, sizeof(MAGIC_MEMBER), (void **) &val) == SUCCESS && Z_TYPE_PP(val) == IS_STRING) {
+ 		retval = estrndup(Z_STRVAL_PP(val), Z_STRLEN_PP(val));
+ 
+ 		if (nlen) {
+-- 
+2.1.4
+
+From a894a8155fab068d68a04bf181dbaddfa01ccbb0 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 5 Apr 2015 17:30:59 -0700
+Subject: [PATCH] More fixes for bug #69152
+
+---
+ Zend/zend_exceptions.c                     |  3 +++
+ ext/standard/tests/serialize/bug69152.phpt | 16 ++++++++++++++++
+ 2 files changed, 19 insertions(+)
+ create mode 100644 ext/standard/tests/serialize/bug69152.phpt
+
+diff --git a/Zend/zend_exceptions.c b/Zend/zend_exceptions.c
+index bf90ae7..1ca2ead 100644
+--- a/Zend/zend_exceptions.c
++++ b/Zend/zend_exceptions.c
+@@ -536,6 +536,9 @@ ZEND_METHOD(exception, getTraceAsString)
+ 	str = &res;
+ 
+ 	trace = zend_read_property(default_exception_ce, getThis(), "trace", sizeof("trace")-1, 1 TSRMLS_CC);
++	if(Z_TYPE_P(trace) != IS_ARRAY) {
++		RETURN_FALSE;
++	}
+ 	zend_hash_apply_with_arguments(Z_ARRVAL_P(trace) TSRMLS_CC, (apply_func_args_t)_build_trace_string, 3, str, len, &num);
+ 
+ 	s_tmp = emalloc(1 + MAX_LENGTH_OF_LONG + 7 + 1);
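Review bot: The new `IS_ARRAY` check returns after `str = &res;`, so if `res` was allocated above the hunk (not visible here) the early `RETURN_FALSE` leaks it; `efree(res);` before the return, or moving the check ahead of the allocation, would avoid that. The check also covers only the container: `_build_trace_string` is applied to every element, and whether it validates each frame and the types of the entries it reads cannot be seen from this hunk and should be confirmed. The method continues past the hunk.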
+diff --git a/ext/standard/tests/serialize/bug69152.phpt b/ext/standard/tests/serialize/bug69152.phpt
+new file mode 100644
+index 0000000..4e74168
+--- /dev/null
++++ b/ext/standard/tests/serialize/bug69152.phpt
+@@ -0,0 +1,16 @@
++--TEST--
++Bug #69152: Type Confusion Infoleak Vulnerability in unserialize()
++--FILE--
++<?php
++$x = unserialize('O:9:"exception":1:{s:16:"'."\0".'Exception'."\0".'trace";s:4:"ryat";}');
++echo $x;
++$x =  unserialize('O:4:"test":1:{s:27:"__PHP_Incomplete_Class_Name";R:1;}');
++$x->test();
++
++?>
++--EXPECTF--
++exception 'Exception' in %s:%d
++Stack trace:
++#0 {main}
++
++Fatal error: main(): The script tried to execute a method or access a property of an incomplete object. Please ensure that the class definition "unknown" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide a __autoload() function to load the class definition  in %s on line %d
+-- 
+2.1.4
+
diff --git a/SOURCES/php-5.4.16-bug69353.patch b/SOURCES/php-5.4.16-bug69353.patch
new file mode 100644
index 0000000..299b633
--- /dev/null
+++ b/SOURCES/php-5.4.16-bug69353.patch
@@ -0,0 +1,613 @@
+Adapted for 5.4.16 from
+
+From 52b93f0cfd3cba7ff98cc5198df6ca4f23865f80 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 5 Apr 2015 16:01:24 -0700
+Subject: [PATCH] Fixed bug #69353 (Missing null byte checks for paths in
+ various PHP extensions)
+
+---
+ ext/dom/document.c                                 | 5 ++++-
+ ext/dom/tests/DOMDocument_loadHTMLfile_error2.phpt | 5 +++++
+ ext/fileinfo/fileinfo.c                            | 5 +++++
+ ext/fileinfo/tests/finfo_file_basic.phpt           | 4 ++++
+ ext/gd/gd.c                                        | 8 ++++----
+ ext/hash/hash.c                                    | 7 ++++++-
+ ext/hash/tests/hash_hmac_file_error.phpt           | 7 +++++++
+ ext/pgsql/pgsql.c                                  | 2 +-
+ ext/standard/link.c                                | 2 +-
+ ext/standard/streamsfuncs.c                        | 2 +-
+ ext/xmlwriter/php_xmlwriter.c                      | 4 ++--
+ ext/zlib/zlib.c                                    | 4 ++--
+ 12 files changed, 42 insertions(+), 13 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index 18c9cc6..7c5817a 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1574,6 +1574,9 @@ static xmlDocPtr dom_document_parser(zval *id, int mode, char *source, int sourc
+ 	xmlInitParser();
+ 
+ 	if (mode == DOM_LOAD_FILE) {
++		if (CHECK_NULL_PATH(source, source_len)) {
++			return NULL;
++		}
+ 		char *file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
+ 		if (file_dest) {
+ 			ctxt = xmlCreateFileParserCtxt(file_dest);
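Review bot: The added `CHECK_NULL_PATH` block sits in front of the declaration `char *file_dest = ...`, which turns it into a declaration after a statement, and a strict C89 compiler rejects that. Declaring first and assigning after the check keeps the fix: `char *file_dest;` above the `if`, then `file_dest = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);`. The early `return NULL` is also silent, whereas the fileinfo and hash hunks in this patch emit an `Invalid path` warning through `php_error_docref`; the same call here would make a rejected path visible in logs. dom_document_parser starts and ends outside the hunk.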
+@@ -2165,7 +2165,7 @@ static void dom_load_html(INTERNAL_FUNCTION_PARAMETERS, int mode) /* {{{ */
+ 	
+ 	id = getThis();
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/fileinfo/fileinfo.c b/ext/fileinfo/fileinfo.c
+index ead7585..9f651af 100644
+--- a/ext/fileinfo/fileinfo.c
++++ b/ext/fileinfo/fileinfo.c
+@@ -506,6 +506,11 @@ static void _php_finfo_get_type(INTERNAL_FUNCTION_PARAMETERS, int mode, int mime
+ 				RETVAL_FALSE;
+ 				goto clean;
+ 			}
++			if (CHECK_NULL_PATH(buffer, buffer_len)) {
++				php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
++				RETVAL_FALSE;
++				goto clean;
++			}
+ 
+ 			wrap = php_stream_locate_url_wrapper(buffer, &tmp2, 0 TSRMLS_CC);
+ 
+diff --git a/ext/fileinfo/tests/finfo_file_basic.phpt b/ext/fileinfo/tests/finfo_file_basic.phpt
+index 20223fd..ee70e2e 100644
+--- a/ext/fileinfo/tests/finfo_file_basic.phpt
++++ b/ext/fileinfo/tests/finfo_file_basic.phpt
+@@ -19,6 +19,7 @@ echo "*** Testing finfo_file() : basic functionality ***\n";
+ var_dump( finfo_file( $finfo, __FILE__) );
+ var_dump( finfo_file( $finfo, __FILE__, FILEINFO_CONTINUE ) );
+ var_dump( finfo_file( $finfo, $magicFile ) );
++var_dump( finfo_file( $finfo, $magicFile.chr(0).$magicFile) );
+ 
+ ?>
+ ===DONE===
+@@ -27,4 +28,7 @@ var_dump( finfo_file( $finfo, $magicFile ) );
+ string(28) "text/x-php; charset=us-ascii"
+ string(22) "PHP script, ASCII text"
+ string(25) "text/plain; charset=utf-8"
++
++Warning: finfo_file(): Invalid path in %s/finfo_file_basic.php on line %d
++bool(false)
+ ===DONE===
+diff --git a/ext/gd/gd.c b/ext/gd/gd.c
+index cbc1d2b..322325e 100644
+--- a/ext/gd/gd.c
++++ b/ext/gd/gd.c
+@@ -1495,7 +1495,7 @@ PHP_FUNCTION(imageloadfont)
+ 	gdFontPtr font;
+ 	php_stream *stream;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_name) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_name) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -2438,7 +2438,7 @@ static void _php_image_create_from(INTER
+ 	long ignore_warning;
+ #endif
+ 	if (image_type == PHP_GDIMG_TYPE_GD2PART) {
+-		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "sllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
++		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pllll", &file, &file_len, &srcx, &srcy, &width, &height) == FAILURE) {
+ 			return;
+ 		}
+ 		if (width < 1 || height < 1) {
+@@ -2446,7 +2446,7 @@ static void _php_image_create_from(INTER
+ 			RETURN_FALSE;
+ 		}
+ 	} else {
+-		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
++		if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
+ 			return;
+ 		}
+ 	}
+@@ -4178,7 +4178,7 @@ PHP_FUNCTION(imagepsencodefont)
+ 	char *enc, **enc_vector;
+ 	int enc_len, *f_ind;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs", &fnt, &enc, &enc_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp", &fnt, &enc, &enc_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/hash/hash.c b/ext/hash/hash.c
+index abdc62b..9cd6b8e 100644
+--- a/ext/hash/hash.c
++++ b/ext/hash/hash.c
+@@ -142,6 +142,7 @@ static void php_hash_do_hash(INTERNAL_FU
+ 	}
+ 	if (isfilename) {
+ 		if (CHECK_NULL_PATH(data, data_len)) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
+ 			RETURN_FALSE;
+ 		}
+ 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
+@@ -222,6 +223,10 @@ static void php_hash_do_hash_hmac(INTERN
+ 		RETURN_FALSE;
+ 	}
+ 	if (isfilename) {
++		if (CHECK_NULL_PATH(data, data_len)) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid path");
++			RETURN_FALSE;
++		}
+ 		stream = php_stream_open_wrapper_ex(data, "rb", REPORT_ERRORS, NULL, DEFAULT_CONTEXT);
+ 		if (!stream) {
+ 			/* Stream will report errors opening file */
+@@ -449,7 +454,7 @@ PHP_FUNCTION(hash_update_file)
+ 	char *filename, buf[1024];
+ 	int filename_len, n;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rs|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rp|r", &zhash, &filename, &filename_len, &zcontext) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/hash/tests/hash_hmac_file_error.phpt b/ext/hash/tests/hash_hmac_file_error.phpt
+index 42ab122..26ba8aa 100644
+--- a/ext/hash/tests/hash_hmac_file_error.phpt
++++ b/ext/hash/tests/hash_hmac_file_error.phpt
+@@ -28,6 +28,9 @@ hash_hmac_file('crc32', $file, $key, TRUE, $extra_arg);
+ echo "\n-- Testing hash_hmac_file() function with invalid hash algorithm --\n";
+ hash_hmac_file('foo', $file, $key, TRUE);
+ 
++echo "\n-- Testing hash_hmac_file() function with bad path --\n";
++hash_hmac_file('crc32', $file.chr(0).$file, $key, TRUE);
++
+ ?>
+ ===Done===
+ --EXPECTF--
+@@ -51,4 +54,8 @@ Warning: hash_hmac_file() expects at most 4 parameters, 5 given in %s on line %d
+ -- Testing hash_hmac_file() function with invalid hash algorithm --
+ 
+ Warning: hash_hmac_file(): Unknown hashing algorithm: foo in %s on line %d
++
++-- Testing hash_hmac_file() function with bad path --
++
++Warning: hash_hmac_file(): Invalid path in %s on line %d
+ ===Done===
+\ No newline at end of file
+diff --git a/ext/pgsql/pgsql.c b/ext/pgsql/pgsql.c
+index 7af7e8b..23d55cb 100644
+--- a/ext/pgsql/pgsql.c
++++ b/ext/pgsql/pgsql.c
+@@ -2884,7 +2884,7 @@ PHP_FUNCTION(pg_trace)
+ 	php_stream *stream;
+ 	id = PGG(default_link);
+ 	
+-	if (zend_parse_parameters(argc TSRMLS_CC, "s|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
++	if (zend_parse_parameters(argc TSRMLS_CC, "p|sr", &z_filename, &z_filename_len, &mode, &mode_len, &pgsql_link) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/standard/link.c b/ext/standard/link.c
+index 0e40a0b..4ed2c5e 100644
+--- a/ext/standard/link.c
++++ b/ext/standard/link.c
+@@ -59,7 +59,7 @@ PHP_FUNCTION(readlink)
+ 	char buff[MAXPATHLEN];
+ 	int ret;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &link, &link_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &link, &link_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/standard/streamsfuncs.c b/ext/standard/streamsfuncs.c
+index 7ddfc66..4c2837e 100644
+--- a/ext/standard/streamsfuncs.c
++++ b/ext/standard/streamsfuncs.c
+@@ -1545,7 +1545,7 @@ PHP_FUNCTION(stream_resolve_include_path)
+ 	char *filename, *resolved_path;
+ 	int filename_len;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &filename, &filename_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &filename, &filename_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/xmlwriter/php_xmlwriter.c b/ext/xmlwriter/php_xmlwriter.c
+index 206d82a..7a650e2 100644
+--- a/ext/xmlwriter/php_xmlwriter.c
++++ b/ext/xmlwriter/php_xmlwriter.c
+@@ -1738,7 +1738,7 @@ static PHP_FUNCTION(xmlwriter_write_dtd_entity)
+ /* }}} */
+ #endif
+ 
+-/* {{{ proto resource xmlwriter_open_uri(resource xmlwriter, string source)
++/* {{{ proto resource xmlwriter_open_uri(string source)
+ Create new xmlwriter using source uri for output */
+ static PHP_FUNCTION(xmlwriter_open_uri)
+ {
+@@ -1759,7 +1759,7 @@ static PHP_FUNCTION(xmlwriter_open_uri)
+ 	void *ioctx;
+ #endif
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &source, &source_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &source, &source_len) == FAILURE) {
+ 		return;
+ 	}
+ 	
+diff --git a/ext/zlib/zlib.c b/ext/zlib/zlib.c
+index d70198c..ec958e1 100644
+--- a/ext/zlib/zlib.c
++++ b/ext/zlib/zlib.c
+@@ -581,7 +581,7 @@ static PHP_FUNCTION(gzopen)
+ 	php_stream *stream;
+ 	long use_include_path = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ss|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "ps|l", &filename, &filename_len, &mode, &mode_len, &use_include_path) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -609,7 +609,7 @@ static PHP_FUNCTION(readgzfile)
+ 	int size;
+ 	long use_include_path = 0;
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &filename, &filename_len, &use_include_path) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &filename, &filename_len, &use_include_path) == FAILURE) {
+ 		return;
+ 	}
+ 
+-- 
+2.1.4
+
+From 1defbb25ed69e7a1a90e2bcb2ee3b9190ea06577 Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 12 Apr 2015 00:56:02 -0700
+Subject: [PATCH] Fix test
+
+---
+ ext/standard/tests/file/readlink_variation1.phpt | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/standard/tests/file/readlink_variation1.phpt b/ext/standard/tests/file/readlink_variation1.phpt
+index 1dae17c..d4f1a5f 100644
+--- a/ext/standard/tests/file/readlink_variation1.phpt
++++ b/ext/standard/tests/file/readlink_variation1.phpt
+@@ -65,7 +65,7 @@ bool(false)
+ Warning: readlink(): %s in %s on line %d
+ bool(false)
+ 
+-Warning: readlink() expects parameter 1 to be string, resource given in %s on line %d
++Warning: readlink() expects parameter 1 to be a valid path, resource given in %s on line %d
+ NULL
+ 
+ Warning: readlink(): %s in %s on line %d
+-- 
+2.1.4
+
+From a643ccfb90750e0d830106588d2a46af87706b5b Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 12 Apr 2015 20:53:09 -0700
+Subject: [PATCH] Fix tests
+
+---
+ ext/gd/tests/imageloadfont_error1.phpt    |  6 +++---
+ ext/zlib/tests/gzopen_variation1.phpt     | 28 ++++++++++++++--------------
+ ext/zlib/tests/readgzfile_variation1.phpt | 10 +++++-----
+ ext/zlib/tests/readgzfile_variation6.phpt |  4 ++--
+ 4 files changed, 24 insertions(+), 24 deletions(-)
+
+diff --git a/ext/gd/tests/imageloadfont_error1.phpt b/ext/gd/tests/imageloadfont_error1.phpt
+index 16d1a3c..418bbf3 100644
+--- a/ext/gd/tests/imageloadfont_error1.phpt
++++ b/ext/gd/tests/imageloadfont_error1.phpt
+@@ -3,7 +3,7 @@ Testing that imageloadfont() breaks on non-string first parameter
+ --CREDITS--
+ Neveo Harrison <neveoo [at] gmail [dot] com> #testfest #tek11
+ --SKIPIF--
+-<?php 
++<?php
+ 	if (!extension_loaded("gd")) die("skip GD not present");
+ ?>
+ --FILE--
+@@ -11,5 +11,5 @@ Neveo Harrison <neveoo [at] gmail [dot] com> #testfest #tek11
+ var_dump( imageloadfont(array()) );
+ ?>
+ --EXPECTF--
+-Warning: imageloadfont() expects parameter 1 to be string, array given in %s on line %d
+-NULL
+\ No newline at end of file
++Warning: imageloadfont() expects parameter 1 to be a valid path, array given in %s on line %d
++NULL
+diff --git a/ext/zlib/tests/gzopen_variation1.phpt b/ext/zlib/tests/gzopen_variation1.phpt
+index c5a47f4..bca48f3 100644
+--- a/ext/zlib/tests/gzopen_variation1.phpt
++++ b/ext/zlib/tests/gzopen_variation1.phpt
+@@ -1,17 +1,17 @@
+ --TEST--
+-Test gzopen() function : usage variation 
++Test gzopen() function : usage variation
+ --SKIPIF--
+-<?php 
++<?php
+ if (!extension_loaded("zlib")) {
+-	print "skip - zlib extension not loaded"; 
+-}	 
++	print "skip - zlib extension not loaded";
++}
+ ?>
+ --FILE--
+ <?php
+ /* Prototype  : resource gzopen(string filename, string mode [, int use_include_path])
+- * Description: Open a .gz-file and return a .gz-file pointer 
++ * Description: Open a .gz-file and return a .gz-file pointer
+  * Source code: ext/zlib/zlib.c
+- * Alias to functions: 
++ * Alias to functions:
+  */
+ 
+ echo "*** Testing gzopen() : usage variation ***\n";
+@@ -102,9 +102,9 @@ $inputs = array(
+ 
+       // unset data
+       'unset var' => @$unset_var,
+-      
++
+       // resource variable
+-      'resource' => $fp      
++      'resource' => $fp
+ );
+ 
+ // loop through each element of the array for filename
+@@ -158,19 +158,19 @@ Error: 2 - gzopen(0.5): failed to open stream: No such file or directory, %s(%d)
+ bool(false)
+ 
+ --empty array--
+-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
+ NULL
+ 
+ --int indexed array--
+-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
+ NULL
+ 
+ --associative array--
+-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
+ NULL
+ 
+ --nested arrays--
+-Error: 2 - gzopen() expects parameter 1 to be string, array given, %s(%d)
++Error: 2 - gzopen() expects parameter 1 to be a valid path, array given, %s(%d)
+ NULL
+ 
+ --uppercase NULL--
+@@ -210,7 +210,7 @@ Error: 2 - gzopen(Class A object): failed to open stream: No such file or direct
+ bool(false)
+ 
+ --instance of classWithoutToString--
+-Error: 2 - gzopen() expects parameter 1 to be string, object given, %s(%d)
++Error: 2 - gzopen() expects parameter 1 to be a valid path, object given, %s(%d)
+ NULL
+ 
+ --undefined var--
+@@ -222,7 +222,7 @@ Error: 2 - gzopen(): Filename cannot be empty, %s(%d)
+ bool(false)
+ 
+ --resource--
+-Error: 2 - gzopen() expects parameter 1 to be string, resource given, %s(%d)
++Error: 2 - gzopen() expects parameter 1 to be a valid path, resource given, %s(%d)
+ NULL
+ ===DONE===
+ 
+diff --git a/ext/zlib/tests/readgzfile_variation1.phpt b/ext/zlib/tests/readgzfile_variation1.phpt
+index 5a5ec4f..5d9b639 100644
+--- a/ext/zlib/tests/readgzfile_variation1.phpt
++++ b/ext/zlib/tests/readgzfile_variation1.phpt
+@@ -29,15 +29,15 @@ foreach ( $variation as $var ) {
+ ===DONE===
+ --EXPECTF--
+ 
+-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+ 
+-Warning: readgzfile() expects parameter 1 to be string, array given in %s on line %d
++Warning: readgzfile() expects parameter 1 to be a valid path, array given in %s on line %d
+ NULL
+-===DONE===
+\ No newline at end of file
++===DONE===
+diff --git a/ext/zlib/tests/readgzfile_variation6.phpt b/ext/zlib/tests/readgzfile_variation6.phpt
+index 702f918..9fcea02 100644
+--- a/ext/zlib/tests/readgzfile_variation6.phpt
++++ b/ext/zlib/tests/readgzfile_variation6.phpt
+@@ -45,5 +45,5 @@ foreach ( $variation as $var ) {
+ --EXPECTF--
+ Error: 2 - readgzfile(Class A object): failed to open stream: No such file or directory, %s(%d)
+ bool(false)
+-Error: 2 - readgzfile() expects parameter 1 to be string, object given, %s(%d)
+-NULL
+\ No newline at end of file
++Error: 2 - readgzfile() expects parameter 1 to be a valid path, object given, %s(%d)
++NULL
+-- 
+2.1.4
+
+From f7d7befae8bcc2db0093f8adaa9f72eeb7ad891e Mon Sep 17 00:00:00 2001
+From: Stanislav Malyshev <stas@php.net>
+Date: Sun, 31 May 2015 22:47:52 -0700
+Subject: [PATCH] Fix #69719 - more checks for nulls in paths
+
+---
+ ext/dom/document.c | 22 +++++++++++++++++-----
+ ext/gd/gd.c        | 16 ++++++++--------
+ 2 files changed, 25 insertions(+), 13 deletions(-)
+
+diff --git a/ext/dom/document.c b/ext/dom/document.c
+index 48a19dd..097fcba 100644
+--- a/ext/dom/document.c
++++ b/ext/dom/document.c
+@@ -1754,7 +1754,7 @@ PHP_FUNCTION(dom_document_save)
+ 	char *file;
+ 	long options = 0;
+ 
+-	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
++	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op|l", &id, dom_document_class_entry, &file, &file_len, &options) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -1983,7 +1983,7 @@ static void _dom_document_schema_validat
+ 	int                     is_valid;
+ 	char resolved_path[MAXPATHLEN + 1];
+ 
+-	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
++	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -1996,6 +1996,10 @@ static void _dom_document_schema_validat
+ 
+ 	switch (type) {
+ 	case DOM_LOAD_FILE:
++		if (CHECK_NULL_PATH(source, source_len)) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
++			RETURN_FALSE;
++		}
+ 		valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
+ 		if (!valid_file) {
+ 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid Schema file source");
+@@ -2072,7 +2076,7 @@ static void _dom_document_relaxNG_valida
+ 	int                     is_valid;
+ 	char resolved_path[MAXPATHLEN + 1];
+ 
+-	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
++	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &source, &source_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -2085,6 +2089,10 @@ static void _dom_document_relaxNG_valida
+ 
+ 	switch (type) {
+ 	case DOM_LOAD_FILE:
++		if (CHECK_NULL_PATH(source, source_len)) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
++			RETURN_FALSE;
++		}
+ 		valid_file = _dom_get_valid_file_path(source, resolved_path, MAXPATHLEN  TSRMLS_CC);
+ 		if (!valid_file) {
+ 			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid RelaxNG file source");
+@@ -2165,7 +2173,7 @@ static void dom_load_html(INTERNAL_FUNCT
+ 	
+ 	id = getThis();
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p|l", &source, &source_len, &options) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s|l", &source, &source_len, &options) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -2175,6 +2183,10 @@ static void dom_load_html(INTERNAL_FUNCT
+ 	}
+ 
+ 	if (mode == DOM_LOAD_FILE) {
++		if (CHECK_NULL_PATH(source, source_len)) {
++			php_error_docref(NULL TSRMLS_CC, E_WARNING, "Invalid file source");
++			RETURN_FALSE;
++		}
+ 		ctxt = htmlCreateFileParserCtxt(source, NULL);
+ 	} else {
+ 		source_len = xmlStrlen(source);
+@@ -2263,7 +2275,7 @@ PHP_FUNCTION(dom_document_save_html_file
+ 	char *file;
+ 	const char *encoding;
+ 
+-	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Os", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
++	if (zend_parse_method_parameters(ZEND_NUM_ARGS() TSRMLS_CC, getThis(), "Op", &id, dom_document_class_entry, &file, &file_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+diff --git a/ext/gd/gd.c b/ext/gd/gd.c
+index d258c3d..e527575 100644
+--- a/ext/gd/gd.c
++++ b/ext/gd/gd.c
+@@ -1790,7 +1790,7 @@ PHP_FUNCTION(imagefilledarc)
+ 	long cx, cy, w, h, ST, E, col, style;
+ 	gdImagePtr im;
+ 	int e, st;
+-	
++
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "rllllllll", &IM, &cx, &cy, &w, &h, &ST, &E, &col, &style) == FAILURE) {
+ 		return;
+ 	}
+@@ -2033,7 +2033,7 @@ PHP_FUNCTION(imagegrabwindow)
+ 	if ( handle == 0 ) {
+ 		goto clean;
+ 	}
+-	pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");  
++	pPrintWindow = (tPrintWindow) GetProcAddress(handle, "PrintWindow");
+ 
+ 	if ( pPrintWindow )  {
+ 		pPrintWindow(window, memDC, (UINT) client_area);
+@@ -3984,7 +3984,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int
+ 			if (zend_hash_get_current_data_ex(HASH_OF(EXT), (void **) &item, &pos) == FAILURE) {
+ 				continue;
+ 			}
+-		
++
+ 			if (strcmp("linespacing", key) == 0) {
+ 				convert_to_double_ex(item);
+ 				strex.flags |= gdFTEX_LINESPACE;
+@@ -4006,7 +4006,7 @@ static void php_imagettftext_common(INTERNAL_FUNCTION_PARAMETERS, int mode, int
+ #endif
+ 
+ 	PHP_GD_CHECK_OPEN_BASEDIR(fontname, "Invalid font filename");
+-	
++
+ #ifdef USE_GD_IMGSTRTTF
+ # if HAVE_GD_STRINGFTEX
+ 	if (extended) {
+@@ -4071,7 +4071,7 @@ PHP_FUNCTION(imagepsloadfont)
+ 	struct stat st;
+ #endif
+ 
+-	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "s", &file, &file_len) == FAILURE) {
++	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "p", &file, &file_len) == FAILURE) {
+ 		return;
+ 	}
+ 
+@@ -4411,11 +4411,11 @@ PHP_FUNCTION(imagepsbbox)
+ 	if (argc != 3 && argc != 6) {
+ 		ZEND_WRONG_PARAM_COUNT();
+ 	}
+-	
++
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "srl|lld", &str, &str_len, &fnt, &sz, &sp, &wd, &angle) == FAILURE) {
+ 		return;
+ 	}
+-	
++
+ 	if (argc == 6) {
+ 		space = sp;
+ 		add_width = wd;
+@@ -4600,7 +4600,7 @@ static void _php_image_convert(INTERNAL_FUNCTION_PARAMETERS, int image_type )
+ #ifdef HAVE_GD_JPG
+     long ignore_warning;
+ #endif
+-	
++
+ 	if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "pplll", &f_org, &f_org_len, &f_dest, &f_dest_len, &height, &width, &threshold) == FAILURE) {
+ 		return;
+ 	}
+-- 
+2.1.4
diff --git a/SPECS/php.spec b/SPECS/php.spec
index 2b479ff..bc9767a 100644
--- a/SPECS/php.spec
+++ b/SPECS/php.spec
@@ -62,13 +62,14 @@
 %global db_devel  libdb-devel
 %endif
 
+%global _performance_build 1
+
 #global rcver RC2
 
 Summary: PHP scripting language for creating dynamic web sites
 Name: php
 Version: 5.4.16
-# Only odd release to avoid conflicts with even release used by php54 SCL
-Release: 23%{?dist}.3
+Release: 36%{?dist}
 # All files licensed under PHP version 3.01, except
 # Zend is licensed under Zend
 # TSRM is licensed under BSD
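Review bot: `%global _performance_build 1` is added with no comment saying what it controls, although the other additions in this spec explain themselves. The changelog later in this diff mentions "compile php with -O3 on ppc64le (#1123499)", and a later hunk removes the `%ifarch ppc64` / `-O3` block, so the macro presumably takes over that role through the distribution's build flags. A one-line comment such as `# use the distribution's performance build flags (-O3 on ppc64le, #1123499)` would record that. It is also worth confirming that the target build root's rpm macros honour this macro, because otherwise the package silently falls back to the default optimisation level.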
@@ -106,6 +107,12 @@ Patch24: php-5.4.16-fpm.patch
 # https://bugs.php.net/65143 php-cgi man page
 # https://bugs.php.net/65142 phar man page
 Patch25: php-5.4.16-man.patch
+# https://bugs.php.net/66987 fileinfo / bigendian
+Patch26: php-5.4.16-bug66987.patch
+# https://bugs.php.net/50444 pdo_odbc / x86_64
+Patch27: php-5.4.16-bug50444.patch
+# https://bugs.php.net/63595 gmp memory allocator
+Patch28: php-5.4.16-bug63595.patch
 
 # Functional changes
 Patch40: php-5.4.0-dlopen.patch
@@ -121,6 +128,8 @@ Patch45: php-5.4.8-ldap_r.patch
 Patch46: php-5.4.9-fixheader.patch
 # drop "Configure command" from phpinfo output
 Patch47: php-5.4.9-phpinfo.patch
+# Fix php_select on aarch64 (http://bugs.php.net/67406)
+Patch48: php-5.4.16-aarch64-select.patch
 
 # Fixes for tests
 Patch60: php-5.4.16-pdotests.patch
@@ -154,6 +163,27 @@ Patch126: php-5.4.16-CVE-2014-3668.patch
 Patch127: php-5.4.16-CVE-2014-3669.patch
 Patch128: php-5.4.16-CVE-2014-3670.patch
 Patch129: php-5.4.16-CVE-2014-3710.patch
+Patch130: php-5.4.16-CVE-2014-8142.patch
+Patch131: php-5.4.16-CVE-2015-0231.patch
+Patch132: php-5.4.16-CVE-2015-0232.patch
+Patch133: php-5.4.16-CVE-2014-9652.patch
+Patch134: php-5.4.16-CVE-2014-9709.patch
+Patch135: php-5.4.16-CVE-2015-0273.patch
+Patch136: php-5.4.16-CVE-2014-9705.patch
+Patch137: php-5.4.16-CVE-2015-2301.patch
+Patch138: php-5.4.16-bug69085.patch
+Patch139: php-5.4.16-CVE-2015-2787.patch
+Patch140: php-5.4.16-CVE-2015-2348.patch
+Patch145: php-5.4.16-CVE-2015-4022.patch
+Patch146: php-5.4.16-CVE-2015-4021.patch
+Patch147: php-5.4.16-CVE-2015-4024.patch
+Patch148: php-5.4.16-CVE-2015-4025.patch
+Patch149: php-5.4.16-CVE-2015-3330.patch
+Patch150: php-5.4.16-bug69353.patch
+Patch151: php-5.4.16-CVE-2015-2783.patch
+Patch152: php-5.4.16-CVE-2015-3329.patch
+Patch153: php-5.4.16-bug68819.patch
+Patch154: php-5.4.16-bug69152.patch
 
 
 BuildRequires: bzip2-devel, curl-devel >= 7.9, gmp-devel
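Review bot: Patch130 to Patch154 are listed without the upstream reference comments that Patch26 to Patch28 and Patch48 carry (for example `# https://bugs.php.net/66987 fileinfo / bigendian`), which makes it harder to audit which upstream fix each security backport corresponds to. The numbering also skips 141 to 144. The changelog in this diff claims fixes for CVE-2015-3307 and CVE-2015-4026, but no patch file carries those names; they are presumably folded into other patches in this list, though that cannot be confirmed from here. A comment line per patch naming the upstream bug and every CVE it covers, in the form `# <upstream bug URL> <component>, <CVE ids covered>`, would let a reviewer or scanner map each advisory to a file.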
@@ -645,6 +675,9 @@ support for using the enchant library to PHP.
 %patch23 -p1 -b .gc
 %patch24 -p1 -b .fpm
 %patch25 -p1 -b .manpages
+%patch26 -p1 -b .bug66987
+%patch27 -p1 -b .bug50444
+%patch28 -p1 -b .bug63595
 
 %patch40 -p1 -b .dlopen
 %patch41 -p1 -b .easter
@@ -658,6 +691,7 @@ support for using the enchant library to PHP.
 %endif
 %patch46 -p1 -b .fixheader
 %patch47 -p1 -b .phpinfo
+%patch48 -p1 -b .aarch64select
 
 %patch60 -p1 -b .pdotests
 
@@ -689,6 +723,28 @@ support for using the enchant library to PHP.
 %patch127 -p1 -b .cve3669
 %patch128 -p1 -b .cve3670
 %patch129 -p1 -b .cve3710
+%patch130 -p1 -b .cve8142
+%patch131 -p1 -b .cve0231
+%patch132 -p1 -b .cve0232
+%patch133 -p1 -b .cve9652
+%patch134 -p1 -b .cve9709
+%patch135 -p1 -b .cve0273
+%patch136 -p1 -b .cve9705
+%patch137 -p1 -b .cve2301
+%patch138 -p1 -b .bug68095
+%patch139 -p1 -b .cve2787
+%patch140 -p1 -b .cve2348
+%patch145 -p1 -b .cve4022
+%patch146 -p1 -b .cve4021
+%patch147 -p1 -b .cve4024
+%patch148 -p1 -b .cve4025
+%patch149 -p1 -b .cve3330
+%patch150 -p1 -b .bug69353
+%patch151 -p1 -b .cve2783
+%patch152 -p1 -b .cve3329
+%patch153 -p1 -b .bug68819
+%patch154 -p1 -b .bug69152
+
 
 # Prevent %%doc confusion over LICENSE files
 cp Zend/LICENSE Zend/ZEND_LICENSE
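Review bot: The backup suffix on `%patch138` does not match the patch it applies: Patch138 is `php-5.4.16-bug69085.patch`, but this hunk has `%patch138 -p1 -b .bug68095`. The suffix only names the backup files, so the build is unaffected, but it misleads anyone searching the prepared source tree for the bug number. It should read `%patch138 -p1 -b .bug69085`. The hunk also adds an extra blank line after `%patch154`, which can be dropped.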
@@ -812,9 +868,6 @@ touch configure.in
 ./buildconf --force
 
 CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing -Wno-pointer-sign"
-%ifarch ppc64
-CFLAGS="$CFLAGS -O3"
-%endif
 export CFLAGS
 
 # Install extension modules in %{_libdir}/php/modules.
@@ -1462,15 +1515,58 @@ fi
 
 
 %changelog
-* Thu Oct 23 2014 Jan Kaluza <jkaluza@redhat.com> - 5.4.16-23.3
+* Wed Jun 10 2015 Remi Collet <rcollet@redhat.com> - 5.4.16-36
+- fix more functions accept paths with NUL character #1213407
+
+* Fri Jun  5 2015 Remi Collet <rcollet@redhat.com> - 5.4.16-35
+- core: fix multipart/form-data request can use excessive
+  amount of CPU usage CVE-2015-4024
+- fix various functions accept paths with NUL character
+  CVE-2015-4025, CVE-2015-4026, #1213407
+- fileinfo: fix denial of service when processing a crafted
+  file #1213442
+- ftp: fix integer overflow leading to heap overflow when
+  reading FTP file listing CVE-2015-4022
+- phar: fix buffer over-read in metadata parsing CVE-2015-2783
+- phar: invalid pointer free() in phar_tar_process_metadata()
+  CVE-2015-3307
+- phar: fix buffer overflow in phar_set_inode() CVE-2015-3329
+- phar: fix memory corruption in phar_parse_tarfile caused by
+  empty entry file name CVE-2015-4021
+- soap: fix type confusion through unserialize #1222538
+- apache2handler: fix pipelined request executed in deinitialized
+  interpreter under httpd 2.4 CVE-2015-3330
+
+* Thu Apr 16 2015 Remi Collet <rcollet@redhat.com> - 5.4.16-34
+- fix memory corruption in fileinfo module on big endian
+  machines #1082624
+- fix segfault in pdo_odbc on x86_64 #1159892
+- fix segfault in gmp allocator #1154760
+
+* Fri Apr 10 2015 Remi Collet <rcollet@redhat.com> - 5.4.16-33
+- core: use after free vulnerability in unserialize()
+  CVE-2014-8142 and CVE-2015-0231
+- core: fix use-after-free in unserialize CVE-2015-2787
+- core: fix NUL byte injection in file name argument of
+  move_uploaded_file() CVE-2015-2348
+- date: use after free vulnerability in unserialize CVE-2015-0273
+- enchant: fix heap buffer overflow in enchant_broker_request_dict
+  CVE-2014-9705
+- exif: free called on unitialized pointer CVE-2015-0232
+- fileinfo: fix out of bounds read in mconvert CVE-2014-9652
+- gd: fix buffer read overflow in gd_gif_in.c CVE-2014-9709
+- phar: use after free in phar_object.c CVE-2015-2301
+- soap: fix type confusion through unserialize
+
+* Thu Oct 23 2014 Jan Kaluza <jkaluza@redhat.com> - 5.4.16-31
 - fileinfo: fix out-of-bounds read in elf note headers. CVE-2014-3710
 
-* Tue Oct 21 2014 Remi Collet <rcollet@redhat.com> - 5.4.16-23.2
+* Tue Oct 21 2014 Remi Collet <rcollet@redhat.com> - 5.4.16-29
 - xmlrpc: fix out-of-bounds read flaw in mkgmtime() CVE-2014-3668
 - core: fix integer overflow in unserialize() CVE-2014-3669
 - exif: fix heap corruption issue in exif_thumbnail() CVE-2014-3670
 
-* Thu Sep 11 2014 Remi Collet <rcollet@redhat.com> - 5.4.16-23.1
+* Fri Sep 12 2014 Remi Collet <rcollet@redhat.com> - 5.4.16-27
 - gd: fix NULL pointer dereference in gdImageCreateFromXpm().
   CVE-2014-2497
 - gd: fix NUL byte injection in file names. CVE-2014-5120
@@ -1486,6 +1582,11 @@ fi
 - network: fix segfault in dns_get_record
   (incomplete fix for CVE-2014-4049). CVE-2014-3597
 
+
+* Thu Aug 21 2014 Jan Kaluza <jkaluza@redhat.com> - 5.4.16-25
+- fix segfault after startup on aarch64 (#1107567)
+- compile php with -O3 on ppc64le (#1123499)
+
 * Fri Jun 13 2014 Remi Collet <rcollet@redhat.com> - 5.4.16-23
 - fileinfo: cdf_unpack_summary_info() excessive looping
   DoS. CVE-2014-0237