Merge branch 'PHP-5.5' into PHP-5.6
* PHP-5.5:
  fix #72519, possible OOB using imagegif
  fix #72512, invalid read or write for palette image when invalid transparent index is used
  Apparently some envs miss SIZE_MAX
  Fix tests
  Fix bug #72618: NULL Pointer Dereference in exif_process_user_comment
  Partial fix for bug #72613 - do not treat negative returns from bz2 as size_t
  Fix bug #72606: heap-buffer-overflow (write) simplestring_addn simplestring.c
  Fix for bug #72558, Integer overflow error within _gdContributionsAlloc()
  Fix bug #72603: Out of bound read in exif_process_IFD_in_MAKERNOTE
  Fix bug #72562 - destroy var_hash properly
  Fix bug #72533 (locale_accept_from_http out-of-bounds access)
  Fix for bug #72520
  Fix for bug #72513
  CS fix and comments with bug ID
  Fix for HTTP_PROXY issue.
  add tests for bug #72512
  Fixed bug #72512 gdImageTrueColorToPaletteBody allows arbitrary write/read access
  Fixed bug #72479 - same as #72434

Conflicts:
	ext/bz2/bz2.c
	main/SAPI.c
	main/php_variables.c
smalyshev committed Jul 19, 2016
2 parents 1a88692 + f0a17b3 commit 4d0565b
Showing 27 changed files with 522 additions and 215 deletions.
6 changes: 3 additions & 3 deletions Zend/zend_virtual_cwd.c
Expand Up @@ -651,14 +651,14 @@ CWD_API void realpath_cache_del(const char *path, int path_len TSRMLS_DC) /* {{{
memcmp(path, (*bucket)->path, path_len) == 0) {
realpath_cache_bucket *r = *bucket;
*bucket = (*bucket)->next;

/* if the pointers match then only subtract the length of the path */
if(r->path == r->realpath) {
CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1;
} else {
CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1 + r->realpath_len + 1;
}

free(r);
return;
} else {
Expand Down Expand Up @@ -734,7 +734,7 @@ static inline realpath_cache_bucket* realpath_cache_find(const char *path, int p
realpath_cache_bucket *r = *bucket;
*bucket = (*bucket)->next;

/* if the pointers match then only subtract the length of the path */
/* if the pointers match then only subtract the length of the path */
if(r->path == r->realpath) {
CWDG(realpath_cache_size) -= sizeof(realpath_cache_bucket) + r->path_len + 1;
} else {
78 changes: 41 additions & 37 deletions ext/bz2/bz2.c
Expand Up @@ -15,7 +15,7 @@
| Author: Sterling Hughes <[email protected]> |
+----------------------------------------------------------------------+
*/

/* $Id$ */

#ifdef HAVE_CONFIG_H
Expand Down Expand Up @@ -138,29 +138,33 @@ struct php_bz2_stream_data_t {
static size_t php_bz2iop_read(php_stream *stream, char *buf, size_t count TSRMLS_DC)
{
struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *) stream->abstract;
size_t ret;
ret = BZ2_bzread(self->bz_file, buf, count);
int bz2_ret;

bz2_ret = BZ2_bzread(self->bz_file, buf, count);

if (ret == 0) {
if (bz2_ret < 0) {
stream->eof = 1;
return -1;
}
if (bz2_ret == 0) {
stream->eof = 1;
}

return ret;
return (size_t)bz2_ret;
}

static size_t php_bz2iop_write(php_stream *stream, const char *buf, size_t count TSRMLS_DC)
{
struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *) stream->abstract;

return BZ2_bzwrite(self->bz_file, (char*)buf, count);
return BZ2_bzwrite(self->bz_file, (char*)buf, count);
}

static int php_bz2iop_close(php_stream *stream, int close_handle TSRMLS_DC)
{
struct php_bz2_stream_data_t *self = (struct php_bz2_stream_data_t *)stream->abstract;
int ret = EOF;

if (close_handle) {
BZ2_bzclose(self->bz_file);
}
Expand Down Expand Up @@ -196,7 +200,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open_from_BZFILE(BZFILE *bz,
const char *mode, php_stream *innerstream STREAMS_DC TSRMLS_DC)
{
struct php_bz2_stream_data_t *self;

self = emalloc(sizeof(*self));

self->stream = innerstream;
Expand Down Expand Up @@ -227,15 +231,15 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper,
virtual_filepath_ex(path, &path_copy, NULL TSRMLS_CC);
#else
path_copy = path;
#endif
#endif

if (php_check_open_basedir(path_copy TSRMLS_CC)) {
#ifdef VIRTUAL_DIR
efree(path_copy);
#endif
return NULL;
}

/* try and open it directly first */
bz_file = BZ2_bzopen(path_copy, mode);

Expand All @@ -246,11 +250,11 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper,
efree(path_copy);
#endif
path_copy = NULL;

if (bz_file == NULL) {
/* that didn't work, so try and get something from the network/wrapper */
stream = php_stream_open_wrapper(path, mode, options | STREAM_WILL_CAST, opened_path);

if (stream) {
php_socket_t fd;
if (SUCCESS == php_stream_cast(stream, PHP_STREAM_AS_FD, (void **) &fd, REPORT_ERRORS)) {
Expand All @@ -265,7 +269,7 @@ PHP_BZ2_API php_stream *_php_stream_bz2open(php_stream_wrapper *wrapper,
VCWD_UNLINK(*opened_path);
}
}

if (bz_file) {
retstream = _php_stream_bz2open_from_BZFILE(bz_file, mode, stream STREAMS_REL_CC TSRMLS_CC);
if (retstream) {
Expand Down Expand Up @@ -341,7 +345,7 @@ static PHP_FUNCTION(bzread)
if (FAILURE == zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r|l", &bz, &len)) {
RETURN_FALSE;
}

php_stream_from_zval(stream, &bz);

if ((len + 1) < 1) {
Expand All @@ -351,13 +355,13 @@ static PHP_FUNCTION(bzread)

Z_STRVAL_P(return_value) = emalloc(len + 1);
Z_STRLEN_P(return_value) = php_stream_read(stream, Z_STRVAL_P(return_value), len);

if (Z_STRLEN_P(return_value) < 0) {
efree(Z_STRVAL_P(return_value));
php_error_docref(NULL TSRMLS_CC, E_WARNING, "could not read valid bz2 data from stream");
RETURN_FALSE;
RETURN_FALSE;
}

Z_STRVAL_P(return_value)[Z_STRLEN_P(return_value)] = 0;
Z_TYPE_P(return_value) = IS_STRING;
}
Expand All @@ -373,7 +377,7 @@ static PHP_FUNCTION(bzopen)

BZFILE *bz; /* The compressed file stream */
php_stream *stream = NULL;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "Zs", &file, &mode, &mode_len) == FAILURE) {
return;
}
Expand All @@ -389,15 +393,15 @@ static PHP_FUNCTION(bzopen)
php_error_docref(NULL TSRMLS_CC, E_WARNING, "filename cannot be empty");
RETURN_FALSE;
}

if (CHECK_ZVAL_NULL_PATH(*file)) {
RETURN_FALSE;
}

stream = php_stream_bz2open(NULL,
Z_STRVAL_PP(file),
mode,
REPORT_ERRORS,
Z_STRVAL_PP(file),
mode,
REPORT_ERRORS,
NULL);
} else if (Z_TYPE_PP(file) == IS_RESOURCE) {
/* If it is a resource, than its a stream resource */
Expand All @@ -406,7 +410,7 @@ static PHP_FUNCTION(bzopen)

php_stream_from_zval(stream, file);
stream_mode_len = strlen(stream->mode);

if (stream_mode_len != 1 && !(stream_mode_len == 2 && memchr(stream->mode, 'b', 2))) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "cannot use stream opened in mode '%s'", stream->mode);
RETURN_FALSE;
Expand Down Expand Up @@ -440,7 +444,7 @@ static PHP_FUNCTION(bzopen)
if (FAILURE == php_stream_cast(stream, PHP_STREAM_AS_FD, (void *) &fd, REPORT_ERRORS)) {
RETURN_FALSE;
}

bz = BZ2_bzdopen(fd, mode);

stream = php_stream_bz2open_from_BZFILE(bz, mode, stream);
Expand Down Expand Up @@ -494,7 +498,7 @@ static PHP_FUNCTION(bzcompress)
work_factor = 0, /* Work factor for compression algorithm */
argc; /* Argument count */
int source_len; /* Length of the source data */
unsigned int dest_len; /* Length of the destination buffer */
unsigned int dest_len; /* Length of the destination buffer */

argc = ZEND_NUM_ARGS();

Expand All @@ -503,19 +507,19 @@ static PHP_FUNCTION(bzcompress)
}

/* Assign them to easy to use variables, dest_len is initially the length of the data
+ .01 x length of data + 600 which is the largest size the results of the compression
could possibly be, at least that's what the libbz2 docs say (thanks to [email protected]
+ .01 x length of data + 600 which is the largest size the results of the compression
could possibly be, at least that's what the libbz2 docs say (thanks to [email protected]
for pointing this out). */
dest_len = (unsigned int) (source_len + (0.01 * source_len) + 600);

/* Allocate the destination buffer */
dest = emalloc(dest_len + 1);

/* Handle the optional arguments */
if (argc > 1) {
block_size = zblock_size;
}

if (argc > 2) {
work_factor = zwork_factor;
}
Expand Down Expand Up @@ -565,7 +569,7 @@ static PHP_FUNCTION(bzdecompress)
/* in most cases bz2 offers at least 2:1 compression, so we use that as our base */
bzs.avail_out = source_len * 2;
bzs.next_out = dest = emalloc(bzs.avail_out + 1);

while ((error = BZ2_bzDecompress(&bzs)) == BZ_OK && bzs.avail_in > 0) {
/* compression is better then 2:1, need to allocate more memory */
bzs.avail_out = source_len;
Expand All @@ -591,13 +595,13 @@ static PHP_FUNCTION(bzdecompress)
/* {{{ php_bz2_error()
The central error handling interface, does the work for bzerrno, bzerrstr and bzerror */
static void php_bz2_error(INTERNAL_FUNCTION_PARAMETERS, int opt)
{
{
zval *bzp; /* BZip2 Resource Pointer */
php_stream *stream;
const char *errstr; /* Error string */
int errnum; /* Error number */
struct php_bz2_stream_data_t *self;

if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "r", &bzp) == FAILURE) {
return;
}
Expand All @@ -609,10 +613,10 @@ static void php_bz2_error(INTERNAL_FUNCTION_PARAMETERS, int opt)
}

self = (struct php_bz2_stream_data_t *) stream->abstract;

/* Fetch the error information */
errstr = BZ2_bzerror(self->bz_file, &errnum);

/* Determine what to return */
switch (opt) {
case PHP_BZ_ERRNO:
Expand All @@ -623,7 +627,7 @@ static void php_bz2_error(INTERNAL_FUNCTION_PARAMETERS, int opt)
break;
case PHP_BZ_ERRBOTH:
array_init(return_value);

add_assoc_long (return_value, "errno", errnum);
add_assoc_string(return_value, "errstr", (char*)errstr, 1);
break;
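Review bot: In php_bz2iop_read the error path `return -1;` sits in a function declared to return size_t, so callers receive the largest size_t value rather than a negative number, and the `Z_STRLEN_P(return_value) < 0` test in bzread can only fire if that length field is a signed type, which this page does not show. A comment above the function such as `/* returns (size_t)-1 on a decoder error; callers must compare against (size_t)-1 */` would make that contract explicit. The same function still passes the size_t `count` straight to BZ2_bzread, whose length parameter is an int, so a request above INT_MAX would be truncated; clamping first, e.g. `int to_read = count > INT_MAX ? INT_MAX : (int)count;`, avoids that. php_bz2iop_write likewise returns BZ2_bzwrite's int result as size_t with no negative check, which fits the commit message calling the fix partial.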
Binary file added ext/bz2/tests/72613.bz2
Binary file not shown.
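--- a/ext/bz2/tests/bug72613.phpt
+++ b/ext/bz2/tests/bug72613.phpt
@@ -0,0 +1,23 @@
+--TEST--
+Bug #72613 (Inadequate error handling in bzread())
+--SKIPIF--
+<?php if (!extension_loaded("bz2")) print "skip"; ?>
+--FILE--
+<?php
+$fp = bzopen(__DIR__.'/72613.bz2', 'r');
+if ($fp === FALSE) {
+exit("ERROR: bzopen()");
+}
+$data = "";
+while (!feof($fp)) {
+$res = bzread($fp);
+if ($res === FALSE) {
+exit("ERROR: bzread()");
+}
+$data .= $res;
+}
+bzclose($fp);
+?>
+DONE
+--EXPECT--
+DONE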
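Review bot: The expectation is only `DONE`, so the test proves that the read loop over the malformed fixture terminates and that bzread() never returns FALSE, but it says nothing about what was read or whether an error was recorded. `$data` is accumulated and then never inspected. Printing something observable before `bzclose($fp);`, for example `var_dump(bzerrno($fp) !== 0);`, and adding the value seen on a fixed build to `--EXPECT--` would let the test catch a regression that silently returns bad data.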