authorXinchen Hui <laruence@php.net>2014-06-01 22:29:41 +0800
committerXinchen Hui <laruence@php.net>2014-06-01 22:43:06 +0800
commit91b2ddc8160d90c2e6db126f9733c6f543584d66 (patch)
treebc9ffe0451b1a3b1aabed3c78b5c310895dc0614
parent032bdbba735d1def5e305b1d486604e5f215617a (diff)
parentd196ac6a48448d654f478192970e07c6bae3e051 (diff)
Merge branch 'master' into phpng
Conflicts: ext/spl/spl_array.c ext/spl/spl_directory.c ext/standard/formatted_print.c
-rw-r--r--Makefile.gcov2
-rw-r--r--ext/fileinfo/libmagic.patch68
-rw-r--r--ext/fileinfo/libmagic/cdf.c24
-rw-r--r--ext/spl/spl_iterators.c2
-rw-r--r--ext/spl/tests/bug67359.phpt28
-rw-r--r--ext/spl/tests/bug67360.phpt34
-rw-r--r--ext/standard/formatted_print.c3
-rw-r--r--ext/standard/tests/strings/bug67249.phpt8
8 files changed, 148 insertions, 21 deletions
diff --git a/Makefile.gcov b/Makefile.gcov
index 02774b838e..7157cb5ddb 100644
--- a/Makefile.gcov
+++ b/Makefile.gcov
@@ -14,7 +14,7 @@ php_lcov.info: lcov-test
@rm -rf lcov_data/
@$(mkinstalldirs) lcov_data/
@echo
- -@files=`find . -name \*.gcda -o -name \*.gcno -o -name \*.da -o -name \*.c -o -name \*.h | sed -e 's/^\.\///' | sed -e 's/\.gcda//g' -e 's/\.gcno//g' -e 's/\.da//g' | $(EGREP) $(LCOV_INCLUDE) | sed -e 's/.libs/ZZZZ/g' | sort | sed -e 's/ZZZZ/.libs/g' | uniq` ;\
+ -@files=`find . -name \*.gcda -o -name \*.gcno -o -name \*.da -o -name \*.c -o -name \*.h | sed -e 's/^\.\///' | sed -e 's/\.gcda//g' -e 's/\.gcno//g' -e 's/\.da//g' | $(EGREP) $(LCOV_INCLUDE) | sed -e 's/.libs/ZZZZ/g' | sort -h | sed -e 's/ZZZZ/.libs/g' | uniq` ;\
for x in $$files; do \
echo -n . ;\
y=`echo $$x | sed -e 's!\.libs/!!'`; \
diff --git a/ext/fileinfo/libmagic.patch b/ext/fileinfo/libmagic.patch
index 662537bf7f..bb9a0dafae 100644
--- a/ext/fileinfo/libmagic.patch
+++ b/ext/fileinfo/libmagic.patch
@@ -822,7 +822,7 @@ diff -u libmagic.orig/ascmagic.c libmagic/ascmagic.c
}
diff -u libmagic.orig/cdf.c libmagic/cdf.c
--- libmagic.orig/cdf.c Tue Feb 26 17:20:42 2013
-+++ libmagic/cdf.c Fri Feb 21 00:21:27 2014
++++ libmagic/cdf.c Tue May 27 22:28:51 2014
@@ -43,7 +43,17 @@
#include <err.h>
#endif
@@ -853,7 +853,63 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c
return -1;
return (ssize_t)len;
-@@ -1132,7 +1145,7 @@
+@@ -810,6 +823,10 @@
+ i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
+ if (inp[i].pi_type & CDF_VECTOR) {
+ nelements = CDF_GETUINT32(q, 1);
++ if (nelements == 0) {
++ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
++ goto out;
++ }
+ o = 2;
+ } else {
+ nelements = 1;
+@@ -884,7 +901,9 @@
+ }
+ DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
+ nelements));
+- for (j = 0; j < nelements; j++, i++) {
++ for (j = 0; j < nelements && i < sh.sh_properties;
++ j++, i++)
++ {
+ uint32_t l = CDF_GETUINT32(q, o);
+ inp[i].pi_str.s_len = l;
+ inp[i].pi_str.s_buf = (const char *)
+@@ -929,7 +948,7 @@
+ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
+ cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
+ {
+- size_t i, maxcount;
++ size_t maxcount;
+ const cdf_summary_info_header_t *si =
+ CAST(const cdf_summary_info_header_t *, sst->sst_tab);
+ const cdf_section_declaration_t *sd =
+@@ -944,21 +963,13 @@
+ ssi->si_os = CDF_TOLE2(si->si_os);
+ ssi->si_class = si->si_class;
+ cdf_swap_class(&ssi->si_class);
+- ssi->si_count = CDF_TOLE2(si->si_count);
++ ssi->si_count = CDF_TOLE4(si->si_count);
+ *count = 0;
+ maxcount = 0;
+ *info = NULL;
+- for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
+- if (i >= CDF_LOOP_LIMIT) {
+- DPRINTF(("Unpack summary info loop limit"));
+- errno = EFTYPE;
+- return -1;
+- }
+- if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
+- info, count, &maxcount) == -1) {
++ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
++ count, &maxcount) == -1)
+ return -1;
+- }
+- }
+ return 0;
+ }
+
+@@ -1132,7 +1143,7 @@
cdf_directory_t *d;
char name[__arraycount(d->d_name)];
cdf_stream_t scn;
@@ -862,7 +918,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c
static const char *types[] = { "empty", "user storage",
"user stream", "lockbytes", "property", "root storage" };
-@@ -1185,7 +1198,7 @@
+@@ -1185,7 +1196,7 @@
cdf_dump_property_info(const cdf_property_info_t *info, size_t count)
{
cdf_timestamp_t tp;
@@ -871,7 +927,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c
char buf[64];
size_t i, j;
-@@ -1229,7 +1242,11 @@
+@@ -1229,7 +1240,11 @@
break;
case CDF_FILETIME:
tp = info[i].pi_tp;
@@ -885,7 +941,7 @@ diff -u libmagic.orig/cdf.c libmagic/cdf.c
} else {
diff -u libmagic.orig/cdf.h libmagic/cdf.h
--- libmagic.orig/cdf.h Thu Jun 21 00:19:55 2012
-+++ libmagic/cdf.h Fri Feb 21 00:21:27 2014
++++ libmagic/cdf.h Tue May 27 22:28:51 2014
@@ -35,10 +35,12 @@
#ifndef _H_CDF_
#define _H_CDF_
@@ -2543,7 +2599,7 @@ diff -u libmagic.orig/print.c libmagic/print.c
}
diff -u libmagic.orig/readcdf.c libmagic/readcdf.c
--- libmagic.orig/readcdf.c Tue Jan 7 04:13:42 2014
-+++ libmagic/readcdf.c Thu Apr 24 20:07:51 2014
++++ libmagic/readcdf.c Tue May 27 22:28:51 2014
@@ -30,7 +30,11 @@
#endif
diff --git a/ext/fileinfo/libmagic/cdf.c b/ext/fileinfo/libmagic/cdf.c
index dd7177ed90..4712e84942 100644
--- a/ext/fileinfo/libmagic/cdf.c
+++ b/ext/fileinfo/libmagic/cdf.c
@@ -823,6 +823,10 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
i, inp[i].pi_id, inp[i].pi_type, q - p, offs));
if (inp[i].pi_type & CDF_VECTOR) {
nelements = CDF_GETUINT32(q, 1);
+ if (nelements == 0) {
+ DPRINTF(("CDF_VECTOR with nelements == 0\n"));
+ goto out;
+ }
o = 2;
} else {
nelements = 1;
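Review bot: The new zero check in the `CDF_VECTOR` branch bounds `nelements` only from below; the value is still taken straight from the stream and no upper limit is applied at this point. The second cdf.c hunk caps the string loop with `i < sh.sh_properties`, but whether the other property types that consume `nelements` are bounded is not visible here and is worth confirming. A short comment above the check would also help, for example `/* a vector with no elements is malformed; stop parsing */`. The body of `cdf_read_property_info` and the `out` label lie outside the hunk.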
@@ -897,7 +901,9 @@ cdf_read_property_info(const cdf_stream_t *sst, const cdf_header_t *h,
}
DPRINTF(("nelements = %" SIZE_T_FORMAT "u\n",
nelements));
- for (j = 0; j < nelements; j++, i++) {
+ for (j = 0; j < nelements && i < sh.sh_properties;
+ j++, i++)
+ {
uint32_t l = CDF_GETUINT32(q, o);
inp[i].pi_str.s_len = l;
inp[i].pi_str.s_buf = (const char *)
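Review bot: The added `i < sh.sh_properties` condition ends the loop silently when a vector claims more elements than there are property slots, so a malformed vector is parsed as if it were complete. Consider reporting that case after the loop, e.g. `if (j < nelements) DPRINTF(("string vector exceeds sh_properties\n"));`, or treating it as a parse error. In addition, `l` is read from the file and stored as `s_len` on the next line; whether `q + o` and `l` are checked against the end of the stream happens outside this hunk and should be confirmed.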
@@ -942,7 +948,7 @@ int
cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
cdf_summary_info_header_t *ssi, cdf_property_info_t **info, size_t *count)
{
- size_t i, maxcount;
+ size_t maxcount;
const cdf_summary_info_header_t *si =
CAST(const cdf_summary_info_header_t *, sst->sst_tab);
const cdf_section_declaration_t *sd =
@@ -957,21 +963,13 @@ cdf_unpack_summary_info(const cdf_stream_t *sst, const cdf_header_t *h,
ssi->si_os = CDF_TOLE2(si->si_os);
ssi->si_class = si->si_class;
cdf_swap_class(&ssi->si_class);
- ssi->si_count = CDF_TOLE2(si->si_count);
+ ssi->si_count = CDF_TOLE4(si->si_count);
*count = 0;
maxcount = 0;
*info = NULL;
- for (i = 0; i < CDF_TOLE4(si->si_count); i++) {
- if (i >= CDF_LOOP_LIMIT) {
- DPRINTF(("Unpack summary info loop limit"));
- errno = EFTYPE;
+ if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset), info,
+ count, &maxcount) == -1)
return -1;
- }
- if (cdf_read_property_info(sst, h, CDF_TOLE4(sd->sd_offset),
- info, count, &maxcount) == -1) {
- return -1;
- }
- }
return 0;
}
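Review bot: After this change `cdf_unpack_summary_info` reads property info once, from the first section declaration `sd`, while `ssi->si_count` is stored exactly as read from the file, and nothing in the function says so. A comment before the call such as `/* only the first section is unpacked; si_count comes from the file and is not used as a loop bound */` would keep a later reader from reintroducing the per-section loop. The multi-line `if` with an unbraced `return -1;` is also easy to misread, so braces would be worth adding. The start of the function lies outside the hunk.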
diff --git a/ext/spl/spl_iterators.c b/ext/spl/spl_iterators.c
index 7900b4b5b2..9e1820ccac 100644
--- a/ext/spl/spl_iterators.c
+++ b/ext/spl/spl_iterators.c
@@ -847,6 +847,8 @@ static union _zend_function *spl_recursive_it_get_method(zend_object **zobject,
*zobject = Z_OBJ_P(zobj);
function_handler = (*zobject)->handlers->get_method(zobject, method, key TSRMLS_CC);
}
+ } else {
+ *zobject = Z_OBJ_P(zobj);
}
}
return function_handler;
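Review bot: The added `else` branch has no comment, and from the hunk alone it is not clear which `if` it pairs with or why `*zobject` must be reassigned there. Presumably it covers the case where the handler was found without going through `get_method`, so `*zobject` has to refer to the inner iterator's object before the handler is returned; if so, say it: `/* handler found on the inner iterator: make *zobject match it */`. The same assignment now appears in both branches, so hoisting it may be simpler, provided that is safe on the path where no handler is found. The function starts outside the hunk.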
diff --git a/ext/spl/tests/bug67359.phpt b/ext/spl/tests/bug67359.phpt
new file mode 100644
index 0000000000..e2e61133f3
--- /dev/null
+++ b/ext/spl/tests/bug67359.phpt
@@ -0,0 +1,28 @@
+--TEST--
+Bug #67359 (Segfault in recursiveDirectoryIterator)
+--FILE--
+<?php
+try
+{
+ $rdi = new recursiveDirectoryIterator(dirname(__FILE__), FilesystemIterator::SKIP_DOTS | FilesystemIterator::UNIX_PATHS);
+ $it = new recursiveIteratorIterator( $rdi );
+ $it->seek(1);
+ while( $it->valid())
+ {
+ if( $it->isFile() )
+ {
+ $it->current();
+ }
+
+ $it->next();
+ }
+
+ $it->current();
+}
+catch(Exception $e)
+{
+}
+echo "okey"
+?>
+--EXPECTF--
+okey
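Review bot: The empty `catch(Exception $e)` block means the test prints `okey` even when the iterator throws before reaching the code path that used to crash, so it can pass without exercising the fix. The traversal also depends on whatever files happen to sit next to the test. A comment naming the call that segfaulted (the test suggests the final `$it->current()` after the iterator is exhausted) would make the intent clear, and `--EXPECT--` is enough because the expected output contains no format placeholders.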
diff --git a/ext/spl/tests/bug67360.phpt b/ext/spl/tests/bug67360.phpt
new file mode 100644
index 0000000000..552c02ad74
--- /dev/null
+++ b/ext/spl/tests/bug67360.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #67360 (Missing element after ArrayObject::getIterator)
+--FILE--
+<?php
+
+$array = array('' => 1, 1 => 2, 3 => 4);
+$ArrayObject = new ArrayObject($array);
+var_dump($ArrayObject);
+$Iterator = $ArrayObject->getIterator();
+var_dump(count($Iterator) === count($array));
+var_dump(iterator_to_array($Iterator));
+
+?>
+--EXPECTF--
+object(ArrayObject)#%d (1) {
+ ["storage":"ArrayObject":private]=>
+ array(3) {
+ [""]=>
+ int(1)
+ [1]=>
+ int(2)
+ [3]=>
+ int(4)
+ }
+}
+bool(true)
+array(3) {
+ [""]=>
+ int(1)
+ [1]=>
+ int(2)
+ [3]=>
+ int(4)
+}
diff --git a/ext/standard/formatted_print.c b/ext/standard/formatted_print.c
index 2942daaad3..6c1f157cec 100644
--- a/ext/standard/formatted_print.c
+++ b/ext/standard/formatted_print.c
@@ -378,6 +378,7 @@ php_formatted_print(int param_count, int use_array, int format_offset TSRMLS_DC)
char *format, padding;
zend_string *result;
int always_sign;
+ int format_len;
if (zend_parse_parameters(ZEND_NUM_ARGS() TSRMLS_CC, "+", &args, &argc) == FAILURE) {
return NULL;
@@ -473,7 +474,7 @@ php_formatted_print(int param_count, int use_array, int format_offset TSRMLS_DC)
/* space padding, the default */
} else if (format[inpos] == '+') {
always_sign = 1;
- } else if (format[inpos] == '\'') {
+ } else if (format[inpos] == '\'' && inpos+1<format_len) {
padding = format[++inpos];
} else {
PRINTF_DEBUG(("sprintf: end of modifiers\n"));
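Review bot: `format_len` is compared against `inpos+1` in the new padding check, but neither formatted_print.c hunk assigns it; because the declaration itself is added by this commit, unchanged code cannot be setting it either, so the bounds check appears to read an uninitialized `int`. That leaves the read of `format[++inpos]` guarded by an indeterminate value, which defeats the out-of-bounds fix the test for bug #67249 is meant to cover. Assign it where `format` is set, along the lines of `format_len = Z_STRLEN(args[format_offset]);` (adjust to how the format zval is accessed there). The function body continues outside both hunks.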
diff --git a/ext/standard/tests/strings/bug67249.phpt b/ext/standard/tests/strings/bug67249.phpt
new file mode 100644
index 0000000000..6ea75289e6
--- /dev/null
+++ b/ext/standard/tests/strings/bug67249.phpt
@@ -0,0 +1,8 @@
+--TEST--
+Bug #67249 (printf out-of-bounds read)
+--FILE--
+<?php
+var_dump(sprintf("%'", "foo"));
+?>
+--EXPECT--
+string(0) ""