Merge branch 'PHP-5.5' into PHP-5.6.23

* PHP-5.5:
  Fixed bug #72446 - Integer Overflow in gdImagePaletteToTrueColor() resulting in heap overflow
  update NEWS
  fix tests
  fix build
  Fix bug #72455:  Heap Overflow due to integer overflows
  Fix bug #72434: ZipArchive class Use After Free Vulnerability in PHP's GC algorithm and unserialize
  Fixed ##72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
  Fix bug #72407: NULL Pointer Dereference at _gdScaleVert
  Fix bug #72402: _php_mb_regex_ereg_replace_exec - double free
  Fix bug #72298	pass2_no_dither out-of-bounds access
  Fixed #72339 Integer Overflow in _gd2GetHeader() resulting in heap overflow
  Fix bug #72262 - do not overflow int
  Fix bug #72400 and #72403 - prevent signed int overflows for string lengths
  Fix bug #72275: don't allow smart_str to overflow int
  Fix bug #72340: Double Free Courruption in wddx_deserialize
  update NEWS
  Fix #66387: Stack overflow with imagefilltoborder
  Skip test which is 64bits only
  5.5.37 now

Conflicts:
	configure.in
	ext/mcrypt/mcrypt.c
	ext/spl/spl_directory.c
	main/php_version.h

1 files changed, 13 insertions, 9 deletions

diff --git a/ext/gd/libgd/gd.c b/ext/gd/libgd/gd.c
index 5170f4f8c0..da0e094114 100644
--- a/ext/gd/libgd/gd.c
+++ b/ext/gd/libgd/gd.c
@@ -133,6 +133,10 @@ gdImagePtr gdImageCreate (int sx, int sy)
 		return NULL;
 	}
 
+	if (overflow2(sizeof(unsigned char *), sx)) {
+		return NULL;
+	}
+
 	im = (gdImage *) gdCalloc(1, sizeof(gdImage));
 
 	/* Row-major ever since gd 1.3 */
@@ -1098,12 +1102,12 @@ void gdImageLine (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
 	int thick = im->thick;
 
 	if (color == gdAntiAliased) {
-		/* 
+		/*
 		   gdAntiAliased passed as color: use the much faster, much cheaper
 		   and equally attractive gdImageAALine implementation. That
 		   clips too, so don't clip twice.
 		   */
-		gdImageAALine(im, x1, y1, x2, y2, im->AA_color); 
+		gdImageAALine(im, x1, y1, x2, y2, im->AA_color);
 		return;
 	}
 
@@ -1886,7 +1890,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
 		return;
 	}
 
-	alphablending_bak = im->alphaBlendingFlag;	
+	alphablending_bak = im->alphaBlendingFlag;
 	im->alphaBlendingFlag = 0;
 
 	if (nc==gdTiled){
@@ -1898,7 +1902,7 @@ void gdImageFill(gdImagePtr im, int x, int y, int nc)
 	wx2=im->sx;wy2=im->sy;
 	oc = gdImageGetPixel(im, x, y);
 	if (oc==nc || x<0 || x>wx2 || y<0 || y>wy2) {
-		im->alphaBlendingFlag = alphablending_bak;	
+		im->alphaBlendingFlag = alphablending_bak;
 		return;
 	}
 
@@ -1961,7 +1965,7 @@ skip:			for (x++; x<=x2 && (gdImageGetPixel(im, x, y)!=oc); x++);
 	efree(stack);
 
 done:
-	im->alphaBlendingFlag = alphablending_bak;	
+	im->alphaBlendingFlag = alphablending_bak;
 }
 
 static void _gdImageFillTiled(gdImagePtr im, int x, int y, int nc)
@@ -2069,7 +2073,7 @@ void gdImageRectangle (gdImagePtr im, int x1, int y1, int x2, int y2, int color)
 
 		x1ul = x1 - half;
 		y1ul = y1 - half;
-		
+
 		x2lr = x2 + half;
 		y2lr = y2 + half;
 
@@ -2271,7 +2275,7 @@ void gdImageCopyMerge (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int s
 	int tox, toy;
 	int ncR, ncG, ncB;
 	toy = dstY;
-	
+
 	for (y = srcY; y < (srcY + h); y++) {
 		tox = dstX;
 		for (x = srcX; x < (srcX + w); x++) {
@@ -2368,7 +2372,7 @@ void gdImageCopyResized (gdImagePtr dst, gdImagePtr src, int dstX, int dstY, int
 	int colorMap[gdMaxColors];
 	/* Stretch vectors */
 	int *stx, *sty;
-	
+
 	if (overflow2(sizeof(int), srcW)) {
 		return;
 	}
@@ -2913,7 +2917,7 @@ int gdAlphaBlend (int dst, int src) {
     src_weight = gdAlphaTransparent - src_alpha;
     dst_weight = (gdAlphaTransparent - dst_alpha) * src_alpha / gdAlphaMax;
     tot_weight = src_weight + dst_weight;
-    
+
 /* -------------------------------------------------------------------- */
 /*      What red, green and blue result values will we use?             */
 /* -------------------------------------------------------------------- */