php-5.6.27-1.fc23

13 Oct 2016 – **PHP version 5.6.27**

**Core:**

* Fixed bug php#73025 (Heap Buffer Overflow in virtual_popen of zend_virtual_cwd.c). (cmb)
* Fixed bug php#73058 (crypt broken when salt is ‘too’ long). (Anatol)
* Fixed bug php#72703 (Out of bounds global memory read in BF_crypt triggered by password_verify). (Anatol)
* Fixed bug php#73189 (Memcpy negative size parameter php_resolve_path). (Stas)
* Fixed bug php#73147 (Use After Free in unserialize()). (Stas)

**BCmath:**

* Fixed bug php#73190 (memcpy negative parameter _bc_new_num_ex). (Stas)

**DOM:**

* Fixed bug php#73150 (missing NULL check in dom_document_save_html). (Stas)

**Ereg:**

* Fixed bug php#73284 (heap overflow in php_ereg_replace function). (Stas)

**Filter:**

* Fixed bug php#72972 (Bad filter for the flags FILTER_FLAG_NO_RES_RANGE and FILTER_FLAG_NO_PRIV_RANGE). (julien)
* Fixed bug php#67167 (Wrong return value from FILTER_VALIDATE_BOOLEAN, FILTER_NULL_ON_FAILURE). (levim, cmb)
* Fixed bug php#73054 (default option ignored when object passed to int filter). (cmb)

**GD:**

* Fixed bug php#67325 (imagetruecolortopalette: white is duplicated in palette). (cmb)
* Fixed bug php#50194 (imagettftext broken on transparent background w/o alphablending). (cmb)
* Fixed bug php#73003 (Integer Overflow in gdImageWebpCtx of gd_webp.c). (trylab, cmb)
* Fixed bug php#53504 (imagettfbbox gives incorrect values for bounding box). (Mark Plomer, cmb)
* Fixed bug php#73157 (imagegd2() ignores 3rd param if 4 are given). (cmb)
* Fixed bug php#73155 (imagegd2() writes wrong chunk sizes on boundaries). (cmb)
* Fixed bug php#73159 (imagegd2(): unrecognized formats may result in corrupted files). (cmb)
* Fixed bug php#73161 (imagecreatefromgd2() may leak memory). (cmb)

**Intl:**

* Fixed bug php#73218 (add mitigation for ICU int overflow). (Stas)

**Imap:**

* Fixed bug php#73208 (integer overflow in imap_8bit caused heap corruption). (Stas)

**Mbstring:**

* Fixed bug php#72994 (mbc_to_code() out of bounds read). (Laruence, cmb)
* Fixed bug php#66964 (mb_convert_variables() cannot detect recursion). (Yasuo)
* Fixed bug php#72992 (mbstring.internal_encoding doesn’t inherit default_charset). (Yasuo)
* Fixed bug php#73082 (string length overflow in mb_encode_* function). (Stas)

**PCRE:**

* Fixed bug php#73174 (heap overflow in php_pcre_replace_impl). (Stas)

**Opcache:**

* Fixed bug php#72590 (Opcache restart with kill_all_lockers does not work). (Keyur) (julien backport)

**OpenSSL:**

* Fixed bug php#73072 (Invalid path SNI_server_certs causes segfault). (Jakub Zelenka)
* Fixed bug php#73275 (crash in openssl_encrypt function). (Stas)
* Fixed bug php#73276 (crash in openssl_random_pseudo_bytes function). (Stas)

**Session:**

* Fixed bug php#68015 (Session does not report invalid uid for files save handler). (Yasuo)
* Fixed bug php#73100 (session_destroy null dereference in ps_files_path_create). (cmb)

**SimpleXML:**

* Fixed bug php#73293 (NULL pointer dereference in SimpleXMLElement::asXML()). (Stas)

**SPL:**

* Fixed bug php#73073 (CachingIterator null dereference when convert to string). (Stas)

**Standard:**

* Fixed bug php#73240 (Write out of bounds at number_format). (Stas)
* Fixed bug php#73017 (memory corruption in wordwrap function). (Stas)

**Stream:**

* Fixed bug php#73069 (readfile() mangles files larger than 2G). (Laruence)
